We encourage the energy sector to think about their security imperatives across IT and OT in a more organized fashion. Structured and centered around a core discipline of security analytics and services. This core is enabled by cognitive intelligence that continuously learns the many variables within IT and Operations domains.

1. Cognitive Security Transformation for
the Energy Sector
INTRODUCTION TO IBM SECURITY ENERGY ENVIRONMENT & UTILITIES
Steven Dougherty
October 2017
Associate Partner, Energy Environment & Utilities

2. 2 IBM Security
Ransomware phishing on
a Michigan-based
electric and water utility
Malware discovered on a fuel
system at a Bavaria-based
nuclear power plant
SCADA systems of
three Ukrainian electricity
distributors infiltrated
Network breach of US
natural gas and
electricity company
SCADA system for a
New York dam hacked
Ransomware email
delivered to the Israeli
Electricity Authority
Confidential SCADA system
data for a hydroelectric
generator exposed on
the Dark Web
Hackers breach a water
company’s SCADA system,
controlling water flow and
chemical levels
Sophisticated attacks really trending on the industry nationally and globally
April
2016
January
2016
December
2015
June
2015
March
2016
SCADA systems of
Kiev Ukrainian electricity
distribution infiltrated
(again)
December
2016
Busy Month!
WannaCry Industroyer
NotPetya and Cyber
Warfare on Ukraine
June
2017
Sept
2017
Dragonfly 2.0
USA, Europe &
Turkey

3. 3 IBM Security
The sophistication on energy sector challenges today’s practices
• Attack macros far more complex and coordinated
̶ 30% of code used to create noise to confused forensic analysis and hide sources
̶ 69% contained obfuscation of techniques
̶ 1% actual launcher payload
̶ Several teams collaborating
• Malware unwrapping in several iterations in empty memory spaces, similar to a process of putting
together a puzzle
• Malware mimic legitimate hardware driver behavior
• Domain servers targeted first
• Detailed recon and analyzed infrastructure logging, history, tools, privilege user behavior and activities
• Rapid use of mimicry and camouflage through valid credentials and common service software tools of
victims to mask activities
• External threats can now be indistinguishable from internal threats
11/21/2017

4. 4 IBM Security
If traditional IT security practices are unsustainable, where
does that leave ICS (Industrial Control Systems)
MILLION
unfilled security
positions by 20201.5
PERCENT of CEOs are
reluctant to share incident
information externally68
85security tools from
45vendors

5. 5 IBM Security
Network visibility and segmentation
How do I get started when all I see is chaos?
IP reputation
Indicators of compromise
Firewalls
Network forensics and threat management
Virtual patching
Sandboxing
Malware protection
Data access control
Data monitoring
Application security management
Application scanning
Access management
Entitlements and roles
Identity management
Transaction protection
Device management
Content security
Workload
protection
Cloud access
security broker
Vulnerability management
Privileged identity management
Incident response
Criminal detection
Fraud protection
Endpoint patching
and management
Cognitive security
User behavior analysis
Threat and anomaly detection
Threat hunting and investigation
Threat sharing
Endpoint detection
and response

6. 6 IBM Security
Beyond PIM for insider threats, establish a security immune system
Criminal detection
Fraud protection
Workload
protection
Cloud access
security broker
Access management
Entitlements and roles
Privileged identity management (PIM)
Identity management
Data access control
Application security management
Application scanning
Data monitoring
Device management
Transaction protection
Content security
Malware protection
Endpoint detection
and response
Endpoint patching
and management
Virtual patching
Firewalls
Network forensics and threat management
Sandboxing
Network visibility and segmentation
Indicators of compromise
IP reputation Threat sharing
Vulnerability management Incident response
User behavior analysis
Threat hunting and investigationCognitive security
Threat and anomaly detection

7. 7 IBM Security
E&U Approach – Until we can protect ICS, invest in detect & respond
SECURITY
ANALYTICS
LogSIEM
Vulnerability Cloud
UBA DNS
EDR
THREAT
HUNTING
Search Link Analysis
Visualizations
THREAT
INTELLIGENCE
Sharing
Open Interfaces
Malware Analysis
INCIDENT
RESPONSE
Orchestration
Collaboration Workflow
Cognitive Security
What do clients want?
• End-to-end protection against advanced threats
despite resource and skills gaps
• Ability to prevent, analyze, hunt, and respond
across the enterprise and beyond
• Orchestrated people, processes and technology
that work together in unison
Delivering on client needs by:
• Differentiating with cognitive security
• Delivering integrated detection and response
• Leading with new security orchestration
• Enhancing intelligence with malware analysis
• Expanding our ecosystem and open platforms
• Breaking ground with new threat services
Patch
Query
Remediate

8. 8 IBM Security
IT
OT
ICS data collection SIEM
Security from gateway to sensor coverage
Eric Knapp, Sygress (2012)
Solutions:
- SCADA level operation
data analysis
- Industrial honeypot
- Deep asset/vulnerability
mgmt.& machine learning
- Firewall-RAS-encryption
& Authentication to PLC
- deep operational &
security data
- Asset discovery +
configuration mgmt.
Future:
- PLC level protection
- smart sensor monitoring
- Trusted remote industrial
component
Network based
Host based
New:
IBM: QNI
Industrial IoT

9. 9 IBM Security
Trending SOC analysts gain speed from user behavior analytics

10. 10 IBM Security
Comprehensive data sets and open analytics to sense malicious users
E&U Threat Profile: pull OT UBA to detect internal and
external threats mimicking privilege engineers
Machine learning on user patterns against
risk score and peer groups

11. 11 IBM Security
UBM Qradar UBA: Machine Learning algorithms
Detecting change in activity vs. frequency and deviation from peer groups

12. 12 IBM Security
IBM - here to deploy and manage optimized E&U security programs
IBM Security Transformation Services
• Automate governance, risk and compliance programs
Security Strategy, Risk and Compliance
• Build security operations and security fusion centers
Security Intelligence and Operations
• Establish proactive incident response programs
X-Force Incident Response and Intelligence
• Take a programmatic approach to security testing
X-Force Red Offensive Security
• Modernize identity and access management
for the cloud and mobile era
Identity and Access Management
• Deploy robust critical data protection programs
Data and Application Security
• Redefine infrastructure and endpoint solutions
with secure software-defined networks
Infrastructure and Endpoint Security
SECURITY TRANSFORMATION SERVICES
CEO CIO CISO CRO CCO CLO
Systems
Integration
Management
Consulting
Managed
Security
Security Strategy, Risk and Compliance
Security Intelligence and Operations
X-Force Incident Response and Intelligence
Identity and Access Management
Data and Application Security
Infrastructure and Endpoint Security
X-Force Red Offensive Security

13. ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
THANK YOU