INDUSTRIAL CONTROL SYSTEMS CYBERSECURITY SAFEGUARDING CIVILIZATION
BOUNDING CYBER IN DBT
Evaluating the effectiveness of nuclear power plant cyber defenses against adversaries with cyber capabilities.
Dr. Jacob Benjamin, Principal Industrial Consultant
SANS ICS Summit Asia Pacific (APAC), November 13, 2020
DESIGN BASIS THREAT (DBT) BASICS
What is a DBT?
How are they developed?
What does a DBT look like?
Are there cyber DBTs?
EXAMPLE DBT (IAEA DBT WORKSHOP)
Attempt of theft of a significant amount of nuclear material (e.g. 10 kg of Pu) by a group of 6 outsiders equipped with 10 kg TNT explosive, automatic weapons (including light infantry weapons) and specific commercially available intrusion tools. They have a comprehensive knowledge of the facility and associated physical protection measures. Willing to die or to kill. No collusion with insider.
PHYSICAL SECURITY ASSESSMENTS: Response Time vs Adversary Task Time (NSS 27-G)
Total PPS response time is the sum of the stages from alarm to neutralization:
Alarm Signal -> Assessment of Alarm -> Communication of Alarm to Response Force -> Prep for Deployment -> Deployment Time -> Engagement & Neutralization = Total PPS Response Time
NUCLEAR CYBER SECURITY
Cybersecurity risk mitigation for nuclear power plants began in 2002 and 2003, when the NRC included cybersecurity requirements in the Physical Security and Design Basis Threat Orders.
Voluntary Cyber Program: NEI 04-04
The Cyber Rule: 10 CFR 73.54
Implementing Cyber Security Plans: NEI 08-09 & NEI 13-10
USING TRADITIONAL DBT ANALYSIS FOR CYBER
Three inputs feed the cyber DBT:
Past Cyber Events: Nuclear Sector & Energy Sector
Credible Threat Intelligence: World View, CISA, etc.
Site Specific Targets: Crown Jewel Analysis
Past Cyber Events + Credible Threat Intelligence + Site Specific Targets -> Cyber DBT
MITRE ATT&CK: THREAT BEHAVIOR LEXICON
· MITRE ATT&CK is an encyclopedia of threat behaviors.
· Tactics: the adversary's technical goals.
· Techniques: how those goals are achieved.
· Matrices: Enterprise, Mobile, ICS
CYBER DBT DEVELOPMENT EXAMPLE
Targets                 Past Events                                  Threat Intel
Crown Jewels            CrashOverride, Trisis, Stuxnet               World View
                        Browns Ferry, Davis Besse, Wolf Creek        CISA / ICS-CERT
Relevance Determination: MITRE ATT&CK
Result: Triconex SIS (target), Trisis (past event), Xenotime (threat intel)
XENOTIME TTPS: THREAT BEHAVIOR FROM CYBER DBT
TTP     Name                        Tactic(s)
T817    Drive-by Compromise         Initial Access
T822    External Remote Services    Initial Access, Lateral Movement
T859    Valid Accounts              Persistence, Lateral Movement
T862    Supply Chain Compromise     Initial Access
S0013   Trisis                      Various (see next slide)
TRISIS THREAT BEHAVIORS
RESULT: CYBER DBT
Attempt to cause physical damage to Safety Instrumentation Systems. The adversary has been known to use Drive-by Compromise, External Remote Services, Valid Accounts, Supply Chain Compromise, and ICS-tailored malware. They have destructive capabilities, understand process implications, and have specific knowledge of industrial control systems. Willing to cause physical harm or kill. No collusion with insider.
QUANTITATIVE DATA FROM CYBER DBT
A list of potential adversaries and their attributes, characteristics, and possible actions. Analysis determining whether specific adversaries are relevant to potential targets.
Facility: targets comprised of SIS
Adversary: destructive capabilities & intent; ICS process knowledge; specific techniques & tactics
Required defenses: prevent / detect the list of TTPs; resilient against custom tools & novel malware
MITIGATION COVERAGE: LEVERAGE THE CYBER DBT
TTP     Name                        Mitigations
T822    External Remote Services    M1042, M0135, M1032, M1030
T859    Valid Accounts              M1047, M1037, M1032, M1027, M1026, M1018
T817    Drive-by Compromise         M1021
T862    Supply Chain Compromise     M1049, M1016
S0013   Trisis                      M1049, M1040, M1038, M1035, M1030
VISUALIZING MITIGATION COVERAGE: LEVERAGING THE CYBER DBT
The coverage graph links each DBT behavior to a mitigation that addresses it:
M1032  Multi-factor Authentication   -> T859 Valid Accounts, T822 External Remote Services
M1049  Antivirus / Antimalware       -> S0013 Trisis, T862 Supply Chain Compromise
M1021  Restrict Web-Based Content    -> T817 Drive-by Compromise
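The coverage mapping above, worked through in Python as an added example (not from the slides): the TTP and mitigation IDs are those listed on the mitigation coverage slide, while the set of mitigations assumed to be in place is a constructed example.

```python
"""Mitigation coverage for a cyber DBT, mapped through MITRE ATT&CK IDs.

Added illustration. TTP and mitigation IDs are the ones on the
mitigation-coverage slide; the 'in place' set below is an assumption.
"""
from collections import defaultdict

# DBT threat behaviours -> (name, ATT&CK mitigations listed on the slide)
DBT_TTPS = {
    "T822": ("External Remote Services", {"M1042", "M0135", "M1032", "M1030"}),
    "T859": ("Valid Accounts", {"M1047", "M1037", "M1032", "M1027", "M1026", "M1018"}),
    "T817": ("Drive-by Compromise", {"M1021"}),
    "T862": ("Supply Chain Compromise", {"M1049", "M1016"}),
    "S0013": ("Trisis", {"M1049", "M1040", "M1038", "M1035", "M1030"}),
}

def mitigation_index(ttps=DBT_TTPS):
    """Invert the table: mitigation ID -> set of DBT TTPs it addresses."""
    index = defaultdict(set)
    for ttp_id, (_, mitigations) in ttps.items():
        for m in mitigations:
            index[m].add(ttp_id)
    return dict(index)

def coverage(implemented, ttps=DBT_TTPS):
    """Return (covered, uncovered) TTP IDs for a set of implemented mitigations.

    A TTP counts as covered when at least one listed mitigation is in place.
    This measures presence, not efficacy; efficacy still has to be tested.
    """
    covered = {t for t, (_, ms) in ttps.items() if ms & implemented}
    return covered, set(ttps) - covered

def prioritize(implemented, ttps=DBT_TTPS):
    """Rank missing mitigations by how many still-uncovered TTPs each addresses.

    Ties are broken by mitigation ID so the ranking is deterministic.
    """
    _, uncovered = coverage(implemented, ttps)
    gains = {m: len(ts & uncovered)
             for m, ts in mitigation_index(ttps).items() if m not in implemented}
    return sorted(((m, n) for m, n in gains.items() if n), key=lambda x: (-x[1], x[0]))

if __name__ == "__main__":
    in_place = {"M1032"}  # assumed site state: only multi-factor authentication
    covered, uncovered = coverage(in_place)
    print("covered:", sorted(covered), "uncovered:", sorted(uncovered))
    for m, n in prioritize(in_place):
        print(f"{m}: closes {n} uncovered DBT behaviour(s)")
```

With only M1032 in place the ranking puts M1049 first, since it addresses both T862 and S0013; adding M1021 on top of those two leaves no DBT behaviour uncovered, which is the graph on the slide.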
PREVENTION is ideal, but DETECTION is necessary.
DETECTION, without RESPONSE, is of little value.
TRISIS THREAT BEHAVIORS: Scripting
PowerShell, AppleScript, Windows Command Shell, Unix Shell, Visual Basic, Python, JavaScript/JScript
CYBER DBT: HOW CAN THEY BE USED?
Mitigations: identification, implementation, efficacy, prioritization
Detections: identification, development, evaluation
Incident response: incident response playbooks; identifying beyond-DBT scenarios
Training: preparedness; realistic scenarios
COMPARISON OF APPROACHES
Compliance vs Cyber DBT
Compliance: generic, prescriptive, ineffective
Cyber DBT: specific, threat-informed, measurable
THANK YOU