Cyber Shield AnD for SCADA

Cyber Shield
Presented by: Dennis Murphy, Director, SCADA Cybersecurity, Elbit Systems. Email: dennis.murphy@elbitsystems-us.com. Phone: 603-886-2154. Twitter: @CyberMurphy
Fides SCADA Anomaly Detection System Has Your Six
February 2015
Elbit Systems Corporate Snapshot
Elbit Systems of America is a wholly owned subsidiary of Elbit Systems Ltd. (ESL): a leading global source of innovative, technology-based systems for diverse defense and commercial applications.
• Israeli-based, multi-domestic defense electronics company
• Publicly traded on NASDAQ and the Tel Aviv stock exchange (ESLT)
• Annual revenues: $2.9B
• 13,000 employees across 13 countries
Distribution by region (chart): Europe 25%, USA 30%, Rest of World 24%, Israel 21%

History repeats itself… World War II: a new dimension on the battlefield
The evolution of protecting against air warfare (Comprehensive Defense Maturity):
• THREAT IS RUNNING WILD: the German Army's Luftwaffe launches high-level bombers
• INADEQUATE PREVENTION: barrage balloons are of little use against high-level bombers
• OUT OF CONTEXT, SILOED DETECTION: radar is able to warn but not defeat the threat
• INTEGRATED DETECTION, MITIGATION & CONTROL: integrated war rooms with detection and mitigation

The evolution of protecting against advanced cyber threats (Comprehensive Defense Maturity):
• THREAT IS RUNNING WILD: APTs are well-targeted, with multi-surface attacks
• INADEQUATE PREVENTION: anti-virus, firewalls and traditional prevention techniques are inadequate
• OUT OF CONTEXT, SILOED DETECTION: siloed detection capabilities cannot effectively stop the threat in time
• INTEGRATED DETECTION, MITIGATION & CONTROL: centralized cyber operation that facilitates integrated early detection, effective response, people and policies

Market Trends and Challenges
“There is no such thing as 100% prevention and there never will be” (Gartner 2014)
“Companies worldwide spend an estimated $12 billion on basic cyber-crime prevention” (Association of Certified Fraud Examiners)
Stand-alone prevention is inadequate: existing blocking and prevention capabilities are insufficient to protect against motivated, advanced attackers.
Too many high priority alerts: 10,000 alerts per hour with no actionable insight.
20 days: the alert went unchecked before the breach announcement. “Those alarms [should] have been impossible to miss, they went off early enough that the hackers hadn’t begun transmitting the stolen card data out of Target’s network” (Source: Gartner; Bloomberg Business, 13 March 2014)

Why traditional prevention doesn’t work: THE GREY ZONE
Green Light … Red Light (Blacklist). APT – they play in the grey: injections, dropper, creating new process, screen shots, close process, driver load. (Slide labels: Hacker, Blacklist)
There is a seismic shift to detection
Over the next 5 years there will be a significant shift to rapid detection and response approaches (Source: Gartner 2014). Charts:
• Enterprise information security budgets allocated to rapid detection and response: 10% in 2014, 60% in 2020
• Enterprises with a security data warehouse: 5% in 2015, 40% in 2020
Elbit Cyber Security Portfolio: context-aware detection & mitigation for actionable insight
• Technologies & tools: advanced technology for the full range of cyber threats
• Policies, practices, procedures: holistic approach to protecting your organization
• Trained personnel: trained professionals equipped for a dynamic threat
• Cooperation, collaboration, intelligence: leverage the wider “community” for enhanced protection

Cyber Shield Portfolio
• Cyber Shield Training & Simulation
• Cyber Shield Analysis & Detection: Cyber Shield AnD for SCADA, Cyber Shield AnD for IT
• Cyber Shield Mitigation & Response

Cyber Shield: context-aware cyber threat detection & mitigation for actionable insight. Intelligent, holistic view of advanced cyber threats across multiple types of infrastructure for early detection and effective response, to protect isolated and semi-isolated networks.

Cyber Shield Conceptual Architecture (diagram)
• Cyber Shield TnS (Training and Simulation)
• Cyber Shield MnR (Mitigation and Response)
• Cyber Shield AnD (Analysis and Detection): event management, situational awareness, Contextual Impact Engine, SOC Manager; anomaly detection of behavioral patterns; cross-domain correlation
• Cyber Shield Sensors: detect local anomalies; smart data collection. Sensor types: CS-ICS (SCADA), CS-IT, CS-Weapon Systems, CS-Mobiles
• External info: prevention, mapping & assessment, IT infrastructure (SIEM, Active Directory, Firewall), IT infrastructure enrichment
CyberShield AnD SCADA (Analysis & Detection)
Protecting Critical Infrastructure: SCADA Networks
• Most critical networks are geographically dispersed.
• The applications and protocols used in the SCADA network were designed without security.
• All security measures are aimed at isolating the control network from the enterprise, but in reality interconnectivity is increasing.
• Good news: SCADA networks tend to be more deterministic and predictable, especially at the protocol level.
Solution Goal: a monitoring and APT detection system for an independent SCADA/DCS network. Properties: Reliability, Visibility, Control, Safety, Security, Compliance.

Cyber Shield AnD for SCADA – Module Overview
• BlackBox Appliance: a small-form “blackbox” that logs SCADA protocol traffic by passively monitoring the data communication between the field devices and the control center
• Insight Forensic & Analysis: this module stores the blackbox-collected data in a relational database and allows the user to query, view, filter and run intelligent analysis in an ad-hoc fashion
• Alerting: application-aware profiler that alerts on network anomalies, mainly to detect malicious activities
• NetMap: inventory and load monitoring of the control network and its nodes, with visualization and trending features

Cyber Shield AnD – SCADA sensors
• Cyber Shield SCADA sensors are small modular computing nodes
• Distributed architecture, scalable up to hundreds of monitoring appliances per server installation
• Passively monitors the SCADA network traffic without reconfiguring or redesigning the existing network architecture
• The sensors are capable of monitoring RS-232 and RS-485 network protocols such as Profibus and IEC-101
Cyber Shield AnD for SCADA – Typical Deployment (diagram)
• Control Center: Enterprise Management, HMI, Corporate LAN, FEP, SCADA Server, Historian, AnD Server, SOC, SIEM / Incident Management; Syslog \ SNMP links
• Communication Backbone: VLAN \ Inline \ Separate Physical Network
• SCADA Network and Remote SCADA Network: Switch with Mirror \ Tapping port (Ethernet \ Serial) feeding the AnD Blackbox; RTU, IED, PLC
• Legend: AnD Components vs. Existing System
Cyber Shield AnD for SCADA – Operation
Network Forensics
• Built-in client application for network forensics
• All SCADA network traffic is logged in a central relational database for historical analysis and correlation
• Columns can be selected and advanced filters set in place to perform advanced network forensics
• Export capability to rebuild the pcap files for a defined event or time period
SCADA Alerts
• Summary list of all alerts
• List can be filtered to find relevant alerts
• Allows for advanced analysis of suspicious traffic anomalies
White List Rule Definition
• Enables the user to manually or automatically define rules on what transmissions are allowed in the network, a relatively simple definition in SCADA networks.
• Monitors on all layers, from physical (MAC) to application-specific data (process data values)
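The whitelist approach described above, as an added example that is not Cyber Shield code: it learns allowed (MAC pair, protocol, function, point) tuples and a value envelope per point from a constructed baseline window, then flags later transmissions by the layer at which they deviate. The `margin` tolerance, the record layout and all MAC addresses and values are assumptions for the demo.

```python
"""Whitelist profiler for passively captured SCADA traffic (added example, not
Cyber Shield code). Rules are learned from a baseline window; later traffic is
checked from the MAC layer up to process data values. Records are constructed."""
from collections import defaultdict

FEP, RTU_A, RTU_B = "00:11:22:00:00:01", "00:11:22:00:00:10", "00:11:22:00:00:11"

def rec(src, dst, proto, func, point, value):
    return {"src": src, "dst": dst, "proto": proto, "func": func, "point": point, "value": value}

# Constructed baseline: the front-end processor (FEP) polling two RTUs.
BASELINE = ([rec(FEP, RTU_A, "IEC-104", "read", 2001, v) for v in (40.5, 41.0, 40.8, 41.2)]
            + [rec(FEP, RTU_B, "DNP3", "read", 7, v) for v in (1.0, 1.0, 0.0, 1.0)])

def _key(r):
    return (r["src"], r["dst"], r["proto"], r["func"], r["point"])

def learn_rules(records, margin=0.10):
    """Automatic rule definition: allowed transmission tuples plus a value envelope
    per (dst, proto, func, point), widened by `margin` (an assumed tolerance)."""
    allowed, ranges = set(), defaultdict(lambda: [float("inf"), float("-inf")])
    for r in records:
        k = _key(r)
        allowed.add(k)
        lo, hi = ranges[k[1:]]
        ranges[k[1:]] = [min(lo, r["value"]), max(hi, r["value"])]
    for k, (lo, hi) in ranges.items():
        pad = (hi - lo) * margin or abs(hi) * margin
        ranges[k] = [lo - pad, hi + pad]
    return allowed, dict(ranges)

def check(records, allowed, ranges):
    """Return (layer, detail) alerts for transmissions outside the whitelist."""
    alerts = []
    for r in records:
        k = _key(r)
        if k not in allowed:
            # Unknown MAC pair: physical-layer anomaly; known pair with a new
            # protocol/function/point: application-layer anomaly.
            mac_known = any(a[:2] == k[:2] for a in allowed)
            alerts.append(("application" if mac_known else "mac", k))
        elif not ranges[k[1:]][0] <= r["value"] <= ranges[k[1:]][1]:
            alerts.append(("process-value", k + (r["value"],)))
    return alerts

# Constructed test traffic: normal poll, rogue node, new function code, out-of-range reading.
TEST_TRAFFIC = [rec(FEP, RTU_A, "IEC-104", "read", 2001, 40.9),
                rec("00:aa:bb:cc:dd:ee", RTU_B, "DNP3", "read", 7, 1.0),
                rec(FEP, RTU_B, "DNP3", "write", 7, 0.0),
                rec(FEP, RTU_A, "IEC-104", "read", 2001, 95.0)]
```

Running `check(TEST_TRAFFIC, *learn_rules(BASELINE))` yields three alerts (mac, application, process-value) and none for the baseline itself.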
Supported Protocols
Cyber Shield leads the market with the most comprehensive support for SCADA protocols: DF1, C37.118, UDH, TCP/RTU/+, IEC 60870-5-101/104, DNP3 / DNPi, Profinet/Profibus, Teleperm XP, TIM MDLC / MDLC over IP
Cyber Shield AnD for SCADA – Unique Offering
AnD for SCADA – a full suite of features:
§ Complete packet logging for forensics
§ Context-aware alerts
§ Passive connectivity
§ Core inspection: the only solution providing legacy serial inspection integrated with TCP/IP inspection
Connectivity to CyberShield provides context-aware, intelligence-driven response to enterprise cyber security.
CyberShield TnS (Training & Simulation)
Cyber Shield Training and Simulation: an enterprise-level trainer, enabling the organization to train the cyber defenders and simulate complex scenarios on the specific IT and SCADA networks.
• Simulating multistage, highly advanced APT attacks
• Maximizing the awareness and improving the skills of the cyber workforce
Automatic attack machine: generating real-life scenarios training all the various cyber defender roles. Focused on accurately simulating multi-stage, multi-vector cyber attacks on the enterprise, reflecting the real operational network environment, including IP and SCADA networks.
Thank You!