Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure...

34
Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato – IACS CyberSecurity Director

Transcript of Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure...

Page 1: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

Assessing Energy Infrastructure Cybersecurity with Kics Networks

Eduardo Honorato – IACS CyberSecurity Director

Page 2: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

PenTest Magazine

Page 3: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

Munio Security protects against “operational disruptions” caused by cyber

threats, malicious insiders and human error, by providing visibility and control to

industrial networks.

Page 4: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

It’s become apparent that prevention is not enough.A strategic shift is occurring—from prevention-centric strategies to detection and response.

Sources: Gartner, Shift Cybersecurity Investment to Detection and Response, January 2016; Gartner, Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update,

April 2016

Note: Excludes security services from estimated overall market spend for enterprise information security

By 2020, 60% of enterprise information security budgets will be allocated

for rapid detection and response approaches, up from 20% in 2015. –

Gartner, 2016

Detection &

Response

IT Budgets 2015

Prevention

Detection &

Response

IT Budgets 2013

Prevention

Detection &

Response

Prevention

IT Budgets 2020

Page 5: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

How does an ICS network look like

Internet

Field network

(ISA 95 – Level 1)

Business LAN

Supervisory

Network

(ISA 95 – Level 2)

SCADA/

HMIHistorian

www @

Control

network

Engineering

WS NTP server

MTURTU IEDs/PLCsIEDs/PLCs

DNS server

Page 6: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

Common IT services/protocols

Web: HTTP/HTTPS

Authentication and identity: LDAP

DBs: TCP/IP on specifics ports

File sharing: SFTP, SSH

Secure connection: SSL/TLS

Name service: DNS, LLMNR, SMB

Time synchronization: NTP

Configuration/Patch service: SSH,

TELNET

Network monitoring: SNMP

Common OT protocols

DNP3, IEC 101/104,

ICCP

IEC 61850 (MMS, GOOSE, SV)

MODBUS, MODBUS/TCP

OPC DA/AE

EtherNet/IP,

Proprietary protocols,

Operational Technology (OT)

Information Technology (IT)

IT/OT protocols in ICS networks

Page 7: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

Example: Hydroelectric Power GenerationOverview

Page 8: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

Example: Hydroelectric Power GenerationSystems & Protocols

HTTP, FTP, SNTP, SMTP, OPC,

Modbus/TCP, EtherNet/IP, …

IEC 104, DNP3

Page 9: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

Example: Electric Power DistributionOverview

Source: http://www.moxa.com/

substations

Page 10: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

Example: Electric Power DistributionSystems & Protocols

Control

Center

Substations

IEDs

PLCs

RTUs

Transmission

Operators

e.g. ICCP, IEC104

e.g. OPC,

proprietary

protocols

e.g. IEC61850

Page 11: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

Electricity is the core of the critical

infrastructure

Palo Alto Networks Proprietary and Confidential 11

Page 12: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

Interconnected systems – Chain Disconnections

• Integrated power generation & distribution

• Critical paths on a few substations

• Vulnerabilities exploitaition can easily lead toblackouts

12

Page 13: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

IT network ICS network

IT vs. ICS networks (at least in theory)

Page 14: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

In practice, industrial networks look often like…

Page 15: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

The main problem: lack of visibility

PROCESS

NETWORK

DEVICES

DCS/SCADA

We need to see

what’s going on

under the surface!

Page 16: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

Without visibility

you can’t have

Security

Page 17: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

Cyber attacks

may paralyze

digital power

structures

Page 18: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

Understand

What Needs to be

Protected

Assess Risk to

Devices and

Networks

OT SOC

A Continuous Process for Securing ICS

Can you effectively manage and respond to events?

2

Without visibility

you can’t have

security

Continuously

Monitor

Access

and

Changes

Get Real-time

Alerts3

1

4

Page 19: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

4 Steps to Assessing Energy

Infrastructure Cybersecurity

1. Define protection surface

2. Map the flows, asset and Architecture

3. Asset Management Risk Management

25 | © 20 Palo Alto Networks. All RightsReserved.

4. Monitor and maintain theOT network

Page 20: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

1. Define protection surface

Understand external requirements

– Contractual obligations

– Laws & regulations (e.g NERC-CIP,

ISA/IEC 62443)

Palo Alto Networks Proprietary and Confidential 26

Translate external requirements

into cybersecurity requirements

Page 21: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

1. Define protection surface

Understand external

requirements

– Contractual obligations

– Laws & regulations (e.g NERC-CIP,

ISA/IEC 62443)

Palo Alto Networks Proprietary and

Confidential

26

Translate external

requirements into

cybersecurityrequirements

Page 22: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

1. Define protection surface

Page 23: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

1. Define protection surface

Page 24: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

2 - Pathways inside the control network

• Protecting only the perimeter of the OT

network is not enough.

• There are lots of pathways inside the OT

network that bypass perimetersecurity.

• It’s necessary to protect the factory

floor with modern and in-depth defense

technologies where problems in one area

are not allowed to migrate to another

area.

• The Solution is the use of security zones,

asdefined in ISA-IEC62443standard.

Page 25: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

2 - ISA/IEC 62443 – The Zones and Conduits Model

HMI Zone

Conduit

Parent Zone

Security technologies and policies must be added to enforce

communications security between different zones

Security Zones

Page 26: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

Source

Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies Industrial Control Systems Cyber Emergency Response Team September 2016

2 – Defense in Depth

Page 27: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

3 - Asset Management / Risk Management

Automatic Discovery of Industrial

Assets

Discover Current Devices (PCs,

Servers, Laptops, PLCs, Routers)

Current Map of the Communication

Network

View existing network

communications in connection with

detected assets

Configure network map and DPI

rules in one easy to use interface

The Time Machine feature allows

the security officer to forensically

search any network activity over

various time dimensions.

Page 28: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

It´s necessary to monitorand manage equipments 24x7x365

to respond to cyber attacks without causing a production

outage.

We did it through our OT-SOC

Munio Security OT-SOC integrates cybersecurity functions with industrial processes monitoring to

prevent and respond to cyber attacks against critical

infrastructures.

Page 29: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

4. Monitor and maintain - Log sources for OT-SOC

Palo Alto Networks Proprietary and Confidential 36

Active Directory Firewall Industrial FirewallsNetwork

Services such as DNS, DHCP, etc

SCADA Industrial IDS

Network events from Switchesand Firewalls (Physical

and virtuals)

Netflow and Jflow

Layer 7 Packet Analisys

Proxy ServersOperating

Systems Events (Linux / UNIX /

Windows)

Physical Security Systems

Page 30: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

4. Monitor and maintain the OT NetworkOT SIEM – Event Management for the Electrical Sector

• Security intelligence platform with unified

architecture to collect, store, analyze and structure

data of events (logs), network flows, threats,

vulnerabilities and risks of electrical energy

environments: generation, transmission and

distribution.

• Event correlation activities are performed on a

single screen, with the possibility of clear incident

identification, flow telemetry, risk modeling, and

impact analysis.

• Modular and scalable structure that allows you to

manage the security of environments of all types

and sizes.

• Platform established in partnership with

leading technology of big data andanalytics.

• Integrated cyber security dashboards and

operating information, including information on

Modbus,ICCP, DNP-3, IEC 60870-5-104, Siemens

S7 protocols, among others specific to power.

Page 31: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

A new joint product

Energy Clients Kaspersky Kics Munio Security

OT-SOC

Munio Security IACS

Cybersecurity for

Energy

Page 32: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

Munio Security Cybersecurity for Energy

CybersecuritypoliciesEdge Security with NextGeneration Firewall

Secure Remote Access

Zones and Conduits Segmentation andDefense in Depth

Vulnerability Monitoring

Malware protectionandControl – Kics Nodes

Continuousmonitoringby Munio Security OT-SOC

4-eyed AuditingandManagement

Visibility– Kics Networks

Page 33: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.

Thank you!

kaspersky.com muniosecurity.com

Page 34: Assessing Energy Infrastructure Cybersecurity with Kics Networks · Assessing Energy Infrastructure Cybersecurity with Kics Networks Eduardo Honorato –IACS CyberSecurity Director.