Hi everyone. My name is Tom Van Norman. I'm a Director of Engineering Services at Dragos. We're talking about a SOC today; it's the SOC from the ICS Village that we have. I'm going to speed through things here pretty quick because we have to close up and get out of here. Breakdown is at six; we're having an arcade party tonight next door in our village. If you come back at 10:30, we have some really cool retro arcade games that we are setting up.

So, as I said, "A SOC in the Village" is my talk. Very high level. If we have questions afterwards, by all means come next door and we'll run through things with you.

So what we're going to do: we have an introduction to an ICS SOC. Unfortunately we're not going to do a demonstration because we have to break down everything at six o'clock, so by the time we get down there everything will be turned off. And then, understanding the effects of attacks on ICS systems.

So what is an OT security operations center anyway, and do you really need them? That question comes up all the time. You know, some people say you do, some people say you don't, but what are they? Are they anomaly detection solutions? Next door we have Nozomi over there, we have Claroty over there, we have SecurityMatters over there, CyberX, you know, all these fantastic products they have, but is that really what your SOC looks like? Is it a SIEM? We have a SIEM by Graylog over there, an OT SIEM. Is that your SOC? An IDS? We had a Security Onion running over there, but we replaced it with some other things. The PewPew maps? Or are they really, you know, unicorns? Well, they really do exist. Who has them? Well, many, many Fortune 100 companies have them, OT SOCs. Today they are becoming more and more common, whether it's through an MSP or on site, but we are seeing a lot more of that data pushed up from the plant floor into SOCs for monitoring. Depending on the size of your company, you might have multiple SOCs. Global companies, you'll have issues with data leaving the country or leaving that area, and privacy and everything else, so you might have multiple SOCs depending on where you're at and how you're operating. Of course, you know, some of them are outsourced, some are done in-house.

So a SOC is a combination of people, processes and technologies that proactively search for abnormalities in the environment to identify and respond to security incidents. You can read just like me, but I started to read that.

So what exactly are we talking about? Well, the people part. What it is not: you never throw people at a problem to fix it. That does not work. You know, we've seen that time and time and time again: you have a problem, so let's just hire a bunch of people. Well, that doesn't really work. What you need is good people of various skill levels, but they have unique talents, and we can go over the talents after this here. You must have the three tiers. So your tier one people, all your analysts, are going to look through your logs, your alerts, your different events day after day and say, "Hey, you know, this does not look right." You'll have the most people in that group. Your tier two are your incident responders. So your tier one, of course, will push it up to tier two. Tier two, the incident responders, are going to go out and see what exactly is going on there. They perform the triage, they're going to dig a little bit deeper into everything, apply the appropriate mitigations. Now tier three is where we really get into the uniqueness here. Tier one and tier two are the same between, you know, all the different SOCs, but when we get into tier three for OT, these are the people that are closest to the process. So you have something going on, you find some sort of malware. Unlike your conventional IT systems, where you know you're going to look at your web servers, your email servers and things like that, that's pretty standard across-the-board stuff. OT, though, you need somebody to understand those controllers, you need somebody to understand the system and processes, how they work. So, you know, if there's a chemical process, what's going on in that chemical process, what impact does this have? An IT guy is not going to know that at all. You need a process engineer, you need somebody that really understands the process: what does that controller do, what is the impact of that? That is the biggest part, or the biggest difference, here. Also, when you do your investigation, it can't be left with "Hey, I don't know what happened." You know, we have to identify what exactly did happen. You know, if we went through tier one and tier two, obviously something happened. Tier three just can't write it off; you have to rule it out, rule everything out.

Process part: documentation and procedures are a must. So you use a standard investigation every single time and document everything that happens. Again, I can't stress the documentation part enough. A lot of people, including myself, really cannot stand documentation; however, when you do this, you have to document every single thing. Look at the big picture when you're done. Follow the same procedure every time; if one doesn't exist, make it up. You know, it doesn't have to be a real super-detailed procedure, but you have to follow the same steps every time to get a similar outcome.

Technology part: there is no silver bullet. I work for a vendor, you know, Dragos, we make a threat detection platform. I'm the first one to say, and everybody else in companies will say, there is no silver bullet. Firewalls, you know what, we are not the answer, your anomaly detection units are not the answer. There is no one silver bullet; any vendor that tells you that is just trying to sell you something.

One of the problems that here in the ICS Village we hear all the time, every single event we go to, is network visibility. "I have no idea what my assets are, I have no idea what's on my network, how do I do it, where do I get it?" The list goes on and on and on. You know, you talk about SPAN ports, and sometimes you can't get SPAN ports. You know, the managed switches are three layers up; down below in the cabinets it's unmanaged switches. How do you bring that data back up? Network visibility is a problem. You know, do you want to do active scanning, do you want to keep it all passive? It's not an easy problem, and every solution can be different. Software-defined networking is an alternative to it. There are a couple of vendors out there doing software-defined networking for OT networks. If you're not familiar with it, come see me afterwards and I'll talk to you a little bit. In a previous life that's what I did for OT networks; very interesting technology that's out now.

So you've got all your SPAN ports, you're mirroring your data, you're spanning your data. What do you do with it? You know, again, you could have hundreds of megs of data, we have gigs of data, depending on how you span everything. What are you doing with it now? You input it to a threat detection system, input it to a SIEM. You know, there's several tools that you import it to, but import it, save that data, find a tool that works best for you, fits your budget, fits your needs.

So another problem is correlation of data from multiple systems. So what do we mean with that? I'll have, you know, my historian, I'll have my one asset detection tool, I'll have an anomaly detection tool, I have, you know, all of these detection tools. If I put them up on my screen, all these dashboards, I can't read it. It's really at that point worthless because there's just too much data. Integrating into a SIEM, I only show the information that you really want. So over here in the ICS Village we have that problem; you know, we're running multiple platforms. So for DEF CON here we got Graylog, who makes a SIEM, and we fed all of them in there and we made up a dashboard that had Nozomi, Claroty and asset management, everything up on the one dashboard. And there's many SIEM solutions out there now.

Important takeaway: 100% of the actions should either be a false positive or result in a finding. That's a very important thing. You know, as I said before, when you get to the tier three, these are the people that are really hunting down the problem, talking to control system engineers, maybe they are control systems engineers. You really need to find the root cause of that problem. It may not be easy; it might be a rootkit on your PLC, might be malware, might be something else, but it is a challenge.

So there are many options for running a SOC: it could be an MSSP, in-house or a hybrid. So a couple of things that I've seen: you know, your tier one and tier two are MSSPs and you push them up there, again, there are many of those, and then your tier three, since they have to be that highly specialized, work with your control engineer, or work closely with your control engineer, maybe they're an in-house employee. But tier one and two outsourced might work pretty good.

More data is better. When you talk about SOCs, give it as much data as you can so you can go back and correlate, you can track things back. Technology is never a replacement for people. Just like you can't throw people at a problem and expect the problem to fix, you can't replace people with technology. Technology is a fantastic thing; it gives you that data, presents the data many different ways, but you still need that human to go and look through, especially when we're talking about the control system network, where it can do funny things. You know, with that control system network, we're dealing with three things that can go, you know, bad: it's health, life and safety. When things go bad, you know, your machine is not going to pick that up, but your person will.

So there's a couple of things that we're doing over here in the ICS Village. We built an area where you can interact with SMEs and discuss many different topics, IT and OT topics. The CTF just finished while I was waiting to get up here; I have to say the Dragos team won that. And, you know, avoid the sales pitch and see how things actually work: get the proof of concept. Don't let the vendors come in and say, "Hey, you know, we got this wonderful thing for you, it's gonna solve everything." Great, but in my network let it run for 30, 60, 90 days, 180, whatever you can negotiate for your proof of concept. Might cost you a few bucks, might get it for free, every vendor is different, but do that proof of concept. Just don't buy because the salesman said to buy.

And I flew through the talk pretty quick; that's who I am. If you have any questions, by all means come up to me later; I'll gladly talk to you about this or any other topic. Thank you.