Security Intelligence for Energy Control Systems

Chris Poulin, Q1 Labs, CSO
David Swift, Accuvant, Solutions Architect

Twitter: #Q1energy
Agenda

- Introductions and Housekeeping
- When Refrigerators Attack
- Smart Grid – Vulnerabilities and Security Concerns
- Energy Sector Zero Days and Logs
- Compliance – Best Practices
- Q&A
When Refrigerators Attack

A man is stuck in traffic on his way to work.
He takes his eyes off the road to glance at his phone.
Did I leave the fridge open?
The man taps an app on his smart phone labeled “Home Automation”.
Man rolls his eyes and grins at his own obsessive concern.
Level Setting: What is the Power Grid?
Smart Grid Goals
Smart Grid Goals
Smart Grid Goals
Smart Grid
Smart Grid
Smart Grid
Smart Grid Benefits—Utility Side
Smart Grid Benefits—Utility Side
Extending the Grid—Into Every Home
Smart Grid Benefits—Consumer Control
Smart Grid Attacks / Vulnerabilities
Smart Grid Attacks / Vulnerabilities
Notable CIP Security Incidents
Notable CIP Security Incidents: Stuxnet
Notable CIP Security Incidents
Notable CIP Security Incidents
Smart Grid Attacks / Vulnerabilities
Smart Meter Event Monitoring
Smart Meter Event Monitoring
Increased Risk @ Energy Companies
CIA? No, AIC
Side Channel Security Information
3rd Party Power Monitoring
Physical Security Information
Takeaways
SIEM Services – Energy & Utilities

David Swift, Solutions Architect, Accuvant
Energy Sector Top Concerns

- APTs – Advanced Persistent Threats
  - Morphing code, DNS fast flux changing Command and Control channels, Google searches for new C&C hosts
  - May be state or terrorist sponsored; lots of money and resources behind some of these attacks
- Compliance – NERC/FERC/NRC/SOX/PCI
  - Log, review, report and DOCUMENT
How do you find Zero Days and APTs?

Add Context to Events
- Use the network hierarchy and remote networks to overlay quick source-network and destination-network NAMES, not just IP addresses.
- Use GEO IP information for quick wins and situational awareness.
- Use Reference Lists to check for known attackers, known terminated employees, contractors logging in after hours…
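The enrichment step the slide describes, written out as an added example (this is not code from the deck, Q1 Labs or Accuvant): each raw event gets a network-hierarchy NAME for its source and destination, a remote-network tag, and reference-list hits for terminated employees and contractors logging in after hours. The network ranges, list contents, business-hours window and sample events are all constructed; GeoIP is left out because it needs an external database.

```python
"""Add context to raw events before a correlation rule ever sees them.

Added example (not from the original deck). Networks, reference lists and
sample events below are constructed for illustration.
"""
import ipaddress
from datetime import datetime

# Constructed network hierarchy: local ranges get a NAME so an analyst reads
# "VPN-Pool -> SCADA-DMZ" rather than two bare addresses.
NETWORK_HIERARCHY = {
    "SCADA-DMZ": ipaddress.ip_network("10.10.0.0/16"),
    "Corp-Users": ipaddress.ip_network("10.20.0.0/16"),
    "VPN-Pool": ipaddress.ip_network("10.99.0.0/24"),
}

# Constructed remote networks: an address in these ranges is a known attacker
# no matter which rule later fires on the event.
REMOTE_NETWORKS = {
    "Known-Attackers": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed reference lists (usernames); in a SIEM these are fed from HR
# and contractor-onboarding systems.
REFERENCE_LISTS = {
    "terminated_employees": {"jdoe"},
    "contractors": {"acme_svc"},
}

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 local time


def network_name(ip_str, hierarchy=NETWORK_HIERARCHY, remotes=REMOTE_NETWORKS):
    """Return (name, is_known_attacker); local hierarchy wins over remote networks."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in hierarchy.items():
        if ip in net:
            return name, False
    for name, nets in remotes.items():
        if any(ip in net for net in nets):
            return name, name == "Known-Attackers"
    return "External", False


def enrich(event, ref_lists=REFERENCE_LISTS):
    """Overlay names and reference-list flags on one event dict."""
    src_name, src_bad = network_name(event["src"])
    dst_name, dst_bad = network_name(event["dst"])
    ts = datetime.fromisoformat(event["ts"])
    user = event.get("user")
    flags = []
    if src_bad or dst_bad:
        flags.append("known_attacker")
    if user in ref_lists["terminated_employees"]:
        flags.append("terminated_employee")
    if user in ref_lists["contractors"] and ts.hour not in BUSINESS_HOURS:
        flags.append("contractor_after_hours")
    return {**event, "src_net": src_name, "dst_net": dst_name, "flags": flags}


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    {"ts": "2012-03-05T02:14:00", "src": "10.99.0.7", "dst": "10.10.4.2",
     "user": "acme_svc", "action": "login"},
    {"ts": "2012-03-05T10:02:00", "src": "10.20.5.9", "dst": "198.51.100.20",
     "user": None, "action": "connect"},
    {"ts": "2012-03-05T10:05:00", "src": "10.99.0.8", "dst": "10.20.1.1",
     "user": "jdoe", "action": "login"},
]


def enrich_all(events=SAMPLE_EVENTS):
    return [enrich(e) for e in events]


if __name__ == "__main__":
    for e in enrich_all():
        print(f'{e["ts"]} {e["src_net"]:>10} -> {e["dst_net"]:<15} {e["flags"]}')
```

The point of doing this before correlation is that every later rule can key on `src_net`, `dst_net` and `flags` instead of re-deriving them: a plain login from the VPN pool into the SCADA DMZ at 02:14 by a contractor reads as an incident on its own, whereas the raw IP pair does not.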
Review Logs

Analyze Volume and Variety
- Firewall
  - Even when signatures don’t trigger, firewalls (when configured to log accepts) provide a record.
  - Attacks are sloppy, not a single event: look for the spray of bullets. The offending source IP scans the network or target first, generating lots of drops.
- IDS/IPS
  - Log everything
  - Filter and eliminate in the SIEM by comparing against Vulnerability Scan/Asset data and Known Attacker/Remote Networks
Review Logs

- Look for patterns
  - Instant messaging logon (IDS event)
  - IM download (IDS event)
  - Anti-Virus/HIPS/FIC event – EVIL FILE
    - Now we know the source.
    - Fuzz the logic
      - Look for anyone else talking to the same source /24 CIDR
      - Look for the same file name to have been modified on another host
- Any traffic to/from a Known Attacker (remote network or reference list)
  - Outbound traffic may indicate an already infected system calling home
  - Any such traffic that is allowed should open an offense
Review Logs

- Everything counts in large amounts
  - Single firewall drop – who cares?
  - 100 firewall drops in 1 minute – Why?
    - Misconfigurations – noise, chaff that has to be culled
    - Reconnaissance – phase one of the attack
  - One IDS event – IM Login – Who cares?
    - IM Login + File Transfer + Buffer Overflow Attempt – I CARE!
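The three "Review Logs" slides above describe volume counting, chained patterns and the "fuzz the logic" pivot. The following is an added example (not code from the deck or either vendor) that runs those checks over constructed syslog-style `key=value` firewall and IDS lines: a sliding-window count of drops per source, a per-host check for the IM login → file transfer → buffer overflow chain, and a pivot that lists every internal host that talked to the same /24 as a confirmed evil source. The 100-drops-per-minute threshold and the three-step chain are the slide's own examples; the signature names, addresses, log format and the assumption that 10.0.0.0/8 is the internal range are mine.

```python
"""Volume, chained patterns and the /24 pivot over constructed log lines.
Added example, not from the original deck; formats and addresses assumed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSLOG = re.compile(r"(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)")
KV = re.compile(r"(\w+)=(\S+)")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: the utility's address space


def parse(line, year=2012):
    """'Mar  5 10:00:01 fw1 k=v k=v ...' -> dict with a datetime, or None."""
    m = SYSLOG.match(line)
    if not m:
        return None
    mon, day, clock, host, rest = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": host, **dict(KV.findall(rest))}


def local_host(e):
    """The internal endpoint of an event, whichever direction the sensor logged."""
    return e["src"] if ipaddress.ip_address(e["src"]) in INTERNAL else e["dst"]


def drop_bursts(events, threshold=100, window=timedelta(minutes=1)):
    """Sources whose drops reach `threshold` inside any sliding `window`."""
    times = defaultdict(list)
    for e in events:
        if e.get("action") == "drop":
            times[e["src"]].append(e["ts"])
    hits = {}
    for src, ts_list in times.items():
        ts_list.sort()
        lo, best = 0, 0
        for hi, t in enumerate(ts_list):
            while t - ts_list[lo] > window:   # slide the left edge forward
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[src] = best
    return hits


def chained_ids(events, chain=("IM_LOGIN", "IM_FILE_XFER", "BUFFER_OVERFLOW_ATTEMPT"),
                window=timedelta(minutes=10)):
    """Internal hosts that produced every signature in `chain`, in order, within `window`."""
    by_host = defaultdict(list)
    for e in events:
        if "sig" in e:
            by_host[local_host(e)].append(e)
    completed = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        idx, start = 0, None
        for e in evs:
            if start is not None and e["ts"] - start > window:
                idx, start = 0, None          # chain went stale; start over
            if e["sig"] == chain[idx]:
                start = start or e["ts"]
                idx += 1
                if idx == len(chain):
                    completed.append(host)
                    break
    return sorted(completed)


def same_slash24(events, evil_ip):
    """Fuzz the logic: every source that talked to evil_ip's /24."""
    net = ipaddress.ip_network(f"{evil_ip}/24", strict=False)
    return sorted({e["src"] for e in events
                   if "dst" in e and ipaddress.ip_address(e["dst"]) in net})


# Constructed firewall lines: one source sprays 120 drops inside a minute
# (reconnaissance); a second source produces three scattered drops (noise).
FIREWALL_LINES = [
    f"Mar  5 10:00:{i // 2:02d} fw1 action=drop src=203.0.113.9 dst=10.10.0.15 dport={1000 + i}"
    for i in range(120)
] + [
    "Mar  5 09:12:40 fw1 action=drop src=203.0.113.77 dst=10.10.0.2 dport=23",
    "Mar  5 09:40:02 fw1 action=drop src=203.0.113.77 dst=10.10.0.2 dport=23",
    "Mar  5 10:31:55 fw1 action=drop src=203.0.113.77 dst=10.10.0.2 dport=23",
    "Mar  5 10:02:11 fw1 action=accept src=10.20.5.9 dst=198.51.100.20 dport=443",
    "Mar  5 10:07:45 fw1 action=accept src=10.20.7.3 dst=198.51.100.41 dport=8080",
    "Mar  5 10:09:03 fw1 action=accept src=10.20.9.1 dst=192.0.2.10 dport=80",
]

# Constructed IDS lines: only 10.20.5.9 completes login -> transfer -> overflow.
IDS_LINES = [
    "Mar  5 10:03:10 ids1 sig=IM_LOGIN src=10.20.5.9 dst=198.51.100.20",
    "Mar  5 10:04:00 ids1 sig=IM_FILE_XFER src=10.20.5.9 dst=198.51.100.20",
    "Mar  5 10:06:30 ids1 sig=BUFFER_OVERFLOW_ATTEMPT src=198.51.100.20 dst=10.20.5.9",
    "Mar  5 10:05:00 ids1 sig=IM_LOGIN src=10.20.7.3 dst=198.51.100.41",
    "Mar  5 10:08:12 ids1 sig=BUFFER_OVERFLOW_ATTEMPT src=192.0.2.10 dst=10.20.9.1",
]

if __name__ == "__main__":
    fw = [parse(l) for l in FIREWALL_LINES]
    ids = [parse(l) for l in IDS_LINES]
    print("drop bursts:", drop_bursts(fw))
    print("chained IDS:", chained_ids(ids))
    print("same /24 as 198.51.100.20:", same_slash24(fw + ids, "198.51.100.20"))
```

Note how the chain is keyed on the internal host rather than on the raw `src` field: the login and transfer are logged outbound, the overflow attempt inbound, so keying on `src` alone would never join the three. The pivot then turns one confirmed evil file into a short list of other hosts worth checking for the same file name.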
Improve Defenses Iteratively

- Review Events by Signature
  - Count of HOW MANY this month by signature
  - And how many unique hosts triggered the sig
    - 10 from one host – hmm, block it, won’t break anything, might help, and check the host
    - 1,000,000 – disable logging, crappy signature
      - Unless – 1 million from < 10 hosts
    - 0 events for a given signature – block it, won’t hurt
  - Repeat the process each month for each device
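The monthly signature review above, as an added example (not the deck's or either vendor's code): it takes a per-signature, per-host roll-up such as a SIEM report would produce, computes the total and the number of unique hosts, and applies the slide's rules. The 1,000,000 / fewer-than-10-hosts rule and the zero-event rule come from the slide; the "single host" rule generalizes the slide's "10 from one host" case to any low volume from one host, and the signature names and counts are constructed.

```python
"""Monthly signature review: total, unique hosts, then a tuning decision.
Added example, not from the original deck; roll-up data is constructed."""
from collections import Counter

NOISE_TOTAL = 1_000_000   # slide: a million hits means a crappy signature...
FEW_HOSTS = 10            # ...unless they come from fewer than 10 hosts


def review_signature(total, unique_hosts):
    """Return (action, reason) for one signature's monthly numbers."""
    if total == 0:
        return "block", "never fired this month; blocking won't hurt"
    if total >= NOISE_TOTAL and unique_hosts >= FEW_HOSTS:
        return "disable_logging", "floods from many hosts: poor signature"
    if total >= NOISE_TOTAL:
        return "investigate", f"{total} events from only {unique_hosts} hosts"
    if unique_hosts == 1:
        return "block_and_check_host", "low volume from a single host"
    return "keep", "moderate volume across several hosts; revisit next month"


def monthly_review(rollup, enabled_signatures):
    """rollup: {sig: {host: count}}; enabled_signatures: every sig the device can fire.

    Iterating over the enabled list (not the roll-up keys) is what surfaces the
    zero-event signatures the slide says to block.
    """
    report = {}
    for sig in enabled_signatures:
        per_host = Counter(rollup.get(sig, {}))
        total = sum(per_host.values())
        action, reason = review_signature(total, len(per_host))
        report[sig] = {"total": total, "hosts": len(per_host),
                       "action": action, "reason": reason}
    return report


# Constructed one-month roll-up (not real data): events per signature per host.
ROLLUP = {
    "SIG_IM_LOGIN": {"10.20.5.9": 10},
    "SIG_HTTP_LONG_URI": {f"10.20.{i}.1": 20_000 for i in range(50)},  # 1,000,000 over 50 hosts
    "SIG_MODBUS_WRITE_COIL": {"10.10.4.2": 600_000, "10.10.4.3": 300_000,
                              "10.10.4.4": 100_000},                   # 1,000,000 over 3 hosts
}
ENABLED = ["SIG_IM_LOGIN", "SIG_HTTP_LONG_URI", "SIG_MODBUS_WRITE_COIL", "SIG_TELNET_BANNER"]

if __name__ == "__main__":
    for sig, row in monthly_review(ROLLUP, ENABLED).items():
        print(f'{sig:<24} {row["total"]:>9} events {row["hosts"]:>3} hosts -> {row["action"]}: {row["reason"]}')
```

Run this once a month per device, as the slide says, and keep the output: the report doubles as the audit trail of why a signature was blocked or its logging disabled.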
Compliance Strategy

A successful log management strategy involves a logging tool, documentation, processes, and procedures.

Key Steps:
- Define your Scope
  - Document which devices are in scope for each compliance regulation
- Define your Events of Interest (EOI) – and create appropriate reports and alerts to monitor for them
- Define an Incident Handling Policy (IH) and process to follow for each EOI
- Define Standard Operating Procedures (SOPs) with Service Level Agreements (SLAs) for each EOI and follow-up IH process
- Create and maintain an audit trail showing both EOIs and IH responses, tracking the mean time to detect (MTD) and mean time to remediate (MTR)
- Define the Record of Authority (RoA) for each device in scope for an audit
  - Document IPs in scope and where the authoritative log source is for each.
  - Document the retention period and the auto-destroy policy followed.
Thank You!

Editor's Notes

  • #49: Defenses are never complete, and must be continuously tuned.
  • #50: By providing unambiguous, prepared and documented sources, events of interest, and incident handling policies to auditors, followed by spot checks to confirm that an event was both logged and remediated in accordance with standard operating procedures within the defined service level agreement, audits can be made quite quick and painless.