Chapter 13 - 04 - Discuss the Security in OT-enabled Environments - 02_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
loT and OT Security

International OT Security Organizations
OQ Global cybersecurity organizations such as OTCSA and OT-ISAC are committed to providing appropriate
s
N =
security policies and insights into improving the security resilience of critical infrastructures

resourcen
tesowoes ¥W in contact
Operational Technology Cyber
Security Alliance (OTCSA).
» OTCSA educates operators and manufacturers R Operationat
The ot Technology
Tecteiogy Cyoms Bemty Allance
Cyber Secunty Ao
with constant technical awareness and provides Meeting the security
guidelines to apply essential changes, updates, challenges of a digital world
integrations, etc.

v [t
[ ]

M March
March 31,
31, 2021
2621
MITRE ATT&CK for ICS: How OT Stakeholders Can Benefit

https//otcsolionce.org

Copyright © by EEC-Council
CL cil AN Rights Reserved,
Reserved. ReproductionIs Strictly Prohibited

International OT Security Organizations
As OT is being widely spread and interconnected with IT, security researchers need to be more
cautious and implement strong security policies to strengthen the OT networks. Some global
cybersecurity organizations are committed to providing appropriate security policies and
insights into improving the security resilience of critical infrastructures.
Listed below are a few international organizations that alert companies of threats and provide
IT/OT solutions to protect the OT industries against cyber-attacks.
= OTCSA

Source: https://otcsalliance.org
The Operation Technology Cybersecurity Alliance
(OTCSA) educates operators and
manufacturers with constant technical awareness and provide guidelines to apply
essential changes, updates, integrations, etc. The security team in OTCSA also provides
support in understanding OT security challenges and solutions to safeguard the assets of
the industry.

Module 13 Page 1625 Certified Cybersecurity Technician Copyright © by EG-Gouncil
EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
loT and OT Security

blog 3,‘.’,?,',',‘,3,8; resources ¥ in contact

-

The Operational Technology Cyber Security Alliance

Meeti.ng the security
challenges of a digital world

]

March 31, 2021

MITRE ATT&CK for ICS: How OT Stakeholders Can Benefit

Figure 13.25: Screenshot of OTCSA

= OT-ISAC

Source: https://www.otisac.org
The Operational Technology Information Sharing and Analysis Center (OT-ISAC) is a core
hub to share threat information among OT industries such as energy and water utility
sectors. The organization offers various tools and techniques to exchange information
securely between the OT/IT spectrum to protect industrial systems or networks against
malicious intrusions. Being associated with various information sharing centers, the OT-
ISAC obtains information regarding imminent threats and provides timely solutions to
fortify the industrial systems of registered companies.

Module 13 Page 1626 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
10T and OT Security

%) OT-ISAC RTINS, TEOSELOST
TEOSCLOST PACMITON NG
BN MO MULTES CENTER

HOME m WHATWEDD PARTNERS EVENTS GRF NETWORK NEWS

ABOUT US
Operational Technology Information Sharing and
Analysis Center (OT-ISAC) Is a secure threat
Information sharing community, for warning and
mitigation.

A member company can securely and anonymously
share threat information with OT-ISAC analysts who
further enrich and disseminate actionable alerts,
intelligence and best practices for all community
members to defend themselves and take mitigating
action against malicious actors, their tools, and system
exploits.

OT-ISAC also partners with government, private
vendors and other information sharing organizations to
acquire and disseminate timely and relevant
Information for the resilience of member companies.

Figure 13.26: Screenshot of OT-ISAC

Module 13 Page 1627 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
loT and OT Security
l1oT

OT Security Solutions
1 * Firewalls are used in the network for monitoring and controlling the incoming and outgoing network
Firewalls | traffic
1 * You can use firewall solutions such as SCADAWall, and Waterfall for securing the OT network

Unified Identity !I *®= Access management helps industries to centralize certain operations like adding, securing, changing, and
and OT Access : removing user access to the OT systems
Management 1 * You can use tools such as OTaccess, and FireEye for identifying and managing access to industrial systems

Asset Inventory I1 =® Asset inventory helps in connecting only authorized devices to the network and detect vulnerabilities
and Device : in the devices
Authorization I1 * Youcan
You can use tools such as SCADAfence, and CyberLens for asset inventory and device authorization

OT Network I = OT network monitoring employs machine learning algorithms for easy detection and identification of
Monitoring and : malicious behaviors
Anomaly Detection | = You can use tools such as Claroty, and OT ThreatFeed for OT network monitoring and anomaly detection

Decoys to 1
1 **= Decoys are honeypots used in OT environments to lure attackers to reveal their presence and activities
Deceive 1
Attackers 1 * You can use decoy tools such as ThreatDefend, Conpot, and GasPot for protecting the network

Copyright © by EC-Ce
EC-Co L AN Rights
Rights Reserved. Reproduction
Reproduction IIs Strictly Prohibited.

OT Security Solutions
The industrial and corporate sectors are rapidly digitizing their operational value chain, giving
access to OT devices from a broader range of the Internet. The cost of managing security in the
heavy industrial sectors is being largely overlooked, leading to several security challenges.
Hence, it is considered safer for all the industrial sectors to invest in cybersecurity programs
and solutions.
Cybersecurity professionals should deploy solutions by sensibly examining the recent
cybersecurity challenges and requirements they face in the current trend that can be combined
with suitable operational changes. Hence many incumbent OEM providers and start-ups have
developed several recent tactics and technologies for protecting the OT environment.

As the heavy industries have a decentralized nature, the security solutions can be integrated
into all technology-linked decisions across IT and OT. In addition, the second line of defense can
be implemented by using Information Risk Management (IRM). Some industries also provide a
third line of defense by implementing internal audit functions.
Some of the emerging technology solutions used by organizations to protect the OT
environment are as follows:
"= Firewalls
Firewalls

Firewalls are used in a network for monitoring and controlling the incoming and
outgoing network traffic. Firewalls help in improving security controls by inspecting the
traffic that traverses the gateway between the OT and IT networks. They can also help in
identifying and blocking new threats. Thus, the attacker can be limited from traversing
between the networks after compromising a system. It is also advisable to employ the
critical assets and systems in a DMZ away from the SCADA systems.

Module 13 Page 1628 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
loT and OT Security

Security professionals can use tools such as SCADAWall, Waterfall, and Palo Alto NGFW
for protecting the network.
= Unified Identity and OT Access Management
Access management helps industries to centralize certain operations like adding,
securing, changing, and removing user access to the OT systems. All this data is linked
with the organization’s identity-management system, which can provide strong
authentication. The access management helps minimize the attack risk by providing the
least privileges to superuser accounts. This helps the security personnel to trace the
critical assets and helps in identifying the attack sources.
Security professionals can use tools such as OTaccess, FireEye, etc. for identifying and
managing access to industrial systems.
= Asset Inventory and Device Authorization

Asset inventory helps in connecting only authorized devices to the OT network, and it
can detect all the connected devices. It can also detect the vulnerabilities in the devices,
which are categorized based on the device manufacturer, version, and type. These tools
can also be used to identify faults in the connected devices in the network, and it can
also enhance the efficiency of the device.
Security professionals can use tools such as SCADAfence, CyberLens, Guardian, and
Dragos for asset inventory and device authorization.
= OT Network Monitoring and Anomaly Detection

OT network monitoring is used for constantly monitoring the systems in industrial
networks. These monitoring tools help in tracking the traffic in a non-invasive way.
These tools perform anomaly detection, which is the process of identifying any
malicious or unexpected events. Most of these tools use machine-learning algorithms
for easy detection and identification of malicious behaviors.

Security professionals can use tools such as Claroty and OT ThreatFeed for OT network
monitoring and anomaly detection.

= Decoys to Deceive Attackers

Decoys are honeypots used in the OT environment that incorporate deception
technology to automate the creation of traps or decoys to lure the attackers into
revealing their presence and activities. This adds an extra layer of protection from
attackers trying to penetrate the industrial network.

Security professionals can use tools such as ThreatDefend, Conpot, and GasPot to
protect the network.

Module 13 Page 1629 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
10T and OT Security

OT Security Tools

O - |
° Flowmon
Flowmon empowers manufacturers and utility companies to ensure the
reliability of their industrial networks to avoid downtime and disruption
of service continuity

@ Togs
Togsomtonnnn
lomtonenn for oot
0t 170 bunes
beewy S|G
| Strutere
St ool serhen
seevhion At
Ik fss bt
bt 070 bens
deans S| T e matrseeran
sy | tenable.ot \
https://www.tenable.com
& Profles 1.1[
el L
| haa L

©
3¢ Analysls

Forescout
https://www.forescout.com

PA-220R
ot hoedoe bybernsd
Bt bewned F114 6042
042 PHIE
PRI 00140108
D014 0108 B4 https://www.paloall
https://www.paloali ks.com
Let
R ot R ovrt Psl Iet Bter stS 1)T L Raaiy
e
Asion o

e..
fote bb bsvermel
Dote b 1114 st 4107
10 20200 1114
gy01 | e Fortinet ICS/SCADA solution
@O Tip ivtmns ke e
Tig it 100 fon
oved 100 fin https://www.fortinet.com
Bt fos dyborsad
£t dyborsal
J004 G427
JO04 6422 3000
2000 20204 805
845
(armanen 100 10 ey Trewrerres sk tan
e o s
s b @ Posts
oty weth tep ot searmtons
searmbonsfoe
fee |

®
e o
e "- “ i o [ o 10 10
(bt
Y
oo
N IS
o
Y WS S
"
Y TS
"
ST YT
Nozomi Networks Guardian
Butae bl
et bl 3614
614 6032
6132 2288
2385 3614 6130
4130 38
B3H ( https://www.nozominetworks.com

https/fwww. flowmon.com
htps//www.flowmon.com

Copyright © by EC All Rights Reserved. Reproduction Is Strictly Prohibited

OT Security Tools
Discussed below are various tools you can use to secure OT systems and networks:
* Flowmon
Flowmon

Source: https://www.flowmon.com
Flowmon empowers manufacturers and utility companies to ensure the reliability of
their industrial networks confidently to avoid downtime and disruption of service
continuity. This can be achieved by continuous monitoring and anomaly detection so
that malfunctioning devices or security incidents, such as cyber espionage, zero-days, or
malware, can be reported and remedied as quickly as possible.

Module 13 Page 1630 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
1oT and OT Security
loT

(-1 Dashboard
() & Top hostnames for last 12 hours x @ Steucture of services traffic for last 12 hours &
@ Top source autonomous systems (.f.
@
©® Sources Oistrvution of TOP 10
Distribution of TOP 10 s- Distribution of TOP 10

- 3
g~g Profiles M
xl‘. tR}
ER )
P“ ~L] 1 g | S L ekl g 1L A 1..[ A
€ Analysis Jaa 27 2004
Jan 000
00 100 400
a0 ol
[ Jan 20 2004

Reports WITP hostname
MHTTP hostname Transterrea
Transterred e s> Source ASAS
Source vits/s
bits/s Trare
Tran
Servico vitsss
n saupdate.dnsmlorg 7.56 bt [ o WrATHI
297,67 kvl 1
L Alerts i | oscodminceentay 18818.
[ e 45.00 8
45.00m8 116 M0/s
1,16 Mb/s.48 k005
3.68 k05
B3
BB ruesyerpongs).amazonkws.con
ruesyerporgsd.amazonsws.con 18360
1.8 W8 ) : o [| 22 QUEUENEN
JUEUENEN 40K/.40 kD78 an.
e 00. e r.08m8
r.08 M8 9.52 4013
13 1.36
1.34 kbis
ks
BN servecesanves.cz 3.00 K8 B Msterinternet
Master internet 20083075
209.63b/s 11.C
g Active devices
g~ = ::' “'“. "" w [y e
Y 4
ERAT YITO MBS
YLIOMDS 904,36 b/s
905,36 5o
KN n,
stancom :
67740 sro
[ It 1.06 M8
1.06M8 PR
443008 20044
20068 b/sb/ KW ost turcpe
Host Curope 82.48b/s
2150/ 278
08
n 100053t
S
50T 1IN
T000::5820:2)50:0771:7900):5357
RIS
399K
19
SR
WE _——
[y. oo 141,59 0818 71200/.o
Y 20.670/3
26,67 b/s
' Gt
GrbH
192.168.3, 11415087 3.65 kb BEW Heteesr Onine
tetzear Oniva A00b/s
8L 284
214
e - B e tiap
\ oon obi
obls obss
obs 3
192,160.3,13118387
192,160,310 30:5387 35
350 = :"”; " - oor. onrl
[7 L
el b oblsil obrs s -
N CLSNET 2.3.p.0.
cosnerzape. W2
1920/ 10
o
A1 B
192.164.3.200:5)57
192,160.3,13018387
192,168.3,120:8387
|
23708
2400
24000
[ T T TT
T I YT S BT LTS
I wcrosort
mrosoft
Corparation
Corporation
24300
743008 4,

swupmf. adobe.com e
478 Dita for interval
Data for aterval 2014.01:27
2014.01:27 2055
20:55 -- 2014-01-28
2014-01-78 06:55
06155 o£ B
- Qoudmark,
Coudnark, lnc.
Inc. 2.75bis
ERETE) a0
“0.
Il Concast
concast Catle
Catie 5.40b/3
f.400/5 n.
@ Structure of averall
overall traffic for last 12 hours -" Connuscations,
Connurcations,
Ing,
Inc,
Bl
BEl Amzoncon,
Amzon.com, 2904
2800.1.
19m
19m [[ 1ne,
nc,

-~- im
a TOR 1010
TOF a Wb/
304,42
w0 kb

| Data for
Data for §nterval
nterval 2014.01:27
2014.01:27 20:00
20:00 -- 2014-01:28
2014-01-28 (o
(.. f i5H) wox
o l I |. ‘| Blacklisted
Blacklisted 0 b
obs

eN Aot
L 1.2ebh
12664
X¥
° Ao
Jan 3T
27 2004 o0t
0% 100
10 400.o
(X Jan
Jan 20
20 2004
2014
Yotal
Yotal 304,43 kb
304.4) khis
@ Top network services over TCP for
Data for bnterval
nterval 2014.01:27 20:00 - 2014014
201401+
Distribution of TOP 10
Distribution of TOP 10 source
Source Transterred maxsmal bits/s bitsss
bits/s
[1. R 17660
1,76 G0 1,42 /s
Mb73 Ja849an7s
348,490078
@
@ losts
losts with
with top
top data
data transfers
transfers for
for ||. on
op obis onls
ovls
[T
[y e ob
ov ovls
ovis ovrs
ovis Oistribution of
Onstribution of TOP 10
TOP 10. 00 on
op obis ovis
= = LT | 700 | aMa | ek
Any
L Port snsferred
Transterred
"5 :n'": Data for faterval 20140127 20:55 - 2014-01:28 08:55
Data for fnteryal 2014:01:27 20:55 - 2014-01:28 06:55 G
bt
— smtp 45,02
02 W
M8

Figure 13.27: Screenshot of Flowmon

Listed below are some additional tools for securing an OT environment:
= tenable.ot (https.//www.tenable.com)
= Forescout (https://www.forescout.com)
= (https.//www.paloaltonetworks.com)
PA-220R (https://www.paloaltonetworks.com)
* Fortinet ICS/SCADA solution (https://www.fortinet.com)
(https.//www.fortinet.com)

=* Nozomi Networks Guardian™ (https.//www.nozominetworks.com)

Module 13 Page 1631 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.