WWHMI SCADA-12 Cyber Security Best Practices in the Industrial World

Transcription:

Slide 1

WWHMI SCADA-12 Cyber Security Best Practices in the Industrial World
Chris J Smith for Paul Forney, MCSE, CSSLP, Chief Technologist, R&D Security Team, Invensys Operations Management
2012 Invensys. All Rights Reserved. The names, logos, and taglines identifying the products and services of Invensys are proprietary marks of Invensys or its subsidiaries. All third party trademarks and service marks are the proprietary marks of their respective owners.

Acknowledgements
- Pike Research, Monitoring and Securing SCADA Networks
- The Department of Homeland Security CSSP
- All the folks at McAfee (thanks for your help and support)
- Ernie Rakaczsky, Program Manager, Invensys Cyber-Security
- The Invensys Critical Infrastructure & Security Practice Team
Slide 3

Stealth Attacks Increasing
- More than 1,200 new rootkits detected each day
- More than 2.1M unique rootkits detected
- More than 75M malware detected
- Number of reports of data breaches via hacking, malware, fraud, and insiders has more than doubled since 2009
Examples named on the slide: AURORA, STUXNET, SLAMMER, ZEUS
Actors and motives as labelled on the slide: Government Sponsored, Physical Harm, Hacking For Fun, Organized Crime, Cyber Espionage
- TDSS rootkit is used as a persistent backdoor to install other types
- SpyEye is hidden with a rootkit to steal banking credentials
- Stuxnet used a rootkit to hide an APT targeting government infrastructure
STAKES Are Rising Rapidly
Slide 4

Typical Network Architecture
An attacker has three challenges:
1. Gain access to the control system LAN
2. Through discovery, gain understanding of the process
3. Gain control of the process
Slide 6

Reported ICS Vulnerabilities (chart): ACTUAL - 215
Slide 11

Community of Concern (diagram of the Control System Cyber Security Community; labels recovered from the slide)
- Industry Sectors / Owner-Operators: Oil, Chemical, Nuclear, Power, Water, Gas, Electric
- Other groups shown: Academia & Research, Standards, Department of Homeland Security, National Labs, Engineering Firms, Control Systems Vendors, Labs & Research, Security Consultants, Security Technologies
- Organizations named: EPRI, LOGIC2, I3P, SRI, IFAC, IEEE, NERC, NIST, ISA/ISCI, IEC, TSWG, CSSP, NCSD, ICSJWG, ISAC, US-CERT, HSARPA, INL, ARGONNE, API, PNNL, AGA, LLNL, SANDIA
Slide 13

A successful Cyber Security Program has 3 major areas of focus: People, Policy and Procedures, and Technology (shown as a pie chart with 65%, 15% and 20% shares).
Dennis Brandl, Three Pillars of Industrial Cyber Security
Slide 15

Security Objectives
- Prevent unauthorized changes to values in a Controller, PLC, process or configuration
- Prevent misrepresentation of process values on the HMI
- Reduce possibility of a production slowdown due to ICS software
- Protect integrity of process and event information
- Prevent loss of genealogy information
- Provide availability of the system and safety for the plant personnel and surrounding environment
Slide 16

Special Restrictions for ICS Security Products*
- Do nothing that negatively impacts network latency
- Restrict SCADA traffic to known and expected message types
- Isolate the SCADA network from any other networks, including the enterprise
- Collect and analyze from multiple sources beyond only IT events
- Prioritize situational awareness to prevent cyber incidents
- Implement strong change management for all SCADA modifications
- Use security products that are simple to deploy and manage
- Involve SCADA operations personnel in all SCADA security decisions
*Pike Research, Monitoring and Securing SCADA Networks
Slide 17

What We Need to Protect

            Corporate IT                            SCADA                         Device Network
Endpoint    Modern Computers (Windows, Linux, Mac)  Legacy Computers (Windows)    Special Function (Embedded OS)
Network     Ethernet, TCP/IP                        Ethernet, Serial              Ethernet, Serial, Relays
Data        Enterprise Apps                         SCADA, HMI                    Ladder Logic

Slide 20

Multiple Zone Network (Established Adaptation for over 8 years)
- Internet Zone: Internet, Perimeter Firewall
- Data Center Zone: Intrusion Prevention, Network Monitoring, Server Monitoring, Service Level Management, Content Filtering, Web Usage Reporting, User Management, Anti-Virus, Wireless Security, Server Management, Remote Access, Anti-SPAM, Internet Firewall
- Plant Network Zone: Control Network Firewall, PC Workstation, File & Print Services, Wireless
- Controls Network Zone: Intrusion Prevention, Anti-Virus, Application Workstation, Control Station, Control Node, Bus Interface, Interface PC, Portal
- Field I/O: I/O modules, PLC
Slide 21

Best Practices for Securing an ICS
- Maintain the latest Invensys-authorized Operating System (OS) and application patches. Test every patch to ensure deployment does not impact operations.
- Always use current anti-virus definitions. Verify the update was successfully installed.
- Update authorized application software.
- Enable Network Anti-Virus / Intrusion Prevention System.
- Enable System policies on all capable network appliances.
Slide 23

Best Practices, USB Devices
- Do not use a USB stick unless it has been scanned
- Designate and use specific USB equipment
- To bridge airgaps, use a specific designated station
WITHOUT restriction on USB devices, their portable nature can be used to compromise your security perimeter!
Slide 24

Machine Hardening (typically no negative effects on the ICS)
Harden Servers and Workstations and Non-ICS assets:
- Ensure all software and hardware patches and updates are current.
- Run A/V scans.
- Disable all unused ports and services.
- Harden BIOS.
- Use static IP addresses, disable DHCP.
- Disable NetBIOS and NetBIOS over TCP/IP.
Slide 25

Best Practices, Cont.
- Change default admin passwords.
- Use strong passwords consisting of more than 6-8 characters, using special characters when applicable.
- Control User Rights.
- Do not use accounts across domains.
- Implement password aging, history, and complexity requirements.
- Always implement Backup and Restore to a network repository.
Slide 26

More To Dos!
- Inventory network assets and keep it up to date.
- Run regular network audits.
- Use physical network isolation when possible.
- Use logical network segmentation (secure zones) when possible, with strict Firewall Rules.
- Isolate and control the flow of information between Business Network(s) and the PCN through use of firewalls.
- Require strict firewall rules with specific (/32) source, destination, port, and protocol.
- Use DMZs.
Slide 27
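The "/32 source, destination, port, and protocol" rule above is easy to state and easy to drift from as rules accumulate. The following is an added example (not part of the original presentation) of a small audit that flags any rule in a business-network-to-PCN conduit that is broader than a single host, a single protocol and a single port. The rule format and the sample rule set are constructed for the example; a real deployment would export its rules from the firewall into this shape.

```python
"""Audit a firewall conduit rule set for /32 source, /32 destination, port and protocol."""
import ipaddress

# Constructed sample rule set for a business-network <-> PCN firewall (not real rules).
# A rule is one dict: id, src, dst (CIDR or "any"), proto ("tcp"/"udp"/"any"), port (int or "any").
SAMPLE_RULES = [
    {"id": 1, "src": "10.10.5.21/32", "dst": "10.20.1.10/32", "proto": "tcp", "port": 1433},
    {"id": 2, "src": "10.10.5.0/24",  "dst": "10.20.1.10/32", "proto": "tcp", "port": 1433},
    {"id": 3, "src": "10.10.5.22/32", "dst": "10.20.1.11/32", "proto": "any", "port": "any"},
    {"id": 4, "src": "any",           "dst": "10.20.0.0/16",  "proto": "tcp", "port": 80},
]


def is_single_host(spec):
    """True only for a /32 (or /128 for IPv6) address specification."""
    if spec == "any":
        return False
    net = ipaddress.ip_network(spec, strict=False)
    return net.prefixlen == net.max_prefixlen


def audit_rule(rule):
    """Return the list of ways this rule is broader than the best practice allows."""
    findings = []
    if not is_single_host(rule["src"]):
        findings.append("source is not a single host")
    if not is_single_host(rule["dst"]):
        findings.append("destination is not a single host")
    if rule["proto"] == "any":
        findings.append("protocol is unrestricted")
    if rule["port"] == "any":
        findings.append("port is unrestricted")
    return findings


def audit_rules(rules):
    """Map rule id -> findings, for rules that have at least one finding."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["id"]] = findings
    return report


if __name__ == "__main__":
    for rule_id, findings in audit_rules(SAMPLE_RULES).items():
        print(f"rule {rule_id}: " + "; ".join(findings))
```

Rule 1 is the only one that passes as written; the others show the three common ways a rule set loosens over time (subnet sources, "any" services, and wide destinations), which is what a periodic audit should surface.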

Network Access
- Enable Firewall Logging and monitor as appropriate.
- Implement an NMS to provide system audit and logging, and monitor it.
- Don't click links or open files that aren't verified.
- ICS assets should not have internet access.
- Some ICS assets may need access to business network website interfaces, so verify all access leaving the ICS network to untrusted networks.
Slide 28
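"Verify all access leaving the ICS network" is a monitoring task on the firewall logs the previous bullet asks you to enable. As an added example (not from the original slides), the code below runs that check over a few constructed firewall log lines: it flags every connection sourced from the ICS zone whose destination is outside the zone and not on a short allowlist of business-network web interfaces. The log format, the 10.20.0.0/16 PCN range and the allowlisted address are all assumptions for the example; denied attempts are reported too, because an ICS host trying to reach the internet is worth investigating whether or not the firewall stopped it.

```python
"""Flag ICS-sourced connections leaving the ICS zone to destinations that are not allowlisted."""
import ipaddress
import re

ICS_ZONE = ipaddress.ip_network("10.20.0.0/16")          # assumed PCN address space
# Business-network web interfaces that ICS hosts are permitted to reach (assumed).
ALLOWED_EGRESS = [ipaddress.ip_network("10.10.8.40/32")]

# Constructed syslog-style firewall line format: "<ts> <fw> <ACTION> <PROTO> src:port -> dst:port"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2012-03-01T10:02:13 fw1 ALLOW TCP 10.20.1.10:49152 -> 10.10.8.40:443
2012-03-01T10:02:15 fw1 ALLOW TCP 10.20.1.11:49201 -> 203.0.113.5:443
2012-03-01T10:02:20 fw1 DENY UDP 10.20.1.12:51000 -> 198.51.100.7:53
2012-03-01T10:02:22 fw1 ALLOW TCP 10.10.5.21:50100 -> 10.20.1.10:1433
2012-03-01T10:02:30 fw1 ALLOW TCP 10.20.1.10:49160 -> 10.20.2.5:502
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_allowlisted(dst):
    return any(dst in net for net in ALLOWED_EGRESS)


def find_unexpected_egress(log_text):
    """Return records where an ICS-zone host talks to a non-ICS, non-allowlisted destination."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src not in ICS_ZONE:          # not ICS-sourced: inbound or business traffic
            continue
        if dst in ICS_ZONE:              # stays inside the zone
            continue
        if is_allowlisted(dst):          # approved business-network web interface
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_unexpected_egress(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['action']} {rec['src']} -> {rec['dst']}:{rec['dport']}")
```

Of the five constructed lines, only the two that leave the PCN for internet addresses are reported; the approved web-interface access, the inbound database connection and the intra-zone Modbus traffic are left alone, which keeps the output small enough for operations staff to actually review.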

In the event of a Cyber incident
Create an Incident Response Plan before an incident so that you are prepared. Steps that are typically part of incident response plans are:
- Do get a triage team together.
- Do make a VM image of the affected system.
- Do get copies of all the logs.
- Work with the antivirus vendor and other agencies to collect the necessary forensics.
- Do not start updating anti-virus.
- Do not start running anti-virus patches.
Slide 29
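"Do get copies of all the logs" is only useful to the antivirus vendor or an agency if the copies can later be shown to be what was collected. The following is an added example (not part of the original presentation) of the collection step with that property: each log is copied with its timestamps preserved and a SHA-256 manifest is written alongside, so anyone handed the evidence directory can re-hash it and see whether anything changed. The two sample log files are constructed in a temporary directory for the demonstration.

```python
"""Collect log files into an evidence directory with a SHA-256 manifest, and verify it later."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Hash a file in chunks so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_logs(log_paths, evidence_dir):
    """Copy each log into evidence_dir (copy2 keeps mtime) and record its hash in manifest.json."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(), "items": []}
    for src in log_paths:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)
        manifest["items"].append({"source": src, "copy": dst, "sha256": sha256_file(src)})
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(evidence_dir):
    """Re-hash every collected copy; return the paths whose hash no longer matches the manifest."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [item["copy"] for item in manifest["items"]
            if sha256_file(item["copy"]) != item["sha256"]]


def demo():
    """Constructed sample: two small logs are collected, then one copy is altered and re-verified."""
    work = tempfile.mkdtemp(prefix="ir-demo-")
    logs = []
    for name, body in (("system.log", "10:02:13 service started\n"),
                       ("app.log", "10:02:15 login operator1\n")):
        path = os.path.join(work, name)
        with open(path, "w") as f:
            f.write(body)
        logs.append(path)
    evidence = os.path.join(work, "evidence")
    manifest = collect_logs(logs, evidence)
    intact_before = verify_manifest(evidence) == []
    # Simulate a collected copy being edited after the fact.
    with open(os.path.join(evidence, "app.log"), "a") as f:
        f.write("tampered\n")
    changed_after = [os.path.basename(p) for p in verify_manifest(evidence)]
    shutil.rmtree(work)
    return {"collected": len(manifest["items"]),
            "intact_before": intact_before,
            "changed_after": changed_after}


if __name__ == "__main__":
    print(demo())
```

The manifest records the hash of the original file at collection time, so verification catches both a copy that was edited afterwards and a copy that was made from a log that had already changed by the time it was hashed.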

Vendor Responsibility - Secure By Design
Secure Software is responsible to provide:
- Confidentiality: Protect against unauthorized information disclosure.
- Integrity: Prevent unauthorized changes to data.
- Availability: Provide the required services uninterrupted, 24x7.
- Authenticity: Determine the identity of components and users in a reliable and consistent manner.
- Authorization: Control access to various parts of the system based on the user's or code's credentials.
- Non-repudiation: Establish audit trails through the system and establish evidence to track a system operation.
Slide 30

Security: Meeting Cyber Security Requirements
As a supplier we are positioned to support cyber security requirements throughout the Life-Cycle from within our:
- Software Development Lifecycle: SDL, Testing, Certification, Source Code validation, etc.
- Project Execution: FAT/SAT Security Baseline, possible Security features and functions fully implemented and updated, etc.
- Life-Time Support: Patch Validation, Security updates, vulnerability mitigation, etc.
Slide 31

Project Ozone Cyber Security Initiative
Vision: To create and enhance processes, knowledge and an ingrained culture for building secure and robust solutions our Customers can trust.
What is it:
- Assess existing vulnerabilities in solution offerings
- Enhance products, processes and tools from a security view
- Improve responsiveness to Cyber Security issues
Why is it Important:
- Increased awareness in the Industry to Cyber Security threats and their impact
- Impact on credibility and cost after Cyber Security attacks is severe
- Strategic Alignment for an enterprise connected platform
Success is Defined As:
- Real-time Indicators: SDL Process Violations (reduced pre-release process violations per product); Security vulnerabilities per product (reduction in reported vulnerabilities, closed proactively, found pre-release)
- Primary Indicators: Security Defect Reports (zero post-release reports); Responsiveness to threats/issues (response time less than 35 days)
Slide 32

Cyber Security Updates

Released Date: 4-8-2011
Notice Identification Number: LFSEC00000054
Security Vulnerability Description: Stack Based buffer overflow in the InBatch BatchField ActiveX Control
Detailed Information: A vulnerability (Stack overflow) has been discovered in the InBatch BatchField ActiveX Control. This control is installed as part of the InBatch Server and on all InBatch Runtime Clients, including when used embedded in InTouch and any third party InBatch Client Programs (VB or C++). In addition, this control can be used in publishing InTouch graphics in Wonderware Information Server. (April 8, 2011 - LFSEC00000054)

Released Date: 2-18-2011
Notice Identification Number: LFSEC00000051
Security Vulnerability Description: Server lm_tcp buffer overflow
Detailed Information: A vulnerability has been discovered in InBatch Server and I/A Batch Server in all supported versions of Wonderware InBatch and Foxboro I/A Series Batch. This vulnerability, if exploited, could allow Denial of Service (DoS), the consequence of which is a crash of the InBatch Server. (February 18, 2011 - LFSEC00000051)

Released Date: 7-14-2010
Notice Identification Number: LFSEC00000037
Security Vulnerability Description: Wonderware ArchestrA ConfigurationAccessComponent ActiveX Stack Overflow
Detailed Information: A vulnerability has been discovered in a component used by the Wonderware ArchestrA IDE (Integrated Development Environment) and the InFusion IEE (Integrated Engineering Environment) and, if exploited, could allow remote code execution. (July 14 2010 Security Update LFSEC00000037)

Slide 33

Project Execution Approach
- People: Training
- Process Enhancements: SOPs and Tools
- Product Enhancements
Institutionalized Across Invensys Operations Management
Slide 34

Secure By Design: Security Built in, not Added On
- The Microsoft SDL is a software development policy for all products with meaningful business risk and/or access to sensitive data
- Key part of Invensys commitment to protect its customers
- Implementing the SDL reduces the Total Cost of Ownership (TCO) for Software Products
- Fewer security patch events required for our products
- Secure software is by nature Quality software
Slide 35

Threat Modeling Approach
A careful study of the design of an application to identify weaknesses and vulnerabilities includes 5 steps:
1. Identify security objectives
2. Create an application overview
3. Decompose the application
4. Identify threat vectors
5. Identify vulnerabilities
Slide 36

Defend Against S.T.R.I.D.E. Attacks
- Spoofing Identity: Allows an attacker to pose as something or someone else
- Tampering with Data: Involves malicious modification of data or code
- Repudiation: Allows an attacker to perform actions that other parties can neither confirm nor contradict
- Information Disclosure: Involves the exposure of information to individuals who are not supposed to have access to it
- Denial of Service: DoS attacks deny or degrade service to valid users
- Elevation of Privilege: Occurs when a user gains increased capability, often as an anonymous user taking advantage of a coding error to gain admin capability
Slide 37
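Steps 3 and 4 of the threat modeling approach (decompose the application, identify threat vectors) are where STRIDE is actually applied: each element of the decomposed design is checked against the categories that can apply to its kind. The code below is an added example (not from the presentation) of that STRIDE-per-element enumeration over a constructed HMI/PLC model. The element-type-to-category chart is the one used in Microsoft SDL practice (external entities: S, R; processes: all six; data flows: T, I, D; data stores: T, I, D, plus R when the store holds logs); the sample model, the zone names and the rule that flows crossing a zone boundary are rated "high" are assumptions made for the example.

```python
"""STRIDE-per-element threat enumeration over a decomposed application model."""

# Categories that apply to each element type (STRIDE-per-element chart).
STRIDE_BY_TYPE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",      # Repudiation added below when the store holds logs
}
CATEGORY = {
    "S": "Spoofing Identity", "T": "Tampering with Data", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service", "E": "Elevation of Privilege",
}

# Constructed sample model of a small HMI/PLC deployment (not a real site).
SAMPLE_MODEL = {
    "elements": [
        {"name": "Operator",  "type": "external_entity", "zone": "control"},
        {"name": "HMI",       "type": "process",         "zone": "control"},
        {"name": "PLC",       "type": "process",         "zone": "device"},
        {"name": "Historian", "type": "data_store",      "zone": "plant", "holds_logs": True},
    ],
    "flows": [
        {"name": "HMI -> PLC setpoint write",     "src": "HMI", "dst": "PLC"},
        {"name": "HMI -> Historian tag values",   "src": "HMI", "dst": "Historian"},
    ],
}


def element_threats(element):
    """Threats for one element: (element name, category, severity)."""
    letters = STRIDE_BY_TYPE[element["type"]]
    if element["type"] == "data_store" and element.get("holds_logs"):
        letters += "R"        # an attacker who can alter the logs can repudiate actions
    return [(element["name"], CATEGORY[c], "medium") for c in letters]


def flow_threats(flow, zone_of):
    """Threats for one data flow; flows crossing a zone boundary are rated high (assumed policy)."""
    crosses_boundary = zone_of[flow["src"]] != zone_of[flow["dst"]]
    severity = "high" if crosses_boundary else "medium"
    return [(flow["name"], CATEGORY[c], severity) for c in STRIDE_BY_TYPE["data_flow"]]


def enumerate_threats(model):
    """Walk the decomposed model and return the full list of candidate threats."""
    zone_of = {e["name"]: e["zone"] for e in model["elements"]}
    threats = []
    for element in model["elements"]:
        threats.extend(element_threats(element))
    for flow in model["flows"]:
        threats.extend(flow_threats(flow, zone_of))
    return threats


if __name__ == "__main__":
    for name, category, severity in enumerate_threats(SAMPLE_MODEL):
        print(f"[{severity:6}] {name}: {category}")
```

The output is the starting list for step 5: each (element, category) pair is a question the design review must answer with either an existing mitigation or a vulnerability to fix. Cross-zone flows such as the HMI-to-PLC setpoint write surface first, which matches the security objective of preventing unauthorized changes to controller values.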

Our Solution
- Stop incurring Technical Debt (New Code): Implement the Security Development Lifecycle for all new projects.
- Reduce Technical Debt (Legacy): Evaluate and model our most critical software for threats, strengthening it with tools from the SDL.
- Institutionalize Across Invensys Operations Management R&D
Slide 38

Please Subscribe to Security Central!
https://wdn.wonderware.com/sites/wdn/pages/security%20central/cybersecurityupdates.aspx
Slide 39

Slide 40

Conclusion
- Secure systems start with design: hardware, software and application deployments alike.
- The security journey must be a collaboration between people, processes and technology; there is no silver bullet!
- There is no substitute for a practical security program that provides a long-term, self-perpetuating maturity model that can be engrained into the culture of an organization to produce the foundation for secure and robust solutions we can trust.
- Within Invensys Operations Management R&D, our journey has begun for a more Secure Critical Infrastructure.
Slide 41