1-OT Security POV
OT SECURITY

UNDERSTANDING OT SECURITY THREATS, CHALLENGES & MITIGATIONS

TONY EL HAIBY
ASSOCIATE PARTNER - CROSS COMPETENCY MEA

www.menaisc.com
IT AND OT: DIFFERENT WORLDS

Different skills, different methods ... yet they are converging.

Agenda
● OT & IT security overview
● OT security trends & threats
● Our security approach at IBM
Introduction to OT
What is OT?

Operational Technology (OT) is hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices such as valves, pumps, temperature sensors, gas sensors, etc. within industrial processes.

Industrial Control Systems (ICS) are an element of OT that are used to control valves, engines, conveyors, smelters, mixers, and other machines to regulate various process values, such as temperature, pressure, flow, chemical mixtures, and are also used to monitor them to prevent hazardous conditions.

Figure: OT security standards taxonomy. IT and OT are shown side by side; within OT sits ICS, which covers SCADA, PLC, DCS, IED, RTU and SIS / protection / ESD (emergency shutdown) systems.

Industries using OT

● Pharmaceutical
● Oil & gas
● Energy (electricity, alternative)
● Building management systems
● Logistics & transportation
● Manufacturing (automotive manufacturing, electronics, industrial products)
● Water
Purdue Logical Framework Model for IT / OT Security Convergence

ENTERPRISE ZONE (Levels 4 & 5): corporate IT, email, ERP / data warehouse, finance, VPN remote access and corporate internet access. Protected by IT infrastructure, systems and applications security.

DMZ: a firewall separates the enterprise zone from the manufacturing zone. 3rd-party remote or physical access terminates here.

MANUFACTURING ZONE
● Level 3 - Site manufacturing operations and control: manufacturing execution systems (MES), energy management system (EMS), distribution management systems (DMS), plant historian.
● Level 2 - Area supervisory controls: control room HMI, process workstations, acquisition, historian, supervision.
● CELL / AREA ZONE
  ● Level 1 - Basic controls (process and automation control equipment): PLC, RTU, DCS, SIS, industrial PC, industrial wireless, digital bus and point-to-point connections.
  ● Level 0 - Process / field devices (the manufacturing process): sensors, actuators, engines, remote control systems.

OPERATIONAL TECHNOLOGY SECURITY CHALLENGES

Level 3 - 1 challenges
● Legacy communications network interfaces
● Unmanaged Ethernet switches / lack of available ports
● Latency introduced by SPAN (port mirroring)
● Legacy unsupported OS
● ICS/OT system vendor certification requirements for changes
● Attacks from IT into OT
● 3rd-party access to OT
● Limited asset information accuracy

Level 0 - 1 challenges
● Legacy systems using proprietary log messages and event triggers
● Hard-wired interfaces for signalling
● Serial messaging / signal-based OT protocols
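The zone diagram above implies a traffic policy: enterprise and 3rd-party traffic must terminate in the DMZ, the DMZ only talks to Level 3, and field devices are only reached from their own cell/area. The following is an added example, not code from this deck or from IBM, that encodes such a policy in Python and audits a list of flows, the kind of check a firewall rule review or a span of NetFlow records would be run through. The host names, levels, areas, ports and the four rules are assumptions chosen to illustrate the model, not a standard's mandated rule set.

```python
"""Purdue-model flow policy check (added example, not from the deck).

Each host is placed at a Purdue level; a small policy derived from the
zone diagram is then applied to a list of observed or proposed flows:
  1. Enterprise (Level 4/5) and external hosts may only talk to the DMZ.
  2. The DMZ may only talk to Level 3 (or other DMZ hosts).
  3. Inside the manufacturing zone a flow may cross at most one level.
  4. Level 0-1 devices may only be reached from their own cell/area.
Host names, levels, areas and ports below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DMZ = 3.5  # the IT/OT DMZ sits between Level 3 and Level 4


@dataclass(frozen=True)
class Host:
    name: str
    level: Optional[float]  # 0..5, DMZ for the DMZ, None for external hosts
    area: str = ""          # cell/area name, meaningful for Level 0-2 hosts


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def _above_dmz(level: Optional[float]) -> bool:
    """True for enterprise (Level 4/5) and external (None) hosts."""
    return level is None or level >= 4


def violation(src: Host, dst: Host) -> Optional[str]:
    """Return the policy rule a flow breaks, or None if it is allowed."""
    a, b = src.level, dst.level
    # Rule 1: enterprise/external <-> manufacturing zone must pass the DMZ.
    if _above_dmz(a) != _above_dmz(b):
        return None if DMZ in (a, b) else "IT/OT boundary crossed without the DMZ"
    if _above_dmz(a):  # both sides above the DMZ: outside this policy
        return None
    # Rule 2: DMZ hosts only exchange traffic with Level 3.
    if DMZ in (a, b):
        other = b if a == DMZ else a
        return None if other in (3, DMZ) else "DMZ may only talk to Level 3"
    # Rule 3: no level skipping inside the manufacturing zone.
    if abs(a - b) > 1:
        return f"flow skips Purdue levels ({a:g} -> {b:g})"
    # Rule 4: field devices are only reachable from their own cell/area.
    if min(a, b) <= 1 and src.area != dst.area:
        return "Level 0-1 device reached from another cell/area"
    return None


def audit(hosts: Dict[str, Host], flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (flow, reason) pairs for every flow that breaks the policy."""
    found = []
    for f in flows:
        reason = violation(hosts[f.src], hosts[f.dst])
        if reason:
            found.append((f"{f.src}->{f.dst}:{f.dport}", reason))
    return found


# Constructed sample inventory and flow list (assumption, not real data).
HOSTS = {h.name: h for h in [
    Host("erp-app", 4),
    Host("vendor-laptop", None),          # 3rd-party remote technician
    Host("dmz-historian", DMZ),
    Host("plant-historian", 3),
    Host("eng-ws-line1", 2, "line1"),     # engineering workstation, area line1
    Host("hmi-line1", 2, "line1"),
    Host("plc-line1", 1, "line1"),
    Host("plc-line2", 1, "line2"),
]}

FLOWS = [
    Flow("hmi-line1", "plc-line1", 502),             # ok: L2 -> L1, same cell
    Flow("eng-ws-line1", "plc-line1", 102),          # ok: program download, same cell
    Flow("plant-historian", "dmz-historian", 1433),  # ok: L3 -> DMZ replica
    Flow("erp-app", "dmz-historian", 1433),          # ok: L4 reads the DMZ replica
    Flow("erp-app", "plant-historian", 1433),        # bad: bypasses the DMZ
    Flow("vendor-laptop", "plc-line1", 502),         # bad: 3rd party straight to PLC
    Flow("plant-historian", "plc-line1", 502),       # bad: L3 polls L1 directly
    Flow("hmi-line1", "plc-line2", 502),             # bad: crosses cell/area
]

if __name__ == "__main__":
    for flow, why in audit(HOSTS, FLOWS):
        print(f"VIOLATION {flow}: {why}")
```

Run stand-alone it prints four violations: the ERP reading the plant historian directly, the vendor laptop reaching a PLC, the Level 3 historian polling Level 1 without an intermediate supervisory host, and the line 1 HMI writing to a line 2 PLC. Swapping in real inventory and firewall or flow exports turns the same function into a recurring check that the "attacks from IT into OT" and "3rd-party access to OT" challenges listed above are actually constrained by the network design.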
OT Incidents vs IT Incidents

OT INCIDENTS
● POWER OUTAGE: unauthorized control commands to IEDs cause multiple breaker trips, isolating substations and causing a cascading power failure.
● PRODUCTION OUTAGE: malware that changes PLC programming causes an outage.
● LOSS OF LIFE: safety control PLCs (emergency shutdown systems) are taken offline by malware downloaded to an engineering workstation, as part of a coordinated malicious attack. An explosion occurs when threshold temperatures are exceeded.

IT INCIDENTS
● DENIAL OF SERVICE: infected computers on the internet request services from a website. The website shuts down due to the extreme load.
● SENSITIVE DATA LOSS: phishing of the CEO's laptop leads to theft of financial data, resulting in reputation loss and a fall in the stock price.
● COMPANY IT ASSETS DELETED: a malicious insider gains unauthorized access to a Windows domain controller and sends malware to corrupt/wipe all computing resources. Users, call center, partners and clients lose all services.
OT Security trends & threats
IN IT ENVIRONMENTS, ATTACKERS FOCUS ON STEALING DATA

BILLIONS OF RECORDS AND HUNDREDS OF GIGABYTES

Over the last three years, more than 11.7 billion records and over 11 terabytes of data were leaked or stolen in publicly disclosed incidents.

Figure: Sampling of the impact of security incidents by records and cache files compromised, time and impact, 2016 through 2018 (timeline by year: 2016, 2017, 2018). Source: IBM X-Force.

OT THREAT LANDSCAPE (2012 - 2015)

Impact legend used on the timeline: national security, market disruption, physical infrastructure damage, financial loss, human harm.

2012
● Shamoon infects Saudi Aramco and RasGas in Qatar. Also known as W32.DisTrack, it overwrites the MBR, making disks unusable. Believed to be a state-sponsored attack.

2015
● Confidential SCADA system data for a hydroelectric generator exposed on the dark web.
● SCADA system for a New York dam hacked.
● December: the first ever malware-enabled blackout in history (Ukraine, BlackEnergy).
OT THREAT LANDSCAPE (2016 - 2017)

2016
● January: ransomware email delivered to the Israeli Electricity Authority.
● March: hackers breach a water company's SCADA system, controlling water flow and chemical levels.
● Ransomware phishing on a Michigan-based electric and water utility.
● Ransomware discovered on a fuel system at a Bavaria-based nuclear power plant.
● December: Shamoon 2 devastates oil & gas companies and crosses into OT. It wipes disks and leaves political messages.

2017
● May: ransomware encrypts unpatched energy & utilities process control systems (WannaCry).
● Malware takes a substation in Ukraine offline (Industroyer).
● June: "NotPetya" malware stops, among other things, Chernobyl radiation sensors.
● December: attack on emergency shutdown systems made public (TRISIS).
OT THREAT LANDSCAPE (2018 - 2019)

2018
● March: advisory on attacks (since 2014) using many IT staging targets on critical infrastructure published by US-CERT.
● October: backdoor discovered which links BlackEnergy, Industroyer and NotPetya to the same source.
● December: Shamoon 3 cripples Saipem and impacts companies across the Gulf.

2019
● March: LockerGoga impacts Norsk Hydro OT & IT global operations. Financial impact in excess of 30M.
SHODAN: THE WORLD'S MOST DANGEROUS SEARCH ENGINE

Our cities' and countries' critical infrastructures can be searched ... easily!
shodanhq.com

Like Google, Shodan searches the internet, but for publicly accessible devices rather than web pages, and it is particularly useful for finding ICS devices, such as city traffic lights, building/city cameras, water/power stations and nuclear stations. Anyone can use it, it's free, and newly discovered devices are mapped daily.
Figure: Shodan "Industrial Control Systems" category page.

VULNERABLE ICS EXAMPLE (screenshots): 1 FIND, 2 SEARCH, 3 RESEARCH, 4 HACK.
Default passwords for the device shown are available in the vendor's public user guide: https://www.perle.com/support_services/documentation_pdfs/iolan_ds-ts_ug_v4.5.pdf

GLOBAL NAVIGATION SATELLITE SYSTEMS (screenshots): 1 FIND, 2 RESEARCH, 3 HACK.

ELECTRIC APC EXAMPLE (screenshot).

PLC EXAMPLE (screenshots).
MOST COMMON OT CYBERSECURITY MYTHS

● Myth 1: We don't connect to the Internet.
● Myth 2: Control systems are behind a firewall.
● Myth 3: Hackers don't understand control systems.
● Myth 4: Our facility is not a target.
● Myth 5: Our safety systems will protect us.
Security Goals

IT priorities, highest to lowest: confidentiality, integrity, availability.
OT priorities, highest to lowest: availability, integrity, confidentiality.

WHY ARE THESE ATTACKS POSSIBLE?

● Legacy systems
● Default configuration
● Less/no encryption
● Less/no updates
● No policies & procedures
● Less/no segmentation
● Latency concerns
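"Less/no encryption" and the legacy serial-style protocols listed under the Level 0-1 challenges are what make the "unauthorized control commands" incident on the OT incidents slide possible: a PLC executes any well-formed write it receives, from anyone. The following is an added example, not code from this deck or from IBM, using Modbus/TCP as a representative unauthenticated protocol. It decodes the MBAP header and PDU, then applies two detection rules over a constructed capture: writes from hosts that are not approved HMI/engineering stations, and any write that touches a protected coil range. The IP addresses, allow-list, coil numbers and frames are all assumptions built inline.

```python
"""Modbus/TCP write-command detection (added example, not from the deck).

Modbus/TCP carries no authentication or encryption, so a PLC executes any
well-formed write it receives. The parser below decodes the MBAP header and
the PDU of common function codes; the detector then flags (a) writes from
hosts that are not approved engineering/HMI stations and (b) any write that
touches a protected coil range (for example breaker-trip or ESD outputs).
IP addresses, the allow-list, coil numbers and frames are constructed.
"""
import struct
from typing import Dict, List, Tuple

READ_FUNCTIONS = {1, 2, 3, 4}          # read coils/inputs/registers
WRITE_FUNCTIONS = {5, 6, 15, 16, 23}   # single/multiple coil & register writes
COIL_WRITE_FUNCTIONS = {5, 15}


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP request: MBAP header + function code + data."""
    # MBAP: transaction id, protocol id (0 = Modbus), length, unit id
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([fc]) + data


def parse_frame(frame: bytes) -> Dict:
    """Decode the MBAP header and the PDU fields needed for policy checks."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc, data = frame[7], frame[8:]
    pdu = {"tid": tid, "unit": unit, "fc": fc & 0x7F, "exception": bool(fc & 0x80)}
    if pdu["exception"]:
        return pdu
    if fc in READ_FUNCTIONS or fc in (5, 6):
        # address + quantity (reads) or address + value (single writes)
        pdu["address"], second = struct.unpack(">HH", data[:4])
        pdu["count"] = second if fc in READ_FUNCTIONS else 1
    elif fc in (15, 16):
        # address, quantity, byte count, then the values
        pdu["address"], pdu["count"], nbytes = struct.unpack(">HHB", data[:5])
        pdu["values"] = data[5:5 + nbytes]
    elif fc == 23:
        # read/write multiple registers: read addr/qty, then write addr/qty
        _, _, pdu["address"], pdu["count"] = struct.unpack(">HHHH", data[:8])
    return pdu


def detect_unauthorized_writes(
    packets: List[Tuple[str, str, bytes]],
    allowed_writers: set,
    protected_coils: Tuple[int, int],
) -> List[Tuple[str, str, str]]:
    """Return (src, dst, reason) alerts for every policy-violating frame."""
    alerts = []
    lo, hi = protected_coils
    for src, dst, frame in packets:
        try:
            pdu = parse_frame(frame)
        except (ValueError, struct.error) as err:
            alerts.append((src, dst, f"malformed Modbus/TCP frame: {err}"))
            continue
        if pdu["exception"] or pdu["fc"] not in WRITE_FUNCTIONS:
            continue
        what = f"FC{pdu['fc']} unit {pdu['unit']} addr {pdu['address']} x{pdu['count']}"
        if src not in allowed_writers:
            alerts.append((src, dst, f"write from non-allow-listed host: {what}"))
        first, last = pdu["address"], pdu["address"] + pdu["count"] - 1
        if pdu["fc"] in COIL_WRITE_FUNCTIONS and first <= hi and last >= lo:
            alerts.append((src, dst, f"write touches protected coils {lo}-{hi}: {what}"))
    return alerts


# Constructed capture: (source ip, destination ip, Modbus/TCP payload).
HMI, ROGUE, PLC = "10.1.2.10", "10.1.99.23", "10.1.2.50"
PACKETS = [
    (HMI, PLC, build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),        # read 10 regs
    (HMI, PLC, build_frame(2, 1, 5, struct.pack(">HH", 7, 0xFF00))),    # HMI sets coil 7
    (ROGUE, PLC, build_frame(3, 1, 5, struct.pack(">HH", 7, 0xFF00))),  # same write, rogue host
    (ROGUE, PLC, build_frame(4, 1, 16, struct.pack(">HHB", 100, 2, 4) + struct.pack(">HH", 1, 2))),
    (HMI, PLC, build_frame(5, 1, 5, struct.pack(">HH", 200, 0xFF00))),  # HMI trips a protected coil
    (ROGUE, PLC, build_frame(6, 1, 15, struct.pack(">HHB", 198, 4, 1) + b"\x0F")),  # coils 198-201
    (ROGUE, PLC, struct.pack(">HHHB", 7, 1, 2, 1) + b"\x05"),           # wrong protocol id
]
ALLOWED_WRITERS = {HMI}
PROTECTED_COILS = (200, 215)  # assumed breaker/ESD output range


def run_demo() -> List[Tuple[str, str, str]]:
    return detect_unauthorized_writes(PACKETS, ALLOWED_WRITERS, PROTECTED_COILS)


if __name__ == "__main__":
    for src, dst, reason in run_demo():
        print(f"ALERT {src} -> {dst}: {reason}")
```

Run stand-alone it raises six alerts from the seven constructed frames: three writes from the rogue host, two writes that land on the protected coil range (one of them the legitimate HMI, which is the point: a compromised HMI looks identical on the wire), and one malformed frame. Fed from a SPAN port on the cell/area switch, this is the minimum an OT SOC needs to answer the "are we being attacked?" question posed later in the deck; because the protocol itself offers no integrity protection, source allow-listing and address-range policy are the only wire-level signals available.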
ATTACK VECTORS REACHING THE OT NETWORKS

● Removable media
● Email phishing and attachments
● Remote technicians - VPN
● Software vulnerabilities
● Guest networks
● Unprotected sockets
● Lack of network segmentation
Commonalities and Key Takeaway

Stuxnet
● Used 4 Windows 0-days for replication and privilege escalation: LNK/PIF auto execution, Print Spooler, RPC remote execution, privilege escalation
● Used a rootkit to hide and persist code in PLCs
● Very specific to a particular Siemens PLC configuration; would not fire unless it was present
● Early version contained MitM code; the actual effective attack did not need it
● PLC code modified

Havex
● Part of a campaign against ICS vendors and their customers, particularly in the EU
● "Watering-hole" type of attack, where malware was embedded into legitimate ICS vendor software, to be executed when downloaded
● Has components of a general purpose Remote Access Trojan (RAT), including Command & Control, as well as exfiltration capability

BlackEnergy 2/3
● Opportunistic scanning of vulnerable Internet-connected HMIs
● General purpose "toolkit" with rootkit and plugin modules
● Part of a large, multi-faceted campaign also targeting government, academia, NATO, energy, and telecom
● ICS attack module utilized a 0-day (CVE-2014-0751) against GE Cimplicity HMI
● Reports of attacks against Siemens WinCC and Advantech WebAccess

Shamoon
● Not ICS specific, but used in the largest attack against an ICS industry: Saudi Aramco
● Roughly 35,000 Windows computers were rendered inoperable within hours
● Sophisticated malware which spreads rapidly via Windows shares and reports back to a C&C server
● Built for 32- and 64-bit versions of Windows

Key takeaway: successful attacks on OT do not necessarily need to exploit OT-specific vulnerabilities.

Our IBM Security Approach
IT vs OT and Convergence?

INFORMATION TECHNOLOGY
● Data center equipment
● ERP / SAP systems
● Various client-server IT technology (mail etc.)
● Home of the CIO & CISO
Major security risks: loss of data confidentiality, loss of data integrity, loss of data availability.

OPERATIONAL TECHNOLOGY
● Control room
● Plant execution systems
● SCADA / historian systems
● Human machine interfaces
● Safety systems
● Engineering workstations, PLCs, RTUs, DCSs, IEDs
● Home of the operator and electrical engineer; in COO/CFO focus
Major security risks: system & data reliability, system & process availability.

IT & OT CONVERGENCE
● IT & OT collaboration
● OT & IT security risks
● IT security issues in OT with industrial impacts
Inevitable Move Towards IT-OT Integration

● The OT security annual spend will be 1,115 million USD, while the expected OT security spend is 380 million USD in 2019.**
● The expected OT security spend is to grow at a 45.7% compound annual growth rate (CAGR) from 2016 to 2022.**
● 49.4% of respondents suggest that security is their major concern for IT-OT integration.*
● 57.7% of respondents say that in 3 years they will have an integrated IT-OT governance model.*
● By 2022, 30% of asset-centric enterprises will adopt a hybrid model with traditional security deployed alongside specialist OT security technology.**

Source: Gartner**, International Data Corporation (IDC)*


The Convergence is Putting Pressure for Integrated Cyber Security

● Coordination: increased coordination efforts across IT and OT environments
● Process: development of an enterprise security framework, policies and procedures
● Governance: design of a security operating model to enable coordination, efficiency and effectiveness of security capabilities across the enterprise
● Risk management: integrated cyber risk management
● Technology: leverage traditional security and adopt specialized OT security tools and technologies
THE NEED IS TO CREATE AN IT-OT SECURITY VISION AND DIRECTION
Creating an IT-OT security strategy will enable organizations to define the IT-OT security vision and direction.

IT - OT Security Strategy

1 ASSESS - Current state assessment
● Control assessment for remaining plants
● Security policy review
● Network security architecture review

2 DEFINE - Cyber security framework
● Alignment to standards
● Operating model
● IT-OT converged framework
● Security policy
● Risk management framework

3 IDENTIFY SECURITY CAPABILITIES - Technology capabilities
● Identify the security capabilities that support the cyber security framework created. Among others, the capabilities include OT SOC, IAM, data security etc.

4 BUILD STRATEGIC ROADMAP - IT-OT security roadmap
● Develop a 2-3 year strategic security roadmap with projects that are prioritized for business needs

5 CONTINUOUS IMPROVEMENT
● Design a governance framework that defines maturity levels and security metrics to ensure adherence and continuously improve security
● Closely monitor the IT-OT integration
TRANSFORM YOUR IT AND OT SECURITY PROGRAMS

Delivery model: PLAN (management consulting), BUILD (security systems integration), RUN (managed security).

BUILD A SECURITY STRATEGY THAT ACCELERATES NEW IT TRENDS
● BYoD, cloud, mobile, IoT
● SaaS and cloud based services
● ICS/OT security strategy now. Do not be the low hanging fruit.

BUILD AN OT & IT SOC
You know how much oil you refine and the ROI. You should know if you are being attacked, being compromised, or scanned for a path into your environment.

OPTIMIZE SECURITY PROGRAMS (DATA, IDENTITIES, NETWORK DESIGN)
● Manage identities NOW, particularly privileged accounts
● Know where the critical data is before someone else does. If you do not own your critical data, someone else will.
● Design the OT environment

ASSESS THE OT AND IT ENVIRONMENT
You need to know now if you are vulnerable, and to fix it quickly. Assessing the OT environment and improving its security is critical. Imagine an attack that takes down your OT. Test it.

IT AND OT SECURITY POLICIES AND PROCEDURES
● What configuration or standards are used for equipment, or for people who work in OT?

IT & OT SECURITY AWARENESS
When was the last time you tested whether you could phish one of your executives, admins, or plant engineers?

THANK YOU
