CYBER SECURITY: Is your Industrial Control System prepared?
Presenter: Warwick Black, Security Architect SCADA & MES, Schneider-Electric


Challenges
What challenges are there for Cyber Security in Industrial Control Systems (ICS)?

ICS Challenges
- Control Systems control real-world processes:
  - Manufacturing / Material Processing
  - Critical Infrastructure: Power, Water, Transport, Communications
- Speed, Reliability, Connectivity, Availability: the focus is on performance, not Security
- Plants run 24/7 with as little downtime as possible

Control System Lifecycle: 1950 to 2010
[slide image: North Side Treatment Plant, http://endangereddurham.blogspot.com.au/2011/02/north-side-treatment-plant.html]

Legacy Systems & thinking
- Security by Obscurity: proprietary protocols & bespoke operating systems, one-off applications, specific knowledge required
- Isolated Networks: a perimeter Firewall is the only defence
- IT stops at the Firewall; beyond it is the Control Engineer's domain

Consequences
IT Systems:
- Defacing of website
- Damage to computer systems
- Loss of consumer personal information
- Loss of intellectual property
- Financial loss
Control Systems:
- Loss in productivity / downtime
- Damaged hardware
- Loss/theft of information or intellectual property
- Environmental incident
- Loss of licence to operate
- Personal injury or death
- Crippled Critical Infrastructure

So what's changed? Why is Cyber Security for ICSs only an issue now?

STUXNET
- Advanced worm, first publicly reported July 2010
- Targeted Siemens PCS 7, S7 PLC and WinCC systems
- Infected at least 22 manufacturing sites worldwide, including its supposed target, Iran's nuclear program
- Unprecedented level of sophistication
- Gained media, industry, government and hacking community attention
- Stuxnet samples are publicly available and have been reverse-engineered, so the code can be modified and its techniques reused

Not so obscure anymore
- Cyber Security is the current hot topic, but previously it has all been about Standardisation, Openness, Connectivity, Ethernet Everywhere and Smart Devices / Instruments
- Control Networks are not isolated
- Often the only Security is a perimeter firewall

Standardisation: operating systems in new ICS sales, 2012 (sales data from 23 ICS vendors)

Operating system   Share of new ICS sales
Windows 7          35.0%
Windows XP         20.7%
Windows CE         19.7%
Server 2008        13.8%
Server 2003         9.0%
Vista               1.2%
Other               0.6%

- 99.4% Windows
- ~50% of new orders were for obsolete OSes already in Extended Support

Vulnerabilities, Exploits and Zero Days
- Software Vulnerability: a flaw or weakness in code that could be exploited by a malicious program or user
- Exploit: working code that makes use of a vulnerability
  - Client-Side Exploit: the victim's own application (browser, plugin, document viewer) processes attacker-supplied content
  - Remote Exploit: the attacker reaches a network-exposed service directly
- Zero-Day Exploit: an exploit for which there is no patch; the vendor has had zero days to respond

Drive-By Exploit
- A legitimate website is compromised and malicious code uploaded to attack its visitors
- #1 threat trend for Critical Infrastructure (ENISA, European Network and Information Security Agency, 28/09/12)
- Feb 2013: an iOS app developer forum (www.iphonedevsdk.com) was used to deploy zero-day Java exploit code
- Microsoft, Apple, Facebook and Twitter have all reported that they had corporate PCs compromised
  http://blogs.technet.com/b/msrc/archive/2013/02/22/recent-cyberattacks.aspx
  http://arstechnica.com/security/2013/02/microsoft-joins-apple-facebook-and-twitter-comes-out-as-hack-victim/

Hacking tools & knowledge
- Easily accessible information: YouTube, forums etc.
- Highly developed tools available: penetration platforms / frameworks with standardised common functionality and regular updates for all newly published exploit code
- SCADA+ (commercial exploit pack of SCADA exploits)

ShodanHQ.com: the hardware search engine
- If your site / device is internet connected, it is indexed.

Java Vulnerabilities
- Multi-platform: 3 billion devices run Java (Windows, Linux, Mac)
- Patches for 55 security vulnerabilities already in 2013; vulnerability announcements are almost a weekly occurrence
- From an audit on 25th March 2013:
  - 75% of users run a version more than 6 months old
  - 93.77% of Java users were still vulnerable to CVE-2013-1493, 2 months after it had been reported and 20 days after a patch was released
  - Affected versions: Java 7 Update 15 and earlier, Java 6 Update 41 and earlier
  http://community.websense.com/blogs/securitylabs/archive/2013/03/22/how-are-java-attacks-getting-through.aspx

Demo: Java Exploit
Recorded version here: http://youtu.be/de3mzif3bsi
[slide diagram: three VMs. VM1 HACKER (202.73.145.222) on the INTERNET side; VM2 gateway (202.73.145.100 external, 10.0.0.1 internal); VM3 VICTIM (10.0.0.10)]

Defence in Depth: mitigating the risks

Cyber Security Strategy
- There is no magic bullet
- Proper Cyber Security is a Defence in Depth strategy, consisting of:
  - Secure Products
  - Secure Architectures
  - Security Policies & Employees

Secure Products

Secure Products: Secure by Design
- Security features: access control, security configuration
- Securely coded / developed products: Wurldtech's Achilles Certification, ISASecure Certification
- New Cyber Security Certification Centre: Achilles Certified Lab in North Andover (Boston)
  - Constantly assessing our existing products
  - Involved from development for new products

Secure Products: Secure Implementation
- Device hardening applies to all cyber assets: PCs; PLCs / PACs, HMI panels; switches, routers; smart instruments, legacy field devices
- Enable and configure the provided security features:
  - Non-default, strong passwords
  - Configure access control

Secure Products: Secure Implementation (continued)
- Disable unused functionality:
  - Unused embedded web portals
  - Unnecessary plugins: Flash, Java etc.
  - USB ports
  - Unused ports on switches
- Keep firmware up to date:
  - Place higher priority on security updates
  - Use downtime periods to apply and test other major upgrades

Industrial Firewalls

Secure Products: Industrial Firewalls
- ConneXium Industrial Firewall (TCSEFEC)
- ConneXium Tofino Industrial Firewall (TCSEFEA)

ConneXium Industrial Firewall (TCSEFEC)
- 3 modes of operation: Router (Layer 3); Switch / Transparent (Layer 2); PPPoE (Point-to-Point Protocol over Ethernet)
- Packet filtering firewall rules
- Denial of Service protection
- VPN
- Built for industrial conditions: DIN rail, 0 to 60 °C operating temperature, MTBF of 50+ years, configurable alarm relay contact, copper & fibre variants
- Redundancy: dual power supply (12 to 48 VDC or 24 VAC); VRRP, Virtual Router Redundancy Protocol (Layer 3)

ConneXium Tofino Firewall (TCSEFEA)
- Industrial firewall, plus additional features
- Modbus Enforcer: deep packet inspection for Modbus
  - Can block traffic based on function codes, register or coil addresses, station ID number, and non-standard Modbus traffic
  - 1000 packets per second with full content inspection
  - Ideal for protection of legacy Modbus devices
- Event Logger

ConneXium Tofino Firewall (TCSEFEA)
- Preconfigured firewall templates for Schneider hardware
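The four Modbus Enforcer checks on the previous slide (function code, register/coil address range, station ID, non-standard traffic) amount to a small deep-packet-inspection rule engine sitting in front of a PLC. The Python below is an added example written for this page, not Schneider or Tofino code; the source addresses (192.0.2.x), the per-source rules, the register windows and the sample frames are all constructed for illustration. It parses the Modbus/TCP MBAP header and PDU, rejects anything malformed as "non-standard", then applies a default-deny policy: an HMI may only read, an engineering workstation may also write but only within an approved register window, and only to the approved unit (station) ID.

```python
"""Minimal Modbus/TCP deep-packet-inspection filter (added example, constructed data).

MBAP header (7 bytes): transaction id (2), protocol id (2, must be 0),
length (2, counts unit id + PDU), unit id (1). PDU: function code (1) + data.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

READ_FCS = frozenset({1, 2, 3, 4})        # read coils / discretes / holding / input regs
WRITE_FCS = frozenset({5, 6, 15, 16})     # write single / multiple coil / register
ADDRESSED_FCS = READ_FCS | WRITE_FCS      # requests that start with a 16-bit address


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(raw: bytes) -> ModbusFrame:
    """Parse MBAP + PDU; raise ValueError on anything that is not well-formed Modbus/TCP."""
    if len(raw) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", raw[:8])
    if pid != 0:
        raise ValueError(f"protocol id {pid} != 0")
    if length != len(raw) - 6:                # length field must match bytes actually present
        raise ValueError(f"MBAP length {length} != {len(raw) - 6} bytes present")
    if fc == 0 or fc > 127:                   # 0x80+ are exception responses, never requests
        raise ValueError(f"function code {fc} is not a valid request")
    return ModbusFrame(tid, uid, fc, raw[8:])


def address_range(frame: ModbusFrame) -> Optional[Tuple[int, int]]:
    """(start, count) for address-bearing requests; None if not applicable or truncated."""
    if frame.function_code not in ADDRESSED_FCS or len(frame.data) < 4:
        return None
    start, second = struct.unpack(">HH", frame.data[:4])
    count = 1 if frame.function_code in (5, 6) else second   # single writes carry a value, not a count
    return start, count


@dataclass(frozen=True)
class Rule:
    allowed_fcs: frozenset
    allowed_units: frozenset
    reg_window: Tuple[int, int]               # inclusive address window this source may touch


# Constructed policy: HMI is read-only; engineering workstation may write to regs 0..199.
RULES: Dict[str, Rule] = {
    "192.0.2.10": Rule(READ_FCS, frozenset({1}), (0, 99)),
    "192.0.2.20": Rule(READ_FCS | WRITE_FCS, frozenset({1}), (0, 199)),
}


def enforce(src_ip: str, raw: bytes, rules: Dict[str, Rule] = RULES) -> Tuple[str, str]:
    """Return ('ALLOW' | 'DROP', reason) for one request frame from src_ip."""
    try:
        frame = parse_modbus_tcp(raw)
    except ValueError as exc:
        return "DROP", f"non-standard Modbus: {exc}"
    rule = rules.get(src_ip)
    if rule is None:
        return "DROP", f"no rule for source {src_ip} (default deny)"
    if frame.function_code not in rule.allowed_fcs:
        return "DROP", f"function code {frame.function_code} not permitted for {src_ip}"
    if frame.unit_id not in rule.allowed_units:
        return "DROP", f"unit id {frame.unit_id} not permitted for {src_ip}"
    rng = address_range(frame)
    if frame.function_code in ADDRESSED_FCS and rng is None:
        return "DROP", "non-standard Modbus: truncated PDU"
    if rng is not None:
        start, count = rng
        lo, hi = rule.reg_window
        if start < lo or start + count - 1 > hi:
            return "DROP", f"registers {start}..{start + count - 1} outside window {lo}..{hi}"
    return "ALLOW", f"fc {frame.function_code} unit {frame.unit_id}"


def build_request(unit: int, fc: int, start: int, qty_or_value: int, tid: int = 1) -> bytes:
    """Build a well-formed request frame (constructed test traffic)."""
    data = struct.pack(">HH", start, qty_or_value)
    if fc in (15, 16):                        # multi-writes also carry byte count + values
        nbytes = (qty_or_value + 7) // 8 if fc == 15 else qty_or_value * 2
        data += bytes([nbytes]) + bytes(nbytes)
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    samples = [
        ("192.0.2.10", build_request(1, 3, 0, 10)),      # HMI reads 10 holding regs
        ("192.0.2.10", build_request(1, 6, 5, 100)),     # HMI tries a write
        ("192.0.2.20", build_request(1, 16, 190, 20)),   # write runs past the window
        ("192.0.2.20", build_request(7, 6, 5, 100)),     # wrong station id
        ("192.0.2.10", b"\x00\x01\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),  # protocol id 1
    ]
    for src, frame in samples:
        print(src, *enforce(src, frame))
```

The length check is what catches most "non-standard Modbus": scanners and fuzzers routinely send frames whose MBAP length disagrees with the bytes on the wire. Note that a real enforcer also has to track the TCP stream so that a request split across segments is reassembled before these checks run.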

Secure Architectures

Secure Architecture
- Multiple levels of defence: network separation; perimeter protection; control network segmentation
[slide diagram: ENTERPRISE ZONE (Business Servers, Business Workstations); DMZ; OPERATION ZONE (Historian, SCADA Client Terminal Server, SCADA Server, SCADA Clients, Unity Workstation); segmented control networks CTRL 1, CTRL 2, SAFETY, CTRL 3 (Legacy / 3rd Party)]

Security Policies & Employees

Security Policies
- Established, maintained and enforced by a cross-discipline team
- Full asset audit / diagram / documentation
- Establish the baseline minimal configuration
- Risk assessment
- Ownership / responsibilities
- Consider:
  - Access control (physical) / privileges / password policies
  - Patch / upgrade management
  - Change management
  - Backup / recovery plans and procedures
  - Incident response / forensics

Incident Handling
How would you handle an incident at your facility?
- Wipe and restore affected assets?
- Take the plant offline and await forensic analysis?
- Contact law enforcement?
- Contact industrial authorities / regulators?
- Inform customers about potential data loss/leak?
Establish the risks and responses for your site now.

Employees
- Assign ownership & responsibilities
- Maintain & enforce Security Policies
- Monitor network & security logs
- Provide training: awareness of social engineering & other security risks; Security Policies; incident detection and handling

Patch Management
- Have a plan for patching: auto-update isn't safe or practical for ICS
- Assess the impact of the patch, test, deploy
- Prioritise patches based on risk
- Deploy compensating measures until patches can be deployed:
  - Disable a vulnerable interface until patched
  - Modify firewalls
  - Deploy IDS rules to detect / block known attacks

Complementary Technology
- Host-based Anti-Virus / Application Control: traditionally using virus signatures; whitelisting would work better for ICS servers (block all, allow only approved programs)
- VPN with two-factor authentication
- IDS / IPS systems: HIDS / HIPS (host-based); NIDS / NIPS (network-based)
- SIEM: centralise logs
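The "block all, allow only approved programs" model above works for ICS servers because their software set is small and rarely changes. The Python below is an added example written for this page, not a Schneider product or any real application-control agent: it snapshots SHA-256 hashes of approved binaries on a known-good server and then answers, for each execution request, whether the program is both on the list and unchanged since the baseline. The file names and contents in the demo are constructed.

```python
"""Hash-based application allowlisting, default deny (added example, constructed data)."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Tuple


def sha256_file(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(approved: Iterable[os.PathLike]) -> Dict[str, str]:
    """Baseline taken once, on a freshly built server: absolute path -> SHA-256."""
    return {str(Path(p).resolve()): sha256_file(str(p)) for p in approved}


def check_execution(path: os.PathLike, allowlist: Dict[str, str]) -> Tuple[str, str]:
    """('ALLOW' | 'BLOCK', reason). Unknown or modified programs are blocked."""
    resolved = str(Path(path).resolve())
    if resolved not in allowlist:
        return "BLOCK", "not on allowlist"
    if not os.path.exists(resolved):
        return "BLOCK", "approved path missing"
    if sha256_file(resolved) != allowlist[resolved]:
        return "BLOCK", "hash mismatch (binary modified since baseline)"
    return "ALLOW", "approved and unchanged"


def demo() -> Dict[str, str]:
    """Constructed scenario: two approved binaries, one later tampered, plus an unapproved dropper."""
    with tempfile.TemporaryDirectory() as tmp:
        scada = Path(tmp, "scada_server.exe")
        scada.write_bytes(b"SCADA server build 4.2")
        historian = Path(tmp, "historian.exe")
        historian.write_bytes(b"historian build 1.0")
        allowlist = build_allowlist([scada, historian])   # baseline while the box is clean

        results = {"scada_clean": check_execution(scada, allowlist)[0]}

        historian.write_bytes(b"historian build 1.0 + injected payload")  # simulate tampering
        results["historian_tampered"] = check_execution(historian, allowlist)[0]

        dropper = Path(tmp, "dropper.exe")
        dropper.write_bytes(b"unknown program dropped by malware")
        results["dropper"] = check_execution(dropper, allowlist)[0]
        return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The operational cost of this model is the patch step: every approved update changes a hash, so the allowlist has to be re-baselined as part of change management, which is exactly why the patch-management plan above matters.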

Summary

Defence in Depth
[slide diagram: layers between Threats and the Highest Value Assets: Perimeter Firewalls, DMZ, Network Monitoring, Segmentation Firewalls, Secure Products (the "bricks"), Employees / Policies]

Further Information
- Schneider-Electric: www.schneider-electric.com/sites/corporate/en/support/cybersecurity/cybersecurity.page
- Schneider-Electric: How Can I Reduce Vulnerability to Cyber Attacks in the Control Room? (TVDA Control Room Cybersecurity)
- DHS: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies (2009). The original Defence-in-Depth strategy that Schneider has adopted.
- DHS: Cyber Security Procurement Language for Control Systems (2009). Provides guidance and wordings for procurement, FAT, SAT and maintenance requirements.
- DHS: Catalog of Control Systems Security: Recommendations for Standards Developers (2011). A good guideline on developing security standards and policies for end users.
- SANS 20 Critical Controls for Effective Cyber Defence (2013). A concise list of 20 security measures derived from NIST SP 800-53 r3; includes steps on how to implement, automate and measure their effectiveness.
- ISA 62443-3-3 (Draft 4, Jan 2013). A comprehensive set of System Security Requirements.
- NIST SP 800-61 rev2, Computer Security Incident Handling Guide (2012). How to organise a Computer Security Incident Response Capability and how to handle an incident.
- NIST SP 800-40 rev3, Guide to Enterprise Patch Management Technologies. A guide to developing a Patch Management Strategy and the different technologies available.