A talk delivered by Vladimir Dashchenko at S4x19 in Miami on the history of Kaspersky Industrial Cybersecurity experience development: from delivering AV to investigation of sophisticated attacks and vulnerabilities in ICS hardware and software to providing the customers with threat intelligence and security awareness services and specific technologies for ICS threats detection and prevention.

1. How We Stopped Being Just Antivirus ─ And
Became A Unique Industrial Infrastructure
Defender

2. Most Tested. Most Awarded. Kaspersky Lab Protection.*
0%
20%
40%
60%
80%
100%
20 40 60 80 100
No of independent tests/reviews
Bitdefender
Sophos
G DATA
Symantec
F-Secure
Intel Security (McAfee)
Trend Micro
Avira Avast
AVG
ESET
In 2017 Kaspersky Lab products participated in 86
independent tests and reviews. Our products were
awarded 72 firsts and achieved 78 top-three finishes. Kaspersky Lab
1st
places – 72.
Participation in 86
tests/reviews.
TOP 3 = 91%
* Notes:
• According to summary results of independent tests in 2017 for
corporate, consumer and mobile products.
• Summary includes independent tests conducted by : AV-Comparatives,
VirusBulletin, ICSA Labs, SELabs, MRG Effitas, AV-Test.
• Tests performed in these programs assess all protection technologies
against known, unknown and advanced threats.
• The size of the bubble reflects the number of 1st places achieved.
ScoreofTOP3places
www.kaspersky.com/top3

3. Our Major Discoveries
2011
2010
2012
Stuxnet
Duqu
Gauss
Flame
miniFlame
2013 2014 2015 2016 2017
NetTraveler
Miniduke
RedOctober
Icefog
Winnti
Kimsuky
TeamSpy
CosmicDuke
Darkhotel
Regin
Careto / The
Mask
Epic Turla
Energetic Bear /
Crouching Yeti
Wild
Neutron
Blue
Termite
Spring
Dragon
Desert
Falcons
Carbanak
Equation
Animal
Farm
Darkhotel
- part 2
MsnMM
Campaigns
Satellite
Turla
Hellsing
Sofacy
Naikon
Duqu 2.0
ProjectSauron
Saguaro
StrongPity
Lazarus
Lurk
Adwind
Metel
Ghoul
Fruity Armor
ScarCruft
Poseidon
GCMan
Danti
Dropping
Elephant
Moonlight
Maze
ATMitch
ShadowPad
BlackOasis
WhiteBear
Silence
WannaCry
Shamoon 2.0
ExPetr/NotPetya
BlueNoroff
StoneDrill
https://apt.securelist.com

4. Anti Targeted Attack
Comprehensive multi-vector discovery and risk mitigation of advanced
threats and targeted attacks
Endpoint Security
The leading multi-layered endpoint protection platform, based on true
cybersecurity technologies
Cloud Security
Borderless security engineered for your hybrid cloud
Cybersecurity Services
Leveraging Threat Intelligence, Security Training, Incident Response
and Assessment from the world leader
Security Operations Center
Empowering your SOC with the tools and information to efficiently detect
and remediate threats
Fraud Prevention
Proactive detection of cross-channel fraud in Real Time
Financial Services Cybersecurity
Providing Financial Services with the tools to raise security levels,
prevent and predict cyber-incidents and respond efficiently
Telecom Cybersecurity
Efficient protection for telecoms infrastructure and information systems
against the most advanced cyberthreats
Healthcare Cybersecurity
Protecting healthcare infrastructures and sensitive clinical data
in a ruthless cyberthreat landscape
Data Center Security
Empowering your data center to detect and respond to the most
advanced cyberthreats
Government Cybersecurity
Security controls and services geared to the demands of government
organizations and related public bodies
Industrial Cybersecurity
Specialized protection for industrial control systems
Technological By Industries
Kaspersky Enterprise Security Solutions

5. Kaspersky Industrial CyberSecurity Expertise and Technologies

6. Kaspersky Lab ICS CERT structure
Vulnerability Researchers
Security auditors
Developers
Security analysts
Industrial engineers
2016
CVE Numbering
Authority

7. Kaspersky ICS CERT: ICS/IIOT Vulnerability Research
More than 170+ ICS / IIoT vulnerabilities have been found since 2016

8. Kaspersky ICS CERT: ICS/IIOT Vulnerability Research
Some of the ICS Vendors we helped
https://ics-cert.us-cert.gov/advisories

9. …This Gemalto solution is used in products by other
software vendors, including such companies as ABB,
General Electric, HP, Cadac Group, Zemax and many
other organizations, the number of which, according to
some estimates, reaches 40 thousand.
…Many products that use the OPC UA technology by
the OPC Foundation may include that server, making
them vulnerable to the XXE attack. This makes this
vulnerability much more valuable from an attacker’s
viewpoint...
Vulnerabilities in Common Components

10. Industrial Cybersecurity Assesments
https://www.securityweek.com/ics-security-experts-share-interesting-stories

11. TANK
Control Valve
Level Meter
Malicious overrides
of process setpoints
Tank overfill / fraud
Malicious changes
of PID parameters
Equipment overstress/disruption
Pump
Malicious changes of
measurement values
Tank overfill / fraud
Malicious changes of
process control logic
hydraulic surge, equipment
damage, emergency shutdown
Malicious STOP command
Process out of control
PLC
SCADA
OIL REFINERY POWER GRID
CHEMICALMANUFACTURING
Kaspersky ICS Security Assessment: Impact Analysis

12. Threat Intelligence
Web crawlers
BotFarm
Spam trap
Sensors
APT research team
Partners
OSINT
Honeypots
Kaspersky Lab
Statistics
Kaspersky Lab
Expert Systems
Kaspersky Lab
Analysis
Data Feeds Customer
3
1
4
Whitelisting
Kaspersky
Global Users
5
2

13. ►Threat data sources
►Kaspersky Security Network (KSN)
►Kaspersky Industrial CyberSecurity service projects
►Surveys
►Public sources
► ICS Computers protected by Kaspersky Lab products
►supervisory control and data acquisition (SCADA) servers;
►data storage servers (Historian);
►data gateways (OPC);
►stationary workstations of engineers and operators;
►mobile workstations of engineers and operators;
►Human Machine Interface (HMI).
►ICS Supply Chain participants
Kaspersky ICS CERT: Threat landscape for ICS

14. ►Main findings
►Random malware attacks in ICS
►Cryptominers in ICS
►Ransomware in ICS
►Remote administration tools (RATs)
►Mass-targeting campaigns
►Main sources of malware as always
►Web
►Removable devices
►Mail
Geographical distribution of attacks on industrial automation systems,
H1 2018, percentage of ICS computers attacked in each country
https://ics-cert.kaspersky.com/reports/2018/09/06/threat-landscape-for-industrial-automation-systems-h1-2018/
Kaspersky ICS CERT: Malware in ICS

15. Contribution to the global ICS/IIoT Security standardization

16. Contribution to the global ICS/IIoT Security standardization
Some of the released studies we contributed to

17. State of ICS Security Surveys
https://ics.kaspersky.com/media/2018-Kaspersky-ICS-Whitepaper.pdf

18. Kaspersky ICS Security trainings
Advanced Industrial CyberSecurity in Practice
• 2 DAYS, 10-20 specialists
ICS Penetration Testing for Professionals
• 5 DAYS, up to 10 professionals
ICS Digital Forensics for Professionals
• 4 DAYS, up to 10 professionals

19. Kaspersky ICS CERT: University Cooperation

20. KIPS is an exercise that places business decision makers IT
security teams from corporations and government
departments into a simulated business environment facing a
series of unexpected cyber threats, while trying to maximize
profit and maintain confidence.
Industrial scenarios:
• Oil & Gas
• Power station
• Water plant
• Transportation
References: Government agencies, BASF,
CERN, Mitsubishi, Yokogawa, RusHydro,
Panasonic, ISA, SANS,...
https://media.kaspersky.com/en/business-security/enterprise/KL_SA_KIPS_overview_A4_Eng_web.pdf
Kaspersky Interactive Protection Simulation (KIPS)

21. Kaspersky Lab ICS/IIOT Capture the Flag
Сapture the flag (CTF) contest is a competition for cybersecurity experts organized in the form of a game,
in which the participants solve computer security problems. They must either capture (attack/bring down)
or defend computer systems in a CTF environment.
https://ctf.kaspersky.com

22. Kaspersky Industrial Cybersecurity Conference
https://ics.kaspersky.com/conference/

23. SAS is an annual event that attracts high-
caliber anti-malware researchers, global law
enforcement agencies and CERTs and senior
executives from financial services, technology,
healthcare, academia and government
agencies.
►Nation state cyber-espionage and advanced threat actors
►Internet of Things
►Government surveillance issues and privacy rights
►Threats against banks, financial institutions
►Mobile Malware
►Critical infrastructure protection (SCADA/ICS)
►Law-enforcement coordination and information sharing
►Vulnerability discovery and responsible disclosure
Singapore
April 8-11, 2019
https://sas.kaspersky.com
Kaspersky Security Analyst Summit

24. Kaspersky Industrial CyberSecurity Products

25. KICS for Nodes – Industrial Endpoint Protection
Protection for Industrial Endpoints
• SCADA Servers
• SCADA Clients
• Human Machine Interfaces (HMI)
• Engineering Workstations
• Historians
• OPC Gateways
Security capabilities
• Application whitelisting
• Antimalware protection
• Ransomware protection
• Removable device control
• File Integrity Monitoring
• Exploit Prevention
• Wireless access control
• Log Inspection
• PLC integrity checker
Industrial Specifics
• Easy to deploy
• Local Signature Updates
• Less resource consuming than other EPP
• Legacy OS support
• Tested by ICS/SCADA vendors

26. KICS for Networks – Industrial Network Anomaly and Breach Detection
• Network Activity Monitoring
• Safe Non-Invasive Mode
• Asset Discovery
• Commands and Telemetry Analysis
• Anomaly Detection
• Cyber Attack Detection
• Remote Access Detection
• Malware Spreading Detection
• Network Visualization
• Event Correlation
• SOC/SIEM Integration
Some of the supported devices & protocols

27. KICS for Networks – Industrial Network Anomaly and Breach Detection

28. KICS for Networks powered by Machine Learning for Anomaly Detection
• Detect independently of reason:
• cyber attack,
• human factor,
• equipment faults,…
• Anomaly Interpretation
• Predictive maintenance
• State-of-the-art ML technology
• No need to manually create rules
Case Studies:
Secure Water Treatment System (SWaT)
SUTD, Singapore
Crude & Vacuum distillation units,
at Oil Refining Plant
Chemical plant:
Tennessee Eastman Process (TEP)

29. Kaspersky Lab is cited in 4 categories for its
dedicated OT security portfolio, KICS:
 OT Endpoint security
 OT Network Monitoring and Visibility
 Anomaly Detection, Incident Response, Reporting
 OT Security Services
Competitive Landscape: Operational Technology Security, Ruggero Contu, 29 October 2018.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.
Comprehensive approach to Operational Technology Security
https://ics.kaspersky.com/KICS-cited-in-Gartner-competitive-landscape-OT-security
Get a complimentary copy of this Gartner report:

30. Kaspersky Industrial CyberSecurity Experience
• German Glass Manufacturer
• Challenge:
• Needs to prevent delays in production and
a complete breakdown of the production
lines due to cyber attacks, that can not
only incur cancellation fees, but in many
cases expensive contractual penalty
charges, too.
• Solution:
• KICS for Nodes System
• KICS for Networks System
• Case Study Link
• Czech Brewery
• Challenge:
• Needs to make sure the production lines
and all OT related software and hardware
of brewing part and bottling lines,
including in total 2 brew houses and CCT
areas and 8 packaging lines in Pilsen
plant were resistant to cyber attacks, and
that the company was ready to implement
a holistic industrial cybersecurity strategy
• Solution:
• Industrial Cyber Security Assessment
Service
• Case Study Link
• Danish ICS Security Service Company
• Challenge:
• Needs of additional qualifications to
conduct pentesting in the industrial area,
and enhancing ICS knowledge in a prompt
and efficient manner.
• Solution:
• Industrial Penetration Testing Training
• Case Study Link
• Russian Steel Producer
• Challenge:
• Improve protection of modern automation
infrastructure combining the computing
resources of industrial control systems
(ICS) in several territorially distributed
data centers and reduce maintenance
costs
• Solution:
• KICS for Nodes System
• KICS for Networks System
• Case Study Link

31. ►Kaspersky OS (KOS)
►key feature is a sophisticated approach that makes possible to control inter-
process communications in accordance with specified security policies
►Kaspersky Security System (KSS) for Linux
►a security policy verdict computation engine. It works in conjunction with
KasperskyOS (or can be embedded into Linux-based firmware) that
enforces KSS verdicts.
►Kaspersky Secure Hypervisor (KSH)
►a Type 2 hypervisor that runs on the KasperskyOS microkernel with
Kaspersky Security System, that can run multiple untrusted guest operating
environments on a single HW platform and avoid their unwanted influence to
each other as well as to the host operating system
https://os.kaspersky.com
Kaspersky OS: Family

32. ►Telecom equipment
►Trusted Layer 3 Routing Switch by Craftway
►Trusted Network Equipment by Eltex
►Connected cars
►Vehicle Secure Communication Unit by AVL
►Internet of Things
►Kaspersky IoT Secure Gateway by Kaspersky Lab
►Industrial equipment
► CODESYS protection by BE.services’s Security Shield (ESS)
Kaspersky OS: Implementation

33. Customer data
storage and processing
Software
assembly
Opening
Transparency center
Independent
supervision and review
by third-party organization
Switzerland
For Europe, with the U.S., Canada,
Singapore, Australia, Japan and South Korea,
as well as other countries, to follow later
For compiling software before
distribution to customers worldwide
For trusted partners to review the
source code and software updates
Global Transparency Initiative (GTI): Kaspersky Lab
moves core infrastructure to Switzerland

34. Let’s talk!
ICS-CERT.kaspersky.com
ICS.kaspersky.com
OS.kaspersky.com
@KasperskyICS