Effective Defense in Depth Strategies

Transcription

1 Honeywell.com 2014 Honeywell Users Group Asia Pacific Effective Defense in Depth Strategies for Industrial Systems 1 Document control number Honeywell Proprietary

2 Honeywell.com Chee Ban, Ngai About the Presenter Honeywell Industrial Cyber Security, APAC Leader Over 20 years of experience in Information Technology risk management and industrial cyber security. Mechanical engineer by training, Master in Software Engineering, CISSP & CISA Stint in corporate IT at DBS Bank, Maybank, Stanchart and as SOC operations director in APAC. Industrial cyber security at PETRONAS. 2 Document 2014 control number Honeywell Honeywell Proprietary Proprietary

3 Industrial IT usage 8-10 years behind Corporate IT experience Anti-virus & Firewalls Localized concerns Security Standards Security best practices ISO / IEC Regulatory Compliance & CIP Anti-virus & Firewalls Open systems architecture Regulatory standards. Compliance audits. Security Standards Process & Procedures ISA / IEC (ISA-99). Regulatory Compliance & CIP Regulatory audits. 3

4 Case: Lack of fundamental cyber security care & practices Microsoft patches were outdated by 2 months. Anti-virus scanning turned off. Network slowed down whenever PHD server turned on. found infected with Conficker virus HONEYWELL CONFIDENTIAL - FOR INTERNAL USE ONLY 4

5 Case: Lack of fundamental cyber security care & practices Physical access security is important too! Unauthorised access to servers possible. Lack of attention to environmental control. Entry to CCR by card access & Room by biometric fingerprint authentication. HONEYWELL CONFIDENTIAL - FOR INTERNAL USE ONLY 5

6 Testing & Qualification of Microsoft Patch Updates & Anti-Malware Updates for Honeywell Systems Honeywell SUIT LAB, HTS-Hyderabad Security Update Investigation Team 2012 Honeywell Proprietary 6

7 Honeywell tests & qualifies Microsoft Patch Updates for full-compatibility with Honeywell Systems Microsoft published patch available for MS Vulnerability US-CERT issued alert on Microsoft patch necessary for MS Vulnerability Honeywell announced tested patch for MS is available. Honeywell tested MS patch next day after. 7 HONEYWELL - CONFIDENTIAL File Number

8 Testing of Anti-Virus Signature Updates Why is it Important? 8 HONEYWELL - CONFIDENTIAL File Number

9 Secure Delivery of Tested-Patch/Anti-Malware Updates Level 4 Level 3.5 DMZ Level 3 Level 2 Level 1 Anti- Malware Experion EST Industrial PCN Site Windows TM Patch Mgmt (WSUS) Secure Service Node Relay Corporate Proxy SSL Encrypted, Certificate Authenticated Tunnel Initiated by site s Secure Service Node Connect to Managed Security Service Center ONLY Managed Security Service Center Communication Application s Operator Controls ACE Engineering Controls DMZ CORPORATE Domain Controller 3 RD Party Apps ESF Domain Controller Experion Terminal e Corporate Router Internet Tunnel through corporate network provides additional security Database s Relay isolates PCN from Corporate Network Restricts end nodes from sending or receiving data out of PCN DMZ Honeywell Proprietary

10 Network Architecture Security: Zones & Conduits Courtesy: Tofino 10

11 Specifying the Zones Courtesy: Tofino 11

12 Defining the Conduits Courtesy: Tofino 12

13 Limite d L2 to L1 No communications between L1 & L3 or L4 Limite d L2 to L3 Very Limited L2 to L3.5 Very Limited L3 to L3.5 Very Limited L3.5 to L4 No Direct communications between L4 & L3 or L2 ISA-95 PCN Secure Architecture Standard Enterprise Switch Comm flow Level 4 Firewall L4 to L4 Level 3.5 DMZ Domain Controller ESF PHD Experion EAS Terminal Patch Mgmt Anti Virus 3 RD Party App Subsystem Interface e PHD Shadow Limited L3.5 to L3.5 L3 to L3 Level 3 Router ESC ESF ACE Experion EST Optional HSRP Router ESVT Safety Manager Terminal Domain Controller Level 2 Level 1 Qualified Cisco Switches L2 to L2 L1 to L1 13

14 IEC / ISA 99 Cyber Security Standard for ICS Key references: IEC SL, zones & conduits IEC Security Requirements IEC Non-technical controls 14

15 Experion Backup & Restore Campaign and Account Planning Handouts

16 Honeywell.com Defense in Depth Rudimentary Perspective Controlled Physical Access OS Patch & Anti-malware updating Defined Security Zones Cyber security best practices Redundancy Layered Approach to Process Network Security 16 Document control number Honeywell Proprietary

17 ISA / IEC Security Levels (SL) SL 1 PROTECTION AGAINST CASUAL OR COINCIDENTAL VIOLATION (I.e. changing a setpoint to a value outside engineering defined conditions, interception of a password send over the network in clear text.) SL 2 PROTECTION AGAINST INTENTIONAL VIOLATION USING SIMPLE MEANS (I.e. virus infection, exploiting commonly known vulnerabilities of DMZ hosts) SL 3 PROTECTION AGAINST INTENTIONAL VIOLATION USING SOPHISTICATED MEANS (I.e. exploits in operating systems, protocols. Attacker requires advanced security knowledge, advanced domain knowledge, advanced knowledge of the target system. I.e. password cracking.) SL 4 PROTECTION AGAINST INTENTIONAL VIOLATION USING SOPHISTICATED MEANS WITH EXTENDED RESOURCES (Similar to SAL 3 but attacker now has extended resources to their disposal. I.e. StuxNet attack) 17

18 Honeywell.com Defense in Depth so, where do we go from here after all these? 18 Document control number Honeywell Proprietary

19 ISA / IEC Security Levels (SL) SL 1 PROTECTION AGAINST CASUAL OR COINCIDENTAL VIOLATION (I.e. changing a setpoint to a value outside engineering defined conditions, interception of a password send over the network in clear text.) SL 2 PROTECTION AGAINST INTENTIONAL VIOLATION USING SIMPLE MEANS (I.e. virus infection, exploiting commonly known vulnerabilities of DMZ hosts) SL 3 PROTECTION AGAINST INTENTIONAL VIOLATION USING SOPHISTICATED MEANS (I.e. exploits in operating systems, protocols. Attacker requires advanced security knowledge, advanced domain knowledge, advanced knowledge of the target system. I.e. password cracking.) SL 4 PROTECTION AGAINST INTENTIONAL VIOLATION USING SOPHISTICATED MEANS WITH EXTENDED RESOURCES (Similar to SAL 3 but attacker now has extended resources to their disposal. I.e. StuxNet attack) 19

20 Honeywell.com Defense in Depth Advanced Perspective Regular Cyber Security Assessment Security Intelligence Monitoring Interceptions & Control Application Layer Security Security Incidence Response Layered Approach to Process Network Security 20 Document control number Honeywell Proprietary

21 Cyber Security Assessment 1: Discussions, information collation. 2: Documentation, Network architecture reviews. 3: Vulnerability assessment testing. 4: Verification and validation of test results with customer s technical representatives. 5: Presentation of to customer s management. 6: Cyber security assessment report.

22 Security Intelligence Monitoring For assuring cyber security requirements at a glance: Instantaneous view of current cyber posture Drill down to cyber tools Value includes: Quick status assurance Reduced administrative load Meet regulatory requirements Service includes: Vendor flexible interface for: Antivirus Application Whitelisting Security Patching Backup / Restore Network Security Cyber Security Dashboard

23 Honeywell.com Deep Packet Inspection App Hijacking Droppers Worms Viruses Syn Flood, Smurf, Session Hijack RPC attacks, Application Contents Layers 5-7 TCP/UDP Application Contents Header IP Header TCP/UDP Header Application Contents Ethernet Header IP Header TCP/UDP Header Application Contents Layer 4 Layer 3 Layer 2 Layer 1 23 Document control number Honeywell Proprietary

24 Detection Capability Honeywell.com Deep Packet Inspection Application Session Inspection Packet Packet Packet Packet Packet Packet Packet Packet Packet All Packets in a Session are Reassembled, Decoded and Inspected Deep Packet Inspection Packet Packet Packet Packet Packet Packet Each Packet is Decoded and Inspected in Sequence 24 Document control number Honeywell Proprietary

25 Application Whitelisting Whitelisting is the process of preventing malicious software, from infecting your system By defining only what processes are allowed to run And by blocking all other programs

26 Security Incident Response ISA Incident discovery - reporting Authentication Containment Categorization, Response Escalation Recovery Forensics Management reporting Honeywell 2011 version 5.1 slide - 26

27 27 Questions

28 Contacts Chee Ban Ngai Industrial Cyber Security, Leader, Asia Pacific phone: cell: Follow us: Blog: Website: Website: Honeywell Proprietary 28

29 Honeywell.com Thank You 29 Document control number Honeywell Proprietary