− Current State of Control System
− Reasons for Concern
− Options for Greater Visibility
− Potential Ecosystem
− Responding to Events
Why is Network Monitoring Needed?
Today’s computing environment is extremely decentralized
− Creates many, many entry points into your systems
− Giving hackers tremendous advantages
You can’t prevent everything
− End user errors, time to patch systems, third parties, the internet, etc.
Detection is the key step between prevention and corrective action
Adds context to existing tools (IDS, firewalls, proxies, etc.)
Monitoring use cases alert on things individual tools will not see
Gives metrics and trends
Supports corrective and preventative actions
The Undiscovered Breach
“Median number of days attackers were present on a victim’s network before being discovered” in 2013
Source: 2014 Mandiant Threat Report
Reasons for Concern: The Kill Chain
Current State for Monitoring Operations Technology (OT)
HMI = Human Machine Interface
WAN = Wide Area Network
SIEM = Security Information and Event Management
SOC = Security Operations Center
IDS = Intrusion Detection System
Reasons for Concern: Supply Chain
FBI: Counterfeit Cisco routers risk “IT subversion”
ZDNet, May 12, 2008
Pipeline Sabotage (1982)
Dell on Wednesday said that some replacement motherboards for PowerEdge servers may have contained the W32.Spybot worm in flash storage.
PC Magazine, July 22, 2010
Options for Greater Visibility on the Operations Side
The Enterprise Needs Better Coverage Too
• Conceptually, resources should be segmented by function so that monitoring and traffic restrictions can be effective
• Practically, organizations need to prioritize where to focus their efforts and start by isolating their DMZ, system administration functions, users, and operational technology (OT)
DMZ = Demilitarized Zone
Responding to Breaches
Do you know what normal looks like?
− Control system behavior
− Electro-mechanical behavior (don’t forget to read the gauges and use all
Can you operate without computers? If so, for how long?
How will you know when you can trust your computers again?
Are your business processes prioritized and staffed appropriately?
− Outage management/customer service may need more staff without
− What systems need to come back up first?
− What are the dependencies?
− Who gets to decide what’s most important?
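As an added illustration of the “do you know what normal looks like?” question for control-system traffic (this code is not part of the presentation): a baseline of which hosts talk to which controllers, and what operations they perform, is learned from a known-good window and then used to flag a new peer or a new operation. Host names, protocol and operation names are constructed sample values.

```python
# Added example (not from the original presentation): learn what "normal"
# control-system traffic looks like from a known-good window, then report
# conversations that fall outside that baseline. Flow records are constructed
# tuples here; a real deployment would feed them from IDS or flow logs.
from collections import defaultdict

# Constructed sample flows: (source, destination, protocol, operation).
BASELINE_FLOWS = [
    ("hmi-01", "plc-07", "modbus", "read_holding_registers"),
    ("hmi-01", "plc-07", "modbus", "write_single_register"),
    ("hmi-01", "plc-08", "modbus", "read_holding_registers"),
    ("historian", "plc-07", "modbus", "read_holding_registers"),
    ("historian", "plc-08", "modbus", "read_holding_registers"),
]

OBSERVED_FLOWS = [
    ("hmi-01", "plc-07", "modbus", "read_holding_registers"),
    ("historian", "plc-08", "modbus", "write_single_register"),      # historian never writes
    ("eng-laptop", "plc-07", "modbus", "write_multiple_registers"),  # unknown peer
    ("hmi-01", "plc-08", "modbus", "read_holding_registers"),
]

def build_baseline(flows):
    """Map each (src, dst, protocol) conversation to the set of operations seen."""
    baseline = defaultdict(set)
    for src, dst, proto, op in flows:
        baseline[(src, dst, proto)].add(op)
    return baseline

def find_deviations(baseline, flows):
    """Return (reason, flow) pairs for traffic the baseline does not explain."""
    findings = []
    for flow in flows:
        src, dst, proto, op = flow
        key = (src, dst, proto)
        if key not in baseline:
            findings.append(("new conversation", flow))
        elif op not in baseline[key]:
            findings.append(("new operation on known conversation", flow))
    return findings

def summarize(findings):
    """Count findings by reason: the metrics-and-trends view the deck asks for."""
    counts = defaultdict(int)
    for reason, _ in findings:
        counts[reason] += 1
    return dict(counts)

if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for reason, flow in find_deviations(base, OBSERVED_FLOWS):
        print(f"{reason}: {flow}")
```

The baseline window must itself be reviewed before it is trusted, since anything already present when it was captured becomes “normal”.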
All Kill Chain
For more information
Leidos Chief Cybersecurity Technologist
phone: 703-676-0269