2015 ISA Calgary Show: IACS Cyber Incident Preparation
Transcript of 2015 ISA Calgary Show: IACS Cyber Incident Preparation
IACS CYBER INCIDENT PREPARATION
by Austin Scott, GICSP, SSCP
Project and Services Delivery Manager, Cimation Canada
Industrial Cyber Security Challenges
Cyber Incident Defined
Disruption in electronic communications between systems, or between systems and people, that impacts:
1. Confidentiality,
2. Integrity, and/or
3. Availability.
Incident Response Framework
P.I.C.E.R.L. Lifecycle
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Remediation
6. Lessons Learned
• Mitigation of Risk
• Reduce Impact
• Save Time
Cyber Incident Industry Trends
[Charts: incidents per year and vulnerabilities per year, 2011 to 2014; incidents by industry (Energy 32%); attack vectors (Unknown 40%)]
Life Cycle Approach to Incident Management
People
Cyber Drills
• Add a cyber element to existing ERP / safety drills
Educate Community
• Policies
• Identification
• Escalation
Assign a Team
• Senior Management
• Industrial IT / Programmer / MCSE
• Operations
• Communications Manager
• Legal Representation
Process
Who to Contact, Escalation, Incident Logging
Identification
Classification
Intent
Technology
Network Diagram and Asset Inventory
Enable and Protect Network and Windows Event Logging
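The two Technology items above, the asset inventory and protected Windows event logging, can be checked against each other during the Preparation phase. The following is an added example written for this page, not code from the Cimation deck: it takes a constructed asset inventory (host names and zones are made up) and a constructed export of Windows event records, flags the event IDs that show the logging pipeline itself was cleared, stopped, or had its audit policy or clock changed, and reports inventory hosts that have gone silent and hosts that log but are missing from the inventory. The event IDs are the real Windows IDs for those actions; the one-hour silence threshold is an assumed value.

```python
"""Log-health check for the Preparation phase of an IACS incident-response plan.

Added example (not from the Cimation slides). The asset inventory says which
hosts should be producing Windows event logs; the event feed is checked for
records showing the logging itself was cleared, stopped, or had its audit
policy or clock changed.

Host names, zones and event records below are constructed sample data.
The event IDs are the real Windows event IDs for those actions.
"""
from datetime import datetime, timedelta

# Event IDs whose presence means the log pipeline was altered, not just used.
# 1102, 1100, 4719 and 4616 are Security-channel events; 104 is the System
# channel's own "log file was cleared" record.
TAMPER_EVENT_IDS = {
    1102: "Security audit log was cleared",
    1100: "Event logging service was shut down",
    4719: "System audit policy was changed",
    4616: "System time was changed",
    104: "Event log file was cleared (System channel)",
}

# Constructed asset inventory: host -> IACS zone. Every host listed here is
# expected to forward Windows event logs to the collector.
ASSET_INVENTORY = {
    "HMI-01": "control",
    "HMI-02": "control",
    "HIST-01": "dmz",
    "ENG-WS-01": "control",
}

# Constructed event export: (ISO timestamp, host, channel, event ID, summary).
SAMPLE_EVENTS = [
    ("2015-03-10T08:00:12", "HMI-01", "Security", 4624, "Successful logon"),
    ("2015-03-10T08:05:40", "HIST-01", "Security", 4624, "Successful logon"),
    ("2015-03-10T08:07:03", "HMI-02", "Security", 4624, "Successful logon"),
    ("2015-03-10T09:15:55", "HMI-02", "Security", 4719, "Audit policy changed"),
    ("2015-03-10T09:16:20", "HMI-02", "Security", 1102, "Audit log cleared"),
    ("2015-03-10T10:42:00", "HIST-01", "Security", 4616, "System time changed"),
    ("2015-03-10T10:50:00", "LAPTOP-7", "Security", 4624, "Successful logon"),
    ("2015-03-10T11:30:00", "HMI-01", "Security", 4634, "Logoff"),
    ("2015-03-10T11:45:00", "HIST-01", "Security", 4624, "Successful logon"),
]


def parse_event(record):
    ts, host, channel, event_id, summary = record
    return {"time": datetime.fromisoformat(ts), "host": host,
            "channel": channel, "event_id": int(event_id), "summary": summary}


def find_tamper_events(events):
    """Events whose ID marks the logging pipeline itself as altered."""
    return [e for e in events if e["event_id"] in TAMPER_EVENT_IDS]


def find_silent_hosts(events, inventory, window_end, max_silence=timedelta(hours=1)):
    """Inventory hosts with no event in the last max_silence before window_end.

    Silence can be an outage, but on a control network it is just as likely
    that logging was disabled locally or that forwarding broke, so it is
    reported alongside explicit tamper events. The one-hour default is an
    assumed value; tune it to the site's normal log rate.
    """
    last_seen = {}
    for e in events:
        if e["host"] in inventory:
            prev = last_seen.get(e["host"])
            last_seen[e["host"]] = e["time"] if prev is None else max(prev, e["time"])
    return [h for h in sorted(inventory)
            if h not in last_seen or window_end - last_seen[h] > max_silence]


def find_unknown_hosts(events, inventory):
    """Hosts that emit logs but are not in the inventory: the inventory is
    stale, or something new has been attached to the control network."""
    return sorted({e["host"] for e in events} - set(inventory))


def log_health_report(records, inventory, window_end_iso):
    """Summarise tamper events, silent inventory hosts and unknown hosts."""
    events = [parse_event(r) for r in records]
    window_end = datetime.fromisoformat(window_end_iso)
    return {
        "tamper": [(e["host"], e["event_id"], TAMPER_EVENT_IDS[e["event_id"]])
                   for e in find_tamper_events(events)],
        "silent": find_silent_hosts(events, inventory, window_end),
        "unknown": find_unknown_hosts(events, inventory),
    }


if __name__ == "__main__":
    report = log_health_report(SAMPLE_EVENTS, ASSET_INVENTORY, "2015-03-10T12:00:00")
    for host, eid, desc in report["tamper"]:
        print(f"TAMPER  {host}: event {eid}, {desc}")
    for host in report["silent"]:
        print(f"SILENT  {host}: no events in the last hour; check that logging is enabled and forwarded")
    for host in report["unknown"]:
        print(f"UNKNOWN {host}: sending events but absent from the asset inventory")
```

On the sample data the report flags HMI-02 twice (audit policy changed, then the Security log cleared) and also lists it as silent afterwards, which is the pattern to expect when logging is switched off after a clear; ENG-WS-01 is silent because it never reported at all, and LAPTOP-7 shows the inventory is out of date. In practice the records come from the central collector rather than a list in the script, and the check runs on a schedule so that a break in logging is found before an incident, not during one.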
APPENDIX – 2014 Energy Cyber Incidents

Energetic Bear / Dragonfly Group / Havex / Karagany
WHAT: Systematic targeting of Western energy companies by Russian hackers. Injected a Trojan with remote control capabilities into industrial control systems.
HOW: Spear phishing / Watering hole / Remote Access Tools / Trojans in ICS Software
WHY: Industrial espionage. Industrial sabotage.
IMPACT: Over 1000 energy companies in 84 countries were reported compromised.
WHEN: Reported June 2014. Learn more in Cimation’s report.
Black Energy
WHAT: Russian cyber underground hacking toolkit that provides an advanced Trojan with command and control capabilities. Used to target the users of various Human Machine Interface (HMI) products.
HOW: Targeting GE and Siemens SCADA/HMI products directly connected to the Internet.
WHY: Industrial espionage. Industrial sabotage.
IMPACT: Compromised “numerous” industrial control systems.
WHEN: Reported December 2014
Norwegian Energy Industry Targeted
WHAT: 300 energy companies in Norway were targeted by a sophisticated attack. Largest cyber attack in Norway's history.
HOW: Not publicly disclosed.
WHY: Industrial espionage.
IMPACT: 50 energy companies were reported compromised.
WHEN: Reported August 2014
2014 ICS-CERT Incidents By Industry
Energy 32%
Critical Manufacturing 25%
Other 26%
Healthcare 6%
Government 5%
Water 5%
Nuclear 2%
2014 ICS-CERT Incident Attack Vectors
Unknown 38%
Scanning 22%
Spear Phishing 17%
Misc 23%