1. Copyright © 2014, FireEye, Inc. All rights reserved.
Case Studies: Industrial Control Systems
Dan Scali, Manager – Industrial Control Systems
Mandiant Security Consulting Services
2.
ICS security threats
[Diagram: reference architecture with layers Enterprise/IT, Plant DMZ, SCADA/ICS and Control; the SCADA/ICS layer holds SCADA, Historian and HMI, the Control layer holds PLCs, Controllers, RTUs, PACs]
Threat vector: Attacks on the enterprise
Threat vector: Attacks on ICS/SCADA systems and devices
3.
Case studies
Building a comprehensive program: How an ICS operator used Mandiant Security Consulting Services to build an IT/OT cyber security program
Defending the SCADA & field-level devices: How an ICS operator used passive network monitoring to identify SCADA network configuration flaws
4.
Case Study
Building a cyber security program
5.
The challenges
Business imperative / Implications
Maintain compliance: Transition from NERC CIP v3 to NERC CIP v5
• 10-20k serial assets coming into scope for NERC CIP
• Requires coordination across OT & IT
Resist targeted attacks: Detect, respond to, and contain incidents impacting grid assets
• Integrated SOC will need visibility into grid assets
• IR processes and technologies must be adapted for control system environment
Support reliability: IT/OT convergence and next-generation grid
• Legacy control systems technology will be replaced
• Connectivity & exposure of power systems will increase
6.
FireEye’s solution: Program strategy
Mission: To support the reliable operation of the bulk electric system in accordance with legal and regulatory responsibilities by preventing, detecting, and responding to cybersecurity incidents.
Stakeholders: Transmission & Distribution – Cybersecurity – Power Systems IT
Key functions & activities
Governance: Policy, Compliance, Training, Asset inventory, Metrics
Technology: New projects, Technical standards, Evaluation & Procurement, External working groups
Operations: Maintenance, Incident Response, Vulnerability & Patch Management
7.
Sample roadmap
8.
Sample heatmap
9.
Sample project plan
10.
Case Study
Protecting the SCADA
11.
The challenge
Customer had invested heavily in a network segmentation and firewall configuration effort.
Needed a way to validate that:
– No connections were possible directly from the business network to the SCADA network
– SCADA was not able to communicate with the internet
12.
The Solution: FireEye PX
• Ultrafast packet capture: up to 20Gbps sustained in a single appliance allows for aggregation and cost savings
• Internal or external storage options (FC or SAS)
• Ultrafast search: patented tiered indexing system (search TBs in seconds)
• Session Analysis: full reconstruction of web, email, DNS, & ftp traffic
• File extraction
• User extensible
• Industry standard PCAP format for capture data
• Export of index data in Netflow v9 or IPFIX format
13.
PX deployment options
[Diagram: three deployment variants, each showing Enterprise Network – Router – Firewall/DMZ – Switch – ICS with NX and PX appliances linked by Pivot2Pcap: (1) SPAN port on the switch, (2) out-of-band tap (OOB), (3) inline tap]
14.
Results
15 minutes of network traffic capture data revealed:
• Traffic direct from business network to SCADA zone
• External DNS requests
• Potential multi-homed devices
• Limited segmentation between SCADA zones
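The four findings on the results slide, and the two validation goals on the challenge slide before it, are the kind of segmentation checks that can be automated over exported flow records. The script below is an added example, not FireEye's code and not anything from the deck: it takes constructed flow records in the shape one might derive from a NetFlow v9/IPFIX export (timestamp, source MAC, source and destination IP, destination port, protocol), a hypothetical zone map, and a hypothetical list of permitted zone-to-zone paths, and reports business-to-SCADA connections, SCADA-to-internet traffic with external DNS called out separately, traffic between SCADA zones, and MAC addresses seen sourcing traffic from more than one zone as multi-homing candidates.

```python
"""Segmentation validation over flow records (added example, not the deck's code).

Input: flow summaries of the kind exported from a capture appliance in
NetFlow v9 / IPFIX form, reduced to
(timestamp, src_mac, src_ip, dst_ip, dst_port, proto).
The zone map, allowed paths and sample flows below are all hypothetical.
"""
import ipaddress
from collections import defaultdict

# Hypothetical zone map: zone name -> CIDR blocks. Anything not listed is
# classified as "external", so every internal range must be enumerated here.
ZONES = {
    "business": ["10.10.0.0/16"],
    "plant_dmz": ["10.20.0.0/24"],
    "scada_a": ["192.168.10.0/24"],
    "scada_b": ["192.168.20.0/24"],
}
ZONE_NETS = {name: [ipaddress.ip_network(c) for c in cidrs]
             for name, cidrs in ZONES.items()}

# Zone-to-zone paths the segmentation design permits (both directions listed
# explicitly). Intra-zone traffic is always treated as expected.
ALLOWED_PATHS = {
    ("business", "plant_dmz"), ("plant_dmz", "business"),
    ("plant_dmz", "scada_a"), ("scada_a", "plant_dmz"),
    ("plant_dmz", "scada_b"), ("scada_b", "plant_dmz"),
    ("business", "external"), ("external", "business"),
}


def zone_of(ip: str) -> str:
    """Map an IP address to its zone name, or "external" if unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONE_NETS.items():
        if any(addr in net for net in nets):
            return name
    return "external"


def analyze(flows):
    """Return a dict of finding category -> list of offending records."""
    findings = defaultdict(list)
    mac_zones = defaultdict(set)  # src MAC -> zones it has sourced traffic from
    for ts, src_mac, src_ip, dst_ip, dst_port, proto in flows:
        src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
        mac_zones[src_mac].add(src_zone)
        if src_zone == dst_zone or (src_zone, dst_zone) in ALLOWED_PATHS:
            continue
        record = (ts, src_ip, dst_ip, dst_port, proto)
        if src_zone == "business" and dst_zone.startswith("scada"):
            findings["business_to_scada"].append(record)
        elif src_zone.startswith("scada") and dst_zone == "external":
            key = "scada_external_dns" if dst_port == 53 else "scada_to_internet"
            findings[key].append(record)
        elif src_zone.startswith("scada") and dst_zone.startswith("scada"):
            findings["cross_zone_scada"].append(record)
        else:
            findings["other_disallowed"].append(record)
    # Heuristic: one MAC sourcing traffic from two zones suggests a dual-addressed
    # interface. Dual-NIC hosts have two MACs and need host-inventory correlation.
    for mac, zones in sorted(mac_zones.items()):
        if len(zones) > 1:
            findings["multi_homed_candidates"].append((mac, sorted(zones)))
    return dict(findings)


# Constructed sample flows (not captured data): one record for each finding the
# slide lists, plus two permitted flows that must not be reported.
SAMPLE_FLOWS = [
    ("2014-05-01T10:00:01", "00:11:22:33:44:01", "10.10.5.20", "192.168.10.15", 502, "tcp"),
    ("2014-05-01T10:00:02", "00:11:22:33:44:02", "192.168.10.15", "203.0.113.53", 53, "udp"),
    ("2014-05-01T10:00:03", "00:11:22:33:44:03", "192.168.10.30", "192.168.20.30", 44818, "tcp"),
    ("2014-05-01T10:00:04", "00:11:22:33:44:03", "10.10.7.7", "10.10.1.1", 445, "tcp"),
    ("2014-05-01T10:00:05", "00:11:22:33:44:05", "10.20.0.5", "192.168.10.15", 502, "tcp"),
    ("2014-05-01T10:00:06", "00:11:22:33:44:06", "192.168.10.15", "192.168.10.100", 502, "tcp"),
]

if __name__ == "__main__":
    for category, records in analyze(SAMPLE_FLOWS).items():
        print(f"{category}: {len(records)}")
        for rec in records:
            print("   ", rec)
```

Two caveats when running this against real exports: any internal range missing from the zone map is reported as "external", which inflates the SCADA-to-internet findings, so the map has to be complete before the output is trusted; and the multi-homing check only catches a single interface carrying addresses in two zones, so a host bridging zones with two NICs shows up only when the flow data is correlated with the asset inventory.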
15.
Incident response workflow
Detect: FireEye threat prevention platform (NX, EX, FX, or AX) detects threat and generates alert with detailed OS change report.
Validate & Contain: OS change report is sent to HX appliance which then generates indicator and pushes to endpoint agent. Operator can contain & isolate the compromised endpoint by blocking all traffic with single click workflow while continuing with the investigation. Analyst can view detailed exploit timeline from the endpoint to better understand the attack.
Forensics Analysis: Analyst pivots to PX with IP address and time of infection to reconstruct kill chain before, during and after to determine the scope and impact of a threat via captured packets.
16.
Questions?