SCADA Security:
The Five Stages of Cyber Grief
Tom Cross
Director of Security Research
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
The 5 Stages of Cyber Grief
Stage 1: Denial
"It's not connected to the Internet."
"In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks."
Source: Sean McGurk, Verizon; Subcommittee on National Security, Homeland Defense, and Foreign Operations hearing, May 25, 2011.
It's connected to the Internet.
ICS-CERT
• In February 2011, independent security researcher Ruben Santamarta used SHODAN to identify online remote access links to multiple utility companies' Supervisory Control and Data Acquisition (SCADA) systems.
• In April 2011, ICS-CERT received reports of 75 Internet-facing control system devices, mostly in the water sector. Many of those control systems had their remote access configured with default logon credentials.
• In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet-facing devices that he discovered using SHODAN.
SHODAN
• Project STRIDE: "To date, we have discovered over 500,000 control system related nodes worldwide on the internet. About 30% are from the US, and most are on ISP addresses."
Stage 2: Anger
Stage 3: Bargaining
• Stuxnet
  – First widely reported use of malware to destroy a physical plant
  – Extremely sophisticated
  – Jumped the air-gap via USB keys
  – Widespread infections throughout the Internet
• Shamoon
  – Targeted the energy sector
  – Destructive
  – Overwrites files
  – Destroys the Master Boot Record
[Figure: Stuxnet infections, source Symantec]
Stage 4: Depression
The Patching Treadmill
• Control systems are not designed to be shut down regularly
• Entire systems may need to be shut down for a single patch install
• Patching may mean upgrading
• Upgrades can cascade through a system
• Even assessments may require downtime!
• Patching leads to interconnectivity
• Interconnectivity leads to compromise
• Solutions?
  – Third-Party Run-Time In-Memory Patching?
  – Intrusion Prevention Systems?
Stage 5: Acceptance
What would acceptance mean?
• Getting serious about interconnectivity
  – We need to find new ways to work
  – We need to accept some inconvenience
• Designing systems for patchability
  – Systems that can be patched without being restarted
  – Hot standby failover
  – Patches that do not require upgrades
  – Security patches that can be accepted without performance concerns
  – Built-in IDS capability?
• Designing systems for failure
Lancope does NetFlow
Network Visibility through NetFlow
[Diagram: NetFlow exported from the DMZ, VPN, internal network, Internet edge and 3G/Internet links to a central NetFlow collector]
Each NetFlow record carries:
• src and dst IP
• src and dst port
• start time
• end time
• MAC address
• byte count
• more
Intrusion Audit Trails
1:06:15 PM: Internal host visits malicious web site
1:06:30 PM: Malware infection complete; accesses Internet command and control
1:06:35 PM: Malware begins scanning internal network
1:07:00 PM: Gateway malware analysis identifies the transaction as malicious
1:13:59 PM: Multiple internal infected hosts
1:14:00 PM: Administrators manually disconnect the initial infected host
Do you know what went on while you were mitigating?
Behavioral Anomaly Detection
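The three slides above (the fields in a NetFlow record, the intrusion audit trail, and behavioral anomaly detection) describe what flow data lets a defender reconstruct after the fact. The Python below is an added example, not part of the original deck and not Lancope or StealthWatch code: it builds a constructed set of flow records following the slide's timeline, reads back the audit trail for a host, applies one behavioral rule (an internal source touching many distinct internal destinations within a minute) to flag the scan, and lists the hosts that were infected while the first host was being handled. The record layout, the 10.0.0.0/8 internal range, every address, and the window and threshold values are assumptions made for the example.

```python
"""Audit trail and behavioural scan detection over NetFlow-style records.

Added example, not code from the deck or from Lancope's products. The
record layout, the 10.0.0.0/8 internal range, all addresses and the
thresholds are constructed assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space


@dataclass(frozen=True)
class Flow:
    """The per-flow fields the slide lists (MAC address omitted)."""
    start: datetime
    end: datetime
    src: str
    dst: str
    sport: int
    dport: int
    bytes: int


def _t(hms: str) -> datetime:
    return datetime.strptime("2013-06-01 " + hms, "%Y-%m-%d %H:%M:%S")


def _flow(start: datetime, src: str, dst: str, dport: int, nbytes: int,
          secs: float = 1.0) -> Flow:
    return Flow(start, start + timedelta(seconds=secs), src, dst, 50000, dport, nbytes)


# Constructed flows following the slide's timeline: patient zero 10.0.0.5
# fetches a malicious page, beacons to C2, sweeps SMB across its /24,
# pushes a payload to 10.0.0.23, which then beacons to the same C2.
MALICIOUS_SITE, C2 = "203.0.113.10", "198.51.100.7"
FLOWS: List[Flow] = [
    _flow(_t("13:06:15"), "10.0.0.5", MALICIOUS_SITE, 80, 48_000),
    _flow(_t("13:06:30"), "10.0.0.5", C2, 443, 1_200, secs=5),
    _flow(_t("13:09:00"), "10.0.0.5", "10.0.0.23", 445, 900_000, secs=20),
    _flow(_t("13:10:00"), "10.0.0.40", "10.0.0.200", 443, 8_000),  # benign
    _flow(_t("13:13:59"), "10.0.0.23", C2, 443, 1_100, secs=5),
]
for i in range(10, 60):  # the scan: 50 neighbours probed in about ten seconds
    FLOWS.append(_flow(_t("13:06:35") + timedelta(seconds=(i - 10) * 0.2),
                       "10.0.0.5", f"10.0.0.{i}", 445, 120, secs=0.1))


def audit_trail(flows: List[Flow], host: str) -> List[Flow]:
    """Every flow touching `host` in start order: the record an analyst reads
    back after the fact, whether or not anything alerted at the time."""
    return sorted((f for f in flows if host in (f.src, f.dst)), key=lambda f: f.start)


def scan_alerts(flows: List[Flow], window: timedelta = timedelta(seconds=60),
                threshold: int = 20) -> Dict[str, int]:
    """Behavioural rule: an internal source contacting more than `threshold`
    distinct internal destinations inside any `window` is flagged as scanning.
    Returns {source: peak distinct destinations seen in one window}."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if ip_address(f.src) in INTERNAL and ip_address(f.dst) in INTERNAL:
            by_src[f.src].append(f)
    alerts: Dict[str, int] = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.start)
        peak, lo = 0, 0
        for hi in range(len(fl)):  # sliding window over flow start times
            while fl[hi].start - fl[lo].start > window:
                lo += 1
            peak = max(peak, len({f.dst for f in fl[lo:hi + 1]}))
        if peak > threshold:
            alerts[src] = peak
    return alerts


def spread_after(flows: List[Flow], patient_zero: str, c2: str) -> Set[str]:
    """Internal hosts patient zero reached that later talked to the same C2:
    what went on while the first host was being mitigated."""
    first_c2 = min((f.start for f in flows if f.src == patient_zero and f.dst == c2),
                   default=None)
    if first_c2 is None:
        return set()
    touched = {f.dst for f in flows
               if f.src == patient_zero and ip_address(f.dst) in INTERNAL}
    return {f.src for f in flows
            if f.src in touched and f.dst == c2 and f.start > first_c2}


if __name__ == "__main__":
    for f in audit_trail(FLOWS, "10.0.0.5")[:4]:
        print(f.start.time(), f.src, "->", f.dst, f.dport, f.bytes)
    print("scan alerts:", scan_alerts(FLOWS))
    print("infected while mitigating:", spread_after(FLOWS, "10.0.0.5", C2))
```

The point of `spread_after` is the slide's closing question: disconnecting 10.0.0.5 at 1:14 PM does nothing about 10.0.0.23, and only the flow record, which was collected regardless of whether anything alerted, shows that the second host was reached by the first and then beaconed to the same command-and-control address. In production the window and threshold would be set from an observed baseline per host role rather than fixed constants.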
Get Engaged with Lancope!
• @Lancope
• @NetFlowNinjas
• @stealth_labs
• StealthWatch Labs Intelligence Center (SLIC) Reports
• Security Research
Lancope at Cisco Live 2013
Return of the famous Lancope Ninja Sword!
• Visit booth #737
• Email sales@lancope.com to request a private demo at the event.
Thank you!
Tom Cross
Director of Security Research