Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

Transcription

1 Cyber Risk Mitigation via Security Monitoring Enhanced by Managed Services

2 Focus: Up to But Not Including Corporate and 3 rd Party Networks Level 4 Corporate and 3 rd Party/Vendor/Contractor/Maintenance Connections IT Cyber Security Firewall Level 3.5 DMZ Domain Controller ESF PHD Server Experion Server EAS Terminal Server Patch Mgmt Server Anti Virus Server 3 RD Party App Subsystem Interface eserver PHD Shadow Server Level 3 Router ESC ESF ACE Experion Server EST ESVT Optional HSRP Router Safety Manager Terminal Server Domain Controller Industrial Cyber Security Level 2 Qualified Cisco Switches Level Honeywell International All Rights Reserved

3 ICS Continuous Monitoring: Making the Case Honeywell International All Rights Reserved

4 Critical Infrastructure Cybersecurity Framework Function IDENTIFY PROTECT DETECT RESPOND Maps controls to: - ISO ISA 99/IEC NIST SP COBIT 5 - CCS CSC RECOVER Honeywell International All Rights Reserved

5 Critical Infrastructure Cybersecurity Framework Function IDENTIFY PROTECT Elements Hardware & Software Inventory, Policy & Procedures Network Topology, Security Risk Assessments Firewalls, Passwords, Antivirus, Patching, USB Control Physical Security, Change Control, Backup & Recovery DETECT? RESPOND? RECOVER? Honeywell International All Rights Reserved

6 Industrial Cyber Attacks & Incidents Are Rising Worm Targeting SCADA and Modifying PLCs Large-Scale Advanced Persistent Threat Targeting Global Energy Virus Targeting Energy Sector Largest Wipe Attack APT Cyber Attack on 20+ High Tech, Security & Defense Cos. Virus for Targeted Cyber Espionage in Middle East Cyber-Espionage Malware Targeting Gov t & Research Organizations Worm Targeting ICS Information Gathering and Stealing Information Stealer Malware Security Bug and Vulnerability Exploited by Attackers Industrial Control System Remote Access Trojan & Information Stealer Honeywell International All Rights Reserved

7 What do these 3 Plants have in common? German Steel Plant Iranian Nuclear Facility Turkish Pipeline Honeywell International All Rights Reserved

8 Increased Activity & Success Nov 20, 2014 NSA Chief FINALY states: It s already happened! Jan 23, 2015 Cisco CEO states Cyber Attacks will double this year Honeywell International All Rights Reserved

9 Common Thread Most of these attacks could have been stopped using good protection and detection capabilities The results/effects of ALL of these attacks could have been reduced via continuous monitoring Is your ICS currently infected or under attack? Honeywell International All Rights Reserved

10 ICS Continuous Monitoring: Key Elements Honeywell International All Rights Reserved

11 Key Events to Monitor Network Activity Logs ACL Rules, Utilization Spikes, Passwords/Strings System Audit Logs Unauthorized Access, Disabling Controls, Configuration Changes System Availability/Performance Application Health, CPU Utilization, Hardware Errors, Overruns Administrative Changes GPO Modifications, Group Additions, Enabling USB Devices Software Update Compliance Aging for Virus Signatures, Security Patches, Software Updates Virus Infections Honeywell International All Rights Reserved

12 Key Devices to Monitor Control Systems Servers Controllers Safety Managers Historians Network Devices (firewall, switch, wireless) Windows Servers Workstations (operator & engineering) System Backups Virtual Hosts Honeywell International All Rights Reserved

13 Obstacles to effective Monitoring Budget for required utilities Intrusion Detection Systems Security Information & Event Management Logging Agents, Relay Servers, Databases, etc. Personnel required for administration Initial Installation of components above Analysis of events to determine what is critical Investigation of alerts to determine next steps Other concerns Competing DCS priorities Training on new technology Different expertise per location Honeywell International All Rights Reserved

14 Continuous Monitoring Best Practice Hire a company to monitor your systems for ¼ the price, but only if they have the following: Expertise in Control System security Methodology that complies with IEC Passive, Comprehensive, Secure 100s of current ICS customers Follow the sun support model Geographically separate operating facilities Vendor Agnostic Honeywell International All Rights Reserved

15 Questions??? Honeywell International All Rights Reserved

16 Voice of Customer 1. For patching updates, are you using manual or automated processes? Manual Automated 2. For antivirus updates, are you using manual or automated processes? Manual Automated 3. On a scale of 1-10 (10 being very satisfied), how satisfied are you with how you currently monitor the security of your control system? 4. If you are not currently using Whitelisting, how soon do you intend to add Whitelisting to your cyber security program? Within 6 months 1 year 2 years or beyond Never Honeywell International All Rights Reserved

17 Thank You Honeywell International All Rights Reserved