TAKE CONTROL OF YOUR DIGITAL PLANT ECOSYSTEM. Practical Industrial Cyber Security with RIPE



Similar documents
A RIPE Implementation of the NIST Cyber Security Framework

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Industrial Cyber Security. Complete Solutions to Protect Availability, Safety and Reliability of Industrial Facilities

A MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS

Cyber Watch. Written by Peter Buxbaum

NATIONAL CYBER SECURITY AWARENESS MONTH

Update On Smart Grid Cyber Security

THE HUMAN FACTOR AT THE CORE OF FEDERAL CYBERSECURITY

Remarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Italy. EY s Global Information Security Survey 2013

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

Document ID. Cyber security for substation automation products and systems

The Advantages of an Integrated Factory Acceptance Test in an ICS Environment

Industrial Security Solutions

8/27/2015. Brad Schuette IT Manager City of Punta Gorda (941) Don t Wait Another Day

What is Really Needed to Secure the Internet of Things?

Defending Against Data Beaches: Internal Controls for Cybersecurity

New York State Energy Planning Board. Cyber Security and the Energy Infrastructure

North American Electric Reliability Corporation (NERC) Cyber Security Standard

Cyber security Building confidence in your digital future

The Four-Step Guide to Understanding Cyber Risk

Risk Management in Practice A Guide for the Electric Sector

Cyber Security and Privacy - Program 183

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

TUSKEGEE CYBER SECURITY PATH FORWARD

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

INSIGHTS AND RESOURCES FOR THE CYBERSECURITY PROFESSIONAL

Computer System Security Updates

A NEW APPROACH TO CYBER SECURITY

Cybersecurity: Mission integration to protect your assets

Challenges in Industrial IT-Security Dr. Rolf Reinema, Head of Technology Field IT-Security, Siemens AG Siemens AG All rights reserved

Program Overview and 2015 Outlook

Beyond the Hype: Advanced Persistent Threats

DoD Strategy for Defending Networks, Systems, and Data

Agenda. Introduction to SCADA. Importance of SCADA security. Recommended steps

Testimony of Dan Nutkis CEO of HITRUST Alliance. Before the Oversight and Government Reform Committee, Subcommittee on Information Technology

Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products

Protecting against cyber threats and security breaches

CYBERSPACE SECURITY CONTINUUM

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Capabilities for Cybersecurity Resilience

William Hery Research Professor, Computer Science and Engineering NYU-Poly

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Priority III: A National Cyberspace Security Awareness and Training Program

Cyber Security: Confronting the Threat

Cybersecurity Training

Cyber security Building confidence in your digital future

Enterprise Security Tactical Plan

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

SCADA Security Training

Cyber Security Management

A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks. Alex Leemon, Sr. Manager

Cloak and Secure Your Critical Infrastructure, ICS and SCADA Systems

CIP Supply Chain Risk Management (RM ) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

How To Write A National Cybersecurity Act

ADVANCED PERSISTENT THREATS & ZERO DAY ATTACKS

Frost & Sullivan s. Aerospace, Defence & Security Practice. Global Industrial Cyber Security Trends

Software & Supply Chain Assurance: Mitigating Risks Attributable to Exploitable ICT / Software Products and Processes

Compliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire

CESG Certification of Cyber Security Training Courses

Decrease your HMI/SCADA risk

idata Improving Defences Against Targeted Attack

Managed Services. Business Intelligence Solutions

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

CYBERSECURITY: ISSUES AND ISACA S RESPONSE

Cloud Computing Technologies Achieving Greater Trustworthiness and Resilience

Data Security Concerns for the Electric Grid

IT AUDIT WHO WE ARE. Current Trends and Top Risks of /9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski

Secure Software Development Trends in the Oil & Gas Sectors. How the Microsoft Security Development Lifecycle helps protect critical industries

Feature. SCADA Cybersecurity Framework

The Importance of Cybersecurity Monitoring for Utilities

The Internet of Things (IoT) Opportunities and Risks

ABB Automation Days, Madrid, May 25 th and 26 th, Patrik Boo What do you need to know about cyber security?

C ETS C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CSCSS / ENTERPRISE TECHNOLOGY + SECURITY

Fostering Incident Response and Digital Forensics Research

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Cybersecurity Converged Resilience :

Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Middle Class Economics: Cybersecurity Updated August 7, 2015

Cybersecurity The role of Internal Audit

Intelligent. Buildings: Understanding and managing the security risks

Transcription:

TAKE CONTROL OF YOUR DIGITAL PLANT ECOSYSTEM Practical Industrial Cyber Security with RIPE

The Industrial Internet s Achilles Heel: Unmanageable Cyber Risk Digital technology, IT, and the Internet have revolutionized process and factory automation, and industrial production at large. Whether the anticipated benefits of this development will outweigh its inherent risk will depend on how well cyber security and fragility issues are addressed. This is why we developed RIPE a practical and cost-efficient cyber security program for industry to confront a problem that keeps getting bigger and bigger with every new network connection. YESTERDAY IT is nothing but a nice to have add-on to automation technology. The major IT application on the plant floor is standalone PC-based SCADA. Openness of software interfaces is a declared design objective in order to facilitate easy integration with office applications. A textbook example is OPC. Targeted and complex cyber attacks against industrial facilities are unknown. Let s be crystal clear: the worries over vulnerabilities in critical infrastructure to cyberattack have real validity. From 2011 to 2013, probes and intrusions into the computer networks of critical infrastructure in the United States went up by 1700 percent. P.W. Singer and Allan Friedman TOMORROW Analog sensors and actuators are no longer available. By implementing the Industrial Internet, complete supply chains get digitally integrated. Digital super structures dominate the landscape from Smart Grid to manufacturing. The reliability and security aspects of the continuously growing (= disorderly rambling) structures are no longer fully understood by anyone. Customers, insurance companies, investors and government agencies demand verifiable cyber security in production environments. Cyber sabotage risk is regarded at least as important as privacy. TODAY Ethernet is the new fieldbus standard. Field devices are configurable via Web browser. Remote maintenance and condition monitoring via the Internet are ubiquitous. The modern factory depends on digital data flow. Digital technology and networks have become an enabling technology without which efficient production is no longer possible. Plant extensions and retrofits regularly get more expensive than planned due to uncontrolled digital growth that can be understood and untangled only with unscheduled, painstaking effort. IT security controls such as antivirus and security patches fail in production environments. Almost every asset owner has experienced malware in the process network. Cyber attack campaigns like Stuxnet and Energetic Bear highlight the dimensions of a problem that continues to be neglected thoroughly. Essentially all current digital designs in widespread use are far less dependable than almost any analog system of 50 years ago. We have made a giant leap backwards in surety while making a giant leap forward in controllability and function. Fred Cohen RIPE Robust Industrial Control Systems Planning and Evaluation >> 2

The RIPE Program: Cyber Security Governance for Industry It has become common knowledge: Flexibility and comfort of modern cyber technologies come with a security risk, and this risk increases proportionally with networking and the degree you depend on it. Everything that can be monitored and re-configured comfortably via the network can be compromised as easily. The impact is then not restricted to isolated automation cells because more digital integration also means more dependencies, more potential sources of trouble, and more widespread consequence in the event of failure or compromise. Cyber systems responsiveness to instruction makes them invaluably flexible; but it also permits small changes in a component s design or direction to degrade or subvert system behavior. Richard Danzig Technical point solutions like firewalls, antivirus and security patches don t solve the problem. They fight symptoms but don t cure the disease. Protecting single assets is not sufficient; at the end of the day it must be assured that the enterprise can leverage the full potential of its cyber ecosystem while minimizing systemic risk. The prerequisite for achieving this is a governance process featuring proactive planning and supervision this is what the planning and evaluation stands for in RIPE. This insight isn t new. It is embedded in various cyber security frameworks such as ISO 27001, ISA-99/62443, and the NIST CSF. However all of these frameworks lack concrete, practical procedures that implement governance. These standards expected that asset owners invent individual cyber security plans rather than following a standard guideline. This is counterproductive for several reasons. You re-invent the wheel, because no matter which industry you are in, others have solved your problem already. You also forego comparability and scalability. But if you are responsible for multiple plants The Loviisa nuclear power plant (Finland) trusts RIPE for efficient and measurable cyber security you will hardly prefer individual custom-built solutions over proven and efficient standards. This is where the RIPE program comes in. It comes with standardized and concrete templates, checklists and reference architectures, developed and annually updated by internationally respected experts with decades of experience. Implementation may either be achieved by internal staff or external service providers. Introducing RIPE to a plant environ ment occurs stepby-step, reflecting given resources and security requirements. Plant Planning and System Procurement System Inventory Network and Data Flow Diagrams CYBER SECURITY AND ROBUSTNESS Policies and Standard Operating Procedures Training Workforce Management RIPE addresses all factors that affect industrial cyber security. RIPE Robust Industrial Control Systems Planning and Evaluation >> 3

RIPE Control Variables: Technology and System Architecture System inventory. It s a building block of every cyber security program, yet few enterprises have it. RIPE teaches how a solid hardware and software inventory can be produced and maintained. Network and data flow diagrams. If you haven t documented your network to the detail, you don t really know it and can t protect it efficiently. RIPE shows how standardized, meaningful network and data flow diagrams can be produced without which full system understanding isn t achievable. Plant planning and system procurement. RIPE comes with detailed reference architectures for the design and configuration of networks, conduits, IT end devices etc. It also lists concrete cyber security criteria for system procurement that are essential to make cyber security sustainable. RIPE data flow diagrams help plant engineers to understand the digital dependencies of system components RIPE Control Variables: People, Policies, Training Policies and standard operating procedures. Let s face it: Security policies from IT don t work on the plant floor. In consequence, everybody may do what they want to do an untenable situation. RIPE comes with concrete policies and standard operating procedures for different user roles. Training. Humans can only perform professionally if they know what they re doing. RIPE comes with a comprehensive training curriculum that centers on efficiency. Workforce management. Policies can only be audited if their target audience is personally known. The same is true for conducting training. Yet most businesses don t keep a record of their contractors. RIPE includes procedures and concepts for establishing an effective workforce management process that solves the problem. RIPE Robust Industrial Control Systems Planning and Evaluation >> 4

Cyber Security as a Quality Management Process Do you have reservations about cyber security because too much hot air was produced under this label? We too! That s why we based RIPE exclusively on verifiable and measurable facts and circumstances. As practiced in quality management for decades, periodic verifications and audits along with appropriate corrections are at the core of RIPE. Unless regulations require otherwise, you decide by yourself if audits shall be conducted by a third party or by internal staff. Moving beyond the Hamster Wheel requires practitioners to think about security in the same ways that other disciplines do as activities that can be named, and whose efficiencies can be measured with key indicators. Andrew Jaquith Based on annual audit results, The Langner Group produces an analytic report. The report includes an analysis of emergent vulnerabilities and their potential physical effects. The efficiency of the cyber security program is measured with performance indicators that can be compared to other plants and to an industry-wide benchmark. In regulated industries such as nuclear, RIPE reports also form the basis for documenting compliance. The objective of RIPE is the implementation of a continuous improvement process as it is known from quality management. Current achievements form the basis for further improvement. Security involves making sure things work, not in the presence of random faults, but in the face of an intelligent and malicious adversary trying to ensure that things fail in the worst possible way at the worst possible time... again and again. Bruce Schneier The result is sustainable cyber security and robustness that provides for resilience and reliability even with further integration and growing sophistication of threats. Not just as a bold yet unsubstantiated promise, but as demonstrated system capability. As an asset owner you get the confidence that your investment in modern automation technology won t turn into an Achilles' heel that puts business continuity and competitiveness at risk, and it allows you to face the prospect of future cyber regulation calmly. Performance indicators measure the maturity of your cyber security program. They allow for comparison with other plants. RIPE Robust Industrial Control Systems Planning and Evaluation >> 5

About Langner The Langner Group is a cyber defense consultancy founded by Ralph Langner and Perry Pederson. Its European sister company (based in Germany) has a history of over 25 years. Langner became globally known for a quick and detailed analysis of the Stuxnet malware. A summary that is regarded as the definitive reference on the subject is published as To kill a centrifuge. A technical analysis of what Stuxnet s creators tried to achieve. Langner s swift cracking of the Stuxnet code has solidified his position as one of the foremost experts in cyber security. The Huffington Post Perry Pederson worked for the US Department of Defense, the Department of Homeland Security, and the Nuclear Regulatory Commission on cyber-physical security. In 2007 he lead the Aurora experiment where it was demonstrated by DHS that a cyber attack can destroy electric generators, threatening the reliability of the electric grid. Langner s several decades of international experience includes globally recognized milestone achievements in the analysis of highly complex malware and in identifying critical attack scenarios and the development of effective countermeasures. We have given advice to the White House, the US Senate, the Pentagon, the International Atomic Energy Agency, and many other organizations. We have designed secure Ralph Langner is globally recognized for his analysis of the Stuxnet malware Ralph Langner has not only been a key player in some of the most important developments in information security history, but also is a charming, easy to work with colleague. He brings a bright mind to cybersecurity questions, with a skill for connecting them to questions of both technology and industry. Peter Singer, Author of Cybersecurity and Cyberwar: What Everyone Needs to Know industrial controllers and created process-based cyber security programs for asset owners. In respect to the latter we focus on enterprises with multiple plants and facilities where scalability and comparability of cyber security programs are a priority. As strategic consultants our objective is not to sell as many man-days as possible but to establish effective collaborations with our clients internal teams. Perry Pederson led the Aurora experiment where a 27 ton diesel generator was destroyed by a cyber attack RIPE Robust Industrial Control Systems Planning and Evaluation >> 6

Contact To learn more about RIPE and The Langner Group or to schedule a consultation appointment, get more information on the Web: In the USA: The Langner Group, LLC 1331 S. Eads Street #802 Arlington, VA 22202 In Europe: Langner Communications GmbH Kattjahren 4 D-22359 Hamburg phone: +1 (571) 551-29 98 mail: info@langner.com phone: + 49 (40) 60 90 11-0 fax: + 49 (40) 60 90 11-11 mail: info@langner.com In the web >> www.langner.com << On Twitter >> www.twitter.com/langnergroup <<

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information