We encourage the energy sector to think about its security imperatives across IT and OT in a more organized fashion: structured and centered around a core discipline of security analytics and services. This core is enabled by cognitive intelligence that continuously learns the many variables within the IT and operations domains.
IBM: Cognitive Security Transformation for the Energy Sector
1. Cognitive Security Transformation for the Energy Sector
INTRODUCTION TO IBM SECURITY ENERGY ENVIRONMENT & UTILITIES
Steven Dougherty
Associate Partner, Energy Environment & Utilities
October 2017
2. 2 IBM Security
Sophisticated attacks are trending across the industry nationally and globally
Incident timeline shown on the slide (dates as given on the slide; details are in the speaker notes at the end):
• June 2015: Confidential SCADA system data for a hydroelectric generator exposed on the Dark Web
• December 2015: SCADA system for a New York dam hacked
• December 2015: Network breach of a US natural gas and electricity company
• December 2015: SCADA systems of three Ukrainian electricity distributors infiltrated
• January 2016: Ransomware email delivered to the Israeli Electricity Authority
• March 2016: Hackers breach a water company’s SCADA system, controlling water flow and chemical levels
• April 2016: Ransomware phishing on a Michigan-based electric and water utility
• April 2016: Malware discovered on a fuel system at a Bavaria-based nuclear power plant
• December 2016: SCADA systems of Kiev Ukrainian electricity distribution infiltrated (again)
• June 2017 ("Busy Month!"): WannaCry, Industroyer, NotPetya and cyber warfare on Ukraine
• September 2017: Dragonfly 2.0 (USA, Europe & Turkey)
3. 3 IBM Security
The sophistication of attacks on the energy sector challenges today’s practices
• Attack macros are far more complex and coordinated
  – 30% of the code is used to create noise, to confuse forensic analysis and hide sources
  – 69% contained obfuscation of techniques
  – 1% is the actual launcher payload
  – Several teams collaborating
• Malware unwraps in several iterations in empty memory spaces, similar to putting together a puzzle
• Malware mimics legitimate hardware driver behavior
• Domain servers are targeted first
• Detailed reconnaissance: infrastructure logging, history, tools, and privileged user behavior and activities are analyzed
• Rapid use of mimicry and camouflage, through valid credentials and the victims’ common service software tools, to mask activities
• External threats can now be indistinguishable from internal threats
11/21/2017
4. 4 IBM Security
If traditional IT security practices are unsustainable, where does that leave ICS (Industrial Control Systems)?
1.5 MILLION unfilled security positions by 2020
68 PERCENT of CEOs are reluctant to share incident information externally
85 security tools from 45 vendors
5. 5 IBM Security
Network visibility and segmentation
How do I get started when all I see is chaos?
IP reputation
Indicators of compromise
Firewalls
Network forensics and threat management
Virtual patching
Sandboxing
Malware protection
Data access control
Data monitoring
Application security management
Application scanning
Access management
Entitlements and roles
Identity management
Transaction protection
Device management
Content security
Workload
protection
Cloud access
security broker
Vulnerability management
Privileged identity management
Incident response
Criminal detection
Fraud protection
Endpoint patching
and management
Cognitive security
User behavior analysis
Threat and anomaly detection
Threat hunting and investigation
Threat sharing
Endpoint detection
and response
6. 6 IBM Security
Beyond PIM for insider threats, establish a security immune system
[Same security immune system capability map as slide 5, here with Privileged identity management (PIM) called out]
7. 7 IBM Security
E&U Approach – Until we can protect ICS, invest in detect & respond
Capability map shown on the slide:
• SECURITY ANALYTICS: Log, SIEM, Vulnerability, Cloud, UBA, DNS, EDR
• THREAT HUNTING: Search, Link Analysis, Visualizations
• THREAT INTELLIGENCE: Sharing, Open Interfaces, Malware Analysis
• INCIDENT RESPONSE: Orchestration, Collaboration, Workflow
• Cognitive Security
• Patch, Query, Remediate
What do clients want?
• End-to-end protection against advanced threats despite resource and skills gaps
• Ability to prevent, analyze, hunt, and respond across the enterprise and beyond
• Orchestrated people, processes and technology that work together in unison
Delivering on client needs by:
• Differentiating with cognitive security
• Delivering integrated detection and response
• Leading with new security orchestration
• Enhancing intelligence with malware analysis
• Expanding our ecosystem and open platforms
• Breaking ground with new threat services
8. 8 IBM Security
Security from gateway to sensor coverage
Diagram: ICS data collection across IT and OT into the SIEM, network based and host based (after Eric Knapp, Syngress, 2012)
Solutions:
- SCADA-level operational data analysis
- Industrial honeypot
- Deep asset/vulnerability management & machine learning
- Firewall, RAS, encryption & authentication to PLC
- Deep operational & security data
- Asset discovery + configuration management
Future:
- PLC-level protection
- Smart sensor monitoring
- Trusted remote industrial component
New:
- IBM QNI
- Industrial IoT
10. 10 IBM Security
Comprehensive data sets and open analytics to sense malicious users
E&U Threat Profile: pull OT UBA to detect internal and external threats mimicking privileged engineers
Machine learning on user patterns against risk score and peer groups
11. 11 IBM Security
IBM QRadar UBA: Machine Learning algorithms
Detecting change in activity vs. frequency and deviation from peer groups
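As an added illustration of the UBA idea on slides 10 and 11 (example code written for this page, not IBM's or QRadar UBA's implementation), the following scores each engineer's daily count of privileged OT actions against that user's own history (change in activity vs. frequency) and against the rest of the peer group (deviation from peers), then combines both into a risk score. The activity counts, the one-event spread floor, the weights and the threshold are all constructed assumptions.

```python
"""UBA-style scoring of privileged-user activity: self-baseline and peer-group deviation.
Added example for this page; not IBM code. All data and tuning values are constructed."""
from statistics import mean, pstdev

# Constructed sample: daily counts of privileged OT actions (e.g. HMI logins,
# PLC configuration writes) for one peer group of control engineers.
# Five days of history per user plus today's count. Today, eng_d's valid
# credentials are being used far outside that user's (and the group's) pattern.
HISTORY = {
    "eng_a": [4, 5, 3, 6, 5],
    "eng_b": [5, 4, 6, 5, 4],
    "eng_c": [3, 4, 4, 5, 3],
    "eng_d": [5, 6, 5, 4, 6],
}
TODAY = {"eng_a": 5, "eng_b": 4, "eng_c": 4, "eng_d": 31}

SD_FLOOR = 1.0  # assumed minimum spread (one event): avoids division by zero and inflated scores

def zscore(value, samples):
    """Standard score of value against samples, with the spread floored at SD_FLOOR."""
    return (value - mean(samples)) / max(pstdev(samples), SD_FLOOR)

def self_deviation(history, today_value):
    """Change in activity vs. frequency: today's count against the user's own baseline."""
    return zscore(today_value, history)

def peer_deviation(user, today):
    """Deviation from peer group: today's count against the other users' counts today."""
    peers = [v for u, v in today.items() if u != user]
    return zscore(today[user], peers)

def risk_score(self_z, peer_z, weight=10):
    """Combine both signals into a 0..100 score; only increases in activity add risk."""
    raw = weight * max(self_z, 0.0) + weight * max(peer_z, 0.0)
    return min(100, round(raw))

def score_group(history, today, threshold=50):
    """Score every user in the peer group; a user is flagged when risk >= threshold."""
    results = {}
    for user in today:
        s = self_deviation(history[user], today[user])
        p = peer_deviation(user, today)
        r = risk_score(s, p)
        results[user] = {"self_z": s, "peer_z": p, "risk": r, "flagged": r >= threshold}
    return results

def flagged_users(history, today, threshold=50):
    """Sorted list of users whose risk score crossed the threshold."""
    return sorted(u for u, r in score_group(history, today, threshold).items() if r["flagged"])

if __name__ == "__main__":
    for user, r in score_group(HISTORY, TODAY).items():
        print(f"{user}: self_z={r['self_z']:+.2f} peer_z={r['peer_z']:+.2f} "
              f"risk={r['risk']:3d} flagged={r['flagged']}")
```

Note that the outlier also inflates the peer statistics for everyone else (their peer_z goes negative), which is why production UBA scores against many days of peer history rather than a single day's snapshot.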
12. 12 IBM Security
IBM - here to deploy and manage optimized E&U security programs
IBM Security Transformation Services
• Security Strategy, Risk and Compliance: Automate governance, risk and compliance programs
• Security Intelligence and Operations: Build security operations and security fusion centers
• X-Force Incident Response and Intelligence: Establish proactive incident response programs
• X-Force Red Offensive Security: Take a programmatic approach to security testing
• Identity and Access Management: Modernize identity and access management for the cloud and mobile era
• Data and Application Security: Deploy robust critical data protection programs
• Infrastructure and Endpoint Security: Redefine infrastructure and endpoint solutions with secure software-defined networks
SECURITY TRANSFORMATION SERVICES
Stakeholders: CEO, CIO, CISO, CRO, CCO, CLO
Delivery models: Systems Integration, Management Consulting, Managed Security
Sophisticated attacks on the energy and utilities industry are increasingly making news. Those shown on this slide are just a sampling of recent threats and breaches:
April 2016:
Malware was discovered on a fuel assembly loading system at the Bavaria-based Gundremmingen nuclear power plant.
Cyber criminals delivered ransomware via phishing to the corporate network of Board of Water & Light (BWL), a Michigan-based public electric and water utility. Administrators shut down the corporate network to isolate the ransomware and prevent it from potentially moving into the company’s operational technology (OT) environment.
March 2016:
Hackers infiltrated a water company’s SCADA control system and changed the levels of chemicals being used to treat tap water to make it safe to drink. They manipulated the programmable logic controllers (PLCs) regulating the valves and ducts that controlled the flow of water and chemicals.
January 2016:
An unknown threat actor delivered ransomware via email to the Israeli Electricity Authority, Israel’s electricity regulatory agency. Infected machines were taken off the corporate network for several days to prevent lateral movement, including into the OT environment.
December 2015:
Investigators disclosed that an Iranian hacker established remote access to a SCADA system controlling the Bowman Dam in New York. The attacker gained access via the system’s cellular modem and gathered information on water levels, temperature and the status of the sluice gate.
Security researchers disclosed a campaign in which alleged Iranian threat actors gained access to networks operated by a US natural gas and geothermal electricity company. The actors stole engineering drawings of the company’s networks, including details on devices used to manage the company’s gas turbines, boilers and other critical equipment. The breach was part of a campaign beginning as early as August 2013.
An allegedly Russia-backed group established remote access to the SCADA systems of three electricity distributors in Ukraine after procuring valid network credentials via spearphishing. The threat actors used that access to systematically open breakers, causing blackouts for 225,000 customers.
June 2015:
A cyber criminal advertised the sale of SCADA access credentials on a Dark Web forum dedicated to selling stolen data. The post included a screenshot of the SCADA system’s graphical user interface, IP addresses, and virtual network computing passwords. The system managed a hydroelectric generator.
• Security Strategy, Risk and Compliance: Automate governance, risk and compliance programs. Better manage risks and drive transformative security programs.
• Security Intelligence and Operations: Build security operations and security fusion centers. Build gold-standard security operations for clients, infused with security intelligence and running at optimal performance.
• Cyber Security Assessment and Response: Establish robust security testing and incident management programs. Apply threat intelligence to the entire security lifecycle: remediate vulnerabilities, respond to breaches and incidents.
• Identity and Access Management: Modernize identity and access management for the cloud and mobile era. Provide the right access to the right information at the right time.
• Data and Application Security: Deploy robust critical data protection programs. Protect “Crown Jewel” data against threats, across all platforms.
• Infrastructure and Endpoint Security: Redefine infrastructure and endpoint solutions with secure software-defined networks. Solidify network, infrastructure and endpoint security across the enterprise, including Cloud, Mobile, IoT.