
So, thank you to all the sponsors today, and it is fantastic to be here with the Kansas City community. So we think about the sky is falling, or at least I do, from my background in threat analysis within the Department of Defense and the national intelligence community for over 20 years. When we talk about threats I usually try to emphasize both the most dangerous and the most common courses of action, and that's why we kind of built this early. So when I got out of threat intelligence, in my mind, with those understandings, we then come back into the reality of trying to integrate that threat intelligence with our customers and clients, and we find that the maturity level may not necessarily be there within the ICS and SCADA operational technology spaces. So we are going to break this down with a traditional risk model: we're talking about threats, vulnerabilities, risk, and risk management actions.

A little bit about myself: like I said, 20 years of experience in government intelligence and cyber operations in the intelligence community, working counterterrorism and [unclear] all over the world, and then additionally on the consulting side focusing on utilities and municipalities and, in addition to that, government facilities.

I will give you two disclaimers before I ever give a speech on threat intelligence; if you've heard me speak, you've seen exactly this. I will sit there and say the information is based on aggregated open source data, and I'm not going to give any secrets away during the course of this conversation. The other is that when I'm talking about a nation-state APT I may say "Russia does this" or "China does that"; I want to specifically say that I'm talking about a government entity, I'm not talking about people, so I am not in any way, shape or means trying to be disparaging toward those people.

So we've got a threat overview of the ICS and SCADA workspaces. We have three different main problem sets: insiders, malicious and non-malicious, and then we also have ransomware as a critical vector in 2018. And then within the United States we may see more types of reconnaissance activities from China, we may see more types of activities from North Korea, and also Iran: once we instituted sanctions against Iran we've seen an increase in targeting, in open source data and reports of that. But the one I will definitely talk to you about is Russia.

So the first part I want to talk about is insider threats. Depending on who you look at, whether you look at McKinsey and Company or [unclear], this number is basically, from my perspective, somewhere from 50 to 60 percent of all cyber incidents. If I'm just going on that 60, that means that leaves thirty-nine point nine nine nine percent out there that is probably [unclear] that would never get in if it wasn't for network administrators and security professionals, and that leaves about point zero zero one percent focused on the number of attacks that are actually possible by threat actors when you've got good network security and you've got good user groups and people are actually doing things right, based upon stats. The other report that you have to come back into, from last year, really looked at what [unclear] did in the research and documented policies: they said about one out of every 200 employees intentionally breaks company policy every quarter. So that's a pretty high number; it grew on me when thinking about a large corporation where people are actively going against your corporate policies and procedures. But when I look at insider threats and malicious insiders, having worked with a former person who's now in prison (in reality I worked two steps away from that person), whether I think about insider threats inside the national intelligence community or within ICS, it all comes down to this: malicious insiders, these people who are actively trying to steal information. And within ICS and SCADA spaces you have a lot different problem. In 2000 there was a person who was denied a permanent position at a water treatment company; at that point they immediately started dumping raw sewage into the tanks of the water treatment plant, basically poisoning the water of that facility. In addition to that, in February 2014 they terminated an employee at a company; however, they didn't take away his access when they terminated him. He walked into the facility and caused multiple different system failures, and they went to about 1.1 million dollars in damages plus power outages. So we do see malicious insider threats in ICS and SCADA as being a larger problem.

In 2018 everybody is on about cryptojacking, with ransomware and the increase of ransomware. As I was saying, in the ICS and SCADA workspaces you have a major problem, and that major problem is the fact that most of the time small and medium utilities are legally small local governments, and if you hit a small government with a ransomware attack it can shut a whole city down. One of the cities that was taken offline, that was September of 2015, was Beatrice, Nebraska, a very small town; the whole city was shut down, and the only city service they had was the ability to contact 911 until they were able to recover from the ransomware attack. The National Guard was deployed to help out with this attack; it was a pretty intense ransomware attack and response. The other two that you come back into are West Haven, Connecticut and also [unclear] water treatment. One of these, when they were attacked, said yeah, we're not going to pay the $2,000; the other one, in Connecticut, in the middle of a hurricane, did decide to pay, and they paid $10,000 in ransom to recover their systems.

Now, if I come back into the threat actors in this space, I always like to talk about threat actors from a perspective of geopolitical knowledge, and I hate utilizing APT numbers, and in addition to those APT numbers, the little funny names: you cannot talk to an executive and say hey, I think Fancy Bear or Cozy Bear are in our systems, because it just sounds weird and not noteworthy, and with other things like Sandworm and [unclear] it just gets even more [unclear]. But I want to break this down from geopolitical knowledge. Fancy Bear is the Main Intelligence Directorate, the GRU, of the Ministry of Defense of Russia; Cozy Bear is the Federal Security Service of Russia. So you can break those two APTs down through correlation of open-source data and identify whose attack it is. I've been in the military for over 20 years, so I kind of understand the way that the GRU operates from a cyber attack position,
and also, working in intelligence, I kind of understand the way that intelligence operates and the way the differences between those organizations may operate. That becomes critical when we look at ICS hacking around the world.

The first one we'll go to is the Ukraine, the Main Intelligence Directorate, starting in 2015. Is anyone familiar with this hack? A lot of you? Awesome. There's a lot of you who aren't, so I'm going to go ahead and talk through this. This is a political situation where Russia overtakes Crimea, and after the overtaking of Crimea the Russians are still demanding that the Ukrainians provide them electricity. Everybody knows this is coming: that eventually the Ukrainians are going to say no and turn it off, and they know Russia's going to cyber hack them back. So maybe they were prepared for that and thought about this ahead of time. Sure enough, they turn off the power and Russia cyber hacks them back, and makes the cyber hack on December 23rd, 2015, that affects that area and also another grid up in the north of the Ukraine. So it turns off power to hundreds of thousands of people. Now, as you look at how much power they turned off: they took off power for about 400,000 people by the numbers, right, and it took that power off for a number of hours completely, and then when they switched back to manual they had to stay on manual for months in order to keep power on, and they still suffer continual [unclear].

How did this attack happen? Well, this attack happens the same way they always do: you are never going to attack directly into a network and into a secure VPN; it's going to start with a human. The GRU, Fancy Bear, likes to do this because they like to do phishing attacks, so what better way to get in than a simple Excel spreadsheet phishing attack. The user opens that attachment and it lands on that machine. One of the most interesting things is that all these APTs are going to living-off-the-land attacks, and there is no actual install on the hard drive; it is all run off of RAM, and there is never a reboot of any of these corporate systems. Once it goes from that system they're looking for specific things; they get more hops until they get to the IT admin and establish command and control back to Russia. Once they establish command and control back into Russia, they attach onto this administrator and screen-capture basic stuff, here to get passwords, and then they hit the firewall that segments the IT and the OT systems. If you study ICS hacking there is a specific ICS cyber kill chain. This is why people don't do this: because once you've gone through the IT system you have to go through a firewall back into the OT system. This leads back into the [unclear], where typical exploitation is here today, gone tomorrow: you maintain a foothold and all of a sudden someone patches something on your computer. But they kept it, and they kept this inside the OT network, where you have all these agents and usually Linux boxes.

So I have a question for you: how long does it take to do the attack? Did anyone say eight months? [audience guesses; there is a root beer truck outside after the luncheon] So, not eight months. It took three months to get in and build, and then they held it for about another three, but for the most part I would say six months is about how long, and they want to make sure that everything's in place and working.

Once it happens, they hit the system. When they hit the system they immediately start attacking the IT admin; he notices that this attack is going on. Now I know you're all here thinking that when you see an attack going on you'd pull the cables; nobody does that. As soon as an attack goes on, the first thing that everyone will do, what all IT departments do, is they're going to turn the machine off and turn the machine back on again, and by the time that happens this attack is over and it's done, because this part of the attack takes 3 minutes. 3 months to build it, 3 months to maintain it, 3 minutes to make it happen. In the process, as he's logging back on and off right there, they change his password and knock him out of the account. He tries to go to a different computer, [unclear]; they go back through the tunnels that they built to the HMI; they've destroyed the UPS systems that they had in place at that site; they wiped the [unclear] and PLCs with the firmware; they back off and they wipe all the devices that they've connected to, which is at this point everything; and they go back to Russia, thereupon making incident response forensics nearly impossible.

The other thing Russia did here is NotPetya. This is the one that people will ask me about: as a person [unclear], what keeps you up at night? And it is NotPetya. NotPetya is the most expensive cyberattack the world's ever seen, causing over 1.2 billion dollars in lost revenue, hitting over 12,000 recorded victims in over 80 different countries. But it was primarily a focused attack, focusing on energy and focusing on gas, through a third-party vector. Doing what we do at Burns & McDonnell, we see these third-party vectors in their systems all the time, and we understand that this is going to be a major attack. However, when this stuff goes across: NotPetya is not internet-scanning, and it is not automatically downloaded, not automatically run; it does require actual execution, and it could get a whole lot worse if it were more like [unclear]. The weird thing is, just like a lot of [unclear], if you pay the ransom with NotPetya you will get nothing, even if you just pay the $300. So it's the same kind of malware that we see now with IoT devices.

So, anyone here: it was freaky, right here in Kansas, right across the street, the companies around Kansas City, right across the street in Kansas: this is the first reported site where they saw Russian activity inside the United States. Going then to 2015/2016, that's when they started to see Russian activity against US utilities inside of America that went out to 500 different locations. The first initial reports said they didn't actually get into the systems, and then they said well, they might have control over some of the systems, and then the report came out that yes, you could actually start turning on switches through the human-machine interfaces. So that is where we were at as far as Russia attacking. What's really funky about that is that on the same systems we saw both actors, Fancy Bear and Cozy Bear, hitting the same things, which is not uncommon in Russia, where two agencies will enter the same room at the same time to compete with each other; and this is FSB and GRU both trying to develop these capabilities.

Why are they developing these capabilities? Good question. There are three different doctrines that I could talk about right there. One is information conflict theory, where Russia sees themselves as constantly in an information conflict with the United States. Another one would be that they love deception. But the other one is the Gerasimov doctrine, produced in 2015 by the Main Intelligence Directorate, and that right there shows that the emergence of capability is when they want to start to pinpoint and develop attack capabilities for future operations, and also reconnaissance to understand third-party members and third-party entrance into the ICS space. Look up Gerasimov, G-E-R-A...; and [unclear] is correct that it is a deceptive doctrine, but it's generally the same thing; it has a lot of pull right now.

Now, with all of that, I'm gonna turn this over from the sky is falling, from the ceiling to where Russia may be going [unclear], and I'm gonna turn this over to Josh Maggie, who's been doing this for a very long time.

Oh man, the Russians are [unclear]. My name's Josh; 19 years [unclear], primarily focused on cybersecurity engineering, assessments, risk management, and security consulting for utilities and government facilities. I actually got my start from one of our sponsors here, [unclear] Security; Phil, who's here, took a chance on a very young and dumb entry-level cybersecurity professional and gave me a chance, and I haven't looked back since. I'm covering the vulnerability portion at a high level. That's not to say that threats are not important and we shouldn't be a little worried about how to prepare for all the nation-state and other actors, but the maturity level of the ICS and SCADA systems that we've come across is much lower; they're jumping straight to threats and whatever the latest hot topics are in security [unclear].

So let's talk about the reality of ICS and SCADA networks. In general their number one priority is availability; if any of you are familiar with the CIA triad (I'm sure everybody here should be), I would argue they probably also care about integrity, but mostly nothing else matters so long as the system remains operational and safe. There's a lack of direct security experience: from what we've seen, most unregulated entities don't have a dedicated security resource, and even if they did, you can't force them to [unclear]. As in patching vulnerabilities, ICS and SCADA systems are expensive to build and you can't just rip and replace without causing major disruption to the process that you're running. So vendors don't really have an incentive. ICS and SCADA systems are designed with very long life cycles, and your typical system is geared to last 20-plus years; during a life cycle, [unclear] vulnerabilities. However, going back: Positive Technologies released a report in 2018 called Industrial Companies: Attack Vectors, and in 73 percent of networks penetration testers were able to gain access to corporate networks; in two-thirds of their test cases [unclear], a lot of it was misconfigurations at the perimeter, you know, simple stuff. In a hundred percent of their test cases they used either dictionary-based passwords, brute-forced credentials, or known vulnerabilities. Obviously most networks have segmentation flaws; the report, you know, stated that eighteen percent have little or no segmentation at all. It's our experience, based on what we've seen so far, that that's actually closer to the fifty percent range. In 64 percent of test cases the flaws in segmentation were actually [unclear] creating and enabling remote access. I can't tell you how many times we have heard that "this system is standalone, air-gapped," and I ask, do you have remote capabilities? And the answer is almost always yes. Well then, it's not really standalone or air-gapped, you know. Pivoting from your corporate assets into your ICS and SCADA systems is the most common attack vector.

So this is some high-level vulnerability data that we've gathered over the course of doing our assessments. A properly tuned non-credentialed scan on an ICS system will return on average close to 14 medium-level findings and [unclear] critical findings per asset.
When we have credentialed scans this number jumps to about 54 medium and almost 130 high or critical. I get asked a lot, why do we do non-credentialed scans? The argument typically goes, doesn't that lead to a lot of false positives and not very effective results? And the answer is yes and no. For one, you at least get an external view of your system, and two, believe it or not, sometimes the biggest problem we face during assessments is that administrators just don't know their passwords to these systems: these systems were put in place 10 or 15 years ago and nobody ever wrote them down, whatever.

This leads to the next point. It really doesn't matter, right; a cybersecurity person telling you vulnerabilities isn't that important. I mean, a lot of cybersecurity enthusiasts, professionals and practitioners only focus on technical findings, and that is only part of the equation; you need to actually build out a full-fledged cybersecurity program. When you only focus on vulnerabilities you end up building a culture that just chases those findings, and don't get me wrong, vulnerability scanning is an important part of any cybersecurity program you put in place, but again, it's just a portion of it; it's not the end. Most ICS networks we've seen don't even have proper architecture in place; they don't even know what assets they have. So starting there isn't really gonna give you much: what are you scanning? You can build a house on a terrible foundation and your house can look super nice, but it's still going to fall. The point I'm trying to make is, don't get so wrapped up in technical findings that you forget to move forward, or get so overwhelmed that you don't make progress.

We're going to switch gears a little bit; we're going to talk about risk management, risk profiles, and a little bit about the actions you can take to move yourself through the maturity process. Risk management is about management, and "management" is the key word there. Some organizations think it's about eliminating all risk, and that's impossible. All systems operate with risk, especially the ICS and SCADA systems that make up our critical infrastructure, right, the reason why when we flush the toilet it goes away. From a simplistic view, risk is your threats times vulnerabilities. I mean, wow, depending on your maturity level you can come up with fancier equations for threats and vulnerabilities. It's important to understand where you're headed; your security program is here to help you manage your risk, but that's the end goal, that's not where you start. The solutions you put in place should always be based around that. So you can pretty much extrapolate, you know, the maturation process into three phases: ad hoc, compliance-driven, and a risk-based approach. Pretty much every small to mid-sized organization that has an ICS or SCADA system falls into the ad hoc model. They're underfunded, understaffed, it's misunderstood, with minimal leadership support. Frankly, this is brand new to them: these types of systems haven't been connected as long as we're used to on the IT side of the house, so they're learning, right. You've got to learn the problem before you can even walk, from there.

So there are some things you can do to get started. It's really about starting at the organization level: organization engineering versus network engineering. What I mean by that is the body is the sum of its parts, meaning don't look at your business networks and the ICS networks as two separate, unrelated things. This leads to a continuity problem for your cybersecurity services: you end up developing policies and procedures that don't translate across each type of network, deploying incompatible technologies or technologies that don't play well together, and that hampers your ability to gain visibility and respond to incidents across your organization. All right, a lot of times, you know, in the ICS world we tend to just focus on ICS: your business network is bad, we don't want anything to do with it. And that's not the right answer. I mean, those systems, believe it or not (that's why I say it's really bad juju, but we don't have a choice), they're gonna be connected. There are a lot of legitimate business functions that require pulling data out of that network, so we can either fight it or we can embrace it and make sure that it's done securely.

One of the other things you can do is look at what third-party access you have into your environment. When you treat all of your networks across your organization as separate entities, you lose that visibility, right, and the last thing you want to happen is to be hit by a ransomware attack that may have originated with one of your vendors, who probably had more access than they should have, and it spreads across all of your networks, and because you didn't have an organization-wide backup policy or strategy, you end up rolling the dice and paying that ransom anyway, hoping you can restore your operations again. Right, the key takeaway here is the body is the sum of all of its parts; you can't just focus on one area of an organization, it has to be all of it.

Another thing you can do is identify your critical assets, services, and data. What are the things in your organization that would be detrimental if they went offline or leaked outside of the organization? What happens when the toilets no longer flush, right? What happens when those pumps don't kick in to move that [unclear] through? Those are some pretty important things. After you have identified what's critical, know the complete asset inventory; you can't protect what you don't know you have. And once you know what you have, check their patches. You don't need a vulnerability scanner to check patches; I mean, really, you use a vulnerability scanner to generate metrics on the successfulness of your patch management strategy, which should be documented in your cybersecurity program. And believe it or not, ICS systems can be patched; they might have long lead times, you might have to wait a while until you can actually sustain that kind of downtime, but it can be done if properly planned.

So, networks: this is really about your foundations, right. Regarding architecture, no amount of technologies, policies, procedures or security controls will ever fully correct or mitigate poor design decisions. So looking at the architecture: do you have segmentation properly implemented, and if you think so, do you really? Are you controlling your ingress and egress points? Do you have wireless on your networks, and does it need to be there, and if so, can you implement some sort of layer 2 encryption on top of your wireless to mitigate issues, and if so, does your risk tolerance even cover them? Lastly, how are you storing your passwords? That's a very common problem in the ICS and SCADA industry. We hear a lot of "we've got secure passwords, we require authentication and everything." Great, I'd love to hear that. So where are they stored? "Oh man, they're taped to our laptops." And our heads go down in defeat.
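The architecture questions in that section (is segmentation real, are ingress and egress points controlled, is the "standalone" system actually reachable remotely, is there unencrypted wireless on OT, do you know every asset) can be turned into a repeatable check. The block below is an added example by the editor, not code from the talk or from Burns & McDonnell: it runs a constructed zone plan, firewall rule list and asset inventory (all hypothetical addresses and names) through a few checks and returns findings. The policy it assumes, that only the DMZ may originate traffic into OT and that OT must not reach the internet, is an assumption for the example, not a standard the speakers cite.

```python
"""Editor's added example (not from the talk or Burns & McDonnell): a small
architecture check over a constructed zone plan, firewall rule set and asset
inventory. It flags paths into OT that bypass the DMZ, uncontrolled OT egress,
remote access into "standalone" OT assets, unencrypted wireless on OT, and
assets that fall outside every documented zone."""
from dataclasses import dataclass
from ipaddress import ip_network

# Hypothetical zone plan; the address ranges are assumptions for this example.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "corporate": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "ot": ip_network("192.168.100.0/24"),
}
# Policy assumed here: only the DMZ (and OT itself) may originate traffic into OT.
ALLOWED_INTO_OT = {"dmz", "ot"}


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR or host address
    dst: str      # CIDR or host address
    port: int     # 0 means any port
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    remote_access: bool       # a vendor or operator remote path exists
    wireless: bool            # reachable over a wireless segment
    wireless_encrypted: bool  # link-layer encryption on that segment


def zone_of(cidr: str) -> str:
    """Longest-prefix match of a CIDR or host against the zone plan."""
    net = ip_network(cidr, strict=False)
    best = "internet"  # 0.0.0.0/0 matches everything, so there is always a zone
    for name, zone in ZONES.items():
        if net.subnet_of(zone) and zone.prefixlen > ZONES[best].prefixlen:
            best = name
    return best


def rule_findings(rules):
    """Segmentation and ingress/egress findings from the allow rules, in rule order."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src, dst = zone_of(r.src), zone_of(r.dst)
        port = r.port or "any"
        if dst == "ot" and src not in ALLOWED_INTO_OT:
            findings.append(("high", "DIRECT_PATH_INTO_OT",
                             f"rule {i}: {src} {r.src} -> ot {r.dst} port {port} bypasses the DMZ"))
        if dst == "ot" and r.port == 0:
            findings.append(("high", "ANY_PORT_INTO_OT",
                             f"rule {i}: any-port allow from {r.src} into {r.dst}"))
        if src == "ot" and dst == "internet":
            findings.append(("high", "OT_EGRESS_TO_INTERNET",
                             f"rule {i}: {r.src} may reach the internet on port {port}"))
    return findings


def asset_findings(assets):
    """Inventory findings: undocumented assets, remote access into OT, open wireless on OT."""
    findings = []
    for a in assets:
        zone = zone_of(a.ip)
        if zone == "internet":  # no planned internal range covers it: inventory is incomplete
            findings.append(("medium", "UNZONED_ASSET",
                             f"{a.name} ({a.ip}) is in no documented zone"))
            continue
        if zone == "ot" and a.remote_access:
            findings.append(("high", "OT_REMOTE_ACCESS",
                             f"{a.name}: remote access exists, so it is not standalone"))
        if zone == "ot" and a.wireless and not a.wireless_encrypted:
            findings.append(("medium", "OT_WIRELESS_UNENCRYPTED",
                             f"{a.name}: wireless segment without layer 2 encryption"))
    return findings


def assess(assets, rules):
    """All findings, highest severity first (stable order within a severity)."""
    order = {"high": 0, "medium": 1}
    return sorted(rule_findings(rules) + asset_findings(assets), key=lambda f: order[f[0]])


# Constructed sample data for the example; not any utility's real configuration.
RULES = [
    Rule("10.10.0.0/16", "10.20.0.0/24", 443, "allow"),      # corporate -> DMZ historian
    Rule("10.20.0.0/24", "192.168.100.0/24", 502, "allow"),  # DMZ -> OT Modbus, the sanctioned path
    Rule("10.10.5.0/24", "192.168.100.0/24", 0, "allow"),    # engineering VLAN straight into OT
    Rule("0.0.0.0/0", "192.168.100.10/32", 3389, "allow"),   # vendor RDP from anywhere to the HMI
    Rule("192.168.100.0/24", "0.0.0.0/0", 0, "allow"),       # OT may talk to anything
    Rule("0.0.0.0/0", "192.168.100.0/24", 0, "deny"),
]
ASSETS = [
    Asset("hmi-01", "192.168.100.10", remote_access=True, wireless=False, wireless_encrypted=False),
    Asset("plc-pump-02", "192.168.100.20", remote_access=False, wireless=True, wireless_encrypted=False),
    Asset("historian", "10.20.0.5", remote_access=False, wireless=False, wireless_encrypted=False),
    Asset("old-rtu", "172.16.9.9", remote_access=False, wireless=True, wireless_encrypted=False),
]

if __name__ == "__main__":
    for sev, code, text in assess(ASSETS, RULES):
        print(f"[{sev}] {code}: {text}")
```

On the constructed data this reports seven findings: the engineering VLAN rule produces both a DMZ bypass and an any-port finding, the vendor RDP rule is a second bypass, the OT-to-anywhere rule is uncontrolled egress, the HMI with a remote path is not standalone, the PLC sits on open wireless, and the RTU at an undocumented address shows the inventory is incomplete. Feeding the real rule export and asset list through the same checks is the point; the zone plan and policy constants are where a utility's own decisions go.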
Now I'm gonna hand it back over to James, who's gonna walk you through a little happy surprise we put together, the happy surprise of our Fancy Bear and Cozy Bear.

Thank you very much, Josh, and thank you all very much for your attention today. So, happy surprise. So we've talked about the sky is falling, and we've really seen a very, I would say, formal vulnerability look at all the small and medium utilities [unclear]. Here's the happy surprise: if you do take a look and implement basic, key, fundamental network security and password security protocols, you can easily get to a position where it makes it much more difficult for a nation-state actor like Russia, an APT, to enter them. They may still be able to do it, I will never say they cannot, but you can limit the access from your non-trusted outside network; that is a simple fix on an issue. You can definitely have operator response, you can definitely stop the phishing and have some sort of protections on there at a very cheap scale, and also make sure that your firewalls, particularly SSH, are plugged, and Telnet as well, right. This is what we do at Burns & McDonnell; we'd love to talk with you about the future here in Kansas City. Additionally, you can definitely give us feedback through the QR codes.

Also, a little bit, because we could have about 20 more minutes, 50 more minutes, on this presentation [Music] [unclear]. So we're talking about a couple of things, and as we've talked about, one of them is about risk calculation [unclear]. I love it when you start thinking about threat times vulnerability and trying to put a number associated with it, which you could do through CVSS; you can start to come back in and understand different levels. So if we use a model and say, let's say your IT network is a 10 and a 10, you get to 100; just to throw numbers out there, if you look at it from an OT network, a 5 and a 5, that's 25. What does that mean? These are two totally different networks, so we have different network integration models. Well, if you take a DoD kind of standard on that, you're gonna do a high watermark. So a high watermark would put your total at about 125, and this is wrong, sorry, at a hundred: you're only gonna think about the most critical vulnerability and the most likely threat, and you're going to assess that [unclear]. If you do take some sort of risk aggregation in there, you'll take it and say maybe it's 125. But when we start to see larger threats coming into the ICS and SCADA spaces, we can do this; this is pretty crazy math, this is just a way that you could take a look at the math in risk management. It is that you have IT threats and OT threats, that they have different threat vectors, and different threat actors may want different things. You could add those together, along with the vulnerabilities on the system, because the vulnerabilities can flow both ways. You do that, and you end up with a much different risk than you would from just high watermark or basic risk aggregation.

[unclear] We were talking last night; I asked the question last night how risk was set and assessed for loss, and there is really no good way to do that from my perspective, also within the ICS and SCADA workspace, because people's basic [unclear] and lives are on the line with both of these two industries, and if we just look at it as the cost of the data or the cost of the assets, we're missing a large portion of what that cost can actually be and how that can affect a greater system. So that right there is the end of the slides; we're ready to answer questions if there are any.
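The three ways of combining the IT and OT scores in that last section (high watermark, basic aggregation, and the combined model) can be written down so the numbers are reproducible. The block below is an added example by the editor, not code from the talk: it uses the talk's scores (IT 10 and 10, OT 5 and 5) as constructed input, and reads "add the threats together along with the vulnerabilities, because the vulnerabilities can flow both ways" as total threat times total vulnerability, (T_IT + T_OT) x (V_IT + V_OT); that reading, the 1-to-10 scale, and the function names are assumptions. It generalizes to any number of networks, and `cross_terms` expands the combined product so you can see that the extra 100 points over plain aggregation are exactly the two cross terms, an IT-side threat reaching an OT-side vulnerability and vice versa.

```python
"""Editor's added example (not from the talk): the three ways of combining
per-network threat and vulnerability scores described at the end of the
presentation, computed over any number of networks."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Network:
    name: str
    threat: int         # assumed 1..10 threat score, as in the talk's "10 and 10"
    vulnerability: int  # assumed 1..10 vulnerability score

    @property
    def risk(self) -> int:
        """Per-network risk = threat x vulnerability (the talk's simplistic view)."""
        return self.threat * self.vulnerability


def high_watermark(nets) -> int:
    """Score only the single worst network: most likely threat against the most
    critical vulnerability, everything else ignored."""
    return max(n.risk for n in nets)


def aggregate(nets) -> int:
    """Basic risk aggregation: sum each network's own risk."""
    return sum(n.risk for n in nets)


def cross_flow(nets) -> int:
    """Combined model (editor's reading of the talk): total threat across all
    networks times total vulnerability across all networks, on the reasoning that
    a vulnerability on one network can be reached by threats on another."""
    return sum(n.threat for n in nets) * sum(n.vulnerability for n in nets)


def cross_terms(nets) -> dict:
    """cross_flow() expanded into (threat network, vulnerable network) pairs.
    The diagonal pairs sum to aggregate(); the off-diagonal pairs are what
    aggregation leaves out."""
    return {(t.name, v.name): t.threat * v.vulnerability for t, v in product(nets, nets)}


def compare(nets) -> dict:
    """All three models side by side for the same input."""
    return {
        "high_watermark": high_watermark(nets),
        "aggregate": aggregate(nets),
        "cross_flow": cross_flow(nets),
    }


# The talk's numbers, as constructed input.
NETWORKS = [Network("IT", 10, 10), Network("OT", 5, 5)]

if __name__ == "__main__":
    print(compare(NETWORKS))
    for pair, value in sorted(cross_terms(NETWORKS).items()):
        print(pair, value)
```

With the talk's numbers the three models give 100, 125 and 225. The gap between the last two is the two off-diagonal terms, IT threat against OT vulnerability (10 x 5) and OT threat against IT vulnerability (5 x 10), which is the "flows both ways" point made in words above; which model is appropriate depends on whether those cross paths actually exist in the architecture.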