SlideShare ist ein Scribd-Unternehmen logo

Detecting Problems in Industrial Networks Through Continuous Monitoring, Level 301 Marcelo Ayres Branquinho

Als PPT, PDF herunterladen
Digital Bond
Digital Bond

This document discusses continuous monitoring of industrial networks to detect problems. It describes what aspects of the network should be monitored, including servers, operating systems, processes, protocols, and controllers. It outlines how a test monitoring environment was prepared with a PLC, simulator, monitoring server, and traffic sniffer. Several attacks were performed, like DoS, ARP poisoning, malware infection. The results of monitoring detected these attacks by observing unusual traffic and system behaviors. The conclusion is that establishing a baseline and configuring triggers can help detect anomalies indicating network compromise.

Technologie
1 von 29
Detecting problems in industrial networks through continuous monitoring Marcelo Branquinho & Jan Seidl www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
Presentors Marcelo Branquinho Jan Seidl marcelo.branquinho@tisafe.com jan.seidl@tisafe.com • CEO at TI Safe. • Technical Coordinator at TI Safe. • Senior member of ISA and committee • Expert in risk analysis in member of ANSI/ISA-99. • Researcher in security technologies to protect critical infrastructure. www.tisafe.com automation systems. • Researcher in the field of malware engineering. TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
Follow us! • Twitter: @tisafe • SlideShare: www.slideshare.net/tisafe • Facebook: www.facebook.com/tisafe • Flickr: http://www.flickr.com/photos/tisafe www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
You don’t have to copy... http://www.slideshare.net/tisafe www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
Agenda • What should be monitored in an automation network? • Preparation of the monitoring environment. • The attacks performed. • Results of monitored attacks. • Conclusion. www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
What should be monitored in an automation network? www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
What to monitor in an automation network? • The “Health" of critical servers • Runtime errors in operating systems • Processes • High Availability • Data traffic on industrial protocols • Controllers (PLCs) • SNMP traps • ICMP Packets (Ping) www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
The “Health” of critical servers • Critical servers need to have stability and continuity of operations ensured. • Monitor the health allows the prevention of certain failures, as well as some malicious compromise, according to certain symptoms. • The main technical features that can be monitored in critical servers are: • Free disk space. • CPU and Memory. • Unsuccessful login attempts. • Input and Output packets rate. www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
O.S. runtime erros • Useful in anticipating hardware failures. • The anticipation of failures, in turn, protects the automation technical team from unscheduled stop for components replacement. • The main runtime errors in operating systems that can be monitored are : • Memory allocation. • Disk read/write. • CPU temperature. • Fan speed. www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
Processes • The monitoring of process stability can contribute in two situations : • Alerting the responsible team in case of failures in the execution of critical processes. • • Restart the process automatically, when possible. It is also recommended to monitor known exploited process names and ports, such as : • RDP • HTTP/HTTPS • TeamViewer • Cmd.exe • Windows PowerShell www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
High Availability • Aims to minimize the downtime of the monitored resource, anticipating potential failures. • Link states can be checked to see if the plant’s network enters into contingency state. • The monitoring agent can perform automated tasks when necessary. www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
Data traffic in industrial protocols • Is recommended to do a port mirroring to monitor data traffic on industrial protocols. • In the case of Modbus, for example, a network sniffer can be used to monitor several parameters. • The main parameter to be monitored are: • Disallowed function codes. • Tag values. • Command origin. • Sent and received commands. www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
Controllers (PLCs) • SNMP monitoring • Monitors network I/O, droped packets, network errors, etc. • Has higher reliability and, according to the errors, diagnose something wrong that might be happening. • ICMP Monitoring (Ping) • Alternatively if SNMP is not supported by the controller. • Used to check connectivity and response time. • Limited information therefore lower accuracy and less reliability. www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
Preparation of the monitoring environment www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
The Test Environment The sandbox mounted inside TI Safe’s Laboratory includes: • A Wago 741-800 PLC • A simulator of a natural gas plant (Tofino Scada Security Simulator) • A Windows 7 Station (physical) to the supervisory system • A virtual machine acting as the monitoring server (Debian Linux 6 with Zabbix) • A virtual machine acting as Modbus traffic sniffer server (Debian Linux 6 with script in python + scapy) www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
The Monitoring Environment • The monitoring server is a virtual machine running Debian Linux operating system. • This server has been downloaded and installed by running the open source monitoring solution Zabbix 2.0.6 using MySQL 5.1 as the data backend. Figure: The network Sniffer and its structure www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
Checking Frequency • Depending on the load that the machine performs, items can be configured to be polled in a defined interval. • • • Servers with lighter load can have shorter checks (each 15 to 30 seconds). Servers with hogher load can have more delayed checks (1 minute or more). ​ The main idea is to preserve the machine computational power and the network bandwidth. www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
Alerting • Designed to alert the response team. • Best used when launched from a set of probes and reducing the possibility of false positive. • Can generate sound alerts and display visual signaling on a panel, as a blinking server . • The recommended alerts are: • SMS • Jabber • E-mail www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
The attacks performed www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
The Attacker Machine • The attacker machine is a HP laptop directly connected at the plant switch, running Kali Linux 1.0 from a Live-CD. Below is a list of software used on tests: Software / Tool Description Attack Author Hping3 ICMP flood tool Network Layer 3 denial of service http://www.hping.org/ T50 Flood tool Network Layer 3 denial of service https://github.com/merces/t50 Meterpreter Remote access shell Remote compromise, http://www.metasploit.com/ malware infection Arpspoof ARP poison/spoofing tool ARP poison Pymodbus Modbus python library Unauthorized modbus traffic www.tisafe.com http://arpspoof.sourceforge.net/ https://github.com/bashwork/pym odbus TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
Attacks performed Attack Attack Vector PLC Denial of Service Communications interception ARP poison PLC, Supervisory Stations PLC Denial of Service Layer 3 network flood, 0day PLC Supervisory station malware infection Modbus malware, Meterpreter shell backdoor Supervisory Stations, Network Supervisory station compromise Meterpreter shell backdoor Supervisory Station Unauthorized remote logon Enabling remote desktop on machine, accessing machine from other machine on network Supervisory Station Unauthorized modbus traffic Sending commands from attacker machine PLC www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
Results of monitored attacks www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
Results of monitored attacks • $ nmap –sV 192.168.1.1 • Communications interception www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
Results of monitored attacks • Denial of Service • Malware infection www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
Results of monitored attacks • Unauthorized Modbus traffic www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
Conclusion www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
Conclusion • The homogeneity of the cyclical behavior in industrial networks and servers allows us to establish the 'healthy' network parameters. • Network and servers analysis and applications monitoring are critical for the detection of unusual network traffic. • More tangible results can be achieved through behavior monitoring than through the monitoring of known keywords, the 'signatures'. • The establishment of a baseline traffic in the network control system is necessary for the detection of anomalous traffic through the analysis of differences. • Triggers can be configured to indicate parameters outside the usual data ranges that can mean a compromise of the assets being monitored. • Alarms (including sounds) can be configured based on triggers. • Only a few commercial tools for IACS monitoring are available for purchase, and we recommend the customization of an open source tool for your own monitoring needs. www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
Audience Q&A www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
We can help you! Marcelo.branquinho@tisafe.com Jan.seidl@tisafe.com Rio de Janeiro: +55 (21) 2173-1159 São Paulo: +55 (11) 3040-8656 Twitter: @tisafe Skype: ti-safe www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.

Empfohlen

Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Digital Bond
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...Digital Bond
 
Time Traveling: Adapting Techniques from the Future to Improve Reliability, J...
Time Traveling: Adapting Techniques from the Future to Improve Reliability, J...Time Traveling: Adapting Techniques from the Future to Improve Reliability, J...
Time Traveling: Adapting Techniques from the Future to Improve Reliability, J...Digital Bond
 
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Digital Bond
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing KeynoteDigital Bond
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldDigital Bond
 
Attacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar AsiaAttacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar AsiaDigital Bond
 
Should I Patch My ICS?
Should I Patch My ICS?Should I Patch My ICS?
Should I Patch My ICS?Digital Bond
 

Empfohlen

Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Digital Bond
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...Digital Bond
 
Time Traveling: Adapting Techniques from the Future to Improve Reliability, J...
Time Traveling: Adapting Techniques from the Future to Improve Reliability, J...Time Traveling: Adapting Techniques from the Future to Improve Reliability, J...
Time Traveling: Adapting Techniques from the Future to Improve Reliability, J...Digital Bond
 
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Digital Bond
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing KeynoteDigital Bond
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldDigital Bond
 
Attacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar AsiaAttacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar AsiaDigital Bond
 
Should I Patch My ICS?
Should I Patch My ICS?Should I Patch My ICS?
Should I Patch My ICS?Digital Bond
 
Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Digital Bond
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS CommunicationsDigital Bond
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014Digital Bond
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Jim Gilsinn
 
Cybersecurity for modern industrial systems
Cybersecurity for modern industrial systemsCybersecurity for modern industrial systems
Cybersecurity for modern industrial systemsItex Solutions
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Digital Bond
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMJim Gilsinn
 
The RIPE Experience
The RIPE ExperienceThe RIPE Experience
The RIPE ExperienceDigital Bond
 
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)Digital Bond
 
Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSCyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSJim Gilsinn
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Digital Bond
 
Practical Approaches to Securely Integrating Business and Production
Practical Approaches to Securely Integrating Business and ProductionPractical Approaches to Securely Integrating Business and Production
Practical Approaches to Securely Integrating Business and ProductionJim Gilsinn
 
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...Shah Sheikh
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA Jeffrey Wang , P.Eng
 
Nist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkNist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkMarcoAfzali
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsHoneywell
 
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...Honeywell
 
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...AVEVA
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Joan Figueras Tugas
 
Integrating the Alphabet Soup of Standards
Integrating the Alphabet Soup of StandardsIntegrating the Alphabet Soup of Standards
Integrating the Alphabet Soup of StandardsJim Gilsinn
 
Writing ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisWriting ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisDigital Bond
 
PLC Code Protection
PLC Code ProtectionPLC Code Protection
PLC Code ProtectionDigital Bond
 

Weitere ähnliche Inhalte

Was ist angesagt?

Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Digital Bond
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS CommunicationsDigital Bond
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014Digital Bond
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Jim Gilsinn
 
Cybersecurity for modern industrial systems
Cybersecurity for modern industrial systemsCybersecurity for modern industrial systems
Cybersecurity for modern industrial systemsItex Solutions
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Digital Bond
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMJim Gilsinn
 
The RIPE Experience
The RIPE ExperienceThe RIPE Experience
The RIPE ExperienceDigital Bond
 
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)Digital Bond
 
Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSCyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSJim Gilsinn
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Digital Bond
 
Practical Approaches to Securely Integrating Business and Production
Practical Approaches to Securely Integrating Business and ProductionPractical Approaches to Securely Integrating Business and Production
Practical Approaches to Securely Integrating Business and ProductionJim Gilsinn
 
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...Shah Sheikh
 
Nist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkNist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkMarcoAfzali
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsHoneywell
 
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...Honeywell
 
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...AVEVA
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Joan Figueras Tugas
 
Integrating the Alphabet Soup of Standards
Integrating the Alphabet Soup of StandardsIntegrating the Alphabet Soup of Standards
Integrating the Alphabet Soup of StandardsJim Gilsinn
 

Was ist angesagt? (20)

Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS Communications
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
 
Cybersecurity for modern industrial systems
Cybersecurity for modern industrial systemsCybersecurity for modern industrial systems
Cybersecurity for modern industrial systems
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
 
The RIPE Experience
The RIPE ExperienceThe RIPE Experience
The RIPE Experience
 
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
 
Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSCyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICS
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)
 
Practical Approaches to Securely Integrating Business and Production
Practical Approaches to Securely Integrating Business and ProductionPractical Approaches to Securely Integrating Business and Production
Practical Approaches to Securely Integrating Business and Production
 
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA
 
Nist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkNist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing Framework
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
 
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
 
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
 
Integrating the Alphabet Soup of Standards
Integrating the Alphabet Soup of StandardsIntegrating the Alphabet Soup of Standards
Integrating the Alphabet Soup of Standards
 

Andere mochten auch

Writing ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisWriting ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisDigital Bond
 
PLC Code Protection
PLC Code ProtectionPLC Code Protection
PLC Code ProtectionDigital Bond
 
Havex Deep Dive (English)
Havex Deep Dive (English)Havex Deep Dive (English)
Havex Deep Dive (English)Digital Bond
 
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Digital Bond
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Digital Bond
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
Remote Control Automobiles at ESCAR US 2015
Remote Control Automobiles at ESCAR US 2015Remote Control Automobiles at ESCAR US 2015
Remote Control Automobiles at ESCAR US 2015Digital Bond
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityChris Sistrunk
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)Digital Bond
 
Modbus Data Communication Systems
Modbus Data Communication SystemsModbus Data Communication Systems
Modbus Data Communication SystemsLiving Online
 
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...Digital Bond
 
Learn 90% of Python in 90 Minutes
Learn 90% of Python in 90 MinutesLearn 90% of Python in 90 Minutes
Learn 90% of Python in 90 MinutesMatt Harrison
 
Introduction to Python
Introduction to PythonIntroduction to Python
Introduction to PythonNowell Strite
 

Andere mochten auch (13)

Writing ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisWriting ICS Vulnerability Analysis
Writing ICS Vulnerability Analysis
 
PLC Code Protection
PLC Code ProtectionPLC Code Protection
PLC Code Protection
 
Havex Deep Dive (English)
Havex Deep Dive (English)Havex Deep Dive (English)
Havex Deep Dive (English)
 
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
Remote Control Automobiles at ESCAR US 2015
Remote Control Automobiles at ESCAR US 2015Remote Control Automobiles at ESCAR US 2015
Remote Control Automobiles at ESCAR US 2015
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
 
Modbus Data Communication Systems
Modbus Data Communication SystemsModbus Data Communication Systems
Modbus Data Communication Systems
 
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
 
Learn 90% of Python in 90 Minutes
Learn 90% of Python in 90 MinutesLearn 90% of Python in 90 Minutes
Learn 90% of Python in 90 Minutes
 
Introduction to Python
Introduction to PythonIntroduction to Python
Introduction to Python
 

Ähnlich wie Detecting Problems in Industrial Networks Through Continuous Monitoring, Level 301 Marcelo Ayres Branquinho

Apresentação Técnica - Infecções por Malware no Brasil
Apresentação Técnica - Infecções por Malware no BrasilApresentação Técnica - Infecções por Malware no Brasil
Apresentação Técnica - Infecções por Malware no BrasilTI Safe
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEEBKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEELinaro
 
Standardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-VStandardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-VRISC-V International
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11Waqas Ahmed Nawaz
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02PacSecJP
 
ITN6_Instructor_Materials_Chapter11.pdf
ITN6_Instructor_Materials_Chapter11.pdfITN6_Instructor_Materials_Chapter11.pdf
ITN6_Instructor_Materials_Chapter11.pdfThangDang53
 
Common NonStop security hacks and how to avoid them
Common NonStop security hacks and how to avoid themCommon NonStop security hacks and how to avoid them
Common NonStop security hacks and how to avoid themGreg Swedosh
 
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)mike parks
 
network-management Web base.ppt
network-management Web base.pptnetwork-management Web base.ppt
network-management Web base.pptAssadLeo1
 
Acceleration_and_Security_draft_v2
Acceleration_and_Security_draft_v2Acceleration_and_Security_draft_v2
Acceleration_and_Security_draft_v2Srinivasa Addepalli
 
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...festival ICT 2016
 
Meeting 3 network administrator tools
Meeting 3 network administrator toolsMeeting 3 network administrator tools
Meeting 3 network administrator toolsSyaiful Ahdan
 
USB-Lock-RP Technical Datasheet version 11.9
USB-Lock-RP Technical Datasheet version 11.9USB-Lock-RP Technical Datasheet version 11.9
USB-Lock-RP Technical Datasheet version 11.9Javier Arrospide
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesKai Wähner
 
Proving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEsProving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEsAshley Zupkus
 
Framework and Product Comparison for Big Data Log Analytics and ITOA
Framework and Product Comparison for Big Data Log Analytics and ITOA Framework and Product Comparison for Big Data Log Analytics and ITOA
Framework and Product Comparison for Big Data Log Analytics and ITOA Kai Wähner
 
Secure IOT Gateway
Secure IOT GatewaySecure IOT Gateway
Secure IOT GatewayLF Events
 
What is "Show Tech" - JANOG Case Study
What is "Show Tech" - JANOG Case StudyWhat is "Show Tech" - JANOG Case Study
What is "Show Tech" - JANOG Case StudyAPNIC
 
Design Like a Pro: SCADA Security Guidelines
Design Like a Pro: SCADA Security GuidelinesDesign Like a Pro: SCADA Security Guidelines
Design Like a Pro: SCADA Security GuidelinesInductive Automation
 

Ähnlich wie Detecting Problems in Industrial Networks Through Continuous Monitoring, Level 301 Marcelo Ayres Branquinho (20)

Apresentação Técnica - Infecções por Malware no Brasil
Apresentação Técnica - Infecções por Malware no BrasilApresentação Técnica - Infecções por Malware no Brasil
Apresentação Técnica - Infecções por Malware no Brasil
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEEBKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
 
Standardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-VStandardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-V
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
 
ITN6_Instructor_Materials_Chapter11.pdf
ITN6_Instructor_Materials_Chapter11.pdfITN6_Instructor_Materials_Chapter11.pdf
ITN6_Instructor_Materials_Chapter11.pdf
 
Common NonStop security hacks and how to avoid them
Common NonStop security hacks and how to avoid themCommon NonStop security hacks and how to avoid them
Common NonStop security hacks and how to avoid them
 
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
 
network-management Web base.ppt
network-management Web base.pptnetwork-management Web base.ppt
network-management Web base.ppt
 
Acceleration_and_Security_draft_v2
Acceleration_and_Security_draft_v2Acceleration_and_Security_draft_v2
Acceleration_and_Security_draft_v2
 
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
 
Meeting 3 network administrator tools
Meeting 3 network administrator toolsMeeting 3 network administrator tools
Meeting 3 network administrator tools
 
USB-Lock-RP Technical Datasheet version 11.9
USB-Lock-RP Technical Datasheet version 11.9USB-Lock-RP Technical Datasheet version 11.9
USB-Lock-RP Technical Datasheet version 11.9
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed Microservices
 
Proving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEsProving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEs
 
Framework and Product Comparison for Big Data Log Analytics and ITOA
Framework and Product Comparison for Big Data Log Analytics and ITOA Framework and Product Comparison for Big Data Log Analytics and ITOA
Framework and Product Comparison for Big Data Log Analytics and ITOA
 
Secure IOT Gateway
Secure IOT GatewaySecure IOT Gateway
Secure IOT Gateway
 
What is "Show Tech" - JANOG Case Study
What is "Show Tech" - JANOG Case StudyWhat is "Show Tech" - JANOG Case Study
What is "Show Tech" - JANOG Case Study
 
Design Like a Pro: SCADA Security Guidelines
Design Like a Pro: SCADA Security GuidelinesDesign Like a Pro: SCADA Security Guidelines
Design Like a Pro: SCADA Security Guidelines
 

Mehr von Digital Bond

The Future of ICS Security Products
The Future of ICS Security ProductsThe Future of ICS Security Products
The Future of ICS Security ProductsDigital Bond
 
Windows Service Hardening
Windows Service HardeningWindows Service Hardening
Windows Service HardeningDigital Bond
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSFDigital Bond
 
Assessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS SolutionsAssessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS SolutionsDigital Bond
 
Accelerating OT - A Case Study
Accelerating OT - A Case StudyAccelerating OT - A Case Study
Accelerating OT - A Case StudyDigital Bond
 
Unidirectional Security Appliances to Secure ICS
Unidirectional Security Appliances to Secure ICSUnidirectional Security Appliances to Secure ICS
Unidirectional Security Appliances to Secure ICSDigital Bond
 
Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)Digital Bond
 
ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)Digital Bond
 
Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Digital Bond
 
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)Digital Bond
 
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)Digital Bond
 
Application Whitelisting and DPI in ICS (English)
Application Whitelisting and DPI in ICS (English)Application Whitelisting and DPI in ICS (English)
Application Whitelisting and DPI in ICS (English)Digital Bond
 
Industrial Wireless Security (Japanese)
Industrial Wireless Security (Japanese)Industrial Wireless Security (Japanese)
Industrial Wireless Security (Japanese)Digital Bond
 
S4x14 Session: You Name It; We Analyze It
S4x14 Session: You Name It; We Analyze ItS4x14 Session: You Name It; We Analyze It
S4x14 Session: You Name It; We Analyze ItDigital Bond
 
HART as an Attack Vector
HART as an Attack VectorHART as an Attack Vector
HART as an Attack VectorDigital Bond
 

Mehr von Digital Bond (15)

The Future of ICS Security Products
The Future of ICS Security ProductsThe Future of ICS Security Products
The Future of ICS Security Products
 
Windows Service Hardening
Windows Service HardeningWindows Service Hardening
Windows Service Hardening
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
Assessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS SolutionsAssessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS Solutions
 
Accelerating OT - A Case Study
Accelerating OT - A Case StudyAccelerating OT - A Case Study
Accelerating OT - A Case Study
 
Unidirectional Security Appliances to Secure ICS
Unidirectional Security Appliances to Secure ICSUnidirectional Security Appliances to Secure ICS
Unidirectional Security Appliances to Secure ICS
 
Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)
 
ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)
 
Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Incubation of ICS Malware (English)
Incubation of ICS Malware (English)
 
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
 
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
 
Application Whitelisting and DPI in ICS (English)
Application Whitelisting and DPI in ICS (English)Application Whitelisting and DPI in ICS (English)
Application Whitelisting and DPI in ICS (English)
 
Industrial Wireless Security (Japanese)
Industrial Wireless Security (Japanese)Industrial Wireless Security (Japanese)
Industrial Wireless Security (Japanese)
 
S4x14 Session: You Name It; We Analyze It
S4x14 Session: You Name It; We Analyze ItS4x14 Session: You Name It; We Analyze It
S4x14 Session: You Name It; We Analyze It
 
HART as an Attack Vector
HART as an Attack VectorHART as an Attack Vector
HART as an Attack Vector
 

Kürzlich hochgeladen

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Kürzlich hochgeladen (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

Detecting Problems in Industrial Networks Through Continuous Monitoring, Level 301 Marcelo Ayres Branquinho

  • 1. Detecting problems in industrial networks through continuous monitoring Marcelo Branquinho & Jan Seidl www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 2. Presentors Marcelo Branquinho Jan Seidl marcelo.branquinho@tisafe.com jan.seidl@tisafe.com • CEO at TI Safe. • Technical Coordinator at TI Safe. • Senior member of ISA and committee • Expert in risk analysis in member of ANSI/ISA-99. • Researcher in security technologies to protect critical infrastructure. www.tisafe.com automation systems. • Researcher in the field of malware engineering. TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 3. Follow us! • Twitter: @tisafe • SlideShare: www.slideshare.net/tisafe • Facebook: www.facebook.com/tisafe • Flickr: http://www.flickr.com/photos/tisafe www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 4. You don’t have to copy... http://www.slideshare.net/tisafe www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 5. Agenda • What should be monitored in an automation network? • Preparation of the monitoring environment. • The attacks performed. • Results of monitored attacks. • Conclusion. www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 6. What should be monitored in an automation network? www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 7. What to monitor in an automation network? • The “Health" of critical servers • Runtime errors in operating systems • Processes • High Availability • Data traffic on industrial protocols • Controllers (PLCs) • SNMP traps • ICMP Packets (Ping) www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 8. The “Health” of critical servers • Critical servers need to have stability and continuity of operations ensured. • Monitor the health allows the prevention of certain failures, as well as some malicious compromise, according to certain symptoms. • The main technical features that can be monitored in critical servers are: • Free disk space. • CPU and Memory. • Unsuccessful login attempts. • Input and Output packets rate. www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 9. O.S. runtime erros • Useful in anticipating hardware failures. • The anticipation of failures, in turn, protects the automation technical team from unscheduled stop for components replacement. • The main runtime errors in operating systems that can be monitored are : • Memory allocation. • Disk read/write. • CPU temperature. • Fan speed. www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 10. Processes • The monitoring of process stability can contribute in two situations : • Alerting the responsible team in case of failures in the execution of critical processes. • • Restart the process automatically, when possible. It is also recommended to monitor known exploited process names and ports, such as : • RDP • HTTP/HTTPS • TeamViewer • Cmd.exe • Windows PowerShell www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 11. High Availability • Aims to minimize the downtime of the monitored resource, anticipating potential failures. • Link states can be checked to see if the plant’s network enters into contingency state. • The monitoring agent can perform automated tasks when necessary. www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 12. Data traffic in industrial protocols • Is recommended to do a port mirroring to monitor data traffic on industrial protocols. • In the case of Modbus, for example, a network sniffer can be used to monitor several parameters. • The main parameter to be monitored are: • Disallowed function codes. • Tag values. • Command origin. • Sent and received commands. www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 13. Controllers (PLCs) • SNMP monitoring • Monitors network I/O, droped packets, network errors, etc. • Has higher reliability and, according to the errors, diagnose something wrong that might be happening. • ICMP Monitoring (Ping) • Alternatively if SNMP is not supported by the controller. • Used to check connectivity and response time. • Limited information therefore lower accuracy and less reliability. www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 14. Preparation of the monitoring environment www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 15. The Test Environment The sandbox mounted inside TI Safe’s Laboratory includes: • A Wago 741-800 PLC • A simulator of a natural gas plant (Tofino Scada Security Simulator) • A Windows 7 Station (physical) to the supervisory system • A virtual machine acting as the monitoring server (Debian Linux 6 with Zabbix) • A virtual machine acting as Modbus traffic sniffer server (Debian Linux 6 with script in python + scapy) www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 16. The Monitoring Environment • The monitoring server is a virtual machine running Debian Linux operating system. • This server has been downloaded and installed by running the open source monitoring solution Zabbix 2.0.6 using MySQL 5.1 as the data backend. Figure: The network Sniffer and its structure www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 17. Checking Frequency • Depending on the load that the machine performs, items can be configured to be polled in a defined interval. • • • Servers with lighter load can have shorter checks (each 15 to 30 seconds). Servers with hogher load can have more delayed checks (1 minute or more). ​ The main idea is to preserve the machine computational power and the network bandwidth. www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 18. Alerting • Designed to alert the response team. • Best used when launched from a set of probes and reducing the possibility of false positive. • Can generate sound alerts and display visual signaling on a panel, as a blinking server . • The recommended alerts are: • SMS • Jabber • E-mail www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 19. The attacks performed www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 20. The Attacker Machine • The attacker machine is a HP laptop directly connected at the plant switch, running Kali Linux 1.0 from a Live-CD. Below is a list of software used on tests: Software / Tool Description Attack Author Hping3 ICMP flood tool Network Layer 3 denial of service http://www.hping.org/ T50 Flood tool Network Layer 3 denial of service https://github.com/merces/t50 Meterpreter Remote access shell Remote compromise, http://www.metasploit.com/ malware infection Arpspoof ARP poison/spoofing tool ARP poison Pymodbus Modbus python library Unauthorized modbus traffic www.tisafe.com http://arpspoof.sourceforge.net/ https://github.com/bashwork/pym odbus TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 21. Attacks performed Attack Attack Vector PLC Denial of Service Communications interception ARP poison PLC, Supervisory Stations PLC Denial of Service Layer 3 network flood, 0day PLC Supervisory station malware infection Modbus malware, Meterpreter shell backdoor Supervisory Stations, Network Supervisory station compromise Meterpreter shell backdoor Supervisory Station Unauthorized remote logon Enabling remote desktop on machine, accessing machine from other machine on network Supervisory Station Unauthorized modbus traffic Sending commands from attacker machine PLC www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 22. Results of monitored attacks www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 23. Results of monitored attacks • $ nmap –sV 192.168.1.1 • Communications interception www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 24. Results of monitored attacks • Denial of Service • Malware infection www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 25. Results of monitored attacks • Unauthorized Modbus traffic www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 26. Conclusion www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 27. Conclusion • The homogeneity of the cyclical behavior in industrial networks and servers allows us to establish the 'healthy' network parameters. • Network and servers analysis and applications monitoring are critical for the detection of unusual network traffic. • More tangible results can be achieved through behavior monitoring than through the monitoring of known keywords, the 'signatures'. • The establishment of a baseline traffic in the network control system is necessary for the detection of anomalous traffic through the analysis of differences. • Triggers can be configured to indicate parameters outside the usual data ranges that can mean a compromise of the assets being monitored. • Alarms (including sounds) can be configured based on triggers. • Only a few commercial tools for IACS monitoring are available for purchase, and we recommend the customization of an open source tool for your own monitoring needs. www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 28. Audience Q&A www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.
  • 29. We can help you! Marcelo.branquinho@tisafe.com Jan.seidl@tisafe.com Rio de Janeiro: +55 (21) 2173-1159 São Paulo: +55 (11) 3040-8656 Twitter: @tisafe Skype: ti-safe www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.