1 Copyright © 2014, FireEye, Inc. All rights reserved.
Case Studies: Industrial Control Systems
Dan Scali, Manager – Industrial Control Systems
Mandiant Security Consulting Services
ICS security threats
Network layers shown, top to bottom: Enterprise/IT, Plant DMZ, SCADA/ICS, Control
SCADA/ICS layer: SCADA, Historian, HMI
Control layer: PLCs, Controllers, RTUs, PACs
Threat vector: Attacks on the enterprise
Threat vector: Attacks on ICS/SCADA systems and devices
Case studies
• Building a comprehensive program: How an ICS operator used Mandiant Security Consulting Services to build an IT/OT cyber security program
• Defending the SCADA & field-level devices: How an ICS operator used passive network monitoring to identify SCADA network configuration flaws
Case Study
Building a cyber security program
The challenges (business imperative and implications for each)

Maintain compliance
  Business imperative: Transition from NERC CIP v3 to NERC CIP v5
  Implications:
  • 10-20k serial assets coming into scope for NERC CIP
  • Requires coordination across OT & IT

Resist targeted attacks
  Business imperative: Detect, respond to, and contain incidents impacting grid assets
  Implications:
  • Integrated SOC will need visibility into grid assets
  • IR processes and technologies must be adapted for the control system environment

Support reliability
  Business imperative: IT/OT convergence and next-generation grid
  Implications:
  • Legacy control systems technology will be replaced
  • Connectivity & exposure of power systems will increase
FireEye’s solution: Program strategy
Mission: To support the reliable operation of the bulk electric system in accordance with legal and regulatory responsibilities by preventing, detecting, and responding to cybersecurity incidents.
Stakeholders: Transmission & Distribution – Cybersecurity – Power Systems IT
Program pillars: Governance, Technology, Operations
Key functions & activities:
• Policy
• Compliance
• Training
• Asset inventory
• Metrics
• New projects
• Technical standards
• Evaluation & Procurement
• External working groups
• Maintenance
• Incident Response
• Vulnerability & Patch Management
Sample roadmap
Sample heatmap
Sample project plan
Case Study
Protecting the SCADA
The challenge
• Customer had invested heavily in a network segmentation and firewall configuration effort
• Needed a way to validate that:
  – No connections were possible directly from the business network to the SCADA network
  – SCADA was not able to communicate with the internet
The Solution: FireEye PX
• Ultrafast packet capture up to 20Gbps sustained in a single appliance allows for aggregation and cost savings
• Internal or external storage options (FC or SAS)
• Ultrafast search
  – Patented tiered indexing system (search TBs in seconds)
• Session Analysis
  – Full reconstruction of web, email, DNS, & FTP traffic
  – File extraction
  – User extensible
• Industry standard PCAP format for capture data
• Export of index data in NetFlow v9 or IPFIX format
PX deployment options
Three topologies are shown. In each, the Enterprise Network sits upstream of a Firewall/DMZ, Router and Switch feeding the ICS segment, and NX and PX appliances (with Pivot2Pcap) receive traffic from one of:
• a SPAN port on the switch
• an out-of-band (OOB) Tap
• an inline Tap
Results
15 minutes of network traffic capture data revealed:
• Traffic direct from business network to SCADA zone
• External DNS requests
• Potential multi-homed devices
• Limited segmentation between SCADA zones
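As an added example (not code from the deck or from FireEye), this is the kind of check the passive review above amounts to: flow records exported from the capture (PCAP, or the NetFlow v9 / IPFIX index export listed on the previous slide) are compared against the intended zone design to surface the four finding types. The zone ranges, MAC addresses and flow records are constructed; a real review would load the site's own segmentation design and the exported flows.

```python
import ipaddress
from collections import defaultdict

# Zone address ranges. Constructed for this example; a real review would load
# the site's own segmentation design here. Anything outside these is "external".
ZONES = {
    "business": ipaddress.ip_network("10.1.0.0/16"),
    "scada_a": ipaddress.ip_network("10.50.1.0/24"),
    "scada_b": ipaddress.ip_network("10.50.2.0/24"),
}

def zone_of(ip):
    """Map an address to its zone; anything outside the defined zones is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def review_flows(flows):
    """Check flow records against the segmentation policy and group the
    violations into the four finding types reported in the case study."""
    findings = defaultdict(list)
    zones_by_mac = defaultdict(set)  # source MAC -> zones its source IPs fall in
    for f in flows:
        src, dst = zone_of(f["src"]), zone_of(f["dst"])
        zones_by_mac[f["src_mac"]].add(src)
        if src == "business" and dst.startswith("scada"):
            findings["business_to_scada"].append(f)   # firewall should have blocked this
        if src.startswith("scada") and dst == "external" and f["dport"] == 53:
            findings["external_dns"].append(f)        # SCADA host resolving via the internet
        if src.startswith("scada") and dst.startswith("scada") and src != dst:
            findings["cross_scada_zone"].append(f)    # SCADA zones not isolated from each other
    # One interface addressed in two zones is a potential multi-homed device
    # (a host with two NICs needs name-based correlation instead; not shown here).
    for mac, zones in zones_by_mac.items():
        if len(zones) > 1:
            findings["multi_homed"].append((mac, sorted(zones)))
    return dict(findings)

# Constructed flow records standing in for a 15-minute capture export.
SAMPLE_FLOWS = [
    {"src": "10.1.20.15", "dst": "10.50.1.10", "dport": 502, "src_mac": "02:00:00:00:00:01"},
    {"src": "10.50.1.10", "dst": "8.8.8.8", "dport": 53, "src_mac": "02:00:00:00:00:02"},
    {"src": "10.50.1.30", "dst": "10.50.2.30", "dport": 102, "src_mac": "02:00:00:00:00:03"},
    {"src": "10.1.40.8", "dst": "10.1.40.9", "dport": 445, "src_mac": "02:00:00:00:00:04"},
    {"src": "10.50.2.8", "dst": "10.50.2.9", "dport": 20000, "src_mac": "02:00:00:00:00:04"},
    {"src": "10.50.1.11", "dst": "10.50.1.12", "dport": 502, "src_mac": "02:00:00:00:00:05"},
]
```

Running `review_flows(SAMPLE_FLOWS)` returns one hit in each of the four categories; the last record (Modbus within a single SCADA zone) is the only one that passes.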
Incident response workflow
Detect: FireEye threat prevention platform (NX, EX, FX, or AX) detects the threat and generates an alert with a detailed OS change report.
Validate & Contain: The OS change report is sent to the HX appliance, which then generates an indicator and pushes it to the endpoint agent. The operator can contain & isolate the compromised endpoint by blocking all traffic with a single-click workflow while continuing with the investigation. The analyst can view a detailed exploit timeline from the endpoint to better understand the attack.
Forensics Analysis: The analyst pivots to PX with the IP address and time of infection to reconstruct the kill chain before, during and after, to determine the scope and impact of a threat via captured packets.
Questions?

ICS case studies v2
