Industrial Cyber Security 101

Transcript of Industrial Cyber Security 101

Mike Spear

© 2015 Honeywell International All Rights Reserved

Introduction

Mike Spear – Duluth, GA USA
Global Operations Manager, Industrial Cyber Security

• Responsible for the Global Delivery of Honeywell’s Industrial Cyber Security Solutions
‒ Focus – Cyber Security, Industrial Networks, and Wireless
• Over 30 years of Technical Management and Consulting
• Process, Batch, Discrete Manufacturing & Power Industries
• 9th Year with Honeywell Process Solutions
• CIS Advisory Board Member – Gwinnett Technical College

3 © 2015 Honeywell International All Rights Reserved

• What is Industrial Cyber Security?

• Is the Risk Real? • Where to start? • Standards • Where can I get more Information?

Agenda

4 © 2015 Honeywell International All Rights Reserved

What Is Industrial Cyber Security?

• Body of technologies, processes & people designed to protect industrial networks
• From damage, disruption, unauthorized access or exploitation via electronic means
• Requires deep understanding of industrial control systems/operations + information technology/cyber security expertise

IT Cyber Security:
• Confidentiality and information
• Business systems

Industrial Cyber Security:
• Process availability, safety, reliability
• No disruptions; never down
• Unique, specific requirements

Is there a Real Threat?

• ICS-CERT – 245 Reported Incidents*
‒ Process Industry Accounts for 43%
‒ 55% APT
‒ 38% of ICS incidents classified as unknown (lack of detection and monitoring)
• Industrial Incidents
‒ Energy = 33%
‒ Water = 5%
‒ Chemical = 3%
‒ Nuclear = 2%

*DHS-NCCIC Incident Response/Activity 2014
ICS-CERT – Industrial Control System Cyber Emergency Response Team
APT – Advanced Persistent Threat

Are you Immune?

• My PCN …
‒ Does Not connect to the Internet …
‒ We do not allow portable media …
‒ Has a firewall …
‒ I stayed at a Holiday Inn Express ….
• Therefore, My ICS is 100% secure.

• 35% of ICS Incidents are a result of Malware! Most penetrate from WITHIN the ICS environment. (*Honeywell Process Solutions)

Penetration Sources:
‒ USB/Portable Media 36%
‒ Vendor 28%
‒ Internal Emp. Direct 24%
‒ Remote Access 4%
‒ Corp Network 4%
‒ Unknown 4%

Insider Risks & Threats

Employees, Vendors & Contractors

Threat – “Snowden” Threat: An insider who goes rogue
• Trusted attackers are difficult to detect and catch
• Must consider multiple users accessing systems

Risks – Trusted resources that have been compromised
• Unsuspecting, innocent employee who is exploited
• Laptop compromised outside of the plant via malware

Security Design

IDENTIFY
‒ Non-technical controls (Assessments, Risk management)
‒ Technical controls (Vulnerability scanning, Monitoring …)

PROTECT
‒ Non-technical controls (Security Policies & Procedures)
‒ Technical controls (Firewall, AWL, AV, IPS, DC, network segmentation, ….)

DETECT
‒ Non-technical controls (Security monitoring)
‒ Technical controls (IPS, IDS, SIEM, Security Dashboard …)

RESPOND
‒ Non-technical controls (Security incident response, Disconnection management)
‒ Technical controls (IPS, Recovery CD, …)

RECOVER
‒ Non-technical controls (Data recovery, Disaster recovery)
‒ Technical controls (Back-up Control Center, …)

TB = Time to breach the protection
TD = Time to detect the event
TR = Time to respond to the event

If TB > (TD + TR), the plant is secure.

What is your Risk Appetite?

Levels of Security

Technical protection level – ISA 99 / IEC 62443-3-3 Security Levels:
SL 4 – Protects against intentional security incidents using sophisticated means and having extended resources
SL 3 – Protects against intentional security incidents using sophisticated means
SL 2 – Protects against intentional security incidents using simple means
SL 1 – Protects against casual security incidents

Governance maturity level – NIST / C2M2 Maturity Levels:
ML 4 – Practices are adapted based on lessons learned and predictive indicators derived from previous cyber security activities.
ML 3 – Risk practices are approved by management and expressed as policy; policies, processes, and procedures are defined, implemented and validated.
ML 2 – Risk practices are approved by management; staff has adequate resources to perform cyber security duties.
ML 1 – Practices are not formalized, often case by case, and risk is managed in an ad hoc and sometimes reactive manner.

What is an appropriate protection level for my plant?

Levels of Security

[Chart: Security level 1–4 on the vertical axis against Maturity level 1–4 on the horizontal axis]

Critical infrastructure – typical critical infrastructure: Oil & gas, power, water
Non-critical infrastructure – typical non-critical infrastructure: Plastics, steel, resins, food, paper, beverages
Classifications of criticality can differ by country!

Where are we today? In our security assessments most companies score between SL 1 and SL 2 and ML 1 and ML 2.

System Profiling

Profile number by Security Level (rows) and Maturity Level (columns):

        ML1   ML2   ML3   ML4
SL1      1     2     3     4
SL2      5     6     7     8
SL3      9    10    11    12
SL4     13    14    15    16

Where Do you Want to be?

Awareness

• Questions to consider:
‒ Portable Media
  What if you find a USB flash drive in the parking lot. What do you do?
‒ Network/Security Documentation
  What happens with network / security documentation / info? Is it stored in a secure place that only authorized people can access? Or can everyone in the company get access?
‒ Backups
  What about back-ups containing all documentation, including network / security info and also passwords and other system settings? Are they securely stored or available to many? Will they restore?
‒ People
  What do you do when a system administrator leaves knowing all the ins and outs of your cyber security? Has your system been set up such that one person has all the info / access rights, etc.?
  Are the vendors involved in your security bound by confidentiality?

• General:
‒ What does your company do to create awareness for cyber security?
  Training
  Policies, Procedures, Best Practices
  Enforcement
‒ Do you have an updated / accurate incident management plan to execute during a cyber attack?

Segmentation

• Technical Security Controls
‒ Separation from Business Network
‒ Firewall Segmentation
  Review Configuration
  Log Review
  Rule Management – Especially Outbound
  Consider Next Generation Firewall (includes advanced inspection functionality)

• Architecture Segmentation
‒ Zones and Conduits
  Grouping of nodes with like security requirements
  Conduits should always be from adjacent zones
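The two rule-management points above (conduits only between adjacent zones, and scrutiny of outbound rules) can be turned into a mechanical check over an exported rule set. The following is an added example written for this transcript; it is not code from the slides or from Honeywell. The zone ordering (controllers outward to the business network), the Rule record layout and the sample rules are all assumptions made for illustration.

```python
"""Zones-and-conduits review of a firewall rule set.

Added example, not part of the original slides. Flags allow rules whose
conduit spans non-adjacent zones, and outbound allow rules that leave the
destination port unrestricted. Zone ordering and rule format are assumed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed zone ordering, innermost (controllers) to outermost (business).
# Two zones are adjacent when their indices differ by exactly one.
ZONE_ORDER = ["control", "supervisory", "site_ops", "dmz", "business"]


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: str   # e.g. "502", "443", or "any"
    action: str     # "allow" or "deny"


def zone_distance(src: str, dst: str) -> int:
    """Number of zone boundaries a conduit from src to dst would cross."""
    return abs(ZONE_ORDER.index(src) - ZONE_ORDER.index(dst))


def is_outbound(src: str, dst: str) -> bool:
    """Outbound = initiated from the plant side toward the business side."""
    return ZONE_ORDER.index(dst) > ZONE_ORDER.index(src)


def review_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for allow rules that need attention.

    Findings raised:
      * conduit spans non-adjacent zones (should be split through the zone between)
      * outbound allow rule with an unrestricted destination port
    """
    findings = []
    for r in rules:
        if r.action != "allow" or r.src_zone == r.dst_zone:
            continue  # denies and intra-zone rules are not conduits
        if zone_distance(r.src_zone, r.dst_zone) > 1:
            findings.append((r.name, f"conduit skips a zone: {r.src_zone} -> {r.dst_zone}"))
        if is_outbound(r.src_zone, r.dst_zone) and r.dst_port == "any":
            findings.append((r.name, "outbound rule with unrestricted destination port"))
    return findings


# Constructed sample rule set (not taken from the slides).
SAMPLE_RULES = [
    Rule("scada-to-plc", "supervisory", "control", "502", "allow"),   # adjacent, fine
    Rule("hist-to-dmz", "site_ops", "dmz", "1433", "allow"),          # adjacent, fine
    Rule("dmz-to-biz", "dmz", "business", "443", "allow"),            # adjacent, fine
    Rule("eng-ws-to-biz", "site_ops", "business", "any", "allow"),    # skips the DMZ, any port
    Rule("biz-to-plc", "business", "control", "502", "allow"),        # crosses four boundaries
    Rule("default-deny", "control", "business", "any", "deny"),       # deny: ignored
]

if __name__ == "__main__":
    for name, finding in review_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Run against the constructed rules, the two adjacent-zone conduits and the default deny pass, while the workstation-to-business rule is reported twice (it bypasses the DMZ and is open on every port) and the business-to-controller rule is reported for spanning four zone boundaries. On a real rule export the zone of each address range would be looked up from the segmentation design rather than hard-coded as here.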


Getting Started Summary

• Determine Risk Appetite
‒ Current State vs Desired State
• Create Awareness
‒ Policies & Procedures
• Implement Architecture Segmentation
‒ Zones & Conduits

Standards & Regulations

Cyber Security Standards for ICS

• Oriented toward owner / operators
‒ Security architecture
‒ Procurement
‒ Technical and non-technical security controls
‒ ISMS framework
• Oriented toward suppliers
‒ Equipment requirements
‒ Development requirements
‒ Service delivery
• Oriented toward technical countermeasures
‒ Industry specific (Power, water, pipelines, chemical, offshore, critical infrastructure)
• Oriented toward non-technical countermeasures
‒ Industry specific (Power, water, pipelines, chemical, offshore, critical infrastructure)

Standards/Guidelines/Frameworks – Just a small overview

[Grid: Owner / operator vs Supplier / vendor on one axis, Technical vs Non-technical on the other]

• IEC 62443 – ISA 99 / IEC 62443 program: 13 security standards covering the full spectrum
‒ IEC 62443-2-1, IEC 62443-2-2, IEC 62443-2-3, IEC 62443-2-4
‒ IEC 62443-3-3
‒ IEC 62443-4-1, IEC 62443-4-2
‒ ISASecure™ program: Embedded Device Security Assurance (EDSA), System Security Assurance (SSA), Security Development Lifecycle Assurance (SDLA)
• API 1164 – Pipeline cyber security
• 75574 - 75575 – Maritime cyber security
• NISTIR 7628, NISTIR 7788, NISTIR 7328, NISTIR 7874 – Smart grid security guidelines (NISTIR, ENISA)
• NERC CIP – NERC CIP program: 8 security standards, Power utilities
• EPRI 1023502 – Procurement guidelines (EPRI, DHS)

Is that All?

Unfortunately, No …

• IEC 61508 – security controls safety
• IEC 61511 – security controls safety
• Industry specific security standards
‒ Chemical - CIDX
‒ Water systems - EPA
• National / regional security standards
‒ ANSSI – French critical infrastructure
‒ VGB – German (nuclear) power industry
‒ OLF – Norwegian offshore
‒ CPNI – UK critical infrastructure
‒ ICT Qatar guidelines
‒ NIST
‒ ENISA
‒ WIB, etc, etc, etc.

• Standards are good, however,
• Too Many
‒ Overlap
‒ Inconsistent
• Focus primarily on Technical Controls
• ICS Standards still need to mature
‒ Business Justification
• Will need to employ a hybrid depending on Industry
‒ IEC-62443 & NIST
• Embedding into overall risk management framework

Man Years of Effort

“All progress is precarious, & the solution of one problem brings us face to face with another problem.” – Martin Luther King

Other Sources of Information

To Learn more……

• Monday, 2:00 PM – “Cyber Security Strategies: Introducing Honeywell Risk Manager” (Grand Oaks Ballroom AB) – Eric Knapp, Director Industrial Cyber Security Solutions & Technologies
• Monday, 4:15 PM – “Continuous Industrial Cyber Risk Mitigation with Managed Services Monitoring & Alerting” (Grand Oaks Ballroom CD) – Mark Littlejohn, Global Manager-Industrial Managed Security Services
• Thursday, 1:00 PM – “Preventing, Detecting & Recovering from a Cyber Incident” (Cibolo Canyon BR 1/2) – Mike Baldi, Industrial Cyber Security Solutions Architect
• Thursday, 1:00 PM – “Best Practices for Securing Process Control Networks” (Grand Oaks Ballroom) – Jay Gustin, Engineering Fellow
• Thursday, 1:00 PM – “Fundamentals of Process Control Design” (Grand Oaks Ballroom PQ) – Sachi Dash, Manager Project Engineering
• All days, various times – Knowledge Center – Robert Alston, Americas Technical Leader Industrial Cyber Security

Honeywell Industrial Cyber Security

Any questions?

Layered Approach to Governance