ICS-CERT-JWG, Idaho National Laboratory, October 7, 2014. By Michael Coden and Pete MacLeod. Copyright © 2014 NextNine Inc. and Accenture. All rights reserved.
Scalability of ICS Cyber Security
By:
Michael Coden, CISSP, Vice President, NextNine Inc.
Pete MacLeod, Senior Manager, Accenture
October 7, 2014
Idaho National Laboratory
Idaho Falls, ID, USA
Introductions
Michael Coden, CISSP, Vice President
• 30+ years experience in Cyber Security for Critical Infrastructure Systems
• Research Affiliate at MIT-(IC)3, the M.I.T. Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity
• Co-Architect of NextNine Secure Remote Site Cybersecurity Automation Suite
• Co-architect of Real Time Operating Systems used in Industrial Automation
• Contributor to ISA/IEC 62443-2-3 IACS Cyber Security Standard
• Received Letter of Appreciation from the White House for leadership on the NIST Cybersecurity Framework.
• BSEE, MIT; MSBA, Columbia University; MS Applied Math, Courant Institute of Mathematical Sciences, NYU.
Pete MacLeod, Senior Manager – ICS Security
• 30 Years experience in the Oil & Gas Industry
• Data Acquisition, horizontal drilling, production engineering & systems optimization
• Experience in United States, Canada, Gulf of Mexico and South America
• 15 Years Designing, Deploying and Commissioning field data capture, SCADA & DCS
• 7 Years Industrial Automation & Control Systems Security
• Contributor to ISA/IEC 62443-3-3 IACS Cyber Security standard
Presentation Goals, and Plan of Attack
We would like to provide an understanding of:
• Scalability of a security solution
• Control Systems Security Project team and Run & Maintain organization
• Reduce dependence upon rare, hard to develop skill sets
• Minimize the Zero Day window of vulnerability
• Reduce the mean time to respond & remediate incidents
We plan to illustrate significant time savings, security enhancements & cost reductions in implementing ICS cyber security.
How we are going to do it:
• Pete MacLeod will walk through a real live case study with actual results
• Michael Coden will illustrate how centralized OT Cybersecurity automation results in: improved cyber security, time savings, and cost savings
We hope to provide you with an understanding of:
• How to scale and leverage the limited skill sets
• How to quantify savings and start building reasonable budget estimates
• Control Systems Security Project team and Run & Maintain organization
Alignment to Cybersecurity Standards
• ISA – International Society of Automation: ISA/IEC 62443 Series (International, 2007 – Present)
• US-CERT: Vulnerability monitoring for industrial systems (US)
• NERC: Critical Infrastructure Protection (CIP) Standards (US)
• American Petroleum Institute: API 1164 Pipeline SCADA Security (US)
• NIST – US Department of Commerce: NIST 800-82 Guide to Industrial Control System Security (US, 2011)
• Consensus Audit Group – SANS 20 Critical Controls: SANS 20 Critical Security Controls v5.0 (US, 2014)
Case Study of Encana Corporation – A Mid-Size Oil and Gas Producer
ICS Cyber Security Case Study – Actual Example
Scope of Encana North American Operations Project:
30 Plants and Facilities with:
• 154 Servers, 490 Hosts, 2,500 WinCE Devices at L1 – L3 (excludes WinCE in L0)
• 1,800 Ethernet-enabled devices directly networked
• 60 Terminal Servers, 80+ media convertors
• 44 WAPs or Wireless Mesh (plus 18 unidentified & unsecured WAPs)
52 Fields across Colorado, Wyoming, Texas, BC, Louisiana, Michigan, Alberta, Nova Scotia with:
• 150+ Microwave backhaul wireless hops & 1000's of SCADA Radios
• 30,000+ Wellheads plus 100's of pipeline custody transfer meters
• Each Wellhead having 3-5 devices on average (~90,000 – 150,000 devices)
Identify what you have / Classify what you have:
Operations criticality
• Approximately 10% of all of the Servers, Hosts and devices were classed as critical to operations
Safety Rating
• Approximately 7% of the systems were classed as SIS level systems
Encana – 30 Plants & 52 Fields: We Examine a Typical Facility in Detail (1 of 5 Plants and 9 Fields in 1 of 6 Business Units)
Business Units: Fort Nelson BU, Deep Basin BU, Clearwater BU, North Rockies BU, South Rockies BU, Mid-Continent BU
Deep Basin BU – Property or Plant | SCADA | Plant DCS
Cutbank Ridge Plant #1A | XXXXXX | XXXXXXXXX
Cutbank Ridge Plant #1B | – | XXXXXXXXX
Cutbank Ridge Plant #1B Field | XXXXXX | –
Cutbank Ridge Plant #2 | CygNet | DeltaV
Kakwa | XXXXXX | –
Bissette | XXXXXX | –
Resthaven | XXXXXX | –
Sexsmith | XXXXXX | XXXXXXXXX
Carrot Creek | – | XXXXXXXXX
Cutbank | XXXXXX | –
Edson West | XXXXXX | –
Encana Cutbank Ridge Plant #2 – ICS Asset Inventory Included 19 Types of ICS Systems
Gear On Site, by Control System Site. Legend: XXXX = 50+ Devices; XXX = 10+ Devices; XX = 3-9 Devices; X = 1-2 Devices.
Columns: Primary WAN Link; Router; Switch; Wireless Radio Tx/Rx; IP-Serial Converter; Corp DC; Corp MP; Corp App Server; Printing; VoIP; Desktops; HMI's; Workstations; Engineering Stations; SCADA and End Control Device; UPS; SCADA Server; Port Server; Plant DCS Cluster; PI Data Collector; Space Constrained; Power Constrained.
Cutbank Ridge Plant #2 – 5 Mbps: XX XX XX XX X X XX XX XXX XX XX X XXXX X Cyg X DV X
Swan (A-33-I) – 6 Mbps: X X X X X X X X X
A-33-I Riser – 2 Mbps: X X X X X X
C-19-H – 3 Mbps: X X X X X X X XX X
B-29-H – 600 Kbps: X XX X X X X XX X
1310F – 100 Mbps: X X X X XX X X
1310G – 100 Mbps: X X XX X X
1310H – 100 Mbps: X X XX X X
C-5-G – 3 Mbps: X X X X X X XX X
B-38-I – 3 Mbps: X X X X X X XX X
D-29-A – 3 Mbps: X X X X X X XX X
A-100-B – 1 Mbps: X X X X X X X X X
D-27-B – 3 Mbps: X X X X X X XX X
A-85-G – 1 Mbps: X X X X XX X X X
Comparison of Manual vs. Automated Asset Inventory
Step 1 in Securing ICS Systems: Inventory – Know what you need to protect
Identify what you have
Plant Inventory and walk down
• Windows, Unix, & Linux: Servers & Hosts
• Embedded devices: Embedded Linux and Windows CE
• Ethernet enabled PLCs, RTUs, and devices
• Networking equipment
• IP – Serial Media Convertors
• WAPs, Wireless Meshes, etc.
Field Inventory and walk down
• All of the above plus:
• Wireless field communication gear (e.g. Microwave backhaul, PTP, PMP)
• Inventory of remote unmanned stations
Classify what you have
Operations criticality
• How critical is this equipment to the operations?
Safety Rating
• How critical is this equipment to the health and safety of the operations, employees, and nearby civilian locations?
Initial Walk-through and Inventory – Manual – Showed: Lack of, and need for, As-Built Documentation
Step 1: As built drawings for existing systems networks
• As built drawings were woefully inadequate
– Years out of date – representative of "as designed"
– 100's of systems/devices had been added but not documented.
• Develop As Built Drawings
– 2 Network Engineers 4 weeks in the Plant
– 2 Network Engineers 8 weeks in the associated fields
Step 2: Design secure network segmentation baseline
• Redesign a segmented network along the basic Purdue model
– Existing networks typically designed by operations and ICS vendors rather than skilled ICS network engineers
– Segment into zones and conduits based on ISA/IEC 62443
– Classify zones based on operational risk assessment
Step 3: Rebuild existing networks
• Rebuild the network
– Segment the network according to Purdue principles
– Minimize IP readdressing to eliminate operations impacts
– Work within operational work permitting process & procedures
Initial Walk-through and Inventory – Automated – Auto-Discovery of Assets, Auto-Creation of Database
Step 1: Before the initial walk-through
• An engineer installs a Virtual Security Engine (VSE) – time to install < 30 minutes
• The VSE is connected securely to a Central OT Security Center staffed with experts
• The VSE then auto-discovers and creates a database inventory of approximately 100 devices per hour (compared to a manual inventory of 1-2 devices per hour)
• The VSE discovers all devices connected to the network (no matter in what closet or drawer they are hidden).
Step 2: Walk-through with auto-discovered data, and laptop discovery of islands
• The engineer then does a walk-through to verify all auto-discovered devices
• Simultaneously, the engineer uses a utility installed on a secure laptop to inventory "islands" that are not connected to the network
• The engineer answers questions from the centralized security experts
• The engineer collects certain "manual only" data
• The laptop then uploads its data to the VSE
Step 3: Auto-creation of asset database
• The VSE securely uploads the complete inventory to a Security Center database in a regional or corporate headquarters data center
Step 4: Documentation
• The As-Built drawings are created from the Asset Inventory Database
Comparison of Manual vs. Auto Inventory Time and Costs (For 1 of 30 Plants)
Function | Manual Engineer Time | Automated Engineer Time | Manual Cost | Automated Cost
Install VSE Software | 0 | 30 minutes | – | ~$40,000
Discover Networked Devices | 24 weeks for ~8,000 devices | 80 hours for ~8,000 devices | $252,000 | $0
Verify Auto Discovery | included | 4 weeks | – | $42,000
Auto-Discover Islands | included | 1 week | – | $10,500
Enter Manual Information | included | 1 week | – | $10,500
Create As-Built Drawings | 2 weeks | 2 weeks | $14,000 | $14,000
Total Initial Inventory | 26 weeks | 8 weeks | $266,000 | $117,000
Elapsed Time | 10 weeks | 2 weeks | – | –
Ongoing Inventory Update | Not Done | ~1 hour/week | $266,000 | <$500/week
Modified Purdue Model:
- Greater Security
- Lower Cost
- Secure Remote Connectivity
- Cyber Expert Centralization
Basic Purdue Model – How Cyber Security needs vary by level
[Figure: Levels 0 through 5, with the IT share of requirements rising from 0% at Level 0 to 100% at Level 5 and the OT share falling from 100% to 0%; timing constraints at the lowest levels: SIS 0-15ms, Real Time 0 – 25ms, Near RT 25 – 50ms]
Typical Actual Purdue Model Implementation – A "Swiss Cheese" of Remote Access Exceptions
Limiting the Attack Surface While Implementing DiD – Centralization of OT Cyber Security Improves DiD
Design your baseline with Defence in Depth (DiD)
• Implement the Purdue model with level segmentation via firewall with routing controls
– Proper configuration and maintenance on Firewalls and ACLs
– Dropping the firewall and disabling ACLs is not an accepted solution to connectivity issues
• Build and commission a DMZ at level 3.5 for IT services, agents, patch management etc.
– Virtualization can help solve space and power constraints
– Virtualization requires proper design, configuration and tuning
– Connect the DMZ to the Central Security Operations Center via secure tunnel
– All communication with the remote site should go through a single, well defended tunnel.
DiD Issues
• Scaling for large companies
– Centralized security experts
– Centralized patch management and AV consolidation – by vendor, product, model, version
– Remote distribution of patches and signature files to plant and field site DMZ servers
– Remote monitoring for Intrusion Detection, Event Detection
• Scaling for small companies
– Shared resources for effective use of limited skill sets
– Cross training operations staff, IT staff, and contractors
Manage Connectivity from Remote Site to Central Site Properly – Single Firewall Rule = The Most Security & Easiest to Manage
A Single, Carefully Protected, Outbound-Only, Remote Connection Provides Complete Security, with the Advantages of Centralized Experts & Scalability
A Single Firewall Rule: One-Port, Outbound Only – Mutual Two-Factor M2M Authentication
Virtual Security Engines:
– Use one port, outbound only.
– All remote connectivity is through this single outbound-only connection.
– FIPS 140-2 Compliant & TLS Encrypted.
– Data is compressed, encapsulated, encrypted.
– No possibility of VPN bleed, or fake connections.
– A secure multipurpose tunnel to remote sites.
[Figure: Remote Site A, Remote Site B and Remote Site C each connect outbound to the Secure Center; both ends of every connection authenticate with two factors: a Certificate ("Something I know") and a Finger Print ("Something I AM")]
Secure Remote Access – Site Engineers Have Control – Cyber Security Experts are "Virtually On-Site" in Seconds
"Virtual Security Engineers:"
– With Remote Access, view what your remote site is seeing on their system
– Remote Site controls granting of access
– An invaluable training aid
[Figure: Remote Site A, Remote Site B and Remote Site C connected to the Secure Center; the end-customer approves remote access through the VSE Interface]
Adapted Purdue Model – Single Port for All Remote Access
[Figure: Virtual Security Engine = Single Protected Entry Point]
Minimizing Attack Surfaces – Manual – Turn off and remove all unused ports and services
Network Equipment Capabilities
• Remove any unnecessary firewall rules
• Close all unnecessary ports
Systems Services
• Windows Hosts Services
• UNIX & Linux Daemons
• Application Services Requirements
Baseline Imaging
• Windows Image: Default Services → Approved Services → ICS Secured Image
Minimize your Zero-Day Footprint
• Turn off all unused ports
• Remove all unused Windows, Linux, and UNIX services
• Minimize your footprint / attack-surface, while meeting your system requirements
Zero-Day footprint is a measure of the services running or the potential exposure.
• Minimize your exposure duration of the existing footprint – this requires continuous review of all systems for new open ports, and new services running
Vulnerability exposure duration is a measure of the time between a patch release and its install.
Minimizing Attack Surfaces – Centrally Automated – Ports and Services in use are monitored daily
System Services Baseline Imaging
• Virtual Security Engine scans all ports and services in use – reporting to central Cyber Security experts
• Central Cyber Security Experts create Whitelists and Blacklists
• Central Cyber Security Experts use VSE to remotely close ports and remove services on hosts
• Similar centralized / automated actions close ports and remove unnecessary rules on network equipment
Minimize your Zero-Day Footprint
• Continuously monitoring your footprint / attack-surface while meeting your system requirements
• Vulnerability exposure duration is reduced by weeks or months, with no on-site manual intervention
VSE scans all assets and network equipment daily:
• Scan Open Ports – Verify against Whitelist & Blacklist
• Scan Windows Services – Verify against Whitelist & Blacklist
• Collect Event Logs & Syslogs – Input to SIEM Analysis Tool
• Analyze for Anomalies – Services Use, SIEM Output, Ports Use
• Access Equipment to Investigate Anomalies
Protecting ICS from New Attacks – Manually – Installing Patches and Anti-Virus Updates
Virtualization Design & Tuning for Industrial Control Systems
• Virtualization engines need to be tuned for AV scans
• Appropriate hardware resource allocation to Real Time processing
• Remote storage increases latency for store and recall as well as AV scans
Operational Awareness of OS and Product Patch Management
• Deliver to site only patches qualified by vendors – available for installation
• Installation of patches and AV must be tied into operations work permitting system
• Make sure to install only patches qualified for a product & version
ICS Antivirus Baseline
• Vendor Anti Virus Directory Exclusions listing
• Install only AV updates approved by vendor for each product
• AV Scheduling
• Avoid batch processing and bulk data extractions
Patch and A/V Management is a Continuous Process – "A Lifestyle"
• Take advantage of existing work permitting systems
• OS and Product patches should be installed as soon as possible
• You are in a race: Will you install the patch before the vulnerability is attacked?
Dynamics of Threats and Resilience
[Figure: System dynamics model with the stocks "Systems Not at Risk", "Systems At Risk" and "Affected Systems", linked by the flows Risk Promotion, Risk Reduction, Attack Onset and Recovery; the loops are labelled Adverse Behaviors & Management, Risk Management and Threat Management; Real-World Implications: Financial, Data, Integrity, Reputation]
How did breaches (threats) occur? *
• 64% resulted from hacking
• 38% utilized Malware
• 67% were aided by significant errors (of the victim)
How are security and threat processes (resilience) managed? *
• Over 80% of the breaches had patches available for more than 1 year
• 75% of cases go undiscovered or uncontained for weeks or months
* Verizon Data Breach Report
Note: System Dynamics Modeling cybersecurity research and breach research courtesy of MIT-(IC)3, the MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity – http://ic3.mit.edu
Protecting ICS from New Attacks – Centrally Automated – Centralized Synchronization of Patches and Anti-Virus Updates
[Figure: Central Security Center in a DMZ (Application Server, Comm Server, Real-Time Database Server, Windows WSUS Server, McAfee ePO Server, Symantec SEP Server) with a Full Web UI for Internal Users and, via the Internet, for External Users (Partner / SI / OEM, Field Service) and Your Product Patch Server; each Remote Site runs a Virtual Security Engine™ that synchronizes WSUS, ePO and SEP updates to its Devices, Systems, Applications and Network & Security Devices]
Securely Backup and Restore Critical Files: Multiple Sites with Automated Verification
[Figure: Houston Central Security Center in a DMZ (Application Server, Comm Server, Real-Time Database Server) with a Full Web UI for Internal Users and, via the Internet, for External Users (Partner / SI / OEM, Field Service); remote sites in Nigeria, California, Amsterdam and Qatar each run a Virtual Security Engine™ with Local Personnel, covering Devices, Systems, Applications and Network & Security Devices; backups go to Backup Location #1 and Backup Location #2, each with Auto-Verify of Backups]
One Critical Thing Missing From the Manual Budget – Run and Maintain – People, Processes, Technology, COST
One critical thing is missing! Run & Maintain: OS patch levels, firewalls, network drawings, inventories, remote access, application patch levels, HW & device firmware versions, code vaults, password maintenance, backups, restores, emergency remediation ….
Hybrid skill sets developed through the project
Issue 1: Important to update Asset Inventory daily or weekly – looking for rogue devices, ports, services and configuration changes.
Issue 2: Important to continuously patch OS, Applications, AV – and to enforce this policy.
Issue 3: Make backups, verify backups, test restores.
Issue 4: Have a secure remote access capability for Cyber Security experts to "be virtually on-site" in seconds. We are in a race against attackers.
Issue 5: Centralize OT Security – The only scalable & cost effective approach.
Compliance and Enforcement of Cyber Security Policies
Site Compliance Report – Secure Remote Site 1 – September 30, 2014
Host | Criticality | Type | IP Address | Unique ID | Compliance: OS | AV | Log | Complt. | RMP | Ports | Services
WIN2003 | Critical | Connected | 192.168.200.21 | 911101-D931818F-9752-43D9-9BD2-9B60 | False | False | False | True | False | True | False
WIN2008 | Critical | Connected | 192.168.200.22 | 911101-4B306D51-F7A1-41EE-9EAC-614C | True | False | False | True | False | True | False
WIN7 | Essential | Connected | 192.168.200.23 | 911101-AB0500F9-817D-4468-943A-7CF0 | False | False | False | True | False | True | False
WINXP | Necessary | Connected | 192.168.200.24 | 911101-F32D9FEB-E86D-4062-BC6E-B8FD | True | False | False | True | False | True | False
Reports are used:
1. By management, on a daily basis, to ensure that assets are hardened up to date, and to enforce compliance with company security policies.
2. To provide auditors with a complete picture of the latest cyber security status.
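The daily whitelist/blacklist check of open ports and services described under "Minimizing Attack Surfaces – Centrally Automated", and the OS, Ports and Services columns of the site compliance report above, as an added Python example that is not NextNine's code and does not use the VSE's record format: it classifies each host's scan result against a constructed per-role whitelist and a global blacklist, computes the vulnerability exposure duration defined earlier (days from patch release to install), and fills one report row per host. The host names, roles, port and service lists, dates and the 30-day exposure limit are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

# Constructed policy: in practice the central OT security experts maintain these per plant.
PORT_WHITELIST = {
    "scada_server": frozenset({502, 443, 3389}),   # Modbus/TCP, HTTPS, RDP
    "hmi": frozenset({3389}),
}
PORT_BLACKLIST = frozenset({23, 135, 139, 445})    # Telnet, RPC, NetBIOS, SMB: never on an ICS host
SERVICE_WHITELIST = {
    "scada_server": frozenset({"EventLog", "ScadaHistorian", "TermService"}),
    "hmi": frozenset({"EventLog", "TermService"}),
}
SERVICE_BLACKLIST = frozenset({"RemoteRegistry", "TlntSvr", "Spooler"})


@dataclass(frozen=True)
class HostScan:
    """One host as reported by a daily scan (constructed fields, not a VSE record format)."""
    host: str
    role: str
    criticality: str                 # Critical / Essential / Necessary, as in the report
    open_ports: FrozenSet[int]
    services: FrozenSet[str]
    patch_released: date             # release date of the newest vendor-qualified patch
    patch_installed: Optional[date]  # None: not yet installed on this host


def port_findings(scan: HostScan) -> dict:
    """Open ports outside the role whitelist, split into blacklisted and merely unexpected."""
    unexpected = scan.open_ports - PORT_WHITELIST.get(scan.role, frozenset())
    return {"blacklisted": unexpected & PORT_BLACKLIST,
            "unexpected": unexpected - PORT_BLACKLIST}


def service_findings(scan: HostScan) -> dict:
    """Running services outside the role whitelist, split the same way."""
    unexpected = scan.services - SERVICE_WHITELIST.get(scan.role, frozenset())
    return {"blacklisted": unexpected & SERVICE_BLACKLIST,
            "unexpected": unexpected - SERVICE_BLACKLIST}


def exposure_days(scan: HostScan, today: date) -> int:
    """Vulnerability exposure duration: days from patch release to install, or to today if pending."""
    end = scan.patch_installed or today
    return max(0, (end - scan.patch_released).days)


def compliance_row(scan: HostScan, today: date, max_exposure_days: int = 30) -> dict:
    """One row of the site compliance report; True in a column means the host meets policy."""
    ports, services = port_findings(scan), service_findings(scan)
    return {
        "host": scan.host,
        "criticality": scan.criticality,
        "OS": scan.patch_installed is not None and exposure_days(scan, today) <= max_exposure_days,
        "Ports": not (ports["blacklisted"] or ports["unexpected"]),
        "Services": not (services["blacklisted"] or services["unexpected"]),
        "exposure_days": exposure_days(scan, today),
        "port_findings": sorted(ports["blacklisted"] | ports["unexpected"]),
        "service_findings": sorted(services["blacklisted"] | services["unexpected"]),
    }


def site_report(scans: List[HostScan], today: date) -> List[dict]:
    return [compliance_row(scan, today) for scan in scans]


def hosts_to_investigate(scans: List[HostScan], today: date) -> List[str]:
    """Hosts failing any column, most critical first, for the central experts to look at."""
    rank = {"Critical": 0, "Essential": 1, "Necessary": 2}
    failing = [r for r in site_report(scans, today)
               if not (r["OS"] and r["Ports"] and r["Services"])]
    return [r["host"] for r in sorted(failing, key=lambda r: rank.get(r["criticality"], 3))]


# Constructed scan results for three hosts at one remote site (not Encana data).
REPORT_DATE = date(2014, 9, 30)
SAMPLE_SCANS = [
    HostScan("HIST-01", "scada_server", "Critical", frozenset({502, 443, 3389, 445}),
             frozenset({"EventLog", "ScadaHistorian", "TermService", "RemoteRegistry"}),
             date(2014, 8, 12), None),                 # SMB open, RemoteRegistry on, unpatched
    HostScan("HMI-02", "hmi", "Essential", frozenset({3389, 8080}),
             frozenset({"EventLog", "TermService"}), date(2014, 9, 9), date(2014, 9, 25)),
    HostScan("SRV-03", "scada_server", "Critical", frozenset({502, 443}),
             frozenset({"EventLog", "ScadaHistorian"}), date(2014, 8, 12), date(2014, 8, 20)),
]

if __name__ == "__main__":
    for row in site_report(SAMPLE_SCANS, REPORT_DATE):
        print(row)
    print("investigate first:", hosts_to_investigate(SAMPLE_SCANS, REPORT_DATE))
```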
Instant App Delivery from Central Experts – Heartbleed Scanner was delivered in 48 hours
• GUI based App Development Environment
• Develop new Apps in a few hours
• Distribute Apps to all VSEs
• No recompile or reboot of VSE is required
• App is used immediately
We are already working on a Shellshock scanner now!
[Figure: Central Security Center in a DMZ (Application Server, Comm Server, Real-Time Database Server) with a Full Web UI for Internal Users and, via the Internet, for External Users (Partner / SI / OEM); Remote Site/s each with a Virtual Security Engine™ covering Network & Security Devices and Devices, Systems, Applications]
Case Study – Cost Comparison – Mid-Size Oil and Gas – Initial Installation
Initial Installation Costs to Secure 30 Plants and 52 Fields
Item | Automated** with NextNine Software & Accenture Services | Manual
Project Network Engineers – CCNA (Security/Router & Switch): As Built diagrams, redesign, VLAN segment, DiD, Firewalls – 30 Plants and 52 Fields | $3,500,000 | $5,000,000
Project OS Specialists – MCSE (Desktop/Server): Reimage all systems to baseline, patch, software & firmware – 154 servers, 490 hosts | $2,500,000 | $3,000,000
Project Automation Technicians & OS Specialist (Windows CE): Remediate embedded systems "Windows CE" – 30,000 wellheads @ 4-12 Wells / day | $4,000,000 | $10,000,000
Direct Security Project Estimate | $10,000,000 | $18,000,000
Indirect Operations Costs: Operators & Electricians, Systems & Maintenance Engineers | $4,000,000 | $10,000,000
Total Cost | $14,000,000 | $28,000,000
**Note: The Automated costs include installation of a complete Automated – Centralized Run & Maintain OT Security System
Case Study – Cost Comparison – Mid-Size Oil and Gas – Annual Run and Maintain Budget / Costs
Annual Run & Maintain Costs to Keep 30 Plants and 52 Fields Secure
Manual Run and Maintain Program (Manual column; Automated column: N/A):
• Inventory – 1/3 of plants each Year
• Patching, Ports & Services Scanning – once per Quarter
• Compliance Reports & Backups – once per Quarter
• Annual Software Cost: $100,000
• Annual Labor Cost: $3,000,000
• Total Cost: $3,100,000
Automated** – Centralized Run and Maintain Program with NextNine Software & Accenture Services (Automated column; Manual column: Prohibitively Expensive & Impractical to Implement):
• Inventory of all plants – daily or weekly
• Patching, Ports & Services Scanning – Daily
• Compliance Reports & Backups – Daily
• Annual Software Cost: $1,000,000
• Annual Labor Cost: $1,500,000
• Total Cost: $2,500,000
**Increased Cyber Security – Lower Annual Cost – Fewer personnel
Acknowledgements
• The authors would like to acknowledge the important contributions and gracious support of the following organizations in providing the data, research, and resources to produce this analysis and report:
– Encana Corporation
• For graciously permitting us to use their actual data. In particular we would like to thank Mr. Steve Biswanger, without whose help this analysis could not have been done.
• http://www.encana.com
– NextNine
• http://www.nextnine.com
– Accenture
• http://www.accenture.com
– Massachusetts Institute of Technology (IC)3
• MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity
• http://ic3.mit.edu
Feedback & Brainstorm
Thank you
Michael Coden, NextNine
Pete MacLeod, Accenture
Email us for a copy of the presentation!