Solving ICS Cybersecurity Challenges in the Electric Industry

•Download as PPTX, PDF•

1 like•409 views

This document discusses how a mid-sized US electric utility implemented the Dragos cybersecurity platform to improve the visibility of its operational technology (OT) assets and threats, enhance compliance functions, and better support its limited OT security team. The Dragos solution included passive network monitoring sensors, asset characterization, and threat intelligence reporting. It helped the utility address compliance requirements, leverage Dragos' expertise through training and assistance, and improve its detection of OT threats through behavioral analytics and investigation playbooks. The solution demonstrated that combining technology with personnel support can effectively address common industrial control system security challenges faced by electric utilities.

Technology

SolvingICS Cybersecurity Challengesin the Electric
Industry
Dragos
Matt Cowell
mcowell@dragos.com
@m_p_cowell

Dragos Platform
Threat Detection & Response
technology for ICS
Dragos WorldView
ICS/OT Threat Intelligence
Threat Operations Center
Experienced assistance &
training
The Dragos Offering

Case Study Background
• Mid-sized US Electric utility
• Generation, Transmission and
Distribution networks
• Diverse mix of control system vendors
• Limited team to support OT cyber
security functions
• Network infrastructure supportive of
monitoring
• Converging IT/OT SOC

Customer Objectives
Improve visibility of networked OT assets
Improve visibility of OT threats
Improve NERC/CIP compliance functions
Better enable limited OT security team

Architecture
• Passive network monitoring
• Sensor/Server based
• 16 distributed sensors
• Centralized monitoring

Objective 1: Asset Visibility
Summary
• 30,000+ assets
• Vast volumes of data available
• Distributed across hundreds of
miles
• Some physical network separation

Objective 1: Asset Visibility
Solution
• Asset characterization
• Connections & protocols
• Zoning
• Timeline analysis

Objective 2: Compliance
Summary
• NERC CIP regulated utility
• Required high level of manual effort
• Apprehensive of outside vendors

Objective 2: Compliance
Solution
• Consultative discussion to
understand compliance pains
• Address specific CIP requirements
through technology
• Establish credibility through
industry trusted partners
Security Patch Management
 CIP-007-6 R2:
Malicious Code Prevention
 CIP-007-6 R3:
Security Event Monitoring
 CIP-007-6 R4:
Incident Reporting & Response
Planning
 CIP-008-5 R1:
Vulnerability Assessments
 CIP-010-2 R3:

Objective 3: Personnel
Summary
• Small, dedicated team
• Varied experience levels
• Performing many different functions
• Converging OT/IT SOC

Objective 3: Personnel
Solution
• Leverage Dragos experience
through technology
• On site assistance and ongoing
support
• Training to empower customer
personnel
• IR support escalation through
retainer

Objective 4: OT Threats
Summary
• Limited information sharing of
industry-wide threats
• Improve detection based on
known TTP’s & behaviors
• Reduce amount of work
performed by analysts to
validate alerts
• Know how to respond to
threats.

Objective 4: OT Threats
Solution
• Threat behavior analytics
• Query focused datasets
• Investigation playbooks
• Threat intelligence reports
provide additional context &
details

Additional resources
https://dragos.com/resource/implementing-the-dragos-
platform-to-solve-ics-cybersecurity-challenges-in-the-electric-
industry/
https://dragos.com/media/dragos-ics-threat-detection-response-
platform-demo/

Summary
Threats are increasing but defense is doable
IT and OT teams are blending
Solution requires combination of tech. & personnel to be effective+
Pursue proactive threat hunting vs reactive IR
Many companies are facing similar challenges

What's hot

Discovery of TRISIS/TRITON was a landmark event in the Industrial Control Systems (ICS) security community. It is the fifth known ICS-specific malware (following Stuxnet, Havex, BlackEnergy2, and CRASHOVERRIDE), and the first such malware to specifically target safety instrumented systems. Since identification and public disclosure in early December 2017, much has been written on TRISIS, its operation, and mitigations; however, such mitigations are usually too specific to TRISIS and fall short in assisting defenders with safety systems other than a Schneider Electric Triconex. In May, Dragos discovered that XENOTIME, the activity group behind TRISIS, had expanded its targeting to North America and other safety systems. Given this new data, a generalized approach to safety system defense is critical knowledge for ICS security personnel. This discussion aims to provide such an approach to guarding safety systems. We will provide an overview of the TRISIS malware, including its installation, execution and modification to the controller. Next, we will break down the TRISIS event's specific tactics, techniques and procedures (TTPs) and generalize them across the ICS kill chain. Using this model, we provide present-day actionable defense strategies for asset owners, as well as guidance for forensics, restoration, and recovery should an attack be discovered. We also look to the future and recommend ways in which the state of the art can be improved by vendors and ICS owners to empower defenders with the information they need to stop future attacks. Learn more here: https://www.dragos.com/blog/trisis/

Trisis in Perspective: Implications for ICS Defenders

Dragos, Inc.

Upon discovery and initial analysis in mid-2017, audiences primarily viewed CRASHOVERRIDE as a disruptive event targeting electric utility operations in Ukraine. Similar to the 2015 attack in the same area, CRASHOVERRIDE interrupted the flow of electricity by manipulating ICS equipment and delayed recovery operations to prolong the impact. However, CRASHOVERRIDE’s immediate effects represent only the precursors for an attempt at a more ambitious attack than what was achieved. In this presentation, Dragos Principal Adversary Hunter Joe Slowik reexamines the CRASHOVERRIDE event and likely attacker intentions, highlighting how CRASHOVERRIDE attempted a different type of attack than 2015. Viewers learn how to begin developing and deploying the required visibility, resilience, and response measures needed to cope with an attack like CRASHOVERRIDE. To view the webinar, go here: https://youtu.be/yX0ZSu_rVc0

Reassessing the 2016 CRASHOVERRIDE Cyber Attack

Dragos, Inc.

In this presentation, Matt Bodman, Director of Special Programs at Dragos, demonstrates the basics of Neighborhood Keeper. Neighborhood Keeper is a collaborative threat detection and intelligence program, led by Dragos in partnership with the DOE, that makes ICS threat analytics and data accessible to the greater ICS community. Its initial participants include: Dragos, Ameren, First Energy, Department of Energy’s Idaho National Labs, North American Electric Reliability Corporation’s Electricity Information Sharing and Analysis Center, and Southern Company. Neighborhood Keeper will serve smaller providers who lack sufficient resources to buy and manage advanced security technologies, giving them access to collaborative ICS data at near-real-time and providing them immediate insight into the ICS threat landscape without revealing sensitive data. For more information, please visit https://dragos.com/neighborhood-keeper/

Neighborhood Keeper - Introduction

Dragos, Inc.

In this presentation Daniel Michaud-Soucy, Principal Threat Analyst at Dragos, will demonstrate three separate models in order to identify gaps in ICS security posture. First, threat modeling serves as an inward look as an ICS network defender in order to properly understand the environment, the threat actors, the impacts, the risks and the crown jewels pertaining to an industrial process. Second, the ICS cyber kill chain serves as an outward look at the steps an adversary needs to take in order to achieve their objectives. Third, the bowtie model allows a graphical representation of the threats to the environment as well as the protection, detection, and response controls that help secure it. In the end, the asset owner creates a holistic picture of the security controls in their network, pertaining to the threat actors they care about and allows identification of gaps in their strategy. Visit www.dragos.com to learn more about the Dragos industrial cybersecurity platform for increased visibility of assets, threats and guided responses.

Dressing up the ICS Kill Chain

Dragos, Inc.

Dragos Adversary Hunter Jimmy Wylie presents "TRSIS in Perspective" at the 13th annual API conference in Houston, TX. This presentation analyzes the 2017 TRISIS event at an unspecified gas facility in Saudi Arabia--the first deliberate targeting of SIS that could have resulted in potential loss of life. This presentation also examines post-TRISIS, as Dragos has observed that XENOTIME, the adversary group responsible for TRSIS, has expanded its targeting to North America and other safety systems. Visit www.dragos.com to learn more.

TRISIS in Perspective

Dragos, Inc.

Dragos and CyberWire: ICS Ransomware

Dragos, Inc.

How to Respond to Industrial Intrusions

Dragos, Inc.

Dragos S4x20: How to Build an OT Security Operations Center

Dragos, Inc.

Presentation from Cyber Security for Critical Assets conference (CS4CA ) in Houston, March 26-28 2019 presented by Sergio Caltagirone, Vice President of Threat Intelligence. Covers: - overview of the OT threat landscape - new OT threats Dragos has uncovered through its industrial cybersecurity technology platform, array of services, and industrial threat intelligence. - details on major industrial threat activity groups and root causes of many recent OT compromises Learn more here: https://dragos.com/year-in-review/ More info: www.dragos.com Follow us on LinkedIn: https://www.linkedin.com/company/dragos-inc./ Follow us on Twitter: https://twitter.com/dragosinc

The Current ICS Threat Landscape

Dragos, Inc.

Sergio Caltagirone's, Dragos VP of Threat Intelligence, presentation from RSA 2019. The industrial control system threat is growing quickly. But ICS hackers do not start by disrupting electric grids. Instead, they mature predictably leading them from things that go bad, to things that go boom. In this presentation, Sergio Caltagirone will explain how using ICS threat intelligence Dragos has developed an ICS hacker maturity model enabling us to determine how much risk a threat poses and predict how long until they reach maximum risk. More information here: https://dragos.com/rsa-2019/ More info: www.dragos.com Follow us on LinkedIn: https://www.linkedin.com/company/drag.... Follow us on Twitter: https://twitter.com/dragosinc

How Long to Boom: Understanding and Measuring ICS Hacker Maturity

Dragos, Inc.

Joe Slowik, Dragos Sr. Adversary Hunter's presentation from RSA 2019. Cyber-defense centers on “what” a technology is designed to look for, with capabilities and limitations depending on the method. Three distinct approaches have emerged: traditional IOCs, anomaly detection and behavioral analytics. Unfortunately, marketing has muddied these terms beyond recognition. In this presentation, Joe Slowik, Adversary Hunter at Dragos will critically examine each approach and its capabilities. More information here: https://dragos.com/rsa-2019/ More info: www.dragos.com Follow us on LinkedIn: https://www.linkedin.com/company/drag.... Follow us on Twitter: https://twitter.com/dragosinc

Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors

Dragos, Inc.

Industrial control networks have been thrust into a world of network interconnectivity the likes we haven’t seen before, and that is expanding at an astonishing rate. A cultural and technical recalibration is vital to defend ICS assets from cyber threats, and the risks and potential consequences of a successful attack against our critical infrastructure are well known, yet few would argue that these changes are slow in coming. Why is that? In part, the notion that control networks are adequately defensible against cyber attack by “air gapping” the control network from the Internet and corporate network is still believed to be the best defense. In this presentation, the value and vulnerabilities of the air gap will be discussed, as well as specific methods to mitigate cyber threats along the attack continuum.

From Air Gap to Air Control

EnergySec

Selena Larson, Dragos Intelligence Analyst's presentation from RSA 2019. There have been public narratives about the US being on the precipice of a nationwide hacker-caused blackout. What is the reality of adversary activity and the potential or likelihood of a cyber attack that could disrupt the electric grid? What are hackers currently doing in ICS networks? In this presentation, Selena Larson, Intelligence Analyst at Dragos will separate fact from (science) fiction. More information here: https://dragos.com/rsa-2019/ More info: www.dragos.com Follow us on LinkedIn: https://www.linkedin.com/company/drag.... Follow us on Twitter: https://twitter.com/dragosinc

Debunking the Hacker Hype: The Reality of Widespread Blackouts

Dragos, Inc.

Kofax Document Security

Kofax

The energy and utilities industry needs to take extraordinary steps to protect its critical infrastructure. Gone are the days where treating physical security, process control security, and cybersecurity as separate functional areas can suffice. As the threats to our nation’s electric utility enterprises continue to rise, we must use all available information resources and security tools in highly integrated total security systems. As described in this presentation, recognizing and capitalizing upon the broad commonality of security domains across all the three security functional areas can open many more possibilities to enhance an enterprise’s defenses. Based upon this unique systems concept, already proven effective for cybersecurity, a methodology for an integrated total security defense is described that begins with threat and vulnerability intelligence-driven security processes. By extending this methodology to all three security functional areas, organizations can better organize and utilize all their security resources and processes, including threat and vulnerability information, pre-emptive defense strategies, real and near-real time situation awareness capabilities, and incident response/ recovery actions; regardless of whether they are part of the physical, process control, or cybersecurity functional areas. In addition to methods and tools for highly efficient collection and analysis of “all source” threat and vulnerability information, also described are systems approaches for fusing and correlating the high volume and wide variety of available security relevant information. These can assist the security professionals to quickly analyze and initiate actions as needed across each of the physical, control process, and cyber security areas.

An Approach to Closing the Gaps between Physical, Process Control, and Cybers...

EnergySec

This presentation overviews the key findings and takeaways from Dragos' 2019 ICS Year in Review reports, detailing ICS vulnerability data, global ICS threat activity, and observations from Dragos' professional service engagements--including threat hunts, penetration tests, tabletop exercises, incident response, and more. Go here to read all of the Year in Review reports, view infographics, and watch the webinar: https://dragos.com/year-in-review-2019/

Dragos 2019 ICS Year in Review

Dragos, Inc.

Dragos' Sergio Caltagirone and Robert M. Lee discuss the four types of threat detection methods for industrial control systems operations, while providing ICS-specific use cases, to help you determine which detection strategy is most effective for your organization. The recorded webinar can be found here: hhttps://youtu.be/zqvDu0OaY8k Aslo check out: Four Types of Threat Detection White Paper: https://dragos.com/blog/FourTypesOfTh... Part of the Secrets of ICS Cybersecurity webinar series: https://dragos.com/blog/20181017Webin... More info www.dragos.com Follow us on LinkedIn: https://www.linkedin.com/company/drag.... Follow us on Twitter: https://twitter.com/dragosinc

The Four Types of Threat Detection and Use Cases in Industrial Security

Dragos, Inc.

A key business goal of any organization is to maintain the constant availability of data and systems that can be trusted for decision-making purposes. The evolving threat landscape has resulted in increasing focus, right to board level, on cybersecurity. IT operational and security teams should demonstrate a comprehensive, cohesive approach in their response to security incidents and data breaches.

A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...

Kaspersky

BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo

Katie Nickels

New Threats, New Approaches in Modern Data Centers - A Presentation by NPS at CENIC conference 11:00 am - 12:00 pm, Wednesday, March 22, 2017 – in San Diego, California The standard approach to securing data centers has historically emphasized strong perimeter protection to keep threats on the outside of the network. However, this model is ineffective for handling new types of threats—including advanced persistent threats, insider threats, and coordinated attacks. A better model for data center security is needed: one that assumes threats can be anywhere and probably are everywhere and then, through automation, acts accordingly. Using micro-segmentation, fine-grained network controls enable unit-level trust, and flexible security policies can be applied all the way down to a network interface. In this joint presentation between customer, partner, and VMware, the fundamental tenants of micro-segmentation will be discussed. Presenters will describe how the Naval Postgraduate School has incorporated these principles into the architecture and design of a multi-tenant Cybersecurity Lab environment to deliver security training to national and international government personnel. Edgar Mendoza, IT Specialist, Information Technology and Communications Services (ITACS) Naval Postgraduate School Eldor Magat, Computer Specialist, ITACS, Naval Postgraduate School Mike Monahan, Network Engineer, ITACS, Naval Postgraduate School Iben Rodriguez, Brocade Resident SDN Delivery Consultant, ITACS, Naval Postgraduate School Brian Recore, NSX Systems Engineer, VMware, Inc. https://youtu.be/mYBbIbfKkGU?t=1h7m16s Copied from the program with corrections - https://adobeindd.com/view/publications/b9fbbdf0-60f1-41dc-8654-3d2141b0bf54/nh4h/publication-web-resources/pdf/Conference_Agenda_2017_v1.pdf

New Threats, New Approaches in Modern Data Centers

Iben Rodriguez

What's hot (20)

Trisis in Perspective: Implications for ICS Defenders

Reassessing the 2016 CRASHOVERRIDE Cyber Attack

Neighborhood Keeper - Introduction

Dressing up the ICS Kill Chain

TRISIS in Perspective

Dragos and CyberWire: ICS Ransomware

How to Respond to Industrial Intrusions

Dragos S4x20: How to Build an OT Security Operations Center

The Current ICS Threat Landscape

How Long to Boom: Understanding and Measuring ICS Hacker Maturity

Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors

From Air Gap to Air Control

Debunking the Hacker Hype: The Reality of Widespread Blackouts

Kofax Document Security

An Approach to Closing the Gaps between Physical, Process Control, and Cybers...

Dragos 2019 ICS Year in Review

The Four Types of Threat Detection and Use Cases in Industrial Security

A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...

BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo

New Threats, New Approaches in Modern Data Centers

Similar to Solving ICS Cybersecurity Challenges in the Electric Industry

AFAC session 2 - September 8, 2014

KBIZEAU

The SOC analyst training program is meticulously designed by the subject matter experts at Infosec Train. The training program offers a deep insight into the SOC operations and workflows. It is an excellent opportunity for aspiring and current SOC analysts (L1/L2/L3) to level up their skills to mitigate business risks by effectively handling and responding to security threats. https://www.infosectrain.com/courses/soc-analyst-expert-training/

Soc analyst course content v3

ShivamSharma909

Soc analyst course content

ShivamSharma909

A presentation given in April 2019 in London during ICS Cyber Security Conference. I discuss an anonymized investigation conducted by our team to identify a real malware infection on a production network, the tools and techniques used to contain this threat and how to use threat intelligence and visibility to stay ahead of cyber adversaries. Asset visibility and network baselining Continuous network monitoring Threat intelligence ingestion Thorough incident response plans

Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks

Angeloluca Barba

New Horizons SCYBER Presentation

New Horizons Computer Learning Centers / 5PE

Offensive cyber security engineer pragram course agenda

ShivamSharma909

Offensive cyber security engineer

ShivamSharma909

Offensive cyber security engineer updated

InfosecTrain

Slides from panel talk at the annual IEEE Power and Energy Society meeting on Power System Cybersecurity. After a 8 hour tutorial and a panel talk, there were a number of consistent themes and challenges that surfaced. The two that concern me the most are: a) blocking engineers from discussing security approaches at technical conferences and b) treating power system cybersecurity as only a compliance issue for the IT, legal, and compliance departments. With the hopes that this sparks a bigger conversation, I’m sharing a copy of my slides from our panel talk. Thoughts and comments are welcomed.

IEEE PES GM 2017 Cybersecurity Panel Talk

Nathan Wallace, PhD, PE

Embedded Security and the IoT – Challenges, Trends and Solutions

Real-Time Innovations (RTI)

An introduction to SOC (Security Operation Center)

Ahmad Haghighi

IoT Security Assessment - IEEE PAR Proposal

Syam Madanapalli

Proactive Approach to OT incident response - HOUSECCON 2023

Chris Sistrunk

Get ready to dive into the exciting world of IoT data processing! 🌐📊 Join us for a thought-provoking webinar on "Processing: Turning IoT Data into Intelligence" hosted by industry visionary Deepak Shankar, founder of Mirabilis Design. Discover how to harness the potential of IoT devices by strategically choosing processors that optimize power, performance, and space. In this engaging session, you'll explore key insights: ✅ Impact of processor architecture on Power-Performance-Area optimization ✅ Enabling AI and ML algorithms through precise compute and storage requirements ✅ Future trends in IoT hardware innovation ✅ Strategies for extending battery life and cost prediction through system design Don't miss the chance to learn how to leverage a single IoT Edge processor for multiple applications and much more. This is your opportunity to gain a competitive edge in the evolving IoT landscape.

Mastering IoT Design: Sense, Process, Connect: Processing: Turning IoT Data i...

Deepak Shankar

For many companies, Cyber Security is achieved solely through the application of technological solutions to software and hardware challenges. Schneider-Electric takes a more holistic approach with a program built around complete product lifecycles and encompassing safety, maintenance and security. Discover Schneider-Electric's cyber security vision, from understanding how secure functionality is engineered into products through the tools and support available to manage updates and patches, plus specific procedures for handling potential vulnerabilities. A software and hardware ecosystem is only as strong as its weakest component, and Schneider-Electric is working to strengthen this through StruXureware and the evolution of platforms.

Cyber security: A roadmap to secure solutions

Schneider Electric

Data centers move exabytes of data through their networks. This explosive growth in network traffic has put demands on data centers to adapt and add new technologies and standards to keep pace and make information easily accessible. Our personal information, company IP assets and sensitive data run across these networks that are constantly under persistent and malicious cyber attacks to look for vulnerabilities in their networks. IT security teams have to protect complex networks that are growing in size and complexity. They call for a new approach to gaining full – rather than partial – visibility into network behavior to stop downtime losses and data leaks. By providing 1 to 1 NetFlow generation then collecting the data and analyzing the flow records is essential in time-to-resolution (TTR). To help you take full advantage of valuable NetFlow data for use in network security management, Emulex and Lancope have created a best-in-class network and security solution that allows you to quickly and continuously monitor the makeup of the traffic traversing your network. In this webinar, we’ll explore why network security management is crucial in managing functionality and visibility of an organization’s network infrastructure and how Emulex helps address these deployment requirements. We'll also explore what matters most when network security is breached, and share some best practice insights gleaned from working with customers that run some of the largest and most critical data networks on the planet.

Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Emulex Corporation

Software Defined Networking in the ATMOSPHERE project

ATMOSPHERE .

As part of a Cisco Inc. funded project, I worked with Dr. Gail-Joon Ahn to propose a Policy Management framework to address secure collaboration and communication between disparate systems and Internet of Thing devices. We took this research one step further by proposing a robust, interacting and responsive edge-based infrastructure which we termed GORE computing. The Policy Management framework thus proposed in this computing paradigm is generic in nature with the intention of it being capable for utilization in futuristic edge-based computing paradigms for IoT based devices.

Final Master's Defense Presentation : Policy-driven Security Management in Ga...

Clinton DSouza

Stephen Wallo

AFCEA International

chapitre1-cloud security basics-23 (1).pptx

GhofraneFerchichi2

Similar to Solving ICS Cybersecurity Challenges in the Electric Industry (20)

AFAC session 2 - September 8, 2014

Soc analyst course content v3

Soc analyst course content

Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks

New Horizons SCYBER Presentation

Offensive cyber security engineer pragram course agenda

Offensive cyber security engineer

Offensive cyber security engineer updated

IEEE PES GM 2017 Cybersecurity Panel Talk

Embedded Security and the IoT – Challenges, Trends and Solutions

An introduction to SOC (Security Operation Center)

IoT Security Assessment - IEEE PAR Proposal

Proactive Approach to OT incident response - HOUSECCON 2023

Mastering IoT Design: Sense, Process, Connect: Processing: Turning IoT Data i...

Cyber security: A roadmap to secure solutions

Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Software Defined Networking in the ATMOSPHERE project

Final Master's Defense Presentation : Policy-driven Security Management in Ga...

Stephen Wallo

chapitre1-cloud security basics-23 (1).pptx

More from Dragos, Inc.

Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework

Dragos, Inc.

Purple Teaming ICS Networks

Dragos, Inc.

Dragos discusses the quickly rising tensions between the US, Russia, and Iran, threat intelligence on malicious activity surrounding these tensions, and recommended responses to defend industrial control systems and critical infrastructure worldwide. Presentations included from Dragos Threat Intelligence following these threats and the Dragos Threat Operations Center currently responding and defending against these threats. Visit www.dragos.com for more info about industrial cybersecurity

Rising Cyber Escalation US Iran Russia ICS Threats and Response

Dragos, Inc.

2018 Year in Review- ICS Threat Activity Groups

Dragos, Inc.

Key Considerations for Executives from Dragos Executive Year In Review on Industrial Cybersecurity Strategy by Robert M Lee Addresses questions of : - How do we know if we’re underspending or overspending on ICS/industrial cybersecurity? - What is the best thing we can do to get started that will help move us forward in OT security? - If a major attack happens, what is the role of the government? More Info here: https://dragos.com/resource/insights-to-build-an-effective-industrial-cybersecurity-strategy-for-your-organization/ https://www.linkedin.com/company/dragos-inc./ Twitter: https://twitter.com/dragosinc

Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...

Dragos, Inc.

From #CTISUMMIT. More info here: https://dragos.com/blog/industry-news/meet-me-in-the-middle-threat-indications-and-warning-in-principle-and-practice/ Video here: https://youtu.be/79RdB3aj2vA Discussions on threat intelligence often get bogged down between “machine speed” ingestion of atomic indicators and in-depth analysis of activity taking weeks (or months) to produce. Left in the cold in such debates is a very important but seldom considered middle ground: time-sensitive and incomplete but enriched threat intelligence. In the U.S. Navy and similar services, this is referred to as threat “indications and warning” (I&W) – a step beyond a simple observable refined to ensure accuracy and timely receipt. The goal of I&W is to get actionable, important information to those in need of it most as quickly, efficiently, and accurately as possible, even if as a result some context or other insights are lost. As a result of this activity, consumers are better armed and equipped to deal with and counter threats as they emerge, rather than either reacting to items with no context whatsoever or only reading about their challenges weeks after the fact in a complete intelligence report. This discussion explores the concept of threat I&W within the context of network security generally and threat intelligence specifically to identify this topic as a shamefully ignored middle ground between extremes. The presentation explores the conceptual background behind this idea, then transition to real-life examples of I&W drawn from the speaker’s past activity in threat intelligence, incident response, and military operations.

Meet Me in the Middle: Threat Indications and Warning in Principle and Practice

Dragos, Inc.

Uncovering ICS Threat Activity Groups for Intelligence-Driven Defense: Dragos has released information about eight threat activity groups that have targeted industrial companies. These groups range from espionage, to learning industrial environments for future effects, to causing a power outage and targeting human life directly. But what are threat activity groups? They are different than what is normally tracked in the community as threat actors and have a different focus for defenders.

Threat Activity Groups - Dragos

Dragos, Inc.

Dragos Adversary Hunter Joe Slowik presents on Behavior-Based Defense in ICS at the 13th annual API conference in Houston, TX. This presentation discusses how identifying adversary behaviors and their common requirements and behaviors can help network defenders prepare for future events--exemplifying how network defense for sensitive environments is strengthened through continuous improvement from prior events. Visit www.dragos.com to learn more.

Behavior-Based Defense in ICS

Dragos, Inc.

TTPs for Threat hunting In Oil Refineries

Dragos, Inc.

More from Dragos, Inc. (9)

Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework

Purple Teaming ICS Networks

Rising Cyber Escalation US Iran Russia ICS Threats and Response

2018 Year in Review- ICS Threat Activity Groups

Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...

Meet Me in the Middle: Threat Indications and Warning in Principle and Practice

Threat Activity Groups - Dragos

Behavior-Based Defense in ICS

TTPs for Threat hunting In Oil Refineries

Recently uploaded

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Manulife - Insurer Innovation Award 2024

The Digital Insurer

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Top 10 Most Downloaded Games on Play Store in 2024

SynarionITSolutions

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors

Manulife - Insurer Innovation Award 2024

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

AWS Community Day CPH - Three problems of Terraform

Top 10 Most Downloaded Games on Play Store in 2024

Artificial Intelligence Chap.5 : Uncertainty

Partners Life - Insurer Innovation Award 2024

🐬 The future of MySQL is Postgres 🐘

Powerful Google developer tools for immediate impact! (2023-24 C)

Artificial Intelligence: Facts and Myths

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

GenAI Risks & Security Meetup 01052024.pdf

Why Teams call analytics are critical to your entire business

A Domino Admins Adventures (Engage 2024)

Solving ICS Cybersecurity Challenges in the Electric Industry

1. SolvingICS Cybersecurity Challengesin the Electric Industry Dragos Matt Cowell mcowell@dragos.com @m_p_cowell

3. Dragos Platform Threat Detection & Response technology for ICS Dragos WorldView ICS/OT Threat Intelligence Threat Operations Center Experienced assistance & training The Dragos Offering

4. Case Study Background • Mid-sized US Electric utility • Generation, Transmission and Distribution networks • Diverse mix of control system vendors • Limited team to support OT cyber security functions • Network infrastructure supportive of monitoring • Converging IT/OT SOC

5. Customer Objectives Improve visibility of networked OT assets Improve visibility of OT threats Improve NERC/CIP compliance functions Better enable limited OT security team

6. Architecture • Passive network monitoring • Sensor/Server based • 16 distributed sensors • Centralized monitoring

7. Objective 1: Asset Visibility Summary • 30,000+ assets • Vast volumes of data available • Distributed across hundreds of miles • Some physical network separation

8. Objective 1: Asset Visibility Solution • Asset characterization • Connections & protocols • Zoning • Timeline analysis

9. Objective 2: Compliance Summary • NERC CIP regulated utility • Required high level of manual effort • Apprehensive of outside vendors

10. Objective 2: Compliance Solution • Consultative discussion to understand compliance pains • Address specific CIP requirements through technology • Establish credibility through industry trusted partners Security Patch Management  CIP-007-6 R2: Malicious Code Prevention  CIP-007-6 R3: Security Event Monitoring  CIP-007-6 R4: Incident Reporting & Response Planning  CIP-008-5 R1: Vulnerability Assessments  CIP-010-2 R3:

11. Objective 3: Personnel Summary • Small, dedicated team • Varied experience levels • Performing many different functions • Converging OT/IT SOC

12. Objective 3: Personnel Solution • Leverage Dragos experience through technology • On site assistance and ongoing support • Training to empower customer personnel • IR support escalation through retainer

13. Objective 4: OT Threats Summary • Limited information sharing of industry-wide threats • Improve detection based on known TTP’s & behaviors • Reduce amount of work performed by analysts to validate alerts • Know how to respond to threats.

14. Objective 4: OT Threats Solution • Threat behavior analytics • Query focused datasets • Investigation playbooks • Threat intelligence reports provide additional context & details

15. Additional resources https://dragos.com/resource/implementing-the-dragos- platform-to-solve-ics-cybersecurity-challenges-in-the-electric- industry/ https://dragos.com/media/dragos-ics-threat-detection-response- platform-demo/

16. Summary Threats are increasing but defense is doable IT and OT teams are blending Solution requires combination of tech. & personnel to be effective+ Pursue proactive threat hunting vs reactive IR Many companies are facing similar challenges

17. Thank you https://dragos.com @DragosInc

Editor's Notes

“What’s the goal for the conference?” Personal intro 2nd Energysec conference
First things first, how many attended BeerISAC last night? – hopefully you are all caffeinated and awake by now How many unfamiliar with BeerISAC?
Some of you might not be familiar with Dragos so id like to start with a quick introduction but will keep it brief so we can spend more time on the good stuff Know that Dragos has a 3 pronged approach to OT cybersecurity Know - Detect - Respond
The purpose of this presentation is to highlight the experience of an electric utility that Dragos worked with as we feel it could be applicable to many other utilieis Serves over 750k people Generation (coal, gas, wind, solar) Including Emerson, GE, SEL, Rockwell, Siemens, Honeywell, Yokogawa Managed switch infrastructure Team of 3 supported by IT security team Converging OT into existing IT Security operations
Customer is always right Knowing ALL OT Assets and changes over time Compliance efficiencies Limited personnel, performing lots of tasks – better equip so they are more efficient Rather than working in dark, try to better understand the threat landscape “That’s it”
Before we jump into the objectives and solutions it’s important to understand the primary technology being used in this instance Decreased risk of interruption to operations On prem server (cloud is an option too) Sensors positioned strategically to SPAN ports to give maximum visibility of different networks Deployed over 3 months - Coordinated with Dragos and customer field personnel
If you don’t know everything you have, you cannot protect In this case they already have a lot of infrastructure and data collection already available BUT too much data for limited team to manually process Utility covers expansive territory so network visibility essential Physical separation challenges need to be addressed – usually recommend architecture review before deployment to ensure coverage goals meet infrastructure capability
ASSET Visualizing on an easy to read graphical UI or map makes it easier for all experience levels. IP, MAC, TCP/UDP ports useful but need more. Deep Packet Inspection drills into useful application layer content but requires a broad coverage of protocol dissectors (some proprietary). The more seen, the more learned - Serial numbers, fw versions, configurations High level characterizations – HMI, Switch, Protective relay – all important for crown jewel analysis and investigations based upon intel – treat different device types differently COMMUNICATIONS Relationships between assets and between zone. Does it align to expectations. Are there any odd connections that require further exploration – ie unexpected internet connections ZONES Visualizing and analyzing thousands of assets is challenging. Breaking up the view into a representation that best meets your requirements – graphical, function, type, IP address range TIMELINE When did assets first appear/disappear? Does this correlate with other timestamps – surveillance cameras, door entry logs? BENEFITS Save analysts time in collecting asset details – more efficient, less money. Assists compliance requirements with standard reports. Aids improved threat detection and IR
Often security tools purchased to the benefit of security teams but important to explore other stakeholders such as those responsible for compliance (increase overall value) Compliance != good security but is a legal requirement Enhance compliance by developing improvements beyond current capability Reduce people with clipboards and manual work Outside vendors disrupting operations – inadvertent violations or downtime
Technology can enable enhanced NERC requirements inc: Patch management, Security event monitoring, IR planning, vuln assessments, etc Begins with asset inventory AND knowing more about vulns – actual cvss score, impact, alternative work arounds – integrated threat intelligence expands on open source details – available through platform Pasive vulnerability discovery coming Behavior analytics – knowing what malicious behaviors observed in wild (intelligence) and known ‘expected’ behaviors based on assets and protocols – able to detect and alert and then take action Log collection and analysis – easier collection and review for limited team Playbooks and IR case management – augment with services – TTX to test and validate 15 months -> CIP-009-6 R1: Recovery Plans for BES Cyber Systems Platform + Intel + Services Asset inventory, ports and services Specific compliance pains – apply understanding of NERC/CIP, customer pains and technology capabilities to improve Improved credibility through partnerships with trusted partners such as SEL, DOE, EISAC
Better enable existing OT team Wearing many hats – need to be focused/efficient with time Assessments, patching, incident response Utility does have security operations expanding coverage of OT
Dragos has over 200+ years combined ICS cyber security experience – further more develop asset characterizations through custom dev and working with partners Analytics to improve detection – reduce false positive to focus efforts on real threats Playbooks to guide effective IR Emerging technology and limited resources, Dragos field team assisted with deployment until customer was comfortable – even helped run wire! Full spectrum from detection through response Expand domain areas of limited experience such as threat intelligence (knowing what we have learned of ICS focused adversaries) and proactive threat hunting – YIR highlighted 1/3 IR cases adversaries were undetected over 12 months Augment existing team capabilities with Dragos support, training and IR team
Threats to OT are increasing in frequency and sophistication Not a lot of industry wide information sharing ALSO Limited information sharing compounded with inaccurate reporting and hype – wild goose chase Lots of lessons to be learned False positives Having foresight to know what to do in a situation not experienced before
Derived from intelligence – ie observed in wild or collaboration with vendors – Dragos team shares detections and response through continuously updated content packs TBA’s improve confidence and provide context – TTPs and IOC’s QFD’s streamline IR and proactive hunts by providing reports of key data in one view Playbooks provide experience from the field on the appropriate response for new events Intel reports provide supporting data
You might be able to relate to some of this… Individual needs might be different – but likely need combination of tech and people “An ounce of prevention is worth a pound of cure” With that, thank you for your time and pass back to Tim

Solving ICS Cybersecurity Challenges in the Electric Industry

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Solving ICS Cybersecurity Challenges in the Electric Industry

Similar to Solving ICS Cybersecurity Challenges in the Electric Industry (20)

More from Dragos, Inc.

More from Dragos, Inc. (9)

Recently uploaded

Recently uploaded (20)

Solving ICS Cybersecurity Challenges in the Electric Industry

Editor's Notes