2015 Honeywell Users Group Europe, Middle East and Africa
Continuous Industrial Cyber Risk Mitigation with Managed Services Monitoring and Alerting
Konstantin Rogalas and Arjen van Es, Honeywell
About the Presenter: Arjen van Es
Security Service Center Team leader EMEA/APAC
Arjen.van.Es@Honeywell.com
- 1991-1995 Commissioning engineer, axial/centrifugal compressors
- 1995-1998 Service engineer, modular systems
- 1998-2005 Software support engineer
- 2005-2007 Technical Specialist ICT
- 2007-2009 Process control systems Network Architect
- 2009-2011 Open Systems Services consultant
2015 Honeywell International All Rights Reserved
About the Presenter: Konstantin Rogalas, MSc, MBA
Business Lead for Honeywell Industrial Cyber Security, Europe
Konstantin.Rogalas@Honeywell.com
- 1989-1998 Discrete Automation & Process Control
- 1999-2012 Telecommunications: Broadband, M2M/IoT
- 2013 Oil & Gas, Energy, Pharmaceuticals & Chemicals industry; certification study for ENISA in Industrial Cyber Security
- 2014-2015 ICS Council with policy makers, asset owners and service providers; member of the European ICS Stakeholders Group
Agenda
1. Continuous Monitoring in the Security Profile
2. Obstacles & Managed Security Pros-Cons
3. Monitoring & Alerting with Managed Services
4. Conclusions, Open Discussion
5. About: Honeywell Industrial Cyber Security
ICS Continuous Monitoring: Making the Case
Continuous Monitoring ensures Industrial Control System (ICS) reliability: detection of availability & performance issues to prevent serious degradation.
In the context of Cybersecurity:
- Which ICS Cyber Security controls (technical and non-technical) need to be in place for ICS Continuous Monitoring?
- Where does ICS Continuous Monitoring belong in the Cyber Security Profile?
This section:
- Introduces the Cyber Security Profile and its underlying principles
- Places Continuous Industrial Cyber Risk Readiness in the overall Cyber Security Profile context
- Shows why Continuous Monitoring is at the heart of detecting cyber security anomalies & events, which is vital in order to respond and recover
- Explains why Continuous Monitoring is an essential performance evaluation principle which increases cyber security maturity
Typical security level (figure)
Security levels and security capabilities (figure)
C2M2 Maturity Indicator Levels (figure)
Cyber Security Profile
Grid of 16 security profiles: rows SL1 to SL4 (Security Level), columns MIL0 to MIL3 (Maturity Indicator Level):
- SL4: 13 14 15 16
- SL3: 9 10 11 12
- SL2: 5 6 7 8
- SL1: 1 2 3 4
Facility types positioned on the grid (facility code and name):
- 1001 Refining process facilities
- 1102 O&G LNG terminals
- 1103 O&G processing
- 1104 O&G production - on-shore
- 1105 O&G production - off-shore
- 1108 O&G Marine - LNG IAS
- 1110 Gas To Liquid
- 1112 Production - Coal bed M
- 1114 Pipeline - Liquid
- 1115 Pipeline - Gas
- 1201 Pulp
- 1203 Paper
- 1204 CWS
- 1303 Utility power
- 1401 Fertilizers
- 1403 Petrochemicals
- 1404 Plastics and fibers
- 1405 Specialty chemicals
- 1406 Biofuels
- 1501 Alumina
- 1502 Aluminium
- 1503 Base materials
- 1504 Cement
- 1505 Coal & coal gasification
- 1506 Iron
- 1508 Other
- 1509 Precious metals
- 1510 Steel making
The target Protection Level is determined by the security design effectiveness (Security Level) and the security operations effectiveness (Maturity Level). The IEC 62443 standard provides the Security Level; the Cobit or C2M2 toolkit provides the Maturity Level. The Security Profile defines for each facility how to protect and how to organize.
Sustainable security requires a Program
(Roadmap chart over 16 quarters, Q1 to Q4 across four years, stepping through security profiles SP 1, SP 2, SP 5, SP 6, SP 7, SP 10, SP 11, SP 12, SP 15 and SP 16.)
1. Increase security level with Monitoring/Alerting (in addition to Anti-Virus, Patching)
2. Increase security level with SIEM, NGFW, AWL, Risk Manager
3. Increase maturity level with Activity/Trend reporting (associated Policies)
4. Increase maturity level with an organized Security Operations Center (SOC)
If you run too fast or jump too high, you might trip.
Agenda, section 2: Obstacles & Managed Security Pros-Cons
Obstacles to initial self-monitoring
- Compatibility with DCS: logging agents stress the control system
- Budget for required utilities: developing logging agents; servers, databases, proxy, etc.
- Personnel required for administration: initial implementation & testing of the components above; analysis of events to determine what is critical; investigation of alerts to determine next steps
- Other concerns: training on new technology; different expertise per location
Continuous Monitoring Best Practice
Hire a company to monitor your control systems with minimal setup time and for a fraction of the cost, while fulfilling the following:
- Expertise in Control System Cybersecurity
- Methodology that complies with IEC 62443
- Existing set of passive agents
- Responding to monitored problems
- Serving 100s of sites concurrently
- Follow-the-sun support model
Voice of the Customer
1. For control system performance/availability monitoring, do you have a process and, if yes, which kind?
   - No monitoring process
   - Manual monitoring process
   - Automated monitoring process
2. How satisfied are you with how you currently monitor the security of your control system?
   - Dissatisfied
   - Needs improvement
   - Satisfied
3. Which disadvantages do you see in using Managed Security Services?
   - Capex/Opex investment
   - New internal processes
   - Corporate IT policy issues
Where would your Security Profile be?
Agenda, section 3: Monitoring & Alerting with Managed Services
Key Events to Monitor
- Network Activity Logs: ACL rules, utilization spikes, passwords/strings
- System Audit Logs: unauthorized access, disabling controls, configuration changes
- System Availability/Performance: application health, CPU utilization, hardware errors, overruns
- Administrative Changes: GPO modifications, group additions, enabling USB devices
- Software Update Compliance: aging for virus signatures, security patches, software updates
- Virus Infections
What is monitored
Performance Analyzers for 550+ critical parameters
Performance Monitoring - 1
(Architecture diagram: Level 4 corporate network; Level 3.5 DMZ with firewall, relay server and L3 switch; Level 3 redundant servers, service node, PHD and stations (N nos.); Level 2 Experion servers, ESVT, EST, US and GUS on LCN A / LCN B; Level 1 controllers APM, HPM, AM, PM, CLM, NG, CG, HG.)
Performance parameters legible on the diagram, grouped by node type as far as the layout allows:
- Experion servers: data and notifications rate; FTE driver warnings; performance for CDA, TPS and DSA; state of critical Experion services; current Experion patches installed and patch status; CPU load; availability; redundancy synchronization status and queue state; backup server failed
- Experion stations (EST/ESVT): data and notifications rate; FTE driver warnings; state of critical Experion services; current Experion patches and patch status; CPU load; availability
- TPS nodes (US/GUS): GUS driver warnings; TPS interface average and current parameters per second; interface failure events and alerts; HEAPFRAG; availability; real-time data interface (RDI) state; peer-to-peer traffic
- Controllers (C300 and redundant pairs): cycle overruns; request rate; data storage; I/O link bandwidth; parameter requests; process/system failure events and alerts; controller goes offline; failover of redundant controllers
- PHD: event rate; availability; services
Performance Monitoring - 2
(Same architecture diagram as the previous slide, annotated with hardware, Windows, switch and firewall parameters.)
- PC hardware monitoring: hard disk failures; predictive warnings (HDD); RAID degradation; chassis intrusion; power supply failure; fans; temperature high inside chassis
- Windows performance: applications; memory usage; input/output rates; bandwidth usage; free physical memory; used space (%); availability
- Switches (L2 and L3) performance: memory usage; input/output rates and errors; bandwidth usage; status and configuration of each interface; loss of redundancy; device availability; ping status; response time
- Firewall performance: memory usage; input/output rates and errors; bandwidth usage; load percentage; status and configuration of each interface; availability; ping status; response time
Security Monitoring
(Same architecture diagram, Levels 4 to 1, annotated with security parameters.)
- Patch & Update Management performance: Windows Update information; patch information
- Anti-virus performance: anti-virus warning; anti-virus error; engine; virus scan failure; virus signature database update
- Intrusion Detection performance: unauthorized login attempts; suspicious packet/traffic; ability to recognize patterns typical of attacks; analysis of abnormal activity patterns; tracking of user policy violations
- Windows Security performance: audit policy status; audit policies; audit trail; availability; invalid login attempts; authentication failure; account locked out; password expired; user account expired; unauthorized elevated privileges; password policy; password complexity/strength policy; guest account status
Honeywell Security Service Center (HSSC): Amsterdam, Bucharest, Houston
Managed Industrial Cyber Security Services
- Patch and Anti-Virus Automation: tested and qualified patches for operating systems & DCS software; tested and qualified antimalware signature file updates
- Security and Performance Monitoring: comprehensive system health & cybersecurity monitoring; 24x7 alerting against predefined thresholds
- Activity and Trend Reporting: monthly or quarterly compliance & performance reports; identifying critical issues and chronic problem areas
- Advanced Monitoring and Co-Management: Honeywell Industrial Cyber Security Risk Manager; firewalls, Intrusion Prevention Systems, etc.
- Secure Access: highly secure remote access solution; encrypted, two-factor authentication; complete auditing: reporting & video playback
Monitoring, Reporting and Honeywell Expert Support
Security and Performance Monitoring
Continuous Monitoring
- Agentless monitoring solution for system, network and security performance and health
- Tested to ensure no impact on systems
- Automated monitoring of critical ICS, network, Windows(TM) and security parameters
- Intelligent analysis based on Honeywell engineering & expertise
Alerts / Situational Awareness
- 24/7 automated, proactive alerting for all monitored devices
- Equipment- and device-specific thresholds
- Managed Security Service Center automatically generates an alert email or SMS text to the site-specified contact
- Alert messages may include attached troubleshooting techniques
Activity and Trend Reporting
Trend Analysis Complements Alerts
- Ability to catch degrading conditions
- Captures & reports frequency of intermittent issues
Critical Parameter Reports: actionable reports of critical system & network information plus security issues
- Out-of-date installation status for anti-malware signatures & Windows(TM) patches
- Inventory of all detected networked equipment
- Key source of data for compliance documentation
Bi-Annual and/or Quarterly Reports
- Comprehensive, detailed reports including long-term trends, plus expert analysis
Audit
- Audit capability including access to session recordings
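As an added example (not Honeywell code, and not the service's actual logic), threshold-based alerting of the kind the Key Events to Monitor, Security and Performance Monitoring and Activity and Trend Reporting slides describe, run over constructed status and audit records; host names, record fields and threshold values are assumptions:

```python
# Added example: device-specific threshold alerting over constructed ICS
# monitoring records. Not Honeywell code; all names and values are assumed.
from collections import Counter
from datetime import datetime

# Equipment/device-specific thresholds (assumed): a shared terminal server
# tolerates more failed logons than a single operator station.
THRESHOLDS = {
    "default":   {"failed_logons": 5,  "av_sig_age_days": 3, "patch_age_days": 30},
    "TERMSRV01": {"failed_logons": 20, "av_sig_age_days": 3, "patch_age_days": 30},
    "EST01":     {"failed_logons": 3,  "av_sig_age_days": 2, "patch_age_days": 30},
}

# Constructed sample data (not captured from any real site).
STATUS = [  # software update compliance snapshot per host
    {"host": "EST01",     "av_sig_date": "2015-06-10", "last_patch": "2015-05-30"},
    {"host": "TERMSRV01", "av_sig_date": "2015-06-13", "last_patch": "2015-04-01"},
]
EVENTS = (  # system audit log and administrative change events
    [{"host": "EST01", "type": "failed_logon", "user": "operator"}] * 4
    + [{"host": "TERMSRV01", "type": "failed_logon", "user": "svc_hist"}] * 6
    + [{"host": "EST01", "type": "group_add", "group": "Administrators", "user": "jdoe"}]
)
PRIVILEGED_GROUPS = ("Administrators", "Domain Admins")

def thresholds_for(host):
    """Device-specific thresholds, falling back to the defaults per key."""
    return {**THRESHOLDS["default"], **THRESHOLDS.get(host, {})}

def days_old(date_str, now):
    return (now - datetime.strptime(date_str, "%Y-%m-%d")).days

def evaluate(status, events, now):
    """Return a list of (host, severity, message) alerts."""
    alerts = []
    # Software update compliance: aging of AV signatures and security patches
    for s in status:
        t = thresholds_for(s["host"])
        if days_old(s["av_sig_date"], now) > t["av_sig_age_days"]:
            alerts.append((s["host"], "warning", "anti-virus signatures out of date"))
        if days_old(s["last_patch"], now) > t["patch_age_days"]:
            alerts.append((s["host"], "warning", "security patches out of date"))
    # System audit logs: failed logons counted per host against its own threshold
    failed = Counter(e["host"] for e in events if e["type"] == "failed_logon")
    for host, n in failed.items():
        if n >= thresholds_for(host)["failed_logons"]:
            alerts.append((host, "critical", f"{n} failed logon attempts"))
    # Administrative changes: every addition to a privileged group is alerted
    for e in events:
        if e["type"] == "group_add" and e["group"] in PRIVILEGED_GROUPS:
            alerts.append((e["host"], "critical", f"{e['user']} added to {e['group']}"))
    return alerts

def run_sample(now_str="2015-06-15"):
    """Evaluate the constructed records at a fixed 'now' so the run is deterministic."""
    return evaluate(STATUS, EVENTS, datetime.strptime(now_str, "%Y-%m-%d"))

if __name__ == "__main__":
    for host, severity, message in run_sample():
        print(f"[{severity.upper()}] {host}: {message}")
```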
Managed Industrial Cyber Security Services: connection architecture
(Diagram: Industrial Site, Internet, Security Service Center; data flows labelled "Get updates", "Collect monitoring data" and "Send data".)
- Level 4: Corporate network, Proxy Server
- Level 3.5 (DMZ): eServer, Terminal Server, Relay Node. The relay node isolates the ICS/PCN and ensures there is no direct communication between L3 and L4.
- Level 3: Communication Server, Application Servers, Database Servers, Service Node (anti-malware, patch management, monitoring, secure access). The service node restricts unauthorized ICS/PCN nodes from sending or receiving data; its communication is SSL encrypted and connects to the Honeywell Security Service Center ONLY.
- Level 2: EST/ESF, 3rd party historian, Domain Controller, ACE, Experion Servers
- Level 1: controllers
EMEA Managed Security Service Center
(Map of EMEA sites with SSC and support team locations marked.)
SSC EMEA support locations: Amsterdam, The Netherlands; Bucharest, Romania
Sites: 203; Protection Management: 147; Monitoring: 112
Countries and regions with sites on the map: Estonia, Norway, Finland, Sweden, Egypt, Kuwait, Saudi Arabia, Abu Dhabi, Oman, North Sea, Poland, United Kingdom, Cameroon, Belgium, France, Switzerland, Germany, Austria, Slovakia, Zambia, Romania, Namibia, Italy, South Africa, Portugal, Spain, Tunisia
Agenda, section 4: Conclusions, Open Discussion
Cyber Security Profile
Grid of 16 security profiles: rows SL1 to SL4 (Security Level), columns MIL0 to MIL3 (Maturity Indicator Level):
- SL4: 13 14 15 16
- SL3: 9 10 11 12
- SL2: 5 6 7 8
- SL1: 1 2 3 4
Manageability requires a S.M.A.R.T. and holistic approach
Security solutions
Same 16-profile grid (SL1 to SL4 by MIL0 to MIL3), with the SOC placed at the SL4 level:
- SL4: 13 14 15 16 (SOC)
- SL3: 9 10 11 12
- SL2: 5 6 7 8
- SL1: 1 2 3 4
Manageability requires a S.M.A.R.T. and holistic approach
Industry-Leading Industrial Cyber Security
Industrial Cyber Security Experts
- Global team of certified Industrial Cyber Security experts
- 100% dedicated to Industrial Cyber Security
- Experts in process control cyber security
- Leaders in security standards: ISA99 / IEC62443 / NIST
Proven Experience
- 10+ years industrial cyber security
- 1,000+ successful industrial cyber projects
- 300+ managed industrial cyber security sites
- Proprietary cyber security methodologies and tools
Investment and Innovation
- Largest R&D investment in industrial cyber security
- Partnerships with leading cyber security vendors
- Industry-first Risk Manager
- First to obtain ISASecure security certification for an ICS product
- State-of-the-art Industrial Cyber Security Solutions Lab
Industries: Refining & Petrochemical, Oil & Gas, Chemicals, Power Generation, Metals & Mining, Pulp & Paper
Proven Industrial Cyber Security Solution Provider
This is what we do: Open Discussion
Agenda, section 5: About: Honeywell Industrial Cyber Security
Leading Cyber Security Organization for ICS
Honeywell ICS
Global setup to serve global organizations as well as local asset owners
(World map with locations: Edmonton, Vancouver, Montreal, Houston, Atlanta, Santiago, Bracknell, Aberdeen, Amsterdam, Offenbach, Bucharest, Dubai, Kuala Lumpur, Perth. Legend: SSC + HICS; HICS Office; Private LSS; SSC; HICS Resource(s).)
Industries served: Oil & gas, Gas distribution, Power, Refineries, Chemical, Water treatment, Pulp & paper, Maritime
Honeywell's Industrial Cyber Security Lab
- Flexible model of a complete process control network up to the corporate network
- Honeywell Cyber Security solutions development and test bed
- Demonstration lab for customers
- Cyber security related academic programs
- Hands-on training
- Simulate cyber attacks
- Demonstrate Honeywell cyber security solutions
Typical systems H-ICS have secured
- Distributed Control Systems, e.g. Chemical, Petrochemical, Refining, Offshore platforms
- Leak Detection Systems, Machine Monitoring Systems, Metering Systems, Compressor Control Systems
- Supervisory Control and Data Acquisition (SCADA) systems, e.g. Gas Distribution, Power utilities, Pipelines, oil fields
- Distributed Energy Systems, e.g. Wind turbines, hydropower
- Maritime systems, e.g. Harbor systems, shipping
Driven by standards and regulations
- IEC 62443 (formerly ISA 99): Industrial Automation Control Systems (IACS) Security; global standard for a wide range of industries; Honeywell ICS is an active contributor to the development of the standard through ISA
- NERC CIP: North American Power
- ANSSI, BSI, CPNI, MSB, etc.: European guidelines, best practices and country-specific measures
- JRC & ENISA recommendations: European Union
- NIST: US technology standards (SP 800-82)
- Others: ISO, API, OLF, e.g. ISO 27000, API 1164, OLF 104
- Local regulations
Honeywell ICS specialists background
Unique combination of long-time experience in process control, networks and cyber security
Gain knowledge, demonstrate knowledge and maintain knowledge:
- CISSP, CISM, CRISC
- CCNA, CCNP, CCIE
- MCSE, MCSA
- CEH
- VCP
- CCSP
Specialists with many backgrounds:
- Honeywell, Yokogawa, Emerson, Schneider, ABB
- Penetration testing
- IT departments
- Telecom providers
- 14+ languages
WWW.BECYBERSECURE.COM