ICS case studies v2
![Page 1: ICS case studies v2](https://reader034.fdocuments.us/reader034/viewer/2022042906/589aa5501a28abfc1a8b610b/html5/thumbnails/1.jpg)
1 Copyright © 2014, FireEye, Inc. All rights reserved.
Case Studies: Industrial Control Systems
Dan Scali, Manager – Industrial Control Systems, Mandiant Security Consulting Services
![Page 2: ICS case studies v2](https://reader034.fdocuments.us/reader034/viewer/2022042906/589aa5501a28abfc1a8b610b/html5/thumbnails/2.jpg)
ICS security threats
Network layers, top to bottom: Enterprise/IT – Plant DMZ – SCADA/ICS – Control
• SCADA/ICS layer: SCADA, Historian, HMI
• Control layer: PLCs, Controllers, RTUs, PACs
Threat vector: Attacks on the enterprise
Threat vector: Attacks on ICS/SCADA systems and devices
![Page 3: ICS case studies v2](https://reader034.fdocuments.us/reader034/viewer/2022042906/589aa5501a28abfc1a8b610b/html5/thumbnails/3.jpg)
Case studies
• Building a comprehensive program: How an ICS operator used Mandiant Security Consulting Services to build an IT/OT cyber security program
• Defending the SCADA & field-level devices: How an ICS operator used passive network monitoring to identify SCADA network configuration flaws
![Page 4: ICS case studies v2](https://reader034.fdocuments.us/reader034/viewer/2022042906/589aa5501a28abfc1a8b610b/html5/thumbnails/4.jpg)
Case Study: Building a cyber security program
![Page 5: ICS case studies v2](https://reader034.fdocuments.us/reader034/viewer/2022042906/589aa5501a28abfc1a8b610b/html5/thumbnails/5.jpg)
The challenges
Business imperative → Implications

Maintain compliance: Transition from NERC CIP v3 to NERC CIP v5
• 10-20k serial assets coming into scope for NERC CIP
• Requires coordination across OT & IT

Resist targeted attacks: Detect, respond to, and contain incidents impacting grid assets
• Integrated SOC will need visibility into grid assets
• IR processes and technologies must be adapted for control system environment

Support reliability: IT/OT convergence and next-generation grid
• Legacy control systems technology will be replaced
• Connectivity & exposure of power systems will increase
![Page 6: ICS case studies v2](https://reader034.fdocuments.us/reader034/viewer/2022042906/589aa5501a28abfc1a8b610b/html5/thumbnails/6.jpg)
FireEye’s solution: Program strategy
Mission: To support the reliable operation of the bulk electric system in accordance with legal and regulatory responsibilities by preventing, detecting, and responding to cybersecurity incidents.
Stakeholders: Transmission & Distribution – Cybersecurity – Power Systems IT
Key functions & activities
Governance: • Policy • Compliance • Training • Asset inventory • Metrics
Technology: • New projects • Technical standards • Evaluation & Procurement • External working groups
Operations: • Maintenance • Incident Response • Vulnerability & Patch Management
![Page 7: ICS case studies v2](https://reader034.fdocuments.us/reader034/viewer/2022042906/589aa5501a28abfc1a8b610b/html5/thumbnails/7.jpg)
Sample roadmap
![Page 8: ICS case studies v2](https://reader034.fdocuments.us/reader034/viewer/2022042906/589aa5501a28abfc1a8b610b/html5/thumbnails/8.jpg)
Sample heatmap
![Page 9: ICS case studies v2](https://reader034.fdocuments.us/reader034/viewer/2022042906/589aa5501a28abfc1a8b610b/html5/thumbnails/9.jpg)
Sample project plan
![Page 10: ICS case studies v2](https://reader034.fdocuments.us/reader034/viewer/2022042906/589aa5501a28abfc1a8b610b/html5/thumbnails/10.jpg)
Case Study: Protecting the SCADA
![Page 11: ICS case studies v2](https://reader034.fdocuments.us/reader034/viewer/2022042906/589aa5501a28abfc1a8b610b/html5/thumbnails/11.jpg)
The challenge
Customer had invested heavily in a network segmentation and firewall configuration effort
Needed a way to validate that:
– No connections were possible directly from the business network to the SCADA network
– SCADA was not able to communicate with the internet
![Page 12: ICS case studies v2](https://reader034.fdocuments.us/reader034/viewer/2022042906/589aa5501a28abfc1a8b610b/html5/thumbnails/12.jpg)
The Solution: FireEye PX
• Ultrafast packet capture: up to 20Gbps sustained in a single appliance allows for aggregation and cost savings
• Internal or external storage options (FC or SAS)
• Ultrafast search: patented tiered indexing system (search TBs in seconds)
• Session Analysis: full reconstruction of web, email, DNS & FTP traffic
• File extraction
• User extensible
• Industry standard PCAP format for capture data
• Export of index data in NetFlow v9 or IPFIX format
![Page 13: ICS case studies v2](https://reader034.fdocuments.us/reader034/viewer/2022042906/589aa5501a28abfc1a8b610b/html5/thumbnails/13.jpg)
PX deployment options
Three topologies are shown, each with the same path Enterprise Network – Router – Firewall/DMZ – Switch – ICS and an NX feeding PX via Pivot2Pcap; they differ in how traffic is delivered to the capture appliances:
• Tap (OOB): out-of-band tap
• SPAN: switch SPAN port
• Tap (Inline): inline tap
![Page 14: ICS case studies v2](https://reader034.fdocuments.us/reader034/viewer/2022042906/589aa5501a28abfc1a8b610b/html5/thumbnails/14.jpg)
Results
15 minutes of network traffic capture data revealed:
• Traffic direct from business network to SCADA zone
• External DNS requests
• Potential multi-homed devices
• Limited segmentation between SCADA zones
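The four findings on this slide are the kind of check a defender can run over flow records exported from a passive capture (the deck mentions NetFlow v9/IPFIX export). The following is an added example, not part of the deck and not FireEye code: it assumes the flow records have already been parsed into (source MAC, source IP, destination IP, destination port, protocol) tuples, and uses constructed zone ranges and sample flows chosen to trigger each finding once.

```python
"""Flag segmentation violations in captured flow records.

Added example; zone addressing and flow records below are constructed,
not taken from the case study.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed zone map (constructed): one business zone, two SCADA zones.
ZONES = {
    "business": ip_network("10.10.0.0/16"),
    "scada_a": ip_network("192.168.10.0/24"),
    "scada_b": ip_network("192.168.20.0/24"),
}
SCADA_ZONES = {"scada_a", "scada_b"}

# Constructed flow records: (src_mac, src_ip, dst_ip, dst_port, proto).
SAMPLE_FLOWS = [
    ("aa:bb:cc:00:00:01", "10.10.5.20", "192.168.10.15", 502, "tcp"),      # business -> SCADA zone
    ("aa:bb:cc:00:00:02", "192.168.10.30", "8.8.8.8", 53, "udp"),          # SCADA host querying an external resolver
    ("aa:bb:cc:00:00:03", "192.168.10.40", "192.168.20.7", 44818, "tcp"),  # SCADA zone A -> zone B
    ("aa:bb:cc:00:00:04", "192.168.10.50", "192.168.10.53", 53, "udp"),    # DNS to an in-zone resolver: fine
    ("aa:bb:cc:00:00:04", "10.10.7.8", "10.10.7.9", 445, "tcp"),           # same MAC also sourcing business traffic
    ("aa:bb:cc:00:00:05", "10.10.1.1", "10.10.1.2", 80, "tcp"),            # business-internal: fine
]


def zone_of(ip):
    """Map an IP to a named zone, 'external' for public space, else 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external" if addr.is_global else "unknown"


def analyze_flows(flows):
    """Return the four finding categories from the Results slide."""
    findings = {
        "business_to_scada": [],   # direct traffic from business network into a SCADA zone
        "external_dns": [],        # SCADA hosts sending DNS to public resolvers
        "cross_scada_zone": [],    # traffic between two SCADA zones (limited segmentation)
        "multi_homed": [],         # one MAC sourcing packets from more than one zone
    }
    ips_per_mac = defaultdict(set)

    for mac, src, dst, dport, _proto in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        ips_per_mac[mac].add((src, src_zone))

        if src_zone == "business" and dst_zone in SCADA_ZONES:
            findings["business_to_scada"].append((src, dst, dport))
        if src_zone in SCADA_ZONES and dport == 53 and dst_zone == "external":
            findings["external_dns"].append((src, dst))
        if src_zone in SCADA_ZONES and dst_zone in SCADA_ZONES and src_zone != dst_zone:
            findings["cross_scada_zone"].append((src, dst, dport))

    # A single MAC observed with source IPs in two zones suggests a multi-homed host.
    for mac, seen in ips_per_mac.items():
        zones = {zone for _ip, zone in seen}
        if len(zones) > 1:
            findings["multi_homed"].append((mac, sorted(zones)))
    return findings


if __name__ == "__main__":
    for category, hits in analyze_flows(SAMPLE_FLOWS).items():
        print(f"{category}: {hits}")
```

The multi-homed heuristic only holds where the capture point sees the host's own Ethernet frames; once traffic has crossed a router the source MAC is the router's, so that check belongs on a SPAN or tap inside each zone, while the zone-crossing checks work on records from any of the deployment points shown above.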
![Page 15: ICS case studies v2](https://reader034.fdocuments.us/reader034/viewer/2022042906/589aa5501a28abfc1a8b610b/html5/thumbnails/15.jpg)
Incident response workflow
Detect: FireEye threat prevention platform (NX, EX, FX, or AX) detects threat and generates alert with detailed OS change report.
Validate & Contain: OS change report is sent to HX appliance which then generates indicator and pushes to endpoint agent. Operator can contain & isolate the compromised endpoint by blocking all traffic with single-click workflow while continuing with the investigation. Analyst can view detailed exploit timeline from the endpoint to better understand the attack.
Forensics Analysis: Analyst pivots to PX with IP address and time of infection to reconstruct kill chain before, during and after to determine the scope and impact of a threat via captured packets.
![Page 16: ICS case studies v2](https://reader034.fdocuments.us/reader034/viewer/2022042906/589aa5501a28abfc1a8b610b/html5/thumbnails/16.jpg)
Questions?