Report Speech BHS 2019 by Robin Massink, Alliander
Wrap-up report Black Hat Sessions 2019 - Presentation Robin Massink written by Vincenzo Santucci- 31 July 2019
Below you will find a brief report written by Vincenzo Santucci (Security Specialist at Secura), of the speech given by Robin Massink.
Robin Massink is a Security Specialist working at Alliander. Robin has provided an in-depth approach to security monitoring and intrusion detection for SCADA systems within utilities. Insight was provided in how threats can be monitored, and a step-by-step approach for implementing relevant monitoring use-cases was given. Besides implementation, several pitfalls that were encountered were discussed and an indication of the type of events which were detected within the SCADA networks was shown.
Robin works for Alliander, a company which is in charge to provide electricity and energy in the Netherlands as such Alliander manages a big OT network in the Netherlands, divided further into two parts which refer to two different data centres. These networks neither face the internet nor have services deployed on the cloud but they are made of approximately thousands of devices. Being an important energy provider, The OT network of Alliander is a target to different kinds of cyberattacks, with a variety in scope. One of the examples given by Robin was regarding damages and denial of service. In such cases, the expenses that are to be faced by the provider to fix any damages are really high. On the other hand, the primary aim of a cyberattack could be to “just” steal information, leading to fewer expenses at first, but likely causing a significant impact later in time. After giving a description of what threats an OT network might face, Robin went on to explain why monitoring is important and how difficult it might be to understand which kind of monitoring has to be applied.
One of the examples given was regarding the CyberSquirrel1 Twitter account( https://twitter.com/cybersquirrel1 ) which keeps track of every disruption that is caused by different kind of animals to technological infrastructures. The Twitter account can be seen as an example of monitoring and a way to shed light to which kind of threats a technological infrastructure might face. Monitoring is important because it enables the benefit of maintaining a less strict workable environment mitigating the risk to an acceptable level. Given this, monitoring helps to keep the balance between applied security measures (often creating difficulties in the working environment such as slowdowns, delays and more.) and risks that should be handled in the event of a cyberattack. Paying attention to monitoring allows anticipating any disturbances resulting from potential cyberattacks.
The fact that monitoring is important is emphasized, but the question remains what should exactly be monitored? It is especially difficult to understand what and how to monitor within an OT network. The underlying causes of this difficulty, often leading to poor monitoring performances are that it is ‘boring, expensive or too strict’. A rigorous monitoring system could generate so many alerts that they do not let people understand and distinct which alerts are really important or not. This, yet again, strengthens the view that monitoring is a matter of balance , between what can be or cannot be managed by the operators. What Alliander does in order to protect its technology infrastructure is having IDS and SIEM systems centrally placed in the two different data centres of the OT networks. Configuring and managing the systems is still a human task, and the questions and doubts concerning the management of the configurations are in short the following:
- Are all proactive controls effective?
- Do we need to compensate for deviations in architecture due to legacy equipment and technical incompatibilities?
- What are real attack vectors; are we allowing SSH connections from the field, or only from central?
- How deep should we monitor to address the identified threats and associated risk?
The SIEM used by Alliander is an OT focused system, it supports blacklisting, anomaly detection and custom scripting. On the other hand, the SIEM that is used is a common product largely fed by a syslog infrastructure, managing and preventing unauthorized communication and access attempts to networks and systems. The risks that are not correctly managed are those coming from the network itself, or the introduction of malware locally, or the management of unwanted and insufficient protected services ( FTP, Telnet, etc.). In short, the following lessons are taught regarding monitoring:
- Relying on an automated learning model does not work, you will need human fine-tuning
- Too many alerts are not manageable, monitor only the bare minimum
- Lots of alerts will be caused by operational issues, have short lines of communication and accept false positives!
- Every alert needs follow up. Do not generate alerts if you are not going to follow up!
- IDS’ are also very useful tools for troubleshooting connectivity issues and hunting. Full packet capture is a must!
- The landscape will change from underneath your feet.
Are you interested in participating? Keep up to date with the latest news about the Black Hat Sessions (BHS), receive exclusive (early bird) discounts and secure your seat for interactive workshops. Sign up for our periodical newsletter and we will keep your informed.