Cognitive Security Transformation for the Energy Sector
INTRODUCTION TO IBM SECURITY ENERGY ENVIRONMENT & UTILITIES
Steven Dougherty, Associate Partner, Energy Environment & Utilities
October 2017
2 IBM Security
Sophisticated attacks are trending on the industry nationally and globally
• June 2015: Confidential SCADA system data for a hydroelectric generator exposed on the Dark Web
• December 2015: SCADA system for a New York dam hacked; network breach of a US natural gas and electricity company; SCADA systems of three Ukrainian electricity distributors infiltrated
• January 2016: Ransomware email delivered to the Israeli Electricity Authority
• March 2016: Hackers breach a water company’s SCADA system, controlling water flow and chemical levels
• April 2016: Ransomware phishing on a Michigan-based electric and water utility; malware discovered on a fuel system at a Bavaria-based nuclear power plant
• December 2016: SCADA systems of Kiev Ukrainian electricity distribution infiltrated (again)
• June 2017 (Busy Month!): WannaCry, Industroyer, NotPetya and cyber warfare on Ukraine
• Sept 2017: Dragonfly 2.0 (USA, Europe & Turkey)
3 IBM Security
The sophistication of attacks on the energy sector challenges today’s practices
• Attack macros far more complex and coordinated
  - 30% of code used to create noise to confuse forensic analysis and hide sources
  - 69% contained obfuscation of techniques
  - 1% actual launcher payload
  - Several teams collaborating
• Malware unwrapping in several iterations in empty memory spaces, similar to putting together a puzzle
• Malware mimics legitimate hardware driver behavior
• Domain servers targeted first
• Detailed recon and analysis of infrastructure logging, history, tools, privileged user behavior and activities
• Rapid use of mimicry and camouflage through valid credentials and the victims' common service software tools to mask activities
• External threats can now be indistinguishable from internal threats
11/21/2017
4 IBM Security
If traditional IT security practices are unsustainable, where does that leave ICS (Industrial Control Systems)?
• 1.5 MILLION unfilled security positions by 2020
• 68 PERCENT of CEOs are reluctant to share incident information externally
• 85 security tools from 45 vendors
5 IBM Security
How do I get started when all I see is chaos?
• Network visibility and segmentation
• IP reputation
• Indicators of compromise
• Firewalls
• Network forensics and threat management
• Virtual patching
• Sandboxing
• Malware protection
• Data access control
• Data monitoring
• Application security management
• Application scanning
• Access management
• Entitlements and roles
• Identity management
• Transaction protection
• Device management
• Content security
• Workload protection
• Cloud access security broker
• Vulnerability management
• Privileged identity management
• Incident response
• Criminal detection
• Fraud protection
• Endpoint patching and management
• Cognitive security
• User behavior analysis
• Threat and anomaly detection
• Threat hunting and investigation
• Threat sharing
• Endpoint detection and response
6 IBM Security
Beyond PIM for insider threats, establish a security immune system
• Criminal detection
• Fraud protection
• Workload protection
• Cloud access security broker
• Access management
• Entitlements and roles
• Privileged identity management (PIM)
• Identity management
• Data access control
• Application security management
• Application scanning
• Data monitoring
• Device management
• Transaction protection
• Content security
• Malware protection
• Endpoint detection and response
• Endpoint patching and management
• Virtual patching
• Firewalls
• Network forensics and threat management
• Sandboxing
• Network visibility and segmentation
• Indicators of compromise
• IP reputation
• Threat sharing
• Vulnerability management
• Incident response
• User behavior analysis
• Threat hunting and investigation
• Cognitive security
• Threat and anomaly detection
7 IBM Security
E&U Approach – Until we can protect ICS, invest in detect & respond
• SECURITY ANALYTICS: Log, SIEM, Vulnerability, Cloud, UBA, DNS, EDR
• THREAT HUNTING: Search, Link Analysis, Visualizations
• THREAT INTELLIGENCE: Sharing, Open Interfaces, Malware Analysis
• INCIDENT RESPONSE: Orchestration, Collaboration, Workflow
• Cognitive Security
• Patch, Query, Remediate
What do clients want?
• End-to-end protection against advanced threats despite resource and skills gaps
• Ability to prevent, analyze, hunt, and respond across the enterprise and beyond
• Orchestrated people, processes and technology that work together in unison
Delivering on client needs by:
• Differentiating with cognitive security
• Delivering integrated detection and response
• Leading with new security orchestration
• Enhancing intelligence with malware analysis
• Expanding our ecosystem and open platforms
• Breaking ground with new threat services
8 IBM Security
Security from gateway to sensor coverage (Eric Knapp, Syngress, 2012)
Layers: IT, OT, ICS data collection, SIEM; network based and host based
Solutions:
- SCADA level operation data analysis
- Industrial honeypot
- Deep asset/vulnerability mgmt. & machine learning
- Firewall-RAS-encryption & authentication to PLC
- Deep operational & security data
- Asset discovery + configuration mgmt.
Future:
- PLC level protection
- Smart sensor monitoring
- Trusted remote industrial component
New:
- IBM: QNI
- Industrial IoT
9 IBM Security
Trending SOC analysts gain speed from user behavior analytics
10 IBM Security
Comprehensive data sets and open analytics to sense malicious users
E&U Threat Profile: pull OT UBA to detect internal and external threats mimicking privileged engineers
Machine learning on user patterns against risk score and peer groups
11 IBM Security
IBM QRadar UBA: Machine Learning algorithms
Detecting change in activity vs. frequency and deviation from peer groups
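The two signals named on this slide, a change in a user's own activity (new kinds of actions, a jump in frequency) and deviation from the user's peer group, can be illustrated with a small detector over a constructed event stream. This is an added example, not IBM QRadar UBA code; the event format, peer-group labels, z-score thresholds and the variance floor are assumptions.

```python
"""Peer-group and self-baseline deviation check for per-user activity counts.

Added illustration of the UBA idea on this slide, not IBM QRadar UBA code.
Assumed event format: (day, user, peer_group, action).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: four quiet days for everyone, then on day 5 user eng_c
# suddenly issues 40 HMI writes, an action never seen from that user before.
EVENTS = (
    [(d, "eng_a", "plant_eng", "hmi_read") for d in range(1, 6) for _ in range(5)]
    + [(d, "eng_b", "plant_eng", "hmi_read") for d in range(1, 6) for _ in range(4)]
    + [(d, "eng_c", "plant_eng", "hmi_read") for d in range(1, 5) for _ in range(5)]
    + [(5, "eng_c", "plant_eng", "hmi_write") for _ in range(40)]
    + [(d, "ops_x", "operators", "hmi_read") for d in range(1, 6) for _ in range(20)]
)


def by_user(events):
    """Index events: counts[user][day], actions[user][day] (set), groups[user]."""
    counts = defaultdict(lambda: defaultdict(int))
    actions = defaultdict(lambda: defaultdict(set))
    groups = {}
    for day, user, group, action in events:
        counts[user][day] += 1
        actions[user][day].add(action)
        groups[user] = group
    return counts, actions, groups


def zscore(value, samples, sd_floor=1.0):
    """z-score of value against samples. A floor on the standard deviation
    (assumed: one event) stops perfectly regular baselines from turning any
    small change into a huge score; with no history the score is 0."""
    if not samples:
        return 0.0
    sd = max(pstdev(samples), sd_floor)
    return (value - mean(samples)) / sd


def score_day(events, day, z_threshold=3.0):
    """Score every user's activity on `day` against their own earlier days
    (frequency change), their peer group's earlier days (peer deviation) and
    the set of actions they have used before (change in activity).
    Returns {user: {"self_z", "peer_z", "new_actions", "flag"}}."""
    counts, actions, groups = by_user(events)
    # Peer baseline: every peer's daily count from the days before `day`.
    peer_hist = defaultdict(list)
    for user, per_day in counts.items():
        for d, c in per_day.items():
            if d < day:
                peer_hist[groups[user]].append(c)
    report = {}
    for user, per_day in counts.items():
        today = per_day.get(day, 0)
        own = [c for d, c in per_day.items() if d < day]
        seen_before = set().union(*(s for d, s in actions[user].items() if d < day))
        new_actions = sorted(actions[user].get(day, set()) - seen_before)
        self_z = round(zscore(today, own), 2)
        peer_z = round(zscore(today, peer_hist[groups[user]]), 2)
        report[user] = {
            "self_z": self_z,
            "peer_z": peer_z,
            "new_actions": new_actions,
            "flag": self_z >= z_threshold or peer_z >= z_threshold or bool(new_actions),
        }
    return report


if __name__ == "__main__":
    for user, r in score_day(EVENTS, 5).items():
        print(user, r)
```

Only eng_c is flagged on day 5: a self z-score of 35, a peer z-score above 30, and a new action type, while the busy but consistent operator ops_x stays unflagged because it is compared against its own peer group rather than the engineers.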
12 IBM Security
IBM - here to deploy and manage optimized E&U security programs
IBM Security Transformation Services
• Security Strategy, Risk and Compliance: automate governance, risk and compliance programs
• Security Intelligence and Operations: build security operations and security fusion centers
• X-Force Incident Response and Intelligence: establish proactive incident response programs
• X-Force Red Offensive Security: take a programmatic approach to security testing
• Identity and Access Management: modernize identity and access management for the cloud and mobile era
• Data and Application Security: deploy robust critical data protection programs
• Infrastructure and Endpoint Security: redefine infrastructure and endpoint solutions with secure software-defined networks
SECURITY TRANSFORMATION SERVICES (Systems Integration, Management Consulting, Managed Security); stakeholders: CEO, CIO, CISO, CRO, CCO, CLO
FOLLOW US ON: ibm.com/security, securityintelligence.com, xforce.ibmcloud.com, @ibmsecurity, youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
THANK YOU

Editor's Notes

  • #3: Sophisticated attacks on the energy and utilities industry are increasingly making news. Those shown on this slide are just a sampling of recent threats and breaches:
    - April 2016: Malware was discovered on a fuel assembly loading system at the Bavaria-based Gundremmingen nuclear power plant. Cyber criminals delivered ransomware via phishing to the corporate network of Board of Water & Light (BWL), a Michigan-based public electric and water utility. Administrators shut down the corporate network to isolate the ransomware and prevent it from potentially moving into the company’s operational technology (OT) environment.
    - March 2016: Hackers infiltrated a water company’s SCADA control system and changed the levels of chemicals being used to treat tap water to make it safe to drink. They manipulated the programmable logic controllers (PLCs) regulating the valves and ducts that controlled the flow of water and chemicals.
    - January 2016: An unknown threat actor delivered ransomware via email to the Israeli Electricity Authority, Israel’s electricity regulatory agency. Infected machines were taken off the corporate network for several days to prevent lateral movement, including into the OT environment.
    - December 2015: Investigators disclosed that an Iranian hacker established remote access to a SCADA system controlling the Bowman Dam in New York. The attacker gained access via the system’s cellular modem and gathered information on water levels, temperature and the status of the sluice gate. Security researchers disclosed a campaign in which alleged Iranian threat actors gained access to networks operated by a US natural gas and geothermal electricity company. The actors stole engineering drawings of the company’s networks, including details on devices used to manage the company’s gas turbines, boilers and other critical equipment. The breach was part of a campaign beginning as early as August 2013. An allegedly Russia-backed group establishes remote access to SCADA systems of three electricity distributors in Ukraine after procuring valid network credentials via spearphishing. The threat actors use access to systematically open breakers, causing blackouts for 225,000 customers.
    - June 2015: A cyber criminal advertised the sale of SCADA access credentials on a Dark Web forum dedicated to selling stolen data. The post included a screenshot of the SCADA system’s graphical user interface, IP addresses, and virtual network computing passwords. The system managed a hydroelectric generator.
  • #13:
    - Security Strategy, Risk and Compliance: Automate governance, risk and compliance programs. Better manage risks and drive transformative security programs.
    - Security Intelligence and Operations: Build security operations and security fusion centers. Build gold-standard security operations for clients, infused with security intelligence and running at optimal performance.
    - Cyber Security Assessment and Response: Establish robust security testing and incident management programs. Apply threat intelligence to the entire security lifecycle: remediate vulnerabilities, respond to breaches and incidents.
    - Identity and Access Management: Modernize identity and access management for the cloud and mobile era. Provide the right access to the right information at the right time.
    - Data and Application Security: Deploy robust critical data protection programs. Protect “Crown Jewel” data against threats, across all platforms.
    - Infrastructure and Endpoint Security: Redefine infrastructure and endpoint solutions with secure software-defined networks. Solidify network, infrastructure and endpoint security across the enterprise, including Cloud, Mobile, IoT.