Chapter 13 - 04 - Discuss the Security in OT-enabled Environments - 02
Uploaded by barrejamesteacher, 2021
Certified Cybersecurity Technician Exam 212-82 - IoT and OT Security

International OT Security Organizations

- Global cybersecurity organizations such as OTCSA and OT-ISAC are committed to providing appropriate security policies and insights into improving the security resilience of critical infrastructures.
- The Operational Technology Cyber Security Alliance (OTCSA) educates operators and manufacturers with constant technical awareness and provides security guidelines to apply essential changes, updates, integrations, etc.

[Slide screenshot of https://otcsalliance.org: "The Operational Technology Cyber Security Alliance - Meeting the security challenges of a digital world", showing the blog post of March 31, 2021, "MITRE ATT&CK for ICS: How OT Stakeholders Can Benefit"]

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

As OT is increasingly widespread and interconnected with IT, security teams need to be more cautious and implement strong security policies to strengthen OT networks. Some global cybersecurity organizations are committed to providing appropriate security policies and insights into improving the security resilience of critical infrastructures. Listed below are a few international organizations that alert companies to threats and provide IT/OT solutions to protect OT industries against cyber-attacks.

- OTCSA

Source: https://otcsalliance.org

The Operational Technology Cyber Security Alliance (OTCSA) educates operators and manufacturers with constant technical awareness and provides guidelines to apply essential changes, updates, integrations, etc. The security team in OTCSA also provides support in understanding OT security challenges and solutions to safeguard the assets of the industry.

Module 13 Page 1625 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Figure 13.25: Screenshot of OTCSA

- OT-ISAC

Source: https://www.otisac.org

The Operational Technology Information Sharing and Analysis Center (OT-ISAC) is a core hub for sharing threat information among OT industries such as the energy and water utility sectors. The organization offers various tools and techniques to exchange information securely across the OT/IT spectrum to protect industrial systems and networks against malicious intrusions. Being associated with various information sharing centers, OT-ISAC obtains information regarding imminent threats and provides timely solutions to fortify the industrial systems of registered companies.

[Screenshot of https://www.otisac.org: "Operational Technology Information Sharing and Analysis Center (OT-ISAC) is a secure threat information sharing community, for warning and mitigation. A member company can securely and anonymously share threat information with OT-ISAC analysts who further enrich and disseminate actionable alerts, intelligence and best practices for all community members to defend themselves and take mitigating action against malicious actors, their tools, and system exploits. OT-ISAC also partners with government, private vendors and other information sharing organizations to acquire and disseminate timely and relevant information for the resilience of member companies."]
Figure 13.26: Screenshot of OT-ISAC

OT Security Solutions

- Firewalls
  - Firewalls are used in the network for monitoring and controlling incoming and outgoing network traffic.
  - You can use firewall solutions such as SCADAWall and Waterfall for securing the OT network.
- Unified Identity and OT Access Management
  - Access management helps industries centralize operations such as adding, securing, changing, and removing user access to OT systems.
  - You can use tools such as OTaccess and FireEye for identifying and managing access to industrial systems.
- Asset Inventory and Device Authorization
  - Asset inventory helps in connecting only authorized devices to the network and in detecting vulnerabilities in the devices.
  - You can use tools such as SCADAfence and CyberLens for asset inventory and device authorization.
- OT Network Monitoring and Anomaly Detection
  - OT network monitoring employs machine learning algorithms for easy detection and identification of malicious behaviors.
  - You can use tools such as Claroty and OT ThreatFeed for OT network monitoring and anomaly detection.
- Decoys to Deceive Attackers
  - Decoys are honeypots used in OT environments to lure attackers into revealing their presence and activities.
  - You can use decoy tools such as ThreatDefend, Conpot, and GasPot for protecting the network.

The industrial and corporate sectors are rapidly digitizing their operational value chain, exposing OT devices to a broader range of the Internet. The cost of managing security in the heavy industrial sectors is largely overlooked, leading to several security challenges. Hence, it is safer for all industrial sectors to invest in cybersecurity programs and solutions. Cybersecurity professionals should deploy solutions after carefully examining the current cybersecurity challenges and requirements they face, combined with suitable operational changes. Many incumbent OEM providers and start-ups have therefore developed new tactics and technologies for protecting the OT environment. As the heavy industries have a decentralized nature, security solutions can be integrated into all technology-linked decisions across IT and OT. In addition, a second line of defense can be implemented using Information Risk Management (IRM). Some industries also provide a third line of defense by implementing internal audit functions.

Some of the emerging technology solutions used by organizations to protect the OT environment are as follows:

- Firewalls

Firewalls are used in a network for monitoring and controlling incoming and outgoing network traffic. Firewalls improve security controls by inspecting the traffic that traverses the gateway between the OT and IT networks. They can also help in identifying and blocking new threats. Thus, an attacker who has compromised a system on one side is limited from traversing into the other network. It is also advisable to place the systems that must be reached from both sides (for example, historians and jump hosts) in a DMZ between the IT and OT networks, so that IT hosts never connect directly to the SCADA systems.

Security professionals can use tools such as SCADAWall, Waterfall (whose products are unidirectional security gateways rather than conventional firewalls), and Palo Alto NGFW for protecting the network.

- Unified Identity and OT Access Management

Access management helps industries centralize operations such as adding, securing, changing, and removing user access to OT systems. All this data is linked with the organization's identity-management system, which can provide strong authentication. Access management helps minimize attack risk by enforcing least privilege, including for superuser accounts. This helps security personnel trace who accessed the critical assets and helps in identifying the source of an attack.

Security professionals can use tools such as OTaccess and FireEye for identifying and managing access to industrial systems.

- Asset Inventory and Device Authorization

Asset inventory helps in connecting only authorized devices to the OT network, and it can detect all the connected devices. It can also detect vulnerabilities in the devices, which are categorized based on the device manufacturer, version, and type. These tools can also be used to identify faults in the connected devices on the network and can enhance the efficiency of the devices.

Security professionals can use tools such as SCADAfence, CyberLens, Guardian, and Dragos for asset inventory and device authorization.

- OT Network Monitoring and Anomaly Detection

OT network monitoring is used for constantly monitoring the systems in industrial networks. These monitoring tools track the traffic non-invasively, typically from a mirrored copy (SPAN port or network TAP) rather than by actively probing devices, since active scans can disrupt fragile controllers. These tools perform anomaly detection, which is the process of identifying any malicious or unexpected events. Most of these tools use machine-learning algorithms that learn a baseline of normal traffic and flag deviations from it, for easier detection and identification of malicious behaviors.

Security professionals can use tools such as Claroty and OT ThreatFeed for OT network monitoring and anomaly detection.

- Decoys to Deceive Attackers

Decoys are honeypots used in the OT environment that incorporate deception technology to automate the creation of traps or decoys to lure attackers into revealing their presence and activities. This adds an extra layer of protection against attackers trying to penetrate the industrial network.

Security professionals can use tools such as ThreatDefend, Conpot, and GasPot to protect the network.

OT Security Tools

- Flowmon (https://www.flowmon.com): Flowmon empowers manufacturers and utility companies to ensure the reliability of their industrial networks to avoid downtime and disruption of service continuity.
- tenable.ot (https://www.tenable.com)
- Forescout (https://www.forescout.com)
- PA-220R (https://www.paloaltonetworks.com)
- Fortinet ICS/SCADA solution (https://www.fortinet.com)
- Nozomi Networks Guardian (https://www.nozominetworks.com)

Discussed below are various tools you can use to secure OT systems and networks:

- Flowmon

Source: https://www.flowmon.com

Flowmon empowers manufacturers and utility companies to ensure the reliability of their industrial networks confidently, to avoid downtime and disruption of service continuity.
This can be achieved by continuous monitoring and anomaly detection, so that malfunctioning devices or security incidents, such as cyber espionage, zero-days, or malware, can be reported and remedied as quickly as possible.

[Figure: Flowmon dashboard screenshot. Panels: Top hostnames for last 12 hours; Structure of services traffic for last 12 hours; Top source autonomous systems; Active devices; Structure of overall traffic for last 12 hours; Top network services over TCP; Hosts with top data transfers. Data interval 2014-01-27 20:55 - 2014-01-28 06:55.]

Figure 13.27: Screenshot of Flowmon

Listed below are some additional tools for securing an OT environment:

- tenable.ot (https://www.tenable.com)
- Forescout (https://www.forescout.com)
- PA-220R (https://www.paloaltonetworks.com)
- Fortinet ICS/SCADA solution (https://www.fortinet.com)
- Nozomi Networks Guardian™ (https://www.nozominetworks.com)
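As an added example, not part of the EC-Council module and not the code of any product named above, the following Python script shows the two checks that the "Asset Inventory and Device Authorization" and "OT Network Monitoring and Anomaly Detection" solutions perform: learn from mirrored traffic which hosts speak Modbus/TCP to which PLC and with which function codes, refuse devices that are not in the authorized inventory, and alert when a known client issues a function code (above all a write) that it never used during the baseline period. The host addresses, unit ids and Modbus frames are constructed for the example; the function-code meanings are those of the Modbus application protocol specification.

```python
"""
Passive Modbus/TCP asset inventory, device authorization and anomaly
detection. Added illustration only: not code from the course or from any
vendor named in it. Every host address, unit id and frame below is
constructed for the example.
"""
import struct
from collections import defaultdict

# Modbus function codes that change process state (per the Modbus
# Application Protocol Specification); everything else used here is a read.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil",
    6: "Write Single Register", 15: "Write Multiple Coils",
    16: "Write Multiple Registers", 22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}


def modbus_frame(tid, unit, pdu):
    """Build a Modbus/TCP request: MBAP header + PDU. The MBAP length field
    counts the unit id byte plus the PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(frame):
    """Parse the MBAP header (transaction id, protocol id, length, unit id)
    and the function code. Returns None for anything that is not a
    well-formed Modbus/TCP frame (protocol id must be 0, length must match)."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": unit, "function": frame[7]}


def build_inventory(observations):
    """Learn, from mirrored traffic, which clients use which function codes
    and which servers (PLCs) answer for which unit ids. Nothing is sent to
    the devices, so this is safe to run against fragile controllers."""
    clients, servers = defaultdict(set), defaultdict(set)
    for src, dst, frame in observations:
        req = parse_modbus_tcp(frame)
        if req is not None:
            clients[src].add(req["function"])
            servers[dst].add(req["unit"])
    return {"clients": dict(clients), "servers": dict(servers)}


def detect(observations, baseline, authorized):
    """Flag (1) hosts not in the authorized inventory, (2) malformed frames,
    and (3) a client using a function code it never used during the
    baseline. A first-time write is rated HIGH: an HMI that only ever polled
    registers suddenly writing them is what a pivot from IT looks like."""
    alerts = []
    for src, dst, frame in observations:
        if src not in authorized or dst not in authorized:
            alerts.append(f"UNAUTHORIZED {src} -> {dst}")
            continue
        req = parse_modbus_tcp(frame)
        if req is None:
            alerts.append(f"MALFORMED {src} -> {dst}")
            continue
        fc = req["function"]
        seen = baseline["clients"].get(src, set())
        if fc not in seen:
            sev = "HIGH" if fc in WRITE_FUNCTIONS else "LOW"
            name = FUNCTION_NAMES.get(fc, f"function {fc}")
            alerts.append(f"{sev} {src} -> {dst} unit {req['unit']}: "
                          f"new {name}, baseline {sorted(seen)}")
    return alerts


# Constructed topology: the HMI and historian read from the PLC; the
# engineering workstation is the only host that legitimately writes to it.
HMI, HIST, EWS, PLC = "192.168.10.5", "192.168.10.7", "192.168.10.20", "192.168.20.11"
AUTHORIZED = {HMI, HIST, EWS, PLC}
READ_HR = b"\x03" + struct.pack(">HH", 0, 10)                      # FC3: 10 registers from 0
WRITE_MR = b"\x10" + struct.pack(">HHB", 0, 1, 2) + b"\x00\x00"    # FC16: 1 register at 0

BASELINE = [
    (HMI, PLC, modbus_frame(1, 1, READ_HR)),
    (HMI, PLC, modbus_frame(2, 1, b"\x04" + struct.pack(">HH", 0, 4))),
    (HIST, PLC, modbus_frame(3, 1, READ_HR)),
    (EWS, PLC, modbus_frame(4, 1, READ_HR)),
    (EWS, PLC, modbus_frame(5, 1, WRITE_MR)),
]
LIVE = [
    (HMI, PLC, modbus_frame(10, 1, READ_HR)),                                # normal poll
    (EWS, PLC, modbus_frame(11, 1, WRITE_MR)),                               # legitimate write
    (HMI, PLC, modbus_frame(12, 1, WRITE_MR)),                               # HMI never wrote before
    ("10.0.0.99", PLC, modbus_frame(13, 1, b"\x01" + struct.pack(">HH", 0, 8))),  # unknown host
    (HIST, PLC, b"\x00\x0e\x00\x00"),                                        # truncated frame
]


def run_example():
    """Learn the baseline from the constructed traffic, then score the live
    traffic against it. Returns the list of alert strings (three here)."""
    return detect(LIVE, build_inventory(BASELINE), AUTHORIZED)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

In a real deployment the observation tuples would come from a SPAN or TAP capture rather than from constructed lists, the baseline would be learned during a window known to be clean and re-learned after every sanctioned engineering change, and the authorized set would be maintained from the asset inventory rather than hard-coded. The ordering of the checks matters: an unknown device is reported before its frame is parsed, so a malformed or hostile frame from an unauthorized host still produces a single, unambiguous alert.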