Decrease your HMI/SCADA risk



Similar documents
Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Symphony Plus Cyber security for the power and water industries

CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric

Document ID. Cyber security for substation automation products and systems

Industrial Security for Process Automation

Industrial Security Solutions

Security Controls for the Autodesk 360 Managed Services

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Network Security Guidelines. e-governance

Compliance series Guide to meeting requirements of the UK Government Cyber Essentials Scheme

CYBER SECURITY. Is your Industrial Control System prepared?

BM482E Introduction to Computer Security

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

GE Measurement & Control. Cyber Security for Industrial Controls

BMC s Security Strategy for ITSM in the SaaS Environment

Securing the Service Desk in the Cloud

Security for. Industrial. Automation. Considering the PROFINET Security Guideline

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Dr. György Kálmán

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

GE Measurement & Control. Cyber Security for NEI 08-09

Industrial Cyber Security. Complete Solutions to Protect Availability, Safety and Reliability of Industrial Facilities

SCADA Cyber Security

Protecting productivity with Plant Security Services

Verve Security Center

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Information Security Policy

DeltaV System Cyber-Security

White Paper. BD Assurity Linc Software Security. Overview

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

IT Security and OT Security. Understanding the Challenges

An integrated view of your operations

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

InTouch Access Anywhere

Overview. Edvantage Security

PCI Requirements Coverage Summary Table

8 Steps for Network Security Protection

8 Steps For Network Security Protection

Security in the smart grid

Mitigating Information Security Risks of Virtualization Technologies

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Best Practices for DanPac Express Cyber Security

Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, CASE: Implementation of Cyber Security for Yara Glomfjord

Computer System Security Updates

NERC CIP Ports & Services. Part 2: Complying With NERC CIP Documentation Requirements

Keyfort Cloud Services (KCS)

CITY UNIVERSITY OF HONG KONG Network and Platform Security Standard

Release Version 4.1 The 2X Software Server Based Computing Guide

SCADA SYSTEMS AND SECURITY WHITEPAPER

INTRUSION DETECTION SYSTEMS and Network Security

Securely Architecting the Internal Cloud. Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc.

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Cyber Essentials KAMI VANIEA 2

Solution Recipe: Improve PC Security and Reliability with Intel Virtualization Technology

The Internet of Things (IoT) and Industrial Networks. Guy Denis Rockwell Automation Alliance Manager Europe 2015

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

Secondary DMZ: DMZ (2)

Host Hardening. OS Vulnerability test. CERT Report on systems vulnerabilities. (March 21, 2011)

Security Best Practice

Supplier Information Security Addendum for GE Restricted Data

Proven LANDesk Solutions

March

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

The Business Case Migration to Windows Server 2012 R2 with Lenovo Servers

Retention & Destruction

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy

The Essential Security Checklist. for Enterprise Endpoint Backup

OPC & Security Agenda

2X SecureRemoteDesktop. Version 1.1

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection. September 2011

ABB Automation Days, Madrid, May 25 th and 26 th, Patrik Boo What do you need to know about cyber security?

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

Achieving PCI-Compliance through Cyberoam

Best Practices For Department Server and Enterprise System Checklist

This is a preview - click here to buy the full publication

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Agenda. Cyber Security: Potential Threats Impacting Organizations 1/6/2015. January 10, 2015 Scott Petree

Release Version 3 The 2X Software Server Based Computing Guide

GoodData Corporation Security White Paper

Best Practices for DeltaV Cyber- Security

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured!

Designing a security policy to protect your automation solution

How To Secure Your System From Cyber Attacks

F G F O A A N N U A L C O N F E R E N C E

GE Measurement & Control. Cyber Security for NERC CIP Compliance

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

CONTROL SYSTEM VENDOR CYBER SECURITY TRENDS INTERIM REPORT

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Transcription:

Decrease your HMI/SCADA risk Key steps to minimize unplanned downtime and protect your organization. Are you running your plant operations with serious risk? Most industrial applications lack recommended updates and security patches, which make them a target for hackers. Outdated architectures, backups and spares can also create problems. With the number of attacks on industrial applications rising and the critical need for plant system availability, take simple steps now to minimize risk. You can decrease unplanned downtime while helping to protect your organization. Here s how Check the expiration date Software doesn t usually come with an expiration date. But, the expiration date on your operating system might have already passed. If you re using Windows XP, that expiration date was April 8, 2014 the date that Microsoft stopped supporting XP. Don t use software that is no longer supported by the manufacturer; you could be running with serious risk every day. Our business environment today is constantly changing make sure your software is keeping up. In addition to your OS, make sure your other software packages are still supported. Were any of the vendors acquired? Do the new companies still support those software packages?

GE Intelligent Platforms Schedule HMI/SCADA risk assessments and reviews Minimizing risk isn t a one-time or once-ayear activity. With serious threats on the rise, you need to incorporate risk assessments and reviews into your schedule. The frequency of your risk assessments depends on your particular business, industry and plant applications. Start with a conservative, high-frequency schedule and you can always increase the time between assessments, as needed. Assign a champion to minimize risk in your plant operations to drive leadership and consistency to the program. 10 sample questions for each review 1. Are you using obsolete software (Windows XP or other)? 2. Are you running your application with non-default / non-administrator accounts with low privileges? Have you removed ADMIN and GUEST default accounts, using a separate administrator account? 3. Where are the points of entry/failure? 4. Are you properly isolating (DMZ) servers from untrusted network access? 5. Is your system missing any security patches? Are you using the most up-to-date version of your software? 6. Are you managing Bring Your Own Device (BYOD) securely? 7. Do you have spare parts, and when were they last tested? 8. Have you put additional controls in place to protect the HMI/SCADA security files from unauthorized change? 9. Have you changed the default password for Trusted Network Computing? 10. Do you have an up-to-date backup plan in place?

Upgrade, the right way If you do have outdated software in your plant operations, make a plan now to upgrade the right way. Rethink your HMI/SCADA strategy securely. Some HMI/SCADA users haven t updated their systems in 10 years or more. Don t just upgrade. Review your system with experts and use an upgrade as an opportunity to assess and modernize. Consider technologies that will make the life of your Plant & IT personnel easier. For example: 6 Can existing XP machines be converted into thin clients or virtualized? 6 Can critical applications be migrated to a server-based machine? 6 Time to rethink your app strategy. How many applications are you running that could be consolidated? 6 What applications can you leverage to turn your installation into a web-enabled one? Have you looked into GE Webspace and GE Cimplicity? 6 What applications are available now that can extend the functionality of your HMI/SCADA? Consider new levels of efficiency by adding simple analytics, task management, alarm response management, and more. 6 How are you storing and analyzing your data to improve operations? It might be time to look into a plant-wide Historian. 4 steps to include in your upgrade plan 6 Check and limit users rights 6 Update / install the latest anti-virus software 6 Create a controlled zone around your machines place them behind a firewall 6 Make sure you have installed all of the latest service packs Don t wait for unplanned downtime or a disaster. Take action now.

Put rigor around security Confidentiality General IT Highest Priority Industrial Control System Availabilty Integrity Integrity Availabilty Lowest Priority Confidentiality Source: Cyber Security Assessments of Industrial Control Systems, CNPI / US Homeland Security, Nov 2010. The priority for plant systems has historically been availability. Plant operations simply must keep running in order to achieve organizational success. However, plant operations teams need to include cyber security as a high priority and implement best practices to minimize vulnerabilities. Security is the process of maintaining the confidentiality, integrity, and availability of a system: 6 Confidentiality: Ensure only the people you want to see information can see it. 6 Integrity: Ensure the data is what it is supposed to be. 6 Availability: Ensure the system or data is available for use. General IT goals and industrial control systems goals have historically differed. Make sure you review your goals and adjust as necessary, with consideration for the increase in industrial security threats and requirements for data protection and privacy.

Attack Targets Web Server DMZ Public VPN SCADA Server SCADA Server Firewall Web Server Router Assess your current HMI/SCADA system, preferably with an outside expert, and develop a plan to reduce risk. You can identify common vulnerabilities and take action before a disaster.

Leverage standards and best practices A wealth of current information exists about how to reduce risk in HMI/SCADA systems. Your software vendors have the best information regarding your particular applications. Reach out to them for their advice and best practices. Read your software manuals and follow the instructions, especially concerning networks/connectivity and user accounts/ privileges. For example, if a manual recommends that you disable or remove a certain account after installing an I/O driver, then don t forget to do it. Also, tap into the many industry associations. Learn about new standards and implement the parts that fit your situation. Not every standard or even all sections of a standard will work for you, but you can use the standards as a framework and add to them. Check into ISA, MESA and other plant systems organizations for more information and learning opportunities during the year. Government agencies, such as the U.S. Department of Homeland Security, National Institute of Standards and Technology (NIST), and U.S. Department of Energy, have valuable information which applies to almost every SCADA user. Additionally, some industries such as water and power have entities such as the North American Electric Reliability Corp. (NERC), which provide information on HMI/SCADA risk reduction and security.

HMI/SCADA Security - Best practices example Patch management System hardening Host-based protection HMI/SCADA configuration 6 Define a risk-based patching policy & procedure 6 Apply the latest Microsoft security patches 6 Ensure coverage for all layers and assets (OS, DB, etc.) 6 Disable unnecessary ports, services, accounts & shares 6 Define secure configuration standards for all asset types 6 Consider restricting the use of untrusted USB media 6 Install anti-virus software on control systems PCs 6 Keep anti-virus definitions up-to-date 6 Consider HIPS/HIDS or application white-listing solutions 6 Deploy in a DMZ architecture configuration 6 Install application using a least-privileged user account 6 Disable or remove default accounts 6 Configure applications to require user authentication 6 Configure applications to use SSL or encrypted communication 6 Limit access to functions at all levels: - By role: only give to the users access to what they really need - By server - By runtime/development - By asset/device 6 Implement e-signature for complete regulatory and procedural compliance

Remote Site 1 DMZ Smart with secure-by-design innovation Remote Site 2 Remote Site 1000x Firewall Agent Manager The good news is that HMI/SCADA software designs can inherently minimize some vulnerability to risk. Fundamental engineering principles mandate safe and reliable systems. Additionally, new secure-by-design innovation takes traditional practices to a higher level. As an example, GE s Agent provides an encrypted and authenticated channel to forward monitoring and diagnostic data from remote agents to a central repository over an intranet or the internet, replacing the need for dedicated VPN connections. This secure-by-design technology also delivers functionality to send files and/or create RDP sessions from the GE Agent Enterprise Server to GE Agents over the established connection. External/Remote Data Sources GE Agent can be used to create trusted encrypted remote connections over the internet using standard ports. Controls Network Firewall DMZ Agent Manager Internal Data Sources GE Agent can be used to create trusted connections between networks internally to build a layered defense solution.

Summary Minimizing risk is, and always will be, a top priority for GE Intelligent Platforms and should be a top priority for every HMI/SCADA user. Take advantage of standards, best practices and information sharing. GE works with customers, industry working groups and standards bodies, government agencies, and the security research community to continually improve industrial automation and control systems and global infrastructures. Plan a risk assessment program for your organization and stick with it. Simple steps, such as upgrading unsupported software and limiting user rights, can make a big difference. There are many ways to reduce risk, but it is important to take the steps now before unplanned downtime or a disaster occur.

Useful links GE www.ge.com/digital www.ge.com/digital Microsoft http://www.microsoft.com/en-us/windows/ enterprise/endofsupport.aspx http://windows.microsoft.com/eos Need help with minimizing HMI/SCADA risk? Contact GE for complimentary risk assessment tools and information. www.ge.com/digital Associations / Government Agencies ISA MESA U.S. Department of Homeland Security National Institute of Standards & Technology U.S. Department of Energy North American Electric Reliability Corp EU CSS European Union Network and Information Security Agency About GE GE (NYSE: GE) is the world s Digital Industrial Company, transforming industry with software-defined machines and solutions that are connected, responsive and predictive. GE is organized around a global exchange of knowledge, the "GE Store," through which each business shares and accesses the same technology, markets, structure and intellect. Each invention further fuels innovation and application across our industrial sectors. With people, services, technology and scale, GE delivers better outcomes for customers by speaking the language of industry. www.ge.com Contact information Americas: 1-855-YOUR1GE (1-855-968-7143) gedigital@ge.com www.ge.com/digital 2015 General Electric. All rights reserved. *Trademark of General Electric. All other brands or names are property of their respective holders. Specifications are subject to change without notice.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information