Mike Assante Lead for Training for ICS and SCADA SANS Industrial Control We are used to taking the fight to the enemy, but we are entering into an age where it is expected that the enemy will be doing the same.

1. Defending Your Base of Operations
How Industrial Control
Systems are being Targeted
TechNet Augusta 2015

2. Role of Cyber in Conflict?

3. Cyber Statecraft
Russia is using cyber attacks including online network
disruptions, espionage, disinformation and propaganda
activities in the Ukraine conflict.
Iran and North Korea now consider disruptive and destructive
cyberspace operations a valid instrument of statecraft, including
during what the U.S. considers peacetime. These states likely
view cyberspace operations as an effective means of imposing
costs on their adversaries while limiting the likelihood of
damaging reprisals.
Terrorist groups and non-state actors also have shown an interest in cyber attacks but lack
the capability of state-sponsored threats.
The director of the Defense Intelligence Agency, Marine Corps Lt. Gen. Vincent Stewart,
House Armed Services Committee
Feb. 3, 2015

5. Artic Competition Scenario

6. Cyber Espionage & IPB
www.fireye.com
FireEye Threat Intelligence assesses that threat actors
aggressively target strategic industries and government and
military organizations in search of valuable economic, political, or
military intelligence.
• State sponsored threat actors
• Possibility of strategic offensive computer network attacks
“Russia-based threat groups are known to target Nordic
governments and industries that compete with Russia in the
European energy market. Russia and its Arctic Circle
neighbors have overlapping territorial claims and conflicting
interests in the region.”
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-nordic-threat-
landscape.pdf

7. IPB & Espionage: The Patient Warrior?
The patient warrior codex: Do no instantly
recognizable harm today. Maneuver to gain the
advantage and accumulate small victories in time. Act
so not to be perceived as striking. All the time learning,
taking, and eventually formulating a decisive blow.
Is IPB the cyber equivalent of the Battle of Ilipa in 206 BC?
Day after day, the battle lines formed up as both sides sized each other up. One side was
being lulled by the routine, while the other was learning and formulating their attack. Each
day the Carthaginian force took the field, Scipio was taking away something valuable from
them...until he understood their critical weakness
…and on any given day we may wake to a surprise as the opponent’s line draws down with
the full benefit of knowing us

8. What Has Changed?
The value-driven business model of targeted cyber attack.

9. Installation ‘ICS’ Susceptibility

10. Dangerous Seas - Behind?
OPM Espionage
Havex
Black Energy
APT1 Energy Campaign
German Iron Works

11. Tip of the Iceberg (ICS Attackers)

12. Observed Attack Trends
• ICS-specific targeting, delivery, payloads (Stuxnet, Havex, BE2)
• Overcome expected defenses - gap jumping (Stuxnet, Havex)
• Protocol custom/capable attacks (Havex)
• ICS-specific exploit tool development (Researchers, Havex, BE2)
• ICS-specific exploit tools used (Honeypot research, Havex, BE2)
• Process-focused & equipment under control (Stuxnet, BSI Incident)
• Firmware aware (Honeypot research)
• Data destruction/resource depletion (Incidents, BE2 Module)
• Sophisticated cyber tradecraft able to defeat security tools

13. Requires Multi-Staged Attacks

14. Stage 1 - ICS Kill Chain

15. Stage 2 - ICS Kill Chain

18. Energy Targeting

22. How Sophisticated is It?

25. ICS 515

27. Importance of Engineering
Technology
O
p
e
r
a
t
i
o
n
s
P
r
o
c
e
s
s
“Attackers are learning the importance
of what is below the waterline…so
should we”

28. Cyber Informed engineering

29. Questions?