Industrial Cyber Security 101
Mike Spear
Introduction

Mike Spear, Duluth, GA, USA
Global Operations Manager, Industrial Cyber Security
Mike.spear@honeywell.com

- Responsible for the Global Delivery of Honeywell's Industrial Cyber Security Solutions
- Focus: Cyber Security, Industrial Networks, and Wireless
- Over 30 years of Technical Management and Consulting
- Process, Batch, Discrete Manufacturing & Power Industries
- 9th Year with Honeywell Process Solutions
- CIS Advisory Board Member, Gwinnett Technical College

2015 Honeywell International All Rights Reserved
Agenda

- What is Industrial Cyber Security?
- Is the Risk Real?
- Where to start?
- Standards
- Where can I get more Information?
What Is Industrial Cyber Security?

- Body of technologies, processes and people designed to protect industrial networks from damage, disruption, unauthorized access or exploitation via electronic means
- Requires a deep understanding of industrial control systems/operations plus information technology/cyber security expertise

IT Cyber Security:
- Confidentiality and information
- Business systems

Industrial Cyber Security:
- Process availability, safety, reliability
- No disruptions; never down
- Unique, specific requirements
Is there a Real Threat?

ICS-CERT*: 245 Reported Incidents
- 55% APT
- 38% of ICS incidents classified as unknown (lack of detection and monitoring)

Industrial Incidents:
- Energy = 33%
- Water = 5%
- Chemical = 3%
- Nuclear = 2%
- Process Industry accounts for 43%

*Source: DHS-NCCIC Incident Response/Activity 2014
*ICS-CERT: Industrial Control System Cyber Emergency Response Team
APT: Advanced Persistent Threat
Are you Immune?

"My PCN does not connect to the Internet." "We do not allow portable media." "Has a firewall." "I stayed at a Holiday Inn Express." Therefore, my ICS is 100% secure.

35% of ICS Incidents are a result of Malware! Most penetrate from WITHIN the ICS environment.

Penetration Sources*:
- USB/Portable Media: 36%
- Vendor: 28%
- Internal Employee, Direct: 24%
- Corporate Network: 4%
- Remote Access: 4%
- Unknown: 4%

*Source: Honeywell Process Solutions
Insider Risks & Threats

Threat:
- The "Snowden" threat: an insider who goes rogue
- Trusted attackers are difficult to detect and catch
- Must consider multiple users accessing systems

Risks:
- Trusted resources that have been compromised
- Unsuspecting, innocent employee who is exploited
- Laptop compromised outside of the plant via malware

Applies to employees, vendors and contractors
Security Design

IDENTIFY
- Technical controls: vulnerability scanning, monitoring, ...
- Non-technical controls: assessments, risk management

PROTECT
- Technical controls: firewall, AWL, AV, IPS, DC, network segmentation, ...
- Non-technical controls: security policies and procedures

DETECT
- Technical controls: IPS, IDS, SIEM, security dashboard, ...
- Non-technical controls: security monitoring

RESPOND
- Technical controls: IPS, recovery CD, ...
- Non-technical controls: security incident response, disconnection management

RECOVER
- Technical controls: back-up control center, ...
- Non-technical controls: data recovery, disaster recovery

The plant is secure if the time to breach the protection is greater than the time to detect the event plus the time to respond to the event:

  T_B > (T_D + T_R)
What is your Risk Appetite?
Levels of Security

What is an appropriate protection level for my plant?

ISA 99 / IEC 62443-3-3 Security Levels (technical protection level):
- SL 4: Protects against intentional security incidents using sophisticated means and having extended resources
- SL 3: Protects against intentional security incidents using sophisticated means
- SL 2: Protects against intentional security incidents using simple means
- SL 1: Protects against casual security incidents

NIST / C2M2 Maturity Levels (governance maturity level):
- ML 4: Practices are adapted based on lessons learned and predictive indicators derived from previous cyber security activities.
- ML 3: Risk practices are approved by management and expressed as policy; policies, processes, and procedures are defined, implemented and validated.
- ML 2: Risk practices are approved by management; staff has adequate resources to perform cyber security duties.
- ML 1: Practices are not formalized, often case by case, and risk is managed in an ad hoc and sometimes reactive manner.
Levels of Security

Security level (SL 1 to SL 4) plotted against maturity level (ML 1 to ML 4):
- Security level 4: critical infrastructure (typical critical infrastructure: oil & gas, power, water)
- Security levels 3, 2 and 1
- Non-critical infrastructure (typical non-critical infrastructure: plastics, steel, resins, food, paper, beverages)

Where are we today? In our security assessments most companies score between SL 1 and SL 2, and between ML 1 and ML 2.

Classifications of criticality can differ by country!
System Profiling

Security level (rows) against maturity level (columns); each cell is a system profile number:

         ML1  ML2  ML3  ML4
  SL4     13   14   15   16
  SL3      9   10   11   12
  SL2      5    6    7    8
  SL1      1    2    3    4
Where Do you Want to be?
Awareness
Awareness

Questions to consider:

Portable Media
- What if you find a USB flash drive in the parking lot? What do you do?

Network/Security Documentation
- What happens with network/security documentation and information? Is it stored in a secure place that only authorized people can access, or can everyone in the company get access?

Backups
- What about back-ups containing all documentation, including network/security information, passwords and other system settings? Are they securely stored or available to many? Will they restore?

People
- What do you do when a system administrator who knows all the ins and outs of your cyber security leaves?
- Has your system been set up such that one person has all the information, access rights, etc.?
- Are the vendors involved in your security bound by confidentiality?

General
- What does your company do to create awareness for cyber security? Training, policies, procedures, best practices, enforcement.
- Do you have an updated/accurate incident management plan to execute during a cyber attack?
Segmentation
Architecture Segmentation

Technical Security Controls:
- Separation from the Business Network
- Firewall Segmentation
  - Review configuration
  - Log review
  - Rule management, especially outbound rules
  - Consider a Next Generation Firewall (includes advanced inspection functionality)
- Zones and Conduits
  - Grouping of nodes with like security requirements
  - Conduits should always connect adjacent zones
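The zones-and-conduits and firewall rule review points above can be checked mechanically. The following is an added example written for this page, not Honeywell's code or any product's output: it models zones with an assumed numeric level (adjacent zones differ by exactly one), rejects conduits that do not join adjacent zones, and reviews allow rules for three of the concerns listed (a rule with no valid conduit behind it, an outbound rule toward the business side that permits any port, and a rule that has not been reviewed recently). Zone names, rule names and the review-age threshold are constructed sample values.

```python
"""Zone/conduit model and firewall rule review for an ICS segmentation design.

Added example for this page (not Honeywell's code). The zone level numbering,
the one-year review threshold and all sample data below are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    level: int  # assumed ordering: higher = closer to the business network


@dataclass(frozen=True)
class Conduit:
    a: str  # zone names at either end; a conduit is treated as unordered
    b: str


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: str  # "any" or a TCP/UDP port number as text
    action: str  # "allow" or "deny"
    days_since_review: int


def valid_conduits(zones, conduits):
    """Split conduits into those joining adjacent zones and a finding per rejected one."""
    level = {z.name: z.level for z in zones}
    valid, findings = [], []
    for c in conduits:
        if c.a not in level or c.b not in level:
            findings.append(f"conduit {c.a}<->{c.b}: unknown zone")
        elif abs(level[c.a] - level[c.b]) != 1:
            findings.append(
                f"conduit {c.a}<->{c.b}: zones are not adjacent "
                f"(levels {level[c.a]} and {level[c.b]})"
            )
        else:
            valid.append(c)
    return valid, findings


def review_rules(zones, conduits, rules, max_review_age_days=365):
    """Return one finding per problem found in the allow rules.

    Checks: the rule rides a valid (adjacent-zone) conduit; an outbound rule
    (destination closer to the business network) does not permit any port;
    the rule has been reviewed within max_review_age_days.
    """
    level = {z.name: z.level for z in zones}
    valid, _ = valid_conduits(zones, conduits)
    pairs = {frozenset((c.a, c.b)) for c in valid}
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules are not a path and are not reviewed here
        if frozenset((r.src_zone, r.dst_zone)) not in pairs:
            findings.append(
                f"rule {r.name}: allows {r.src_zone}->{r.dst_zone} with no valid conduit"
            )
        outbound = level.get(r.dst_zone, 0) > level.get(r.src_zone, 0)
        if outbound and r.dst_port == "any":
            findings.append(f"rule {r.name}: outbound rule permits any port")
        if r.days_since_review > max_review_age_days:
            findings.append(
                f"rule {r.name}: last reviewed {r.days_since_review} days ago"
            )
    return findings


# Constructed sample architecture: control network, DMZ, business network.
ZONES = [Zone("control", 1), Zone("dmz", 2), Zone("business", 3)]
CONDUITS = [
    Conduit("control", "dmz"),
    Conduit("dmz", "business"),
    Conduit("control", "business"),  # skips the DMZ: not adjacent, must be rejected
]
RULES = [
    Rule("historian-replication", "control", "dmz", "443", "allow", 30),
    Rule("remote-support", "business", "dmz", "3389", "allow", 90),
    Rule("legacy-any-out", "control", "business", "any", "allow", 540),
    Rule("block-all", "control", "business", "any", "deny", 30),
]

if __name__ == "__main__":
    _, conduit_findings = valid_conduits(ZONES, CONDUITS)
    for f in conduit_findings + review_rules(ZONES, CONDUITS, RULES):
        print(f)
```

Running the sample flags the control-to-business conduit as non-adjacent and reports the "legacy-any-out" rule three times: it has no valid conduit behind it, it lets any port out of the control zone, and it is overdue for review; the two narrowly scoped rules on valid conduits produce no findings.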
Getting Started Summary

- Determine Risk Appetite: current state vs desired state
- Create Awareness: policies and procedures
- Implement Architecture Segmentation: zones and conduits
Standards & Regulations
Cyber Security Standards for ICS

Oriented toward owner/operators:
- Security architecture
- Procurement
- Technical and non-technical security controls
- ISMS framework

Oriented toward suppliers:
- Equipment requirements
- Development requirements
- Service delivery

Oriented toward technical countermeasures:
- Industry specific (power, water, pipelines, chemical, offshore, critical infrastructure)

Oriented toward non-technical countermeasures:
- Industry specific (power, water, pipelines, chemical, offshore, critical infrastructure)
Standards/Guidelines/Frameworks (just a small overview)

Standards placed on the owner/operator vs supplier/vendor and technical vs non-technical grid: API 1164, NISTIR 7628, IEC 62443-3-3, EPRI 1023502, IEC 62443-2-1, IEC 62443-2-2, NISTIR 7874, IEC 62443, NERC CIP, IEC 62443-2-3, NISTIR 75574 7788-75575, IEC 62443-4-2, NISTIR 7328, IEC 62443-2-4, IEC 62443-4-1

- ISA 99 / IEC 62443 program: 13 security standards covering the full spectrum
- ISASecure™ program: Embedded Device Security Assurance (EDSA), System Security Assurance (SSA), Security Development Lifecycle Assurance (SDLA)
- NERC CIP program: 8 security standards for power utilities
- Procurement guidelines: EPRI, DHS
- Smart grid security guidelines: NISTIR, ENISA
- Pipeline cyber security
- Maritime cyber security
Is that All?

Unfortunately, no:
- IEC 61508 (security controls safety)
- IEC 61511 (security controls safety)
- Industry specific security standards: Chemical - CIDX; Water systems - EPA
- National/regional security standards: ANSSI (French critical infrastructure), VGB (German (nuclear) power industry), OLF (Norwegian offshore), CPNI (UK critical infrastructure), ICT Qatar guidelines, NIST, ENISA, WIB, etc., etc., etc.
Man Years of Effort

Standards are good; however:
- Too many
- Overlap
- Inconsistent
- Focus primarily on technical controls
- ICS standards still need to mature
- Business justification

Will need to employ a hybrid depending on industry:
- IEC 62443 & NIST
- Embedding into overall risk management framework

"All progress is precarious, & the solution of one problem brings us face to face with another problem." - Martin Luther King
Other Sources of Information

Monday, 2:00 PM: Cyber Security Strategies: Introducing Honeywell Risk Manager (Grand Oaks Ballroom AB). Presenter: Eric Knapp, Director Industrial Cyber Security Solutions & Technologies
Monday, 4:15 PM: Continuous Industrial Cyber Risk Mitigation with Managed Services Monitoring & Alerting (Grand Oaks Ballroom CD). Presenter: Mark Littlejohn, Global Manager, Industrial Managed Security Services
Thursday, 1:00 PM: Preventing, Detecting & Recovering from a Cyber Incident (Cibolo Canyon BR 1/2). Presenter: Mike Baldi, Industrial Cyber Security Solutions Architect
Thursday, 1:00 PM: Best Practices for Securing Process Control Networks (Grand Oaks Ballroom). Presenter: Jay Gustin, Engineering Fellow
Thursday, 1:00 PM: Fundamentals of Process Control Design (Grand Oaks Ballroom PQ). Presenter: Sachi Dash, Manager Project Engineering

To learn more: Knowledge Center (all days, various times). Contact: Robert Alston, Americas Technical Leader Industrial Cyber Security
Any questions?
Honeywell Industrial Cyber Security
Layered Approach to Governance