Post on 18-Aug-2015
2 © 2015 Honeywell International All Rights Reserved
Eric D. Knapp @ericdknapp
About the Presenter
• Global Director of Cyber Security Solutions and Technology for Honeywell Process Solutions
• Over 20 years of experience in Information Technology; Over 10 years dedicated to Industrial Cyber Security
• Specializing in cyber security for ICS, security analytics, risk, and advanced cyber security controls
• Patents pending for risk management metrics and methodologies
• Author of Industrial Network Security and Applied Cyber Security and the Smart Grid
3
What is (cyber security) Risk?
“…the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.” (ISO)
“…a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that
adverse event on the organization” (NIST)
4
What is the Cyber Security Risk Manager?
A tool that continuously monitors for indicators of cyber security risk i.e., Threats & vulnerabilities that could impact the ICS
5
Measurements & Methodologies
Risk is an indication of Threat, Vulnerability and Impact
• Many methodologies: ISA-99 / 62443, ISO27005:2011, etc.
– Likelihood x Impact (R = L x I)
– Threat x Vulnerability x Consequence (R = T x V x C)
• Determining what “V” “I” and “C” are is the hard part – These can be subjective without standards and precise methodologies!
9
Quiz Time!
Level 3
Level 3.5
Level 4
Level 2
Level 1
Advanced Control
Supervisory Control
DMZ
Business Network
PC “A” is a print server. It will not impact anything if compromised.
PC “B” is an Operators workstation. If compromised it could directly impact production Q: What option would you choose for PC “A” from the following?
A B
11
Measurements & Methodologies
If R = L x I … How do we determine “Likelihood?”
• L is a function of both Vulnerability and Threat
Vulnerability “A vulnerability does not cause harm itself …” (ISO27005:2011)
Threat “A threat has the potential to harm assets … e.g. unauthorized actions, physical damage, technical failures” (ISO27005:2011)
12
Measurements & Methodologies
If R = L x I … How do we determine “Likelihood?”
• L is a function of both Vulnerability and Threat
Vulnerability Threat
(specific) Counter-measure
Threat (actor)
13
Assess the Vulnerability of the ICS
• “Vulnerability” can be a broad or focused lens:
– Each asset needs to be assessed
– The entire system needs to be assessed
– You need to understand threat to understand vulnerability
• Example:
– If HMI software is susceptible to a buffer overflow, this is a very specific vulnerability of a specific software asset.
– However, if the HMI can be used to directly impact the entire system, it is also a systemic vulnerability
– This is because malicious control of the HMI is equivalent to having a bad guy at the console, and you can easily gain control of an HMI over the network (understanding the threat)
14
Assess the Vulnerability of the ICS • Perform Vulnerability Assessments, but do them carefully
– Slow scans
– Redundant pairs
– Passive methods
– No exploits!!!
• Understand the limits – Aggressive scans tell you a lot
… but they aren’t safe to use
– Less-aggressive scans are safer
… but they tell you less
– No scan can tell you everything … you can’t scan for zero-days
• Enlist assistance from someone qualified and experienced in assessment ICS systems
15
Quiz Time!
Level 3
Level 3.5
Level 4
Level 2
Level 1
Advanced Control
Supervisory Control
DMZ
Business Network
PC “X” and “Z” are both scanned by a VA scanner and 6 critical vulnerabilities are found on each.
PC “Z” is patched fully, but PC “X” is left as is. Q: Which of the machines is vulnerable?
Z
X
16
Understanding Vulnerabilities
• Risk Manger looks for indicators of vulnerability
– Weak system defenses
– Poor access controls
– Susceptibility to misuse
17
Identify Threats Against the ICS
• What are cyber threats?
– Malware (viruses, trojans, RATs, APTs, etc)
– Hackers (script kiddies, semi-professionals, disgruntled employees, professionals, hacker-for-hire, cyber crime, nation-state)
– Accidents (insider / employees, outside / unintentional incidents)
18
Identify Threats Against the ICS
– You need to understand vulnerability to understand threat
…wait? Which came first?
(just don’t hide from the truth)
20
Understanding Threats
• Risk Manager looks for various indicators of active threats – Active intrusions
– Exploits of vulnerabilities
– Unauthorized activity
21
What Does Risk Manager do with all of this?
Risk Manager evaluates indicators of risk using patented algorithms to generate accurate risk scores in line with
industrial risk management standards
22
How risky is my system from a security perspective?
Assess Your Cyber Security Posture
Has something happened that I need to act on?
Where do I start?
How can I show that we are improving our security posture?
Is my control system up to date?
Am I following best practices?
When something goes wrong, what should I do?