
So, before I get into it, just a quick one regarding LogRhythm and Exabeam, because I've had a few questions today about what's happening. The merger officially went through two days ago, so as of two days ago there is no longer any such thing as LogRhythm. I shouldn't really be wearing this t-shirt; all the swag we got rid of today was either going to go or go in the bin. We're now officially Exabeam, so if you're going to take away one thing from this presentation, take away Exabeam please. I bet we'll still be saying LR. I'm going to try not to say LogRhythm. I'll talk about how we approach OT from a vendor side, and I'm going to try and stay away from LogRhythm, so if I say LogRhythm, someone flag me up.

Thanks everyone for attending. We're going to talk about OT today. All right, I'm already out of date; that's why I literally went through these slides about five minutes ago and made sure I replaced every LogRhythm with Exabeam. I have not got an Exabeam email address yet, so that's why my LinkedIn says Exabeam. We're going to talk about OT, and we're going to go through some of my experiences. So why have I used the words "cyber war"? How does this relate to cyber warfare? Around about 10 years ago I was working for the government; I was working for BAE Systems, we did some outsourced work for them, and that was military cyber. We focused on OT environments. Just as an FYI, this talk is going to be fairly high level, mainly because I haven't been in the weeds for probably about 8 years now, I'll be honest, and I've got to be very careful what I disclose when we talk about some of the examples I've worked with within the military area of cyber or OT. So, just FYI.

My name is Ben, as you've already seen. I'm a Solutions Engineer, I work for Exabeam; I've been at Exabeam now for two days. It gets even more complex, because I was at Exabeam, then I left and joined LogRhythm, and then they merged, so technically I've been at Exabeam four and a half years, exactly that, so that might be the rumour. Just a big shout out, if they are watching or they watch the pre-recorded stuff, to Ramy and Ared. They gave me some of the OT examples you'll see in the slide deck today; they've been a big help. Those guys are the true engineers as such; they get into the weeds, providing me with the content I'll talk about.

I've been in the cyber space in general for coming up to 20 years. I started off as a script kiddie from about 14 years old. The way I got into cyber security was I was developing a PHP game; I was into my text-based games at the time. I was developing one, I released one, someone came along and dropped my database, completely flushed it. I was like, what the hell is going on? They said, you've been SQL injected. From that moment I learned security; I learned how to sanitise that user input, and from that day, almost 20 years ago, I've never looked back. That's all I've done.

Agenda: we're going to try and cover quite a lot. I'll speak fairly fast, but there's quite a bit of content to cover. I'll go through some of my experiences, we'll go over an overview of OT, we'll go over the threat landscape, best practices, the Exabeam approach, I will share with you some real-world examples which I've seen and the principal engineers have shared with me, and then we'll do a bit of Q&A if we've got time and there are any questions.

Going back to what I mentioned just now, this is where I first learned of this part of the environment, the start of ICS, and this is what opened it up for me. Before this, like many others, if you're in the cyber security space or in the IT space in general, you don't really know it exists until you start hearing these stories, right? I remember back then no one really worked in OT. There were no OT-specific vendors; the likes of Claroty, Armis and the rest didn't exist. No one was targeting these very niche systems. So in this military division we started to, again, I'm careful what I disclose, we started looking at vulnerabilities within areas people would least expect. This is what got me into it. I was looking at vulnerability investigations on a major defence platform, using a lot of Metasploit, Wireshark, trying to work out what goes over the wire: can I manipulate anything to change a zero to a one? This led me into network traffic manipulation to mislead those ICS platforms, so misleading an operator. The best example I like to give is, yeah, I'm not going to give anything too specific: if you have a radar-based system in front of you and you see a friendly entity on there, you change a zero to a one and suddenly that friendly is appearing as an enemy. The consequences of that are potentially what comes down to World War I. This is the area I was working in; I hold a lot of it close to my heart, very interesting stuff. I used a lot of Bettercap, Scapy to do that when you got more into the weeds.

I left the military cyber space, I then joined network visibility, so again this relates to OT. I was working with a lot of RSA NetWitness, working for Forescout; I worked on many different OT environments. These were not military based, more general production lines, manufacturing etc., and just looking at the traffic going across, seeing if there's anything outside of the norm, and giving us that visibility into that. Since 2020, so I mentioned I've worked for Exabeam and LogRhythm, now just Exabeam, I joined the SIEM and UEBA space. I'll be honest, I haven't done too many OT projects since 2020. I've done a lot more of the cloud side of things, cloud-based SIEMs. Typically when we talk of OT environments, OT SIEMs, these usually exist on premise, right? If you want to do network capture etc., coming off a SPAN or a tap, you're on premise. I have done some stuff at Exabeam, even then that was LogRhythm, with the on-premise stuff; I've done a little bit, so I'll share some of that as well. That is my experience in a nutshell, the last 10 years on OT.

So I know this is a technical audience, and probably most of you are aware what OT is; you've probably worked with it, might work with technology to help protect it etc., but I'd like to just give a quick overview into what OT is and some of the acronyms I'm using in this presentation, just to give an overview for everyone who's not aware of it. I'm not going to read all of these off the list; I'm just going to leave them up there for literally 30 seconds, if that, just in case there is an acronym I refer to and you're kind of lost. The most important one here is the OT/ICS/SCADA diagram, just how that sits together, so you can see the master circle there, such as OT, ICS exists within it, and SCADA. So those are terms we use quite often.
So this is probably the most technical slide in the whole slide deck. This is the architecture. I put this on there from a very high level just to call out how environments are segregated. The biggest issue I see in an OT environment is that segregation between what we call the manufacturing zone, or let's call it the OT zone for now, and then we've got the enterprise or the IT zone. In the middle here you've got the DMZ, you've got the firewalls in there, you've got them controlling the traffic: who's speaking to what, how is it being controlled, is lateral movement allowed, is it zero trust etc. There are going to be many different architectural deployments here, but from a very high level this is how we cover it. So within this, this is where the OT devices sit, here is where we segregate, and here is our enterprise or IT zone. I'll refer to this more as the slides go on, but I just want to give everyone an overview of what a typical OT/IT architecture looks like.

So the threat landscape: what does the threat landscape look like? I'm happy to be challenged on some of these; these are the challenges I flagged up. I've spoken to the wider team within my teams and tried to work out what the biggest challenges are, so these are the five challenges I believe to be the biggest within the OT space.

Number one, as you probably guessed, legacy systems. Of course some of these apply to cyber security as a whole. Legacy systems makes me think of WannaCry within the NHS, obviously a big problem with an OT environment. Some of these OT environments are very, very old, right? They've not been maintained, you've got engineers working on them with limited IT backgrounds, usually they don't even have a cyber security team or a security team, or maybe not even an IT team. Back when I was working with it, it definitely did not; it might have changed a bit over the last few years as OT security has grown massively. One of the biggest ones for me, legacy systems: if something's not patched, it's out of date, and we all know in here how easy that is to exploit.

Interconnected environments, this is what I talked about just on the previous slide, the architecture: you had the IT segment, you had the manufacturing segment, so here it's making sure that if they are to talk to each other, they're talking to each other in either a zero trust approach or in a way which can be secured. Back when I was doing this, everything was air gapped. I'm pretty sure that's not the case right now; I think they've started to allow more OT environments to speak to the IT environment, mainly for maybe cost efficiency, ensuring that manufacturing is continuing, that sort of thing. I may be wrong, it might not be used as much as I'm thinking right now, but it's trying to work out what that best architecture looks like; that's probably one of the biggest challenges, right? What's best: is it air gaps, is it zero trust networks, but being able to speak across in a DMZ? I guess I'll open it up to the room: is anyone seeing these types of things? What's the common scenario here right now? Because I personally do not know. Is there anything?

[audience response]

Okay, yeah.
Nice, yeah, okay, yeah. So it sounds like it's come a bit more converged since I worked with it, even though you're trying to segregate it, yeah, I imagine.

Lack of security awareness. So I think this one's a big one in cyber in general; if this were just on cyber security in general, I think lack of security awareness is number one, but this comes down to the operators not being aware. The big thing I like to think of is Stuxnet: when we talk about how did Stuxnet get into Iran and spread across those nuclear power plants etc., I believe it was someone plugging in a USB stick without knowing about it, right? Very basic stuff, exploiting that lack of security awareness. I know it's used everywhere, but when you do it in an OT, a manufacturing, a nuclear power plant, whatever it may be, environment, the consequences are even more devastating.

Supply chain vulnerabilities and management. This is coming up more and more; I see this as a bit of a trend in cyber security. To be fair I don't know too much about this, but I hear more about it: ensuring that new technology coming into the OT environment is being vetted, personnel coming in are being vetted, ensuring you're doing that due diligence, ensuring people are cleared to the right levels etc., keeping everything up to date. It's very hard, from what I understand and believe, to manage everything outside of your remit as well, and that's why I'll put this as number four.

And challenge number five, and this is what we'll speak about in how Exabeam covers this, is limited visibility and monitoring: being able to see that network traffic go across these OT environments, being able to capture it. You can't always capture log data, because it's an environment where you've got legacy systems. How do you monitor and see stuff going across the wire? This is where we start to utilise network analytics, network monitoring tools etc., so we'll talk a little bit about that as well.

So just a recap, and this is where the security gaps lead to the challenges. This one I actually called out in the previous challenges, but I hold this one quite close to my heart. I used to work for a vendor called Forescout, and they used to work closely on asset inventory; they used to hook into the switches, look at the ARP tables, pull them back down and actually show you every single device on your environment. I know you can do it from a SIEM perspective, you can probably do it from network analytics with us as well, but the easiest way I ever saw of doing that is with Forescout, and I used to plug this into a lot of OT environments and get a nice list of everything on your environment. If you've got that nice list, I can't turn around and say it's always 100% there, maybe there's stuff missing, right? It's a difficult task in itself, but if you've got a nice list you know where to start, you know what exists on your environment, you know what's in your OT environment, you can do hygiene checks against it etc.

No configuration tracking. So you might be updating these devices, you might be pushing updates etc., but actually you don't know when the last update was done before that; do you need to roll it back etc. I see this quite often within PLC and OT environments.

Undocumented protocols, similar to the one I just called out: you might have technology in there which is so ancient you don't have the personnel that know how to use it, and it might just simply not have the documentation. You've got a bit of kit in there, it can produce a car manufacturing line or whatever, but you've got no idea how it actually works: can it produce this log, what sort of network traffic does it present or generate? It's a difficult task. Outdated equipment pulls back into that, so I'm not going to speak about it much more. No visibility into networks, I mentioned this earlier on, challenge number five: how do we actually get visibility into OT environments when they're very legacy? You might not have the ability to capture logs, you know, have the ability to look at that network traffic etc. IT/OT convergence, something we just talked about on the first architectural slides: getting that perfect architecture is a very difficult task.

So security best practices, what do we do within it? These are what I believe to be the best security practices. Asset inventories, I just spoke very fondly about this, I won't go over it anymore. Data collection, so ensuring that you're collecting all the relevant data that helps obviously populate an asset inventory, that we're seeing all the connected assets in our environments etc. Contextualised data: so if you've got an inventory and we're collecting the data, we now have to contextualise it, so we want to know who's on that device, where does it exist, if it was to go down what would happen etc. That goes into process resiliency: how far can the device be pushed before it falls over, and if it does fall over, what are the consequences going to be?

So those are the challenges; these are the attacks and impacts. We'll go through a couple of these; I'll try and get some feedback from people in the room here. Unauthorised stop, so I've tried to put some little pictures up here: we've got a car manufacturing line, so this could be that we stop an assembly line from producing cars, and the impact I believe to be financial as well as reputational. You see these little icons here, I put different ones in there, I'll explain to you in a minute why. So that's unauthorised stop. The next one, and I was a bit torn on this one, so I'm going to open it up: unauthorised start. So for example if you open up a water dam's gates, and you can see right there, imagine opening it up when it's not supposed to be fully open; maybe there's a village nearby, there might be people working nearby etc. If someone manages to open those gates when they're not supposed to be, I put this little heart in there; you've obviously got the financial, reputational, and the heart I've put in there for loss of life. Does anyone, where I was torn was, can you think of any scenarios where unauthorised stop could also cause loss of life?

[audience: power in a hospital]

Wait, you just thought of that, and you thought of that before me? So I agree that heart should be in there. I'm glad you brought it up. Any others you can think of?

[audience: you can have a manufacturing robot which someone's working with, maybe there's a worker that's near it, or it stops at the wrong time and it catches someone's hand]

Yeah, yeah. Or maybe some sort of vehicle, ship or plane that you can turn off. I remember learning about one of the first OT hacks I remember reading about and seeing presented: it was a smart car, can't remember what smart car it was, might have been a Tesla, but they cut off all the brakes within a certain area, and it was very easy to do. So that as well.

[audience: stopping emergency communications]
Yeah, oh yeah, yeah, I know, yeah, yeah, yeah, anything, yeah, that's a good one. I've got some actual real examples on chlorine levels and stuff. Moving water, industrial fridges, the list goes on, right? And that's why I think there's probably more in that unauthorised stop than there is in the unauthorised start.

Yeah, yeah, there's tons as you think about it more, and this kind of shows you the real impact of OT, right, and this is why it's such a cool area to work in. When people ask me about cyber security, if they don't know about it, I like to bring up some of the OT stuff. Boilers, yeah, yeah. I think we could spend probably another half hour going through stuff.

Data compromise, so loss of IP, obviously very common in our industry; of course this can be affected in OT. Control compromise, so a bit similar to some of the examples we were bringing up just now; one example we like to give is overloading the breakers in a power plant. It's similar to a start, but this is actually getting full use of it: boosting the voltages or boosting the amount of power, water, whatever resource it may be, going into this machine and causing it to essentially overheat; anyone nearby is going to get injured. I'm not going to go through all of these.

These are more sample threats we've seen recently, me and some colleagues. Probably the most common one to pick up on is failed authentications, multiple hosts. You're probably going to see this quite a bit, it's going to be a common scenario in cyber in general, but we see it in OT a fair bit: failed authentication, multiple hosts, so people trying to log into operators' machines, workstations, whatever it may be, without any success. We like to pick that up, and if we see a chain of multiple failures within a certain area we can pick that up and alert the analyst. Metasploit payload drop, so this is something I used to work with; I did a lot of Metasploit with the government 10 years ago, so I'll leave that one in there; of course it's still being used on a fairly regular basis. Operator, so this one's interesting: operator not acknowledging a triggered alarm, high-high. So what I mean by that is an alarm's triggering and it should be telling you, you should see it on an HMI, and it should be saying to the operator, quick, do something, do something, all the alarm bells are going off. In this case someone's manipulated that traffic or changed something and the operator is not aware, so the system, the back end, thinks that this alarm is going off, but the operator's none the wiser, so they can't manually shut that down. It might be a manual shutdown; think back to the stop, the start, you've got control of that. You might have to manually cool down a nuclear power plant; they're not aware of that, they can't do it, it's just going to blow up. Unusual network scanning, slow scans: again, seeing if anyone's scanning across the OT environment, we can certainly detect that using network analytics. Unscheduled controller change from engineering workstations, so seeing something out of the normal: if you start to see someone go into their workstation at midnight, and they usually work a 9 to 5 shift, suddenly why is there an engineer changing something
on the controller here, when it shouldn't be? That might point us in a bad direction.

So this is where we get into some of the actual content, screenshots: how do we approach it at Exabeam? I'll try and keep it as vendor agnostic as possible; I'm not just going to try and sell Exabeam, I have slid some other vendors in there, but it's fairly high level. So how do Exabeam do it? We combine SIEM with network monitoring to give OT visibility. So we've got our products: we've got the on-prem SIEM, we've got the cloud SIEM and the UEBA, we've got the network monitoring, what we refer to as NetMon, and then we also integrate with third-party OT vendors. I'm not naive enough to sit here, or stand here, and say that Exabeam can solve any OT problem; that's not right. Anyone who's worked with OT security knows it's a mammoth of a task. It's come a long way since, and we do integrate with some of these, what we call specialists; we can start to pull in some of that context and bring it into our solution. So some of these: Claroty, Nozomi, I was talking with some of the Tenable people just now out in the vendor area, we can pull in data from that as well. As well as that, we also do something called OT modules. So this is what we call like a bolt-on: if you're using Exabeam SIEM we can deploy these additional bolt-on modules, which are specific content to help with threats and vulnerabilities we typically see in an OT environment. There are quite a few here; some of these are not all relevant. You see quite a few related to the US, Exabeam being a US company; there's quite a lot more on nuclear, energy there and so forth, but these are still required to obviously cover environments in the UK as well. There's a list here of all the modules, again someone might pull me up that it shouldn't say Exabeam LogRhythm, that will say Exabeam soon, but we can see all the modules you can bolt onto our SIEM technology to help with OT use cases.

So this is an example of an OT module. This is actually what it does; what are these modules, what are these bolt-ons that help the SIEM with OT security problems? So here is the list of the rules we use. Some of these, I might want to call that out, it's a bit vanilla: disabled account, so someone trying to use a disabled account to log in; lateral movement, again if you've messed up on the IT and OT convergence, someone might laterally move across the network and get data off; a temporary account being used. There are also some good ones; I'm struggling to see a little bit here. DoS, still seeing that a fair bit; accounts elevated by admin; SQL injection, I mentioned that as my first ever interaction with security. So there are quite a few different rules in there. These are the rules we're looking for specific to an OT environment; that's not going to be everything, right? I'll go back to the slide I mentioned: we will start to utilise intelligence we get from the OT specialists as well, but when we're using this we can still see that data, and I'll show you what that looks like in a minute. We can see the data and we start to run these rules to actually start to
help us detect some of these attacks in our environment.

So this is where we get into the actual examples, get a bit more hands-on. The first example I like to give is using our tool, network monitoring, or NetMon. So how do we do this? We deploy NetMon; it's put on the wire off a SPAN or tap port; it's an on-premise technology and we're basically just looking at all the network traffic going across the environment. It doesn't have to be OT specific, it could be IT, it could be both, but we have sort of seen this device, this technology, used in OT environments. Again, I'm not going to oversell it, I'm not going to big it up massively, but it's powerful. It does have DPI, it does that deep packet inspection; it's a bit like a Wireshark on steroids. It allows you to break down in dashboards here what protocols we are seeing; we can start to see specific protocols, if we want to create a widget to show that; we can start to see how that traffic, so I mentioned east-west traffic, north-south etc., what that traffic looks like, who it's speaking to. Is there any IP address... suddenly you've got a PLC in the middle of your OT environment and suddenly it's speaking to a server in China or wherever it may be. Those are the low-hanging fruit, but this sort of technology makes it very easy to detect that. Here is where we start to see some more specific stuff, so we can start to see what ports are being used. Again, in an OT environment, not always, but sometimes you should know what sort of ports they're talking across. There may be quite a few unique ports, because the systems are so legacy and undocumented you struggle to work out what ports they're talking to, so this is where we list all of those and start to go through what ports have been used, source and destination IPs, try and detect that east-west traffic, so see what apps are being used here. Apologies, it's a bit fuzzy: you've got Modbus in there, you've got other stuff in there as well, S7 and so forth. The specific stuff, it's a bit bigger on this slide, I'll skip to it: these are the specific NetMon examples we're looking for. So in NetMon I've seen these used in real-world scenarios: we've got Honeywell, we've got CIP, we've got MMS, we've got PROFINET, plus many more. There is a list in this documentation, we'll send this out afterwards, but you can see many more on the website; the list goes on: DNP3, Modbus, a common one, S7comm, we saw that in the dashboard view, but here we can help detect and look into that OT traffic going across the wire.

[audience: is NetMon something you would have running all the time, or is that something you do for analysis?]

So NetMon, I'll give you a bit more insight on that. NetMon, first point, NetMon's got a freeware version, so if anyone is interested in using it you can actually download it; it's not a paid product. There is a premium version which you can pay for, which integrates the logging into your SIEM, but it's a freeware piece of kit and it runs over time, so you stick it on an appliance, or you can virtualise it, and then you stick it onto, give it a SPAN port or tap, and you'll capture the traffic continuously.

[audience: you talked about the IT and OT environments being separate]

So this is where we start to feed, let's say, the network traffic. Let's say for the NetMon we're doing OT, we're getting the OT network traffic, we're getting the IT network traffic. What we can do with NetMon is we feed both those feeds into our centralised SIEM, and that's where we can consolidate and centralise. That's kind of the power; you wouldn't be able to do it just from one single tool using freeware like NetMon; you would have to utilise SIEM technology to do that.
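As an added illustration of the passive, DPI-style classification and the low-hanging-fruit checks just described (example code written for this page, not NetMon or any Exabeam/LogRhythm code): it classifies constructed flow records by OT protocol, validates Modbus/TCP frames by their MBAP header, and flags a plant device talking outside the plant ranges and a Modbus write from a host that is not an engineering workstation. The plant ranges, the workstation allow-list and the packets are all assumptions made up for the example.

```python
# Added example for this page (not NetMon or any Exabeam/LogRhythm code): a
# small passive monitor over constructed flow records, in the spirit of the
# NetMon dashboards described above. It classifies OT protocols by port and
# by validating the Modbus/TCP MBAP header, then flags two low-hanging cases
# from the talk: an OT device talking outside the plant ranges, and a Modbus
# write from a host that is not an engineering workstation.
import ipaddress
import struct
from collections import Counter

# Assumed plant address ranges and engineering-workstation allow-list.
PLANT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
ENGINEERING_WORKSTATIONS = {"10.10.1.5"}

# Well-known OT service ports (Modbus/TCP, S7comm over ISO-TSAP, DNP3, EtherNet/IP).
PORT_PROTOCOLS = {502: "modbus", 102: "s7comm", 20000: "dnp3", 44818: "enip"}

# Modbus function codes that change coil/register state on the PLC.
MODBUS_WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}


def parse_mbap(payload: bytes):
    """Parse a Modbus/TCP frame: 7-byte MBAP header followed by the PDU.

    Returns a dict with transaction id, unit id and function code, or None
    when the bytes do not form a consistent Modbus/TCP frame.
    """
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0 for Modbus; the length field counts the unit
    # id plus the PDU, i.e. everything after the first six bytes.
    if pid != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "function": payload[7]}


def classify(flow):
    """Name the protocol of a (src, dst, dport, payload) record."""
    _src, _dst, dport, payload = flow
    proto = PORT_PROTOCOLS.get(dport, "other")
    if proto == "modbus" and parse_mbap(payload) is None:
        proto = "other"  # port 502 but not a valid Modbus/TCP frame
    return proto


def in_plant(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PLANT_NETS)


def analyse(flows):
    """Return (protocol counts, alert strings) for a list of flow records."""
    summary = Counter()
    alerts = []
    for flow in flows:
        src, dst, dport, payload = flow
        proto = classify(flow)
        summary[proto] += 1
        # A plant device reaching an address outside the plant ranges.
        if in_plant(src) and not in_plant(dst):
            alerts.append(f"{src} -> {dst}:{dport} leaves the plant ranges")
        # A state-changing Modbus request from a host that should not issue one.
        if proto == "modbus":
            fc = parse_mbap(payload)["function"]
            if fc in MODBUS_WRITE_CODES and src not in ENGINEERING_WORKSTATIONS:
                alerts.append(f"{src} sent Modbus write fc=0x{fc:02x} to {dst}")
    return summary, alerts


# Constructed sample capture: (src, dst, dport, payload).
SAMPLE_FLOWS = [
    # engineering workstation reads 10 holding registers from a PLC (fc 0x03)
    ("10.10.1.5", "10.10.2.10", 502, bytes.fromhex("00010000000601030000000a")),
    # unknown plant host writes a single register on the same PLC (fc 0x06)
    ("10.10.3.77", "10.10.2.10", 502, bytes.fromhex("000200000006010600100001")),
    # HMI talking S7comm (ISO-TSAP) to a second PLC; payload is an opaque stub here
    ("10.10.1.20", "10.10.2.11", 102, bytes.fromhex("0300001611e00000")),
    # a PLC opening an HTTPS connection to an address outside the plant
    ("10.10.2.10", "203.0.113.8", 443, b""),
]


def run_sample():
    return analyse(SAMPLE_FLOWS)


if __name__ == "__main__":
    counts, found = run_sample()
    print(dict(counts))
    for line in found:
        print("ALERT:", line)
```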
So example two, this is probably my favourite area; this is where I've been working for the last, probably about four and a half years now. I've moved much more into the cloud space; I don't do as much on-prem stuff, as I explained, but we still use cloud SIEM for OT scenarios. Some, not all, but some still will agree to send that OT data up into a cloud SIEM, specifically if they're using network analytics on premise and they're detecting some of those key alerts or triggers; they send that up into the cloud SIEM to actually allow us to analyse it from more of a centralised overview. So what do some of these examples look like? We've got a few dashboards in our SIEM product; some of these are real examples. This is an example taken from one of the colleagues I mentioned at the start; they were looking at operating systems, so who is actually logging in, where is it being used, how often are they using the OT environment, top common events, top remote devices, location of the substations, execution states, top actions taken. Again, apologies for the slide, you can't see some of those, but they are OT-specific dashboards, either running something across a circuit breaker etc. and so forth. SCADA power distribution, this is a cool one; the one I like to point out here is HP VES, so they are actually tracking how much electricity and power the OT environment was using. So it's not always, it doesn't have to be, security specific, right? It can be more operational learning: is there anywhere we can potentially save money? Cost efficiency is a big thing. If we start to see certain systems which have way, way more voltage output than some of the others, then we want to look into those; or it could be that it is malicious and someone's sending too much power to a certain device. Is there a risk of that overheating, exploding or causing injury? Again, top actions taken, operator workstations, top circuit breaker location, so where in the world do these exist. Again, the SIEM is just using the log data; you could feed in the network data if you wanted to, you can get that network traffic and send it up to the SIEM to give you both directions, so you've got that on-premise network data as such, but you've also got the logs. Why do you need both, and why is that on one of our first slides and in how we do it? Because not all legacy systems can produce logs, right? Logging isn't always possible; if it's not possible, how do you get that visibility? Okay, let's fall back onto the network data. If you can do both in a single centralised view, that is what I believe is the solution to OT visibility.

So here's a kind of correlation rule, a fact-based rule. In this example, it's a very basic example, they're looking for if malware is detected and then they see a circuit breaker open. So this is a real rule we saw: they do see some sort of malware outbreak, and then shortly followed by, I think it was five minutes, they see a circuit breaker open. We know in that case it's an OT-specific vulnerability or threat here, because they're looking at opening that circuit breaker. Here we start to see that; in this case they saw it I think eight times over the last 24 hours. That is what we call a correlation rule. We also have, oh, before I jump into what we also have, this is what you'd see on the view here. So right here is that log related to OT; that is kind of the security alert as such, and you see either side of it are the operational logs, so it's identifying that security log or alert within all your operational logs, so it's not getting lost in the weeds.

What I want to talk about next, this is an area I've probably specialised more in, to be honest, is more UEBA and data modelling. So I've shown you dashboarding from a traditional SIEM, I've shown you a correlation rule; what we're seeing more and more often, especially, and this is where Exabeam's origins come from, was data modelling in UEBA. So some examples I like to give, and I'll call out this one specifically, if anyone can notice why I pulled out this one: this is actually tracking door access, so from their badge logs, a certain user accessing parts of the office. The reason I call this out, if you haven't picked up on it already, is an unfortunate top result for this user: you can see the most common visited place for this user is in fact the toilet. It's one I like to bring up at all trade shows etc. because it sticks in people's minds. We are not trying to track how often employees are using the toilet; it's just a bit of a fun example, but in this case you would track where in your IT office they access, or do they even access the OT environment? If they're a certain operator and they're not supposed to be accessing certain parts of the OT environment, they access door A every single day over the last year, and suddenly they're accessing door B, and we know that's to the nuclear power plant; well,
we've never done this before. This is the sort of data modelling we can start to flag up on; it would flag up anomalous behaviour: this is abnormal, why are they doing this, we need to investigate. So that's why we start to model a lot of stuff.

[audience: their pass wouldn't give them permission to go into that door]

If they go, well, that's another way to think about it, right? It's all monitoring, visibility in a nutshell, right? If everyone could do everything preventive, right, if antivirus worked the way it should do, if all the preventive controls worked as they should do, then we'd never have any issue, we'd never do monitoring, right? So it's one of those scenarios: actually, let's assume for whatever reason it's not been configured properly, they're not utilising zero trust, and in this case they're accessing a part they shouldn't. Yeah, if preventive tools did their job properly, I think monitoring companies such as Exabeam probably wouldn't exist.

Countries for user activity, a very, very common scenario; again not specific to OT, but I like to pull it up in OT. You can see here the operator or the user only ever logs in from the United States; suddenly they're logging in from Bosnia here, what, why? This is again where we're going to flag this up as abnormal behaviour. It might potentially be malicious, but it's giving little indicators to an analyst: this shouldn't be happening. Every time something like this happens it also boosts up a risk score, and it helps triage that; I'll show you what that looks like in a minute.

So here is what we call a timeline view, so just coming back to some of that data modelling I just called out: physical access. So at 10:33 a.m. someone entered the parking entrance, okay: first physical access to parking entrance for Gary Harden. So first of all, it's the first ever time he's accessed the parking entrance; maybe he walks, whatever, so we give it a risk of plus eight, so plus eight is the risk. Okay, we know that at the same time HR say Gary Harden gave in his notice, so HR have given us additional context; that's why I mentioned contextualised data earlier. They've given us additional context to say Gary is leaving the organisation, so suddenly we're going to give him a plus five. But as an analyst it's starting to seem a little bit iffy to me: first time entering the parking entrance, I know Gary, he only ever uses the front entrance, he walks. Anyway, he's given his notice. Maybe, as time goes by, another one, just under an hour later: first physical access to the substations, okay, we're starting to see more and more potential abnormal behaviours here, and you see this risk score will go up and up and up; the more of these first-time things we see, or abnormal activities we see, the more that boosts the risk or helps us identify that. In an IT environment it could be a door in a nuclear lab or a manufacturing door, whatever it may be.

The final piece of this data modelling is time of week, so we also model when a user or operator or engineer, whatever it may be, I referred to this earlier, when do they access their environments: when are they coming into the office, when are they coming into the manufacturing line, when are they coming into the plant etc. So if we start to see something out of the normal here we can flag that up, and you see usually the person's coming in about 4:00, 12 to 4; in this case there is a bit of abnormal behaviour, someone comes in at midnight.

Our final example is using on-premise SIEM. So this is the most common, this is what we see the most for OT deployments, because on-premise is usually the preferred choice of deployment for a SIEM for an OT company. So I took this content from a water company in the UK; I won't say who they were. An engineer shared this with me, and some of the work they've been doing with this water company is they create custom parsers for Siemens PLCs, SCALANCE switches, 304, 306; they're not typically the sort of stuff you'd see out of the box. They work on
cating these passes they also figur the KC's to send regular heartbeat log messages to kind of check in the scene the reason they did that is because if we start to see these log message heartbeat messages uh not detected or we call it a silent log Source we stop seeing that we of course we may know that the PRC is down certain m rules they're looking for as well again I talked about some of these earlier defa potentials used and succeeded default potential us and failed very common in OT environments does anyone know why default potentials are probably more common in OT environments any any ideas think back to the the challenges security awareness Legacy
systems to be honest these systems are probably so old no one's logged into them for a long time bothered updating them the amount of times it's just admin admin admin password Etc the very Foundation of cyber security the very Basics you see those apply in OT environments um servers stop stop certain services on devices Etc replication for removable media we talked about this earlier Stu so is obviously being looked into from a monitor rule perspective and then there's some of the correlation rules they use here as well they're looking for factory Reser code being modified configuration changes uh lockouts uh backups being disabled I think now Etc and so forth so that's some of the
content we had an engineer worked with one of our water companies here at EX dashboarding so this is what I mentioned earlier about some of the chlorine stuff uh we've got the rtu and PRC locations uh we've got the water pipe CL state and city so the most common one here is Liverpool uh PPE size and millimeters so we can see what how how many ppes we got at 450 mil again this might not be specific to security but it's a use case in there and they're using it uh chlorine indication so Starly look at if there's any for indication being higher than normal here was a bit of a trend analysis what does that chlorine
indication look like over the last I think that was 24 hours has that changed Etc High chlorine affected cities if the chlorine ination level has gone up where in the world is that being affected uh alerting they were looking at uh High chlorine ranges here as well as rtu intrusion detected so they start to see chlorine or let's say they start to see rtu intrusion and then they saw the chlorine indication go up it's a bit similar to what I showed you earlier the other correlation rule you saw outbreak you then saw a circuit breaker being opened uh very similar case in here so suddenly there's Ru intrusion as well as flooring indication has gone up that is
an OT specific use case and so we've seen in production here at ex how do you respond to it so we get the alert we get some context on it we talked about context many of times we then use our case management system to kind of uh detect that so in this case it took three 3 minutes to detect a certain attack it then took 36 minutes for our our analyst to respond there's paybooks in there how do we respond to certain scenarios and so forth that is me done I appreciate I spoke very quickly I've gone probably a fair bit quicker than what I should have done but I'll keep some Q&A open there
is some further reading in here I will send this out uh to everyone if possible I'll speak to the uh some of the go here at besides the Q&A if there's anything you want to ask me any use cases you're interested in then feel free to ask that's it [Music]
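The three detection ideas the talk walks through (first-time events boosting a per-user risk score with HR context, a "silent log source" check on PLC heartbeats, and the RTU-intrusion-then-chlorine-rise sequence) as a small, runnable model. This is an added example, not code from the talk or from Exabeam's product; the events, heartbeat times, chlorine readings, threshold and working-hours window are all constructed, and only the +8 (first-time door) and +5 (HR notice) point values echo the talk's timeline.

```python
# Added example (not Exabeam's code): a toy model of the UEBA-style data modeling,
# silent-log-source check and sequence correlation described in the talk.
# All sample data, thresholds and point values other than +8/+5 are constructed.
from datetime import datetime

# Constructed badge / login / HR events: (timestamp, user, kind, value).
SAMPLE_EVENTS = [
    ("2024-03-04 08:02", "g.harden", "door", "front_entrance"),
    ("2024-03-05 08:10", "g.harden", "door", "front_entrance"),
    ("2024-03-06 07:58", "g.harden", "login", "US"),
    ("2024-03-07 08:05", "g.harden", "door", "front_entrance"),
    ("2024-03-08 10:33", "g.harden", "door", "parking_entrance"),  # never seen before
    ("2024-03-08 10:33", "g.harden", "hr", "notice_given"),         # HRIS context
    ("2024-03-08 11:30", "g.harden", "door", "server_room"),        # never seen before
    ("2024-03-09 00:05", "g.harden", "login", "BA"),                # new country, midnight
]
# +8 per first-time door and +5 for the HR notice follow the talk; the rest are assumed.
POINTS = {"first_door": 8, "hr_notice": 5, "first_country": 10, "off_hours": 4}
WORK_HOURS = range(6, 20)  # assumed normal access window, 06:00-19:59


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def build_risk_timeline(events, score_from):
    """Replay events in time order. Events before `score_from` only train the
    per-user baseline (which doors / countries are normal); later events are
    scored against it. Returns (timeline, totals): timeline is a list of
    (timestamp, user, reason, points) for every boosted event, totals maps
    user -> accumulated risk score."""
    seen = {}  # (user, kind) -> set of values already observed for that user
    timeline, totals = [], {}
    start = parse_ts(score_from)
    for ts_str, user, kind, value in sorted(events, key=lambda e: parse_ts(e[0])):
        ts = parse_ts(ts_str)
        history = seen.setdefault((user, kind), set())
        reasons = []
        if ts >= start:
            if kind == "door" and value not in history:
                reasons.append("first_door")
            if kind == "login" and value not in history:
                reasons.append("first_country")
            if kind == "hr" and value == "notice_given":
                reasons.append("hr_notice")
            if kind in ("door", "login") and ts.hour not in WORK_HOURS:
                reasons.append("off_hours")
        history.add(value)  # learn the value whether or not it was scored
        for reason in reasons:
            timeline.append((ts_str, user, reason, POINTS[reason]))
            totals[user] = totals.get(user, 0) + POINTS[reason]
    return timeline, totals


# Constructed last-heartbeat time per PLC / RTU log source.
SAMPLE_HEARTBEATS = {"plc-01": "2024-03-09 00:00",
                     "plc-02": "2024-03-08 21:15",
                     "rtu-07": "2024-03-09 00:04"}


def silent_sources(heartbeats, now, max_gap_minutes):
    """Log sources whose last heartbeat is older than max_gap_minutes: the
    'silent log source' condition used to notice a PLC that has gone down."""
    now_dt = parse_ts(now)
    return sorted(src for src, last in heartbeats.items()
                  if (now_dt - parse_ts(last)).total_seconds() > max_gap_minutes * 60)


# Constructed RTU telemetry: (timestamp, rtu, kind, value).
SAMPLE_OT = [
    ("2024-03-09 02:00", "rtu-07", "chlorine_ppm", 1.1),
    ("2024-03-09 02:10", "rtu-07", "rtu_intrusion", 1),
    ("2024-03-09 02:25", "rtu-07", "chlorine_ppm", 2.9),
    ("2024-03-09 03:40", "rtu-07", "chlorine_ppm", 3.0),
]


def intrusion_then_high_chlorine(readings, threshold, window_minutes):
    """Sequence correlation: an rtu_intrusion event followed within
    window_minutes by a chlorine reading above threshold on the same RTU.
    Returns (rtu, intrusion_ts, reading_ts, value) for each hit."""
    hits, last_intrusion = [], {}
    for ts_str, rtu, kind, value in sorted(readings, key=lambda r: parse_ts(r[0])):
        ts = parse_ts(ts_str)
        if kind == "rtu_intrusion":
            last_intrusion[rtu] = ts
        elif kind == "chlorine_ppm" and value > threshold:
            t0 = last_intrusion.get(rtu)
            if t0 is not None and (ts - t0).total_seconds() <= window_minutes * 60:
                hits.append((rtu, t0.strftime("%Y-%m-%d %H:%M"), ts_str, value))
    return hits


if __name__ == "__main__":
    timeline, totals = build_risk_timeline(SAMPLE_EVENTS, "2024-03-08 00:00")
    for row in timeline:
        print("%s  %-9s %-14s +%d" % row)
    print("risk totals:", totals)
    print("silent sources:", silent_sources(SAMPLE_HEARTBEATS, "2024-03-09 00:05", 30))
    print("correlated:", intrusion_then_high_chlorine(SAMPLE_OT, 2.5, 60))
```

The training cut-off (`score_from`) is the part that matters in practice: without a learning period every value is "first seen", which is exactly the cold-start noise an analyst would otherwise have to wade through. The same replay structure is what lets the HR notice (context, not an anomaly in itself) add to the score of the surrounding first-time events rather than stand alone.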
[Music]
Yeah, so obviously we can talk about KPIs. Just to repeat it, for KPIs, going into the SCADA devices to show the metrics to the SIEM, speed, etc. So the way I'd usually do it: if you can't get the data directly from those devices into the SIEM, then that's where we'd utilize some of the specialists like I mentioned earlier, [names inaudible], because they can go a bit more... in all honesty they go a little bit more granular, they're kind of the OT specialists, right. We will take in anything from a logging perspective that a device can generate, but if we can't pull that data, or other devices can't log that, then we'd partner with one of our technical alliance partners, such as one of the OT specialists on there, unless we can get it from a network traffic perspective. If it's generating a lot of network traffic, can we report that? We can do it using NetMon. Can we put it into a report? Yes. Is it going to be as much as what you want? I'm not too sure, but we'd usually work with a partner to do it.
[Audience question, partly inaudible: how much do you...]

So I can only speak... so look, I mentioned I got into the weeds probably eight to ten years ago. When I was doing it I was actively working on vulnerabilities in SCADA systems. They were incredibly niche, they were obviously zero days, um, and no one really knew about them at the time. Most of my time I spent studying these systems, reading documentation if I could get hold of it, working out exactly how it worked so I could develop this payload in a specific way to exploit it. So I personally have seen vulnerabilities and exploits for SCADA-based systems. I cannot say if it's still going on right now; I'd assume it is, because otherwise these OT specialists... we wouldn't have OT companies deploying it, etc. But I know it was going on much lower, specifically targeting the PLC; I've seen it personally, I know it happens. But does it happen, do we see it in the public eye? Not as much, right. We don't hear much about OT security, and if we do it's all "the manufacturing's gone down" or "BA can no longer check people in"; we don't hear the specifics. I'd like to think it's still happening and there is a large group kind of focusing on those specific exploits, because the security is low-hanging fruit on some of those machines, as I mentioned, legacy systems. When I was developing these payloads and stuff for OT devices I found it fairly easy: I would load up [tool name inaudible], I'd do a Hail Mary, I'd hope for the best, and nine times out of ten I'd get something back, because they hadn't been updated in such a long time. It was an easy hack. Um, so yeah, that's my report on it. I don't know if that happens as much in the last few years.

[Audience question, partly inaudible: it's very interesting, as security people we tend to think of things in the security space, but as you said, or even just the legacy systems breaking down, that could happen, that sort of scenario, in the context of your...]

Yeah, so just, are you asking me for an example of a disgruntled employee and some of the stuff I've seen?

[Audience, partly inaudible: more like in general, like stuff breaking down, but not in a malicious way, but just...]

Because, yeah, there are kind of two different avenues of attack, right. There's either a malicious insider, so someone doing it deliberately, and there's always the non-security-aware, not security trained, accidental compromise. So we do detect both, and that's why we look at data modeling, and that's why we look at UEBA: how does a user typically work. So a good example I used to give was we've just seen a user and they've escalated their privileges, they've now got system administrative access. We flagged it up, the risk score's gone crazy. Why have they got this, there must be something malicious running, PowerShell, etc. And then actually if you look at some of their data modeling and UEBA timelines, this person, even though they're from HR and they shouldn't be doing that, they're actually interested in getting into cyber security, so they're running labs on their own machine and they're doing that sort of stuff. So suddenly that's a false positive. So I used to see that, not as such in the OT space but in the IT space; it was a very common scenario we used to refer to at Exabeam: is it just a general mistake, is it a real false positive? But actually, yeah, in that case it was a false positive, because it was someone with no malicious intent who accidentally triggered an alarm. I'm sure you could probably apply the same in an OT environment, but the consequences will probably be higher.

[Audience question, partly inaudible: ...someone else doing something to help with an issue, it's not something that alerts...]

Yeah, it comes back to that context. If you knew that alert was associated with that machine, but then if you could pull down that context from your ITSM and you've got that ticket information linked, it'll make an analyst's job a little bit easier, right. And that's why context, especially in a SIEM, is critical, because without it... you wouldn't even have to speak to the user to find that out if you could see the ticket linked to that user. If you investigate a certain user and actually you've got an API going into your ServiceNow that said actually no, there's already a ticket open, it looks like someone's troubleshooting his machine: oh, maybe this probably isn't as critical as what I thought. Any further questions? All right, well thank you very much for listening and