
If System = ICS, Then Pwn4g3 is Greater Than Root

BSides SLC · 2017 · 59:49 · 100 views · Published 2017-07
Category: Technical
Difficulty: Intermediate
Team: Blue
Style: Talk
About this talk
ICS attacks require more than achieving root access—attackers must develop two distinct payloads: one to compromise the technology and another to manipulate the physical process itself. Rolston explores how defenders can identify ICS intrusions by monitoring for unexpected physical conditions and anomalies in tightly monitored processes, leveraging the unique advantage that cyber-physical exploitation often leaves detectable traces in the engineering domain.
Original YouTube description:
Got root? Great. Got physics? No? Defender wins. Total pwn4g3 of an Industrial Control System (ICS) requires more than rooting a system. Successful attacks require 2 payloads: one to control the technology and one to control the process. ICS attacks therefore require more complex attack strategies, different tool kits, and more time to implement. They also lead to more mistakes. (Hacker foo and practical physics rarely play well together the first time they meet!) What happens when mistakes are made during an ICS attack?
- Physical changes to closely monitored processes
- Repeated errors interrupting normal automation operations
- An unusual occurrence of defensive advantage
Let's talk about how ICS attacks are planned, common signs attackers are developing the physics payload, and how to defend the process.
Transcript [en]:

Okay, all right, hello. Welcome to the 4:30 presentation. You should be in food comas, so you've retired or are about to get called into work. I'll try to keep this interesting; if not, please let me know, and I'd like the catcalls again. This side of the room matters; catcalls from this side should just be ignored. All right, so I'm here to talk about control system attacks and why rooting a control system is just not enough to get complete pwnage or full control of a process. I know that most of you think that pwnage is the best thing to get; everyone wants the admin in the control environment, the control system environment. That's not enough. You actually have to

physically control the process, or control the physical process itself. So root is just not enough. Today, hey, my name is Bri Rolston, and today I'm presenting to you some new defensive research I'm doing based on [unclear] concepts by Jason Larson. Jason, go ahead, put your hand up. All right, so the group of hecklers over here are ICS attack teams, and I'm the token ICS blue hat, so I'm the token ICS blue team person. Okay, so when I tell you about this research, it means that those guys are going to go out and do bad things, and then I get a phone call later saying, Bri, could you help, um, clean up? I

don't work with these guys anymore, why are you calling me? Okay, so I've been in telecom or cybersecurity for 20 years. I've been doing ICS-specific research for a really, really long time, about 15, 16 years. I do tend to be a little bit different from some of our other defensive teams. I am a researcher, which means that, okay, shiny object, ooh, okay. I don't fit; I don't do the day-to-day work thing. The research I'm presenting today is my personal research; it's what I do in my free time, because I get bored with my projects at work and my boss couldn't come up with something cool enough to keep me occupied. And so, what I learned as a defender:

my introduction to cybersecurity: see this group of people right over here, INL staff, go ahead and raise your hand, those two or three rows right there. My introduction to cybersecurity was with a red team that was told, in all seriousness, my boss told them, it's okay if you hack Bri's workstation; if she can't defend it, she probably needs to learn how. So my work laptop and desktops were in a permanent state of pwnage. I learned defense because it was self-defense, and so my approach to defense is very red team focused, so just keep that in mind when we're talking today. It also means that, depending on the moment, I am a

little bit bipolar about whether I'm blue team or red team, just because I have to stop and think that I'm not supposed to tell my customers, oh my god, that malware was awesome, they totally owned your system. That's a bad thing to say when you're the blue hat. I'm not so expressed, I kind of cooled the factor. Okay, that didn't work; I just finished my presentation, so I apologize. Learning defense as the only defensive person on a red team was really, really helpful in a lot of ways when it comes to doing ICS security, because we're talking about a space that not a lot of people play in. Strangely, now again,

contain yourself. Most people really don't enjoy cybersecurity, and a smaller percentage of the population of the world enjoys ICS cybersecurity, and now brace yourselves for the excitement that's about to come. And so what do I do as research? I've already told you I'm a blue hat, I'm a defender. My expertise is in threat intelligence. I really like to know who's doing what and how they're planning attacks, so I can anticipate what they're going to do on my network. I do defensive work because I hate to lose, so I like to be able to try to anticipate as much as possible what the red team guys are going to do to my networks, how they're going to

do it, and what I can do to make their lives miserable as an attacker. All right, so for this presentation we'll talk about two payloads. Normally I would tell you that I didn't make the rules, I don't necessarily follow them, that's why I'm in security, right? When we talk about defense in cybersecurity and the ICS space, a successful attack is really about how physics rules. Wow. Truly, I think that we should have been going with chemistry as the primary thing here, because physics is really not exciting to me, but I'll suck it up. In this space, physics rules, because again, see that three-table slide over here, they all liked physics

better than chemistry, and now I'm stuck with it. All right, so how many people have worked with control systems before, or are very familiar with what it means? Okay, a couple of you, except the three-table heckling crowd. So a control system, for what we talk about today, is specifically those systems used to control the physical process, and these endpoints, software, hardware, environments, whatever we're looking at, actually control a physical process. They make cameras move, they unlock doors, and they trigger the fire suppression systems, security cameras. The other thing that's interesting is telecom EM generation and/or transmission and reception. IoT or SDRs are both also what I would consider cellphones and ICS,

because it does produce electromagnetic waves. That's really interesting: the criminal teams are moving into popping SDRs and forcing them to generate a different type of signal, which means we'll have to defend them like we would an ICS, not like we would defend a typical cyber system. Okay, so we're going to talk about chemistry today. My exemplar will be chemistry-based, not physics-based, just because I [unclear] today. And how many of you are familiar with phosphorus, elemental phosphorus? Show of hands for those people who have exposed it to oxygen and watched it blow up or split. Oh, you guys, come on, two pitiful hands raised. If you expose elemental phosphorus to oxygen... you guys like to

blow stuff up, put your hands up here, be proud, come on. See the table, see that whole three tables have it. So you have a couple of people in here who look like they might be breakers; that's good to know. So I don't know if y'all were aware of it, but one of the biggest elemental phosphorus producing plants in the world was up in Pocatello, Idaho. It was shut down and now it's a Superfund cleanup site. But when we talk about the damage that can be done with a control system, we're talking about physical damage: the largest elemental phosphorus producing plant in the country, in Pocatello, which is not far from a major fault line

and Yellowstone Park. Imagine what happens when there's a mistake with the process, or a hacker breaks in and takes control and exposes the phosphorus to oxygen: we're losing big chunks of Southeast Idaho and northern Utah. So today's example of what you don't want to see someone control is the old FMC plant in Pocatello. Okay, so a concept we need to talk about: the makers versus the breakers. Typically speaking, when we're working with ICS, the maker space is going to be filled with our engineers and operators or technicians. They like to make sure things are working the way they are supposed to; if it wasn't designed this way, if it's operating outside spec, they get kind of uptight, they

don't really like it, and they're really big on root cause failure analysis so it doesn't happen again. They clean stuff up as they go; it's part of how they keep their jobs, and it's part of how they prevent physical damage from occurring. Breakers, on the other hand, tables two, three, and four over here, are kind of a shock to the engineering and tech systems, and okay, to the people themselves when they first meet them, because engineers and techs who run a process don't understand why you'd want to break it. That's a fundamental problem, and it's a culture clash that, as an attack team, I would have to accommodate for, and it's a culture clash that I, as

a defensive coordinator, would also have to accommodate for. These groups do not work well together; they do not play in the sandbox well. Oh my goodness, they really don't play in the sandbox well. So you'll know a maker because when there's a problem, they need to go try to figure out what happened and what they can do to prevent it again, and so they build all these failsafes into their systems to make sure that a problem seen once or twice can't become a recurring problem, or can't be triggered and unexpectedly occur again, right? They clean up as they go. Breakers, on the other hand, they like to just see

what happens. Oh, I wasn't supposed to push that button? And I know you told me if I press the red button all the water comes down, but I didn't believe you. Now again, this is a really, really important concept, because when we talk about the two payloads problem, especially with the Ukrainian attacks, we can see where they're bringing in teams and how they work together. Right now those teams are not working together very well. The fact that they're training means when they're ready to go live with a real attack, we probably won't see them coming, because they will have learned to work out those differences. This particular maker versus breaker space is our biggest actual indicator for when an ICS attack is running. The

cyber team will play around; someone who doesn't have that engineering experience will play around in an ICS space to break it open. So they get root on an HMI; they don't really know what to do with it. If an engineer is given root on an HMI, they know what to do with it, but they're really not going to push the buttons that break anything. You can see them actually physically pause; I think they start twitching most of the time. You want me to... what? You want me to break it? We could really do some damage. That's the point. Okay, any questions on why makers versus breakers is important? This is when I

tell you this is our single biggest indicator right now for an ICS attack. I fully expect that my security tools will not give me any warning that I've got someone on my ICS network once they have admin access. I really expect my makers to see the stuff first. What I need to do is make sure that they know to call me and say, hey, we've got something kind of suspicious happening; we take a look at it and see if it's a cyber attack. My IDS is not going to pick this up, and that is why another of my endpoint detections is going to be functional failures. So I need my makers to be at least aware of what breakers can do

and why they would do it, even if they don't ever plan on being a breaker themselves. Okay, so the hard part of getting into an ICS attack is understanding exactly what you have to beat. With cyber attacks, when you think about beating something, we think about beating the technology: beating the IDS systems, doing bypass and evasion, making sure our C&C channels are working the way they're supposed to. When you're trying to gain control of the process, you have to beat people, you have to beat the actual workflow and process, and you have to beat technology. You also have to be able to anticipate the physics, and if you don't know

the physics, you're probably not going to control the process thoroughly, or at least not enough to have granular control. You'll probably just crash it, and they'll be able to bring it back up; that's not the long-term control we're talking about today. So when we talk about makers or ICS teams, you're typically going to see three types of people. You're going to see the process teams, who are typically engineers who make the process run; in this case, this is a distillation process for elemental phosphorus. When a process engineer at the Soda Springs plant, the Monsanto plant in Soda Springs, looks at the technology, they look at the control system, they look at

the servers. They're not really seeing the technology; they're seeing how this makes the process work: how do they actually take the raw materials and get elemental phosphorus into the tank? They don't really care about the tech. They might know it, they may be able to say some key words, but this is not their focus. They do, however, play a really big, important role in setting up a failsafe where, if something happens to the process, a hacker breaks in and takes control of it, tries to subvert it, ruin the product quality or the material quality at the end, these are the guys who are going to catch that. They're the ones monitoring whether or not the phosphorus came out

the way it was supposed to, if it's meeting our test requirements. So we have to beat these guys and what they're doing for reliability and for quality control for process operations; if things operate outside of spec, they're going to take note of that. That's one area that we're looking at. The second is the process automation team. These guys are looking at the very same equipment, so the same sensors, the same vibration sensors, the same variable frequency drives, but they actually see the process technology and how their tech makes it possible to move the raw materials through the distillation process, result in liquid phosphorus, and get it into the tank. But they tend to see these things in terms of end

points and what should be talking, not network protocol, but what should be happening: okay, this tank is full, and now we need to pipe it into our overflow tank right there. So when they look at the tech, they're not looking at it as a Microsoft operating system talking on Modbus TCP or Modbus IP instead of Modbus not-IP; they're really looking at it and saying, oh, that overflow sensor isn't working right, it's not reporting back, and our operators are ignoring the alarm too often. Okay, so these guys are looking at how the automation of the technology is facilitating the process flow. That's a very different approach than an IT admin would take. So what they're looking for, to make sure the process is running

smoothly and efficiently, is something we also have to beat. As an attacker, I have to make sure that these guys don't see any indications I'm running my attack or trying to take control of the system. Okay, and we talked about the culture clash between makers and breakers, right, hackers and engineers working together. There's a really, really big and critical culture clash we'll see when you're getting corporate IT teams who are working with control system groups. They look at stuff and say, oh, this Rockwell Stratix, which is actually just a Cisco switch with some Rockwell software running on top of it, it's just Cisco under the hood; why can't I manage it like I manage everything else?

They see stuff like in a typical network diagram; that's all they're concerned about. What they don't understand is this particular gear is controlling a physical process. If we lose control of the physical process, it's like parking your running car on top of a hill in San Francisco, keeping it in neutral, and walking away. Well, I hope that doesn't hit anything as it rolls downhill; I hope, you know, I don't get sued or put in jail for absolute neglect. So when an IT team is working with an ICS team, and this includes security who should be helping you detect stuff, they have to understand what the difference is: if I lose control of the physical process, people can die,

environmental damage, physical damage, the company loses billions of dollars. That's not something IT people typically consider. So when we're doing security, we don't always look at the indicators the way we should for an ICS or process attack, right? Indicators have different context, therefore they have different meaning. We, the defenders, have to look at it a little bit differently to anticipate what the worst-case scenario is going to be. Any questions up to this point? Do you feel comfortable with the basics? You're wide awake? Okay, yeah, this gentleman over here in the red shirt, the gray sweatshirt, I'm like, yeah, no [unclear]. Okay, so we talked about what we do as defenders; let's take a look at attackers. This is

always fun. The first time people have worked with control system software, the first time they look at the common configurations, they're like, oh my god, it's like heaven in here: they have lockdowns, there are no ACLs on the firewall, it's not doing any packet filtering. They're like, oh man, I'm going to pull an award, I want to kill this thing. They actually do kill something: they force reboots, they force the process out of control, out of spec. But the failsafes that the engineering teams and automation teams put in place will typically stop them from causing permanent process damage; it just stops it from working momentarily.

So granular control of the process, like we saw with Stuxnet, where they were able to spoof the data so that the process looked like it was running the way it should in several different areas, requires physics in addition to the cyber. Most cyber people or hackers who come in and look at ICS for the first time get really happy and don't realize that they have to beat all the safety, reliability, and failsafes baked in by the engineering teams. It's why they get caught, and it's why we can expect, in the next couple of years, as the criminal teams get more interested in ICS targets so they can monetize them fairly easily: if they ransomware my HMI, are we going to pay that? Right,

we have to keep the HMI working, so most teams are going to pay for that. Criminal teams will learn to monetize, and they are going to learn more about ICS. Our best chance right now of catching them is before they have full control of the process, because they didn't know they needed a blended attack team, or they didn't know the rules of physics, so we're going to limit them. All right, so this comes down to why we have two payloads. From a cyber perspective, and I'm going to be referring to it as a payload, for me they're actually two different workflows. So when an attack team comes into an ICS space, I expect to see two teams and two different major

projects that the teams have to accomplish, and they have a different toolkit for each one of them, a different purpose, a different task, a different timeline, a different schedule. Okay, going into it, if I know that, I've got a better chance of detecting it. Again, if I can anticipate what those would be, where they would have to go get their information to learn the process, and I understand what it's going to take for them to learn to control it and how their test hits look, I've got a better chance of detecting it and making sure my engineering teams are aware, to say, hey, we have something happening, it just doesn't look right, we don't have a good process explanation for why it's happening. This

is what will catch them as they're learning the process, and that's the delta: the second payload. Okay, I get asked this: how many people here know about the underpants gnomes? Show of hands. Okay, look at the part of the audience that didn't know; I am not the only one. See, I didn't know about the underwear gnomes from South Park. Really? Okay, now see, I said South Park underpants gnomes, now who knows? Okay, I am NOT the only person who did not know. So apparently the underpants gnomes have a very undefined business process: you collect underwear, and I can't ask why, and you do something magical with it, and you make money. We're not sure what that

middle stage might be, we're not sure exactly how you monetize or what the value would be, but you do some magic and you make money by collecting other people's underpants, for I don't know what reason. Okay, so ICS pwnage: the cyber teams will go in thinking it's going to be the same kind of thing: I'm going to get root, we're going to go work some cyber magic, and we're going to blow up the world. Nope. We have engineers, we have engineers who don't like their process to go wrong; you have engineers who get really, really like, oh, there was one error in a million. That whole... I know you are familiar with Six Sigma

engineering. Okay, I just want you to know that ICS engineers love that stuff. They like to be able to say, oh, we had a thousand tons of phosphorus go out and we only had like one one-hundredth of a percent, you know, of our product that had extra chemicals, and they get very excited about it. I think they must get bonuses, because they talk about it a lot, and I like the tech, but I don't really hear about those metrics. So when a cyber team comes in, that middle area, that number two, where they're like, that magic cyber juju, where that happens, again, this is something that they're going to have to solve. There's a problem they have to

solve if they want full control of the process. Most teams don't know that going into it, so we can catch them as they're learning the hard way. So this is what they're going to have to do: develop that second payload. We as defenders have a real opportunity to catch them. In fact, I tell you that I think our ability to catch an attack, once they're starting to go live with their test hits on an ICS environment, is probably better than it is in a corporate IT space, even with all the tools available in a corporate IT space, because you have engineers in a process environment who notice really little details and document everything. We've

got a much better shot at watching people come through and learn our space. Okay, so the first time Jason talked about the two payload problem, I was kind of interested. I was doing some work on how to characterize attack paths and get better at predicting how attack teams were making their decisions, their strategic decisions, how they were building their toolkits, how they decided to pivot one way or use one technique to pivot instead of another. The two payload problem is really interesting. The first time I applied it, I did not apply it to a physics or an ICS problem; I applied it to a financial attack, and it really cleaned up my threat analysis. I was like, oh, okay,

so maybe he's got something here, maybe he was right in one area. Okay, I'll fess up, he was. With a cyber team, the chart that you're seeing right now is the attack lifecycle; it's based on how I interpret the Lockheed Martin cyber kill chain as a defender. Okay, so I know anyone who comes in to take a cyber network is going to have to do [unclear] target development work. Then, when they run their first attack, they're going to try to get a foothold on my network, that initial point of entry, then they have to pivot to the targets of value. They have specific tasks and tools associated with that.

Okay, so in the maintenance or attack operation stage, they're going to have to have a C&C channel, because they have to be able to talk to those systems; the systems they own have to be able to talk back to them, or what's the point of owning them if you can't do anything with them? But when you look at this chart, there is no indication of anything other than they got admin or are able to do code execution, right? And this is a fairly comprehensive chart on what an attacker would have to do if they owned your corporate network and they wanted to do data exfiltration. There's nothing in here that says, come on, I have to make sure that vibration sensor, when I'm

trying to make the generator rock or blow it up, doesn't trigger [unclear] so that they get a problem up front. So most cyber teams are very used to planning this; when they're working with the engineering team, you start to see the handoffs get a little sloppy. Okay, so when you see an ICS attack occur, you'll see these tasks happen, you'll see additions of the engineering tasks, where the engineers have to step in and say, okay, you've gotten root on the HMI, here's what we have to do. You see the change in use, you see the change in focus, they start making errors. We're going to see that two-payload handoff; that's the first indicator that we've got a

problem, or they're learning with two feet what the second payload should be. Okay, I really like this slide as well. Sergey Bratus from Dartmouth, he's with Dartmouth, right? Okay, so software exploitation is unexpected computation, right? When you ran the attack and exploited the system, something happened that the developers were not expecting and the sysadmins were not expecting. Jason thinks that cyber-physical exploitation can be explained as unexpected physics. So if you've got questions, Jason, go ahead and put your hand up; Jason will explain it to you later. I could go into it, but I don't like physics, I like chemistry better, so I'm going to shove that over to him. Cyber-physical

exploitation is when we've gotten root, we've owned the cyber system, we've put in place the second payload that controls the physics, and something that the engineers were not expecting happened, and they're going to go crazy with it because they weren't expecting this to happen and nothing in the process indicates it should be occurring. So as a defender, what does that mean for me? When I think about unexpected physics, I think, okay, if my engineers were not expecting this physical process to run the way it was, I need to be setting up my defenses to find when we have unanticipated physical conditions where there is no known indicator in the actual physics itself.

So where the process is running, like how the EM waves are generated, there's no indication in the process control software that we've changed something that would say, okay, let's go ahead and generate, you know, an FM radio signal instead of 802.11, and this is an unexpected physical condition. As such, this type of anomaly is a valid indicator for us, so it's a physical indicator of a cyber attack. The ICS space is the only place I know where we can actually cross-map physical indicators, safety or reliability indicators, to identify when a cyber team is running its hit. So we have two or three types of data available to us in the ICS space to identify a cyber attack. Now when we talk about an out-

of-control process, what we're really talking about is, definitely, physical damage of some sort is going to occur, right? Because we use the technology to control the physical process: the phosphorus leaks out of the tank, it's not immersed or contained in water, it hits oxygen, it spontaneously combusts. Okay, for the EM waves, it generated an FM radio signal instead of the 802.11. Okay, the engineers will mostly tell you that your equipment broke, the people died, or that plant's going to lose its freedom to operate, the state's going to shut them down. What I, the defender, need to know is that the process failsafes that were baked into that did not work as expected; I don't have to compensate for that. When we do

the root cause failure analysis, I'm going to be looking at what could have triggered this type of process failsafe to fail out or fail hard instead of keeping our process contained. There will be a cyber reason for it: it could be a security event, or it could be a functional failure, like, I didn't know our antivirus was mistakenly installed on the HMI, and it quarantined the data files, and the Rockwell FactoryTalk DLLs that were supposed to be working did not. So AV installed on an HMI can actually cause the same kind of interruptions, but it's a functional failure, not a security event. The unexpected loss of control of the process was my first indicator that we had a

cyber problem. Now, physical damage. Okay, let's go back to that: how many people here really kind of think it might be fun to blow stuff up? Show of hands. Hey, come on, [unclear], we're at a security conference. Okay, so physical damage is the holy grail of an ICS attack right now, right? So Stuxnet, and that was beautiful. Okay, I have to go on this rant for a moment. The point of entry was beautiful, right? They clearly used an Eastern European point of entry; they had a lot of Russians, they were understanding it as a Microsoft operating system, and they used the registry better than most of my devs do. [unclear]

The framework in the middle was kind of lame, clearly not written by anyone who has any criminal experience; they didn't really care if they got caught. I mean, nothing was huge, and the bypass and evasion was just not creative: effective, but not very creative; it was really boring to look at. The payload for Stuxnet was a thing of beauty, right? So when that payload was developed, that team had a very, very good understanding of exactly how the physical process occurred, like what they were doing, what the variable frequency drives needed to do, what the sensors needed to do, what the operators were going to see on their screen, what the engineering designs were

supposed to look like, and how that influenced the process design. Okay, so Stuxnet is the holy grail right now, but as the criminal teams, I think, become more interested in the space and they see more ways to monetize, I think FirstEnergy and the problems that caused the blackout in 2003, the Northeast blackout in 2003, I think that's actually a better example of what we can expect to see as criminals get into the ICS game a little bit more thoroughly. They're going to find different ways to monetize. Say you're coming in to compete with an established ICS competitor, like, say, you're an ISP, and I can force all of your infrastructure gear offline

temporarily, or spike up your traffic so you can't handle it, like the Mirai botnet did with the IoT stuff. I don't know if you were aware of this, but most teams found out they were infected with the Mirai IoT botnet not because their systems failed, but because their bill went from like six thousand a month to one hundred eighty-one thousand; one of my customers had that. Hey, if you have that kind of continued service level problem, your customers are coming back [unclear] all the time, because you, an ISP or telecom provider, can't detect those kinds of surges, they're going to leave you and go find someone else. The

Northeast blackout is going to be the subtle one; I think we're going to see more along that line. There was a sudden, subtle cascading effect that impacted millions of people. I think there were seven or eight different states, many states: New York, Pennsylvania, Ohio, I mean seven states in the Northeast lost power because of a software bug that caused cascading failures. If I, as an attacker, can mimic that, it's going to be pretty hard for someone else to find out what's going on, and I'll have much better control because of the small series of cascading steps, if I can control each step, until someone pays up, right? They shut down the first loop, we

lose power to 500,000 people; the company doesn't pay. When you lose power to a million people, they're going to start paying attention because you're losing money. This is what I think the next round of attacks is going to look like. Okay, now the major difference is, when we're talking about that second payload, when you're building the second payload, you have to be able to bypass the failsafes from the process teams, the process automation teams, the IT teams, and the ICS security people, and you have to understand the physics. That's a lot more work; it just about quadruples your workload if you're running an attack in this space. Hey, you know, you spend four or five times the resources just trying to understand

what the process does and how it needs to be fully controlled to get that subtle effect, not just a temporary loss, so that when they reboot and bring it back online, bring the plant back up, they're still functioning. If you want that effect, now you're going to spend a ton of money doing it. Okay, the cyber payload: we can talk about the Stuxnet malware all day long, and it was beautiful, right? I just told you I thought the point-of-entry attacks... oh, I do have a bias, a preference for Eastern European attacks; they're always a lot more interesting. And the cyber, the cyber damage was not the real problem with Stuxnet. The real problem was the fact that we forced, or

whoever attacked it, I should say (we can't say; I'm a defender), forced the physical gear out of specification, right? The engineers couldn't tell what was causing it; it spoofed the data and it looked like everything was operating the way it should, and there was a huge surge in the number of equipment failures. Again, the engineers freaked out about the rules of statistics, right? It's like a one-in-a-hundred-million problem with their chemistry, losing equipment the way they were. You know, I don't recall the specifics, I had looked it up, but the amount of equipment they lost in a single year was way more than they had at any point prior to that. So the damage occurred because they

were able to get granular control of the physical process and of the way that process is running. Okay, loading, loading the Stuxnet malware didn't do anything, right? If you weren't running those drives, you weren't running that specific combination of technology, nothing happened. On your network, you get infected with Stuxnet, nothing happened. That was not a big deal; control of the process was. Which means this two-payload problem is something we have to be more aware of. Cyber was just a tool; the real damage came from that second payload. We're at a spot where people tend to think the cyber is the primary payload because it's, you know, it's malware, and it's cool, but that's not what we have to be looking at. From a defense perspective we have to

understand more of what the engineers are worried about and how they would find these problems if we expect to fix them. Our interests, our needs and what we're doing, the tools we're using, those are secondary, right? We're just supporting actors when we're doing ICS incident management; the engineers are going to be running the show. As an ICS and cyber person that's sometimes hard for us to understand, and it takes a little bit more adjustment to our detection approach when we do this. The other thing to know about is the blended teams. You will never see an ICS attack run without makers, the engineers and techs, working with hackers, and if that team hasn't worked together for quite a while you're

going to see the blips in the handoff, because they're going to be fussing and fighting amongst themselves trying to figure out why they need to do something, or trying to understand what the other person was telling them, right? Because the makers are speaking German and the breakers are speaking Spanish. When that's happening, when there are miscommunications, we're going to see the failed handoff. That's where we can step in and do something. It's also a pretty clear indicator why, when you start looking at the two-payload problem, we should consider them separately when we are analyzing an ICS attack. If we don't do that, we will not be able to understand or anticipate what the criminal and nation-state teams are

capable of doing to us. All right, so if we don't consider those separately, I'm going to keep looking at it like it's a criminal cyber team attacking a bank, not how they're going to blow up or control something in a physical space. Okay, so you guys, any questions right now about why that second payload is such an interesting concept and why it will change the way we look at defense? You guys, come on, you're killing me here. You'd better raise your hand. No one has questions except the squad of hecklers over here? If there are no legitimate questions you're opening me up for... look, I hope you all feel guilty. Yes?

Thank you, Brian. So, go ahead and repeat that. The question was, in an actual attack, like say the Ukrainian power grid attack, did they have a combined squad? They had engineers working with the cyber teams. The cyber guys got them on, and then the engineers had to try to fly around this process. But you see where the cyber guys are just pushing buttons trying to make something happen; they made the distribution stuff occur, but that's how the engineers got inside, okay, to actually shut down distribution. The cyber teams wouldn't have known what they were doing. If you look at an HMI screen, most people don't know what the alarms mean and how to bypass them; we'd have had those. And I've been

looking at attack teams that have capabilities where one cyber person or one engineer has both the breaking and making skills necessary. Right now I'll tell you that of the tier-one hackers I'm aware of, not more than one or two have actually done that. So one or two people; say, I don't know, so you get 20 people worldwide who have both the physics and engineering understanding necessary to implement a second payload without the help of an engineering team. So that kind of long-shot odds means that they'll have engineers and technicians as well as cyber teams. Okay, so one of the things I do find interesting, when we take a look at the

SWIFT banking attacks, I thought that was an awesome example of the two-payload problem and why it has greater applicability for my defensive analysis outside ICS, because the SWIFT banking attacks weren't a problem, again, when the malware got loaded; no one cares. The real damage occurred when they were able to figure out what the interbank transfer process looked like, move these millions of dollars into an account, and get the money out of that second account, the recipient account, before anyone could detect it and reverse the transaction. That's a clear indicator that someone knew the money system, right? Someone knew how the financial interbank process works. I don't know about you guys, but I went out and looked up, just after that,

just some random searches on how those interbank transfers, the SWIFT transfers, actually work. There's very little available, and I am fairly sure that when you do Google searches from random computers they're profiling that, just saying. So it's something to consider; I thought about that after the fact, so just learn from my mistakes. And when I looked at that attack, what I would do to detect the malware that was used to get the access so they could learn the particular environment they were working in, that's an entirely different toolkit and different team, or different set of tasks, from what I would have had to look for to detect that they're doing an

interbank transfer that wasn't really legitimate, with an entirely different set of indicators involving people and the financial process. I wouldn't have used any cyber indicators at all; I would have been looking at, like, the SAP systems, an ERP. If the same kind of attack were run against my company, I'd have to look at SAP and see how the financial transactions are actually instantiated, approved and then finalized. I wouldn't use cyber at all. So that two-payload problem is really the key. This detection strategy is really looking like it shows some promise in how we can get a better idea of how to handle attacks in the future when cyber is not the critical piece, right, when

they're not just trying to infect us and lock us up with ransomware. So, okay, again the excitement in the audience today is reeling. Please, if there are no questions, that's great. Okay, that's another heckler, guys, thank you. Yes? Okay, so the question was, could considering the second payload help us identify an insider attack as well as an attack from outside? I think it would, because what you're really looking at is critical impact or critical damage, and critical damage, regardless of what triggered it, is critical damage. What we do then is reverse back from the damage process and say, okay, here's how it could occur with the physics and the automation pieces, here's how it could occur if the process just

went wrong. So if we introduced something into the materials, or, wow, here's all the automation technology that was used: if these pieces in a technical chain were taken over by somebody who knew how to control it, could we achieve critical damage? For a power company I have five targets that I'm looking at if I really want to take a transmission or an energy management system offline: I look at the energy management system itself, I look at the ICCP connections, I look at the engineering workstation, I look at the HMI, and the ICCP servers probably as well. If I take any one of those I can either knock out power or ensure that we can't transmit power the way

we need to, and destabilize the power grid. So those are my top five targets; that's where I'm gonna spend most of my time working. We can do the same thing with potash or phosphorus plants. So we know what critical damage is and we know where it's most likely to occur, based on historical incidents and some historical functional failures that tell us where to go. So most of your hackers are going to take a look at probably known incidents and worst-case scenarios for their particular target. So, like, at a paper mill you'll find paper dust running around the whole plant. Ogden has the single largest Huggies plant in the country, and they do most of the North

American and South American production for Kimberly-Clark. If you took that plant out because you happen to work for Pampers instead of Huggies, you cause a lot of problems for Kimberly-Clark, and you're economically damaging them in a very significant manner. One thing to do is ignite the paper dust. I think that's what we can expect to see with these attacks. Any other questions? No, again, you can get root on the HMI, but you have to understand what the process is doing, and when you make a change to the process, does it trip an indicator, right? Like if you shut down the data going back to the historian, we would know the state is not logging,

or if you change up the data and don't know where it all propagates, or if you lose it, did you prevent someone from... someone's more likely to feed it back. So you have to know where all the data goes. So, no, I think that understanding, and being able to separate the difference between what was just a tool and the second payload, which is really where the damage is going to happen, is going to become more and more important and more and more difficult to do as we see teams get specialized. I did just read an article where they have an underground black-hat team; it's got a cyber team that's hired financial and economic specialists so they can play

the market, right? So if you could access the SMP infrastructure and you've got an economist or a financial analyst, you can look at that data. Does the convergence of ICS networks into more mainstream IT affect the use of developing second payloads or not? I think the second payload is always going to be the harder problem; the cyber is just easier to get done. We will see the teams get specialized like I said: hire a financial analyst or an economic researcher and get them active SEC, I mean SMP, data access. Come on now, you've got to be able to make a fortune with that. Yes? Okay, so I have a couple of things I have to go into when I'm

working with a new team. I just started a new job a little under a year ago, and that first team I worked with didn't even want me on site; like, they really did not even want me there. So going in and being upfront, saying look, I'm a trifecta of evil: I'm corporate, I'm IT and I'm cyber security. I straight-up went into it with that and came in the door with, I think I had six dozen cookies and, like, I don't know, it took me four trips to bring all the soda in. I'm figuring, you know, geeks like sugar and caffeine. It was a preemptive bribe, right? I know IT has done you wrong, I'm

willing to listen, I'm sorry. So going in with that attitude helps a lot. Making sure that you have sugar and caffeine so they actually stop by to talk to you, that's been really more effective than I would've thought, right? So for ten bucks they'll stop by my office and take some cookies. I don't know about you guys, but I don't know any engineers who won't stop by for free food, and they're highly suspect to me if they don't, right? I'm looking, I'm thinking, something's not right about you; are you marketing or communications? Those people avoid the free food; geek teams don't typically do that. So I'm going in and recognizing there are

very big differences in the use case for technology. You know, in IT we're making it more efficient to make real-time business decisions; the Microsoft operating system and an assortment of applications loaded on an HMI are being used to control a physical process that could actually kill someone. So not treating them like they're being drama queens when they're saying it's really important those things are available; we have to understand the use case and be able to interpret that and share that. As a security person in the ICS space my job is not really to secure things; it's to make the process run more effectively, to make it more resilient. So the majority of my time is actually spent doing ICS-to-IT geek translation, okay, and making sure

things are administered cleanly. If the systems aren't administered cleanly I can't secure them, right? I can't tell what the difference is: did the process stop working because antivirus didn't work correctly, or because they installed a GDI patch that interrupted the rendering on the HMI application, or is this actually an attack? Because the engineering teams are going to want to tell us most of the time that we've got a problem, we need that environment to be as clean as possible so we can eliminate "we shot ourselves in the foot" as a real problem. But just coming to the table and being willing to listen, that's a really big deal, and then not saying no all the

time. Before we had a lot of security tools or the ability to automate, or when people didn't really understand that security is a problem, IT and IT security ended up being the security Nazi. That's no longer a realistic customer relationship model. If I'm to make the process more resilient, I have to understand what it's doing, what they need to be able to do, and what technology they're using to solve those problems, and then I can begin security. But if I don't understand those three things first, I can't do it well and they're not going to work with me. So the sugar and caffeine bribes, I'm telling you, those work really, really well. I just went ahead and I printed up

a whole bunch of signs at big poster size that I take with me when I go out to sites: "Hi, I'm the trifecta of evil, I have bribes." And I post them at whatever temporary location I'm in; I actually post that, and they're really big and gaudy so they can't miss it. But I put the cookies and sugar right next to my desk so they can't come in and just sneak them out without talking to me. Just in case you're worried about how to do that effectively, I've got a whole bunch of things I've learned about how sneaky engineers are about getting food and not trying to talk to the evil person from IT. Any other questions? Okay, see, this

is where it starts getting exciting. So this question was how we begin to defend against the second payload. So Jason talked to me about the second payload problem, I think in January 2016 at S4x16, and I talked to the OSIsoft team, who are doing some interesting use of bow-tie analysis to anticipate stuff. If I start looking at functional failures or historic events on the physical process, I can actually walk back and look at commonalities and say, oh, okay, these things happen nine times out of ten because this widget didn't work, or we didn't send data at the right time, or we lost power, or something, right? There's

there's a lot of commonalities. If I can identify and associate the cyber resources that could make the same failure happen, that's what I have to defend. So I'll go in and start looking at what the worst-case scenarios are that my engineers and business people told me are critical impact for their process, and what are the historical incidents you've had with this. Once we get that, we can go back and identify the cyber resources and prioritize where we need to do our security work. That's been very successful; I've now done it at three different companies, and I mean, the best part about it was not just that we minimized our attack surface

exposure and got better visibility, but we saw a great deal more improvement in the process, because I was cleaning up administrative problems as well, like patch management. So we were able to say we got this twofer, right? We make your process more resilient and more effective, and we can see attacks coming. So if we start with the worst-case scenarios the engineering teams give us, we can identify from there and limit. Okay, so the question was, did I consider a cyber kill chain to be similar to that of the... okay, so explain the question one more time.

Yeah.

Okay, so the question is, is there a kill chain for the development of a second payload, the physics payload? I think there is, right? So they're going to design, then implement, then maintain, then end-of-life; there's a different set of tools for each of those. If you're designing a second payload you have to know how the process works and you have to know what critical impact looks like. They're going to go to the safety and training records. So I just went back through and looked at some of our safety and training records and was like, oh my god, I was able to pull up, based on their safety lessons, what critical impact was before the team told me. So

that would be design time. I know then to flag those particular systems. So if I were trying to mitigate those attacks, for example, I don't want to put flags on all the data that trains you on how to actually run the software, what they use the application for, how the user access controls work, but that training data and that process-specific safety data is critical, and the ladder logic and the engineering design data is really valuable if you know how to interpret it, or get an engineer who can explain it to you. But there's a set number of targets they would have to go to to prep the data. For data and

data acquisition, they're going to acquire the data off my servers; we know kind of how they're going to do that. I can track the data with regular DLP tools. But implementation: how do they get point of entry? How do they get point of entry to the financial process? Do they take over someone's user account, or do they, like with the business executive compromises, send us all email? That's how they're entering the financial transaction. So yes, it does mirror it; we just have to kind of step back and look at it a little bit weirdly. Okay, um, I don't know if that's a liberal arts kind of thing, but I'm gonna go ahead and tell you now that when I talk

to the other type of people, they don't see it that way. I see the similarities: the design, implementation, maintenance and end-of-life, those are the same across the board when you're planning an attack, either cyber or physics payloads; it's the same concept. So if we can study that, then we should be able to anticipate.


Hey, yeah, so, all right, so the comment was that you've noticed people who really like technology, like if you like to rip malware apart, do you really want to go talk to the engineering teams or do business impact analysis? So that's kind of a big difference in personality, just like the makers versus breakers thing is. But why wouldn't we then run a blended team, if we know that the two payloads are a problem and that we need one team to look at the bits and bytes and the heavy-duty technical? Why then, when we have a security person who likes to play, say we're a major bank, why would we want to

have a security person who likes to look at cyber fraud or accounting practices? I mean, I've been telling you, these guys are the hecklers, I tell you. Good for the team. I tend to like the people and the workflow stuff more; I don't really actually like the reverse engineering thing, I hate coding, so I kind of fill that role when I'm working with them. So it is a different skill set, but if the attack teams are running a blended team, why wouldn't our defensive team be blended? It's just unfortunate that sometimes that means talking to legal people, and, I think, are there any lawyers in the room? Okay, good. God knows, I'm highly suspicious of any security

person who wants to talk to lawyers, and when you're running an incident you always have to talk to them at that point. So I have to find someone else to do it, since I don't want to.

Right, so Barry's comment is that when the ICS teams, the engineering teams, are doing a process risk analysis, which they do up front, especially when they're designing a new process or a new plant, they always do these process risk analyses up front, and they have all this historical data about what goes wrong. If we get the cyber person in there, we can start getting ahead at the design time. And I'd tie it in conversely: if we had an incident, as a cyber person I'm starting to think that I don't want a cyber person to run the incident, to coordinate the incident management or response process. I want a non-technical person to do it, and then the cyber

person is just the technical SME and support. Whereas in the past the cyber people have run the incident, I don't think that's going to be a sustainable model long term, unless you're with a small shop. But with big teams I don't think they'd be able to do it.

All right, so I don't know if y'all heard that, but the NIMS process, which focuses more on incident response holistically rather than just the technical, is incorporating that more: again, a holistic approach that includes people who can communicate, who can document and who can do the business analysis. If you haven't looked at it, it's worthwhile to take a look at it. Any other questions? All right, well, thank you for your time. If you've got any questions afterwards, I'll be here for a little bit cleaning up, and I'll be here tomorrow. So thank you for your time and thank you for your patience. [Applause]