
Page 1: Links to Additional IoT/ICS Security Content · Links to Additional IoT/ICS Security Content Phil Neray, VP of Industrial Cybersecurity SANS Webinar September 24, 2019

Links to Additional IoT/ICS Security Content

Phil Neray, VP of Industrial Cybersecurity

SANS Webinar, September 24, 2019

Page 2

Current State of Industrial Cybersecurity

Based on data collected by CyberX from 850+ production OT networks across 6 continents & multiple sectors

Download full report: cyberx-labs.com/risk-report-2019

• Anti-Anti-Virus: 43% with anti-virus, 57% no anti-virus

• Mythical Air-Gap: 40% internet connections detected, 60% no internet connections

• Broken Windows: 53% sites with unsupported Windows boxes, 47% only modern Windows versions

• Hiding in Plain Sight: 69% plain-text passwords, 31% encrypted passwords

Page 3

Threat Scenarios Detected by CyberX in NIST ICS Report

• Unauthorized Device Is Connected to the Network

• Unencrypted HTTP Credentials

• Unauthorized Ethernet/IP Scan of the Network

• Unauthorized SSH Session Is Established with Internet-Based Server

• Data Exfiltration to the Internet via DNS Tunneling

• Unauthorized PLC Logic Download

• Undefined Modbus TCP Function Codes Transmitted to PLC

• Data Exfiltration to the Internet via Secure Copy Protocol

• Virus Test File Is Detected on the Network

• Denial-of-Service Attack Is Executed Against the ICS Network

• Data Exfiltration Between ICS Devices via UDP

• Invalid Credentials Are Used to Access a Networking Device

• Brute-Force Password Attack Against a Networking Device

• Unauthorized PLC Logic Update – Robotics System

• Unauthorized PLC Logic Update – Process Control System

Download executive summary: cyberx-labs.com/resources/nist-recommendations-for-iot-ics-security/
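Several of the scenarios above are protocol-level checks on traffic to a PLC. As an added example (not code from the CyberX deck or the NIST report), the block below shows the kind of logic behind "Undefined Modbus TCP Function Codes Transmitted to PLC": a minimal MBAP/PDU parser classifies each frame's function code against the public codes and the user-defined ranges of the Modbus Application Protocol specification and reports anything else, plus malformed headers. The frames, IP addresses and severity labels are constructed for the example.

```python
"""Check Modbus/TCP frames for function codes outside the public set.

Added example, not code from the CyberX deck or the NIST report. The sample
frames, addresses and severity labels below are constructed.
"""
import struct
from typing import Iterable

# Public function codes defined in the Modbus Application Protocol spec.
PUBLIC_FUNCTION_CODES = frozenset(
    {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}
)
# Ranges the spec reserves for vendor/user-defined functions.
USER_DEFINED_RANGES = ((65, 72), (100, 110))

MBAP_HEADER_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)


def parse_frame(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into MBAP fields and the PDU; raise on malformed input."""
    if len(frame) < MBAP_HEADER_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_HEADER_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # The MBAP length field counts the unit id plus every PDU byte.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame)}")
    return {
        "transaction_id": tid,
        "unit_id": unit,
        "function_code": frame[MBAP_HEADER_LEN],
        "data": frame[MBAP_HEADER_LEN + 1:],
    }


def classify_function_code(fc: int) -> str:
    """Return 'exception', 'public', 'user-defined' or 'undefined' for a function code."""
    if fc & 0x80:  # high bit marks an exception response from the server
        return "exception"
    if fc in PUBLIC_FUNCTION_CODES:
        return "public"
    if any(lo <= fc <= hi for lo, hi in USER_DEFINED_RANGES):
        return "user-defined"
    return "undefined"


def scan_frames(frames: Iterable[tuple[str, str, bytes]]) -> list[dict]:
    """Return one finding per frame that is malformed or carries a non-public code."""
    findings = []
    for src, dst, frame in frames:
        try:
            parsed = parse_frame(frame)
        except ValueError as err:
            findings.append({"src": src, "dst": dst, "severity": "alert",
                             "kind": "malformed", "detail": str(err)})
            continue
        fc = parsed["function_code"]
        kind = classify_function_code(fc)
        detail = f"function code {fc:#04x} sent to unit {parsed['unit_id']}"
        if kind == "undefined":
            findings.append({"src": src, "dst": dst, "severity": "alert",
                             "kind": kind, "detail": detail})
        elif kind == "user-defined":
            # Vendor extensions are legal but should match the site's baseline.
            findings.append({"src": src, "dst": dst, "severity": "notice",
                             "kind": kind, "detail": detail})
    return findings


# Constructed sample traffic (not a real capture): (client, PLC, raw frame).
SAMPLE_FRAMES = [
    # Read Holding Registers (0x03), 10 registers from address 0: normal.
    ("10.0.0.5", "10.0.0.20", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Write Single Register (0x06): public code, normal.
    ("10.0.0.5", "10.0.0.20", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),
    # Function code 0x5a: not public and outside the user-defined ranges.
    ("10.0.0.77", "10.0.0.20", b"\x00\x03\x00\x00\x00\x03\x01\x5a\x00"),
    # Function code 100 (0x64): inside a user-defined range, worth a notice.
    ("10.0.0.77", "10.0.0.20", b"\x00\x04\x00\x00\x00\x02\x01\x64"),
    # Protocol id 1 instead of 0: malformed MBAP header.
    ("10.0.0.77", "10.0.0.20", b"\x00\x05\x00\x01\x00\x02\x01\x03"),
]


if __name__ == "__main__":
    for f in scan_frames(SAMPLE_FRAMES):
        print(f"{f['severity']:6} {f['src']} -> {f['dst']}: {f['kind']} ({f['detail']})")
```

Run against the constructed frames, the two normal reads and writes produce nothing, the 0x5a frame raises an alert, the 0x64 frame a notice, and the bad protocol id a malformed-frame alert. In a real deployment the public set would be narrowed further to the codes each PLC is known to accept, so that, for instance, a write function code reaching a device that is only ever read also stands out.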

Page 4

Example from NIST Report

Page 5

How CyberX Supports the NIST Cybersecurity Framework (CSF)

CSF functions and the matching CyberX capability areas: Identify (Threat Insight), Prevent (Threat Prevention), Detect (Threat Detection), Respond (Threat Response), Recover (Threat Recovery)

Capabilities shown on the slide:

• Asset discovery

• Network topology mapping

• Automated OT threat modeling

• OT vulnerability management & risk mitigation

• Identifying unauthorized remote access & weak credentials

• Native integration with firewalls & NACs

• Continuous OT monitoring with patented behavioral anomaly detection

• OT threat intelligence feeds

• Deep forensic & threat hunting tools

• Native apps for SIEM integrations

• Automated reporting to stakeholders

• Integration with IT Service Management (ITSM) and orchestration tools

Page 6

CyberX Value Proposition

To accelerate our clients’ digitalization & Industry 4.0 initiatives with the simplest and most robust solution for reducing risk from IoT/ICS network threats and unmanaged devices.

Page 7

CyberX at a Glance

Only industrial platform built by blue-team experts with a track record defending critical national infrastructure

• Founded in 2013

• $48M raised from leading investors including Qualcomm, Norwest Venture Partners (NVP)

• Partnerships with leading security companies & MSSPs worldwide

• Simplest, most mature and most interoperable solution

• Only IoT & ICS security firm with a patent for its M2M-aware threat analytics

Page 8

Challenges We Address for Clients

• IoT & ICS Asset Discovery: What devices do I have, how are they connected — and how are they communicating with each other?

• Continuous IoT & ICS Threat Monitoring, Incident Response & Threat Hunting: Do we have any IoT or ICS threats in our network — and how do we quickly respond to them?

• Risk & Vulnerability Management: What are risks to our “crown jewel” IoT & ICS assets — and how do we prioritize mitigation?

• Operational Efficiency: How do I identify & rapidly eliminate inefficiencies from misconfigured or malfunctioning equipment?

• Unified IT/OT Security Monitoring & Governance: How do we leverage existing investments — people, training & tools — to centralize IT/OT security in our SOCs?

Page 9

How We’re Different

• Easiest to Deploy: agentless; no rules or signatures; no prior knowledge of OT network

• Most Mature: most scalable; most comprehensive; most interoperable; backed by experts

• Patented M2M Analytics: faster learning period; faster detection; more accurate

Page 10

Simple, Non-Invasive Deployment – Agentless Monitoring

• Network traffic data is taken from a SPAN port on a network switch in the OT network

• That traffic feeds proprietary Deep Packet Inspection and Network Traffic Analysis (NTA)

• Optional additional inputs: CMDB asset data, firewall rules, etc.

Page 11

Partnered with Global Technology Leaders

Page 12

CyberX Native Apps for IBM QRadar, Splunk, ServiceNow, …

Page 13

More than 1,200 Installations Worldwide

• 2 of the top 5 US energy utilities

• Top 5 global pharmaceutical company

• Top 5 US chemical company

• National electric utilities across EMEA & Asia-Pacific

• National energy pipeline & distribution company

• Top 3 UK gas distribution utility

• Largest water desalination plant in western hemisphere

• …and more

Page 14

Recognized ICS Threat Intelligence

Continuously Discovering New ICS Zero-Day Vulnerabilities

CyberX threat research featured in Chapter 7

Advisories shown, with the vulnerability type for each:

• ICSA-15-300-03A: buffer overflow

• ICSA-15-351-01: buffer overflow

• ICSA-17-087-02: arbitrary file upload, buffer overflow

• ICSA-18-228-01: uncontrolled search path element, relative path traversal, improper privilege management, stack-based buffer overflow

• ICSA-17-339-01D: improper input validation (DDoS)

• ICSA-16-306-01: buffer overflow

• ICSA-16-026-02: buffer overflow

• ICSA-17-278-01A: buffer overflow

Page 15

For More Information

IoT/ICS Security Knowledge Base

• Threat & vulnerability research — white papers

• Transcripts & recordings from past SANS webinars

• CyberX “Global ICS & IIoT Risk Report”

• Presenting OT Risk to the Board

• NIST Recommendations for IoT & ICS Security

• NISD Executive Guide

CyberX vulnerability research featured in Chapter 7 — free download from CyberX

See Us at Upcoming Events

• Cyber Security for Critical Assets (CS4CA) APAC (Sept. 25-26, Singapore)

• Cyber Security for Critical Assets (CS4CA) Europe (Oct. 1-2, London)

• Executive Seminar: Ensuring Cyber Resilience for Industrial & Critical Infrastructure (Oct. 2, Chicago)

• OilComm (Oct. 2-3, Houston)

• ManuSec USA (Oct. 8-9, Chicago)

• Executive Seminar: Ensuring Cyber Resilience for Industrial & Critical Infrastructure (Oct. 17, London)

• ICS Cyber Security (Oct. 21-24, Atlanta)

• Cyber Security for Critical Assets (CS4CA) LATAM (Oct. 29-30, Sao Paulo)

• API Cybersecurity for Oil & Gas (Nov. 12-13, Houston)

• Palo Alto Network IGNITE Europe (Nov. 13-15, Barcelona)

• Executive Seminar: Ensuring Cyber Resilience for Industrial & Critical Infrastructure (Nov. 21, Auckland)

Page 16

Thank You

[email protected]