Continuous Industrial Cyber Risk Mitigation with Managed Services Monitoring and Alerting Konstantin Rogalas and Arjen van Es, Honeywell

Transcription

1 2015 Honeywell Users Group Europe, Middle East and Africa Continuous Industrial Cyber Risk Mitigation with Managed Services Monitoring and Alerting Konstantin Rogalas and Arjen van Es, Honeywell

2 About the Presenter Arjen van Es Security Service Center Team leader EMEA/APAC; Commissioning engineer Axial/Centrifugal compressors; Service engineer - modular systems; Arjen.van.Es@Honeywell.com Software support engineer; Technical Specialist ICT; Process control systems Network Architect; Open Systems Services - Consultant; Honeywell International All Rights Reserved

3 About the Presenter Konstantin Rogalas MSc, MBA Business Lead for Honeywell Industrial Cyber Security - Europe; in Discrete Automation & Process Control; in Telecommunications: Broadband-M2M/IoT; Konstantin.Rogalas@Honeywell.com 2013 Oil & Gas, Energy, Pharmaceuticals & Chemicals industry Certification study for ENISA in Industrial Cyber Security; ICS Council with policy makers, asset owners and service providers; Member of the European ICS Stakeholders Group Honeywell International All Rights Reserved

4 Agenda Continuous Monitoring in the Security Profile Obstacles & Managed Security Pros-Cons Monitoring & Alerting with Managed Services Conclusions Open Discussion About: Honeywell Industrial Cyber Security Honeywell International All Rights Reserved

5 ICS Continuous Monitoring: Making the Case Continuous Monitoring ensures Industrial Control System (ICS) reliability Detection of availability & performance issues to prevent serious degradation In the context of Cybersecurity: Which ICS Cyber Security controls (technical and non-technical) need to be in place for ICS Continuous Monitoring? Where does ICS Continuous Monitoring belong in the Cyber Security Profile? This section: Introduces the Cyber Security Profile and its underlying principles Places Continuous Industrial Cyber Risk Readiness in the overall Cyber Security Profile context Proves why Continuous Monitoring is in the heart of detecting cyber security anomalies & events which is vital to respond/recover Explains why Continuous Monitoring is an essential performance evaluation principle which increases cyber security maturity Honeywell International All Rights Reserved

6 Typical security level Honeywell International All Rights Reserved

7 Security levels and security capabilities Honeywell International All Rights Reserved

8 C2M2 Maturity Indicator Levels Honeywell International All Rights Reserved

9 Cyber Security Profile 9 SL4 SL3 SL2 SL SL1 SL2 SL3 SL Refining process facilities 1401 Fertilizers 1102 O&G LNG terminals 1403 Petrochemicals 1103 O&G processing 1404 Plastics and fibers 1104 O&G production - on-shore 1405 Specialty chemicals 1105 O&G production - off-shore 1406 Biofuels 1108 O&G Marine - LNG IAS 1501 Alumina 1110 Gas To Liquid 1502 Aluminium 1112 Production - Coal bed M 1503 Base materials 1114 Pipeline - Liquid 1504 Cement 1115 Pipeline - Gas 1505 Coal & coal gasification 1201 Pulp 1506 Iron 1203 Paper 1509 Precious metals 1204 CWS 1510 Steel making 1303 Utility power 1508 Other SL1 SL2 SL3 SL4 MIL0 MIL1 MIL2 MIL3 The target Protection Level is determined by the security design effectiveness (Security Level) and security operations effectiveness (Maturity Level) IEC standard provides the Security Level, Cobit or C2M2 toolkit provides the Maturity Level The Security Profile defines for each facility how to protect and how to organize 2015 by Honeywell International Inc. All rights reserved Honeywell International All Rights Reserved Defines the Security Profile

10 Sustainable security requires a Program 10 SP 16 SP 15 Increase maturity level with an organized Security Operations Center (SOC) 4 SP 12 SP 11 SP 10 SP 7 SP 6 Increase maturity level with Activity/Trend reporting (associated Policies) 2 3 Increase security level with SIEM, NGFW, AWL, Risk Manager SP 5 SP 2 SP 1 1 Increase security level with Monitoring/Alerting (in addition to Anti-Virus, Patching) Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q by Honeywell International Inc. All rights reserved. If you run too fast or jump too high, you might trip Honeywell International All Rights Reserved

11 Agenda Continuous Monitoring in the Security Profile Obstacles & Managed Security Pros-Cons Monitoring & Alerting with Managed Services Conclusions Open Discussion About: Honeywell Industrial Cyber Security Honeywell International All Rights Reserved

12 Obstacles to initial self-monitoring Compatibility with DCS - Logging agents stress the control system Budget for required utilities Developing Logging Agents Servers, Databases, Proxy, etc. Personnel required for administration Initial implementation & testing of components above Analysis of events to determine what is critical Investigation of alerts to determine next steps Other concerns Training on new technology Different expertise per location Honeywell International All Rights Reserved

13 Continuous Monitoring Best Practice Hire a company to monitor your control systems with minimal setup time and for a fraction of the cost, while fulfilling the following: Expertise in Control System Cybersecurity Methodology that complies with IEC Existing set of Passive Agents Responding on monitored problems Serving concurrently 100s of sites Follow the sun support model Honeywell International All Rights Reserved

14 Voice of the Customer 1. For control system performance/availability monitoring, do you have a process and, if yes, which kind of? No monitoring process Manual monitoring process Automated monitoring process 2. How satisfied are you with how you currently monitor the security of your control system? Dissatisfied Needs improvement Satisfied 3. Which disadvantages do you see in using Managed Security Services? Capex/Opex Investment New Internal Processes Corporate IT policy issues Honeywell International All Rights Reserved

15 Where would your Security Profile be? Honeywell International All Rights Reserved

16 Agenda Continuous Monitoring in the Security Profile Obstacles & Managed Security Pros-Cons Monitoring & Alerting with Managed Services Conclusions Open Discussion About: Honeywell Industrial Cyber Security Honeywell International All Rights Reserved

17 Key Events to Monitor Network Activity Logs ACL Rules, Utilization Spikes, Passwords/Strings System Audit Logs Unauthorized Access, Disabling Controls, Configuration Changes System Availability/Performance Application Health, CPU Utilization, Hardware Errors, Overruns Administrative Changes GPO Modifications, Group Additions, Enabling USB Devices Software Update Compliance Aging for Virus Signatures, Security Patches, Software Updates Virus Infections Honeywell International All Rights Reserved

18 What is monitored Performance Analyzers for 550+ Critical parameters Honeywell International All Rights Reserved

19 Performance Monitoring - 1 LEVEL 4 LEVEL 3.5 DMZ LEVEL 3 LEVEL 2 Redundant Servers Service Node PHD Stations (N (N nos.) Corporate Network Firewall LCN A LCN B L3 Switch Relay server ESVT EST US GUS Experion Servers Performance Experion Stations Data and Notifications Rate Performance for ESVT CDA, TPS and DSA State of critical Experion State Performance of Critical Experion services, EST Patches Data and Notifications Rate FTE Performance GUS driver warnings, FTE for CDA, Driver TPS Warnings and DSA Report Data and of Notifications current Experion Rate TPS Performance Current State of Experion Critical Experion Patch patches Controllers installed Performance Data Status Patches and Notifications Rate PHD Event Rate -FTE Driver Warnings Availability State CPU for CDA, of load TPS and DSA Critical Experion State Performance Availability US Current Experion Patch Synchronization Patches TPS of Interface Critical Experion Average - & Synchronization Status Patches Data storage C300 Performance Redundancy FTE Data Driver Rate Warnings FTE - Real Queue state Redundancy Driver Time Warnings Data (RDI) Performance -Parameters Queue state Failure Current TPS Interface per Second Events Experion Average Alerts Patch Current Interface -Failure HEAPFRAG Availability Status CPU Notification load Events Experion Alerts Rate Patch Status - Backup Synchronization Cycle Data Server Request overruns Failed Rate & Availability - Availability Redundancy Queue state Availability I/O Parameter Link bandwidth requests Synchronization - Process/System Failure Events Alerts & State - US Failure Parameter availability Events Rate - Alerts Availability Backup Redundancy RDI State - Server Failed Queue state Backup Peer to Server peer Failed traffic -Failure - Services Controller Events goes Alerts offline Availability -Backup Failover Server of redundant Failed - Controller controllers goes offline - Failover of redundant controllers LEVEL 1 APM HPM AM PM CLM NG CG HG Honeywell International All Rights Reserved

20 Performance Monitoring - 2 LEVEL 4 LEVEL 3.5 DMZ LEVEL 3 LEVEL 2 Redundant Servers Service Node Stations (N nos.) PHD Corporate Network Firewall L3 L3 Switch Switch Relay server ESVT EST US GUS PC Hardware Monitoring Performance Firewall - Windows Hard Disk Applications failures Switches Performance - Predictive (L2 Warnings-HDD and L3) Performance - Memory Usage Failures RAID Memory Input / Output Windows Degradation Usage Rates performance Chassis Input Bandwidth monitoring / Output Usage intrusion Rates Bandwidth Input / Output Load Percentage Usage Errors - - Availability - Input Status Free / physical Output and configuration memory Errors - of each Interface - - Loss Status Used of and Space Redundancy configuration (%) of - each Power Interface Supply failure Availability - Fans Chassis Intrusion Availability - Device Availability Temperature High inside - - Device Ping Status Chassis Availability - - Ping Response Status Time - Response Time LCN A LCN B LEVEL 1 APM HPM AM PM CLM NG CG HG Honeywell International All Rights Reserved

21 Security Monitoring LEVEL 4 LEVEL 3.5 DMZ LEVEL 3 LEVEL 2 LEVEL 1 Redundant Servers Service Node Stations (N nos.) PHD Corporate Network Firewall LCN A LCN B L3 Switch Relay server ESVT EST US GUS Patch & Update Management Performance Anti-virus Windows Update Intrusion Performance Information Detection Performance Anti-virus warning Patch Information Unauthorized Anti-virus error Audit policy status login Engine policies Audit attempts Trail Suspicious Availability packet/traffic Virus scan failure Windows Ability to recognize Security Virus signature Performance patterns typical of attacks database updation Invalid login attempts Analysis failure Authentication of abnormal failure Account activity Locked patterns out Password Tracking user expired policy User violations account expired Unauthorized elevated Privileges Password policy Password complexity/ strength policy Guest account status APM HPM AM PM CLM NG CG HG Honeywell International All Rights Reserved

22 Honeywell Security Service Center (HSSC) Amsterdam Houston Amsterdam Bucharest Houston Honeywell International All Rights Reserved

23 Managed Industrial Cyber Security Services Patch and Anti-Virus Automation Security and Performance Monitoring Activity and Trend Reporting Advanced Monitoring and Co- Management Secure Access Tested and qualified patches for operating systems & DCS software Tested and qualified antimalware signature file updates Comprehensive system health & cybersecurity monitoring 24x7 alerting against predefined thresholds Monthly or quarterly compliance & performance reports Identifying critical issues and chronic problem areas Honeywell Industrial Cyber Security Risk Manager Firewalls, Intrusion Prevention Systems, etc. Highly secure remote access solution Encrypted, two factor authentication Complete auditing: reporting & video playback Monitoring, Reporting and Honeywell Expert Support Honeywell International All Rights Reserved

24 Security and Performance Monitoring Continuous Monitoring - Agentless monitoring solution for system, network and security performance and health - Tested to ensure no impact on systems - Automated monitoring of critical ICS, network, Windows TM and security parameters - Intelligent analysis based on Honeywell engineering & expertise Alerts / Situational Awareness - 24/7 automated, proactive alerting for all monitored devices - Equipment and device specific thresholds - Managed Security Service Center automatically generates an alert or SMS text to site specified contact - Alert messages may include attached troubleshooting techniques Honeywell International All Rights Reserved

25 Activity and Trend Reporting Trend Analysis Complements Alerts - Ability to catch degrading conditions - Captures & reports frequency of intermittent issues Critical Parameter Reports Actionable reports of critical system & network information plus security issues - Out-of-date installation status for Anti-Malware signatures & Windows TM patches - Inventory of all detected networked equipment - Key source of data for compliance documentation Bi-Annual and/or Quarterly Reports - Comprehensive, detailed reports including long term trends, plus expert analysis Audit - Audit capability including access to session recordings Honeywell International All Rights Reserved

26 Get updates Collect monitoring data Get updates Send data Managed Industrial Cyber Security Services Industrial Site Internet Security Service Center Level 4 Corporate Proxy Server Level 3.5 eserver Terminal Server Relay Node Isolates ICS/PCN Ensures no direct communication between L3 and L4 Communication Server Application Servers Level 3 Restricts unauthorized ICS/PCN nodes from sending or receiving data Database Servers Service Node Anti malware Patch Management Monitoring Secure access Level 2 EST/ESF 3 rd Party Historian Domain Controller SSL Encrypted communication Connects to Honeywell Security Service Center ONLY! ACE EST/ ESF Experion Servers Domain Controller Level Honeywell International All Rights Reserved

27 EMEA Managed Security Service Center Estonia Norway Finland SSC and support team Sweden Egypt Kuwait Saudi Arabia Abu Dhabi Oman North Sea Poland United Kingdom Cameroun Belgium France Zwitserland Germany Austria Slovakia SSC Support team Zambia Romania Namibia Italy South Africa Portugal Spain Sites 203 Protection Management 147 Tunisi Monitoring 112 SSC EMEA support Locations: Amsterdam The Netherlands Bucharest - Romania Honeywell International All Rights Reserved

28 Agenda Continuous Monitoring in the Security Profile Obstacles & Managed Security Pros-Cons Monitoring & Alerting with Managed Services Conclusions Open Discussion About: Honeywell Industrial Cyber Security Honeywell International All Rights Reserved

29 Cyber Security Profile 29 SL SL SL SL MIL0 MIL1 MIL2 MIL by Honeywell International Inc. All rights reserved. Manageability requires a S.M.A.R.T. and holistic approach Honeywell International All Rights Reserved

30 Security solutions 30 SL SOC SL SL SL MIL0 MIL1 MIL2 MIL by Honeywell International Inc. All rights reserved. Manageability requires a S.M.A.R.T. and holistic approach Honeywell International All Rights Reserved

31 Industry-Leading Industrial Cyber Security 31 Industrial Cyber Security Experts Global team of certified Industrial Cyber Security experts 100% dedicated to Industrial Cyber Security Experts in process control cyber security Leaders in security standards ISA99 / IEC62443 / NIST Proven Experience 10+ years industrial cyber security 1,000+ successful industrial cyber projects 300+ managed industrial cyber security sites Proprietary cyber security methodologies and tools Investment and Innovation Largest R&D investment in industrial cyber security Partnerships with leading cyber security vendors Industry first Risk Manager First to obtain ISASecure security for ICS product State of art Industrial Cyber Security Solutions Lab Refining & Minerals, Petrochemical Oil & Gas Chemicals Power Generation Metals & Mining Pulp & Paper Proven Industrial Cyber Security Solution Provider Honeywell International All Rights Reserved

32 This is what we do: Open Discussion Honeywell International All Rights Reserved

33 Agenda Continuous Monitoring in the Security Profile Obstacles & Managed Security Pros-Cons Monitoring & Alerting with Managed Services Conclusions Open Discussion About: Honeywell Industrial Cyber Security Honeywell International All Rights Reserved

34 Leading Cyber Security Organization for ICS Honeywell International All Rights Reserved

35 Honeywell ICS Edmonton Vancouver Bracknell Aberdeen Amsterdam Montreal Offenbach Bucharest Global setup to serve global organizations as well as local asset owners Houston Atlanta Dubai Kuala Lumpur Santiago Perth SSC + HICS HICS Office Private LSS SSC HICS Resource(s) Industries served: Oil & gas Gas distribution Power Refineries Chemical Water treatment Pulp & paper Maritime Honeywell International All Rights Reserved

36 Honeywell s Industrial Cyber Security Lab Flexible model of a complete process control network up to the corporate network Honeywell Cyber Security solutions development and test bed Demonstration lab for customers Cyber security related academic programs Hands-on training Simulate cyber attacks Demonstrate Honeywell cyber security solutions Honeywell International All Rights Reserved

37 Typical systems H-ICS have secured Distributed Control Systems E.g. Chemical, Petrochemical, Refining, Offshore platforms Leak Detection Systems, Machine Monitoring Systems, Metering Systems, Compressor Control Systems Supervisory Control and Data Acquisition (SCADA) systems E.g. Gas Distribution, Power utilities, Pipelines, oil fields Distributed Energy Systems E.g. Wind turbines, hydropower Maritime systems E.g. Harbor systems, shipping Honeywell International All Rights Reserved

38 Driven by standards and regulations IEC (Formerly ISA 99) Industrial Automation Control Systems (IACS) Security Global standard for wide range of industry Honeywell ICS is active contributor to the development of the standard through ISA NERC CIP North American Power ANSSI, BSI, CPNI, MSB, etc. European guidelines, best practices and country-specific measures JRC & ENISA recommendations European Union NIST US technology standards (SP ) And others: ISO, API, OLF E.g. ISO 27000, API 1164, OLF 104 Local regulations Honeywell International All Rights Reserved

39 Honeywell ICS specialists background 39 Unique combination of long time experience in process control, networks and cyber security Gain knowledge, demonstrate knowledge and maintain knowledge - CISSP - CCNA - MCSE - CISM - CCNP - MCSA - CEH - CCIE - VCP - CRISC - CCSP Specialists with many backgrounds - Honeywell - Penetration testing Languages - Yokogawa - IT departments - Emerson - Telecom providers - Schneider - ABB 2015 by Honeywell International Inc. All rights reserved Honeywell International All Rights Reserved

40 Honeywell International All Rights Reserved