Security Measures Industrial Hackers Hope You Ignore
- Julia Bryan
- 8 years ago
Transcription
usa.siemens.com/oil-gas

An overview for oil and gas industry executives on assessing and mitigating industrial network security risks

White Paper

Executive Summary

Oil and gas industry executives must stay informed of cyber security threats for two reasons: (1) the energy sector is by far hackers' #1 target, says the U.S. Department of Homeland Security; and (2) a cyber attack on their own facilities can potentially have serious impacts on operations and profitability as well as grave consequences for the life safety of personnel and nearby communities. This paper provides an executive-level briefing of today's top cyber threats, plus an overview of a layered defense-in-depth strategy, an industry best practice.

Authors

Marc Ayala, Senior Technical Advisor, Cimation
Jeff Jensen, Application Engineer, Siemens Industry, Inc.
The U.S. oil and gas industry: the No. 1 industrial target for hackers

Among phrases sure to catch the attention of most all oil and gas executives are enhanced asset utilization, production optimization, accelerated resource recovery and capital efficiency. Keep these moving in the right direction and greater profitability and market capitalization will surely grow.

But one phrase that might escape their concern could well endanger these others: network security. In fact, executives could be doing a grave disservice to their shareholders and their own fortunes, if they choose to ignore this threat or to delegate their understanding of how it can undermine the safety of people, production and property that are at the core of a thriving oil and gas enterprise. To help, this paper aims to give them the knowledge they need to evaluate the nature of this risk and to ask informed questions about their companies' defenses against it.

How much of an industry threat is network security? Consider this: Of the top 16 security targets designated as critical by the U.S. Department of Homeland Security, cyber attacks on the energy sector in 2013 were 59% of 256 total attacks deemed serious enough for its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to investigate. [2] That was three times the number of attacks on critical manufacturing facilities, the runner-up, and 30 times the number of attacks on government facilities.

And how frequent are those attacks? With hackers automating their network assaults, one can occur every few minutes until a penetration occurs. During a recent session on network security led by a Siemens expert, he prefaced his presentation by opening a new, working web server connected to the Internet with its Modbus TCP/IP port 502 exposed. At the end of his remarks, he checked the web server's security monitoring software and found 35 attacks had occurred from all over the world, all in just one hour.
In the pages that follow, we offer more detail about the three key points about network security that every oil and gas industry executive needs to know:

- How industrial network security differs from that of enterprise IT networks;
- What kinds of vulnerabilities industrial networks have and hackers use to penetrate them;
- How to lower risks with a vulnerability assessment and layered defense-in-depth strategy.

Industrial network vs. enterprise network security

IT professionals have plenty to worry about in defending against cyber attacks on their companies' enterprise networks. These are what connect people with each other, via e-mail, web collaboration tools and even voice communications, and also with information, via various company databases, customer relationship management (CRM) tools and so forth. After all, malware, data theft and corrupted data or devices can disrupt user productivity and even a company's transactional capabilities. But no one is ever injured or worse.

This is one of the biggest differences between enterprise network security and industrial network security. If a hacker, whether a deliberate saboteur or a teenage malcontent, penetrates an industrial network and disrupts critical processes or controls, especially automated life safety protections, someone could get seriously or even mortally hurt.

That's why the U.S. Department of Homeland Security set up the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to reduce risks associated with control systems-related incidents and mitigation measures. Both Siemens and Cimation are tuned into ICS-CERT proceedings and the activities of its many private-sector committees, especially the Oil and Natural Gas Committee, comprising all related industry associations of the U.S. and Canada.

Today's industrial network realities
Aside from the critical life-safety security distinction of industrial networks, they differ from non-industrial enterprise networks in many other ways, too, as Table 1 below summarizes.

First, industrial control systems (ICSs), which include supervisory control and data acquisition (SCADA) systems, are by definition connected to networks. These ICS and SCADA networks are often linked to enterprise networks, which have external-facing vulnerabilities that can open doors for hackers. Wireless SCADA systems, often operating from remote locations using public IP addresses, are also vulnerable to attack, accessible via their wireless media, including cellular, 900MHz radio, satellite and microwave.

[2] ICS-CERT_Monitor_Oct-Dec2013.pdf, available at ics-cert.us-cert.gov/
Table 1. Enterprise IT networks vs. industrial IT networks: security issues compared

| Category | Information Technology System | Industrial Control System |
|---|---|---|
| Risk Management Requirements | Data confidentiality and integrity is paramount | Human safety is paramount, followed by protection of the process |
| Time-critical interaction | Less critical emergency interaction | Response to human and other emergency interaction is critical |
| Communications | Standard communication protocols | Many proprietary and standard communication protocols |
| Managed support | Allow for diversified support styles | Service support is usually via a single vendor |
| Component lifetime | Lifetime on the order of 3-5 years | Lifetime on the order of years |
| Access to components | Components are usually local and easy to access | Components can be isolated, remote, and require extensive physical effort to gain access |

Source: NIST, Guide to Industrial Control Systems (ICS) Security

Industrial networks must often operate 24x7, in real- or near-real time and require 99.9% uptime or better (99.99 or % in the case of public communication networks). In contrast, enterprise IT networks typically must operate on a best-effort basis (so a break in one part of the network forces routers to send data packets down alternate paths) and be available during business hours. Point is, the disruption risks of a security breach in an ICS or SCADA network can be much greater than for an enterprise IT network.

Technical vulnerabilities of industrial networks

In the past 20 years, industrial automation and control systems have become more vulnerable to cyber security intrusions for many reasons, but primary among them are:

- The increasing mobility of workers, which has created greater demands for 24x7 remote network access for engineering, operations and technical support personnel, sometimes leading to less secure network connections and security practices.
- Growing use and integration of commercial and open source technologies, such as Windows and Linux operating systems, SQL databases and Ethernet protocols, all of which can be exploited by hackers to open back doors for the same malware (e.g., viruses, worms and trojans) that can infect enterprise IT systems.
- Proliferation of how-to documentation and actual code on the Internet, which has lowered the bar for the technical competencies needed to hack industrial control systems.
- Integration of a company's legacy plant systems with its enterprise systems by interconnecting industrial and corporate networks and external third parties via the public Internet. Not only does external connectivity create vulnerabilities, but the integration also introduces ambiguity within companies as to which group (enterprise IT or process engineering) owns responsibility for overall cyber security.

Another set of security issues with industrial networks involves their evolution from early patchworks of electrical relays or antiquated microprocessor controllers and manually monitored indicator lights, trips and breakers. While those legacy systems might work well enough to operate relatively simple processes even today, they likely lack proper security controls.

Nonetheless, they may well be connected to modern distributed control systems (DCSs) that feature the latest programmable logic controllers (PLCs), which are micro-computers using Windows or Linux and are connected over industrial Ethernet to human-machine interfaces (HMIs). In turn, these HMIs are often accessible anywhere in the world via PCs or touchscreen tablets and smartphones by legitimate DCS operators or by hackers exploiting the vulnerabilities in the connections between old and new systems.
With modern ICS, SCADA and DCS networks, infiltrations can occur, as shown in Illustration 1, from any of three sources:

- Top-down from the corporate and data zones (#4, #3 and #2);
- Bottom-up from the field and safety/control zones (#0 and #1); and
- Sideways from external sources, either via the Internet, remote operations and facilities or remote business partners and vendors.
Illustration 1. Three sources of security vulnerabilities across enterprise networks, including control systems. (Image courtesy of Cimation.) [Figure labels: TOP DOWN, EXTERNAL, BOTTOMS UP, FIELD EQUIPMENT]

How to lower security risks in industrial networks via defense-in-depth

Companies can find plenty of information to help guide their efforts to harden and secure their industrial control systems. Three internationally recognized ICS security standards, which can provide excellent starting points and guidance, are:

- IEC / ISA99
- NIST
- NERC-CIP

These standards boil down to three steps: a current state assessment; hardening the environment, both physical and logical; and ongoing vigilance. They incorporate what's known in security circles as the defense-in-depth model. This involves dividing a security deployment strategy into layers, with the most critical systems protected by multiple levels of security.

An industrial network's borders should correspond to its physical borders, which should require secure access.

Assessment. Every security risk mitigation effort for an industrial control system must start by evaluating the current state of its security. Here are some questions to consider:
- Do a network's borders correspond to its physical borders? They should. For example, if a SCADA server and its software is locked down to prevent tampering with its configurations and data, is the server itself securely located to prevent unauthorized access to its network ports, removable media drives, keyboard and mouse? In other words, all network elements should be located in locked, physically secured areas.

- Where are the network's security zones and conduits? An industrial control system should have distinct functional zones (as shown in Illustration 1) that separate the field device control layer from the SCADA remote monitoring layer. In turn, these should be separated from the DCS control layer and, more importantly, separated from any layer of safety-critical systems. Finally, the DCS and safety-critical system layers must be separated from the enterprise IT layer. All those layers should communicate with each other only via carefully prescribed and secure conduit connections. And all those layers need to be separated from all external connections, each of which should also be carefully prescribed and secured.

- What and where is each connection within the industrial control network? This step helps identify what's known as the network attack interface. Look for internal local area network (LAN) connections and wide area network (WAN) connections; remote connections with distant sensors and operating facilities; internal wireless connections, including Internet connections; modem or dial-up connections (yes, they do still exist); and external connections to third parties, such as business partners, vendors and regulatory agencies. All connections should be catalogued in detail and their current security measures noted, especially their firewall protection and update status.

- What devices and software applications are connected, and what are their functions? This step helps identify what's known as the software attack interface.
Similar to the step above, all hardware devices (HMIs, PCs, servers, wireless access points, phones, even printers and video surveillance cameras) must be catalogued along with all their operating system versions, software applications and the port numbers that each device uses to communicate. All current security measures should be noted as well as their status regarding updates and patches.

- Who is in charge of securing the industrial control network? In many companies, this might not be clear, yet it's critically important. ICS, SCADA, DCS and safety systems typically evolved with industrial and process engineering teams in charge. During those years, enterprise IT teams had their hands full with rationalizing the corporate IT landscape. That's left a large gray area of unclear responsibilities and sometimes adversarial relationships between the two groups. It can be a classic human story of in-fighting going on while the barbarians are tearing down the city gates. Executives, especially CEOs, CIOs and CISOs (chief information security officers), need to recognize this phenomenon and put one qualified company person or team in charge of securing the industrial control system, in concert with enterprise IT and plant or production management. This person or these individuals should have clear cyber security roles, responsibilities and authority to formulate and enforce well-defined security governance policies for managers, system administrators and end-users.

- How vulnerable are the network and software attack fabrics? After identifying all the elements subject to cyber attack, the next step is to conduct penetration testing, to determine each one's vulnerability. This can be a time-consuming, tedious task for large systems comprising hundreds of connections and components or more, but it's needed to fully assess the strengths and weaknesses of ICS, SCADA, DCS and safety networks, which are only as strong as their weakest component.
IMPORTANT NOTE: Due to the nature of these critical, real-time production systems, it's vitally important that any penetration testing be conducted in a lab environment and not on the production system itself. With extreme care, caution and coordination, production, operations and process safety management will need to conduct a risk analysis and develop contingency plans with executive management sign-off before doing any penetration testing or modification of a live control system. Failure to do so could have grave consequences not only for the personnel and property of a plant or production site, but also for the people and property in surrounding communities. This is why any third parties selected to help with ICS, SCADA, DCS and safety system security testing or modification must be exceptionally well-qualified and experienced in the engineering and workings of your system(s).
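The assessment questions above on zones, conduits and cataloguing every connection can be checked offline against the catalogue itself, without touching the production system. The following is an added example, not part of the white paper: the zone labels, the conduit policy, the port numbers and the inventory entries are all assumptions constructed for illustration, with zone numbers following Illustration 1.

```python
"""Audit a catalogued connection inventory against a zone/conduit policy."""
from dataclasses import dataclass

EXTERNAL = "EXT"

# Zone numbers follow Illustration 1; the labels are assumptions for this example.
ZONES = {
    0: "field equipment",
    1: "safety/control",
    2: "data (supervisory)",
    3: "data (operations)",
    4: "corporate",
    EXTERNAL: "external",
}

# Hypothetical conduit policy: (source zone, destination zone) -> allowed ports.
# Any zone pair not listed here has no approved conduit.
CONDUITS = {
    (1, 0): {502},         # controllers poll field devices over Modbus TCP
    (2, 1): {502, 4840},   # SCADA/HMI to controllers (Modbus TCP, OPC UA)
    (3, 2): {1433},        # historian reads the supervisory SQL database
    (4, 3): {443},         # corporate users read reports over HTTPS
    (EXTERNAL, 4): {443},  # vendors and partners terminate in the corporate zone
}


@dataclass(frozen=True)
class Connection:
    name: str
    src_zone: object   # int zone number or EXTERNAL
    dst_zone: object
    dst_port: int
    firewalled: bool   # is a firewall recorded for this connection?


def audit(conn):
    """Return a list of findings for one catalogued connection."""
    if conn.src_zone not in ZONES or conn.dst_zone not in ZONES:
        return ["unknown zone: catalogue entry is incomplete"]
    if conn.src_zone == conn.dst_zone:
        return []  # intra-zone traffic does not cross a conduit
    findings = []
    allowed = CONDUITS.get((conn.src_zone, conn.dst_zone))
    if allowed is None:
        findings.append("no conduit defined between these zones")
    elif conn.dst_port not in allowed:
        findings.append(f"port {conn.dst_port} not permitted on this conduit")
    if conn.src_zone == EXTERNAL and conn.dst_zone != 4:
        findings.append("external connection bypasses the corporate zone")
    if conn.dst_zone in (0, 1) and conn.src_zone in (3, 4, EXTERNAL):
        findings.append("field or safety/control zone reachable from an upper or external zone")
    if not conn.firewalled:
        findings.append("no firewall recorded")
    return findings


def report(inventory):
    """Return (name, findings) for every connection with findings.

    Connections that terminate in the field or safety/control zones come
    first, because a breach there carries life-safety consequences.
    """
    flagged = [(c, audit(c)) for c in inventory]
    flagged = [(c, f) for c, f in flagged if f]
    flagged.sort(key=lambda item: (item[0].dst_zone not in (0, 1), item[0].name))
    return [(c.name, f) for c, f in flagged]


# Constructed sample inventory (not real data).
INVENTORY = [
    Connection("PLC-7 polls wellhead RTU", 1, 0, 502, True),
    Connection("HMI to PLC-7", 2, 1, 502, True),
    Connection("Vendor modem to PLC-7", EXTERNAL, 1, 502, False),
    Connection("ERP report pull", 4, 3, 443, True),
    Connection("Engineering laptop RDP to HMI", 4, 2, 3389, True),
    Connection("Historian to SCADA DB", 3, 2, 1521, True),
]

if __name__ == "__main__":
    for name, findings in report(INVENTORY):
        print(name)
        for finding in findings:
            print("  -", finding)
```

The flagged entries become input to the hardening punch list; the policy table is the place to record each approved conduit as it is documented.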
Hardening. A thorough assessment will reveal all existing and potential security holes and everything that needs strengthening. In effect, the list of all a system's security shortcomings will become its punch list for action. Depending on how long that list is, prioritization may be needed to close the worst vulnerabilities. Assigning Security Access Levels (SALs) to each element (see sidebar) can help with prioritization.

Sidebar: Security Assurance Levels (SAL) are defined in the IEC 62443b/ ISA-99 standards as follows:

- SAL 1: Protection against casual or coincidental violation.
- SAL 2: Protection against intentional violation using simple means.
- SAL 3: Protection against intentional violation using sophisticated means.
- SAL 4: Protection against intentional violation using sophisticated means with extended resources.

Next steps in this stage would include:

- Remove, disable or disconnect anything not needed. An assessment will probably uncover a lot of elements that were never needed but were installed as part of a bigger installation or became unnecessary over time. If any unnecessary connections are found, disconnect them. If any unnecessary software applications or default network services are found, remove or disable them.

- Establish a security strategy based on a layered defense-in-depth model. After the previous step, what's left needs protection. Ensure physical and logical security coincide, with strict access privileges for all users, providing access only to what they need to do their jobs. Logs should be kept for all accesses and video surveillance placed on the locked-down physical confines of network elements (HMIs, servers, routers, switches and so on). All firewalls should be up-to-date. Full security features should be turned on in all hardware devices, operating systems and software.

- Document, document, document. The catalog of a system's network and software attack surfaces should be the start of a full documentation of its security.
This should include as-built system architecture diagrams showing all elements, their locations, their functions, their governance (i.e., owners/administrators) and their connections with other elements. Add to that written policies and procedures for: establishing, updating and terminating user accounts; upgrade and patch management policies, procedures and assigned responsibilities for all firewalls, devices and software applications; and scope, frequency and procedures for conducting security audits and penetration testing. All this documentation itself should have both version and access controls, plus always be backed up to an offsite location, so it's available by alternative means if the system goes down due to a cyber attack or some unrelated disaster.

- Communicate, communicate, communicate. During the hardening stage, many employees and other stakeholders will become aware of what's going on, so it's important to communicate with them the reasons for doing so, let them know who is in charge of the effort, advise them of any changes in their day-to-day work as a result, and set proper expectations for their roles in supporting the effort.

Ongoing vigilance. After hardening a company's ICS, SCADA, DCS and safety networks, the heightened protection will begin degrading over time without ongoing efforts to maintain security levels, to watch for and respond to apparent and actual attacks, and to conduct periodic security audits and tests. More specifically:

- Establish response teams to identify and evaluate potential attack scenarios. The designated person or team in charge of industrial network security should identify potential attack scenarios and then convene the core stakeholders of each scenario into a rapid response team. Each team member needs to imagine, describe and document the potential impact on his or her function should a security attack succeed, as well as what mitigation measures will be taken.
Roles and responsibilities need to be assigned and contact information shared in a central place. The team should meet at least annually to reacquaint themselves with each other and with their risk and mitigation scenarios. It's a good idea to conduct so-called tabletop exercises that assume the worst-case scenario has occurred, to provide the team with practice in responding.

- Conduct periodic audits and penetration testing. The frequency of audits and penetration testing depends on how critical an industrial control system is to a company's functioning or the life-safety of personnel and surrounding communities. Obviously a nuclear plant would require much more frequent audits and systems testing than a dairy products plant. Any industrial facility, however, should conduct an audit and systems testing no less frequently than once a year. Notably, audits often overlook evaluating the currency and relevancy of existing documentation, which in fact becomes outdated in tandem with the system being documented. That's why it's important to review and update documentation. If production lines are frequently reconfigured, with consequent changes made to their control systems, then mini-audits should be conducted to avoid introducing any unintended system vulnerabilities.

* * *

The ultimate goal of securing industrial control systems and networks against cyber attacks is to ensure their reliable and safe operation. Oil and gas industry executives can make tremendous progress in reaching this goal by initiating a thorough systems assessment and needed hardening, then putting in place a formal watchdog process governed by designated, well-qualified people with the knowledge and authority to create and enforce policies and procedures. Doing so will cost money and time, but it will be one of the most important investments that oil and gas operators can make in the safety and well-being of their people, production and property.
Subject to change without prior notice
Order No: AMWP-CIMAT-0714
Printed in USA
All rights reserved Siemens Industry, Inc.

Siemens Industry, Inc
Old Milton Parkway
Alpharetta, GA
usa.siemens.com/oil-gas

All trademarks used are owned by Siemens or their respective owners.
Siemens Industry, Inc., October All rights reserved.
State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology
More informationWhite Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act
A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK With organizations rushing to adopt Voice over IP (VoIP) technology to cut costs and integrate applications designed to serve customers better,
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationThis is a preview - click here to buy the full publication
TECHNICAL REPORT IEC/TR 62443-3-1 Edition 1.0 2009-07 colour inside Industrial communication networks Network and system security Part 3 1: Security technologies for industrial automation and control systems
More informationThe Four-Step Guide to Understanding Cyber Risk
Lifecycle Solutions & Services The Four-Step Guide to Understanding Cyber Risk Identifying Cyber Risks and Addressing the Cyber Security Gap TABLE OF CONTENTS Introduction: A Real Danger It is estimated
More informationIntrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks
Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323
More informationfor Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs
for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs EXECUTIVE SUMMARY Supervisory Control and Data Acquisition (SCADA) systems are used for remote
More informationUsing Tofino to control the spread of Stuxnet Malware
technical datasheet Application Note Using Tofino to control the spread of Stuxnet Malware This application note describes how to use the Tofino Industrial Security Solution to prevent the spread of the
More informationZone Labs Integrity Smarter Enterprise Security
Zone Labs Integrity Smarter Enterprise Security Every day: There are approximately 650 successful hacker attacks against enterprise and government locations. 1 Every year: Data security breaches at the
More informationNetwork & Information Security Policy
Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk
More informationAn Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
More informationABB s approach concerning IS Security for Automation Systems
ABB s approach concerning IS Security for Automation Systems Copyright 2006 ABB. All rights reserved. Stefan Kubik stefan.kubik@de.abb.com The problem Most manufacturing facilities are more connected (and
More informationInformation Technology Cyber Security Policy
Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please
More informationSTRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction
Policy: Title: Status: 1. Introduction ISP-S12 Network Management Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1.1. This information security policy document covers management,
More informationSecurity Issues with Integrated Smart Buildings
Security Issues with Integrated Smart Buildings Jim Sinopoli, Managing Principal Smart Buildings, LLC The building automation industry is now at a point where we have legitimate and reasonable concern
More informationCYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric
CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric Challenges What challenges are there for Cyber Security in Industrial
More informationAnalyzing Security for Retailers An analysis of what retailers can do to improve their network security
Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary
More informationIndustrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk
Industrial Cyber Security Risk Manager Proactively Monitor, Measure and Manage Cyber Security Risk With Today s Cyber Threats, How Secure is Your Control System? Today, industrial organizations are faced
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationWhite Paper. Information Security -- Network Assessment
Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer
More informationSECURITY CONSIDERATIONS FOR LAW FIRMS
SECURITY CONSIDERATIONS FOR LAW FIRMS Enterprise Risk Management Professional consulting firm that specializes in cyber security Founded in 1998 in Miami, Florida Serves more than 150 clients, locally,
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationGlobal Partner Management Notice
Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with
More informationEnergy Cybersecurity Regulatory Brief
Energy Understand the regulations that impact the energy industry and accelerate information security initiatives. Contents Overview 3 A Highly Vulnerable Energy Industry 4 Key Regulations to Consider
More informationInternet Content Provider Safeguards Customer Networks and Services
Internet Content Provider Safeguards Customer Networks and Services Synacor used Cisco network infrastructure and security solutions to enhance network protection and streamline compliance. NAME Synacor
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationHow to Choose the Right Industrial Firewall: The Top 7 Considerations. Li Peng Product Manager
How to Choose the Right Industrial Firewall: The Top 7 Considerations Li Peng Product Manager The right industrial firewall can strengthen the safety and reliability of control systems Central to industrial
More informationNetwork Instruments white paper
Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features
More informationOPC & Security Agenda
OPC & Security Agenda Cyber Security Today Cyber Security for SCADA/IS OPC Security Overview OPC Security Products Questions & Answers 1 Introduction CYBER SECURITY TODAY The Need for Reliable Information
More informationData Security Concerns for the Electric Grid
Data Security Concerns for the Electric Grid Data Security Concerns for the Electric Grid The U.S. power grid infrastructure is a vital component of modern society and commerce, and represents a critical
More informationIntegrating Electronic Security into the Control Systems Environment: differences IT vs. Control Systems. Enzo M. Tieghi etieghi@visionautomation.
Integrating Electronic Security into the Control Systems Environment: differences IT vs. Control Systems Enzo M. Tieghi etieghi@visionautomation.it Security IT & Control System Security: where are we?
More informationCisco Security Optimization Service
Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless
More informationThe Business Case for Security Information Management
The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un
More informationCyber Security for SCADA/ICS Networks
Cyber Security for SCADA/ICS Networks GANESH NARAYANAN HEAD-CONSULTING CYBER SECURITY SERVICES www.thalesgroup.com Increasing Cyber Attacks on SCADA / ICS Systems 2 What is SCADA Supervisory Control And
More informationSCADA/Business Network Separation: Securing an Integrated SCADA System
SCADA/Business Network Separation: Securing an Integrated SCADA System This white paper is based on a utility example but applies to any SCADA installation from power generation and distribution to water/wastewater
More informationRecommended IP Telephony Architecture
Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings
More informationSECURING YOUR SMALL BUSINESS. Principles of information security and risk management
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
More informationEffective OPC Security for Control Systems - Solutions you can bank on
Effective Security for Control Systems - Solutions you can bank on Darek Kominek Manager, Marketing, Matrikon Eric Byres, P. Eng., ISA Fellow CTO, Byres Security Inc. Executive Summary There is a perception
More informationSecurity Policy for External Customers
1 Purpose Security Policy for This security policy outlines the requirements for external agencies to gain access to the City of Fort Worth radio system. It also specifies the equipment, configuration
More informationSCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards
SCADA Compliance Tools For NERC-CIP The Right Tools for Bringing Your Organization in Line with the Latest Standards OVERVIEW Electrical utilities are responsible for defining critical cyber assets which
More informationInfor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
More informationOCR LEVEL 3 CAMBRIDGE TECHNICAL
Cambridge TECHNICALS OCR LEVEL 3 CAMBRIDGE TECHNICAL CERTIFICATE/DIPLOMA IN IT NETWORKED SYSTEMS SECURITY J/601/7332 LEVEL 3 UNIT 28 GUIDED LEARNING HOURS: 60 UNIT CREDIT VALUE: 10 NETWORKED SYSTEMS SECURITY
More informationINFORMATION TECHNOLOGY ENGINEER V
1464 INFORMATION TECHNOLOGY ENGINEER V NATURE AND VARIETY OF WORK This is senior level lead administrative, professional and technical engineering work creating, implementing, and maintaining the County
More informationInformation Technology Security Review April 16, 2012
Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing
More informationHow To Secure A Remote Worker Network
Key Steps to a Secure Remote Workforce Telecommuting benefits the employee and the company, the community and the environment. With the right security measures in place, there s no need to delay in creating
More informationDr. György Kálmán gyorgy@mnemonic.no
COMMUNICATION AND SECURITY IN CURRENT INDUSTRIAL AUTOMATION Dr. György Kálmán gyorgy@mnemonic.no Agenda Connected systems historical overview Current trends, concepts, pre and post Stuxnet Risks and threats
More informationISACA rudens konference
ISACA rudens konference 8 Novembris 2012 Procesa kontroles sistēmu drošība Andris Lauciņš Ievads Kāpēc tēma par procesa kontroles sistēmām? Statistics on incidents Reality of the environment of industrial
More informationCONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to
More informationCyber Threats in Physical Security Understanding and Mitigating the Risk
Cyber Threats in Physical Security Understanding and Mitigating the Risk Synopsis Over the last few years, many industrial control systems, including security solutions, have adopted digital technology.
More informationSecuring Industrial Control Systems on a Virtual Platform
Securing Industrial Control Systems on a Virtual Platform How to Best Protect the Vital Virtual Business Assets WHITE PAPER Sajid Nazir and Mark Lazarides sajid.nazir@firstco.uk.com 9 Feb, 2016 mark.lazarides@firstco.uk.com
More informationEvaluation Report. Office of Inspector General
Evaluation Report OIG-08-035 INFORMATION TECHNOLOGY: Network Security at the Office of the Comptroller of the Currency Needs Improvement June 03, 2008 Office of Inspector General Department of the Treasury
More informationExperience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.
Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies
More informationManaging Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services
Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult
More informationSession 14: Functional Security in a Process Environment
Abstract Session 14: Functional Security in a Process Environment Kurt Forster Industrial IT Solutions Specialist, Autopro Automation Consultants In an ideal industrial production security scenario, the
More informationSecure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment
Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment Introduction 1 Distributed SCADA security 2 Radiflow Defense-in-Depth tool-set 4 Network Access
More informationIndustrial Cyber Security. Complete Solutions to Protect Availability, Safety and Reliability of Industrial Facilities
Industrial Cyber Security Complete Solutions to Protect Availability, Safety and Reliability of Industrial Facilities WE HEAR ABOUT CYBER INCIDENTS EVERY DAY IN THE NEWS, BUT JUST HOW RELEVANT ARE THESE
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationKaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com
Kaseya White Paper Endpoint Security Fighting Cyber Crime with Automated, Centralized Management www.kaseya.com To win the ongoing war against hackers and cyber criminals, IT professionals must do two
More information