Executive Summary
No industrial operation is free of risk, and different industrial enterprises may legitimately have different "appetites" for certain types of risk. Evaluating cyber risk in industrial control system (ICS) networks is difficult, given their complex nature. For example, an evaluation can consider (explicitly or implicitly) up to hundreds of millions of branches of a complex attack tree that models how cyberattacks interact with cyber, physical, safety and protection equipment and processes. This paper was written to help cyber professionals understand and communicate the results of such risk assessments to non-technical business decision-makers.
This paper proposes that cyber risk be communicated as a Design Basis Threat (DBT) line drawn through a representative “Top 20” set of cyberattacks spread across a spectrum of attack sophistication. These Top 20 attacks have been selected to represent cyber threats to industrial sites across a wide range of circumstances, consequences and sophistication. Many industrial cyber risk practitioners will find the list useful as-is, while expert practitioners may choose to adapt the list to their more detailed understanding of their own sites’ circumstances.
This document summarizes a presentation on cyber security in real-time systems. It discusses threats to industrial control systems and SCADA systems, and the differences between traditional IT and industrial control system cultures. It provides examples of attacks on industrial control systems and poor monitoring of SCADA systems. It suggests that security operations centers may provide common ground between IT and ICS. Finally, it discusses recent media reports relating to hacking of rail signaling systems and aircraft systems.
Symantec and ForeScout Delivering a Unified Cyber Security Solution – DLT Solutions
Tom Blauvelt from Symantec and Sean Telles and Chris Dullea from ForeScout share how both companies together can deliver a unified cyber security solution.
This document discusses 10 important reports for managing vulnerabilities. It begins by explaining the importance of vulnerability management and having an accurate inventory of IT assets. It then describes the top 10 reports:
1. The Network Perimeter Map report provides a graphical view of the network topology and discovered devices.
2. The Unknown Internal Devices report lists devices discovered on the network that have not been approved, to identify rogue devices.
3. The SANS Top 20 Vulnerabilities report identifies the most common and critical vulnerabilities based on the SANS list.
4. The 25 Most Vulnerable Hosts report prioritizes remediation of the most at-risk devices.
5. The High Sever
Kaspersky presentation for palette business solution June 2016 v1.0. – Onwubiko Emmanuel
This document contains the slides from a Kaspersky Technical Training presentation on cybersecurity given in June 2016. The presentation covers several topics:
- The changing nature of work, security, and threats as more devices and data move to the cloud.
- New rules for security like avoiding complexity, recognizing borderless attack surfaces, and not slowing networks for security.
- Gartner's 2016 Magic Quadrant ratings which recognized Trend Micro, Intel Security, and Kaspersky Lab as leaders in endpoint protection.
- The rise of ransomware as a growing threat.
- Kaspersky's security solutions including their endpoint protection, virtualization security, threat intelligence, and focus on research to discover
This document discusses the evolution of approaches to securing SCADA systems. Early advice based on IT security principles is subtly flawed, as it fails to prevent system compromise and physical damage cannot be undone with backups. More recent approaches focus on prevention over detection and response. The key shift is recognizing SCADA systems must remain uncompromised, as restoring operations from intrusions is impossible unlike with IT systems. Overall confidence in SCADA security remains low due to outdated approaches still in use.
Darktrace Antigena is an automated response capability that allows organizations to respond to cyber threats without disrupting normal business operations. As a "digital antibody", Antigena detects threats uniquely identified by Darktrace and automatically takes measured and targeted responses. This includes terminating abnormal connections while leaving normal activities unaffected. Antigena's dynamic boundary enforces each user and device's normal "pattern of life" to combat threats faster than any security team.
The Evolution of and Need for Secure Network Access – Cisco Security
This document discusses the evolution of network access control (NAC) technology into endpoint visibility, access, and security (EVAS). It describes how EVAS provides more comprehensive visibility and dynamic control over network-connected devices compared to traditional NAC. The document also outlines how EVAS can help organizations prevent, detect, and respond to security attacks through continuous monitoring, endpoint profiling, and granular policy enforcement. Finally, it positions Cisco Systems as an early leader in the EVAS market.
New Paradigms for the Next Era of Security – Sounil Yu
As we enter the 2020s, we will see attacks culminate in machines, infrastructure, and data becoming irrecoverable. In these scenarios, our old security paradigm of confidentiality, integrity, and availability no longer applies. Instead, we need a new paradigm of distributed, immutable, and ephemeral design patterns for the next era.
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the... – Ivanti
The instantaneous shift from a centralized to distributed workforce is creating an imperative for implementing new operational and security frameworks. Zero trust is emerging as the mandated InfoSec policy to address these new security priorities.
Watch the webinar to:
• Understand the zero trust framework and the technical approaches you can take based on your IT architecture
• Determine your path forward for securing and modernizing network access without replacing your existing investments
• Learn how passwordless MFA and anti-phishing capabilities can better secure users and data
• Discover how endpoint management is evolving to address vulnerabilities using AI/ML
View this webinar, hosted by Cybersecurity Insiders, now.
Endpoint security involves securing devices like laptops and ensuring they comply with security policies before being granted network access. Major endpoint security solutions include Cisco NAC, Microsoft NAP, and TCG's Trusted Network Connect standard, but all take the approach of evaluating devices and enforcing admission control policies using tools like 802.1x and RADIUS. While endpoint security is important, it also requires significant resources to deploy and its solutions are still evolving.
Cyber Security protection by MultiPoint Ltd. – Ricardo Resnik
This document provides information about MultiPoint Ltd., a cyber security company that distributes security and networking software. It discusses MultiPoint's vendors and customers, as well as concepts like the attack lifecycle and challenges of detection. It also summarizes some of MultiPoint's product offerings and how they help customers adapt security posture, optimize resources, manage portfolio risk, and rapidly respond to threats.
The document discusses the evolving threat landscape and introduces Sophos' solution for synchronized security. It notes that attack surfaces are exponentially larger due to more devices and threats are increasingly sophisticated. Sophos' synchronized security integrates next-gen endpoint and network security technologies that share threat intelligence in real-time to accelerate detection and automate response. This provides comprehensive protection across devices and networks through a simple, automated system.
Damballa automated breach defense June 2014 – Ricardo Resnik
This document discusses the need for advanced threat protection and containment solutions due to the high percentage of cyber attacks that go undetected for months. It notes that traditional prevention-focused security approaches are no longer sufficient. The document then highlights statistics on the financial and resource costs of cyber attacks. It introduces Damballa's automated breach defense platform, which uses behavioral analytics to automatically identify active threats, regardless of prior knowledge. The platform aims to enable a breach resistant organization. The document concludes by presenting several customer case studies where Damballa helped reduce costs, detection times, and improve visibility and response.
M-Trends® 2013: Attack the Security Gap – FireEye, Inc.
Mandiant's annual threat report reveals evolving trends, case studies and best practices drawn from Mandiant's observations of targeted attacks in the last year. The report, compiled from hundreds of Mandiant advanced threat investigations, also includes approaches that organizations can take to improve the way they detect, respond to, and contain complex breaches. For the latest M-Trends report, see https://www.fireeye.com/mtrends.
Solar winds supply chain breach - Insights from the trenches – Infosec
On December 13, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to immediately "disconnect or power down SolarWinds Orion products" as they were being actively exploited by malicious actors.
Infosec Skills author and KM Cyber Security managing partner Keatron Evans is helping numerous clients respond to the breach and mitigate any potential damage. Join him as he discusses:
-What we know about the breach so far
-How his clients have responded to the incident
-What to look for in your environment to see if you’ve been affected
Review of Considerations for Mobile Device based Secure Access to Financial S... – Eswar Publications
Information technology and security stakeholders such as CIOs, CISOs and CTOs in financial services organizations are often asked to identify the risks of the mobile computing channel for the financial services they support. They are also asked to come up with approaches for handling those risks, to define the risk acceptance level and to mitigate them. This requires them to articulate a strategy for supporting a huge variety of mobile devices from various vendors, with different operating systems and hardware platforms, while staying within the accepted risk level. These articulations should be captured in the information security policy or another suitable document of the financial services organization, such as a bank or payment service provider. While risks and mitigation approaches are available from multiple sources, senior stakeholders may find it challenging to articulate the issues comprehensively for sharing with business owners and other technology stakeholders. This paper reviews the current research that addresses the issues mentioned above and articulates a strategy that senior stakeholders may use in their organization. It is assumed that this type of comprehensive strategy guide for senior stakeholders is not readily available and that CIOs, CISOs and CTOs would find this paper very useful.
This document provides a guide for small and medium businesses on network security. It discusses key threats SMBs face and recommends the following top actions to improve security:
1) Perform a security risk assessment to understand vulnerabilities
2) Develop an information security policy and educate users
3) Design a secure network with firewalls, packet filtering, and a DMZ for public servers
4) Use anti-virus software, personal firewalls, strong authentication, and keep systems patched
Infonetics Network and Content Security Vendor Scorecard – Cisco Security
This document summarizes a report from Infonetics Research that ranks the top 8 network and content security vendors. Cisco is ranked first overall based on strong scores across criteria like market share, financials, and customer surveys. McAfee ranks second due to a broad product portfolio and financial backing from Intel. Check Point ranks third with solid performance in market share, financials, and solution breadth, though it scores below average in customer surveys.
The document discusses 5 common mistakes organizations make when deploying intrusion detection systems (IDS).
1. Not ensuring the IDS can see all network traffic by improperly planning its infrastructure placement.
2. Deploying an IDS but not reviewing the alerts it generates, diminishing its value as a detection system.
3. Deploying an IDS that generates alerts but having no response policy or understanding of normal vs anomalous activity.
4. Being overwhelmed by a high volume of alerts without properly tuning the IDS to the environment.
5. Not accepting the inherent limitations of signature-based IDS to detect new exploits without updated signatures.
Using a smart building as their case study, Forescout Research Labs investigated how IoT devices can be leveraged as an entry point to a building’s network, where legacy OT assets, IT systems and IoT devices all intersect. Key findings from our research include:
• How the IoT is impacting the organizational threat landscape
• The additional risks that IoT devices introduce
• How to evolve your cybersecurity strategy for the age of IoT
Kudler Fine Foods IT Security Report And Presentation –... – Lana Sorrels
The document discusses network security for a small accounting firm. It proposes implementing a network with firewall protection, wireless access points, antivirus software, and user training. A vulnerability assessment is recommended to identify security risks before deploying the network. The network design aims to protect client financial data from theft or loss while enabling file sharing and internet access for employees.
Cybersecurity: A Manufacturers Guide by Clearnetwork – Clearnetwork
The document provides a guide for improving cybersecurity in the manufacturing industry. It begins by noting that nearly half of all manufacturers have experienced a cyberattack. An effective defensive strategy includes 1) creating continuity and recoverability through reliable backups and disaster recovery plans, 2) protecting critical data through inventory, access control, and encryption, 3) improving system and network security hygiene such as network segmentation and patching outdated systems, 4) not overlooking security for industrial control systems and IoT devices, and 5) improving communication about cyber threats. Insider threats are also a risk that can be mitigated using security information and event management systems to monitor employee activity.
Daniel Ehrenreich, BSc., is a leading Industrial Control System (ICS) expert who acts as a consultant and lecturer at Secure Communications and Control Experts (SCCE), a consulting entity based in Israel.
He periodically conducts workshop sessions, via the Internet and in person, to educate international participants on ICS cyber security risks and defense measures for a broad range of ICS verticals.
He studied for the CISSP in 2014 and is certified by the Israeli Institute of Standards as a Lead Auditor for the ISO 27001:2013 standard.
Daniel has over 30 years of engineering experience with ICS for electricity, water, oil and gas, and power plants, gained through his work at Tadiran Electronics, Motorola Solutions, Siemens and Waterfall Security.
He was re-elected as Chairman of the 6th ICS Cybersec AI&ML 2021 hybrid conference, organized by People and Computers.
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading – Muhammad FAHAD
The "cyber kill chain" is a sequence of stages required for an attacker to successfully infiltrate a network and exfiltrate data from it. Each stage demonstrates a specific goal along the attacker's path. Designing your monitoring and response plan around the cyber kill chain model is an effective method because it focuses on how actual attacks happen.
The document discusses Darktrace's Enterprise Immune System technology, which takes inspiration from the human immune system to provide cyber defense. It uses unsupervised machine learning and advanced mathematics to learn what normal network behavior looks like and detect anomalies indicating threats. This self-learning approach can identify new threats that traditional signature-based tools miss. The system also automatically responds to threats with targeted digital responses. Darktrace's technology represents a new approach to cybersecurity that is better suited to today's sophisticated and unpredictable threat landscape.
Network security is a dynamic art, with dangers appearing as fast as black hats can exploit vulnerabilities. While there are basic “golden rules” which can make life difficult for the bad guys, it remains a challenge to keep networks secure. John Chambers, Executive Chairman of Cisco, famously said “there are two types of companies: those that have been hacked, and those who don’t know they have been hacked”. The question for most organizations isn’t if they’re going to be breached, but how quickly they can isolate and mitigate the threat. In this paper, we’ll examine best practices for effective cybersecurity – from both a proactive (access hardening) and reactive (threat isolation and mitigation) perspective. We’ll address how network automation can help minimize cyberattacks by closing vulnerability gaps and how it can improve incident response times in the event of a cyberthreat. Finally, we’ll lay a vision for continuous network security, to explore how machine-to-machine automation may deliver an auto-securing and self-healing network.
Go to www.esgjrconsultinginc.com
Toward Continuous Cybersecurity With Network Automation – Ken Flott
What is the process of Vulnerability Assessment and Penetration Testing.pdf – ElanusTechnologies
Elanus Technologies is the Best Vulnerability Assessment and Penetration Testing Company in India providing intelligent cyber security and VAPT services on Web, Mobile, Network and Thick Client.
https://www.elanustechnologies.com/vapt.php
This document discusses securing healthcare networks against cyber attacks. It proposes using intrusion detection systems to continuously monitor networks, firewalls to ensure endpoint devices comply with security policies, and biometrics for identity-based network access control. This would help protect patient privacy by safeguarding electronic health records and enhancing the security of hospital networks. The growing adoption of electronic records and devices in healthcare has increased risks of attacks that could intercept patient data or take over entire hospital networks. Strong network security measures are needed to address these risks.
Banking and Modern Payments System Security Analysis – CSCJournals
Cyber-criminals have benefited from on-line banking (OB), despite the extensive research on financial cyber-security. To be better prepared for what the future might bring, we try to predict how hacking tools might evolve. We briefly survey the state-of-the-art tools developed by black-hat hackers and conclude that they could be automated dramatically. To demonstrate the feasibility of our predictions and prove that many two-factor authentication schemes can be bypassed, we have analyzed banking and modern payments system security.
In this research we will review different payment protocols and security methods that are being used to run banking systems. We will survey some of the popular systems that are being used today, with a deeper focus on the Chips, cards, NFC, authentication etc. In addition, we will also discuss the weaknesses in the systems that can compromise the customer's trust.
How to avoid cyber security attacks in 2024 - CyberHive.pdf – online Marketing
Technology continues to evolve at a rapid pace, presenting both opportunities and challenges. Among these challenges, the threat of cyber security attacks looms large, posing significant risks to individuals, businesses, and governments alike. The importance of adopting robust security measures cannot be overstated. Please visit: https://www.cyberhive.com/insights/how-to-avoid-cyber-security-attacks-in-2024/
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3 – IJERA Editor
The Linux operating system is revered by many professionals because of its versatile nature. Many network security professionals, particularly ethical hackers, use Linux extensively, but have we ever observed how and why the number of hackers increases day by day? Not only professionals but everyone is unleashing their hacking potential with the help of the Backtrack 5R3 operating system, which is a comprehensive toolkit for security auditing. This paper emphasizes the so-called SET (Social Engineering Toolkit). In a pen-testing scenario, alongside uncovering vulnerabilities in hardware and software systems and exploiting them, the most effective approach of all is penetrating the human mind to extract the desired information. Such devious techniques are known as social engineering, and computer-based software tools that facilitate them form the basis of the Social Engineering Toolkit.
With the explosion of the public Internet and e-commerce, private computers and computer networks, if not adequately secured, are increasingly vulnerable to damaging attacks. Hackers, viruses, vindictive employees and even human error all represent clear and present dangers to networks. And all computer users, from the most casual Internet surfers to large enterprises, could be affected by network security breaches. However, security breaches can often be easily prevented. How? This white paper provides an overview of the most common network security threats and their solutions, which protect you and your organization from threats and hackers and ensure that the data traveling across your networks is safe.
Designing Security Assessment of Client Server System using Attack Tree Modeling – ijtsrd
Information security has grown into a prominent issue in our digital life. Network security is becoming more significant as the volume of data exchanged over the net increases day by day. The attack tree (AT) technique plays an important role in investigating the threat analysis problem for known cyber attacks in risk assessment. The technique is especially effective in assessing and managing the risks from hostile, intelligent adversaries. It is useful for analyzing threats against assets ranging from information systems to physical infrastructure. By using attack tree modeling analysis, an organization can understand the ways in which it will be attacked, determine the likelihood and impact of these attacks, and decide what action to take where the risks are unacceptable. This paper describes the attack tree model for an organization based on a client-server network. It provides ways of defending and preventing sensitive information from attackers. Attack tree modeling provides effective security solutions, cost-effective security solutions and defensible risk mitigation decisions. Sandar Pa Pa Thein | Phyu Phyu | Thin Thin Swe, "Designing Security Assessment of Client-Server System using Attack Tree Modeling", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-5, August 2019. URL: https://www.ijtsrd.com/papers/ijtsrd26727.pdf Paper URL: https://www.ijtsrd.com/engineering/computer-engineering/26727/designing-security-assessment-of-client--server-system-using-attack-tree-modeling/sandar-pa-pa-thein
This document provides an overview of network security concepts. It begins by stating the goals of network security are to protect confidentiality, maintain integrity, and ensure availability. It then discusses common network security vulnerabilities and threats that can arise from misconfigured hardware/software, poor network design, inherent technology weaknesses, end-user carelessness, or intentional end-user acts. The document also covers the need for network security due to increased connectivity from closed to open networks and differentiates between open versus closed security models. It emphasizes striking a balance between security and user productivity.
Looking to understand how hackers and other attackers use cyber technology to attack your network and your executives? This slide set provides an overview and details the anatomy of a cyber attack, and the strategies you can use to manage and mitigate risk.
Cyber Security for Critical InfrastructureMohit Rampal
This document discusses cyber security for critical infrastructure and the importance of identifying unknown or zero-day vulnerabilities. It describes how fuzz testing, a technique that involves feeding unexpected input to a system to trigger crashes or failures, can be used to find these unknown vulnerabilities before attackers discover and exploit them. The document outlines a process for conducting unknown vulnerability management that involves identifying targets, testing devices using various fuzzing methods, and generating detailed reports of any issues found to facilitate rapid remediation. Fuzz testing maturity models are also discussed as frameworks for conducting comprehensive fuzz testing programs to systematically uncover previously unknown vulnerabilities in networks and devices.
The module explains that a Security Operations Center (SOC) uses people, processes, and technologies to defend against cyber threats. SOCs assign roles across multiple tiers, with tier 1 analysts monitoring alerts and tier 3 experts conducting in-depth investigations. A SOC relies on security information and event management (SIEM) systems to collect and analyze data, while security orchestration, automation and response (SOAR) helps automate workflows. Key performance indicators like mean time to detect threats are used to measure a SOC's effectiveness. The module also discusses qualifications and experience needed for a career in cybersecurity operations.
Similar to The Top 20 Cyberattacks on Industrial Control Systems (20)
The Top 20 Cyberattacks on Industrial Control Systems
For further information, please contact:
North America +1 (703) 840 5452 | International +972 3 900 3700 | sales@waterfall-security.com
www.waterfall-security.com
Andrew Ginter, VP Industrial Security Waterfall Security Solutions
Table of Contents
Executive Summary ... 2
Introduction ... 3
The Top 20 Attacks ... 4
Water Treatment System Example ... 12
Attack Evaluation ... 13
Improving ICS Security ... 15
Attack Evaluation ... 16
Summary ... 19
About Waterfall Security Solutions ... 19
Executive Summary
No industrial operation is free of risk, and different industrial enterprises may legitimately have different “appetites” for certain types of risks. Evaluating cyber risk in industrial control system (ICS) networks is difficult, considering their complex nature. For example, an evaluation can consider (explicitly or implicitly) up to hundreds of millions of branches of a complex attack tree modelling of cyberattacks interaction with cyber, physical, safety and protection equipment and processes. This paper was written to assist cyber professionals to understand and communicate the results of such risk assessments to non-technical business decision-makers.
This paper proposes that cyber risk be communicated as a Design Basis Threat (DBT) line drawn through a representative “Top 20” set of cyberattacks spread across a spectrum of attack sophistication. These Top 20 attacks have been selected to represent cyber threats to industrial sites across a wide range of circumstances, consequences and sophistication. Many industrial cyber risk practitioners will find the list useful as-is, while expert practitioners may choose to adapt the list to their more detailed understanding of their own sites’ circumstances.
The Top 20 attacks, sorted loosely from least to most sophisticated, are:
1. ICS Insider
2. IT Insider
3. Common Ransomware
4. Targeted Ransomware
5. Zero-Day Ransomware
6. Ukrainian Attack
7. Sophisticated Ukrainian Attack
8. Market Manipulation
9. Sophisticated Market Manipulation
10. Cell-phone WIFI
11. Hijacked Two-Factor
12. IIoT Pivot
13. Malicious Outsourcing
14. Compromised Vendor Website
15. Compromised Remote Site
16. Vendor Back Door
17. Stuxnet
18. Hardware Supply Chain
19. Nation-State Crypto Compromise
20. Sophisticated Credentialed ICS Insider
A Top 20 DBT diagram for a hypothetical water treatment plant is illustrated in Figure (1).
Figure (1) Water treatment system example – two different security postures
In the figure, attacks under the DBT line are defeated reliably. Attacks above the line are not. The “first-generation” DBT illustration at left is of the water treatment system defended by an ICS security program typical of first generation, best practice guidance from roughly 2003-2013. The “Modern protection” illustration at right reflects a proposed change to the security program to incorporate modern ICS best practices, including: a strict removable media control policy, unidirectional security gateways at network perimeters, and an upgrade to the control system test bed.
No network is absolutely secure. Any DBT diagram should therefore illustrate a number of attacks likely to breach the defensive posture under consideration. In any such set of not-reliably-defeated attacks, there is always a least sophisticated or simplest attack or set of attacks
with serious consequences. It is this set that should be the focus of communication with business decision-makers. The question for business decision makers is, “Do these simplest, non-defeated attacks represent acceptable risks, and if not, how much are we willing to pay to close the gap for a particular attack/risk?”
The goal of this paper is to provide a foundation for more consistent cyber risk assessment for industrial sites, and clearer communication of those risks to business decision makers, so that those decision makers can make more informed decisions about funding for industrial cybersecurity initiatives.
Introduction
The technique for evaluating the risk of cyber-sabotage of industrial processes is highly developed. Essentially, such risk assessments evaluate
a typically large inventory of possible cyberattacks against the cyber physical system in question, and render a verdict. Communicating the
verdict to business decision-makers who are not familiar with cybersecurity on a deeper level is more difficult, especially for the low-frequency,
high-impact (LFHI) type of attacks for which there is little statistical data. The experience of such communications suggests that business
decision-makers can more easily understand and make more effective decisions if given specific examples of cyberattacks, than when given
abstract risk scores resulting from evaluating millions of attacks.
This paper recommends using a standard set of Top 20 attacks as a methodology for communicating cyber sabotage risk, with the Top 20 set representing attacks of varying levels of cyber and engineering sophistication, and with varying degrees of undesirable physical consequences. We recommend that a standard Top 20 includes both attacks that are reliably defeated by existing cyber defenses, and attacks that are not so defeated.
The Design Basis Threat (DBT) is a line dividing the list of attacks. The set of attacks below the line are the set of attacks that a site is confident of defeating reliably using an existing, or proposed, security posture. The set above the line represent attacks the site has no such confidence in defeating.
It is the simplest attacks we do not defeat reliably that we use to start our dialog with risk managers. Describe these attacks and consequences,
and ask if this situation is acceptable. If not, begin a discussion of how we should draw the DBT line, what security measures might be required
to bring about these changes, and what these measures will cost.
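As an added illustration of the DBT line described in the Executive Summary's Figure (1) and in the Introduction above (example code, not the paper's own), the script below draws a DBT line through the paper's Top 20 for two constructed security postures and picks out the simplest non-defeated attacks with serious consequences, the set the paper says should open the dialogue with risk managers. The Top 20 names and order are the paper's; which attacks each posture defeats reliably, and which consequences count as serious, are constructed assumptions for a hypothetical site, not the paper's figure.

```python
from __future__ import annotations

from dataclasses import dataclass

# The paper's Top 20, in its loosely least-to-most sophisticated order.
TOP_20 = [
    "ICS Insider", "IT Insider", "Common Ransomware", "Targeted Ransomware",
    "Zero-Day Ransomware", "Ukrainian Attack", "Sophisticated Ukrainian Attack",
    "Market Manipulation", "Sophisticated Market Manipulation", "Cell-phone WIFI",
    "Hijacked Two-Factor", "IIoT Pivot", "Malicious Outsourcing",
    "Compromised Vendor Website", "Compromised Remote Site", "Vendor Back Door",
    "Stuxnet", "Hardware Supply Chain", "Nation-State Crypto Compromise",
    "Sophisticated Credentialed ICS Insider",
]


@dataclass(frozen=True)
class Attack:
    rank: int       # 1 = least sophisticated ... 20 = most sophisticated
    name: str
    serious: bool   # site-specific: does the modelled consequence matter here?


def build_top20(serious_ranks: set[int]) -> list[Attack]:
    """Attach a site-specific 'serious consequence' flag to each Top 20 entry."""
    return [Attack(i, n, i in serious_ranks) for i, n in enumerate(TOP_20, start=1)]


def draw_dbt(attacks: list[Attack], defeated: set[int]) -> tuple[list[Attack], list[Attack]]:
    """Split the list at the DBT line: (below = defeated reliably, above = not)."""
    below = [a for a in attacks if a.rank in defeated]
    above = [a for a in attacks if a.rank not in defeated]
    return below, above


def simplest_undefeated(attacks: list[Attack], defeated: set[int], limit: int = 3) -> list[Attack]:
    """Least sophisticated attacks above the line that carry serious consequences.

    This is the set the paper says should open the dialogue with risk managers:
    is this residual risk acceptable, and if not, what does closing the gap cost?
    """
    _, above = draw_dbt(attacks, defeated)
    return [a for a in above if a.serious][:limit]


def gap_closed(attacks: list[Attack], before: set[int], after: set[int]) -> list[Attack]:
    """Attacks that move from above to below the DBT line when the posture changes."""
    return [a for a in attacks if a.rank in after and a.rank not in before]


def render(attacks: list[Attack], defeated: set[int], title: str) -> str:
    """One column of a Figure (1)-style diagram, most sophisticated attack at the top."""
    lines = [title]
    for a in reversed(attacks):
        mark = "below DBT line" if a.rank in defeated else "ABOVE DBT line"
        lines.append(f"#{a.rank:>2} {a.name:<40} {mark}")
    return "\n".join(lines)


# Constructed site assessment: the paper notes #2 'might just cause confusion';
# every other attack is assumed to carry a serious physical consequence here.
SERIOUS = set(range(1, 21)) - {2}

# Constructed postures, NOT the paper's Figure (1). FIRST_GEN stands in for a
# 2003-2013 'best practice' program; the paper argues AV, patching and IDS do not
# defeat malware reliably, so all three ransomware scenarios stay above the line.
# We assume only #2 is defeated, via two-factor remote access that makes a
# shoulder-surfed one-time code worthless when replayed later.
FIRST_GEN = {2}
# MODERN adds unidirectional gateways and removable media control. The paper says
# unidirectional gateways defeat Internet-controlled malware reliably; extending
# that to #3-#5 (all need a path into the ICS from outside) is our assumption.
MODERN = FIRST_GEN | {3, 4, 5}


def main() -> None:
    attacks = build_top20(SERIOUS)
    for title, posture in (("First-generation", FIRST_GEN), ("Modern protection", MODERN)):
        print(render(attacks, posture, title))
        gap = ", ".join(f"#{a.rank} {a.name}" for a in simplest_undefeated(attacks, posture))
        print(f"Simplest non-defeated serious attacks: {gap}\n")
    moved = ", ".join(f"#{a.rank}" for a in gap_closed(attacks, FIRST_GEN, MODERN))
    print(f"Attacks moved below the DBT line by the proposed change: {moved}")


if __name__ == "__main__":
    main()
```

Note that the simplest non-defeated serious attack (#1) is the same under both postures here, which is exactly the kind of residual risk the paper says decision-makers must be asked to accept or fund closing.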
To Defeat Reliably
To defeat an attack reliably means to prevent the physical consequence of the attack essentially every time this class of attack is launched.
For example:
• Anti-virus systems (AV) do not defeat common malware reliably, because attacks are launched into the wild before anti-virus signatures
are available for the attacks. If common malware reaches a vulnerable system between the time of malware launch and the time that AV
signatures are applied, the system is compromised, even though an AV system is deployed.
• Security updates do not defeat exploits of known vulnerabilities reliably because it takes time for a vendor to create, and end users to install,
the updates. Systems are vulnerable in this time interval. In addition, security updates are occasionally erroneous, and when erroneous,
are not effective in eliminating the known vulnerability that is their motivation.
• Intrusion detection systems (IDS) are detective measures, not preventive. Many cybersecurity best practice documents hold up an IDS as
the pinnacle of a security program, but detective measures such as an IDS do not defeat attacks reliably. After all, intrusion detection and
incident response take time. In that time, compromised equipment is being operated either manually by a remote attacker, or automatically
by autonomous malware, which may be enough to bring about the consequences we seek to prevent.
In contrast, the following are examples of security measures that do reliably defeat a specific class of attack:
• Phishing attack for password theft - two-factor authentication based on RSA-style password dongles reliably defeats remote password phishing attempts. One could postulate an attack that physically steals the password dongle, but that would no longer be a “phishing” attack. A distant attacker only able to forge email and produce look-alike websites is not able to defeat this kind of two-factor protection system.
• Encryption key scraping software - trusted platform modules (TPMs) reliably defeat attempts to search compromised equipment’s memory and persistent storage to steal encryption keys. TPM hardware is designed such that encryption keys never leave the hardware modules, or appear in memory in the computer running the TPM. More sophisticated attacks, such as physically dismantling the hardware modules of stolen computers, might succeed in retrieving these encryption keys. Such attacks though, are no longer the indicated attack – i.e. software searching a machine's memory and hard drive for keys.
• Internet-controlled malware - unidirectional security gateways reliably defeat Internet-controlled malware. The gateways are physically
able to send information in only one direction – from an ICS network to an IT/corporate/Internet network, with no ability to send
information back. In unidirectionally-protected networks, no control signal is physically able to be sent from the Internet to malware on
a compromised ICS network.
In short, determining that a given security posture defeats a particular attack reliably can be challenging. “Defeats reliably” is a high standard. Achieving this standard is generally possible only by describing a particular attack, or attacker's capabilities, very specifically.
The Top 20 Attacks
The proposed Top 20 attacks are listed below, in roughly least-sophisticated to most-sophisticated order. The list represents a wide range of industrial cyberattacks useful to compare security postures between sites and between defensive systems. Even if experts in an organization decide to define their own list, starting with a standardized list such as the Top 20 can be useful to ensure that a suitably wide range of attacks is considered in the custom assessment process.
Each attack in the Top 20 list below indicates both the level of sophistication of the attack and attackers, and the consequences of the attack:
Sophistication is a characteristic of both the attack, and of the attacker. Did the attack use standard attack tools downloaded from the Internet, professional-grade tools, or custom-built tools? Are the attackers cyber experts? Do they need to understand the physics of the industrial process, to bring about their attack's goals? Do they need to understand the design of relevant industrial control systems enough to connect physical outcomes with cyber manipulations? How much inside information that is not available from public sources do the attackers need to design and run their attack? Do the attackers have inside assistance? Or can they operate the entire attack from outside of their target organizations?
Consequences are primarily physical states of the industrial system that we are trying to avoid, and secondarily changes in control system computers. Physical consequences are most often one of: impaired or poor-quality production, unexpected shutdown of the physical process, damage to physical equipment, injury to workers at the industrial site, or threats to public safety.
The Top 20 ICS cyber security attacks are:
#1 ICS Insider
A disgruntled control-system technician steals passwords by “shoulder surfing” other technicians, logs in to equipment controlling the physical process using the stolen passwords, and issues shut-down instructions to parts of the physical process, automatically triggering a partial plant shut-down.
Sophistication: This is a moderately sophisticated attack. ICS technicians tend to have good knowledge of how to operate control system components to bring about specific goals, such as a shutdown, but less knowledge of fundamental engineering concepts or safety systems designed into industrial processes.
Consequences: This class of incident is most often able to cause partial or complete plant shutdowns. More serious physical consequences may be possible, depending on the insider, and on details of the industrial process.
#2 IT Insider
A disgruntled IT insider shoulder-surfs remote access credentials entered by an ICS support technician visiting a remote office. The disgruntled insider later uses the credentials to log into the same distant ICS engineering workstation that the technician logged into. The insider looks around the workstation and eventually finds and starts a development copy of the plant HMI. The insider brings up screens more or less at random, and presses whatever buttons seem likely to cause the most damage or confusion. These actions trigger a partial plant shut-down.
Sophistication: This is an unsophisticated attack. IT insiders generally have little knowledge of cyber systems, control systems or physical processes, but often do have social engineering opportunities that can yield credentials able to log into control system networks.
Consequences: This class of incident might cause a shut-down, or might just cause confusion. At best, each such incident triggers an engineering review of settings at the plant, to ensure that no physical equipment has been left mis-configured and able to cause a malfunction in the future.
#3 Common Ransomware An engineer searching for technical information from an ICS-connected engineering workstation accidentally
downloads ransomware. The malware exploits known vulnerabilities that have not yet been patched on the
industrial network, encrypts the engineering workstation, and spreads to most of the Windows hosts on the
industrial control system. Most Windows hosts in the industrial network are encrypted, shutting down the
controlsystem.Theimpairedcontrolsystemisunabletobringaboutanorderlyshutdown.Withinafewminutes,
the plant operator triggers an emergency safety shutdown. The emergency shutdown procedure damages
important equipment at the plant, impairing production for months, even after the ransomware has been
cleaned out of the control system and the plant is restarted.
A variation of this attack: ransomware infects an IT workstation and spreads via AUTORUN files on network
shares, USB drives, and known network vulnerabilities for a number of days, before triggering the encryption.
A number of machines on both IT and ICS networks are thus infected, with the same consequences as above.
Sophistication: Authors of autonomous ransomware can be very sophisticated cyber-wise, producing malware
that is able to spread quickly and automatically through a network, and even malware that is able to evade
common anti-virus systems and other security measures. Such authors though, tend to have no understanding
of physical industrial processes or industrial control systems.
Consequences: Most often, the minimum damage caused by this kind of incident is an unplanned shutdown
lasting for as many days as it takes to restore the control system from backups, and restart the industrial process
- typically 5-10 days of lost production. In the worst case though, important equipment can be irreparably
damaged by an uncontrolled shutdown. In this case, replacements for the damaged equipment need to be
purchased and installed, and where replacements are not readily available, replacements for damaged equipment
must themselves be manufactured, so they can be installed and activated. Worst-case plant downtime in these
cases can be up to 12 months.
#4 Targeted Ransomware
An attacker with good computer knowledge targets IT insiders with phishing attacks and malicious attachments,
gaining a foothold on the IT network with Remote Access Tool (RAT) malware. The attacker uses the RAT to steal
additional credentials, eventually gaining remote access to an industrial control system. The attacker seeds
ransomware throughout the ICS, and demands a ransom. The site quickly disables all electronic connections
between the affected plant and outside networks, and tries to pay the ransom. The payment mechanism fails
and the ransomware automatically activates, having received no signal from the attacker that the ransom was
paid. The ransomware erases hard drives and BIOS firmware in all infected equipment. The plant suffers an
emergency shutdown, damaging equipment. It takes a month to replace and reprogram damaged control
system computers, and more months before damaged physical equipment is replaced.
Sophistication: The attacker is cyber-sophisticated. Increasingly, we see organized crime organizations becoming
involved with ransomware. These organizations have access to professional-grade malware toolkits and
developers, and professional-grade RAT operators.
Consequences: Computer, network and other equipment with erased firmware generally must be replaced - the
equipment has been “bricked” in the parlance of cyberattacks. Again, an emergency shutdown may damage
physical equipment.
#5 Zero-Day Ransomware
An intelligence agency mistakenly leaves a list of zero-day vulnerabilities in operating systems, applications,
and firewall sandboxes on an Internet-based command and control center. An attack group, similar to the
“Shadow Brokers” who discovered the NSA zero-days, discovers the list and sells it to an organized crime group.
This latter group creates autonomous ransomware that propagates by exploiting the zero-day vulnerabilities
in file sharing software in the Windows operating system. The malware is released simultaneously on dozens
of compromised websites world-wide, and immediately starts to spread. At industrial sites able to share files
directly or indirectly with IT networks, the malware jumps through firewalls to infect and encrypt the industrial
site, causing an emergency shutdown and damaging physical equipment.
Sophistication: Cyberattacks only become more sophisticated over time. Security researchers and others discover
zero-day vulnerabilities, and intelligence agencies have been known to “lose track” of the zero days they have
discovered or purchased. This attack was very sophisticated cyber-wise, and unsophisticated engineering-wise.
Consequences: Again, the minimum damage caused by this kind of incident is an unplanned shutdown lasting for
as many days as it takes to restore the control system from backups, and restart the industrial process - typically
5-10 days of lost production. In the worst case though, important equipment can be irreparably damaged,
necessitating costly replacement which may take additional weeks or months.
#6 Ukrainian Attack
A large group of hacktivist-class attackers steal IT remote access passwords through phishing attacks. These
attackers eventually compromise the IT Windows Domain Controller, create new accounts for themselves, and
give the new accounts universal administrative privileges, including access to ICS equipment. The attackers
log into the ICS equipment and observe the operation of the ICS HMI until they have learned what many of
the screens and controls do. At that time, the group takes over the HMI and uses it to mis-operate the physical
process. At the same time, co-attackers use the administrative credentials to log into ICS equipment, erase the
hard drives, and where practical, erase the equipment firmware.
Variations: When targeting other kinds of industries, similar attacks are possible, erasing control system
equipment, and triggering unplanned shutdowns.
Sophistication: This is a summary of the attack techniques used in the 2016 attack on a number of Ukraine
electric distribution companies. The attackers had good knowledge of cyber systems, but limited knowledge
of electric distribution processes and control systems.
Consequences: In the case of the attacks on Ukraine, power was shut off to over 200,000 people, for up to 8
hours. Power was only restored when technicians travelled to each of the affected substations, disconnected
control system computers, and manually turned on power flows again. More generally, unplanned shutdowns
are a consequence of this class of attack, and possibly emergency, uncontrolled shutdowns with the potential
equipment damage that accompanies such shutdowns.
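The account-creation and privilege-grant steps in this scenario leave traces in the domain controllers' Security log. The following Python is an added example, not part of the original paper: it checks a stream of Windows Security events for accounts that are granted membership of a privileged group shortly after being created, which is the pattern described above. The event records are constructed for illustration, ICS-Operators is an assumed site-specific group name, and the 24-hour window is an assumed tuning parameter.

```python
"""Flag accounts granted privileged group membership soon after creation.

Added example, not part of the original paper. The event records are
constructed; a real detection would read them from the domain
controllers' Security logs or a SIEM. Event IDs: 4720 = user account
created, 4728 = member added to a security-enabled global group,
4732 = member added to a security-enabled local group.
"""
from datetime import datetime, timedelta

# Built-in privileged groups plus an assumed site-specific group that
# grants access to ICS equipment (ICS-Operators is hypothetical).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Administrators", "ICS-Operators"}

# Assumed tuning parameter: a creation-to-grant gap shorter than this is suspicious.
WINDOW = timedelta(hours=24)

# Constructed sample events (time, event id, acting account, target account, group).
EVENTS = [
    {"time": "2016-12-17 02:10:00", "id": 4720, "actor": "helpdesk1",
     "target": "svc-backup", "group": None},
    {"time": "2016-12-17 02:12:30", "id": 4728, "actor": "helpdesk1",
     "target": "svc-backup", "group": "Domain Admins"},
    {"time": "2016-12-10 09:00:00", "id": 4720, "actor": "hr-admin",
     "target": "jsmith", "group": None},
    {"time": "2016-12-10 09:05:00", "id": 4728, "actor": "hr-admin",
     "target": "jsmith", "group": "Finance-Users"},
    # A long-standing account added to a privileged group is outside this rule.
    {"time": "2016-12-17 03:00:00", "id": 4732, "actor": "dc-admin",
     "target": "olduser", "group": "Administrators"},
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def find_fast_privilege_grants(events, window=WINDOW, privileged=PRIVILEGED_GROUPS):
    """Return one alert per privileged-group grant that follows the
    target account's creation within `window`."""
    created = {}   # account (lower-case) -> (creation time, creating actor)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = parse_time(ev["time"])
        account = ev["target"].lower()
        if ev["id"] == 4720:
            created[account] = (when, ev["actor"])
        elif ev["id"] in (4728, 4732) and ev["group"] in privileged:
            info = created.get(account)
            if info is None or when - info[0] > window:
                continue
            alerts.append({
                "account": ev["target"],
                "group": ev["group"],
                "created_by": info[1],
                "granted_by": ev["actor"],
                "minutes_after_creation": (when - info[0]).total_seconds() / 60,
                # One person both creating and elevating an account deserves a closer look.
                "same_actor": info[1] == ev["actor"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_fast_privilege_grants(EVENTS):
        print(alert)
```

Run stand-alone, the block reports the svc-backup account only: it was created and added to Domain Admins by the same account two and a half minutes apart. The jsmith grant is to a non-privileged group, and the olduser grant has no creation event in the window, so neither is reported by this rule.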
#7 Sophisticated Ukrainian Attack
A more sophisticated group of attackers uses the techniques of the Ukraine attack, but is more sophisticated
with respect to cyber-attack tools and the engineering details of electric systems. In addition to the actions of
attackers in the UKRAINE ATTACK scenario, the more sophisticated group uses compromised IT domain controllers
to defeat two-factor authentication, connects to protective relays and reconfigures them, effectively disabling
the relays. The group now very quickly connects and disconnects power flows to the affected consumers,
damaging refrigerators, sump pumps, and other motors in consumers' homes and businesses. The attackers also
redirect power flows in the small number of high-voltage transmission substations managed by the distribution
utilities, destroying high-voltage transformers by overloading and overheating them.
Sophistication: This group of attackers is moderately sophisticated, both cyber-wise and engineering-wise.
Consequences: Consequences of this attack are more serious. Many large refrigerators in grocery stores have
been rendered inoperable, large water pumps in water distribution systems are similarly damaged, and a large
number of smaller pieces of equipment in consumers' homes are rendered inoperable. High voltage transformers
must be replaced on an emergency basis, which takes over a week. There is no world-wide inventory of such
transformers, so while replacement transformers are manufactured, emergency replacements are acquired by
reducing redundancy and capacity in other parts of the electric grid.
#8 Market Manipulation
An organized crime syndicate targets known vulnerabilities in Internet-exposed services and gains a foothold
on IT networks. They seed RAT tools into the compromised system, eventually gaining Windows Domain
Admin privileges. The attackers reach into ICS computers that trust the IT Windows domain and propagate
RAT technology to those computers. Because the ICS computers are unable to route traffic to the Internet,
the attackers route the traffic via peer-to-peer connections through compromised IT equipment. Once in the ICS
network, attackers download and analyze control system configuration files. They then reprogram a single
PLC, causing it to mis-operate a single vital piece of physical equipment, while reporting to the plant HMI that
the equipment is operating normally. The equipment wears out prematurely, in a season of high demand for
the plant's commodity output - e.g. gasoline. The plant shuts down for emergency repairs of this apparently
random equipment failure.
The same attack occurs at two nearby plants. Once the equipment has failed, the perpetrators erase all evidence
of their presence from the affected plants' ICS networks. Prices of the affected commodity spike on commodities
markets. When plant production at all plants returns to normal, commodity prices return to normal. This attack
is repeated in the next season of high demand.
Sophistication: Cyber-sophistication of this attack and these attackers is moderate - no zero-days were used,
and no code was written. Engineering sophistication of this attack is high. The attackers needed access to an
engineer able to interpret the control system configurations, select physical equipment to target, identify the
PLC controlling that equipment, download the existing program of that PLC, and design and upload a new
program able to wear out the targeted physical equipment prematurely, while reporting to the HMI that the
equipment is operating normally.
Consequences: Lost plant production and emergency equipment repair costs.
#9 Sophisticated Market Manipulation
More cyber-sophisticated attackers carry out the market manipulation attack, but in a way that is harder to
defend against. They use known vulnerabilities in Internet-facing systems to compromise the IT network of
a services company known to supply services to their real target. The attackers write their own RAT malware
and deploy it only at the services company, so that anti-virus tools cannot detect the RAT. The attackers use
the RAT to compromise the laptops of personnel who routinely visit the real target. When they detect that the
compromised laptops are connected to the real target's IT network, the attackers operate the RAT by remote
control and propagate the RAT into the target's IT network.
Inside the target's IT network, the attackers continue to operate the RAT. Intrusion detection systems are
blind to the activity of the RAT, because the attack is low-volume, using command lines rather than remote-
desktop-style communications, and command-and-control communications are steganographically-encoded
in benign-seeming communications with compromised websites. The attack ultimately propagates to the ICS
network, with the same consequences as the Market Manipulation attack.
Sophistication: Cyber-sophistication of this attack and these attackers is high. No zero-days were used, but the
attackers developed custom malware with steganographically-encoded communications. The engineering
sophistication, like the Market Manipulation attack, is high.
Consequences: Lost plant production and emergency equipment repair costs.
#10 Cell-phone WIFI
Sophisticated attackers seek to inflict damage on a geography they are unhappy with for some reason. The
attackers create an attractive cell phone app - call it the world's fanciest free flashlight app. The attackers use
targeted social media attacks to persuade office workers at critical infrastructure sites in the offending geography
to download the app, which requests more permissions than a flashlight app should really request, but these
workers are not cyber-sophisticates and think nothing of it.
The app runs continuously in the background of the cell phone. While at their critical-infrastructure workplaces,
the app instructs the phone to periodically scan for WIFI networks and report such networks to a command and
control center. The attackers again use social media, social engineering and phishing attacks to impersonate
insiders at the target organization, and extract passwords for the WIFI networks. Several of these password-
protected networks are part of critical-infrastructure industrial control systems.
The attackers log into these networks using the compromised cell phones, and look around the networks
by remote control until they find computer components vulnerable to simple denial of service attacks, such
as erasing hard drives or SYN floods. The attackers compromise plant operations triggering an unplanned
shutdown, disconnect from the WIFI networks, and repeat a few days later.
Variation: Plant malware on the laptops of office workers who work within range of ICS WIFI networks.
Sophistication: This attack currently needs a high degree of cyber-sophistication, because toolkits enabling
this kind of hidden WIFI hacking from cell phones currently do not exist on the open Internet, and so attackers
need to write this malware themselves, or buy it. Once such attack tools are widely and publicly available, this
class of attack will come within the means of hacktivist groups annoyed with industrial enterprises. The attack
needs only very low engineering sophistication.
Consequences: Repeated plant shutdowns from a source that is difficult to identify. Plant personnel should
eventually determine that the source of the attack is a WIFI network and shut down all WIFI at the plant, or at
least change all the passwords.
#11 Hijacked Two-Factor
Sophisticated attackers seek to compromise operations at an industrial site protected by best-practice industrial
security. So, they write custom RAT malware to evade anti-virus systems, and target support technicians at
the industrial site using social media research and targeted phishing emails. The technicians activate malware
attachments and authorize administrative privileges for the malware because they believe the malware is a
video codec, or some other legitimate-seeming technology.
Rather than activate the RAT at the industrial site, where the site's sophisticated intrusion detection systems
might detect its operation, the attackers wait until the technician victim is on their home network, but needs
to log into the industrial site remotely to deal with some problem. The technician activates their VPN and logs
in using two-factor authentication. At this point the malware activates, moving the Remote Desktop window
to an invisible extension of the laptop's screen, and shows the technician a useful error message along the lines
of “Remote Desktop has stopped responding. Click here to try to correct the problem.”
The malware provides remote control of the invisible Remote Desktop window to the attackers. The technician
starts another Remote Desktop session to the industrial site, thinking nothing of the interruption. In this way,
sophisticated attackers have access to industrial operations for as long as the technician's laptop and VPN are
enabled. The only hint of the problem the ICS IDS sees is the technician logged in twice. The attackers eventually
learn enough about the system to mis-operate the physical process enough to seriously damage equipment,
or cause an environmental disaster through a discharge of toxic materials.
Sophistication: Currently this requires a high level of cyber-sophistication, since no such two-factor-defeating
remote access toolkit is available for free download on the open Internet. To bring about a serious physical
consequence, within a limited number of remote access sessions, likely requires a high degree of engineering
sophistication as well.
Consequences: Any attacker willing to invest sophisticated, custom malware in this kind of attack is most likely
going to persist in the attack until significant adverse outcomes are achieved.
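The one observable the scenario leaves at the site is the technician being logged in twice. The following Python is an added example, not part of the original paper: it walks remote-access logon and logoff records and raises an alert whenever a user opens a second session while an earlier one is still open. The log lines are constructed in a simple key=value form whose field names are assumptions; a real deployment would map VPN concentrator or RDP gateway records onto them.

```python
"""Detect a user holding two concurrent remote sessions into the ICS.

Added example, not part of the original paper. Log lines are
constructed in a key=value form; the field names are assumed, and a
real deployment would map VPN or RDP gateway records onto them.
"""
from datetime import datetime

# Constructed sample: tech01 opens a second session while the first is still open.
SAMPLE_LOG = """\
2017-03-02 21:04:11 LOGON user=tech01 src=10.8.0.5 session=A1
2017-03-02 21:05:30 LOGON user=tech01 src=10.8.0.5 session=A2
2017-03-02 21:10:00 LOGON user=tech02 src=10.8.0.9 session=B1
2017-03-02 21:20:00 LOGOFF user=tech02 src=10.8.0.9 session=B1
2017-03-02 21:25:00 LOGON user=tech02 src=10.8.0.9 session=B2
2017-03-02 21:40:00 LOGOFF user=tech01 src=10.8.0.5 session=A1
"""


def parse_line(line):
    """Parse one log line into a dict; fields after the action are key=value."""
    date, clock, action, *fields = line.split()
    record = {"time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
              "action": action}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def find_concurrent_sessions(log_text):
    """Return alerts for LOGONs that arrive while the same user already
    has an open session. Sessions are closed by a matching LOGOFF."""
    open_sessions = {}   # user -> {session id: logon record}
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        user = rec["user"]
        sessions = open_sessions.setdefault(user, {})
        if rec["action"] == "LOGON":
            if sessions:
                existing = next(iter(sessions.values()))
                alerts.append({
                    "user": user,
                    "existing_session": existing["session"],
                    "new_session": rec["session"],
                    # Same source address: consistent with the user's own
                    # laptop carrying both sessions, as in the scenario.
                    "same_source": existing["src"] == rec["src"],
                    "time": rec["time"].isoformat(sep=" "),
                })
            sessions[rec["session"]] = rec
        elif rec["action"] == "LOGOFF":
            sessions.pop(rec["session"], None)
    return alerts


if __name__ == "__main__":
    for alert in find_concurrent_sessions(SAMPLE_LOG):
        print(alert)
```

tech02's sessions are sequential and produce nothing; tech01's overlapping sessions from the same address produce one alert. Whether a second concurrent session is ever legitimate is a site policy question, which is why the example reports rather than blocks.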
#12 IIoT Pivot
Hacktivists annoyed with the environmental practices of an industrial site learn from the popular press that the
site is starting to use new, state-of-the-art, Industrial Internet of Things edge devices from a particular vendor.
The attackers search the media to find other users of the same components, at smaller and presumably less-
well-defended sites. The hacktivists target these sites with phishing email and gain a foothold on the IT and
ICS networks of the most poorly-defended of these IIoT-using sites.
The hacktivists gain access to the vendor's IIoT equipment at the sites and discover that the operating system
for these devices is an older version of Linux, with many known vulnerabilities. The attackers take over one
of the IIoT devices. After looking at the software installed on the device, they conclude that the device is
communicating through the Internet with a database in the cloud from a well-known database vendor. The
attackers download Metasploit to the IIoT device and attack the connection to the cloud database with the
most recently-released exploit for that database vendor.
They discover that the cloud vendor has not yet applied a security update for that vulnerability and they take
over the database servers in the cloud vendor. In their study of the relational database and the software on
the compromised edge devices, the hacktivists learn that the database has the means to order edge devices
to execute arbitrary commands. This is a “support feature” that allows the central cloud site to update software,
reconfigure the device, and otherwise manage complexity in the rapidly-evolving code base in this edge device.
The hacktivists use this facility to send commands and standard attack tools and other software to the edge
devices in those ICS networks the hacktivists regard as environmentally-irresponsible targets. Inside those
networks, the attackers use these tools and remote-command facilities to look around for a time and eventually
erase hard drives or cause what other damage they can, triggering unplanned shutdowns.
In short, hacktivists attacked a heavily-defended client of cloud services, by pivoting from a poorly-defended
client, through a poorly-defended cloud.
Sophistication: These attackers are of moderate cyber-sophistication. They can download and use public attack
tools that can exploit known vulnerabilities, they can launch social engineering and phishing attacks, and they
can exploit permissions with stolen credentials. Hacktivists usually have a very limited degree of engineering
sophistication.
Consequences: Unplanned shutdowns, lost production, and possible equipment damage.
#13 Malicious Outsourcing
An industrial site has outsourced a remote support function to a control system component vendor - for
example: maintenance of the plant historian. The vendor has located their world-wide remote support center
in a country with an adequate supply of adequately-educated personnel, and low labor and other operational
costs. A poorly-paid technician at this support center finds a higher-paying job elsewhere, and before leaving,
decides to take revenge on personnel at a particular industrial site - personnel who complained to the technician's
manager about the technician's performance.
The technician uses her legitimately-acquired remote access and two-factor credentials, and the VPN to the
targeted site to gain access to the site. The technician logs into all of the computers she has access to, and leaves
a tiny script running on each that, one week later, erases the hard drives on each computer.
Sophistication: This is an adversary with limited cyber sophistication, or engineering sophistication, who is
unable to produce custom malware. This attacker does have credentials and the ability to log into their target
remotely, and has some knowledge of how that system works - in particular, how to leave a small, simple script
running, or schedule such a script to run in the future with administrative privileges.
Consequences: Consequences of such an attack vary. For example, no power plant relies on the veracity of its
historians for second-by-second operation - at such a target, if the historians were targeted, the consequences
would be the loss of historical data since the last backup. Historians targeted at a pharmaceutical plant would
likely trigger the loss of the current batch, since many such plants store their batch records in the historians,
and are unable to sell product for batches whose records are impaired. Such batches can range in value from
hundreds of thousands of dollars to hundreds of millions of dollars.
#14 Compromised Vendor Website
Most of us trust our ICS vendors - but should we trust their websites? Hacktivists find a poorly-defended ICS
vendor website and compromise it. They download the latest copies of the vendor software and study it. In
particular, they learn where in the system the name or some other identifier for the industrial site is stored.
These attackers then determine which of the industrial enterprises that the attackers are currently annoyed
with are identified in public media as users of this vendor's software.
The attackers use the compromised website to unpack the latest security update for the ICS software and insert
a small script. The attackers re-pack the security update, sign the modified update with the private key on the
web server, and post the hacked update as well as a new MD5 hash for the update.
Over time, many sites download and install the compromised update. At each target, the script activates. If
the script fails to find the name of the targeted enterprise in the control system being updated, the script does
nothing. When the script finds the name, it installs another small script to activate one week later, erasing the
hard drive, and triggering an unplanned and possibly uncontrolled shutdown.
Sophistication: This is a hacktivist-class attack, by attackers of moderate cyber sophistication, and limited
engineering sophistication. The attackers did know enough about computer systems to use existing tools,
permissions and vulnerabilities. They did have enough knowledge to unpack control system products and
understand to some degree how they work, as well as unpack and re-pack security updates.
Consequences: Most often, the consequence of this class of attack is an unplanned shutdown. However, if
enough of the control system is affected by a simultaneous shutdown, the failure may trigger an uncontrolled
shutdown, which in many industries risks equipment damage.
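The scenario turns on where the integrity data comes from: an MD5 hash, or a signature made with a key, that lives on the same web server as the download is replaced along with the download. The following Python is an added example, not part of the original paper: it contrasts a check that trusts the hash posted beside the package with a check against a hash pinned from an out-of-band source, and replays the tampering described above against both. The package bytes, file name and inserted content are constructed for illustration.

```python
"""Same-origin hash versus out-of-band pinned hash for an ICS update.

Added example, not part of the original paper. The package bytes, the
file name and the tampering are constructed for illustration.
"""
import hashlib

UPDATE_NAME = "hmi-security-update-2017-01.zip"              # constructed name
GENUINE_PACKAGE = b"genuine vendor update payload 2017-01"    # constructed
TAMPERED_PACKAGE = GENUINE_PACKAGE + b"\n# inserted script\n" # constructed

# The out-of-band trust store. In practice this hash would arrive by a
# channel the web server cannot alter (a signed release notice verified
# against a certificate obtained independently, or a vendor support
# call). It is derived here from the genuine bytes only so that the
# example runs stand-alone.
PINNED_SHA256 = {UPDATE_NAME: hashlib.sha256(GENUINE_PACKAGE).hexdigest()}


def verify_same_origin(package, posted_md5):
    """The weak check: trust the MD5 posted beside the download."""
    return hashlib.md5(package).hexdigest() == posted_md5


def verify_pinned(name, package, pinned=PINNED_SHA256):
    """The stronger check: compare against a hash obtained out-of-band."""
    expected = pinned.get(name)
    return expected is not None and hashlib.sha256(package).hexdigest() == expected


def scenario():
    """Replay the attack: the attacker posts the tampered file together
    with a fresh MD5 for it. Return what each verification concludes."""
    vendor_posted_md5 = hashlib.md5(GENUINE_PACKAGE).hexdigest()
    attacker_posted_md5 = hashlib.md5(TAMPERED_PACKAGE).hexdigest()
    return {
        "same_origin_accepts_genuine": verify_same_origin(GENUINE_PACKAGE, vendor_posted_md5),
        "same_origin_accepts_tampered": verify_same_origin(TAMPERED_PACKAGE, attacker_posted_md5),
        "pinned_accepts_genuine": verify_pinned(UPDATE_NAME, GENUINE_PACKAGE),
        "pinned_accepts_tampered": verify_pinned(UPDATE_NAME, TAMPERED_PACKAGE),
    }


if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

The same-origin check accepts both packages, because the attacker controls the hash as well as the file; the pinned check rejects the tampered one. A signature verified with the vendor's public key gives the same protection only if the signing key is not reachable from the web server, which is exactly the assumption the scenario violates.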
#15 Compromised Remote Site
SCADA systems are control systems that use wide-area-network communications, such as power grids and
pipelines. In such systems, remote sites such as substations and pumping stations are typically unstaffed, with
limited physical security, such as a wire fence, locks and perhaps video surveillance.
In this scenario, an attacker physically cuts the padlock on a wire fence around a remote station and enters
the physical site. The attacker locates the control equipment shed - typically the only roofed building at the
site - and again, forces the door to gain entry to the shed. He walks over to the only rack in the site, plugs a
laptop into the switch, and tapes it to the bottom of a piece of computer equipment low in the rack where it
is unlikely to be detected. The attacker leaves the site.
An investigation ensues, but the investigators find only physical damage and nothing apparently missing.
The extra laptop low in the rack is not noticed. A month later, the attacker parks a car near the remote site and
interacts with the laptop via WIFI, enumerating the network and discovering the connections back into the
central SCADA site. The attacker uses the laptop to break into equipment at the remote site, and from there
into the central SCADA system. He/she then uses Ukraine-style techniques to cause physical shut-downs.
Sophistication: This attack requires physical access to at least one of the remote sites, and an investment of
physical risk, as well as equipment - the laptop. Hacktivist-class cyber expertise is needed to break into the
remote site and the central site. Very limited engineering expertise is needed to bring about a Ukraine-style
consequence.
Consequences: Interruptions to the movement of electricity, natural gas, water, or whatever else the remote
station manages are the simplest consequence of this class of attack. Erased hard drives are another simple
consequence. Attackers with a higher degree of engineering sophistication could reprogram protective relays
or other equipment protection gear, damaging physical equipment such as transformers and pumps. More
sophisticated manipulation of pipeline equipment, especially in liquids pipelines, can result in pressure waves
able to cause pipeline breaches and leaks.
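Both this scenario and the Cell-phone WIFI scenario (#10) begin with a device that does not belong attaching to the ICS network: a laptop taped into a rack, or a phone joining a password-protected WIFI network. The following Python is an added example, not part of the original paper: it compares what the switch MAC table and the wireless controller report against an asset inventory, flagging unknown devices and known devices that appear somewhere other than their expected port or SSID. The inventory, the observed entries and the MAC addresses are all constructed.

```python
"""Compare devices seen on switch ports and an ICS WIFI network with an
asset inventory, and flag anything unknown or out of place.

Added example, not part of the original paper. The inventory and the
observed entries are constructed; MAC addresses are locally-administered
example values and the port and SSID names are assumptions.
"""

# Authoritative inventory: MAC -> (asset name, expected attachment point). Constructed.
INVENTORY = {
    "02:00:00:aa:01:01": ("rtu-substation-7", "switch1/Gi1/0/1"),
    "02:00:00:aa:01:02": ("relay-gateway-7", "switch1/Gi1/0/2"),
    "02:00:00:aa:01:03": ("eng-tablet-3", "wifi/ICS-MAINT"),
}

# What the switch MAC table and the wireless controller currently report. Constructed.
OBSERVED = [
    {"mac": "02:00:00:AA:01:01", "where": "switch1/Gi1/0/1"},   # known, in place
    {"mac": "02:00:00:aa:01:02", "where": "switch1/Gi1/0/2"},   # known, in place
    {"mac": "02:00:00:bb:77:01", "where": "switch1/Gi1/0/7"},   # a laptop nobody inventoried
    {"mac": "02:00:00:aa:01:03", "where": "wifi/ICS-MAINT"},    # known, in place
    {"mac": "02:00:00:cc:12:34", "where": "wifi/ICS-MAINT"},    # an unknown phone on ICS WIFI
    {"mac": "02-00-00-aa-01-02", "where": "switch1/Gi1/0/5"},   # known device on the wrong port
]


def normalize_mac(mac):
    """Switches and controllers format MACs differently; compare one form."""
    return mac.strip().lower().replace("-", ":")


def audit_attachments(observed, inventory=INVENTORY):
    """Return one alert per observed entry that is not in the inventory or
    is attached somewhere other than where the inventory expects it."""
    alerts = []
    for entry in observed:
        mac = normalize_mac(entry["mac"])
        known = inventory.get(mac)
        if known is None:
            alerts.append({"mac": mac, "where": entry["where"],
                           "reason": "unknown device"})
        elif known[1] != entry["where"]:
            alerts.append({"mac": mac, "asset": known[0], "where": entry["where"],
                           "expected": known[1], "reason": "unexpected location"})
    return alerts


if __name__ == "__main__":
    for alert in audit_attachments(OBSERVED):
        print(alert)
```

The check is only as good as the inventory, and a MAC address is trivially chosen, so it catches the casual case described in these two scenarios rather than a careful impersonation; port security or 802.1X on the switch, and certificate-based authentication on the WIFI, are the controls that remove the reliance on addresses.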
#16 Vendor Back Door
A software developer at a software vendor inserts a back door into software used on industrial control systems
networks. This may be ICS software, or it may be driver, management, operating system, networking, or other
software used on the ICS network. The back door may have been installed with the blessing of the software
vendor, as a “support mechanism,” or may have been installed surreptitiously by a software developer with
malicious intent.
The software checks the vendor website weekly for software updates and notifies the user through a message
on the screen when an update is available. The software also, unknown to the end user, creates a persistent
connection to the update notification website when the website so instructs, and permits personnel with
access to the website to operate the machine on the ICS network remotely. Hacktivist-class attackers discover
this back door, compromise the vendor's software-update website with a password-phishing attack on the
vendor, and use the back door to impair operations at industrial sites belonging to enterprises the hacktivists
have imagined they have some complaint against.
Note that anti-virus systems are unlikely to discover this back door, since this is not the autonomously-propagating
kind of malware AV systems are designed to discover. Sandboxing systems are unlikely to discover it either,
since the only network-aware behavior observable by those systems is a periodic call to a legitimate vendor's
software update site asking for update instructions.
Consequences: Plant shutdowns and erased hard drives are easy to bring about by hacktivist-class attackers who
have carried out this kind of attack. More engineering-sophisticated attackers can most likely cause equipment
damage, and sometimes even put worker safety or public safety at risk.
Sophistication: To write the back door into the vendor's product source code, and into the update web site's
source code, takes an intermediate degree of cyber sophistication. Such source code is of course well within
the abilities of software developers working for the vendor though, since such developers are typically hired to
produce code that is much more complex than what is needed for this kind of back door. A moderate degree
of cyber sophistication is required of the hacktivists who discovered the back door. Only limited engineering
sophistication is needed to bring about a plant shutdown. Greater sophistication is needed to bring about
equipment damage and safety-impairing scenarios.
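The text notes that sandboxes see only a periodic call to a legitimate update site. What a sandbox cannot see, network flow records at the ICS perimeter can: a weekly two-second check-in looks nothing like a connection held open for hours, or a host contacting the update site several times a day. The following Python is an added example, not part of the original paper: it scans constructed flow records from an assumed ICS subnet to an update server and flags flows that last longer than a check-in should, or hosts that contact the site more often than a weekly check-in explains. The subnet, server address and thresholds are assumptions.

```python
"""Flag long-lived or unusually frequent connections from ICS hosts to a
software update site.

Added example, not part of the original paper. Flow records are
constructed; the subnet, the update server address and both thresholds
are assumptions to be tuned per site.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

ICS_SUBNET = ip_network("10.50.0.0/16")   # assumed ICS address range
MAX_CHECK_IN_SECONDS = 60                  # assumed: an update check should be brief
MAX_FLOWS_PER_WEEK = 2                     # assumed: a weekly check-in plus one retry

# Constructed flow records: (start, end, source, destination, bytes sent).
FLOWS = [
    ("2017-05-01 03:00:00", "2017-05-01 03:00:02", "10.50.1.20", "203.0.113.10", 1200),
    ("2017-05-08 03:00:00", "2017-05-08 03:00:03", "10.50.1.20", "203.0.113.10", 1300),
    # The back door's persistent session: opened by the weekly check-in, held for hours.
    ("2017-05-08 03:00:00", "2017-05-08 09:14:51", "10.50.1.21", "203.0.113.10", 48000),
    # Three short contacts in one day from a host that should check in weekly.
    ("2017-05-09 10:00:00", "2017-05-09 10:00:01", "10.50.1.22", "203.0.113.10", 900),
    ("2017-05-09 10:20:00", "2017-05-09 10:20:01", "10.50.1.22", "203.0.113.10", 900),
    ("2017-05-09 10:40:00", "2017-05-09 10:40:01", "10.50.1.22", "203.0.113.10", 900),
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def find_suspicious_update_flows(flows, subnet=ICS_SUBNET,
                                 max_seconds=MAX_CHECK_IN_SECONDS,
                                 max_per_week=MAX_FLOWS_PER_WEEK):
    """Return alerts for over-long flows and for hosts exceeding the
    expected number of contacts in an ISO week."""
    alerts = []
    per_week = {}   # (source, ISO year, ISO week) -> flow count
    for start, end, src, dst, bytes_out in flows:
        if ip_address(src) not in subnet:
            continue
        started = parse_time(start)
        duration = (parse_time(end) - started).total_seconds()
        if duration > max_seconds:
            alerts.append({"src": src, "dst": dst, "reason": "duration",
                           "seconds": duration, "bytes_out": bytes_out})
        year, week, _ = started.isocalendar()
        key = (src, year, week)
        per_week[key] = per_week.get(key, 0) + 1
    for (src, year, week), count in per_week.items():
        if count > max_per_week:
            alerts.append({"src": src, "reason": "frequency",
                           "week": f"{year}-W{week:02d}", "flows": count})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_update_flows(FLOWS):
        print(alert)
```

Host 10.50.1.20 behaves as the text describes a clean client behaving and is not reported; 10.50.1.21 is reported for a six-hour session, and 10.50.1.22 for three contacts in one week. Because the destination is a legitimate vendor site, the alert is a prompt to inspect the host rather than to block the address.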
#17 Stuxnet
Sophisticated attackers target a specific and heavily-defended industrial site. They first compromise a somewhat
less-well-defended services supplier, exfiltrating details of how the heavily-protected site is designed and
protected. The adversaries develop custom, autonomous malware to target that one site, and bring about
physical damage to equipment at the site. The autonomous malware exploits zero-day vulnerabilities. Services
providers carry the malware to site on removable media. Anti-virus scanners are blind to the custom, zero-
day-exploiting malware.
Consequences: The Natanz uranium enrichment site targeted by Stuxnet is thought to have suffered several
months of reduced or zero production of enriched uranium, because of the interference of the Stuxnet worm
in the production process. The site is also estimated to have suffered the premature aging and destruction of
1000-2000 uranium gas centrifuge units. More generally, this class of attack can bypass all but physical safety
and protection equipment, and could bring about loss of life, public safety risks and costly equipment damage.
Sophistication: This class of attack demands a high degree of engineering sophistication, to understand the
physical process and control system components, and bypass equipment protection and safety systems with
an attack. The attack demands a high degree of cyber sophistication as well, to encode that new attack into
custom malware that is undetectable by the specific cyber security technologies deployed at the target site.
#18 Hardware Supply Chain
A sophisticated attacker compromises the IT network of an enterprise with a heavily-defended industrial site.
The attacker steals information about which vendors supply the industrial site with servers and workstations,
as well as which vendors routinely ship that equipment to the site. The attacker then develops a relationship
with the delivery drivers in the logistics organization, routinely paying the driver modest sums of money to
take 2-hour lunch breaks, instead of 1-hour breaks.
When IT intelligence indicates that a new shipment of computers is on its way to the industrial site, the agency
uses the 2-hour window to break into the delivery van, open the packages destined to the industrial site, insert
wirelessly-accessible single-board computers into the new equipment, and then re-package the new equipment
so that the tampering is undetectable. Some time after IT records show that the equipment is in production,
the attackers access their embedded computers wirelessly, to manipulate the physical process. The attackers
eventually impair equipment protection measures, crippling production at the plant, through what appears to
be a long string of very unfortunate, random, equipment failures.
Consequences: Costly equipment failures and plant production far below targets.
Sophistication: This is an attack by a very sophisticated adversary. This attacker has the physical “feet on the
street” to carry out covert actions, such as breaking into the delivery van, and quickly disassembling, modifying,
re-assembling, and re-packaging compromised equipment. The attacker is cyber-sophisticated, maintaining a
long-term presence on the target's IT network, and understanding the design of a variety of computer equipment
enough to understand how to subtly insert additional hardware into that equipment. The attacker has a high
degree of engineering sophistication as well, to understand the structure of the physical process, the control
systems, and the equipment protection systems enough to design and carry out physical sabotage and make
damaged equipment look like random failures.
#19 Nation-State Crypto Compromise
A nation-state grade attacker compromises the PKI encryption system, either by stealing certificates from a well-
known certificate authority, or by breaking a popular crypto-system and so forging the certificate. The attacker
compromises Internet infrastructure to intercept connections from the site to software vendors, and deceives
the site into downloading malware with what appears to be legitimate vendor signatures. The malware sets up
peer-to-peer communications steganographically tunneled through ICS firewalls and DMZs on what appear to
be legitimate vendor-sanctioned communications channels. The nation-state adversary operates the malware
by remote control, learning about the targeted site. The adversary creates custom attack tools which, when
activated, cause the release of toxins into the environment, serious equipment damage and a plant shutdown.
Consequences: Public safety risks and possible loss of life, costly equipment damage and lost production.
Sophistication: This is a very sophisticated adversary able to defeat the encryption, certificates, signing and
cryptographic hashes that are the foundation of many security programs.
#20 Sophisticated Credentialed ICS Insider
A sophisticated attacker bribes an ICS insider at an industrial site. The insider systematically leaks information to the attackers about the design of the physical process, and of the industrial control system. The attacker develops custom, autonomous malware. The insider deliberately releases the malware on the system with the insider's credentials. A few hours later the malware activates. A day later, there is an explosion that kills a number of workers, causes a billion dollars in damage to the plant, and shuts the site down for 12-18 months.
Consequences: Loss of life, costly equipment damage and lost production.
Sophistication: This is an attacker with a high degree of sophistication in physical operations, to bribe the insider, a high degree of engineering sophistication to determine what cyberattack has not been anticipated by the site's safety and equipment protection systems, or to determine how to defeat those protections, and a high degree of cyber sophistication to produce undetectable, custom, autonomous malware.
Water Treatment System Example
Consider a water and wastewater treatment system. Cybersecurity priorities for the site include:
1. Do not kill or injure anyone at the site. Site hazards include large reservoirs and pipes able to fill with water, whether or not personnel are in the way, and large, toxic reservoirs of chlorine gas and fluoride solutions,
2. Do not route unclean water into the water distribution system in quantities that put public safety at risk, or trigger “boil water” advisories, and
3. Manage reservoirs, pumping and treatment systems such that clean drinking water is available in quantities and according to schedules that comply with service-level agreements with the water distribution system.
A water treatment control system is protected to first-generation ICS security best practices, published roughly 2003-2013:
• Firewalls separate networks at grossly different levels of trust,
• Encryption is enabled on all IT and ICS equipment and connections that support it,
• Individual user accounts and passwords are set up on all equipment that supports them, with only the usual exceptions in the ICS space, e.g. for equipment with only a single account, or HMI workstations that cannot afford to lose visibility into the physical process if operators were to log out and log back in on shift change,
• The pumping station SCADA WAN is private, leased telecoms infrastructure,
• A DMZ separates the ICS from IT networks, containing a remote-access jump host, plant historian, and plant AD, AV and other servers synchronized to the IT AD servers,
• A comprehensive security update program is in place. Industrial plant systems cannot be updated as quickly as IT systems can, because comprehensive testing of the updates on a reliability test-bed takes a long time; most control system networks are not updated automatically,
• Anti-virus systems are deployed on all equipment that supports the corporate AV vendor, with automatic updates,
• Network monitoring information is sent directly from network equipment in the ICS network, through the DMZ, into a central corporate IT NOC/helpdesk in another city,
• Copies of ICS network traffic from switch span and mirror ports are fed into a large network intrusion detection analysis engine on the IT network, and
• Logs, AV alerts, IDS alerts, and other security information are sent directly from ICS equipment, through the DMZ, IT and Internet networks to a third-party cloud security monitoring and analysis service.
The third-party service has remote access credentials, and can log into IT networks and from IT networks into ICS networks via the DMZ jump server. Policies, procedures, responsibilities and training have been documented and executed according to IT best practices. Figure (2) is a high-level network diagram for the utility.
Figure (2) First-gen ICS best-practice water treatment network overview
Attack Evaluation
Evaluating the twenty example attacks against the above system yields the results below. Each entry gives the attack, its status, and the rationale. A “Defeated” status means the attack is defeated reliably, while “Not Defeated” means that there is not a high degree of confidence in reliably defeating the indicated attack.
#1 ICS Insider: Not Defeated. None of the indicated security controls prevent an insider from issuing an inappropriate “shut down” command that the insider is authorized to issue.
#2 IT Insider: Defeated. IT best practices include two-factor authentication for the remote-access jump host, which reliably defeats social-engineered remote access passwords.
#3 Common Ransomware: Defeated. IT best practices applied to ICS networks mean that ICS equipment cannot browse the Internet or download ransomware. Such best practices also forbid equipment configured to run “AUTORUN” files.
#4 Targeted Ransomware: Not Defeated. Two-factor authentication might prevent the attacker from pivoting through the IT network into the ICS network, but a targeted remote-control attack of even moderate sophistication can create new accounts on a compromised IT domain controller, and two-factor-less accounts on the jump host. Intrusion detection systems on the IT network might detect the attacker; it depends on how much effort the attacker is making to minimize their footprint, and on how busy the outsourced SOC and enterprise incident response teams are with other emergencies.
#5 Zero-Day Ransomware: Not Defeated. The site has a file sharing server set up in the DMZ to minimize use of USB drives on ICS equipment. Many ICS and IT workstations have access to that server. If the zero-day attack reaches the ICS before anti-virus signatures have been updated or the firewall sandbox security updates are in place, the site will be compromised.
#6 Ukrainian Attack: Defeated. A hacktivist-class attack relies on stolen passwords and known vulnerabilities in network-exposed services. None such are exposed in the water system's architecture.
#7 Sophisticated Ukrainian Attack: Not Defeated. Two-factor authentication might prevent the attacker from pivoting through the IT network into the ICS network, but a targeted remote-control attack of even moderate sophistication can create new accounts on a compromised IT domain controller, and two-factor-less accounts on the jump host. Intrusion detection systems on the IT network might detect the attacker; it depends on how much effort the attacker is making to minimize their footprint, and on how busy the outsourced SOC and enterprise incident response teams are with other emergencies.
#8 Market Manipulation: Not Defeated. Even when security updates are installed promptly on Internet-facing servers, there may be times when proof-of-concept exploits circulate in the wild for vulnerabilities for which no update yet exists. Intrusion detection systems may eventually detect the operation of professional attackers using low-grade attack tools, but by then the damage may already be done.
#9 Sophisticated Market Manipulation: Not Defeated. Attackers this sophisticated do not need to log into ICS sites through a jump host; they more often compromise the IT domain controller. Once so compromised, the attackers can schedule commands to run on ICS equipment, reaching into DMZ file servers and downloading their low-volume, peer-to-peer, steganographically-encrypted malware. Intrusion detection systems might or might not detect this type of attacker; it depends on how much effort the attacker is making to minimize their footprint, and on how busy the outsourced SOC and enterprise incident response teams are with other emergencies.
#10 Cell-phone WIFI: Not Defeated. IT best practices do not forbid encrypted WIFI zones in ICS networks. IT best practices are no guarantee that permissions on ICS networks prevent logging into equipment with stolen passwords and erasing hard drives. Intrusion detection systems might report on unusual WIFI connections to ICS WIFI networks, but identifying the source of such connections can be difficult and time-consuming. It is not clear that all attacks of this class will be reliably detected and remediated in time to prevent consequences.
#11 Hijacked Two-Factor: Not Defeated. This sophisticated attack uses low-volume malware and exploits permissions rather than vulnerabilities, so standard security update and anti-virus protections on the technician's laptop are blind to the attack. To intrusion detection systems at the water treatment site, the incoming connection is simply a technician logging into the jump host, through the jump host to the control system, and manipulating the operation of the control system. All of this is normal.
#12 IIoT Pivot: Not Defeated. Unlike conventional ICS equipment, IIoT edge devices communicate directly with cloud servers rather than moderating their communications through a chain of intervening DMZ networks and other servers, as conventional ICS communications do. This permits attacks to pivot through vendor (cloud) Internet sites much more easily than is the case with conventional ICS components.
#13 Malicious Outsourcing: Not Defeated. Vendor technicians using their permissions to log into ICS servers is a permitted activity. Such technicians carrying out minor reconfiguration of the ICS servers they have passwords for is also permitted, and normal, from the perspective of intrusion detection systems. At the water system, the most likely consequence of this class of attack depends on the type of outsourcing. For outsourced historian management, the consequence is some cyber cleanup. For outsourced control system management, the central technician may well understand enough about the control system and physical process to configure more serious consequences, such as a script that persistently sends shutdown commands to pumps all night long, leaving drinking water reservoirs empty in the morning when they should have been full and ready for the day's load.
#14 Compromised Vendor Website: Not Defeated. Anti-virus sandbox techniques often cannot detect this class of malware, when the malware activates only on specific machines. Software upgrade testing techniques generally do not include a step where the clock is set forward repeatedly to trigger suspicious behavior from embedded malware.
#15 Compromised Remote Site: Not Defeated. First-generation ICS protections might or might not defeat a hacktivist-class intrusion of this type. The remote site's firewall might be configured to permit connections to a wide range of ICS hosts, providing the hacktivist with a large selection of attack targets, some of which are likely to provide access deeper into the control system. Or the firewall might be configured very cautiously, permitting almost no connectivity with the central site. Intrusion detection systems at the central site might or might not detect the activity of the hacktivist in time to prevent consequences.
#16 Vendor Back Door: Not Defeated. In ICS networks configured to first-generation protection standards, connections between ICS equipment and specific Internet-based IP addresses belonging to software vendors are often permitted, bypassing the DMZ, precisely to check for security updates. ICS software is generally configured never to update automatically, but a configuration that allows the software to alert site personnel when updates are available is not unusual.
#17 Stuxnet: Not Defeated. Custom malware designed specifically with zero-day exploits to defeat the water utility's security-update, anti-virus and intrusion detection systems will defeat those systems.
#18 Hardware Supply Chain: Not Defeated. Depending on the sophistication of the attacker, physical tampering can be made arbitrarily difficult to detect. Intrusion detection systems designed to detect rogue access points may not detect rogue WIFI clients. Host-based protections on existing hosts cannot prevent this kind of supply chain attack from introducing new CPUs, hosts and WIFI communications into a network environment.
#19 Nation-State Crypto Compromise: Not Defeated. Cryptosystems are the foundation of many software-based security technologies. When a cryptosystem is compromised, all bets are off.
#20 Sophisticated Credentialed ICS Insider: Not Defeated. It is very difficult to reliably defeat compromised insiders fronting for sophisticated attackers.
Given the analysis above, the DBT for this set of attacks and this target can be illustrated as in Figure (3).
Figure (3) Design Basis Threat for first-generation ICS security program
The water utility’s business decision makers, seeing this illustration, express dissatisfaction with the state of security in the water treatment utility. They may ask “what are these attacks that are not defeated reliably?” We as security practitioners should explain to them the attacks not defeated reliably, as well as any attacks they show special interest in. When we explain attacks, we generally start with the simplest attacks that are not defeated reliably, since attackers with a range of attack techniques available to them often choose the simplest, cheapest attacks that work.
No security posture is infallible - there are always attacks above the DBT line that we can talk to management about. Any practitioner who sees no such attacks for their security posture either needs to define more powerful attacks, or needs to think hard about whether they have misrepresented the effectiveness of their security posture.
Again, business decision makers in this example express dissatisfaction, and ask the security team what can be done to improve ICS security,
on a limited budget.
Improving ICS Security
The ICS network engineering team proposes to implement a number of practices they have seen discussed in recently-published government
best-practice documentation: Unidirectional Security Gateways, strict removable media controls, and security testing on the ICS test-bed:
• Waterfall Security Solutions' Unidirectional Security Gateways are combinations of hardware and software. The hardware is physically
able to transmit information in only one direction. The software replicates servers and emulates devices, typically from ICS networks to
external networks, such as corporate networks and the Internet. External users and applications interact with the replicas as if they were
the original servers. Since the gateway hardware is physically able to transmit information in only one direction, a gateway deployment
makes clients on the destination side of the gateway able to monitor ICS servers via the gateway's replicas, without any physical ability
to control, compromise or in any way influence sensitive ICS equipment.
• Strict removable media controls mean that the ability of ICS equipment to mount, read from, and write to removable media such as USB drives and DVDs is disabled. Any attempt to use such media on an ICS asset results in security alerts and a reminder from the security team that the offending user has just breached site safety rules. An ICS file server is replicated by the Unidirectional Gateways to the IT network, so that removable media is not needed for routine tasks transferring ad-hoc files from the ICS network to the IT network. Any files that must enter the ICS network are written to removable media, scanned by eight different anti-virus engines on a stand-alone cleansing workstation, and copied to new, known-good media. That media is then transferred to a second ICS workstation that makes the new files available on the ICS file server.
• An upgraded test bed serves to test security as well as reliability of files entering a network that are complex enough to contain malware, such as ICS software updates. Such files are opened on the test bed under the gaze of a high-sensitivity malware detection system. The test bed is, in every way the water utility can manage, an exact copy of the utility's ICS network. Any malware programmed to recognize hosts and activate on the ICS network should recognize the test bed hosts as ICS hosts, activate, and be detected. In short, the upgraded water treatment system test bed serves as both a test bed and a sandbox.
Figure (4) Modern ICS-security water treatment network proposal
The new network is illustrated in Figure (4). Two independent Unidirectional Gateways are deployed at the interface to the SCADA WAN with direct connections to SCADA Communications Front End (CFE) equipment. Remote management of pumping station sites is still possible via remote access workstations at the water treatment plant, workstations that are electrically connected to the SCADA WAN in a badge-in secure room. The reliability/security test bed is connected unidirectionally to the ICS network, meaning live data from the ICS network can be replicated to the test bed for testing and training purposes, but no malware, malfunctioning software, or error in configuring the test/training system is physically able to send any signal to the live ICS network that might cause the water treatment plant to malfunction.
Attack Evaluation
The proposed defensive posture is evaluated against the 20 attacks as follows. Each entry gives the attack, its status under the proposed posture, the change relative to the first-generation evaluation (in parentheses), and the rationale.
#1 ICS Insider: Not Defeated (unchanged). None of the indicated security controls prevent an insider from issuing an inappropriate “shut down” command that the insider is authorized to issue.
#2 IT Insider: Defeated (unchanged; still defeated, but because of the Unidirectional Gateway now, not two-factor authentication). No online message or signal from the IT network has any way to reach the ICS network any more. The Unidirectional Security Gateway at the IT/OT interface is physically able to send information in only one direction: to the IT network, not to the ICS network.
#3 Common Ransomware: Defeated (unchanged; still defeated, but because of the Unidirectional Gateway and removable media controls now, not firewall rules and AUTORUN policies). No browsing of the Internet is possible through a Unidirectional Gateway. Strict removable media controls mean that no media-resident malware can reach sensitive ICS equipment either.
#4 Targeted Ransomware: Defeated (changed to defeated). No remote-control signal from the IT network or the Internet can reach the ICS network through the Unidirectional Gateway.
#5 Zero-Day Ransomware: Defeated (changed to defeated). No ransomware can defeat the Unidirectional Gateway’s physical protection, even with zero-day exploits. Sophisticated, AV-evading ransomware arriving on physical media is deployed first to the isolated test-bed, where the activity of the ransomware is detected by the high-sensitivity IDS, either when installed, or when the clock on the entire test-bed is advanced to test for time-bombed malware.
#6 Ukrainian Attack: Defeated (unchanged; still defeated, but because of Unidirectional Security Gateways now, not two-factor authentication). No remote-access or remote-control signal can penetrate the IT/OT gateway.
#7 Sophisticated Ukrainian Attack: Defeated (changed to defeated). No remote-access or remote-control signal can penetrate the IT/OT gateway.
#8 Market Manipulation: Defeated (changed to defeated). No Internet-based attack can reach the unidirectionally-protected ICS.
#9 Sophisticated Market Manipulation: Defeated (changed to defeated). No Internet-based attack can reach the unidirectionally-protected ICS.
#10 Cell-phone WIFI: Not Defeated (unchanged). IT best practices do not forbid encrypted WIFI zones in ICS networks. IT best practices are no guarantee that permissions on ICS networks prevent logging into equipment with stolen passwords and erasing hard drives. Intrusion detection systems might report on unusual WIFI connections to ICS WIFI networks, but identifying the source of such connections can be difficult and time-consuming. It is not clear that all attacks of this class will be reliably detected and remediated in time to prevent consequences.
#11 Hijacked Two-Factor: Defeated (changed to defeated). No Internet-based attack can reach the unidirectionally-protected ICS. Remote support, when needed, can be carried out with unidirectional Remote Screen View, which makes screens from workstations on ICS networks visible to web browsers on external IT and Internet networks. Such visibility, though, confers no ability for the remote user to control the ICS workstations. Control must be carried out by insiders with access to the indicated workstations' mice and keyboards, usually with a voice connection to external support personnel who provide verbal advice to site personnel, based on the contents of the live screen image replicated to the support provider.
#12 IIoT Pivot: Defeated (changed to defeated). No Internet-based attack can reach the unidirectionally-protected ICS.
#13 Malicious Outsourcing: Defeated (changed to defeated). No attack from any external vendor network can reach the unidirectionally-protected ICS.
#14 Compromised Vendor Website: Defeated (changed to defeated). All new vendor software is deployed first on the reliability/security test bed. In this attack scenario, the software detects that it has been installed on what appears to be a targeted ICS network. When the clock on the test bed is advanced, the malware activates, erasing hard drives. The test bed is quickly restored from backup images, with no harm done to the unidirectionally-protected ICS network.
#15 Compromised Remote Site: Defeated (changed to defeated). The Unidirectional Gateway replicating SCADA system instructions to remote sites across the SCADA WAN is not physically able to transmit any attack information back into the ICS network. The gateway oriented to monitor remote sites is unable to open new connections from a compromised remote site into the ICS network; the gateway is a client of devices at remote sites, not a server or a router.
#16 Vendor Back Door: Defeated (changed to defeated). Unidirectional Security Gateways are not routers, and are unidirectional, and are for both reasons unable to propagate TCP connections from ICS-resident malware to command and control centers, whether those control centers are in ICS vendor websites or not.
#17 Stuxnet: Not Defeated (unchanged). The consequences of malware such as the historical Stuxnet worm may not be visible on test-bed networks, however faithfully those test beds try to emulate an ICS environment. The consequences of Stuxnet were visible only in the physical process.
#18 Hardware Supply Chain: Not Defeated (unchanged). Malicious behavior of new equipment might be observed by the high-sensitivity IDS on the test-bed network. However, attackers who know this test bed exists might also know how long new equipment is tested on the test-bed before being deployed into production. Attackers could simply delay their use of malicious hardware until they know they are on the production system, and not the test bed.
#19 Nation-State Crypto Compromise: Defeated (changed to defeated). Protections for the ICS network are physically unidirectional, not software-based or cryptographic.
#20 Sophisticated Credentialed ICS Insider: Not Defeated (unchanged). It is very difficult to reliably defeat compromised insiders fronting for sophisticated attackers.
A comparison of the DBT for the analysis above and the analysis from the original security posture is illustrated in Figure (5). The modern best-practice security program reliably defeats a much larger set of attacks than does the original first-generation program. Residual risks in the new DBT are all risks that require physical access to the SCADA site, or very costly and sophisticated attacks from nation-state-grade adversaries.
Figure (1) Water treatment system example – two different security postures
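As an added example, not code from the paper or from Waterfall, the two evaluation tables above are encoded so that the DBT line, the residual risks in the order the paper recommends explaining them (simplest first), the paper's sanity check on a posture with nothing above the line, and the per-attack change between the two postures can be derived mechanically. The Top 20 names and the Defeated sets are transcribed from the tables; the posture labels are my own.

```python
"""DBT line helper for the Top 20 ICS attacks and the two postures evaluated above."""
from __future__ import annotations

# Transcribed from the paper's Top 20 list; list position doubles as the
# sophistication rank (1 = least sophisticated, 20 = most sophisticated).
TOP20 = [
    "ICS Insider", "IT Insider", "Common Ransomware", "Targeted Ransomware",
    "Zero-Day Ransomware", "Ukrainian Attack", "Sophisticated Ukrainian Attack",
    "Market Manipulation", "Sophisticated Market Manipulation", "Cell-phone WIFI",
    "Hijacked Two-Factor", "IIoT Pivot", "Malicious Outsourcing",
    "Compromised Vendor Website", "Compromised Remote Site", "Vendor Back Door",
    "Stuxnet", "Hardware Supply Chain", "Nation-State Crypto Compromise",
    "Sophisticated Credentialed ICS Insider",
]

# Attack numbers marked "Defeated" in each evaluation table (posture labels are mine).
FIRST_GEN = {"name": "first-generation ICS best practice", "defeated": {2, 3, 6}}
MODERN = {"name": "unidirectional gateways, media controls, test bed",
          "defeated": {2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 19}}


def status(posture: dict, number: int) -> str:
    """Status label exactly as the tables use it."""
    return "Defeated" if number in posture["defeated"] else "Not Defeated"


def residual_risks(posture: dict) -> list[tuple[int, str]]:
    """Attacks above the DBT line (not reliably defeated), ordered from least
    to most sophisticated: the order in which to explain them to management."""
    return [(n, TOP20[n - 1]) for n in range(1, 21) if n not in posture["defeated"]]


def simplest_not_defeated(posture: dict) -> tuple[int, str] | None:
    """The cheapest attack that still works, which the paper says to explain first."""
    risks = residual_risks(posture)
    return risks[0] if risks else None


def posture_sanity_check(posture: dict) -> str | None:
    """The paper's caveat: nothing above the DBT line means the attack set is
    too weak or the posture's effectiveness has been overstated."""
    if not residual_risks(posture):
        return "no residual attacks: define more powerful attacks or re-check the evaluation"
    return None


def compare(before: dict, after: dict) -> dict[str, list[int]]:
    """Per-attack change between two postures, using the second table's labels."""
    out = {"Changed to defeated": [], "Changed to not defeated": [], "Unchanged": []}
    for n in range(1, 21):
        was, now = n in before["defeated"], n in after["defeated"]
        if was == now:
            out["Unchanged"].append(n)
        elif now:
            out["Changed to defeated"].append(n)
        else:
            out["Changed to not defeated"].append(n)
    return out


def render_dbt(posture: dict) -> str:
    """Text rendering of the DBT chart: one line per attack, marked by status."""
    lines = [f"DBT for: {posture['name']}"]
    for n, name in enumerate(TOP20, start=1):
        mark = "defeated" if n in posture["defeated"] else "ABOVE DBT LINE"
        lines.append(f"#{n:2d} {name:<40} {mark}")
    return "\n".join(lines)


if __name__ == "__main__":
    for posture in (FIRST_GEN, MODERN):
        print(render_dbt(posture))
        print("explain first:", simplest_not_defeated(posture))
        print("residual:", [n for n, _ in residual_risks(posture)], "\n")
    print(compare(FIRST_GEN, MODERN))
```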