Post on 05-Feb-2021
Kenath Carver
Manager, CIP Compliance Monitoring
CIP Malicious Code
2
November 18, 2020
Antitrust Admonition
Texas Reliability Entity, Inc. (Texas RE) strictly prohibits persons
participating in Texas RE activities from using their participation as a
forum for engaging in practices or communications that violate
antitrust laws. Texas RE has approved antitrust guidelines available on
its website. If you believe that antitrust laws have been violated at a
Texas RE meeting, or if you have any questions about the antitrust
guidelines, please contact the Texas RE General Counsel.
Notice of this meeting was posted on the Texas RE website and the
open portion of this meeting is being held in public. Participants should
keep in mind that the listening audience may include members of the
press, representatives from various governmental authorities, and
industry stakeholders.
THREATS + VULNERABILITIES = RISKS
Reliability & Security
Compliance Controls
Risks
• Advanced Persistent Threat
• Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)
• Malicious Code and Communications
• SQL Injection
• Malware
• Virus
• Trojan
• Spyware
• Ransomware
• Worm
• Social Engineering
• BlackEnergy
• Stuxnet
• Spectre
• Cryptolocker
• WannaCry
• Spear Phishing
• Dragonfly
• OilRig
• Sandworm
Industrial Control Systems
• Programmable Logic Controllers
• Distributed Control Systems
• Supervisory Control and Data Acquisition
• Remote Terminal Units
• Human-Machine Interface
• Intelligent Electronic Devices
• Data Historian
• Relays
• Communication Processors
Lockheed Martin - The Cyber Kill Chain®
• Reconnaissance
• Weaponization
• Delivery
• Exploitation
• Installation
• Command & Control
• Actions on Objectives
The MITRE Corporation (MITRE) - ATT&CK®
• Initial Access
• Execution
• Persistence
• Evasion
• Discovery
• Lateral Movement
• Collection
• Command and Control
• Inhibit Response Function
• Impair Process Control
• Impact
The Cyber Kill Chain® versus ATT&CK®
The Cyber Kill Chain®
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Actions on Objectives
ATT&CK®
1. Initial Access
2. Execution
3. Persistence
4. Evasion
5. Discovery
6. Lateral Movement
7. Collection
8. Command and Control
9. Inhibit Response Function
10. Impair Process Control
11. Impact
ATT&CK® for Industrial Control Systems
Initial Access
• Data Historian Compromise
• Drive-by Compromise
• Engineering Workstation Compromise
• Exploit Public-Facing Application
• External Remote Services
• Internet Accessible Device
• Replication through Removable Media
• Spear Phishing Attachment
• Supply Chain Compromise
• Wireless Compromise
CIP-003-8; CIP-005-6
• Network segmentation
CIP-007-6
• Host-based Firewall
• Security Patch Management
• Antivirus protection
• White-listing
• Security Event Logs
• Authentication
CIP-010-3
• Vulnerability assessments
CIP-013-1
• Supply Chain Risk Management
ATT&CK® for Industrial Control Systems
Execution
• Change Program State
• Command-Line Interface
• Execution through API
• Graphical User Interface
• Man in the Middle
• Program Organization Units
• Project File Infection
• Scripting
• User Execution
CIP-004-6
• Access Management
CIP-003-8; CIP-005-6
• IDS/IPS
CIP-007-6
• Authentication
CIP-010-3
• Baseline Configuration
• Baseline Monitoring
ATT&CK® for Industrial Control Systems
Persistence
• Hooking
• Module Firmware
• Program Download
• Project File Infection
• System Firmware
• Valid Accounts
CIP-004-6
• Account privileges auditing
CIP-003-8; CIP-005-6
• Network Segmentation
• Inbound and outbound permissions
CIP-010-3
• Software and security patch authenticity and integrity
ATT&CK® for Industrial Control Systems
Evasion
• Exploitation for Evasion
• Indicator Removal on Host
• Masquerading
• Rogue Master Device
• Rootkit
• Spoof Reporting Message
• Utilize/Change Operating Mode
CIP-007-6
• Security Patch Management
• Antivirus protection
• White-listing
CIP-010-3
• Baseline Configuration
• Baseline Monitoring
• Software and security patch authenticity and integrity
ATT&CK® for Industrial Control Systems
Discovery
• Control Device Identification
• I/O Module Discovery
• Network Connection Enumeration
• Network Service Scanning
• Network Sniffing
• Remote System Discovery
• Serial Connection Enumeration
CIP-003-8; CIP-005-6
• Network Segmentation
• Multi-factor Authentication
CIP-012-1
• Encrypt Network Traffic
ATT&CK® for Industrial Control Systems
Lateral Movement
• Default Credentials
• Exploitation of Remote Services
• External Remote Services
• Program Organization Units
• Remote File Copy
• Valid Accounts
CIP-004-6
• Access Management
CIP-005-6
• Network Segmentation
CIP-007-6
• White-listing Software
• Security Patch Management
• Password Policies
CIP-010-3
• Monitoring Baselines
• Vulnerability Scanning
• Software and security patch authenticity and integrity
ATT&CK® for Industrial Control Systems
Collection
• Automated Collection
• Data from Information Repositories
• Detect Operating Mode
• Detect Program State
• I/O Image
• Location Identification
• Monitor Process State
• Point & Tag Identification
• Program Upload
• Role Identification
• Screen Capture
CIP-005-6
• Network Segmentation
• Inbound and outbound permissions
CIP-004-6
• Personnel Training
• Access Management
CIP-007-6
• Authentication
• Password Policies
CIP-011-2
• Information Protection
• Encryption
ATT&CK® for Industrial Control Systems
Command and Control
• Commonly Used Port
• Connection Proxy
• Standard Application Layer Protocol
CIP-005-6
• Network Segmentation
• IDS/IPS
CIP-007-6
• Ports and Services
ATT&CK® for Industrial Control Systems
Inhibit Response Function
• Activate Firmware Update Mode
• Alarm Suppression
• Block Command Message
• Block Reporting Message
• Block Serial COM
• Data Destruction
• Denial of Service
• Device Restart/Shutdown
• Manipulate I/O Image
• Modify Alarm Settings
• Modify Control Logic
• Program Download
• Rootkit
• System Firmware
• Utilize/Change Operating Mode
CIP-004-6
• Access Management
CIP-005-6
• Network Segmentation
• Inbound and outbound permissions
CIP-007-6
• Authentication
ATT&CK® for Industrial Control Systems
Impair Process Control
• Brute Force I/O
• Change Program State
• Masquerading
• Modify Control Logic
• Modify Parameter
• Module Firmware
• Program Download
• Rogue Master Device
• Service Stop
• Spoof Reporting Message
• Unauthorized Command Message
CIP-004-6
• Account Management
CIP-005-6
• Network Segmentation
CIP-007-6
• White-listing
CIP-010-3
• Baseline Monitoring
ATT&CK® for Industrial Control Systems
Impact
• Damage to Property
• Denial of Control
• Denial of View
• Loss of Availability
• Loss of Control
• Loss of Productivity and Revenue
• Loss of Safety
• Loss of View
• Manipulation of Control
• Manipulation of View
• Theft of Operational Information
CIP-008-6
• Identification, classification, and response to Cyber Security Incidents.
CIP-009-6
• Redundancy
• Backup and Recovery
CIP-011-2
• Data loss prevention
• Encryption
ATT&CK® for Industrial Control Systems
Audit
• Processes, Procedures, Plans, etc.
• Network Traffic
• Blocked and allowed communications
• Access and Privileges
• Security Event Logs
• Baselines
• Internet Access
• Wireless
• Network Interface Cards
• Vulnerability Assessments
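The "Baselines" audit item above, and the CIP-010-3 Baseline Monitoring control cited on the Execution, Evasion, Lateral Movement and Impair Process Control slides, amount to one check: compare what is running on a BES Cyber Asset against its documented baseline and flag every difference. The following is an added example, not code from the Texas RE deck; the five baseline elements are those named in CIP-010-3 R1 Part 1.1, while the asset, software names, ports and patch identifiers are constructed placeholders.

```python
# Added example (not from the Texas RE deck): a CIP-010-3 style baseline
# comparison for one BES Cyber Asset. The five elements follow CIP-010-3
# R1 Part 1.1; every value below is a constructed placeholder.

BASELINE_ELEMENTS = ("os_firmware", "commercial_software", "custom_software",
                     "network_ports", "security_patches")

# Constructed, documented baseline for a hypothetical HMI host.
BASELINE = {
    "os_firmware": {"Windows Server 2016 build PLACEHOLDER"},
    "commercial_software": {"Acme HMI 5.2", "Vendor AV 12.1"},
    "custom_software": {"alarm_export.ps1 sha256:PLACEHOLDER"},
    "network_ports": {"tcp/3389", "tcp/443", "tcp/502"},
    "security_patches": {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"},
}

# Constructed observed state, as an inventory agent might report it:
# one new package, one new listening port, one patch no longer present.
OBSERVED = {
    "os_firmware": {"Windows Server 2016 build PLACEHOLDER"},
    "commercial_software": {"Acme HMI 5.2", "Vendor AV 12.1", "RemoteAdmin Tool 3.0"},
    "custom_software": {"alarm_export.ps1 sha256:PLACEHOLDER"},
    "network_ports": {"tcp/3389", "tcp/443", "tcp/502", "tcp/8080"},
    "security_patches": {"KB-PLACEHOLDER-1"},
}


def baseline_deviations(baseline, observed):
    """Return {element: (added, removed)} for every element that differs.

    A missing element is treated as an empty set, so a report that omits
    a category still surfaces everything the baseline expected there.
    Keys outside the five CIP-010-3 elements are reported under
    "unknown_elements" rather than silently ignored."""
    deviations = {}
    for element in BASELINE_ELEMENTS:
        expected = set(baseline.get(element, ()))
        actual = set(observed.get(element, ()))
        added, removed = actual - expected, expected - actual
        if added or removed:
            deviations[element] = (sorted(added), sorted(removed))
    extra = (set(baseline) | set(observed)) - set(BASELINE_ELEMENTS)
    if extra:
        deviations["unknown_elements"] = (sorted(extra), [])
    return deviations


def is_compliant(baseline, observed):
    """True only when the observed state matches the baseline exactly."""
    return not baseline_deviations(baseline, observed)
```

Each reported deviation is either an authorized change that needs its CIP-010-3 change record and baseline update, or an unauthorized one that feeds the CIP-008-6 incident process; a removed security patch is as much a deviation as an added port.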
Resources
• https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
The Cyber Kill Chain®
• https://attack.mitre.org/matrices/enterprise/
MITRE ATT&CK®
• https://cve.mitre.org/cve/
MITRE CVE List Home
• https://nvd.nist.gov/
NIST National Vulnerability Database
Resources
• https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities
• https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
E-ISAC SANS Ukrainian Attack Report
• https://www.ferc.gov/sites/default/files/2020-09/FERC%26NERC_CYPRES_Report.pdf
2020 FERC, NERC and REs Report: Cyber Planning for Response and Recovery Study (CYPRES)
Questions?