Industrial Cyber Security 101
-
Upload
honeywell-process-solutions -
Category
Technology
-
view
1.032 -
download
0
Transcript of Industrial Cyber Security 101
2 © 2015 Honeywell International All Rights Reserved
Introduction
Mike Spear – Duluth, GA USA Global Operations Manager, Industrial Cyber Security
• Responsible for the Global Delivery of Honeywell’s Industrial Cyber Security Solutions Focus – Cyber Security, Industrial Networks, and
Wireless • Over 30 years of Technical Management and Consulting • Process, Batch, Discrete Manufacturing & Power
Industries • 9th Year with Honeywell Process Solutions • CIS Advisory Board Member – Gwinnett Technical
College
3 © 2015 Honeywell International All Rights Reserved
• What is Industrial Cyber Security?
• Is the Risk Real? • Where to start? • Standards • Where can I get more Information?
Agenda
4 © 2015 Honeywell International All Rights Reserved
What Is Industrial Cyber Security?
• Body of technologies, processes & people designed to protect industrial networks
• From damage, disruption, unauthorized access or exploitation via electronic means
• Requires deep understanding of industrial control systems/operations + information technology/cyber security expertise
IT Cyber Security
Industrial Cyber
Security
• Confidentiality and information
• Business systems • Process availability, safety,
reliability • No disruptions; never down • Unique, specific requirements
5 © 2015 Honeywell International All Rights Reserved
Is there a Real Threat?
Process Industry Accounts for 43%
• 55% APT • 38 % of ICS incidents
classified as unknown Lack of detection and
monitoring
• Industrial Incidents ‒ Energy = 33% ‒ Water = 5% ‒ Chemical = 3% ‒ Nuclear = 2%
*DHS-NCCIC Incident Response/ Activity 2014
*ICS-Cert Industrial Control System Cyber Emergency Response Team APT – Advanced Persistent Threat
• ICS-CERT - 245 Reported Incidents
6 © 2015 Honeywell International All Rights Reserved
Are you Immune?
• My PCN ‒ Does Not connect to the
Internet … ‒ We do not allow portable
media… ‒ Has a firewall… ‒ I stayed at a Holiday Inn
Express….
• Therefore, My ICS is 100% secure.
• 35% of ICS Incidents are a result of Malware Most penetrate from WITHIN the
ICS environment
35% of ICS Incidents are a result of Malware! *Honeywell Process Solutions
Penetration Sources
USB/Portable Media 36%
Vendor 28%
Internal Emp. Direct 24%
Remote Access 4%
Corp Network 4%
Unknown 4%
7 © 2015 Honeywell International All Rights Reserved
• Trusted attackers are difficult to detect and catch
• Must consider multiple users accessing systems
“Snowden” Threat – An insider who goes rogue
Insider Risks & Threats
Risks – Trusted resources that have been compromised
• Unsuspecting, innocent employee who is exploited
• Laptop compromised outside of the plant via malware
Employees, Vendors & Contractors
8 © 2015 Honeywell International All Rights Reserved
Security Design
PROTECT
Technical controls
(Firewall, AWL, AV, IPS, DC,
network segmentation, ….)
DETECT
Technical controls
(IPS, IDS, SIEM, Security
Dashboard …)
RESPOND
Technical controls
(IPS, Recovery CD, …)
RECOVER
Technical controls
(Back-up Control Center, …)
IDENTIFY
Non-technical controls
(Assessments, Risk management)
Non-technical controls
(Security Policies & Procedures)
Non-technical controls
(Security monitoring)
Non-technical controls
(Security incident response,
Disconnection management)
Non-technical controls
(Data recovery, Disaster recovery)
Technical controls
(Vulnerability scanning,
Monitoring …)
TIME TO BREACH THE PROTECTION
TIME TO DETECT THE
EVENT
TIME TO RESPOND TO THE EVENT > +
IF TRUE THE PLANT IS SECURE
TB > (TD + TR )
10 © 2015 Honeywell International All Rights Reserved
Levels of Security Te
chni
cal p
rote
ctio
n le
vel
Governance maturity level
SL 4 – Protects against intentional security incidents using sophisticated means and having extended resources
SL 3 – Protects against intentional security incidents using sophisticated means
SL 2 – Protects against intentional security incidents using simple means
SL 1 – Protects against casual security incidents
ISA 99 62443-3-3 – Security Levels
ML 4 – Practices are adapted based on lessons learned and predictive indicators derived from previous cyber security activities.
ML 3 – Risk practices are approved by management and expressed as policy, policies, processes, and procedures are defined, implemented and validated.
ML 2 – Risk practices are approved by management, staff has adequate resources to perform cyber security duties.
ML 1 – practices are not formalized, often case by case, and risk is managed in an ad hoc and sometimes reactive manner
NIST / C2M2 – Maturity Levels
What is an appropriate protection level for my plant?
11 © 2015 Honeywell International All Rights Reserved
Levels of Security
Security level 4
Security level 3
Security level 2
Security level 1
Mat
urity
le
vel 1
Mat
urity
Le
vel 2
Mat
urity
Le
vel 3
Mat
urity
Le
vel 4
Critical infrastructure
Typical critical infrastructure:
Oil & gas, power, water
Non-critical infrastructure
Typical non-critical infrastructure:
Plastics, steel, resins, food, paper, beverages
Classifications of criticality can differ by country!
Where are we today? In our security assessments most companies
score between SL 1 and SL 2 and ML 1 and ML 2
12 © 2015 Honeywell International All Rights Reserved
System Profiling
Maturity level
Secu
rity
Leve
l
ML1 ML3 ML2 ML4
SL1
SL2
SL3
SL4
1 2 3 4
5 6 7 8
9 10 11 12
13 14 15 16
15 © 2015 Honeywell International All Rights Reserved
Awareness
• Questions to consider: ‒ Portable Media
What if you find an USB flash drive on the parking lot. What do you do?
‒ Network/Security Documentation What happens with network / security documentation / info. Is it stored in a secure place and only authorized
people can access? Or can everyone in the company get access?
‒ Backups What about back-ups. Containing all documentation including network / security info and also passwords and
other system settings? Are they securely stored or available to many? Will it restore?
‒ People What do you do when a system administrator leaves knowing all the ins and outs of your cyber security? Has
your system been setup such that 1 person has all the info / access rights, etc.?
Are the vendors involved in your security bound by confidentiality?
• General: ‒ What does your company do to create awareness for cyber security?
Training
Policies Procedures, Best Practices
Enforcement
‒ Do you have an updated / accurate incident management plan to execute during a cyber attack?
17 © 2015 Honeywell International All Rights Reserved
• Technical Security Controls ‒ Separation from Business
Network ‒ Firewall Segmentation Review Configuration Log Review Rule Management – Especially
Outbound Consider Next Generation Firewall
• Includes advanced inspection functionality
Architecture Segmentation
‒ Zones and Conduits Grouping of nodes with like security requirements Conduits should always be from adjacent zones
18 © 2015 Honeywell International All Rights Reserved
•Determine Risk Appetite ‒Current State vs Desired State
•Create Awareness ‒Policies & Procedures
•Implement Architecture Segmentation ‒Zones & Conduits
Getting Started Summary
20 © 2015 Honeywell International All Rights Reserved
Cyber Security Standards for ICS
• Oriented toward owner / operators ‒ Security architecture ‒ Procurement ‒ Technical and non-technical security controls ‒ ISMS framework
• Oriented toward suppliers ‒ Equipment requirements ‒ Development requirements ‒ Service delivery
• Oriented toward technical countermeasures ‒ Industry specific (Power, water, pipelines, chemical, offshore, critical infrastructure)
• Oriented toward non-technical countermeasures ‒ Industry specific (Power, water, pipelines, chemical, offshore, critical infrastructure)
21 © 2015 Honeywell International All Rights Reserved
IEC 62443
Standards/Guidelines/Frameworks
Just a small overview
Owner / operator
Supplier / vendor
Technical
IEC 62443-4-2
IEC 62443-2-4
ISASecureTM program:
• Embedded Device Security Assurance (EDSA) • System Security Assurance (SSA) • Security Development Lifecycle Assurance (SDLA)
IEC 62443-3-3
IEC 62443-2-2
IEC 62443-2-1
IEC 62443-2-3
IEC 62443-4-1
ISA 99 / IEC 62443 program:
• 13 security standards covering the full spectrum
API 1164
75574 - 75575
Pipeline cyber security Maritime cyber security
NISTIR 7628
NISTIR 7788
NISTIR 7328
NISTIR 7874
Smart grid security guidelines • NISTIR • ENISA
NERC CIP
NERC CIP program:
• 8 security standards • Power utilities
EPRI 1023502
Procurement guidelines • EPRI • DHS
Non-technical
22 © 2015 Honeywell International All Rights Reserved
Is that All?
Owner / operator
Supplier / vendor
Technical
Non-technical
IEC 62443
IEC 62443-4-2
IEC 62443-4-1
IEC 62443-3-3
IEC 62443-2-2
IEC 62443-2-1
IEC 62443-2-3 IEC 62443-2-4
NERC CIP
EPRI 1023502
NISTIR 7628
NISTIR 7328
NISTIR 7788
NISTIR 7874
API 1164
75574 - 75575
Unfortunately,
• No, … IEC 61508 – security controls safety IEC 61511 – security controls safety
• Industry specific security standards Chemical - CIDX Water systems - EPA
• National / regional security standards ANSSI – French critical infrastructure VGB – German (nuclear) power
industry OLF – Norwegian offshore CPNI – UK critical infrastructure ICT Qatar guidelines NIST ENISA WIB, etc, etc, etc.
•
23 © 2015 Honeywell International All Rights Reserved
• Standards are good however, • Too Many
‒ Overlap ‒ Inconsistent
• Focus primarily on Technical Controls • ICS Standards still need to mature
‒ Business Justification
• Will need to employ a hybrid depending on Industry ‒ IEC-62443 & NIST
• Embedding into overall risk management framework
Man Years of Effort
All progress is precarious, & the solution of one problem brings us face to face with another problem.
Martin Luther King
24 © 2015 Honeywell International All Rights Reserved
Other Sources of Information
To Learn more……
Day Time Title Presenter
Monday 2:00 PM “Cyber Security Strategies: Introducing Honeywell Risk Manager” (Grand Oaks Ballroom AB)
Eric Knapp, Director Industrial Cyber Security Solutions & Technologies
4:15 PM Continuous Industrial Cyber Risk Mitigation with Managed Services Monitoring & Alerting” (Grand Oaks Ballroom CD)
Mark Littlejohn, Global Manager-Industrial Managed Security Services
Thursday 1:00 PM “Preventing, Detecting & Recovering from a Cyber Incident” (Cibolo Canyon BR 1/2)
Mike Baldi, Industrial Cyber Security Solutions Architect
1:00 PM “Best Practices for Securing Process Control Networks” (Grand Oaks Ballroom)
Jay Gustin, Engineering Fellow
1:00 PM “Fundamentals of Process Control Design” (Grand Oaks Ballroom PQ)
Sachi Dash, Manager Project Engineering
All Various Knowledge Center Robert Alston, Americas Technical Leader Industrial Cyber Security
25 © 2015 Honeywell International All Rights Reserved
Honeywell Industrial Cyber Security
Any questions?