Breakthrough Cyber Security Strategies Introducing Honeywell Risk Manager
About the Presenter Eric D. Knapp @ericdknapp Global Director of Cyber Security Solutions and Technology for Honeywell Process Solutions Over 20 years of experience in Information Technology; Over 10 years dedicated to Industrial Cyber Security Specializing in cyber security for ICS, security analytics, risk, and advanced cyber security controls Patents pending for risk management metrics and methodologies Author of Industrial Network Security and Applied Cyber Security and the Smart Grid 2 2015 Honeywell International All Rights Reserved
What is (cyber security) Risk? the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. (ISO) a function of the likelihood of a given threat-source s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization (NIST) 3
What is the Cyber Security Risk Manager? A tool that continuously monitors for indicators of cyber security risk i.e., Threats & vulnerabilities that could impact the ICS 4
Measurements & Methodologies Risk is an indication of Threat, Vulnerability and Impact Many methodologies: ISA-99 / 62443, ISO27005:2011, etc. Likelihood x Impact (R = L x I) Threat x Vulnerability x Consequence (R = T x V x C) Determining what V I and C are is the hard part These can be subjective without standards and precise methodologies! 5
6 Measurements & Methodologies
Quiz Time! Level 4 Business Network Level 3.5 DMZ A B PC A is a print server. It will not impact anything if compromised. Level 3 Advanced Control PC B is an Operators workstation. If compromised it could directly impact production Level 2 Supervisory Control Q: What option would you choose for PC A from the following? Level 1 9
Understanding Consequence Risk Manager understands impact within an ICS 10
Measurements & Methodologies If R = L x I How do we determine Likelihood? L is a function of both Vulnerability and Threat Vulnerability A vulnerability does not cause harm itself (ISO27005:2011) Threat A threat has the potential to harm assets e.g. unauthorized actions, physical damage, technical failures (ISO27005:2011) 11
Measurements & Methodologies If R = L x I How do we determine Likelihood? L is a function of both Vulnerability and Threat Vulnerability Countermeasure Threat (specific) Threat (actor) 12
Assess the Vulnerability of the ICS Vulnerability can be a broad or focused lens: Each asset needs to be assessed The entire system needs to be assessed You need to understand threat to understand vulnerability Example: If HMI software is susceptible to a buffer overflow, this is a very specific vulnerability of a specific software asset. However, if the HMI can be used to directly impact the entire system, it is also a systemic vulnerability This is because malicious control of the HMI is equivalent to having a bad guy at the console, and you can easily gain control of an HMI over the network (understanding the threat) 13
Assess the Vulnerability of the ICS Perform Vulnerability Assessments, but do them carefully Slow scans Redundant pairs Passive methods No exploits!!! Understand the limits Aggressive scans tell you a lot but they aren t safe to use Less-aggressive scans are safer but they tell you less No scan can tell you everything you can t scan for zero-days Enlist assistance from someone qualified and experienced in assessment ICS systems 14
Quiz Time! Level 4 Business Network X Level 3.5 Level 3 DMZ Advanced Control Z PC X and Z are both scanned by a VA scanner and 6 critical vulnerabilities are found on each. PC Z is patched fully, but PC X is left as is. Level 2 Supervisory Control Q: Which of the machines is vulnerable? Level 1 15
Understanding Vulnerabilities Risk Manger looks for indicators of vulnerability Weak system defenses Poor access controls Susceptibility to misuse 16
Identify Threats Against the ICS What are cyber threats? Malware (viruses, trojans, RATs, APTs, etc) Hackers (script kiddies, semi-professionals, disgruntled employees, professionals, hacker-for-hire, cyber crime, nation-state) Accidents (insider / employees, outside / unintentional incidents) 17
Identify Threats Against the ICS You need to understand vulnerability to understand threat wait? Which came first? (just don t hide from the truth) 18
Quiz Time Again! You have some credible threat statistics here Q: What s the biggest threat? 19
Understanding Threats Risk Manager looks for various indicators of active threats Active intrusions Exploits of vulnerabilities Unauthorized activity 20
What Does Risk Manager do with all of this? Risk Manager evaluates indicators of risk using patented algorithms to generate accurate risk scores in line with industrial risk management standards 21
Assess Your Cyber Security Posture How risky is my system from a security perspective? Has something happened that I need to act on? Where do I start? How can I show that we are improving our security posture? Is my control system up to date? Am I following best practices? When something goes wrong, what should I do? 22
23 At-a-glance Indication of Current Risk Levels
24 Quickly Identifies What s Causing Risk
25 Finds the Root Cause, to the Node Level
26 Trend Risk over Time
27 Summary Reports on Risk Posture and Progress
Introducing the Cyber Security Risk Manager See it Live in the Demo Room 28