ICS case studies v2

894 views


Implementing security for ICS (from FireEye)

Published in: Devices and hardware


  1. Case Studies: Industrial Control Systems. Dan Scali, Manager – Industrial Control Systems, Mandiant Security Consulting Services. Copyright © 2014, FireEye, Inc. All rights reserved.
  2. ICS security threats (layered network diagram, top to bottom):
     • Enterprise/IT
     • Plant DMZ
     • SCADA/ICS Control: SCADA, Historian, HMI
     • PLCs, Controllers, RTUs, PACs
     Threat vector: attacks on the enterprise. Threat vector: attacks on ICS/SCADA systems and devices.
  3. Case studies
     • Building a comprehensive program: how an ICS operator used Mandiant Security Consulting Services to build an IT/OT cyber security program
     • Defending the SCADA & field-level devices: how an ICS operator used passive network monitoring to identify SCADA network configuration flaws
  4. Case Study: Building a cyber security program
  5. The challenges (table: challenge, business imperative, implications)
     • Maintain compliance. Business imperative: transition from NERC CIP v3 to NERC CIP v5. Implications: 10-20k serial assets coming into scope for NERC CIP; requires coordination across OT & IT.
     • Resist targeted attacks. Business imperative: detect, respond to, and contain incidents impacting grid assets. Implications: an integrated SOC will need visibility into grid assets; IR processes and technologies must be adapted for the control system environment.
     • Support reliability. Business imperative: IT/OT convergence and the next-generation grid. Implications: legacy control systems technology will be replaced; connectivity & exposure of power systems will increase.
  6. FireEye's solution: Program strategy
     Mission: to support the reliable operation of the bulk electric system in accordance with legal and regulatory responsibilities by preventing, detecting, and responding to cybersecurity incidents.
     Program pillars: Governance, Technology, Operations.
     Stakeholders: Transmission & Distribution, Cybersecurity, Power Systems IT.
     Key functions & activities: Policy; Compliance; Training; Asset inventory; Metrics; New projects; Technical standards; Evaluation & Procurement; External working groups; Maintenance; Incident Response; Vulnerability & Patch Management.
  7. Sample roadmap (figure)
  8. Sample heatmap (figure)
  9. Sample project plan (figure)
  10. Case Study: Protecting the SCADA
  11. The challenge
     • The customer had invested heavily in a network segmentation and firewall configuration effort
     • They needed a way to validate that:
       – No connections were possible directly from the business network to the SCADA network
       – SCADA was not able to communicate with the internet
  12. The Solution: FireEye PX
     • Ultrafast packet capture, up to 20 Gbps sustained in a single appliance, allows for aggregation and cost savings
     • Internal or external storage options (FC or SAS)
     • Ultrafast search: patented tiered indexing system (search TBs in seconds)
     • Session analysis: full reconstruction of web, email, DNS, and FTP traffic
     • File extraction
     • User extensible
     • Industry-standard PCAP format for capture data
     • Export of index data in NetFlow v9 or IPFIX format
  13. PX deployment options (diagram). Three placements of the capture point between the Enterprise Network, Firewall/DMZ, Switch, Router and ICS segments, each feeding NX and PX with Pivot2Pcap:
     • Tap (out-of-band)
     • SPAN port
     • Tap (inline)
  14. Results: 15 minutes of network traffic capture data revealed:
     • Traffic direct from the business network to the SCADA zone
     • External DNS requests
     • Potential multi-homed devices
     • Limited segmentation between SCADA zones
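The four findings on the results slide are the kind of thing a passive capture (or the NetFlow v9/IPFIX index export mentioned on the PX slide) lets you check without touching the control network. The example below is added here and is not FireEye's code or the customer's: it runs the checks from the "challenge" slide (business-to-SCADA connections, SCADA-to-internet traffic including external DNS, multi-homed hosts, SCADA-zone-to-SCADA-zone traffic) over a constructed list of flow records. The zone CIDRs, MAC addresses and flows are assumptions chosen to exercise each finding; in practice you would feed it tuples derived from the PCAP or flow export.

```python
"""Passive segmentation validation over flow records (added example, not FireEye code).

Each flow record is (src_mac, src_ip, dst_ip, proto, dst_port), the fields you
get from a 5-tuple index or a flow export. Zone CIDRs are assumed for the example.
"""
import ipaddress
from collections import defaultdict

# Assumed zone layout for the example; replace with the site's real address plan.
ZONES = {
    "business": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "scada_a": ipaddress.ip_network("10.10.1.0/24"),
    "scada_b": ipaddress.ip_network("10.10.2.0/24"),
}
SCADA_ZONES = {"scada_a", "scada_b"}

# Constructed sample flows; comments say which finding each one is meant to trigger.
SAMPLE_FLOWS = [
    ("aa:aa:aa:00:00:01", "10.1.5.20", "10.10.1.10", "tcp", 502),     # business -> SCADA (Modbus): violation
    ("aa:aa:aa:00:00:02", "10.1.5.21", "10.2.0.5", "tcp", 443),       # business -> DMZ: allowed
    ("bb:bb:bb:00:00:01", "10.10.1.10", "8.8.8.8", "udp", 53),        # SCADA host -> external resolver: violation
    ("bb:bb:bb:00:00:01", "10.10.1.10", "10.2.0.53", "udp", 53),      # SCADA host -> DMZ resolver: allowed
    ("bb:bb:bb:00:00:02", "10.10.1.11", "10.10.2.20", "tcp", 20000),  # SCADA zone A -> zone B (DNP3): weak zoning
    ("cc:cc:cc:00:00:01", "10.10.2.30", "10.2.0.5", "tcp", 443),      # SCADA B -> DMZ historian: allowed
    ("cc:cc:cc:00:00:01", "10.1.7.9", "10.2.0.5", "tcp", 443),        # same MAC with a business IP: multi-homed
]


def zone_of(ip):
    """Map an IP to a configured zone, 'external' for public space, else 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external" if addr.is_global else "unknown"


def analyze(flows):
    """Return the segmentation findings keyed by the name of the check."""
    findings = {
        "business_to_scada": [],   # direct business -> SCADA connections
        "scada_to_internet": [],   # any SCADA -> public address
        "external_dns": [],        # subset of the above on port 53
        "cross_scada": [],         # traffic between two SCADA zones
        "multi_homed": [],         # one MAC sourcing traffic from two zones
    }
    zones_seen_per_mac = defaultdict(set)

    for mac, src, dst, proto, dport in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        zones_seen_per_mac[mac].add(src_zone)

        if src_zone == "business" and dst_zone in SCADA_ZONES:
            findings["business_to_scada"].append((src, dst, dport))
        if src_zone in SCADA_ZONES and dst_zone == "external":
            findings["scada_to_internet"].append((src, dst, dport))
            if dport == 53:  # DNS over UDP or TCP
                findings["external_dns"].append((src, dst, dport))
        if src_zone in SCADA_ZONES and dst_zone in SCADA_ZONES and src_zone != dst_zone:
            findings["cross_scada"].append((src, dst, dport))

    for mac, zones in zones_seen_per_mac.items():
        if len(zones) > 1:
            findings["multi_homed"].append((mac, sorted(zones)))
    return findings


if __name__ == "__main__":
    for check, hits in analyze(SAMPLE_FLOWS).items():
        print(f"{check}: {len(hits)} finding(s)")
        for hit in hits:
            print("   ", hit)
```

The multi-homed check only works when the capture point sees layer 2 (a tap or SPAN on the switch, as in the deployment slide); flows exported past a router have lost the source MAC, so that check should be run on the raw PCAP.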
  15. Incident response workflow
     • Detect: the FireEye threat prevention platform (NX, EX, FX, or AX) detects the threat and generates an alert with a detailed OS change report.
     • Validate & Contain: the OS change report is sent to the HX appliance, which generates an indicator and pushes it to the endpoint agent. The operator can contain and isolate the compromised endpoint by blocking all traffic with a single-click workflow while continuing the investigation. The analyst can view a detailed exploit timeline from the endpoint to better understand the attack.
     • Forensics Analysis: the analyst pivots to PX with the IP address and time of infection to reconstruct the kill chain before, during and after, determining the scope and impact of the threat via captured packets.
  16. Questions?
