DEVELOPING SITUATIONAL AWARENESS FOR INDUSTRIAL CONTROL SYSTEM NETWORKS

Similar documents
BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

E-Guide Log management best practices: Six tips for success

How To Manage Security On A Networked Computer System

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

Network Segmentation

SANS Top 20 Critical Controls for Effective Cyber Defense

SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles

Ecom Infotech. Page 1 of 6

Continuous Network Monitoring

Automate Key Network Compliance Tasks

Program Overview and 2015 Outlook

Securing business data. CNS White Paper. Cloud for Enterprise. Effective Management of Data Security

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

End-user Security Analytics Strengthens Protection with ArcSight

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

HP Cyber Security Control Cyber Insight & Defence

QRadar SIEM 6.3 Datasheet

SECURITY CONSIDERATIONS FOR LAW FIRMS

IBM Internet Security Systems products and services

PCI DSS Reporting WHITEPAPER

Don t let your SIeM become your Nightmare!

Network Security Monitoring: Looking Beyond the Network

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Payment Card Industry (PCI) Data Security Standard

Four Keys to Preparing for a PCI DSS 3.0 Assessment

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

Caretower s SIEM Managed Security Services

IBM Global Technology Services Preemptive security products and services

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

Verve Security Center

Eliminating Cybersecurity Blind Spots

Cybernetic Global Intelligence. Service Information Package

TRIPWIRE NERC SOLUTION SUITE

PCI DSS. Payment Card Industry Data Security Standard.

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

SURVEY OF INTRUSION DETECTION SYSTEM

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011

PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers.

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Contents. Facts. Contact. Company Biography...4. Qualifications & Accolades...5. Executive Leadership Team...6. Products & Services...

Logging In: Auditing Cybersecurity in an Unsecure World

SIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Taxonomy of Intrusion Detection System

CASSIDIAN CYBERSECURITY SECURITY OPERATIONS CENTRE SERVICES

Innovative Defense Strategies for Securing SCADA & Control Systems

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Security and Privacy

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

Missing the Obvious: Network Security Monitoring for ICS

Security Management. Keeping the IT Security Administrator Busy

Overcoming PCI Compliance Challenges

Best Practices for PCI DSS V3.0 Network Security Compliance

IT Security & Compliance. On Time. On Budget. On Demand.

Seven Strategies to Defend ICSs

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

Industrial Cyber Security. Complete Solutions to Protect Availability, Safety and Reliability of Industrial Facilities

Achieving Compliance with the PCI Data Security Standard

VULNERABILITY MANAGEMENT

Cyber Watch. Written by Peter Buxbaum

Understanding SCADA System Security Vulnerabilities

PCI Wireless Compliance with AirTight WIPS

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

IT Security and OT Security. Understanding the Challenges

THE TOP 4 CONTROLS.

Description of Actual State Sensor Types for the Software Asset Management (SWAM) Capability. 7 Jul 2014

IT INFRASTRUCTURE MANAGEMENT SERVICE ADDING POWER TO YOUR NETWORKS

CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Post-Class Quiz: Business Continuity & Disaster Recovery Planning Domain

PCI Compliance. Top 10 Questions & Answers

Concierge SIEM Reporting Overview

Enforcing IT Change Management Policy

Transcription:

DEVELOPING SITUATIONAL AWARENESS FOR INDUSTRIAL CONTROL SYSTEM NETWORKS Jarkko Holappa Lead Security Consultant, GICSP, CISSP

INTRODUCTION

Nixu: One-stop shop for high-end cyber security consulting Security consulting since 1988 Capacity and reliability: 140 persons, 17 M turnover Secure premises: Finnish Defence Forces audited facilities No strings attached: Product vendor independent Certifications: CISSP, CISA, CISM, CSSLP, CPTS, GCIH, GICSP, GCFA, GCIA, GSNA, GSSPC, CCNA, ISO27001 Auditor, MCSE, QSA, PA-QSA, etc Payment Card Industry (PCI DSS) Qualified Security Assessor and ASV company c. 140 clients in over 400 assignments during year 2013 Assignments in around 20 countries 09/10/15 Nixu

Why Cyber Security Situational Awareness for Control Systems? Getting visibility to enterprise IT is essential from business, operational security and risk management perspective. Why would you want to leave your industrial control system out from this? (aka 21 Misconceptions 1 )? Nobody Wants to Attack Us We Only Have Obscure Protocols/systems Cybersecurity Incidents Will Not Impact Operations One-Way Communication Offers 100% Protection Serial-Link/4 20 ma Wire Communications are Immune Vendors Have a Full Command of Their Products Security It s Certified,It s Secured Why not to leave out? Cannot manage [cyber] business risks, if you don t know what is happening in your production environment Improves process predictability and robustness 100% Security is impossible Near perfect solu;on is unreasonable expensive Most op;mal solu;on is to build monitoring capabili;es and situa;onal awareness to be able to detect, respond and adapt 1 Piètre-Cambacédès, L.; Tritschler, M.; Ericsson, G.N., "Cybersecurity Myths on Power Control Systems: 21 Misconcep;ons and False Beliefs," in Power Delivery, IEEE Transac;ons on, vol.26, no.1, pp.161-172, Jan. 2011

Updating ICS systems Networking + IT/Office systems - + Patch-level Process control systems - 09/10/15 Nixu

Updating ICS systems Networking Process control systems? + IT/Office systems - + Patch-level - 09/10/15 Nixu 7

Cyber security situational awareness = To detect attacks that have gotten through defences Security Operations Center Vulnerability management Forensics and ediscovery Advanced cyber defense Threat Intelligence Cyber insurance = To detect deviances in the process Support for business risk management

Internet Remote access Enterprise Office worksta;ons Corporate an;virus/patch management/domain controller Manufacturing planning Business resource planning, DMZ Applica;on servers Historians Engineering Sta;on Patch management for DMZ and Control zone Process Control Operator consoles Domain control Field I/O

CASE: SETTING THE STAGE Three main automation systems Control network, DMZ, enterprise network The scope was in the control network and DMZ Relatively low amount of network traffic Single vendor environment Baselining: One month: collecting network traffic mirroring it from the switches Making preliminary asset inventory

CHALLENGES Communications Proprietary communication protocols,(out of the box solutions do not work ) Creative ways of using known protocols, implementations of standardized protocols varies from vendor to vendor Text-based communication Customization: Sensor must be taught to understand proprietary protocol Deviations must be taught. Undocumented log sources, specifications hard to get Monitoring of remote access: who did and what (Shared accounts widely used) Planned outages USB sticks, other previously unknown devices Not possible to do any preventive or active measures Traffic was mirrored from switches Using data diodes to transfer information to dmz

HOW Small steps at the time: Not everything at once, start from manageable entity Establish a baseline Who talks to Whom Changes in the profile: new devices, new network connections (or attempts) Utilize fact that the environment is relatively static, anomaly detection techniques work when the baseline is known Utilise correlation to improve reliability of identified event HMI ßà Network traffic Sent commands (Network) ßà Received commands (PLC) Focus on easy actions to monitor high priority systems 09/10/15 Nixu

Examples of events that can be monitored from control systems Deviations New events in logs or network, New devices or network connections Known attacks, anomalies User actions/change management Settings and access rights changes Configuration changes Logins and logouts Service availability Error messagess and response times in logs Probes (ping, content fetch) Events /time unit (lower or upperlimits Workflow monitoring Environmental Opening and closing of cabinets Heat and moisture variations 12.12.2014 Nixu 2014 - Luottamuksellinen 13

14

BENEFITS Capability to manage risk from security breaches helps optimizing the cyber defence Up-to-date asset inventory à possibility to do passive(no scanning) vulnerability management Real-time visibility to environment s security Centralized view and monitoring of security related events Greater value of existing security technology, more effective use of log and event information. Reduced risk of non-compliance due e.g. improved reporting Better visibility improves reaction times of incidents and reduces downtime caused by them Recording audit trail leads improved forensics capabilities Monitoring the environment for cyber security may reveal other problems

LESSONS LEARNED Co-operation with the ICS vendor is a must Make ICS characterics work for you: Baseline, relatively static environment Typically low amount of network traffic (but also low bandwidth networks..). Possible to record all network traffic over a long period of time for later use (e.g. incident handling, forensics) Analyzing security events and resolving security incidents require special knowledge, experiences and proper tools and a process Security monitoring and incident response is not a side job

www.nixu.com /nixuoy @nixutigerteam /company/nixu-oy

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information