cip malicious code with...cip-003-8; cip-005-6 •ids/ips cip-007-6 •authentication cip-10-3...

Kenath Carver

Manager, CIP Compliance Monitoring

CIP Malicious Code

2

November 18, 2020

Antitrust Admonition

Texas Reliability Entity, Inc. (Texas RE) strictly prohibits persons

participating in Texas RE activities from using their participation as a

forum for engaging in practices or communications that violate

antitrust laws. Texas RE has approved antitrust guidelines available on

its website. If you believe that antitrust laws have been violated at a

Texas RE meeting, or if you have any questions about the antitrust

guidelines, please contact the Texas RE General Counsel.

Notice of this meeting was posted on the Texas RE website and the

open portion of this meeting is being held in public. Participants should

keep in mind that the listening audience may include members of the

press, representatives from various governmental authorities, and

industry stakeholders.

Kenath Carver

Manager, CIP Compliance Monitoring

CIP Malicious Code

4

November 18, 2020

THREATS + VULNERABILITIES = RISKS

Reliability & Security

Compliance Controls

5

November 18, 2020

Risks

Advanced Persistent Threat

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)

Malicious Code and Communications

SQL Injection

Malware

Virus

Trojan

Spyware

Ransomware

Worm

Social Engineering

Black Energy

Stuxnet

Spectre

Cryptolocker

WannaCry

Spear Phishing

Dragonfly

OilRig

Sandworm

6

November 18, 2020

Industrial Control Systems

Programable Logic

Controllers

Distributed Control Systems

Supervisory Control and

Data Acquisition

Remote Terminal Units

Human-Machine Interface

Intelligent Electronic Devices

Data Historian RelaysCommunication

Processors

7

November 18, 2020

Lockheed Martin - The Cyber Kill Chain®

Reconnaissance Weaponization Delivery Exploitation InstallationCommand &

ControlActions on Objectives

8

November 18, 2020

The MITRE Corporation (MITRE) - ATT&CK®

Initial Access

Execution Persistence Evasion DiscoveryLateral

MovementCollection

Command and Control

Inhibit Response Function

Impair Process Control

Impact

9

November 18, 2020

The Cyber Kill Chain® versus ATT&CK®

Reconnaissance

Weaponization

Delivery

Exploitation

Installation

Command & Control

Actions on Objectives

ATT&CK®

1. Initial Access

2. Execution

3. Persistence

4. Evasion

5. Discovery

6. Lateral Movement

7. Collection

8. Command and Control

9. Inhibit Response Function

10. Impair Process Control

11. Impact

10

November 18, 2020

ATT&CK® for Industrial Control Systems

Initial Access

• Data Historian Compromise

• Drive-by Compromise

• Engineering Workstation Compromise

• Exploit Public-Facing Application

• External Remote Services

• Internet Accessible Device

• Replication through Removable Media

• Spear Phishing Attachment

• Supply Chain Compromise

• Wireless Compromise

CIP-003-8; CIP-005-6

• Network segmentation

CIP-007-6

• Host-based Firewall

• Security Patch Management

• Antivirus protection

• White-listing

• Security Event Logs

• Authentication

CIP-010-3

• Vulnerability assessments

CIP-013-1

• Supply Chain Risk Management

11

November 18, 2020


Execution• Change Program State

• Command-Line Interface

• Execution through API

• Graphical User Interface

• Man in the Middle

• Program Organization Units

• Project File Infection

• Scripting

• User Execution

CIP-004-6• Access Management

CIP-003-8; CIP-005-6• IDS/IPS

CIP-007-6• Authentication

CIP-10-3• Baseline Configuration

• Baseline Monitoring

12

November 18, 2020


Persistence

• Hooking

• Module Firmware

• Program Download

• Project File Infection

• System Firmware

• Valid Accounts

CIP-004-6

• Account privileges auditing

CIP-003-8; CIP-005-6

• Network Segmentation

• Inbound and outbound permissions

CIP-010-6

• Software and security patch authenticity and integrity

13

November 18, 2020


Evasion

• Exploitation for Evasion

• Indicator Removal on Host

• Masquerading

• Rogue Master Device

• Rootkit

• Spoof Reporting Message

• Utilize/Change Operating Mode

CIP-007-6


• Antivirus protection

• White-listing

CIP-010-3

• Baseline Configuration



14

November 18, 2020


Discovery

• Control Device Identification

• I/O Module Discovery

• Network Connection Enumeration

• Network Service Scanning

• Network Sniffing

• Remote System Discovery

• Serial Connection Enumeration

CIP-003-8; CIP-005-6


• Multi-factor Authentication

CIP-012-1

• Encrypt Network Traffic

15

November 18, 2020


Lateral Movement

• Default Credentials

• Exploitation of Remote Services

• External Remote Services

• Program Organization Units

• Remote File Copy

• Valid Accounts

CIP-004-6

• Access Management

CIP-005-6


CIP-007-6

• White-listing Software


• Password Policies

CIP-010-3

• Monitoring Baselines

• Vulnerability Scanning


16

November 18, 2020


Collection

• Automated Collection

• Data from Information Repositories

• Detect Operating Mode

• Detect Program State

• I/O Image

• Location Identification

• Monitor Process State

• Point & Tag Identification

• Program Upload

• Role Identification

• Screen Capture

CIP-005-6



CIP-004-6

• Personnel Training


CIP-007-6

• Authentication

• Password Policies

CIP-011-2

• Information Protection

• Encryption

17

November 18, 2020


Command and Control

• Commonly Used Port

• Connection Proxy

• Standard Application Layer Protocol

CIP-005-6


• IDS/IPS

CIP-007-6

• Ports and Services

18

November 18, 2020


Inhibit Response Function

• Activate Firmware Update Mode

• Alarm Suppression

• Block Command Message

• Block Reporting Message

• Block Serial COM

• Data Destruction

• Denial of Service

• Device Restart/Shutdown

• Manipulate I/O Image

• Modify Alarm Settings

• Modify Control Logic


• Rootkit

• System Firmware

• Utilize/Change Operating Mode

CIP-004-6


CIP-005-6



CIP-007-6

• Authentication

19

November 18, 2020


Impair Process Control

• Brute Force I/O

• Change Program State

• Masquerading

• Modify Control Logic

• Modify Parameter

• Module Firmware


• Rogue Master Device

• Service Stop

• Spoof Reporting Message

• Unauthorized Command Message

CIP-004-6

• Account Management

CIP-005-6


CIP-007-6

• White-listing

CIP-010-3


20

November 18, 2020


Impact

• Damage to Property

• Denial of Control

• Denial of View

• Loss of Availability

• Loss of Control

• Loss of Productivity and Revenue

• Loss of Safety

• Loss of View

• Manipulation of Control

• Manipulation of View

• Theft of Operational Information

CIP-008-6

• Identification, classification, and response to Cyber Security Incidents.

CIP-009-6

• Redundancy

• Backup and Recovery

CIP-011-2

• Data loss prevention

• Encryption

21

November 18, 2020


Audit

• Processes, Procedures, Plans, etc.

• Network Traffic

• Blocked and allowed communications

• Access and Privileges

• Security Event Logs

• Baselines

• Internet Access

• Wireless

• Network Interface Cards

• Vulnerability Assessments

22

November 18, 2020

Resources

• https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

The Cyber Kill Chain®

• https://attack.mitre.org/matrices/enterprise/MITRE ATTACK®

• https://cve.mitre.org/cve/MITRE CVE List Home

• https://nvd.nist.gov/NIST National

Vulnerability Database

23

November 18, 2020

Resources

• https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF

Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities

• https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

E-ISAC SANS Ukrainian Attack Report

• https://www.ferc.gov/sites/default/files/2020-09/FERC%26NERC_CYPRES_Report.pdf

2020 FERC, NERC and REs Report Cyber Planning for Response and Recovery

Study (CYPRES)

24

November 18, 2020

Questions?

cip malicious code with...cip-003-8; cip-005-6 •ids/ips cip-007-6 •authentication cip-10-3...

Documents