ICS Cyber Security - Honeywell...

of 27 /27
ICS Cyber Security: Continuous Monitoring as a Critical Function Mark Littlejohn

Transcript of ICS Cyber Security - Honeywell...

Page 1: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

ICS Cyber Security: Continuous Monitoring as a Critical Function

Mark Littlejohn

Page 2: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

2 2014

About the Presenter

Mark Littlejohn • Global Leader Cyber Security Managed

Services for Honeywell Process Solutions.

• Over 20 years experience in the field of cyber security.

• Specializing in cyber security solutions, security infrastructure through assessing organizational risk, establishing security goals, implementing sound technical solutions, regulatory compliance and real-time monitoring.

Page 3: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

3 2014

Continuous Monitoring Topics

• Making the Case

• Key Elements

• Honeywell Advantage

Page 4: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

ICS Continuous Monitoring: Making the Case

Page 5: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

5 2014

Focus: Up to But Not Including Corporate and 3rd Party Networks

Router

ESC ESF ESTACE Experion Server

ESVT Safety Manager

Terminal Server

Qualified Cisco Switches

Optional HSRP Router

Domain Controller ESF EAS

PHD Server Experion

Server

Firewall

3RD Party App Subsystem Interface

Corporate and 3rd Party/Vendor/Contractor/Maintenance Connections

Level 3

Level 3.5 DMZ

Level 4

Terminal Server

Patch Mgmt Server

Anti Virus Server

eServer PHD Shadow Server

Patch Anti PHD

Level 2

Domain Controller

Level 1

IT Cyber Security

Industrial Cyber

Security

Page 6: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

6 2014

Critical Infrastructure Cybersecurity Framework Function

IDENTIFY

PROTECT

DETECT

RESPOND

RECOVER

http://www.nist.gov/cyberframework/

Maps controls to: - ISO 27001 - ISA 99/IEC 62443 - NIST SP 800-53 - COBIT 5 - CCS CSC

Page 7: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

7 2014

Critical Infrastructure Cybersecurity Framework Function Elements

IDENTIFY Hardware & Software Inventory, Policy & Procedures Network Topology, Security Risk Assessments

PROTECT Firewalls, Passwords, Antivirus, Patching, USB Control Physical Security, Change Control, Backup & Recovery

DETECT ?

RESPOND ?

RECOVER ?

http://www.nist.gov/cyberframework/

Page 8: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

8 2014

Industrial Cyber Attacks & Incidents Are Rising

Information Stealer Malware

Worm Targeting SCADA and Modifying PLCs

Virus Targeting Energy Sector Largest Wipe Attack

Virus for Targeted Cyber Espionage in Middle East

Worm Targeting ICS Information Gathering and Stealing

Large-Scale Advanced Persistent Threat Targeting Global Energy

APT Cyber Attack on 20+ High Tech, Security & Defense Cos.

Cyber-Espionage Malware Targeting Gov’t & Research Organizations

Industrial Control System Remote Access Trojan & Information Stealer

Security Bug and Vulnerability Exploited by Attackers

Worm Targeting SCADA

Industrial Control System Remote Security Bug and Vulnerability

Information Stealer Malware

Cyber-Espionage Malware Targeting

Worm Targeting ICS

Virus for Targeted Cyber

Large-Scale Advanced Persistent

Virus Targeting Energy Sector

Threat Targeting

APT Cyber Attack on 20+

Page 9: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

9 2014

What do these 3 Plants have in common?

9

German Steel Plant

Turkish Pipeline

Iranian Nuclear Facility

Page 10: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

10 2014

Increased Activity & Success

Nov 20, 2014 NSA Chief FINALY states:

“It’s already happened!”

Jan 23, 2015 Cisco CEO at 2015 Davos Conference:

“Cyber Attacks will double

this year”

Page 11: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

11 2014

Common Thread

• Most of these attacks could have been stopped using good protection and detection capabilities

• The results/effects of ALL of these attacks could have been reduced via continuous monitoring

Is your ICS currently infected or under attack?

Page 12: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

ICS Continuous Monitoring: Key Elements

Page 13: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

13 2014

Key Item to Monitor

• Network Activity Logs • Attack Signatures, ACL Rules, Utilization Spikes

• System Audit Logs • Unauthorized Access, Disabling Controls, Configuration Changes

• System Availability/Performance • Application Health, CPU Utilization, Hardware Errors

• Administrative Changes • GPO Modifications, Group Additions, Log Clearing

• Software Update Compliance • Aging for Virus Signatures, Security Patches, Software Updates

• Virus Infections

Page 14: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

14 2014

Obstacles to Effective Monitoring

• Budget for required utilities • Intrusion Detection Systems • Security Information & Event Management • Logging Agents, Relay Servers, Databases, etc.

• Personnel required for administration • Initial Installation of components above • Analysis of events to determine what is critical • Investigation of alerts to determine next steps

• Other concerns • Competing DCS priorities • Training on new technology • Different expertise per location

Page 15: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

15 2014

Continuous Monitoring Best Practice

Hire a company to monitor your systems for ¼ the price, but only if they have the following:

• Expertise in Control System security • Methodology that complies with IEC 62443 • 100s of current ICS customers • Follow the sun support model • Geographically separate operating facilities

Page 16: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

ICS Continuous Monitoring: Honeywell Advantage

Page 17: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

172014

Complete Industrial Cyber Security Solutions • Security Assessments • Network & Wireless Assessments • Security Audits

• Firewall • Intrusion Prevention • Access Control • Policy Development

• Patching & Anti-Virus • Application Whitelisting • End Node Hardening • Portable Media & Device Security

• Continuous Monitoring • Compliance & Reporting

• Security Analytics • Security Information & Event Management (SIEM)

• Security Awareness Training

• Current State Analysis • Design & Optimization • Zones & Conduits

• Security Assessments • Network & Wireless Assessments • Security Audits Assessments

& Audits

• Zones & Conduits

Architecture & Design

Network Security

Endpoint Protection

Continuous Monitoring

& Event Management (SIEM)

Situational Awareness

TECHNOLOGY

Response & Recovery

• Backup and Restore • Incident Response

Page 18: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

182014

Managed Industrial Cyber Security Services Technology Enabled

Secure Connection Secure tunnel for services

Perimeter and Intrusion Management Firewall: Configuration rules + log file review and reporting IPS: Signature update validation + log file review and reporting

Protection Management Qualified anti-malware files & operating system patches

Continuous Monitoring and Alerting Monitoring of system, network & cyber security performance 24/7 alerting against thresholds

Intelligence Reporting Weekly compliance and quarterly trend reports

Page 19: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

192014

The Foundation: Honeywell’s Secure Connection

• Customer Initiated Encrypted Tunnel – Customer controlled connection

• Customized with easy to configure Security Policies • Only connects to Honeywell’s Managed Security Service Center

– Two-Factor Authentication and Encryption • Honeywell Certificate based • Keeps information private even through corporate network

• Infrastructure and methodology supports ISA99/IEC-62443 concepts – Zones & conduits, authentication, security logging, input validation and

system integrity checks

• Secure Connection Enables – Protection Management – Continuous Monitoring and Alerting – Intelligence Reporting – Perimeter and Intrusion Management – Secure Troubleshooting

Drawbridge

Secure Connection

Page 20: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

202014

Secure Connection Architecture

Connection Initiated by Site Secure Service Node

• SSL Encrypted, Two-Factor Authenticated Communication

• Connects to Managed Security Service Center ONLY

• Encrypted communication through corporate network provides additional security

Connection Initiated by Site

Internet

Level 3

Level 3.5 DMZ

Level 4

Level 2

Level 1

ACE

ExperionServer

Domain Controller

Domain Controller

ExperionServer

3RD Party Apps

TerminalServer

eServer

EST

ESF

Anti-MalwareServer

DMZ

EngineeringControls

OperatorControls

CORPORATE

MalwareMalwareExperion

MalwareMalwareMalwareMalwareMalwareMalwareMalware

WindowsTMPatch MgmtServer

(WSUS)

CorporateRouter

SSL Encrypted, Two-Factor Authenticated Communication

Encrypted communication through corporate network provides additional security

Communication Server

DMZ

DatabaseServers

Application Servers

CorporateProxyServer

RelayServer Application Application

SecureServiceNode

eServereServer

Domain

• Relay Server isolates ICS/PCN ensuring no direct communication between Level 3 & Level 4/Corporate Network

• Restricts unauthorized ICS/PCN nodes from sending or receiving data

Managed Security Service Center Industrial

Site

Page 21: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

21 2014

Protection Management

Deploying Current Releases Helps Prevent Exploits, Infections and Application Malfunctions

• Automated, secure transfer to site of Honeywell tested and qualified Anti-Malware signature files & Operating System patches – Provides a local source of current, qualified signature files and patches for

installation – Reduces manual, administrative work and delays required to obtain current files

and patches – Maintains integrity of files through Secure Connection’s encrypted file transfer

• Avoids file modification risk via transfers by email or portable media

• Anti-Malware files – Protect against virus, worms, and malware which can compromise the PCN/ICS

• Windows TM and Experion Operating System patches – Block multiple malware vulnerabilities to reduce system breaches, prevent

unauthorized shut downs, and keep Control Systems operating properly

Anti-Malware Files & Operating System Patches

Page 22: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

222014

Continuous Monitoring and Alerting

• Continuous Monitoring – Agentless monitoring solution for system, network

and security performance and health – Tested to ensure no impact on systems – Automated monitoring of critical ICS, network,

Windows TM and security parameters – Intelligent analysis based on Honeywell engineering & expertise

• Alerts / Situational Awareness – 24/7 automated, proactive alerting for all monitored devices – Equipment and device specific thresholds – Managed Security Service Center automatically generates an

alert email or SMS text to site specified contact

Secure Connection Monitoring of Systems, Network & Security

Page 23: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

232014

Intelligence Reporting

• Trend Analysis Complements Alerts – Ability to catch degrading conditions – Captures & reports frequency of intermittent issues

• Weekly Critical Parameter Reports Actionable reports of critical system & network

information plus security issues

– Out-of-date installation status for Anti-Malware signatures & WindowsTM patches

– Inventory of all detected networked equipment – Key source of data for compliance documentation

• Bi-Annual and/or Quarterly Reports – Comprehensive, detailed reports including long term trends, plus expert analysis

• Audit – Audit capability including access to session recordings

Secure Connection Reporting of ICS Status, Trends & Issues

Page 24: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

242014

Perimeter & Intrusion Management Services

Firewalls and IPS only work if properly configured & managed

• Firewall Management Services – Provides expert review of firewall log files, including rule changes – Allows for identification of unauthorized and unplanned changes Note: Corporate firewall management NOT included or supported

• Intrusion Prevention System (IPS) Management Services – Verifies IPS signature updates are appropriate for site – Provides expert review of log files

• Logs and changes are reviewed and monitored for modifications and activity – Avoids erosion of security posture or system interruption

PCN Firewalls & IPS Equipment Configurations Are Critical Elements of Site Protection

Secure Connection Management of Firewalls & Intrusion Prevention Systems

Page 25: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

25 2014

Why Honeywell Industrial Cyber Security?

Global team of certified experts with deep experience across all industries 100’s of successful PCN / Industrial cyber security projects Leaders in security standards ISA99 / IEC62443

Trusted, Proven Solution Provider

Proprietary methodologies specific for process control environment & operations Best practices developed through years of delivering solutions

Comprehensive understanding of unique process control security requirements

First to obtain ICS product security certification with ISASecure Largest R&D investment in cyber security solutions and technology Strategic partnerships with best in class security product vendors

Industry Leading People and Experience

Industry Leading Processes and Expertise

Industry Leading Solutions

Page 26: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Honeywell Proprietary

262014

Contact Information

Contact InformationEmail: [email protected]

www.becybersecure.com

Page 27: ICS Cyber Security - Honeywell Processdownloads.honeywellprocess.com/public/email/pdf/Continuous_Moni... · •Global Leader Cyber Security Managed ... Critical Infrastructure Cybersecurity

Thank you!