Industrial Cyber Security 101. Mike Spear

Transcription

1 Industrial Cyber Security 101 Mike Spear

2 Introduction Mike Spear Duluth, GA USA Global Operations Manager, Industrial Cyber Security Responsible for the Global Delivery of Honeywell s Industrial Cyber Security Solutions Focus Cyber Security, Industrial Networks, and Wireless Over 30 years of Technical Management and Consulting Process, Batch, Discrete Manufacturing & Power Industries 9 th Year with Honeywell Process Solutions CIS Advisory Board Member Gwinnett Technical College Honeywell International All Rights Reserved

3 Agenda What is Industrial Cyber Security? Is the Risk Real? Where to start? Standards Where can I get more Information? Honeywell International All Rights Reserved

4 What Is Industrial Cyber Security? Body of technologies, processes & people designed to protect industrial networks From damage, disruption, unauthorized access or exploitation via electronic means Requires deep understanding of industrial control systems/operations + information technology/cyber security expertise IT Cyber Security Industrial Cyber Security Confidentiality and information Business systems Process availability, safety, reliability No disruptions; never down Unique, specific requirements Honeywell International All Rights Reserved

5 Is there a Real Threat? ICS-CERT Reported Incidents 55% APT 38 % of ICS incidents classified as unknown Lack of detection and monitoring Industrial Incidents Energy = 33% Water = 5% Chemical = 3% Nuclear = 2% *DHS-NCCIC Incident Response/ Activity 2014 *ICS-Cert Industrial Control System Cyber Emergency Response Team APT Advanced Persistent Threat Process Industry Accounts for 43% Honeywell International All Rights Reserved

6 Are you Immune? My PCN Does Not connect to the Internet We do not allow portable media Has a firewall I stayed at a Holiday Inn Express. Therefore, My ICS is 100% secure. 35% of ICS Incidents are a result of Malware Most penetrate from WITHIN the ICS environment Internal Emp. Direct 24% Penetration Sources Corp Network Remote Access 4% 4% Unknown 4% Vendor 28% USB/Portable Media 36% *Honeywell Process Solutions 35% of ICS Incidents are a result of Malware! Honeywell International All Rights Reserved

7 Insider Risks & Threats Snowden Threat An insider who goes rogue Trusted attackers are difficult to detect and catch Must consider multiple users accessing systems Risks Trusted resources that have been compromised Unsuspecting, innocent employee who is exploited Laptop compromised outside of the plant via malware Employees, Vendors & Contractors Honeywell International All Rights Reserved

8 Security Design IDENTIFY PROTECT DETECT RESPOND RECOVER Technical controls Technical controls Technical controls Technical controls Technical controls (Vulnerability scanning, Monitoring ) (Firewall, AWL, AV, IPS, DC, network segmentation,.) (IPS, IDS, SIEM, Security Dashboard ) (IPS, Recovery CD, ) (Back-up Control Center, ) Non-technical controls Non-technical controls Non-technical controls Non-technical controls Non-technical controls (Assessments, Risk management) (Security Policies & Procedures) (Security monitoring) (Security incident response, Disconnection management) (Data recovery, Disaster recovery) TIME TO BREACH THE PROTECTION TIME TO DETECT THE EVENT > + TIME TO RESPOND TO THE EVENT IF TRUE THE PLANT IS SECURE T B > (T D + T R ) Honeywell International All Rights Reserved

9 What is your Risk Appetite?

10 Levels of Security ISA Security Levels What is an appropriate protection level for my plant? SL 4 Protects against intentional security incidents using sophisticated means and having extended resources SL 3 Protects against intentional security incidents using sophisticated means Technical protection level SL 2 Protects against intentional security incidents using simple means SL 1 Protects against casual security incidents NIST / C2M2 Maturity Levels ML 4 Practices are adapted based on lessons learned and predictive indicators derived from previous cyber security activities. ML 3 Risk practices are approved by management and expressed as policy, policies, processes, and procedures are defined, implemented and validated. Governance maturity level ML 2 Risk practices are approved by management, staff has adequate resources to perform cyber security duties. ML 1 practices are not formalized, often case by case, and risk is managed in an ad hoc and sometimes reactive manner Honeywell International All Rights Reserved

11 Levels of Security Security level 4 Critical infrastructure Typical critical infrastructure: Oil & gas, power, water Security level 3 Security level 2 Security level 1 Where are we today? Non-critical infrastructure Typical non-critical infrastructure: Plastics, steel, resins, food, paper, beverages In our security assessments most companies score between SL 1 and SL 2 and ML 1 and ML 2 Maturity level 1 Maturity Level 2 Maturity Level 3 Maturity Level 4 Classifications of criticality can differ by country! Honeywell International All Rights Reserved

12 System Profiling SL Security Level SL3 SL SL ML1 ML2 ML3 Maturity level ML Honeywell International All Rights Reserved

13 Where Do you Want to be? Honeywell International All Rights Reserved

14 Awareness

15 Awareness Questions to consider: Portable Media What if you find an USB flash drive on the parking lot. What do you do? Network/Security Documentation What happens with network / security documentation / info. Is it stored in a secure place and only authorized people can access? Or can everyone in the company get access? Backups What about back-ups. Containing all documentation including network / security info and also passwords and other system settings? Are they securely stored or available to many? Will it restore? People What do you do when a system administrator leaves knowing all the ins and outs of your cyber security? Has your system been setup such that 1 person has all the info / access rights, etc.? Are the vendors involved in your security bound by confidentiality? General: What does your company do to create awareness for cyber security? Training Policies Procedures, Best Practices Enforcement Do you have an updated / accurate incident management plan to execute during a cyber attack? Honeywell International All Rights Reserved

16 Segmentation

17 Architecture Segmentation Technical Security Controls Separation from Business Network Firewall Segmentation Review Configuration Log Review Rule Management Especially Outbound Consider Next Generation Firewall Includes advanced inspection functionality Zones and Conduits Grouping of nodes with like security requirements Conduits should always be from adjacent zones Honeywell International All Rights Reserved

18 Getting Started Summary Determine Risk Appetite Current State vs Desired State Create Awareness Policies & Procedures Implement Architecture Segmentation Zones & Conduits Honeywell International All Rights Reserved

19 Standards & Regulations

20 Cyber Security Standards for ICS Oriented toward owner / operators Security architecture Procurement Technical and non-technical security controls ISMS framework Oriented toward suppliers Equipment requirements Development requirements Service delivery Oriented toward technical countermeasures Industry specific (Power, water, pipelines, chemical, offshore, critical infrastructure) Oriented toward non-technical countermeasures Industry specific (Power, water, pipelines, chemical, offshore, critical infrastructure) Honeywell International All Rights Reserved

21 Standards/Guidelines/Frameworks Owner / operator Just a small overview API 1164 NISTIR 7628 IEC EPRI IEC IEC Technical NISTIR 7874 IEC NERC CIP IEC NISTIR IEC NISTIR 7328 IEC IEC Non-technical Supplier / vendor ISA 99 / IEC program: 13 security standards covering the full spectrum ISASecure TM program: Embedded Device Security Assurance (EDSA) System Security Assurance (SSA) Security Development Lifecycle Assurance (SDLA) NERC CIP program: 8 security standards Power utilities Procurement guidelines EPRI DHS Smart grid security guidelines NISTIR ENISA Pipeline cyber security Maritime cyber security Honeywell International All Rights Reserved

22 Is that All? Owner / operator API 1164 NISTIR 7628 IEC EPRI IEC IEC Technical NISTIR 7874 IEC NERC CIP IEC NISTIR IEC NISTIR 7328 IEC IEC Non-technical Supplier / vendor Unfortunately, No, IEC security controls safety IEC security controls safety Industry specific security standards Chemical - CIDX Water systems - EPA National / regional security standards ANSSI French critical infrastructure VGB German (nuclear) power industry OLF Norwegian offshore CPNI UK critical infrastructure ICT Qatar guidelines NIST ENISA WIB, etc, etc, etc Honeywell International All Rights Reserved

23 Man Years of Effort Standards are good however, Too Many Overlap Inconsistent Focus primarily on Technical Controls ICS Standards still need to mature Business Justification Will need to employ a hybrid depending on Industry IEC & NIST Embedding into overall risk management framework All progress is precarious, & the solution of one problem brings us face to face with another problem Honeywell International All Rights Reserved Martin Luther King

24 Other Sources of Information Day Time Title Presenter Monday 2:00 PM Cyber Security Strategies: Introducing Honeywell Risk Manager (Grand Oaks Ballroom AB) 4:15 PM Continuous Industrial Cyber Risk Mitigation with Managed Services Monitoring & Alerting (Grand Oaks Ballroom CD) Thursday 1:00 PM Preventing, Detecting & Recovering from a Cyber Incident (Cibolo Canyon BR 1/2) 1:00 PM Best Practices for Securing Process Control Networks (Grand Oaks Ballroom) 1:00 PM Fundamentals of Process Control Design (Grand Oaks Ballroom PQ) Eric Knapp, Director Industrial Cyber Security Solutions & Technologies Mark Littlejohn, Global Manager- Industrial Managed Security Services Mike Baldi, Industrial Cyber Security Solutions Architect Jay Gustin, Engineering Fellow Sachi Dash, Manager Project Engineering All Various Knowledge Center Robert Alston, Americas Technical Leader Industrial Cyber Security To Learn more Honeywell International All Rights Reserved

25 Any questions? Honeywell Industrial Cyber Security Honeywell International All Rights Reserved

26 Layered Approach to Governance Honeywell International All Rights Reserved