Industrial. Components Overview

Transcription

1 Kaspersky Industrial CyberSecurity: Components Overview

2 2 ATTACKS ON INDUSTRIAL SYSTEMS ARE ON THE INCREASE Cyber attacks on industrial systems are not only on the increase, but have transitioned from speculative to indisputable. 1 Thirty-two per cent of IT managers responsible for safeguarding industrial systems say their control system assets or networks have been infiltrated at some point; 34 per cent believe their systems have been breached more than twice in the past 12 months. 2 According to PwC, the average number of detected incidents in the power and utilities sector soared six-fold in 2014 by far the highest reported by any industry. 3 The U.S. s ICS-CERT reports that 55 per cent of the attacks it sees involve advanced persistent threats (APTs) or sophisticated actors. 4 Risk to supply chain and business interruption have ranked as the number one business risk concern globally for the past three years; cyber risk is the number one emerging concern. 5 For businesses operating industrial or critical infrastructure systems, the risks have never been greater. Industrial security has consequences that reach far beyond business and reputational protection. In many instances, there are significant ecological, social and macro-economic considerations when it comes to protecting industrial systems from cyber threats. 1 PwC: Global State of Information Security SANS Institute: The State of Security in Control Systems Today, June PwC: Global State of Information Security ICS-CERT Monitor: September 2014 February Allianz Risk Barometer Forrester Research: S&R Pros Can No Longer Ignore Threats to Critical Infrastructure, by Rick Holland

3 3 RISKS AND THREATS In addition to malware and targeted attacks, industrial organizations face a number of threats and risks targeting people, process and technology. As we ve seen, underestimation of these risks could have serious consequences. Kaspersky Lab has developed a comprehensive portfolio of technologies, solutions and services to help our customers tackle and manage many of these risks, among them: Mistakes by SCADA operators or contractors (3rd parties) Insider actions (intentional or otherwise) Infection via contractor devices (removable media or network connection) Hacktivist and cyber terrorist attacks State-sponsored attacks Cyber sabotage Compliance Lack of awareness and hard data for incident forensics Lack of incident reporting In addition to industrial-specific advanced persistent threats such as Citadel, Energetic Bear/ Havex, Miancha or Black Energy 2, many of the threats and vulnerabilities facing industrial systems today come from everyday threats in the business layer in their infrastructure. Industrial-specific attacks use both the enterprise LAN and industrial control systems (ICS) to launch and propagate; Energetic Bear infected OPC server and ICS equipment software with a remote access Trojan, but also exploited known vulnerabilities in Abode PDF software to launch spear-phishing attacks. The attack propagated from one system to another, stealing information from SCADA systems and damaging unhardened ICS by wiping PCs or overloading networks. The Conficker worm, although not industrial-specific, has not only been found in critical medical equipment, but is suspected to have been a door kicker for high-profile industrial attacks such as Stuxnet. Conficker is capable of completely overloading networks and bringing vital processes to a halt. Traditional industrial security techniques don t address these threats very well: air-gap or security through obscurity strategy doesn t address the reality that smart grid systems and web-based applications mean Industrial Control Systems look more and more like consumer PCs. 7 The need for specialized industrial cybersecurity Only cyber security vendors that understand the differences between industrial systems and standard, business-oriented enterprises ones are able to deliver security solutions that meet the unique needs of industrial control systems and industrial infrastructure owners. Forrester Research says that industrial organizations selecting security vendors should Look for specialized industry expertise. 6 It goes on to identify Kaspersky Lab as one of the few vendors offering specialized industrial security solutions with genuine expertise in the sector. 7 EU Agency for Network and Information Security (ENISA): Can we learn from SCADA security incidents?

4 4 Kaspersky Lab: Trusted Industrial CyberSecurity Provider A recognized leader in cyber security and industrial protection, Kaspersky Lab is continually researching and developing solutions that do more to address the constantly evolving threats to industrial and critical infrastructures. From operations management to the SCADA level and beyond, into a future where secure operating environments will be a reality, Kaspersky Lab is playing a leading role in helping industry, regulators and government agencies globally to anticipate changes in the threat landscape and defend against attacks. Already a trusted security provider and partner to leading industrial organizations, which have used our anti-malware protection for many years, Kaspersky Lab also collaborates with leading industrial automation vendors, including Emerson, Rockwell Automation, Siemens and others to establish compatibility, specialized procedures and co-operation frameworks that protect industrial environments from existing and emerging threats, including APTs and highly targeted attacks. Kaspersky Lab is developing a portfolio of specialized solutions to address specific industrial security market needs. These solutions provide effective security at all industrial layers including SCADA servers, HMI panels, workstations, PLCs and network connections from cyber threats without impacting on operational continuity and consistency of the technological process.

5 5 In keeping with Kaspersky Lab s overall multi-layered security strategy, Kaspersky Industrial CyberSecurity delivers a combination of protection types. In addition to the technologies and services that support every stage of the security cycle, Kaspersky Industrial CyberSecurity delivers protection in support of integrity control, intrusion prevention and detection, anti malware and vulnerability assessment, among others, as the below scheme shows.

6 6 Kaspersky Industrial CyberSecurity: Services Our suite of expert services form an important part of Kaspersky Industrial CyberSecurity and includes employee training, industrial network analysis, cybersecurity system design, solution integration, configuration proposals and security incident investigation. Knowledge (Education and Intelligence) CyberSecurity Training: Courses for both IT experts and regular employees on the latest threats, development trends and mitigation techniques and general cybersecurity awareness. Intelligence Reporting: Up-to-date security intelligence reports prepared by leading cybersecurity experts, tailored to customer needs, such as software and infrastructure. Simulation: Kaspersky Lab has developed a training game for managers and technical experts, simulating real-world cyberattacks on industrial automation systems. Different versions are available for different industries i.e. water treatment, power generation etc. Expert Services CyberSecurity Assessment: Kaspersky Lab experts, in co-operation with companies, review and analyse existing IT security systems and practices before developing a site-specific threat model and recommendations for mitigation. Penetration Testing: Kaspersky Lab experts work with in-house staff to locate and mitigate vulnerabilities. Architecture Analysis: Kaspersky Lab experts assist with cybersecurity integration at system design stage, when ICS (and components such as SCADA, PLC and communications devices) are being developed. Solution Integration: Kaspersky Lab experts can support integration with unique or custom components hardware or software including for customer-specific algorithms used to control key industrial process parameters. Policy and Procedure Development: Preparation of a documentation package for implementing and operating cybersecurity based on unique customer industrial and business needs. Maintenance: Technical support, update testing and regular maintenance are available within the framework of Kaspersky Lab s expert technical support service. Incident Investigation: Malware analysis and incident remediation services designed specifically for organizations that have in-house specialists.

7 7 Kaspersky Industrial CyberSecurity Products To ensure the highest levels of protection from all attack vectors, industrial floor level security should operate at both the node and network levels. To ensure optimal control, ease of management and visibility, Kaspersky Industrial CyberSecurity like all Kaspersky Lab protection technologies is controlled via a single management console, Kaspersky Security Center. This centralized management capability ensures ease of control and visibility not only at the industrial layer, but across the surrounding business floors too, as the below image illustrates. Business Floor Kaspersky Security Center Industrial Floor 1 Industrial Floor 2 Industrial Floor 3 Kaspersky Security Center Kaspersky Security Center Kaspersky Security Center PLC PLC PLC

8 8 Kaspersky Industrial CyberSecurity for Nodes Kaspersky Industrial CyberSecurity for Nodes was designed to specifically address threats within ICS/SCADA environments. It works at the ICS/SCADA server, Human-Machine Interface and engineering layer to deliver optimal security from various cyber threats caused by human factor, targeted attacks or sabotage. It s compatible with both the software and hardware components of industrial automation systems, such as SCADA, PCS, and DCS. Threats and Risks factors Launching of unwanted software Malware, incl. 0-day attacks ICS network attacks Connection of unwanted devices ICS software vulnerabilities False alarms on custom (industrial) software Kaspersky Lab technologies that address Application control (white and black listing) and default deny/allow scenarios Advanced anti-malware detection and prevention; Automatic Exploit Prevention Host-based Firewall, IPS/IDS and Network Attack Blocker Device Access Control Vulnerability assessment Certification by leading ICS vendors; trusted updates system Software and Hardware Integrity Control The relatively static nature of ICS endpoint configurations means integrity control measures are significantly more effective than in dynamic, corporate networks. The integrity control technologies in Kaspersky Industrial CyberSecurity for Nodes are as follows: Application Start-up Control and Application Privilege Control Among other things, application control mechanisms enable: Control of application installation and start-up according to whitelisting (best practice for industrial control networks) or blacklisting policies Control of application access to operating system resources: files, folders, system registry etc. Control all types of executable that run in a Windows environment, including: exe, dll, ocx, drivers, ActiveX, scripts, command line interpreters and kernel-mode drivers Update application reputation data

9 9 Pre-defined and customer-defined application categories to manage controlled application lists Fine-tune application controls for different users Prevention or detection-only modes: block any application that isn t whitelisted or, in watching mode, allow applications that aren t whitelisted to run but register this activity within the Kaspersky Security Center, where it can be assessed. Device access control Manage access to removable devices, peripherals and system busses, based on device category, family and specific device ID. Support for both white-and-blacklist approaches Granular, per-computer, per-user policy assignment to a single user/computer or group of users/computers Prevention-or-detection-only mode Host-based Firewall and Network Attack Blocker Set up and enforce network access policy for protected nodes such as servers, HMIs or workstations. Key functionalities include: Control access over restricted ports and networks Detect and block network attacks launched from internal sources, such as contractor laptops, which may introduce malware that attempts to scan and infect the host as soon as it joins the industrial network Automatic Exploit Prevention This enables an isolation layer to protect SCADA processes from malicious memory injections or modifications, such as exploit payloads. PLC integrity check Enable additional control over PLC configuration via periodical checks against a selected, Kaspersky Lab-secured server or workstations. Resulting checksums are compared against saved Etalon values and deviations are reported. Advanced anti-malware protection Kaspersky Lab s best-in-class proactive malware detection and prevention technologies are adapted and re-designed to meet heavy resource consumption and system availability requirements. Works in static or rarely updated environments.

10 10 Kaspersky Lab s anti-malware covers the full spectrum of technologies, including: Signature, heuristics and behaviour-based malware detection On-access and on-demand detection In-memory (resident) detection Rootkit detection Kaspersky Security Network (KSN) and Kaspersky Private Security Network (KPSN) enable the ultimate malware detection service: custom, targeted detection. Trusted updates To ensure Kaspersky Lab anti-malware updates have no impact on protected system availability, compatibility checks are performed prior to both database/component releases and process control system software/configuration updates. Potential resource consumption issues can be addressed using one or more of the following: Kaspersky Lab performs database update compatibility tests with SCADA vendor software in Kaspersky Lab test bed SCADA vendor performs compatibility checks Kaspersky Lab checks anti-malware database updates for customer: SCADA, workstation, server and HMI images are integrated into Kaspersky Lab s test bed Kaspersky Lab anti-malware updates are tested on customer s site and automated via Kaspersky Security Center. Vulnerability assessment Passive vulnerability assessment capability: detection and information on software vulnerabilities with zero disruption of technology processes. Centralized deployment, management and control Kaspersky Industrial CyberSecurity for Nodes is deployed and managed via a centralized console, enabling: Centralized management of security policies; ability to set different protection settings for different nodes and groups. Facilitate the testing of updates before roll-out into network, ensuring full process integrity Role-based access aligned with security policies and urgent actions.

11 11 Kaspersky Industrial CyberSecurity for Networks Designed specifically for industrial control system cyber protection, Kaspersky Lab s network level security solution operates at the process control abstraction layer, analysing and inspecting the sources of traffic while providing integrity control for both industrial network and industrial control processes. Kaspersky Industrial CyberSecurity for Networks addresses multiple industrial-specific threats and risk factors. Threats and Risk factors Lack of information for cyber security officers on the state of technological network and processes Appearance of unauthorized network devices on industrial network Appearance of unauthorized network communications on the industrial network Destructive commands sent to PLC by Operator, engineer or 3rd party (contractor, vendor) by mistake Malware or attacker (APT) Lack of data for cyber incident investigation and forensics Lack of data for SCADA operators on cyber security threats Lack of data on 3rd-party (contractors, vendors) activity on ICS assets Kaspersky Lab Technologies that address Detection of suspicious process control events Network Integrity checking enables the detection of new and unknown connected devices Network Integrity checking enables the detection of new (unauthorized/suspicious) communications between known network nodes Monitoring of communications to and from PLCs and control of commands and parameter values of technology process Monitoring and safe logging of technological network events. Alerting suspicious technological process parameter changes to operator (via HMI integration) Alerting PLC configuration attempts and dangerous process control commands to operator (via HMI integration) Passive industrial network traffic inspection, Effective Security Monitoring Kaspersky Industrial CyberSecurity for Networks delivers passive network traffic analysis while remaining invisible to potential attackers. Installation is as simple as enabling/configuring port mirroring; easy integration into existing industrial infrastructure is achieved via the SPAN port of the existing switch or TAP device.

12 12 Hierarchical architecture, single point of control Network traffic sensors passively connected to the controlled network segment via the SPAN port or TAP device are managed via a single control unit that provides the following functionality: Retrieve and store event data from all sensors use data for incident response and investigation/forensics Report all detected events and anomalies to 3-rd party systems including to SIEM, mail, syslog servers, network management systems through SNMP protocol Monitor overall system health Managed via Kaspersky Security Center, if desired. Network Integrity and Monitoring Kaspersky Industrial CyberSecurity for Networks provides a spread of network integrity monitoring facilities within the controlled network, including: New device detection New device communications detection. Trusted Industrial Process Control Monitoring Kaspersky Lab s solution supplies industrial users with a trusted platform for monitoring process control command flow and telemetry data, enabling, among other things: Detection of any command to reconfigure PLCs or change PLC state, including STOP, PAUSE, change PLC program, PLC firmware change. Control of technology process parameters and algorithms; Protection against outside threats while mitigating the risk of advanced insider interference from engineers, SCADA operators or other internal staff with direct access to systems. Forensics Kaspersky Lab s solution gives to industrial users safe logging system, which provides tools for data analysis and forensic. Moreover, the system prevents changes of system events. Industrial network asset visibility Kaspersky Industrial CyberSecurity for networks enables identification of all Ethernetconnected network assets including SCADA servers, HMI, engineering workstations, PLCs and RTUs. This gives security teams the capacity to develop their own reliable, secure network asset inventory, independent of potentially vulnerable OT/IT asset management tools, which are highly targeted by attackers.

13 13 ADDITIONAL SERVICES FOR KASPERSKY INDUSTRIAL CYBERSECURITY PRODUCTS Kaspersky Security Network (KSN) Kaspersky Security Network is a cloud-based, complex distributed architecture dedicated to gathering and analyzing security threat intelligence from millions of nodes worldwide. KSN not only detects and blocks the newest threats and zero-day attacks, but also helps locate and blacklist online attack sources, providing reputational data for websites and applications. All Kaspersky Lab corporate solutions can be connected to KSN if they choose, including industrial ones. Key benefits include: Superior detection rates Reduced reaction times traditional signature-based responses take hours, KSN responds in about 40 seconds Lower false positive rates Reduced resource consumption for on-premise security solutions. Kaspersky Private Security Network (KPSN) For organizations that have very specific data privacy concerns, Kaspersky Lab has developed the Kaspersky Private Security Network option. It provides almost all the advantages of KSN, but without sending any information whatsoever outside the network. KPSN can be deployed within any organization s own data center, where in-house IT specialists retain complete control over it. Local KPSN installations can help meet country specific compliance requirements or other industry-specific legislation. Key KPSN functions File and URL reputation services: MD5 hashes for files, regular expressions for URLs and malware behavior patterns are centrally stored, categorized and rapidly deployed to client Record Management System (RMS): Sometimes security software makes mistakes and incorrectly categorizes files or URLs as trusted/not trusted. RMS acts as a false positives deterrent, rectifying errors as well as continuously analyzing to improve quality. Cloud-based intelligence and information

14 Twitter.com/ Kaspersky Facebook.com/ Kaspersky Youtube.com/ Kaspersky Kaspersky Lab, Moscow, Russia All about Internet security: Find a partner near you: Kaspersky Lab. All rights reserved. Registered trademarks and service marks are the property of their respective owners. Lotus and Domino are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Linuxis the registered trademark of Linus Torvalds in the U.S. and other countries. Google is a registered trademark of Google, Inc.