INTRODUCTION
Cyber intrusions into US Critical Infrastructure systems are happening with increased
frequency. For many industrial control systems (ICSs), it’s not a matter of if an intrusion will
take place, but when. In Fiscal Year (FY) 2015, 295 incidents were reported to ICS-CERT, and
many more went unreported or undetected. The capabilities of our adversaries have been
demonstrated and cyber incidents are increasing in frequency and complexity. Simply building a
network with a hardened perimeter is no longer adequate. Securing ICSs against the modern
threat requires well-planned and well-implemented strategies that will provide network defense
teams a chance to quickly and effectively detect, counter, and expel an adversary. This paper
presents seven strategies that can be implemented today to counter common exploitable
weaknesses in “as-built” control systems.
Figure 1 (chart not reproduced): Seven Strategies to Defend ICSs. Percentage of ICS-CERT FY 2014 and FY 2015 Incidents Potentially Mitigated by Each Strategy (a)
a. Incidents mitigated by more than one strategy are listed under the strategy ICS-CERT judged as more effective.
If system owners had implemented the strategies outlined in this paper, 98 percent of incidents
ICS-CERT responded to in FY 2014 and FY 2015 would have been prevented. The remaining
2 percent could have been identified with increased monitoring and a robust incident response.
THE SEVEN STRATEGIES
1. IMPLEMENT APPLICATION WHITELISTING
Application Whitelisting (AWL) can detect and prevent attempted execution of malware
uploaded by adversaries. The static nature of some systems, such as database servers and
human-machine interface (HMI) computers, makes them ideal candidates to run AWL.
Operators are encouraged to work with their vendors to baseline and calibrate AWL
deployments.
Example: ICS-CERT recently responded to an incident where the victim had to rebuild the
network from scratch at great expense. A particular malware compromised over 80 percent
of its assets. Antivirus software was ineffective; the malware had a 0 percent detection rate
on VirusTotal. AWL would have provided notification and blocked the malware execution.
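The following is an added illustration of the hash-based allowlisting the paper recommends; it is not code from the paper or from any AWL product. The file paths and the byte strings standing in for executables are constructed so the example runs offline, and a real deployment would hash the binaries actually installed on the host while it is known to be clean.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for the executables installed on an HMI host. In a
# real deployment the baseline is built from the files actually on disk while
# the host is known to be clean; these byte strings exist only so the example
# runs offline. Paths are hypothetical.
KNOWN_GOOD_FILES = {
    "C:/HMI/hmi_runtime.exe": b"MZ\x90\x00 hmi runtime build 3.2.1",
    "C:/HMI/historian_client.exe": b"MZ\x90\x00 historian client build 1.7",
    "C:/Windows/System32/notepad.exe": b"MZ\x90\x00 notepad",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(files: dict) -> dict:
    """Baseline step: hash every approved executable. Returns hash -> approved path."""
    return {sha256_hex(data): path for path, data in files.items()}


@dataclass
class Verdict:
    allowed: bool
    reason: str


def check_execution(allowlist: dict, path: str, data: bytes) -> Verdict:
    """Enforcement step: allow a binary only if its hash is in the baseline.

    The decision is made on content, not on file name or location, so a
    dropper that no antivirus signature matches is still blocked, and so is
    an approved binary that has been modified in place.
    """
    digest = sha256_hex(data)
    if digest in allowlist:
        return Verdict(True, f"hash matches approved file {allowlist[digest]}")
    if path in allowlist.values():
        return Verdict(False, f"approved path {path} has an unapproved hash (file modified?)")
    return Verdict(False, f"{path} is not in the baseline; execution blocked and logged")


ALLOWLIST = build_allowlist(KNOWN_GOOD_FILES)

if __name__ == "__main__":
    # Constructed cases: a genuine binary, an unknown dropper, and an approved
    # binary that has been tampered with after baselining.
    for path, data in [
        ("C:/HMI/hmi_runtime.exe", KNOWN_GOOD_FILES["C:/HMI/hmi_runtime.exe"]),
        ("C:/Users/oper/AppData/Local/Temp/update.exe", b"MZ\x90\x00 dropper"),
        ("C:/HMI/hmi_runtime.exe", b"MZ\x90\x00 hmi runtime build 3.2.1 + implant"),
    ]:
        v = check_execution(ALLOWLIST, path, data)
        print("ALLOW" if v.allowed else "BLOCK", path, "-", v.reason)
```

The point the VirusTotal example makes is visible here: the dropper is blocked without anyone having written a signature for it, because the allowlist only has to know what is supposed to run. The price is that every legitimate update changes a hash, which is why the paper tells operators to baseline and calibrate with their vendors.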
2. ENSURE PROPER CONFIGURATION/PATCH MANAGEMENT
Adversaries target unpatched systems. A configuration/patch management program centered on
the safe importation and implementation of trusted patches will help keep control systems more
secure.
Such a program will start with an accurate baseline and asset inventory to track what patches are
needed. It will prioritize patching and configuration management of “PC-architecture” machines
used in HMI, database server, and engineering workstation roles, as current adversaries have
significant cyber capabilities against these. Infected laptops are a significant malware vector.
Such a program will limit connection of external laptops to the control network and preferably
supply vendors with known-good company laptops. The program will also encourage initial
installation of any updates onto a test system that includes malware detection features before the
updates are installed on operational systems.
Example: ICS-CERT responded to a Stuxnet infection at a power generation facility. The
root cause of the infection was a vendor laptop.
Use best practices when downloading software and patches destined for your control network.
Take measures to avoid “watering hole” attacks. Use a web Domain Name System (DNS)
reputation system. Get updates from authenticated vendor sites. Validate the authenticity of
downloads. Insist that vendors digitally sign updates, and/or publish hashes via an out-of-band
communications path, and use these to authenticate. Don’t load updates from unverified
sources.
Example: HAVEX spread by infecting patches. With an out-of-band communication path
for patch hashes, such as a blast email, users could have detected that the patches were not
authentic.
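As an added example (not from the paper and not any vendor's tooling), here is the out-of-band hash check described above, written for a manifest in the common sha256sum text format. The patch payloads, file names and manifest are constructed; in practice the manifest is what the vendor sends through the separate channel, and here it is derived from the known-good bytes only so the example runs offline.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed patch payloads: what the vendor actually built.
VENDOR_BUILDS = {
    "hmi_patch_3.2.1.msi": b"MSI patch for HMI runtime 3.2.1 (constructed)",
    "plc_firmware_1.9.bin": b"PLC firmware image 1.9 (constructed)",
}

# Hash manifest in sha256sum format, as received through an out-of-band
# channel (the paper's example is a blast email). Derived from the vendor
# builds here only so the example is self-contained.
OUT_OF_BAND_MANIFEST = "\n".join(
    f"{sha256_hex(data)}  {name}" for name, data in VENDOR_BUILDS.items()
)


def parse_manifest(text: str) -> dict:
    """Parse '<sha256 hex>  <filename>' lines into filename -> expected hex digest."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        name = name.lstrip("*").strip()  # sha256sum marks binary mode with '*'
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed digest for {name!r}")
        expected[name] = digest.lower()
    return expected


def verify_downloads(manifest_text: str, downloads: dict) -> dict:
    """Return filename -> 'OK' or a 'REJECT: ...' reason for every downloaded file."""
    expected = parse_manifest(manifest_text)
    report = {}
    for name, data in downloads.items():
        if name not in expected:
            report[name] = "REJECT: no out-of-band hash published for this file"
            continue
        actual = sha256_hex(data)
        # compare_digest avoids timing side channels; harmless here but the right habit.
        if hmac.compare_digest(actual, expected[name]):
            report[name] = "OK"
        else:
            report[name] = "REJECT: hash mismatch (altered in transit or at the download site)"
    return report


# Constructed downloads: one genuine, one trojanized at the download site,
# and one the vendor never published a hash for.
DOWNLOADS = {
    "hmi_patch_3.2.1.msi": VENDOR_BUILDS["hmi_patch_3.2.1.msi"],
    "plc_firmware_1.9.bin": VENDOR_BUILDS["plc_firmware_1.9.bin"] + b" + appended implant",
    "hotfix_urgent.exe": b"unsolicited file from a mirror",
}

if __name__ == "__main__":
    for name, status in verify_downloads(OUT_OF_BAND_MANIFEST, DOWNLOADS).items():
        print(f"{name}: {status}")
```

A file with no published hash is rejected rather than passed through, which is what makes the check useful against a compromised download site: the attacker controls what you download, not what the vendor mailed you last week. The same structure applies when the vendor signs updates instead; the hash comparison is replaced by a signature verification against a key obtained out of band.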
3. REDUCE YOUR ATTACK SURFACE AREA
Isolate ICS networks from any untrusted networks, especially the Internet. (b) Lock down all
unused ports. Turn off all unused services. Only allow real-time connectivity to external
networks if there is a defined business requirement or control function. If one-way
communication can accomplish a task, use optical separation (“data diode”). If bidirectional
communication is necessary, then use a single open port over a restricted network path.
Example: As of 2014, ICS-CERT was aware of 82,000 cases of industrial control systems
hardware or software directly accessible from the public Internet. ICS-CERT has
encountered numerous cases where direct or nearly direct Internet access enabled a breach.
Examples include a US crime lab, a dam, the Sochi Olympic stadium, and numerous water
utilities.
4. BUILD A DEFENDABLE ENVIRONMENT
Limit damage from network perimeter breaches. Segment networks into logical enclaves and
restrict host-to-host communications paths. This can stop adversaries from expanding their
access, while letting the normal system communications continue to operate. Enclaving limits
possible damage, as compromised systems cannot be used to reach and contaminate systems in
other enclaves. Containment provided by enclaving also makes incident cleanup significantly
less costly. (c)
b. ICS-ALERT-14-063-01AP, Multiple Reports of Internet Facing Control Systems, ICS-CERT 2015.
c. Improving Industrial Control Systems Cybersecurity with Defense in Depth, ICS-CERT 2009.
Example: In one ICS-CERT case, a nuclear asset owner failed to scan media entering a
Level 3 facility. On exit, the media was scanned, and a virus was detected. Because the asset
owner had implemented logical enclaving, only six systems were put at risk and had to be
remediated. Had enclaving not been implemented, hundreds of hosts would have needed to
be remediated.
If one-way data transfer from a secure zone to a less secure zone is required, consider using
approved removable media instead of a network connection. If real-time data transfer is
required, consider using optical separation technologies. This allows replication of data without
putting the control system at risk.
Example: In one ICS-CERT case, a pipeline operator had directly connected the corporate
network to the control network, because the billing unit had asserted it needed metering
data. After being informed of a breach by ICS-CERT, the asset owner removed the
connection. It took the billing department 4 days to notice the connection had been lost,
clearly demonstrating that real-time data were not needed.
5. MANAGE AUTHENTICATION
Adversaries are increasingly focusing on gaining control of legitimate credentials, especially
those associated with highly privileged accounts. Compromising these credentials allows
adversaries to masquerade as legitimate users, leaving less evidence than exploiting
vulnerabilities or executing malware. Implement multi-factor authentication where possible.
Reduce privileges to only those needed for a user’s duties. If passwords are necessary,
implement secure password policies stressing length over complexity. For all accounts,
including system and non-interactive accounts, ensure credentials are unique, and change all
passwords at least every 90 days.
Require separate credentials for corporate and control network zones and store these in separate
trust stores. Never share Active Directory, RSA ACE servers, or other trust stores between
corporate and control networks.
Example: One US Government agency used the same password across the environment for
local administrator accounts. This allowed an adversary to easily move laterally across all
systems.
6. IMPLEMENT SECURE REMOTE ACCESS
Some adversaries are effective at gaining remote access into control systems, finding obscure
access vectors, even “hidden back doors” intentionally created by system operators. Remove
such accesses wherever possible, especially modems as these are fundamentally insecure.
Limit any accesses that remain. Where possible, implement “monitoring only” access enforced
by data diodes, and do not rely on “read only” access enforced by software configurations or
permissions. Do not allow remote persistent vendor connections into the control network.
Require that any remote access be operator-controlled, time-limited, and procedurally similar to
“lock out, tag out.” Use the same remote access paths for vendor and employee connections;
don’t allow double standards. Use two-factor authentication if possible, avoiding schemes
where both tokens are similar types and can be easily stolen (e.g., password and soft certificate).
Example: Following these guidelines would have prevented the BlackEnergy intrusions.
BlackEnergy required communications paths for initial compromise, installation and “plug
in” installation.
7. MONITOR AND RESPOND
Defending a network against modern threats requires actively monitoring for adversarial
penetration and quickly executing a prepared response.
Consider establishing monitoring programs in the following five key places:
1) Watch IP traffic on ICS boundaries for abnormal or suspicious communications.
2) Monitor IP traffic within the control network for malicious connections or content.
3) Use host-based products to detect malicious software and attack attempts.
4) Use login analysis (time and place for example) to detect stolen credential usage or
improper access, verifying all anomalies with quick phone calls.
5) Watch account/user administration actions to detect access control manipulation.
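The fourth monitoring point above, login analysis by time and place, is small enough to show end to end. The following is an added example, not code from the paper: it reads a constructed sample of login events (hypothetical users, hosts and addresses), applies site-specific assumptions about approved source subnets and operating hours, and emits the anomalies that the paper says should be verified with a quick phone call.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful/failed logins on control-network hosts
# (hypothetical users, hosts and addresses; one event per line).
SAMPLE_LOG = """\
2016-03-01T08:02:11 user=operator1 src=10.20.5.7 host=HMI-01 result=success
2016-03-01T08:15:40 user=engineer2 src=10.20.6.12 host=EWS-02 result=success
2016-03-01T23:47:05 user=operator1 src=10.20.5.7 host=HMI-01 result=success
2016-03-02T02:13:22 user=svc_historian src=192.168.40.9 host=HIST-01 result=failure
2016-03-02T02:13:30 user=svc_historian src=192.168.40.9 host=HIST-01 result=failure
2016-03-02T02:13:38 user=svc_historian src=192.168.40.9 host=HIST-01 result=success
2016-03-02T09:00:00 user=engineer2 src=10.20.6.12 host=EWS-02 result=success
2016-03-02T09:04:00 user=engineer2 src=172.16.99.3 host=EWS-02 result=success
"""

# Site-specific assumptions: the subnets operators and engineers log in from,
# the hours during which interactive logins are expected, and how close in time
# two logins from different places must be to look like a shared credential.
APPROVED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]
OPERATING_HOURS = (6, 22)          # 06:00 <= hour < 22:00, local time
SAME_ACCOUNT_WINDOW = timedelta(minutes=10)
FAILURE_WINDOW = timedelta(minutes=5)


def parse_line(line: str) -> dict:
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.fromisoformat(timestamp)
    event["src"] = ipaddress.ip_address(event["src"])
    return event


def analyze(log_text: str) -> list:
    """Return (time, user, message) alerts for logins that warrant a phone call."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    last_success = {}                 # user -> (time, src) of previous success
    failures = defaultdict(list)      # user -> times of failed attempts
    for ev in events:
        user, t, src = ev["user"], ev["time"], ev["src"]
        if ev["result"] != "success":
            failures[user].append(t)
            continue
        # Place: success from outside the subnets this account should use.
        if not any(src in net for net in APPROVED_SOURCES):
            alerts.append((t, user, f"login from unapproved source {src}"))
        # Time: interactive account active outside operating hours
        # (service accounts, prefixed svc_ here, would get their own profile).
        if not user.startswith("svc_") and not (OPERATING_HOURS[0] <= t.hour < OPERATING_HOURS[1]):
            alerts.append((t, user, f"login at {t:%H:%M} outside operating hours"))
        # Same account from two different sources within a short window.
        if user in last_success:
            prev_t, prev_src = last_success[user]
            if prev_src != src and t - prev_t <= SAME_ACCOUNT_WINDOW:
                alerts.append((t, user, f"second source {src} within {SAME_ACCOUNT_WINDOW} of {prev_src}"))
        # Success right after repeated failures: guessing, or a stolen password tried until it fits.
        recent = [ft for ft in failures[user] if t - ft <= FAILURE_WINDOW]
        if len(recent) >= 2:
            alerts.append((t, user, f"success after {len(recent)} failures in {FAILURE_WINDOW}"))
        last_success[user] = (t, src)
    return alerts


if __name__ == "__main__":
    for t, user, msg in analyze(SAMPLE_LOG):
        print(f"{t:%Y-%m-%d %H:%M} {user:14} {msg}")
```

On the sample data this produces five alerts: an operator active near midnight, a service account succeeding from an unapproved subnet after two failures, and an engineer's account used from two different networks four minutes apart. None of these is proof of compromise on its own, which is exactly why the paper pairs the detection with a phone call rather than an automatic lockout that could take an operator off a running process.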
Have a response plan for when adversarial activity is detected. Such a plan may include
disconnecting all Internet connections, running a properly scoped search for malware, disabling
affected user accounts, isolating suspect systems, and an immediate 100 percent password reset.
Such a plan may also define escalation triggers and actions, including incident response,
investigation, and public affairs activities.
Have a restoration plan, including having “gold disks” ready to restore systems to known good
states.
Example: Attackers render Windows®-based devices (d) in a control network inoperative by
wiping hard drive contents. Recent attacks against Saudi Aramco™ (e) and Sony Pictures
demonstrate that quick restoration of such computers is key to restoring an attacked network
to an operational state.
CONCLUSION
Defense against the modern threat requires applying measures to protect not only the perimeter
but also the interior. While no system is 100 percent secure, implementing the seven key
strategies discussed in this paper can greatly improve the security posture of ICSs.
DISCLAIMER
The information and opinions contained in this document are provided “as is” and without any
warranties or guarantees. Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favoring by the United States Government, and this guidance
shall not be used for advertising or product endorsement purposes.
ACKNOWLEDGMENT
This document “Seven Steps to Effectively Defend Industrial Control Systems” was written in
collaboration, with contributions from subject matter experts working at the Department of
Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the National Security
Agency (NSA).
d. Windows® is a registered trademark of Microsoft Corp.
e. Saudi Aramco™ is an unregistered trademark of Saudi Arabian Oil Company.
CONTACT INFORMATION
Department of Homeland Security, ICS-CERT: phone 877-776-7585, e-mail ICS-CERT@HQ.DHS.GOV
Federal Bureau of Investigation, Cyber Division - CyWatch: phone 855-292-3937, e-mail CyWatch@ic.fbi.gov
National Security Agency (Industry), Industry Inquiries: phone 410-854-6091, e-mail bao@nsa.gov
National Security Agency (Government), IAD Client Contact Center: phone 410-854-4200, e-mail IAD CCC@nsa.gov
MPA 210 :Civil Society Organization.pptx
Jo Balucanag - Bitonio
 
MPA 210 : MANAGEMENT CONCEPTS .pptx
MPA   210  :  MANAGEMENT CONCEPTS  .pptxMPA   210  :  MANAGEMENT CONCEPTS  .pptx
MPA 210 : MANAGEMENT CONCEPTS .pptx
Jo Balucanag - Bitonio
 

Recently uploaded (20)

Penal code eng original of the Cameroon Government.pdf
Penal code eng original  of the Cameroon Government.pdfPenal code eng original  of the Cameroon Government.pdf
Penal code eng original of the Cameroon Government.pdf
 
Political polarization: threat to international cooperation.
Political polarization:  threat to international cooperation.Political polarization:  threat to international cooperation.
Political polarization: threat to international cooperation.
 
In Oakmoor ^%[+27633867063*Abortion Pills For Sale In Oakmoor Mesina
In Oakmoor  ^%[+27633867063*Abortion Pills For Sale In Oakmoor MesinaIn Oakmoor  ^%[+27633867063*Abortion Pills For Sale In Oakmoor Mesina
In Oakmoor ^%[+27633867063*Abortion Pills For Sale In Oakmoor Mesina
 
In Johannesburg ^%[+27633867063*Abortion Pills For Sale In Johannesburg Hazy...
In Johannesburg  ^%[+27633867063*Abortion Pills For Sale In Johannesburg Hazy...In Johannesburg  ^%[+27633867063*Abortion Pills For Sale In Johannesburg Hazy...
In Johannesburg ^%[+27633867063*Abortion Pills For Sale In Johannesburg Hazy...
 
The Bellingcat Annual Report for the year 2023
The Bellingcat Annual Report for the year 2023The Bellingcat Annual Report for the year 2023
The Bellingcat Annual Report for the year 2023
 
International Corporation is based on signed treaty
International Corporation is based on signed treatyInternational Corporation is based on signed treaty
International Corporation is based on signed treaty
 
In BLOEMFONTEIN ^%[+27633867063*Abortion Pills For Sale In BLOEMFONTEIN Mada...
In BLOEMFONTEIN  ^%[+27633867063*Abortion Pills For Sale In BLOEMFONTEIN Mada...In BLOEMFONTEIN  ^%[+27633867063*Abortion Pills For Sale In BLOEMFONTEIN Mada...
In BLOEMFONTEIN ^%[+27633867063*Abortion Pills For Sale In BLOEMFONTEIN Mada...
 
Malviya Nagar @ℂall @Girls ꧁❤ 9873777170 ❤꧂Glamorous sonam Mehra Top Model Safe
Malviya Nagar @ℂall @Girls ꧁❤ 9873777170 ❤꧂Glamorous sonam Mehra Top Model SafeMalviya Nagar @ℂall @Girls ꧁❤ 9873777170 ❤꧂Glamorous sonam Mehra Top Model Safe
Malviya Nagar @ℂall @Girls ꧁❤ 9873777170 ❤꧂Glamorous sonam Mehra Top Model Safe
 
How the Military’s Basic Allowance for Housing Compares With Civilian Housing...
How the Military’s Basic Allowance for Housing Compares With Civilian Housing...How the Military’s Basic Allowance for Housing Compares With Civilian Housing...
How the Military’s Basic Allowance for Housing Compares With Civilian Housing...
 
Beyond Rhetoric: Youth-led Solutions for a Sustainable and Just Energy Transi...
Beyond Rhetoric: Youth-led Solutions for a Sustainable and Just Energy Transi...Beyond Rhetoric: Youth-led Solutions for a Sustainable and Just Energy Transi...
Beyond Rhetoric: Youth-led Solutions for a Sustainable and Just Energy Transi...
 
Advancing-Womens-Leadership-in-Conflict-Resolution-ID-.pdf
Advancing-Womens-Leadership-in-Conflict-Resolution-ID-.pdfAdvancing-Womens-Leadership-in-Conflict-Resolution-ID-.pdf
Advancing-Womens-Leadership-in-Conflict-Resolution-ID-.pdf
 
In BELA-BELA ^%[+27633867063*Abortion Pills For Sale In BELA-BELA Oakmoor
In BELA-BELA  ^%[+27633867063*Abortion Pills For Sale In BELA-BELA OakmoorIn BELA-BELA  ^%[+27633867063*Abortion Pills For Sale In BELA-BELA Oakmoor
In BELA-BELA ^%[+27633867063*Abortion Pills For Sale In BELA-BELA Oakmoor
 
Protection and referral for CBP members.ppt
Protection and referral for CBP members.pptProtection and referral for CBP members.ppt
Protection and referral for CBP members.ppt
 
In Madadeni [(+27633867063*)] 🏥 Abortion Pills For Sale in Madadeni ● Women's...
In Madadeni [(+27633867063*)] 🏥 Abortion Pills For Sale in Madadeni ● Women's...In Madadeni [(+27633867063*)] 🏥 Abortion Pills For Sale in Madadeni ● Women's...
In Madadeni [(+27633867063*)] 🏥 Abortion Pills For Sale in Madadeni ● Women's...
 
The Bank of Punjab. DigiBop Internet Banking. Discounts & Offers
The Bank of Punjab. DigiBop Internet Banking. Discounts & OffersThe Bank of Punjab. DigiBop Internet Banking. Discounts & Offers
The Bank of Punjab. DigiBop Internet Banking. Discounts & Offers
 
In MOFOLO ^%[+27633867063*Abortion Pills For Sale In MOFOLO ORANGE_FARM
In MOFOLO  ^%[+27633867063*Abortion Pills For Sale In MOFOLO ORANGE_FARMIn MOFOLO  ^%[+27633867063*Abortion Pills For Sale In MOFOLO ORANGE_FARM
In MOFOLO ^%[+27633867063*Abortion Pills For Sale In MOFOLO ORANGE_FARM
 
Session 4 - Digitalisation - Presentation.pdf
Session 4 - Digitalisation - Presentation.pdfSession 4 - Digitalisation - Presentation.pdf
Session 4 - Digitalisation - Presentation.pdf
 
BacharLorai (BL) Impact Report 2023-2024
BacharLorai (BL) Impact Report 2023-2024BacharLorai (BL) Impact Report 2023-2024
BacharLorai (BL) Impact Report 2023-2024
 
MPA 210 :Civil Society Organization.pptx
MPA 210 :Civil Society Organization.pptxMPA 210 :Civil Society Organization.pptx
MPA 210 :Civil Society Organization.pptx
 
MPA 210 : MANAGEMENT CONCEPTS .pptx
MPA   210  :  MANAGEMENT CONCEPTS  .pptxMPA   210  :  MANAGEMENT CONCEPTS  .pptx
MPA 210 : MANAGEMENT CONCEPTS .pptx
 

CISA GOV - Seven Steps to Effectively Defend ICS

If system owners had implemented the strategies outlined in this paper, 98 percent of incidents ICS-CERT responded to in FY 2014 and FY 2015 would have been prevented. The remaining 2 percent could have been identified with increased monitoring and a robust incident response.

THE SEVEN STRATEGIES

1. IMPLEMENT APPLICATION WHITELISTING

Application Whitelisting (AWL) can detect and prevent attempted execution of malware uploaded by adversaries. The static nature of some systems, such as database servers and human-machine interface (HMI) computers, makes these ideal candidates to run AWL. Operators are encouraged to work with their vendors to baseline and calibrate AWL deployments.

Example: ICS-CERT recently responded to an incident where the victim had to rebuild the network from scratch at great expense. A particular malware compromised over 80 percent of its assets. Antivirus software was ineffective; the malware had a 0 percent detection rate on VirusTotal. AWL would have provided notification and blocked the malware execution.

2. ENSURE PROPER CONFIGURATION/PATCH MANAGEMENT

Adversaries target unpatched systems. A configuration/patch management program centered on the safe importation and implementation of trusted patches will help keep control systems more secure. Such a program will start with an accurate baseline and asset inventory to track what patches are needed. It will prioritize patching and configuration management of “PC-architecture” machines used in HMI, database server, and engineering workstation roles, as current adversaries have significant cyber capabilities against these. Infected laptops are a significant malware vector. Such a program will limit connection of external laptops to the control network and preferably supply vendors with known-good company laptops. The program will also encourage initial installation of any updates onto a test system that includes malware detection features before the updates are installed on operational systems.

Example: ICS-CERT responded to a Stuxnet infection at a power generation facility. The root cause of the infection was a vendor laptop.

Use best practices when downloading software and patches destined for your control network. Take measures to avoid “watering hole” attacks. Use a web Domain Name System (DNS) reputation system. Get updates from authenticated vendor sites. Validate the authenticity of downloads. Insist that vendors digitally sign updates, and/or publish hashes via an out-of-band communications path, and use these to authenticate. Don’t load updates from unverified sources.

Example: HAVEX spread by infecting patches. With an out-of-band communication path for patch hashes, such as a blast email, users could have validated that the patches were not authentic.

3. REDUCE YOUR ATTACK SURFACE AREA

Isolate ICS networks from any untrusted networks, especially the Internet.[b] Lock down all unused ports. Turn off all unused services. Only allow real-time connectivity to external networks if there is a defined business requirement or control function. If one-way communication can accomplish a task, use optical separation (“data diode”). If bidirectional communication is necessary, then use a single open port over a restricted network path.

Example: As of 2014, ICS-CERT was aware of 82,000 cases of industrial control systems hardware or software directly accessible from the public Internet. ICS-CERT has encountered numerous cases where direct or nearly direct Internet access enabled a breach. Examples include a US crime lab, a dam, the Sochi Olympic stadium, and numerous water utilities.

4. BUILD A DEFENDABLE ENVIRONMENT

Limit damage from network perimeter breaches. Segment networks into logical enclaves and restrict host-to-host communications paths. This can stop adversaries from expanding their access, while letting the normal system communications continue to operate. Enclaving limits possible damage, as compromised systems cannot be used to reach and contaminate systems in other enclaves. Containment provided by enclaving also makes incident cleanup significantly less costly.[c]

b. ICS-ALERT-14-063-01AP, Multiple Reports of Internet Facing Control Systems, ICS-CERT 2015.
c. Improving Industrial Control Systems Cybersecurity with Defense in Depth, ICS-CERT 2009.
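The out-of-band hash validation recommended under strategy 2 (the HAVEX example), as an added example that is not code from the paper or any vendor. It assumes the vendor distributes a sha256sum-style manifest over a separate channel such as a blast email; the installer bytes and file names are constructed stand-ins.

```python
"""Validate downloaded patches against hashes received out-of-band (strategy 2).

Added example, not from the CISA paper. Assumption: the vendor publishes a
'<sha256>  <filename>' manifest over a separate channel, so a trojanized file
on a compromised download site will not match the hash the vendor mailed.
"""
import hashlib
import hmac
import re

_MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> str:
    """What the vendor sends out-of-band: one '<sha256>  <filename>' line per file."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in files.items())


def parse_manifest(text: str) -> dict[str, str]:
    """Map filename -> expected SHA-256 (lowercase hex); '#' lines are comments."""
    expected: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def verify_patch(name: str, data: bytes, manifest: dict[str, str]) -> tuple[bool, str]:
    """Decide whether a download may be staged onto the malware-scanning test system.

    A file with no published hash is rejected rather than trusted by default, and
    the digest comparison is constant-time.
    """
    if name not in manifest:
        return False, "no out-of-band hash published for this file"
    if not hmac.compare_digest(sha256_hex(data), manifest[name]):
        return False, "hash mismatch: download differs from vendor-published hash"
    return True, "hash matches out-of-band value"


# Constructed scenario: the genuine installer, and the same bytes with extra
# content appended, standing in for a patch altered on the download site.
GENUINE = b"hmi_update 3.2.1 (constructed sample installer bytes)"
TROJANIZED = GENUINE + b"\x00APPENDED_CONTENT"
OOB_MANIFEST = "# received by email, not from the portal\n" + build_manifest(
    {"hmi_update_3.2.1.exe": GENUINE}
)


def demo() -> dict[str, bool]:
    manifest = parse_manifest(OOB_MANIFEST)
    return {
        "genuine": verify_patch("hmi_update_3.2.1.exe", GENUINE, manifest)[0],
        "trojanized": verify_patch("hmi_update_3.2.1.exe", TROJANIZED, manifest)[0],
        "unlisted": verify_patch("plc_firmware.bin", GENUINE, manifest)[0],
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'stage to test system' if ok else 'REJECT'}")
```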
Example: In one ICS-CERT case, a nuclear asset owner failed to scan media entering a Level 3 facility. On exit, the media was scanned, and a virus was detected. Because the asset owner had implemented logical enclaving, only six systems were put at risk and had to be remediated. Had enclaving not been implemented, hundreds of hosts would have needed to be remediated.

If one-way data transfer from a secure zone to a less secure zone is required, consider using approved removable media instead of a network connection. If real-time data transfer is required, consider using optical separation technologies. This allows replication of data without putting the control system at risk.

Example: In one ICS-CERT case, a pipeline operator had directly connected the corporate network to the control network, because the billing unit had asserted it needed metering data. After being informed of a breach by ICS-CERT, the asset owner removed the connection. It took the billing department 4 days to notice the connection had been lost, clearly demonstrating that real-time data were not needed.

5. MANAGE AUTHENTICATION

Adversaries are increasingly focusing on gaining control of legitimate credentials, especially those associated with highly privileged accounts. Compromising these credentials allows adversaries to masquerade as legitimate users, leaving less evidence than exploiting vulnerabilities or executing malware. Implement multi-factor authentication where possible. Reduce privileges to only those needed for a user’s duties. If passwords are necessary, implement secure password policies stressing length over complexity. For all accounts, including system and non-interactive accounts, ensure credentials are unique, and change all passwords at least every 90 days. Require separate credentials for corporate and control network zones and store these in separate trust stores. Never share Active Directory, RSA ACE servers, or other trust stores between corporate and control networks.

Example: One US Government agency used the same password across the environment for local administrator accounts. This allowed an adversary to easily move laterally across all systems.

6. IMPLEMENT SECURE REMOTE ACCESS

Some adversaries are effective at gaining remote access into control systems, finding obscure access vectors, even “hidden back doors” intentionally created by system operators. Remove such accesses wherever possible, especially modems as these are fundamentally insecure. Limit any accesses that remain. Where possible, implement “monitoring only” access enforced by data diodes, and do not rely on “read only” access enforced by software configurations or permissions. Do not allow remote persistent vendor connections into the control network. Require any remote access be operator controlled, time limited, and procedurally similar to “lock out, tag out.” Use the same remote access paths for vendor and employee connections; don’t allow double standards. Use two-factor authentication if possible, avoiding schemes where both tokens are similar types and can be easily stolen (e.g., password and soft certificate).

Example: Following these guidelines would have prevented the BlackEnergy intrusions. BlackEnergy required communications paths for initial compromise, installation and “plug in” installation.

7. MONITOR AND RESPOND

Defending a network against modern threats requires actively monitoring for adversarial penetration and quickly executing a prepared response. Consider establishing monitoring programs in the following five key places:

1) Watch IP traffic on ICS boundaries for abnormal or suspicious communications.
2) Monitor IP traffic within the control network for malicious connections or content.
3) Use host-based products to detect malicious software and attack attempts.
4) Use login analysis (time and place for example) to detect stolen credential usage or improper access, verifying all anomalies with quick phone calls.
5) Watch account/user administration actions to detect access control manipulation.

Have a response plan for when adversarial activity is detected. Such a plan may include disconnecting all Internet connections, running a properly scoped search for malware, disabling affected user accounts, isolating suspect systems, and an immediate 100 percent password reset. Such a plan may also define escalation triggers and actions, including incident response, investigation, and public affairs activities. Have a restoration plan, including having “gold disks” ready to restore systems to known good states.
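Login analysis and account-administration monitoring (items 4 and 5 of strategy 7), as an added example that is not code from the paper. The log line format, the control and corporate address ranges, the approved maintenance hours and the log entries themselves are constructed assumptions; each alert is meant to be verified by the quick phone call the paper describes.

```python
"""Login and account-administration analysis for a control network (strategy 7).

Added example, not from the CISA paper. Assumed inputs: one key=value log
line per event with an ISO-8601 UTC timestamp, an assumed control-zone range,
an assumed corporate-zone range, and assumed operator-approved hours.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

CONTROL_ZONE = ip_network("10.10.0.0/16")     # assumed control network range
CORPORATE_ZONE = ip_network("10.20.0.0/16")   # assumed corporate network range
APPROVED_HOURS = (8, 18)                      # assumed maintenance window, UTC
SOURCE_CHANGE_LIMIT = timedelta(minutes=10)   # same account from two sources
ADMIN_EVENTS = {"group_add", "user_create", "password_reset", "privilege_grant"}


def parse_line(line: str) -> dict:
    """'2016-03-02T09:15:02Z host=HMI-01 event=logon user=a src=1.2.3.4 result=success'."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def analyze(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, alert_code) for entries an analyst should verify."""
    alerts: list[tuple[str, str, str]] = []
    last_success: dict[str, tuple[datetime, object]] = {}
    for rec in map(parse_line, lines):
        ts, user, stamp = rec["ts"], rec.get("user", "?"), rec["ts"].isoformat()
        if rec["event"] == "logon" and rec.get("result") == "success":
            src = ip_address(rec["src"])
            # Place: control-zone hosts must not be reached with corporate-side logons.
            if src in CORPORATE_ZONE or src not in CONTROL_ZONE:
                alerts.append((stamp, user, "cross_zone"))
            # Time: interactive logons outside the operator-approved window.
            if not APPROVED_HOURS[0] <= ts.hour < APPROVED_HOURS[1]:
                alerts.append((stamp, user, "off_hours"))
            # One account from two sources in quick succession: possible stolen credential.
            prev = last_success.get(user)
            if prev and prev[1] != src and ts - prev[0] <= SOURCE_CHANGE_LIMIT:
                alerts.append((stamp, user, "multi_source"))
            last_success[user] = (ts, src)
        elif rec["event"] in ADMIN_EVENTS:
            # Any access-control change is reviewed against an approved change record.
            alerts.append((stamp, user, "admin_action"))
    return alerts


# Constructed log entries, in time order.
SAMPLE_LOG = [
    "2016-03-02T02:41:11Z host=ENG-WS1 event=logon user=vendor_svc src=10.10.5.30 result=success",
    "2016-03-02T02:42:30Z host=DC-01 event=group_add user=vendor_svc group=Administrators by=vendor_svc",
    "2016-03-02T09:15:02Z host=HMI-01 event=logon user=operator1 src=10.10.5.23 result=success",
    "2016-03-02T09:17:45Z host=HMI-02 event=logon user=operator1 src=10.20.7.9 result=success",
    "2016-03-02T10:05:00Z host=HMI-01 event=logon user=operator2 src=10.10.5.40 result=failure",
]

if __name__ == "__main__":
    for stamp, user, code in analyze(SAMPLE_LOG):
        print(f"{stamp} {user:<12} {code}  -> verify by phone")
```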
Example: Attackers render Windows®[d]-based devices in a control network inoperative by wiping hard drive contents. Recent attacks against Saudi Aramco™[e] and Sony Pictures demonstrate that quick restoration of such computers is key to restoring an attacked network to an operational state.

CONCLUSION

Defense against the modern threat requires applying measures to protect not only the perimeter but also the interior. While no system is 100 percent secure, implementing the seven key strategies discussed in this paper can greatly improve the security posture of ICSs.

DISCLAIMER

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

ACKNOWLEDGMENT

This document “Seven Steps to Effectively Defend Industrial Control Systems” was written in collaboration, with contributions from subject matter experts working at the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA).

d. Windows® is a registered trademark of Microsoft Corp.
e. Saudi Aramco™ is an unregistered trademark of Saudi Arabian Oil Company.

CONTACT INFORMATION

POC: Department of Homeland Security, ICS-CERT. Phone: 877-776-7585. e-Mail: ICS-CERT@HQ.DHS.GOV
POC: Federal Bureau of Investigation, Cyber Division - CyWatch. Phone: 855-292-3937. e-Mail: CyWatch@ic.fbi.gov
POC: National Security Agency (Industry), Industry Inquiries. Phone: 410-854-6091. e-Mail: bao@nsa.gov
POC: National Security Agency (Government), IAD Client Contact Center. Phone: 410-854-4200. e-Mail: IAD CCC@nsa.gov