Power Digital Cyber Security - Frame 6 Users...


Page 1: Power Digital Cyber Security - Frame 6 Users Group
frame-6-users-group.org/wp-content/uploads/2017/08/Final6BUC2017_Cyber...

6B Users Conference | San Antonio, TX | June 19-22, 2017

Power Digital Cyber Security
Rob Putman

Page 2:

© 2017 General Electric Company. Confidential information. All rights reserved.

All relative statements are with respect to GE technology unless otherwise noted.

© 2017, General Electric Company. GE Proprietary Information - The information contained in this document is General Electric Company (GE) proprietary information. It is the property of GE and shall not be used, disclosed to others or reproduced without the express written consent of GE, including, but without limitation, in the creation, manufacture, development, or derivation of any repairs, modifications, spare parts, or configuration changes or to obtain government or regulatory approval to do so. If consent is given for reproduction in whole or in part, this notice and the notice set forth on each page of this document shall appear in any such reproduction in whole or in part. The information contained in this document may also be controlled by the US export control laws. Unauthorized export or re-export is prohibited. This presentation and the information herein are provided for information purposes only and are subject to change without notice. NO REPRESENTATION OR WARRANTY IS MADE OR IMPLIED AS TO ITS COMPLETENESS, ACCURACY, OR FITNESS FOR ANY PARTICULAR PURPOSE.

Page 3:

Clear Action Is Needed

• 64% of power leaders believe their security strategy is not aligned with today's risk environment (1)

• 31% of power leaders named security as one of the top concerns in the use of data and analytics (2)

• > 90% of power leaders say growth is only achieved through enhanced management of risk with strategic adoption of technology

The Stakes Are High

• 225K people lost power in Ukraine from a cyber attack (December 2015)

• $38B in damages incurred from the MyDoom virus: lost productivity, network downtime and compromised data

• $1MM per day fine for a NERC CIP v5 security compliance violation

(1) Source: Ernst & Young
(2) Source: Industrial Internet Report for 2015, GE and Accenture

Page 4:

Top Exposure Categories – 25 Global Power Sites – 2016 (source: GE Power Digital; chart not reproduced in this transcript)

“Cyber incidents are inevitable in today’s world. It’s our job to understand what is most important to the business and manage the risk. If an incident does happen, proper response is key in determining the level of impact it will have on your business.”

- Teresa Zielinski, CISO, GE Power

Note: DHS ICS-CERT responded to 295 incidents in 2015. 98% of these incidents could have been mitigated with basic security controls.

Page 5:

OSM and Security Controls

Page 6:

Monitoring & Diagnostics Services

• Monitoring & Diagnostics (M&D): data collection of unit controller operation, alarms and events through the use of an On-Site Monitor (OSM)

• Remote Services: advanced troubleshooting, break-fix, and root cause analysis of plant control systems through the use of a Remote Services Gateway (RSG) or an OSM

• Remote Tuning: site-specific configuration to optimize unit operation following outages, system changes, and seasonal conditions, performed through a Human Machine Interface (HMI)

Page 7:

Components and Security

Atlanta Data Highway (ADH): The ADH is a communications network installed to permit information exchange between GE, the OSM, and any related monitoring systems that do not reside within the control system networks. The ADH includes a gateway to reach the M&D central collection systems, either through the customer's communications infrastructure or through a GE-provided managed connection.

On-Site Monitor (OSM): The OSM is an inert monitoring system and does not influence the operation of the devices it communicates with. It is a functionally limited version of an HMI that performs read-only inquiry of the unit controller and runs a historian time-series database for data collection. The OSM connects to the UDH network through a firewall to interrogate the monitored devices, and it resides on the ADH network to collect data from other monitoring systems and to transfer data to GE. Note that "read-only" describes what the OSM software does; what enforces it toward the control network is the firewall between the OSM and the UDH, which should pass only the OSM's polling of the monitored devices.

Remote Services Gateway (RSG): The RSG is a technician workstation similar to the OSM and the HMI, with additional tools for detailed analysis of control system devices. An RSG installation can be connected to the PDH and UDH and segmented from the ADH by a GE LockBox firewall. Alternatively, the RSG may be integrated into the OSM as a single host, depending on the network infrastructure and the customer's needs. Because the RSG is used for troubleshooting and break-fix work, it is not inert in the way the OSM is; when the two are combined on one host, the firewall rules for that host have to be written for the RSG's wider access rather than for the OSM's read-only polling.

Page 8:

S3C and Cyber Security

To protect the control system network from an OSM request for data, each connection attempt must be interrogated at the Electronic Security Perimeter (ESP) by a fully secured Electronic Access Point. For M&D, the Support Segment Security Connector (S3C) serves this role. The S3C is a firewall that filters communications from the OSM into the control system security zone within the customer's ESP. Communications from the OSM are restricted to the monitored devices only and limited to the required communication types only.

GE Control System Communications: Your GE power electronics control system relies on two communications networks for management and control of your critical assets. The Plant Data Highway (PDH) is reserved for connections between your Human Machine Interface (HMI) and other control room or plant services control systems. The Unit Data Highway (UDH) is reserved for connections between the HMI and the critical-asset unit controllers, such as the Mark VI(e).
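The following Python is an added example, not GE's code and not a description of how the S3C or the LockBox is implemented. It models the access-point policy that pages 7 and 8 describe: only the OSM may open connections, only to the listed monitored controllers, only on the one service used for read-only polling, and everything else is denied. The zone addressing, the host addresses and the polling port are assumptions made for the illustration. The `lint` function checks any ruleset against those properties, so a loose "let the monitoring network talk to the controllers" rule is flagged while the hardened ruleset passes, and `evaluate` shows which constructed connection attempts each ruleset would let through.

```python
"""Model of an Electronic Access Point (EAP) policy for OSM traffic into the control network.
Added example, not GE code. Zone addressing, host addresses and the polling port are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple, Union

ANY = "any"
# Assumed addressing for the networks named on the page; anything else is the WAN side.
ZONES = {
    "UDH": ip_network("10.1.0.0/24"),   # Unit Data Highway: HMI <-> unit controllers
    "PDH": ip_network("10.2.0.0/24"),   # Plant Data Highway
    "ADH": ip_network("10.3.0.0/24"),   # Atlanta Data Highway: OSM and other monitors
}
OSM = "10.3.0.10"                                            # assumed OSM address
MONITORED = {"ctrl-A": "10.1.0.21", "ctrl-B": "10.1.0.22"}   # assumed controllers the OSM polls
POLL_PORT = 5001                                             # assumed TCP port of the read-only data service

@dataclass(frozen=True)
class Rule:
    src: str                # host address, zone name, "WAN" or "any"
    dst: str
    proto: str              # "tcp", "udp" or "any"
    dport: Union[int, str]  # port number or "any"
    action: str             # "allow" or "deny"

@dataclass(frozen=True)
class Flow:
    src: str                # the initiator of the connection attempt
    dst: str
    proto: str
    dport: int

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "WAN")

def _matches(selector: str, ip: str) -> bool:
    """Does a rule's src/dst selector match a concrete address?"""
    if selector == ANY:
        return True
    if selector == "WAN" or selector in ZONES:
        return zone_of(ip) == selector
    return ip_address(selector) == ip_address(ip)

def _covers(selector: str, zone: str) -> bool:
    """Could a selector match at least one address in the given zone?"""
    if selector == ANY:
        return True
    if selector == "WAN" or selector in ZONES:
        return selector == zone
    return zone_of(selector) == zone

def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; an EAP denies anything not explicitly allowed."""
    for r in rules:
        if (_matches(r.src, flow.src) and _matches(r.dst, flow.dst)
                and r.proto in (ANY, flow.proto) and r.dport in (ANY, flow.dport)):
            return r.action
    return "deny"

def lint(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Flag allow rules that break the S3C properties: only the OSM, only monitored devices,
    only the required service, and nothing initiated from the control network outward."""
    findings, monitored_ips = [], set(MONITORED.values())
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if _covers(r.dst, "UDH"):
            if r.src != OSM:
                findings.append((i, "SRC_NOT_OSM"))
            if r.dst not in monitored_ips:
                findings.append((i, "DST_NOT_MONITORED_HOST"))
            if r.proto == ANY or r.dport == ANY:
                findings.append((i, "SERVICE_NOT_LIMITED"))
        if _covers(r.src, "UDH") and (_covers(r.dst, "ADH") or _covers(r.dst, "WAN")):
            findings.append((i, "OUTBOUND_FROM_UDH"))
    return findings

# Weak ruleset: "let the monitoring network and the control network talk to each other".
WEAK = [Rule("ADH", "UDH", ANY, ANY, "allow"), Rule("UDH", "ADH", ANY, ANY, "allow")]

# Hardened ruleset: OSM-initiated, one rule per monitored device, one service, default deny.
HARDENED = [
    Rule(OSM, MONITORED["ctrl-A"], "tcp", POLL_PORT, "allow"),
    Rule(OSM, MONITORED["ctrl-B"], "tcp", POLL_PORT, "allow"),
    Rule(ANY, ANY, ANY, ANY, "deny"),
]

# Constructed connection attempts: the legitimate poll plus things that must not pass.
FLOWS = {
    "osm_polls_ctrl_A":        Flow(OSM, MONITORED["ctrl-A"], "tcp", POLL_PORT),
    "osm_polls_unlisted_ctrl": Flow(OSM, "10.1.0.23", "tcp", POLL_PORT),
    "osm_ssh_to_ctrl_A":       Flow(OSM, MONITORED["ctrl-A"], "tcp", 22),
    "other_adh_host_polls":    Flow("10.3.0.50", MONITORED["ctrl-A"], "tcp", POLL_PORT),
    "ctrl_A_calls_osm":        Flow(MONITORED["ctrl-A"], OSM, "tcp", POLL_PORT),
}

def decisions(rules: List[Rule]) -> dict:
    return {name: evaluate(rules, flow) for name, flow in FLOWS.items()}
```

Two points the model makes explicit. The OSM's read-only behaviour is enforced by the access point and not only by the OSM software, so the allow rules are keyed to the OSM host and to the specific service rather than to the ADH as a whole. And because nothing on the UDH needs to open a connection outward for M&D, a rule that would permit that is reported as a finding rather than treated as harmless. A real firewall adds connection state tracking, logging and protocol-aware inspection on top of this address-and-port allowlist.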

Page 9:

GE Cyber Portfolio and what problems we want to solve

Page 10:

Top 20 Critical Security Controls (Center for Internet Security)

85% by implementing the first five controls

Prioritize: Invest first in controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can feasibly be implemented in your computing environment.

Measure: Establish common metrics to provide a shared language for executives, IT/OT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization, so that required adjustments can be identified and implemented quickly.

Continuously monitor: Carry out continuous monitoring to test and validate the effectiveness of current security measures.

Automate: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurement of their adherence to the controls and related metrics.


Page 11:

GE Cyber Security Portfolio

Baseline Security Center (BSC)

A set of tools, configurations, and services focused on the reduction of cyber risk that follows the Center for Internet Security's 20 Critical Security Controls.

Risk management platform that provides security tools, configurations, and practices to reduce exposure to cyber risk. Unlike typical vendor products, Baseline Security Center is platform agnostic.

Patch Validation Program (PVP)

Functional validation platform to reduce likelihood of patch deployments compromising availability.

Patch validation program leveraging application container technology to automate validation and deployment for OT controls HMI hosts.

OpShield

A purpose-built IDS/IPS security solution configured to protect critical infrastructure, control systems and operational technology (OT) assets.

OpShield monitors and blocks malicious activity and reduces disruptions to enable highly available operations and secure productivity.

Managed Security Services

Strategic implementation of a log aggregation capability to populate an on-premise SIEM and remote security operations capabilities.

Remote monitoring and diagnostics of OT control environment security events. Activities are examined on network, ICS, and host environments; User and systems accounts are monitored for malicious or compromising events.

Security Assessment Services

A portfolio of professional services to assess cyber security risk and prioritize remediation action, as well as specialized NERC CIP and IEC 62443-2-4 compliance services.

GE security professionals perform hundreds of cyber vulnerability assessments globally. Specialists are highly qualified to perform both on-site and remote assessments.

Cyber Security Training

A comprehensive portfolio of security training courses for critical infrastructure and Industrial Control Systems (ICS) to increase staff knowledge and awareness.

Training content is developed and delivered by GE’s security experts, who regularly analyze and implement real-world security solutions at operating facilities.

Page 12:

Tiered Mapping to CIS Controls

BSC CIS heat map and maturity capability

• The CIS controls are listed in order of priority

• GE BSC is tiered to allow a prioritized focus on the controls

• More advanced tiers improve security posture and decrease exposure to risk

Page 13:

Edge to Cloud Security

Page 14:

Edge to Cloud Security: Defense in Depth

Asset Edge: smart sensors, sensors, actuators, programmable logic controllers (PLC), security controls, safety controls

Operational Edge: compute, applications, storage, analytics, control system logic, secure boot, host attestation

Secure Communication: software defined network (VPN), encrypted traffic, defined access control, security monitoring, leap host (edge proxy)

WAN (Wide Area Network)

Cloud: compute, storage, analytics, NOC, data encrypted at rest, user permission management/audit

Page 15:

APM Reference Architecture

• Secure Edge Platform: Secure Boot, Host/Cloud Attestation

• Encrypted Communications

• Access Controls on Electronic Security Perimeter (ESP)

• Control system secure by “design”

• Baseline Security Center – OT controls risk management

Page 16:

OO Reference Architecture

• Secure Edge Platform: Secure Boot, Host/Cloud Attestation

• Encrypted Communications

• Access Controls on Electronic Security Perimeter (ESP)

• Control system secure by “design”

• Baseline Security Center – OT controls risk management

Interfaces shown in the diagram: Web Services, Secure OPC UA, OT Protocols
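Pages 14, 15 and 16 list "Secure Boot" and "Host/Cloud Attestation" as the edge layer of the defense in depth without saying what the exchange looks like. The Python below is an added example, not GE's code and not a description of the Secure Edge Platform: a measured boot that folds each stage's hash into a register, and a challenge-response in which the cloud-side verifier sends a fresh nonce, the device returns a quote over its register value and the nonce, and the verifier checks the nonce, the device key and the register against the approved value. One simplification is labelled in the code: the quote is keyed with a symmetric key provisioned at manufacture (HMAC-SHA256), where a real TPM would sign it with an asymmetric attestation key. The images, keys and device identifiers are constructed for the example.

```python
"""Measured boot plus a nonce-based remote attestation exchange.
Added example, not GE code. Simplification: the device keys its quote with a symmetric
key provisioned at manufacture (HMAC-SHA256); a real TPM signs a quote with an asymmetric
attestation key, but the verifier-side checks (fresh nonce, key bound to the device,
register equal to the golden value) are the same. All sample data is constructed."""
import hashlib
import hmac
import secrets

BOOT_CHAIN = ("bootloader", "kernel", "control_app")   # each stage measures the next

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the register can only be moved forward, never set directly."""
    return hashlib.sha256(pcr + measurement).digest()

def measured_boot(images: dict) -> bytes:
    """Fold the hash of every boot stage, in order, into one register value."""
    pcr = bytes(32)
    for stage in BOOT_CHAIN:
        pcr = extend(pcr, hashlib.sha256(images[stage]).digest())
    return pcr

class EdgeDevice:
    """The attester: holds the provisioned key and the register from its last boot."""
    def __init__(self, device_id: str, attest_key: bytes, images: dict):
        self.device_id = device_id
        self._key = attest_key              # in practice held in a TPM or secure element
        self.pcr = measured_boot(images)

    def quote(self, nonce: bytes) -> dict:
        mac = hmac.new(self._key, self.pcr + nonce, "sha256").hexdigest()
        return {"device_id": self.device_id, "pcr": self.pcr.hex(),
                "nonce": nonce.hex(), "mac": mac}

class Verifier:
    """The relying party: knows each device's key and its approved (golden) register value."""
    def __init__(self, device_keys: dict, golden_pcrs: dict):
        self.device_keys = device_keys
        self.golden = golden_pcrs
        self._pending = {}                  # device_id -> nonce of the outstanding challenge

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, q: dict):
        dev = q["device_id"]
        nonce = self._pending.pop(dev, None)          # a nonce is usable exactly once
        if nonce is None or nonce.hex() != q["nonce"]:
            return False, "stale or unknown nonce"
        key = self.device_keys.get(dev)
        if key is None:
            return False, "unknown device"
        pcr = bytes.fromhex(q["pcr"])
        expected = hmac.new(key, pcr + nonce, "sha256").hexdigest()
        if not hmac.compare_digest(expected, q["mac"]):
            return False, "quote not produced with this device's key"
        if pcr != self.golden[dev]:
            return False, "PCR mismatch: boot chain differs from the approved images"
        return True, "attested"

# Constructed sample data: a known-good image set, a tampered one, and a provisioned key.
GOOD_IMAGES = {"bootloader": b"bootloader 1.2", "kernel": b"kernel 4.19", "control_app": b"control app 7.0"}
TAMPERED_IMAGES = dict(GOOD_IMAGES, control_app=b"control app 7.0 + implant")
DEVICE_KEY = b"provisioned-at-manufacture-example-key"

def run_scenarios() -> dict:
    """Return the verifier's verdict (ok, reason) for each scenario."""
    verifier = Verifier({"edge-01": DEVICE_KEY}, {"edge-01": measured_boot(GOOD_IMAGES)})
    results = {}

    good = EdgeDevice("edge-01", DEVICE_KEY, GOOD_IMAGES)
    first_quote = good.quote(verifier.challenge("edge-01"))
    results["good_boot"] = verifier.verify(first_quote)

    verifier.challenge("edge-01")                              # a fresh challenge is issued...
    results["replayed_quote"] = verifier.verify(first_quote)   # ...but the old quote is resubmitted

    tampered = EdgeDevice("edge-01", DEVICE_KEY, TAMPERED_IMAGES)
    results["tampered_app"] = verifier.verify(tampered.quote(verifier.challenge("edge-01")))

    forger = EdgeDevice("edge-01", b"guessed-key", GOOD_IMAGES)   # right register, wrong key
    results["forged_key"] = verifier.verify(forger.quote(verifier.challenge("edge-01")))
    return results

if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:16} {'PASS' if ok else 'FAIL'}  {why}")
```

The order of the checks matters: the nonce is tested first so a replayed quote is rejected before any key lookup, and the MAC before the register so that a party without the device key learns nothing about whether a guessed register value is the golden one. The weak point of the symmetric simplification is the key itself: anyone who extracts it from a compromised host can forge a clean quote, which is why the page pairs attestation with secure boot and why deployments keep the attestation key in a TPM or equivalent hardware rather than on disk.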