ICS Cyber Security Briefing
About John Ballentine
John Ballentine, Director of Cyber Security & Compliance
Over 20 years of experience in the energy industry, including corporate and consulting roles managing cyber security and regulatory compliance at power generation facilities in North America.
Assists HPI customers by reducing their cyber security risk in industrial control system environments.
Develops programs that identify, manage and mitigate compliance and regulatory risks.
Industry service includes:
Board of Directors, North American Generator Forum (NAGF)
US Department of Homeland Security Cyber Emergency Response Team
Graduated from the US FBI Compliance Academy
Certifications: CSSA (Certified SCADA Security Architect), CISSP (Certified Information Systems Security Professional), CISA (Certified Information Security Auditor), CCEP (Certified Compliance and Ethics Professional), GLEG (Certified Information Law Specialist)
Security, Security, Security HPI LLC Proprietary Information
They Strike Again (Really!)
California Power Station Attacked in 2013 Is Struck Again
Back Up Attack
By Matthew L. Wald, August 28, 2014
The Silicon Valley power substation that was attacked by a sniper in April 2013 was hit by thieves early Wednesday morning, according to the Pacific Gas and Electric Company, despite increased security. The substation, near San Jose, Calif., is the source of energy for thousands of customers, and the idea that it was the target of a well-organized attack, and that it might have been disabled for an extended period, raised anxieties about the possible broader vulnerability of the grid.
The attack this week did not involve gunfire, and it did not seem intended to disable the facility. Early Wednesday, an unknown number of thieves cut through a fence and made off with power tools, a pipe bender and ground compactors used to smooth out dirt after excavations, said Keith F. Stephens, a spokesman for Pacific Gas and Electric.
The substation has an alarm system, but the fence alarms that went on overnight were not reacted to or addressed in an appropriate manner, Mr. Stephens said. He added that the problem was a result of human error. The company has not determined the value of the items taken. The intruders did not appear to try to damage operating equipment, Mr. Stephens said.
In the 2013 attack, shots were fired into the radiators of giant transformers, disabling but not destroying them. Two manhole covers were removed, and communications lines were cut. The utility said damages came to $15.4 million. Some of the transformers were repaired using components borrowed from other utilities; others had been nearing retirement anyway and were replaced.
THE ICS SECURITY LANDSCAPE
Security as a Governance and Practical Matter
Security, whether cyber or physical, affects how energy companies plan, manage and maintain their business objectives. Executives and managers face increasing challenges in managing the threats and potential impacts of security issues. HPI's customers typically operate facilities that are vulnerable to attack and can ill afford business interruption. They need effective strategies to properly design, plan, implement and maintain a security program that meets the modern challenges they face.
Industrial Control Systems
Distributed Control System (DCS) and Process Control Systems: a group of computers and/or smart field devices networked together to monitor and control industrial processes with direct feedback control. Control systems operate in near real time and are used in critical sectors such as power generation, oil and gas refining, water treatment and chemicals. They may consist of HMIs, PLCs, standalone power electronic controllers, microgrid controllers and substation automation systems.
Supervisory Control and Data Acquisition (SCADA) System: normally applied to systems connected to devices over a larger area, including multiple buildings or sites many miles away. The operative word is SUPERVISORY. Used in critical sectors such as electrical transmission and distribution, oil and gas pipelines, water/sewer and transportation.
Power System ICS Footprint
Generator Control Systems
SmartGrid Control and Automation Systems
Utility Monitoring and Control Systems
Supervisory Control and Data Acquisition (SCADA) Systems (transmission and distribution)
Fuel Management Systems
Power Quality and UPS Systems
Renewable Energy Control Systems
Information vs. Operations Technologies (Corporate Office/IT compared with Utility/OT/ICS)
Security Focus: IT: Confidentiality, Integrity. OT: Availability.
People/Equipment Ratio: IT: number of people roughly equals number of equipment. OT: few people, many types of equipment.
Object Under Protection: IT: Information. OT: Industrial process.
Risk Impacts: IT: Information disclosure (privacy), economic, legal liability for damages. OT: Safety (life), health, environment, loss of production, downtime, repairs.
Availability Requirements: IT: 95-99%/year (moderate acceptable downtime). OT: 99.9-99.999%/year (no acceptable downtime).
System Lifetime: IT: 3-5 year replacement cycles. OT: 15-30 years.
Main Protected Target: IT: Central servers (CPU, memory) and PCs. OT: Servers, distributed systems, sensors, PLCs.
Operating Systems: IT: Windows. OT: Windows and proprietary.
Software: IT: Consumer software on PCs. OT: Specific, customized configurations.
Protocols: IT: Well known (HTTP over TCP/IP), web-based. OT: Industrial TCP/IP, vendor specific, polling.
Main Actors: IT: IBM, SAP, Oracle. OT: ABB, Siemens, Honeywell, Emerson.
THREAT ASSESSMENT
Security Threats from Every Direction
Internally, externally, domestically and internationally, our clients must prepare to identify and meet the threats head on:
Fraud and theft, criminal activity
Blunders, errors and omissions
Disgruntled employees, insiders
Curiosity and ignorance, recreational and malicious hackers
Industrial and foreign espionage and information warfare
Malicious code
Attack Modes for ICS
Loss of View
Manipulation of View
Denial of Control
Manipulation of Control
Total Loss of Control
Cyber Intrusion Sequence (diagram stages)
Surveillance
Information Exfiltration
System Mapping
Pen Test
Incident Detection/Response
Initial Infection
Launch Attack
Attack Sources
1. External threats / hacktivism
2. Security policy violations, malware and email phishing
3. Insider exploits or other internal activities
4. Industrial espionage
Attack Vectors: Method of Compromise (chart). Categories: Social Engineering 62%, Weak passwords, File Upload, Web Management Console, Missing patches (remaining shares 2%, 4%, 10%, 22%).
Attack Vectors: Time to Break-In (chart). Categories: Less than 1 Hour, 1-4 Hours, 4-8 Hours, 8-16 Hours (shares 12%, 18%, 29%, 41%).
Attack Vectors: Level of Compromise (chart). Categories: External Admin Access, Internal User Access, External User Access, Internal Admin Access, Complete Internal Compromise (shares 38%, 16%, 28%, 7%, 11%).
How Attackers Navigate in ICS
SECURITY PLAN AND APPROACH
Framework Core
Identify: Institutional understanding to manage cyber security risk.
Protect: Safeguards to ensure delivery of CI services.
Detect: Identify the occurrence of a cyber security event.
Respond: Take action to address a detected cyber security event.
Recover: Restore capabilities or CI services impaired by a cyber security event.
Keys to Securing Your Operations Technology
Assess existing systems, and document policies and procedures.
Train personnel and contractors.
Segment the control network, and control system access.
Harden system components.
Monitor and maintain system security.
Importance of Establishing ICS Security Policies
Demonstrates Support: Demonstrates management support and direction.
Technology Independent: Stays as technology independent as possible.
Company Protection: Protects the company and preserves management options in the event of a security incident.
Structure Analysis: Outlines what to achieve, not how to achieve it.
Sets Expectations: Provides guidance and communicates expectations to employees and suppliers.
Cyber Security Vulnerability Assessment
Expert analysis of the control system to identify actual and potential security vulnerabilities, covering:
Network architecture diagrams
Network component and host device configurations
Access control strategies
Software and firmware versions
Policies and procedures
Implementation Phase
Security Network Design Goals
Restrict physical access to the ICS network and devices. Unauthorized physical access to components could cause serious disruption of the ICS's functionality. A combination of physical access controls should be used, such as locks, card readers and/or guards.
Restrict logical access to the ICS network and network activity. This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
Security Network Design and Installation
Maintain Phase
Security countermeasures must be monitored and maintained:
Monitor system logs
Evaluate, test and deploy patches prudently
Plan and prepare incident response plans and drills
Steps to Improve Cyber Security of SCADA Networks
Identify all connections to SCADA networks.
Disconnect unnecessary connections.
Evaluate/strengthen the security of any remaining connections to the SCADA network.
Harden SCADA networks by removing unnecessary services.
Don't rely on proprietary protocols to protect the system.
Implement security features provided by device and system vendors.
Establish strong controls over any medium used as a backdoor into the SCADA network.
Implement internal and external intrusion detection systems and establish 24-hour incident monitoring.
Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns.
Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security.
Establish SCADA Red Teams to identify and evaluate possible attack scenarios.
Clearly define cyber security roles, responsibilities and authorities for managers, system administrators and users.
Document network architecture and identify systems that serve critical functions or contain sensitive information requiring additional protection.
Establish effective configuration management processes.
Conduct routine self-assessments.
Establish system backups and disaster recovery plans.
Establish a rigorous, ongoing risk management process.
Establish a network protection strategy based on the principle of defense-in-depth.
Clearly identify cyber security requirements.
Senior leadership should establish expectations for cyber security performance and hold individuals accountable for their performance.
Establish policies and train to minimize the likelihood that personnel will disclose information regarding the SCADA system, operations or security controls.
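The DMZ design goal above (corporate and ICS networks never talk directly) and the first three SCADA steps (identify all connections, disconnect the unnecessary ones, evaluate the rest) can be checked against exported flow records. This added example is not from the deck or from HPI; the zone ranges, the allowed ports and the sample flows are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Zone layout and allowlist are assumptions for this example, not from the deck.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ics": ipaddress.ip_network("10.30.0.0/16"),
}
# Boundary crossings the design permits: corporate reaches only the DMZ, and
# only the DMZ reaches the ICS, each on a few named ports (assumed services).
ALLOWED_CROSSINGS = {
    ("corporate", "dmz"): {443},   # read-only historian replica web UI
    ("dmz", "ics"): {102, 502},    # historian polling controllers (S7, Modbus/TCP)
}
Flow = namedtuple("Flow", "src dst dport")

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def classify(flow):
    # 'intra-zone', 'allowed', 'violation' (bypasses the DMZ) or 'review' (off-allowlist)
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d:
        return "intra-zone"
    if "ics" in (s, d) and ("corporate" in (s, d) or "external" in (s, d)):
        return "violation"
    if flow.dport in ALLOWED_CROSSINGS.get((s, d), set()):
        return "allowed"
    return "review"

def audit(flows):
    # Group by verdict; 'violation' and 'review' form the worklist for disconnecting links.
    report = {"intra-zone": [], "allowed": [], "violation": [], "review": []}
    for f in flows:
        report[classify(f)].append(f)
    return report

# Constructed sample, as a firewall or NetFlow export might list it.
SAMPLE_FLOWS = [
    Flow("10.10.5.23", "10.20.0.10", 443),   # engineer browsing the DMZ historian
    Flow("10.20.0.10", "10.30.1.50", 502),   # DMZ historian polling a PLC
    Flow("10.10.5.23", "10.30.1.50", 502),   # corporate host polling a PLC directly
    Flow("10.10.7.4", "10.20.0.10", 3389),   # RDP into the DMZ, not on the allowlist
    Flow("10.30.1.50", "10.30.1.60", 502),   # PLC-to-PLC traffic inside the ICS zone
    Flow("203.0.113.9", "10.30.1.50", 22),   # internet host reaching an ICS device
]
```

Running `audit(SAMPLE_FLOWS)` on the constructed flows reports the direct corporate-to-PLC and internet-to-PLC flows as violations and the off-allowlist RDP session for review.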
THE HPI ADVANTAGE
HPI Security Approach: Prevent, Detect & Recover
Whether you need a full compliance or security solution, or are preparing for an audit or internal control review, HPI's experience as operators will maximize your return on investment.
Prevention: People (trained and alert); Technology (managing systems); Processes (mitigating risks)
Detection & Notification: Network access monitoring; Anomaly detection; Active intrusion monitoring
Recovery & Restoration: Back-up restoration management; Annual compliance testing
HPI Cyber Security & Compliance Service Offerings
There IS a starting and end point to get your company optimized to face the threats and reduce the likelihood of interrupting your business:
Assessment and Risk Benchmarking: Cyber Security Systems and Network Risk Assessment; Cyber Vulnerability Assessment (NERC CVA); Standards-based Audits. Compliance Applicability Assessments; Controls and Policies Reviews; Mock Audits.
Mitigation and Design Services: Security Architecture; Operations Network Security Upgrade; Remediation and Recovery Plans. Compliance Mitigation Plans; Compliance Filings with Govt Agencies; Overall Compliance Program Design.
Implementation and Monitoring: Security System Conversion; Hardware and Software Monitoring; System Restoration. Corp Compliance Program Implementation; Install GRC Software and Configure for Monitoring; Compliance-as-a-Service.
Defense in Depth Focus Areas
HPI subscribes to the Defense in Depth approach of the cyber security professional community.
Defend the network and infrastructure: Backbone network availability; Wireless network security; System interconnections
Defend the computing environment: End-user environment; Application security
Defend the enclave boundary: Network access protection; Remote access; Multi-level security
Bridging the ICS Security Specialization Skill Gap
(Diagram: IT Professionals, Cyber security professionals and Control system professionals overlap to form Control System Cyber Security Professionals.)
Many organizations substitute Information Technology/Network Specialists for Information Security Specialists. Most IT/Network personnel possess few of the security skills needed to harden a network, and even fewer have the capability to secure an ICS network. HPI has cyber security skills in energy industry ICS, the rarest and most sought-after skill set in the industry.
Independent Architect and Audit Services
Need temporary personnel to fill a missing internal link? We can deploy on short notice to help out. Already have an ICS cyber security team, and just need to fill the gaps? HPI has you covered:
Security designs (physical and cyber)
Program implementation assessments
Compliance gap analysis; mock audits and gap closures
Self-reports and mitigation planning
System recovery on short notice
Training and Compliance Monitoring Services
TRAINING SOLUTIONS: Most clients have broad compliance and security programs with prescribed goals that often require training to achieve objectives. HPI has teamed with online training delivery systems and can have your course up and running in weeks.
COMPLIANCE SERVICES: Whether you're in need of frequent determinations or updates on your compliance status, or regulatory due diligence on potential acquisitions, HPI has you covered.
The HPI Differentiator
Why work with us? "HPI customers must be secure so that they can focus on their core business of efficiently producing power to the grid." - Hal Pontez, HPI President & CEO
HPI designs, builds, operates, controls, maintains and repairs power generation facilities; it's in our DNA.
Generic security consultants cannot match our comprehensive understanding of how those areas link together and form an aligned approach.
Unlike vendors that sell newfangled technology solutions or pre-packaged systems, HPI customizes security solutions that significantly reduce risk.
Every area of HPI is completely aligned to the cyber security challenge as the key to protecting our client's assets.
Contact Us
www.hpienergy.com
OFFICE: 713.457.7500
CELL: 512.705.7242
EMAIL: JBALLENTINE@HPI-LLC.COM
https://www.facebook.com/hpillc
@hpienergy
https://www.linkedin.com/company/hpi-llc/