SCADA Security: The 5 Stages of Cyber Grief
©2013 Lancope, Inc. All Rights Reserved. Company Confidential (not for distribution)
The 5 Stages of Cyber Grief
It's not connected to the Internet.
Stage 1: Denial
"In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks."
Source: Sean McGurk, Verizon; Subcommittee on National Security, Homeland Defense, and Foreign Operations hearing, May 25, 2011.
It's connected to the Internet.
ICS-CERT
• In February 2011, independent security researcher Ruben Santamarta used SHODAN to identify online remote access links to multiple utility companies’ Supervisory Control and Data Acquisition (SCADA) systems.
• In April 2011, ICS-CERT received reports of 75 Internet-facing control system devices, mostly in the water sector. Many of those control systems had their remote access configured with default logon credentials.
• In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet-facing devices that he discovered using SHODAN.
SHODAN
• Project STRIDE: “To date, we have discovered over 500,000 control system related nodes worldwide on the internet. About 30% are from the US, and most are on ISP addresses.”
Stage 2: Anger
Stage 3: Bargaining
• Stuxnet
  – First widely reported use of malware to destroy a physical plant
  – Extremely sophisticated
  – Jumped the air-gap via USB keys
  – Widespread infections throughout the Internet
• Shamoon
  – Targeted the energy sector
  – Destructive
  – Overwrites files
  – Destroys the Master Boot Record
[Map: Stuxnet infections, source Symantec]
Stage 4: Depression
The Patching Treadmill
• Control systems are not designed to be shut down regularly
• Entire systems may need to be shut down for a single patch install
• Patching may mean upgrading
• Upgrades can cascade through a system
• Even assessments may require downtime!
• Patching leads to interconnectivity
• Interconnectivity leads to compromise
• Solutions?
  – Third-party run-time in-memory patching?
  – Intrusion prevention systems?
Stage 5: Acceptance
What would acceptance mean?
• Getting serious about interconnectivity
  – We need to find new ways to work
  – We need to accept some inconvenience
• Designing systems for patchability
  – Systems that can be patched without being restarted
  – Hot standby failover
  – Patches that do not require upgrades
  – Security patches that can be accepted without performance concerns
  – Built-in IDS capability?
• Designing systems for failure
Lancope does NetFlow
Network Visibility through NetFlow
[Diagram: NetFlow exporters in the DMZ, on the VPN, on the internal network and on the 3G/Internet links all send NetFlow to a central NetFlow Collector.]
NetFlow packets carry, per flow: src and dst IP, src and dst port, start time, end time, MAC address, byte count, and more.
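NetFlow is the data source the rest of the deck builds on. As an added example (not Lancope's code and not part of the original slides), this Python decoder reads a NetFlow v5 export datagram and extracts the fields the slide lists; the sample datagram is constructed here with documentation addresses. One caveat: v5 records carry no MAC address, which only appears in NetFlow v9/IPFIX templates.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout (network byte order): a 24-byte header followed by
# `count` fixed 48-byte flow records. Field order follows the v5 export format.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48


def parse_netflow_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, uptime_ms, unix_secs, _nsecs, _seq, _etype, _eid, _sampling = \
        struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated datagram: header claims more records than present")
    # First/Last are exporter uptime in ms at flow start/end; anchor them to wall-clock time.
    boot_epoch = unix_secs - uptime_ms / 1000.0
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first_ms, last_ms, sport, dport,
         _pad1, tcp_flags, proto, _tos, _src_as, _dst_as, _smask, _dmask, _pad2) = \
            struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({
            "src_ip": str(IPv4Address(src)), "dst_ip": str(IPv4Address(dst)),
            "src_port": sport, "dst_port": dport, "proto": proto, "tcp_flags": tcp_flags,
            "packets": pkts, "bytes": octets,
            "start": boot_epoch + first_ms / 1000.0, "end": boot_epoch + last_ms / 1000.0,
        })
    return flows


def build_sample_datagram() -> bytes:
    """Constructed sample export: one flow, an internal host (10.1.2.3) talking to an
    external web server (203.0.113.10) on 80/tcp. Addresses are documentation ranges."""
    header = struct.pack(HEADER_FMT, 5, 1, 60_000, 1_370_000_000, 0, 1, 0, 0, 0)
    record = struct.pack(RECORD_FMT,
                         IPv4Address("10.1.2.3").packed, IPv4Address("203.0.113.10").packed,
                         b"\x00" * 4, 1, 2, 12, 1_536, 45_000, 48_500, 51_234, 80,
                         0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record
```

A collector should apply the same length and version checks before trusting a datagram, since a malformed export from a spoofed source would otherwise be decoded as flow data.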
Intrusion Audit Trails
1:06:15 PM: Internal host visits malicious web site
1:06:30 PM: Malware infection complete, accesses Internet command and control
1:06:35 PM: Malware begins scanning internal network
1:07:00 PM: Gateway malware analysis identifies the transaction as malicious
1:13:59 PM: Multiple internal infected hosts
1:14:00 PM: Administrators manually disconnect the initial infected host
Do you know what went on while you were mitigating?
Behavioral Anomaly Detection
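The audit-trail timeline and this behavioral anomaly detection slide describe what flow data should let a defender reconstruct. As an added example (not from the original slides and not Lancope's product logic), the Python below runs a simple fan-out scan detector over constructed flow records that mirror the timeline, builds the chronological trail, and lists the hosts the first victim touched that later reached the same command-and-control address. The 10.0.0.0/8 internal range, the thresholds and all addresses are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal range for this constructed example
SCAN_WINDOW, SCAN_THRESHOLD = 60, 20  # seconds; distinct internal destinations in one window

def detect_scanners(flows):
    """Map internal hosts that reach >= SCAN_THRESHOLD distinct internal destinations
    within SCAN_WINDOW seconds to the time their scan began."""
    per_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["start"]):
        if ip_address(f["src"]) in INTERNAL and ip_address(f["dst"]) in INTERNAL:
            per_src[f["src"]].append((f["start"], f["dst"]))
    scanners = {}
    for src, events in per_src.items():
        window = []
        for t, dst in events:
            window = [e for e in window if t - e[0] <= SCAN_WINDOW] + [(t, dst)]
            if len({d for _, d in window}) >= SCAN_THRESHOLD:
                scanners[src] = window[0][0]
                break
    return scanners

def audit_trail(flows, c2_ips):
    """Chronological trail of C2 contacts and internal scans, built from flow records alone."""
    events = [(f["start"], f"{f['src']} contacted C2 {f['dst']}:{f['dport']}")
              for f in flows if f["dst"] in c2_ips]
    events += [(t, f"{src} began scanning the internal network")
               for src, t in detect_scanners(flows).items()]
    # start times are seconds since midnight; render as H:MM:SS
    return [f"{t // 3600}:{t % 3600 // 60:02d}:{t % 60:02d} {msg}" for t, msg in sorted(events)]

def secondary_infections(flows, c2_ips):
    """Hosts a flagged scanner touched that later reached C2: what happened during mitigation."""
    scanners = detect_scanners(flows)
    touched = {f["dst"] for f in flows if f["src"] in scanners and f["start"] >= scanners[f["src"]]}
    return sorted({f["src"] for f in flows if f["dst"] in c2_ips and f["src"] in touched})

def build_sample_flows():
    """Constructed flow records mirroring the slide's timeline (start = seconds since midnight)."""
    t = lambda h, m, s: h * 3600 + m * 60 + s
    flow = lambda start, src, dst, dport: {"start": start, "src": src, "dst": dst, "dport": dport}
    flows = [flow(t(13, 6, 15), "10.1.2.3", "203.0.113.10", 80),    # visits malicious web site
             flow(t(13, 6, 30), "10.1.2.3", "198.51.100.7", 443)]   # C2 check-in
    flows += [flow(t(13, 6, 35) + i // 2, "10.1.2.3", f"10.1.2.{101 + i}", 445) for i in range(40)]
    flows += [flow(t(13, 10, 0), "10.1.2.120", "198.51.100.7", 443)]  # a scanned host now reaches C2
    flows += [flow(t(13, 12, 0) + i // 2, "10.1.2.120", f"10.1.2.{141 + i}", 445) for i in range(40)]
    flows += [flow(t(13, 13, 59), "10.1.2.131", "198.51.100.7", 443)]
    return flows
```

The point of `secondary_infections` is the question on the previous slide: the flow record is what tells you that two more hosts reached C2 while the first one was being pulled off the network.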
Get Engaged with Lancope!
• Twitter: @Lancope, @NetFlowNinjas, @stealth_labs
• Subscribe, join the discussion, download
• Access StealthWatch Labs Intelligence Center (SLIC) reports and security research
Lancope at Cisco Live 2013
Return of the famous Lancope Ninja Sword!
• Visit booth #737
• Email sales@lancope.com to request a private demo at the event.
Thank you!
Tom Cross
Director of Security Research