Securing Campus Utility Systems from Cyber Attack

Transcription

1 Securing Campus Utility Systems from Cyber Attack TC Lau, Industrial Defender VP of Professional Services Bob Manning, Harvard University Engineering & Utilities Associate Director of Operations IDEA s 23RD CAMPUS ENERGY CONFERENCE Feb 9, Industrial Defender All rights reserved

2 Case Study Overview University Situation Challenges Mitigation Options Available Options Comparison Chosen Solution Lessons Learned 2

3 University Situation Campus netw ork characteristics Open academic cultures Students have open access and vulnerable to malicious sites Flat and open netw orks pose additional threats to plant operations Key Concern Availability of Plant Operations Utility system is on campus backbone Utility system is vital to university operations Utility system is NOT isolated from campus netw ork 3

4 Campus Network 4

5 Challenges Architecture No isolation w ith current architecture Need secured communications across distributed campus netw ork Operational Expertise needed in control systems and new security devices Staffing required for 24x7 monitoring services Implementation w ith minimal to no impact on Operations Focus on core competencies 5

6 Mitigation Options 1. Firew alls 2. Netw ork/host Intrusion Detection System (NIDS/HIDS) 3. Internal Security Event Monitoring (SEM) 4. Outsourced to Security Companies 6

7 Options Comparison * Examples include Cisco, Checkpoint & Juniper Pros Firew alls/utm Basic traffic cop firew all functionality Basic Anti-Virus (AV) functionality Basic Intrusion Prevention Services (IPS) Most have AV/IPS automatic signature updates Logged data packets Cons Additional infrastructure to be supported and by w hich group? IT practices may not w ork for Plant Operations Not SCADA protocol aw are (modbus, DNP3, ICCP,etc) Not a defense-in-depth solution 7

8 Options Comparison Netw ork & Host Intrusion Detection (NIDS/HIDS) * Examples include Tripw ire,real Secure, Enterasys, Snort & ISS Pros Some security and performance metrics Detection of malicious traffic Detection of netw ork changes Monitoring unauthorized netw ork access Alert on unknow n, not-understood traffic (w hite-listing) Cons False positive Lack of signatures for SCADA protocols Can impact netw ork or processor utilization consumption Not a defense-in-depth solution Tuning, care and feeding 8

9 Options Comparison Internal Monitoring Systems * Examples include What s Up Gold, HP OpenView, SolarWinds, and several others Pros Cons Can be cost-effective Ease of configuration using SNMP or syslog Great for monitoring up/dow n status Dashboard functionality Robust systems can be very expensive No connectors for RTU, PLC, HMI and PI Robust solutions can require in-depth training Additional infrastructure to be supported Not a defense-in-depth solution 9

10 Options Comparison Outsourced to Security Company * Examples include BT Counterpane and CSC Pros Augment staffing Especially beneficial for 24x7 Operations Elimination of ongoing training needs Allow s focus on core business functions Leverages economies of scales Additional services often available Cons Lack know ledge in SCADA & DCS domain Customer could lose access to critical data Uncertainty about w here sensitive data resides May not be fully integrated 10

11 Chosen Solution Defense-in-Depth Multi-layered approach Fully integrated security Extends time to detect and respond to attacks 11

12 Chosen Solution Industrial Defender s Managed Security Services Fully integrated defense-in-depth 8 distributed firew alls providing isolation and UTM functionality 2 NIDS monitoring key netw ork segments 5 HIDS monitoring security and operational events Co-Managed Security Service Customer has administrative control of systems Customer has access to logs, backups, reports, etc. Customer controls firew all policy changes Customer customized alert priorities Domain Expertise Know ledge of control systems Know ledge of security practice Hardened 24x7 Security Operations Center (SOC) 12

13 Chosen Solution 13

14 Lessons Learned Field devices not connected to UPS systems Prone to potential data loss as a result Unencrypted logs over the campus netw ork Mitigated via VPN tunnels betw een distributed endpoints Coordination of router changes and implementation of new devices Industrial sw itches in use Difficult to access Mounted via DIN rails (not standard for netw ork devices) Concerns about port spanning capabilities Mitigated by replacement w ith standard Cisco sw itches Heat concerns w ith additional systems 14

15 Contact Information Bob Manning, Harvard University Engineering & Utilities Associate Director of Operations Office: TC Lau, Industrial Defender VP of Professional Services Office: Michael Piccalo, Industrial Defender Director of Managed Security Services Office: