Sunday, August 31, 2014

ICS Cyber Security and the Occam's Razor principle

Occam's Razor principle states that among competing hypotheses, the one with the fewest assumptions should be selected. Other, more complicated solutions may ultimately prove correct, but—in the absence of certainty—the fewer assumptions that are made, the better.

The same should apply to ICS networks. Because these networks are smaller, documented and perform repetitive functions, the best cyber security solutions should be the simplest ones.
If you know the desired behavior of your ICS network, everything that diverges from it is something to log and investigate (network whitelisting).

In this video I will show you how, knowing the operations you need to execute over your ICS network (MODBUS TCP in this case), you can detect any abnormal behavior and take action on it. This is the only technology that detects insiders' intentional or unintentional actions on your control infrastructure.

I hope you enjoy it.






Friday, August 29, 2014

Nasty things to do when Home Alone

Maybe all these cheap WiFi-connected devices we buy at big stores are not very well hardened. This is something I have suspected when visiting the houses of non-"dark people" and getting access to their WiFi network: lots of devices connected (sometimes over 12), with no clear security configuration, since they had been installed "out of the box".
This guy had the same suspicion and decided to test his own home network.

IoT: How I hacked my home

(Call me paranoid, but I am monitoring inbound and outbound traffic at home.)
And best of all: who is going to patch those devices when critical vulnerabilities arise?
Good luck with your own vulnerability test at home (of course, when alone).

Monday, August 25, 2014

Re-Assessing the Risk for the Energy Sector

Raj Samani has made a good comment on the Dragonfly espionage campaign in the Intel Security blog.

Working in Spain, and being “world champions” of the Dragonfly campaign, we were very active on that. (In fact, I translated the Joel Langill and SecurityMatters white paper into Spanish just to raise some concern among the Spanish energy companies: Cyberespionage campaign hits energy companies (Spanish).)

Spain is deploying right now the Critical Infrastructure Protection Law for the energy sector but, in my personal opinion, we are facing three main problems:
  • Lack of budget for new cyber security controls in these companies
  • Lack of detailed protection measures (which should include DLP) for ICS networks from the Spanish Administration
  • The “political will” for CIP Law enforcement (we still don't have a clear framework for auditing the measures)

On the other hand, we are executing projects outside Europe (Middle East), where DLP and AWL are being deployed on ICS networks (in our case, many of the Intel Security/McAfee solutions). Most of the time this is because we design the defense-in-depth architecture contemplating these solutions, but sometimes it is because the IT CSO is asking for it.


I think Raj Samani has made a great reflection and I agree 100% with his approach.

Friday, August 22, 2014

ICS Network anomalies detection

Deep Protocol Behavior Inspection


This technology is based on a revolutionary approach to ICS network monitoring that is able to build, in a self-learning way, the Behavioral Network Blueprint (the normal behavior).

The Behavioral Blueprint defines the communication patterns, protocols, message types, message fields and field values which are allowed in your network (i.e. the network whitelist). Then, whenever a communication that diverges from the Behavioral Blueprint occurs, the sensor system reports it, pinpointing the exact source of the problem.

This technology is known as Deep Protocol Behavior Inspection (DPBI).

Let's see some examples in this video:
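To make the idea concrete for both the Modbus TCP whitelisting post above and the Behavioral Blueprint described here, the following is an added example (not code from the video or from any DPBI product): a small Python parser for Modbus TCP frames plus a blueprint that is learned from known-good traffic and then reports exactly which field of a new message diverges (host pair, unit id, function code, register address or written value). All hosts, addresses and frames are constructed for the example; the only real structure is the MBAP header and the PDU layouts of function codes 3, 6 and 16.

```python
"""Constructed example: a small Modbus TCP behavioral whitelist (learn, then detect).
Hosts, addresses and traffic below are constructed for illustration, not captured."""
import struct
from collections import defaultdict

READ_HOLDING, WRITE_SINGLE, WRITE_MULTIPLE = 0x03, 0x06, 0x10  # Modbus function codes


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and the PDU fields the blueprint whitelists on."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (0)")
    if length != len(frame) - 6:  # MBAP length counts the unit id byte plus the PDU
        raise ValueError("MBAP length field does not match frame size")
    fc, pdu = frame[7], frame[8:]
    msg = {"unit": unit, "fc": fc, "start": None, "count": 0, "values": []}
    if fc in (READ_HOLDING, WRITE_SINGLE, WRITE_MULTIPLE):
        if len(pdu) < 4:
            raise ValueError("PDU truncated")
        msg["start"], msg["count"] = struct.unpack(">HH", pdu[:4])
        if fc == WRITE_SINGLE:  # for FC 6 the second word is the value, not a count
            msg["count"], msg["values"] = 1, [msg["count"]]
        elif fc == WRITE_MULTIPLE:
            if len(pdu) < 5 or pdu[4] != 2 * msg["count"] or len(pdu) != 5 + pdu[4]:
                raise ValueError("byte count does not match register count")
            msg["values"] = list(struct.unpack(f">{msg['count']}H", pdu[5:]))
    return msg


class Blueprint:
    """Self-learned whitelist keyed by flow = (src, dst, unit id, function code)."""

    def __init__(self):
        self.flows = set()
        self.registers = defaultdict(set)  # flow -> register addresses seen
        self.value_range = {}              # flow -> (min, max) of values written

    def learn(self, src, dst, frame):
        msg = parse_modbus_tcp(frame)
        flow = (src, dst, msg["unit"], msg["fc"])
        self.flows.add(flow)
        if msg["start"] is not None:
            self.registers[flow].update(range(msg["start"], msg["start"] + msg["count"]))
        for v in msg["values"]:
            lo, hi = self.value_range.get(flow, (v, v))
            self.value_range[flow] = (min(lo, v), max(hi, v))

    def check(self, src, dst, frame):
        """Return a list of deviations; an empty list means the message matches."""
        try:
            msg = parse_modbus_tcp(frame)
        except ValueError as e:
            return [f"malformed frame: {e}"]
        unit, fc = msg["unit"], msg["fc"]
        flow = (src, dst, unit, fc)
        if flow not in self.flows:
            # Pinpoint the first unknown element: host pair, then unit id, then function
            if not any(f[:2] == (src, dst) for f in self.flows):
                return [f"unknown host pair {src}->{dst}"]
            if not any(f[:3] == (src, dst, unit) for f in self.flows):
                return [f"unknown unit id {unit} for {src}->{dst}"]
            return [f"unknown function code 0x{fc:02x} for {src}->{dst} unit {unit}"]
        deviations = []
        if msg["start"] is not None:
            touched = set(range(msg["start"], msg["start"] + msg["count"]))
            new_regs = sorted(touched - self.registers[flow])
            if new_regs:
                deviations.append(f"registers {new_regs} outside blueprint for fc 0x{fc:02x}")
        if flow in self.value_range:
            lo, hi = self.value_range[flow]
            out = [v for v in msg["values"] if not lo <= v <= hi]
            if out:
                deviations.append(f"values {out} outside learned range [{lo}, {hi}] for fc 0x{fc:02x}")
        return deviations


# Frame builders used only to construct sample traffic for the example
def mbap(tid, unit, pdu):
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def read_frame(tid, unit, start, count):
    return mbap(tid, unit, bytes([READ_HOLDING]) + struct.pack(">HH", start, count))

def write_single(tid, unit, addr, value):
    return mbap(tid, unit, bytes([WRITE_SINGLE]) + struct.pack(">HH", addr, value))

def write_multi(tid, unit, start, values):
    pdu = bytes([WRITE_MULTIPLE]) + struct.pack(">HH", start, len(values))
    pdu += bytes([2 * len(values)]) + struct.pack(f">{len(values)}H", *values)
    return mbap(tid, unit, pdu)

HMI, PLC = "10.0.0.10", "10.0.0.20"  # constructed addresses
BASELINE = [  # constructed known-good traffic for the learning phase
    (HMI, PLC, read_frame(1, 1, 0, 10)),
    (HMI, PLC, read_frame(2, 1, 0, 10)),
    (HMI, PLC, write_single(3, 1, 100, 500)),
    (HMI, PLC, write_single(4, 1, 100, 1500)),
]

def build_blueprint(traffic=BASELINE):
    bp = Blueprint()
    for src, dst, frame in traffic:
        bp.learn(src, dst, frame)
    return bp
```

With the blueprint built from BASELINE, `bp.check(HMI, PLC, write_single(9, 1, 100, 9000))` reports only the value field, `bp.check("10.0.0.99", PLC, read_frame(9, 1, 0, 10))` reports the unknown host pair, and a write with function code 16 reports the unknown function code, so an operator sees the precise field that left the whitelist rather than a generic alert. In a real deployment the learning phase would run over a representative capture window and the written value check would more likely use engineering limits than the observed min/max, but the mechanism is the same: few assumptions, a documented normal, and everything else logged.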


ICS Network Behavior monitoring

The security level of all infrastructures that bring essential services to society must be reviewed and supervised in a continuous way.
This supervision must be based on indicators able to offer objective and sustainable values over time, given the robust and lasting design these infrastructures should have.

In this post I will focus on the first set of indicators to define and manage, all related to the right Industrial Control Network behavior for these infrastructures.