GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems



Similar documents
Cyber Security for NERC CIP Version 5 Compliance

GE Measurement & Control. Cyber Security for Industrial Controls

GE Measurement & Control. Cyber Security for NERC CIP Compliance

GE Measurement & Control. Cyber Security for NEI 08-09

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

Symphony Plus Cyber security for the power and water industries

Industrial Security Solutions

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Information Technology Policy

Verve Security Center

FISMA / NIST REVISION 3 COMPLIANCE

TRIPWIRE NERC SOLUTION SUITE

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

INCIDENT RESPONSE CHECKLIST

CIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

Protecting Critical Infrastructure

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

How To Manage Security On A Networked Computer System

QRadar SIEM 6.3 Datasheet

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz , ICSG 2014

Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it

13 Ways Through A Firewall

Designing a security policy to protect your automation solution

SCADA/Business Network Separation: Securing an Integrated SCADA System

Seven Strategies to Defend ICSs

RuggedCom Solutions for

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

United States Trustee Program s Wireless LAN Security Checklist

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015

Ovation Security Center Data Sheet

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Critical Controls for Cyber Security.

CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric

Ovation Security Center Data Sheet

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Enterprise Computing Solutions

Guideline on Auditing and Log Management

Did you know your security solution can help with PCI compliance too?

Network Security Guidelines. e-governance

Description of Actual State Sensor Types for the Software Asset Management (SWAM) Capability. 7 Jul 2014

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

LogRhythm and NERC CIP Compliance

NERC CIP VERSION 5 COMPLIANCE

LogInspect 5 Product Features Robust. Dynamic. Unparalleled.

ABB Automation Days, Madrid, May 25 th and 26 th, Patrik Boo What do you need to know about cyber security?

An Analysis of the Capabilities Of Cybersecurity Defense

Clavister InSight TM. Protecting Values

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Using Monitoring, Logging, and Alerting to Improve ICS Security ICSJWG 2015 Fall Meeting October 27, 2015

IT Security and OT Security. Understanding the Challenges

Supplier Information Security Addendum for GE Restricted Data

The Advantages of an Integrated Factory Acceptance Test in an ICS Environment

Securing the Service Desk in the Cloud

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

13 Ways Through A Firewall What you don t know will hurt you

Goals. Understanding security testing

UNIDIRECTIONAL SECURITY GATEWAYS. Utilizing Unidirectional Security Gateways to Achieve Cyber Security for Industrial Environments

Stronger than Firewalls And Cheaper Too

LogPoint 5.1 Product Features Robust. Dynamic. Unparalleled.

SCADA SYSTEMS AND SECURITY WHITEPAPER

Clean VPN Approach to Secure Remote Access for the SMB

How To Achieve Pca Compliance With Redhat Enterprise Linux

Patch and Vulnerability Management Program

Data Management Policies. Sage ERP Online

A Comparison of Oil and Gas Segment Cyber Security Standards

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

Secure Access into Industrial Automation and Control Systems Industry Best Practice and Trends. Serhii Konovalov Venkat Pothamsetty Cisco

LogRhythm and PCI Compliance

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Safeguarding the cloud with IBM Dynamic Cloud Security

GFI White Paper PCI-DSS compliance and GFI Software products

Continuous Compliance for Energy and Nuclear Facility Cyber Security Regulations

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

North American Electric Reliability Corporation (NERC) Cyber Security Standard

The Comprehensive Guide to PCI Security Standards Compliance

Best Practices For Department Server and Enterprise System Checklist

ARS v2.0. Solution Brief. ARS v2.0. EventTracker Enterprise v7.x. Publication Date: July 22, 2014

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance

SIMPLIFYING THE PATCH MANAGEMENT PROCESS

The SIEM Evaluator s Guide

Standard: Event Monitoring

SonicWALL PCI 1.1 Implementation Guide

Next Gen Firewall and UTM Buyers Guide

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

The Business Case for Security Information Management

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

Cisco Advanced Services for Network Security

Top 20 Critical Security Controls

Security Event Management. February 7, 2007 (Revision 5)

Transcription:

GE Measurement & Control Top 10 Cyber Vulnerabilities for Control Systems

GE Proprietary Information: This document contains proprietary information of the General Electric Company and may not be used for purposes other than that for which it was originally furnished except with written permission of GE Oil & Gas. Copyright 2012 General Electric Company. All rights reserved.

Contents NERC Cyber Infrastructure Protection (CIP), 10 CFR73/54/NEI 08-08, and International Instrument Users Association Working Party on Instrument Behaviour (WIB) Compliance...4 Vulnerability 1:...4 Vulnerability 2:...4 Vulnerability 3:...4 Vulnerability 4:...5 Vulnerability 5:...5 Vulnerability 6:...5 Vulnerability 7:...5 Vulnerability 8:...6 Vulnerability 9:...6 Vulnerability 10:...6 Top 10 Cyber Vulnerabilities for Control Systems 3

NERC Cyber Infrastructure Protection (CIP), 10 CFR73/54/NEI 08-08, and International Instrument Users Association Working Party on Instrument Behaviour (WIB) Compliance GE s cyber security solution provides Power, Oil, and Gas customers an integrated solution to meet industry compliance mandates and to protect their Industrial Computer Systems (ICS) against the continuously increasing threat in the cyberspace with increase system integrity, availability, performance, and confidentiality; and real-time change monitoring and audit-readiness system status reports to sustaining compliance. U.S. National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD23) defines cyberspace as the interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. Common usage of the term also refers to the virtual environment of information and interactions between people. The security of SCADA systems used in critical energy infrastructure installations throughout the United States relies on a cooperative effort between SCADA product vendors and the owners of critical infrastructure assets. These recommendations can be used by SCADA vendors to deliver and support systems that are able to survive attack without compromising critical functionality, by SCADA integrators to configure their systems securely before they are put into production, and by SCADA owners to perform due diligence in procuring, configuring, securing, and protecting these energy delivery control systems. Idaho National Laboratory, September 2011, http://www.inl.gov GE s cyber security solution addresses the ten common vulnerabilities of the Control Systems identified by the NERC Control Systems Security Working Group. Vulnerability 1: Inadequate policies and procedures governing control system security GE works with customers for continuous improvement for implementation and enforcement of policies and procedures governing protection and control system security. GE participates in Integrated Factory Acceptance Test (IFAT). An IFAT validates hardware and software performance across multiple systems in an offline environment where any issues or complications can be mitigated before a live rollout. This best practice safeguards against in-plant failures that could be costly or insecure. GE works closely with system vendors in hardening cyber assets to be NERC/NEI/WIB compliant for examples: take advantage of advanced management features of Windows 7, patching, appropriate use banner, no backdoor exit, syslog forwarding and event correlation. Vulnerability 2: Rely on security through obscurity GE adopts a process for continuous improvement of defense-in-depth network topology and Host-based Intrusion Prevention System (HIPS). GE s cyber security solution provides a stateful firewall which protects against unsolicited in-bound traffic and prevent intrusion via behavioral rules and signatures. Implementing a Network Intrusion Detection System (NIDS) gives system administrators better visibility of potential and actual threats. With 24 x 7 monitoring, analysis, and logging of network traffic, the NIDS speeds incident response time and simplifies forensics. Vulnerability 3: Untimely implementation of software and firmware patches. Inadequate testing of patches prior to implementation GE has a predefined checklist to verify the proper functioning of control systems to meet regulatory requirement for adequate testing of patches. GE s monthly security patches are released on the second Tuesday of each month to provide timely risk assessment. The validated patches, updates, and signatures for the operating system and software applications installed on HMIs and other cyber assets. By replicating a client s platform in GE s technology partner, FoxGuard s secure lab environment, FoxGuard can test these updates to ensure safe and smooth deployments. Patch management is purchased as a subscription with solution disks and documentation delivered in monthly intervals. It is available for implementation at discrete control devices or across a network via a central server. 4 Top 10 Cyber Vulnerabilities for Control Systems

Vulnerability 4: Use of inappropriate wireless communication. Lack of authentication in the 802.11 series of wireless communication protocols. Use of unsecured wireless communication for control system networks. GE supports encryption for administration of network devices within the control system over Ethernet and enforces two-way authentication of all network traffic (WIB BP.07.06: Role-based access for network devices). GE encourages customers who use wireless communication on laptops to implement wireless fidelity protected access (WPA) encryption and 802.1x device registration along with unregistered device detection; use public key infrastructure (PKI) and certificate servers; use non-broadcasting server set identifications (SSIDs); utilize media access control (MAC) address restrictions; and implement 802.11i. Vulnerability 5: Use of nondeterministic communication for command and control such as Internet-based SCADA. Inadequate authentication of control system communication protocol traffic. GE implements defense-in-depth architecture of multiple firewalls between control network and other networks. GE s solution provides a stateful firewall which protects against unsolicited in-bound traffic and prevent intrusion via behavioral rules and signatures to reduce operational risk for network operations. GE will provide firmware hashes as an additional tool to verify the integrity of GE firmware files to ensure customers that the firmware received from the factory is complete and unaltered prior to sending the firmware to the vendor controlled device. Customers can use the GE portal to verify that the firmware file in their possession is a known good GE firmware release by comparing the calculated hash value of the firmware in their possession with the hash value provided on the GE Portal. Vulnerability 6: Poor password standards and maintenance practices. Limited use of virtual private network (VPN) configurations in control system networks. GE implements role-based access control. GE s solution provides an integrated protocol anomalydetection and active response technology, behavior-based HIPS to protect VPNs. It provides an integrated Password Policy Enforcer to enforce granular password policies for Windows for NERC CIP- 007 R5 and WIB BP.20.03: Minimum password strength and BP.20.04: Password lifetimes and reuse restrictions. For networked devices, GE assists with the configuration of an Access Management console to regulate logons, set user and group permissions, and strengthen security policies (e.g. password parameters and session locks) as part of IFAT to increase overall accountability and authorization control and reduces the time and resources needed to manage user accounts. Vulnerability 7: Lack of quick and easy tools to detect and report on anomalous or inappropriate activity among the volumes of appropriate control system traffic. GE s security solution includes Network Intrusion Detection/Prevention device (NIDS) and Security Incident and Event Management (SIEM) with event correlation appliance for monitoring virtual devices and enable SNMPv3 privacy/encryption method as required by NEI and WIB BP.10.03 Log and event management. SIEM aggregates data from many sources including firewalls, applications, databases, etc. and presents it from a single interface using graphical dashboards. SIEM determines potential threats by correlating this data and instantaneously detects incidents through automated log file parsing. Autorun is a major infection threat vector identified by National Institute of Standards and Technology (NIST) and Nuclear Energy Institute (NEI). GE encourages customers to disable autorun as a best practice. Top 10 Cyber Vulnerabilities for Control Systems 5

Vulnerability 8: Dual use of critical control system low bandwidth network paths for noncritical traffic or unauthorized traffic. GE s security solution includes Network Intrusion Detection/Prevention device (NIDS) and SonicWall NSA 240 Unified Threat Management (UTM). During the Integrated Factory Acceptance Test (IFAT) GE works with customers in defining critical network paths and work on fine-tuning NIDS to evaluate network traffic and control system point counts and polling rates. SIEM provides analytical data for optimizing existing resources for critical network paths and fine-tuning prevention devices against protocol anomalies. Vulnerability 9: Lack of appropriate boundary checks in control systems that could lead to buffer overflow failures in the control system software itself. GE s solution monitors applications and critical address space for buffer overflow protection. The NETCAP system is designed to operate during normal plant operations. The bandwidth of the backups is set to 10% to minimize network resources, patches are set to never reboot the machine, so that the operators can schedule the reboot as needed. This design is tested as part of the Factory Acceptance Test (FAT). The SIEM is collecting logs at all times, but does not impose any noticeable impact to the network bandwidth to ensure plant operations personnel are in complete control over the system and will operate the system within their parameters. GE s security solution collects logs locally on the Windows machines as well as the network equipment through the use of buffering mechanisms. Vulnerability 10: Lack of appropriate change management/change control on control system software and patches. GE s solution houses a vast amount of data that is critical for CIP compliance. The Security Server has a database that keeps an inventory of machines and the history related to security related patches that were applied to those particular machines. It also has a database of information concerning the status of Anti-Virus signatures that are loaded on the HMIs. A backup will be performed by and stored on the Security Server. The Security Server was designed to store up to one (1) years worth of backups for up to ten (10) machines. The SIEM will store all the event logs from all Windows HMIs in the GE ICS. It will also store all the security events that are created on the network equipment, such as logon and logoff events, configuration change events, etc. This information will be stored and backed up using a stored procedure on the SIEM. The NIDS logs will also be stored on the SIEM, showing any incident that matched the NERC/NEI/WIB rules that are set up in the NIDS device, giving customers the confidence of audit-readiness. 6 Top 10 Cyber Vulnerabilities for Control Systems

GE Measurement & Control 1800 Nelson Road Longmont, CO 80501 15401387-8726 18881943-2272 GE4Service@ge.com http://www.ge-mcs.com/controlsolutions Controls Connect customer portal: ge-controlsconnect.com * Denotes a trademark of the General Electric Company. Copyright 2012 General Electric Company. All rights reserved. GEA20361 (10/2012)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information