Stronger than Firewalls And Cheaper Too

Slide 1: Stronger than Firewalls, And Cheaper Too
Andrew Ginter, Director of Industrial Security, Waterfall Security Solutions, 2012

Slide 2: Emerging Threat: Low Tech, Targeted Attacks
- Night Dragon, Shady RAT, Anonymous
- Trick users into providing passwords or installing malware
- Custom malware, tested to evade anti-virus
- Remote control: steal credentials, propagate
- Steal administrator credentials, create own passwords
- Patching: no need for vulnerabilities if you have passwords
- Create accounts, don't guess long passwords
- Firewalls allow connections with passwords
- Conventional ICS security guidance does not address targeted attacks

Slide 3: Unidirectional Security Gateways
- One-way optical hardware enforces security / network isolation: no attack from the business network can affect operations
- Software replicates industrial servers from the operations network to the business network
- Faithful replica: business users cannot tell they are using a copy
- Single point of management: all configuration changes are propagated from the master server on the control network

Slide 4: Firewalls Are Not Enough
- Errors and omissions leave you open to attack
- Every allowed connection is vulnerable: steal the password and you are in
- Even if you trust the users, should you trust their workstations? Their cell phones?
- Firewalls are software: even firewalls have vulnerabilities and zero days
- Costly: procedures, training, management, log reviews, audits, assessments
- Firewalls are software: they rely on process and people to keep them secure
Photo: Red Tiger Security

Slide 5: Firewalls: How Many?
- Demilitarized zone (DMZ): an extra network, no connections straight through, different protocols in vs. out
- Single-firewall DMZ: one firewall to compromise
- Two-firewall DMZ: two firewalls, from two vendors
- High availability (HA) doubles the firewall count

Slide 6: Firewalls: CapEx

FIREWALL CAPEX
  Number of firewall layers (2-firewall DMZ = 2, 1-firewall DMZ = 1)          2
  Parallel firewalls (none = 1, high availability = 2 or more)                1
  Per-firewall purchase price                                           $10,000
  Total number of firewalls                                                   2
  CapEx: Firewalls                                                      $20,000

Slide 7: Remote Access Server
- Remote access via Remote Desktop, VNC, Citrix, or equivalent
- Best practice: no direct connection from the business network into the control network
- Remote Access Server in the DMZ
- Daisy-chain to Remote Desktop / VNC in the control network, or access control equipment directly from the DMZ

Slide 8: Remote Access: CapEx

REMOTE ACCESS CAPEX
  Terminal server with 5 concurrent user licenses       $3,600
  CapEx: Remote Access                                  $3,600

Slide 9: Network Intrusion Detection System (NIDS)
- Defense-in-depth: what protects you when firewalls are compromised or mis-configured?
- NERC-CIP v5 (draft) requires NIDS; other defense-in-depth advice recommends NIDS or other protections
- NIDS sensor scans all network traffic for attack / suspicious patterns; the scanning tap may be one-way hardware
- NIDS management station collects, correlates, visualizes traffic and alerts

Slide 10: NIDS: CapEx

NIDS CAPEX
  Per-sensor cost           $35,000
  Number of sensors               1
  CapEx: NIDS               $35,000

Slide 11: Firewall Management
- Support & signature costs: 70-80% of the firewall purchase price, per year
- Routine management costs: $1,500-$5,000 per firewall per month
  - Add/remove remote access users, change passwords, change rules and other configurations
  - Log monitoring, incident response, emergency replacements
  - Keep firmware & signatures up to date
- Periodic costs: periodic reviews, audits, vulnerability assessments, penetration tests, risk assessments
- Documentation costs to comply with regulations or corporate policies

Slide 12: Firewalls: OpEx

FIREWALL OPEX
  HW/SW/Support/signature cost per firewall per year                                      $8,000
  Average firewall administrator, fully loaded, per year                                $120,000
  Routine management: average number of firewalls per administrator                            7
  Days per year updating each firewall's compliance / engineering documentation (days/firewall/year)   10
  Days per year reviewing firewall configurations for regulatory / standards compliance         7
  Security audits / assessments / pen-tests per year                                             1
  Security assessment cost, per assessment                                               $50,000
  Fraction of assessment effort spent on firewalls / perimeter protections                    10%

  OpEx: Firewall support + signatures / year                                             $16,000
  OpEx: Firewall routine management / year                                               $34,286
  OpEx: Firewall standards / regulatory-related costs / year                             $17,362
  OpEx: Assessment costs / year                                                           $5,000
  OpEx: Firewalls                                                                        $72,647

Slide 13: Remote Access: Training and Background Checks
- Malware and targeted attacks can jump through VPNs, and keystroke loggers can steal remote access passwords
- Remote laptops & desktops must be kept secure
- Users of remote access clients must understand how to keep their computers secure and how to use remote access securely
- Remote users must be authorized and pass background checks

Slide 14: Remote Access: OpEx

REMOTE ACCESS OPEX
  Number of remote access users                                                               20
  Per-user days/year spent in training                                                       1.5
  Average end user fully-loaded labor cost / year                                       $125,000
  Training program cost per user, per day                                                 $1,000
  Number of remote end users needing background checks for remote access
    who would not have needed them otherwise                                                  10
  Background check cost / user                                                            $1,000
  Number of years between background checks                                                    5

  OpEx: Remote access training - user labor / year                                       $15,957
  OpEx: Training program cost / year                                                     $30,000
  OpEx: Remote user background checks / year                                              $2,000
  OpEx: Total remote access cost / year                                                  $47,957

Slide 15: NIDS Management
- Log monitoring, often automated by the NIDS management console
- Incident investigation, escalation and response
- Firmware and signature updates
- Ruleset / correlation engine customization to minimize false positives
- Industrial NIDS vendors tend to charge per sensor, roughly twice what a managed firewall costs

Slide 16: NIDS: OpEx

NIDS OPEX
  HW/SW/Support/Signature costs / sensor / year            $7,000
  NIDS administrator cost / year                         $120,000
  NIDS management: number of sensors per administrator        3.5

  OpEx: Support / signatures / year                        $7,000
  OpEx: NIDS labour cost / year                           $34,286
  OpEx: NIDS                                              $41,286

Slide 17: Preventable Incidents
- Unidirectional Gateway strong security blocks all online attacks originating on external networks
- Serious incidents: large damages, but rare; per-site / per-year costs are modest
- Routine incidents: malware on the control system network triggers a process safety shutdown; costs to control the infection, rebuild affected machines, and investigate the root cause forensically
- Business-network insider incidents: data corruption & recovery costs
- Well-meaning errors and omissions: shutting machines down for the daily backup, "just wanted to do an nmap to understand the network", "vulnerability scans never hurt my business machines!"

Slide 18: Preventable Incidents: OpEx

PREVENTABLE INCIDENT COSTS
  Major incident cost                                                   $1,000,000,000
  Major incident frequency / decade, all major sites in North America                1
  Total number of large / major industrial sites in North America                10,000
  Routine incident cost                                                       $250,000
  Routine incidents / site / decade                                                  1
  Business network insider cost / incident                                     $40,000
  Insider incidents / site / decade                                                  4

  OpEx: Major incident costs / year                                            $10,000
  OpEx: Routine incident cost / year                                           $25,000
  OpEx: Insider incident cost / year                                           $16,000
  OpEx: Preventable incident costs / site / year                               $51,000

Slide 19: Unidirectional Comparison

COMPARISON
  Firewall total CapEx                       $58,600
  Comparable Unidirectional CapEx           $250,000
  CapEx: Difference                         $191,400

  Firewall total OpEx                       $212,891
  Comparable Unidirectional OpEx             $50,000
  OpEx: Difference                          $162,891

  Months to payback                               15
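The cost tables on slides 6 through 19 are a single spreadsheet model: the CapEx and OpEx totals, the annualized incident costs and the payback period all follow from the input figures printed on the slides. The Python script below is an added example that re-implements that model; it is not code from the presentation or from Waterfall Security Solutions. Two things it assumes are not on the slides: labour days are converted to dollars using 235 working days per year (the value that reproduces the deck's $17,362 and $15,957 line items exactly, with both "days per year" firewall inputs read as per firewall), and the computed 14.1-month payback is rounded up to whole months to arrive at the deck's 15.

```python
"""Re-implementation of the deck's firewall-vs-unidirectional cost model.

Added example, not material from the presentation. Inputs are the figures
printed on slides 6, 8, 10, 12, 14, 16, 18 and 19. WORKING_DAYS_PER_YEAR is
an assumption not stated on the slides; 235 reproduces the deck's labour
line items ($17,362 and $15,957) exactly.
"""
import math

WORKING_DAYS_PER_YEAR = 235  # assumption: not printed on the slides

# Constructed input dict; every value is taken from the slides.
DECK_INPUTS = {
    # Slide 6: firewall CapEx
    "fw_layers": 2,                 # 2-firewall DMZ
    "fw_parallel": 1,               # no high availability
    "fw_price": 10_000,
    # Slide 12: firewall OpEx
    "fw_support_yr": 8_000,         # HW/SW/support/signatures per firewall per year
    "fw_admin_cost_yr": 120_000,    # fully loaded firewall administrator
    "fw_per_admin": 7,              # firewalls per administrator
    "fw_doc_days": 10,              # documentation days per firewall per year
    "fw_review_days": 7,            # compliance review days per firewall per year (assumed per firewall)
    "assessments_yr": 1,
    "assessment_cost": 50_000,
    "assessment_perimeter_share": 0.10,
    # Slides 8 and 14: remote access
    "ra_capex": 3_600,
    "ra_users": 20,
    "ra_training_days": 1.5,
    "ra_user_cost_yr": 125_000,
    "ra_training_cost_day": 1_000,
    "ra_bg_users": 10,
    "ra_bg_cost": 1_000,
    "ra_bg_interval_yrs": 5,
    # Slides 10 and 16: NIDS
    "nids_sensors": 1,
    "nids_sensor_price": 35_000,
    "nids_support_yr": 7_000,
    "nids_admin_cost_yr": 120_000,
    "nids_sensors_per_admin": 3.5,
    # Slide 18: preventable incidents, annualized per site
    "major_cost": 1_000_000_000,
    "major_per_decade": 1,
    "sites": 10_000,
    "routine_cost": 250_000,
    "routine_per_site_decade": 1,
    "insider_cost": 40_000,
    "insider_per_site_decade": 4,
    # Slide 19: comparable unidirectional deployment
    "uni_capex": 250_000,
    "uni_opex": 50_000,
}


def cost_model(p: dict) -> dict:
    """Return every line item of the comparison, named as on the slides."""
    r = {}
    # CapEx: firewall count is layers x parallel units
    fw_count = p["fw_layers"] * p["fw_parallel"]
    r["capex_firewalls"] = fw_count * p["fw_price"]
    r["capex_remote"] = p["ra_capex"]
    r["capex_nids"] = p["nids_sensors"] * p["nids_sensor_price"]
    r["capex_total"] = r["capex_firewalls"] + r["capex_remote"] + r["capex_nids"]
    # Firewall OpEx: labour days are priced at the administrator's daily rate
    fw_day_rate = p["fw_admin_cost_yr"] / WORKING_DAYS_PER_YEAR
    r["opex_fw_support"] = fw_count * p["fw_support_yr"]
    r["opex_fw_routine"] = p["fw_admin_cost_yr"] * fw_count / p["fw_per_admin"]
    r["opex_fw_standards"] = (p["fw_doc_days"] + p["fw_review_days"]) * fw_count * fw_day_rate
    r["opex_fw_assessment"] = (p["assessments_yr"] * p["assessment_cost"]
                               * p["assessment_perimeter_share"])
    r["opex_firewalls"] = (r["opex_fw_support"] + r["opex_fw_routine"]
                           + r["opex_fw_standards"] + r["opex_fw_assessment"])
    # Remote access OpEx: user time in training, course fees, periodic background checks
    ra_day_rate = p["ra_user_cost_yr"] / WORKING_DAYS_PER_YEAR
    r["opex_ra_labour"] = p["ra_users"] * p["ra_training_days"] * ra_day_rate
    r["opex_ra_program"] = p["ra_users"] * p["ra_training_days"] * p["ra_training_cost_day"]
    r["opex_ra_background"] = p["ra_bg_users"] * p["ra_bg_cost"] / p["ra_bg_interval_yrs"]
    r["opex_remote"] = r["opex_ra_labour"] + r["opex_ra_program"] + r["opex_ra_background"]
    # NIDS OpEx
    r["opex_nids_support"] = p["nids_sensors"] * p["nids_support_yr"]
    r["opex_nids_labour"] = p["nids_admin_cost_yr"] * p["nids_sensors"] / p["nids_sensors_per_admin"]
    r["opex_nids"] = r["opex_nids_support"] + r["opex_nids_labour"]
    # Preventable incidents: per-decade frequencies converted to an annual expected loss per site
    r["opex_major"] = p["major_cost"] * p["major_per_decade"] / p["sites"] / 10
    r["opex_routine"] = p["routine_cost"] * p["routine_per_site_decade"] / 10
    r["opex_insider"] = p["insider_cost"] * p["insider_per_site_decade"] / 10
    r["opex_incidents"] = r["opex_major"] + r["opex_routine"] + r["opex_insider"]
    r["opex_total"] = r["opex_firewalls"] + r["opex_remote"] + r["opex_nids"] + r["opex_incidents"]
    # Comparison: the unidirectional option costs more up front and less to run
    r["capex_difference"] = p["uni_capex"] - r["capex_total"]
    r["opex_difference"] = r["opex_total"] - p["uni_opex"]
    r["payback_months"] = 12 * r["capex_difference"] / r["opex_difference"]
    r["payback_whole_months"] = math.ceil(r["payback_months"])  # assumed rounding used by the deck
    return r


if __name__ == "__main__":
    results = cost_model(DECK_INPUTS)
    for name, value in results.items():
        if name.startswith("payback"):
            print(f"{name:24s} {value:>12.1f} months")
        else:
            print(f"{name:24s} ${value:>12,.0f}")
```

Changing a single input, for example setting "fw_parallel" to 2 for a high-availability pair or "nids_sensors" to the number actually deployed, recomputes every dependent total and the payback period, which is the point of having the model as code rather than as a slide.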

Slide 20: Waterfall Security Solutions
- Headquarters in Israel, sales and operations office in the USA
- Hundreds of sites deployed in all critical infrastructure sectors
- Frost & Sullivan: Entrepreneurial Company of the Year Award for ICS network security
- Pike Research: Waterfall is a key player in the cyber security market
- Strategic partnership agreements / cooperation with OSIsoft, GE, Siemens, and many other major industrial vendors
- Market leader for server replication in industrial environments

Slide 21: Strong Security Reduces Operating Costs
- The majority of sites are not managing firewalls according to best practice
- Most practitioners do not believe realistic calculations of their annualized dollar risk due to preventable cyber incidents
- Unidirectional customers report payback periods from operational cost savings of 12-18 months
- Stronger than firewalls, and cheaper, too