2014 Honeywell Users Group Asia Pacific
Effective Defense in Depth Strategies for Industrial Systems
Honeywell.com
Honeywell Proprietary
About the Presenter
Chee Ban, Ngai
Honeywell Industrial Cyber Security, APAC Leader
cheeban.ngai@honeywell.com
- Over 20 years of experience in Information Technology risk management and industrial cyber security.
- Mechanical engineer by training, Master in Software Engineering, CISSP & CISA.
- Stint in corporate IT at DBS Bank, Maybank, Stanchart and as SOC operations director in APAC.
- Industrial cyber security at PETRONAS.
Industrial IT usage 8-10 years behind Corporate IT experience
[Figure: the stages Anti-virus & Firewalls, Security Standards, and Regulatory Compliance & CIP appear twice, with these labels: Localized concerns; Security best practices; ISO / IEC 27001; Open systems architecture; Regulatory standards; Compliance audits; Process & Procedures; ISA / IEC-62443 (ISA-99); Regulatory audits.]
Case: Lack of fundamental cyber security care & practices
- Microsoft patches were outdated by 2 months.
- Anti-virus scanning turned off.
- Network slowed down whenever PHD server turned on.
- Found infected with Conficker virus.
HONEYWELL CONFIDENTIAL - FOR INTERNAL USE ONLY
Case: Lack of fundamental cyber security care & practices
- Physical access security is important too!
- Unauthorised access to servers possible.
- Lack of attention to environmental control.
- Entry to CCR by card access & Room by biometric fingerprint authentication.
Testing & Qualification of Microsoft Patch Updates & Anti-Malware Updates for Honeywell Systems
Honeywell SUIT LAB, HTS-Hyderabad
Security Update Investigation Team
2012 Honeywell Proprietary
Honeywell tests & qualifies Microsoft Patch Updates for full-compatibility with Honeywell Systems
- Microsoft published patch available for MS11-077 Vulnerability.
- US-CERT issued alert on Microsoft patch necessary for MS11-077 Vulnerability.
- Honeywell announced tested patch for MS11-077 is available.
- Honeywell tested MS11-077 patch next day after.
Testing of Anti-Virus Signature Updates: Why is it Important?
Secure Delivery of Tested-Patch/Anti-Malware Updates
[Figure: network diagram spanning Level 4, Level 3.5 DMZ, Level 3, Level 2 and Level 1. Components shown: Anti-Malware, Experion EST, Windows Patch Mgmt (WSUS), Secure Service Node, Relay, Corporate Proxy, Managed Security Service Center, Communication, Applications, Operator Controls, ACE, Engineering Controls, Domain Controller, 3rd Party Apps, ESF, Experion, Terminal, Databases, Corporate Router, Internet.]
- SSL Encrypted, Certificate Authenticated Tunnel
- Initiated by site's Secure Service Node
- Connect to Managed Security Service Center ONLY
- Tunnel through corporate network provides additional security
- Relay isolates PCN from Corporate Network
- Restricts end nodes from sending or receiving data out of PCN DMZ
Network Architecture Security: Zones & Conduits (Courtesy: Tofino)
Specifying the Zones (Courtesy: Tofino)
Defining the Conduits (Courtesy: Tofino)
ISA-95 PCN Secure Architecture Standard
Comm flow:
- Limited L2 to L1
- No communications between L1 & L3 or L4
- Limited L2 to L3
- Very Limited L2 to L3.5
- Very Limited L3 to L3.5
- Very Limited L3.5 to L4
- No Direct communications between L4 & L3 or L2
- Within a level: L4 to L4, Limited L3.5 to L3.5, L3 to L3, L2 to L2, L1 to L1
[Figure: layered network diagram. Labels shown: Enterprise Switch, Level 4, Firewall, Level 3.5 DMZ, Domain Controller, ESF, PHD, Experion EAS, Terminal, Patch Mgmt, Anti Virus, 3rd Party App, Subsystem Interface, PHD Shadow, Level 3, Router, ESC, ESF, ACE, Experion EST, Optional HSRP Router, ESVT, Safety Manager, Terminal, Domain Controller, Level 2, Level 1, Qualified Cisco Switches.]
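The communication-flow rules on this slide can be checked against observed traffic. The following Python is an added example, not part of the original deck or of any Honeywell tool; the subnet-to-level map and the sample flows are constructed, and treating each rule as an unordered pair and denying pairs the slide does not list are assumptions of the example.

```python
import ipaddress

# Constructed subnet-to-level map (assumption); a site would use its asset inventory.
ZONES = {"L1": "10.1.0.0/16", "L2": "10.2.0.0/16", "L3": "10.3.0.0/16",
         "L3.5": "10.35.0.0/16", "L4": "10.4.0.0/16"}
NETS = {lvl: ipaddress.ip_network(cidr) for lvl, cidr in ZONES.items()}

# Conduits listed on the slide, as unordered level pairs (direction is not
# modelled: an assumption of this example).
CONDUITS = {
    frozenset({"L1", "L2"}): "limited",
    frozenset({"L2", "L3"}): "limited",
    frozenset({"L2", "L3.5"}): "very limited",
    frozenset({"L3", "L3.5"}): "very limited",
    frozenset({"L3.5", "L4"}): "very limited",
    frozenset({"L3.5"}): "limited",  # L3.5 to L3.5
}

def level_of(ip):
    """Return the level whose subnet contains ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    return next((lvl for lvl, net in NETS.items() if addr in net), None)

def classify(src_ip, dst_ip):
    """Map one flow to a verdict: allowed, limited, very limited or deny."""
    src, dst = level_of(src_ip), level_of(dst_ip)
    if src is None or dst is None:
        return "deny: endpoint outside any defined zone"
    verdict = CONDUITS.get(frozenset({src, dst}))
    if verdict:
        return verdict
    if src == dst:
        return "allowed"  # L1-L1, L2-L2, L3-L3, L4-L4
    return f"deny: no conduit between {src} and {dst}"  # includes unlisted pairs

def audit(flows):
    """Return (src, dst, port, verdict) for every flow the policy denies."""
    checked = [(s, d, p, classify(s, d)) for s, d, p in flows]
    return [f for f in checked if f[3].startswith("deny")]

# Constructed sample flows (src, dst, dst port), e.g. parsed from firewall logs.
SAMPLE_FLOWS = [
    ("10.2.0.10", "10.1.0.5", 502), ("10.4.0.20", "10.3.0.7", 1433),
    ("10.3.0.7", "10.35.0.9", 443), ("10.1.0.5", "10.4.0.20", 80),
    ("192.0.2.1", "10.2.0.10", 3389),
]

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```

Flows classified as limited or very limited are not findings here; they still need a per-conduit rule review of the specific hosts and ports involved.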
IEC 62443 / ISA 99 Cyber Security Standard for ICS
Key references:
- IEC 62443-3-2: SL, zones & conduits
- IEC 62443-3-3: Security Requirements
- IEC 62443-2-2: Non-technical controls
Experion Backup & Restore
Defense in Depth: Rudimentary Perspective
Layered Approach to Process Network Security
- Controlled Physical Access
- OS Patch & Anti-malware updating
- Defined Security Zones
- Cyber security best practices
- Redundancy
ISA / IEC 62443 Security Levels (SL)
- SL 1: PROTECTION AGAINST CASUAL OR COINCIDENTAL VIOLATION (e.g. changing a setpoint to a value outside engineering defined conditions, interception of a password sent over the network in clear text.)
- SL 2: PROTECTION AGAINST INTENTIONAL VIOLATION USING SIMPLE MEANS (e.g. virus infection, exploiting commonly known vulnerabilities of DMZ hosts.)
- SL 3: PROTECTION AGAINST INTENTIONAL VIOLATION USING SOPHISTICATED MEANS (e.g. exploits in operating systems, protocols. Attacker requires advanced security knowledge, advanced domain knowledge, advanced knowledge of the target system. E.g. password cracking.)
- SL 4: PROTECTION AGAINST INTENTIONAL VIOLATION USING SOPHISTICATED MEANS WITH EXTENDED RESOURCES (Similar to SAL 3 but attacker now has extended resources at their disposal. E.g. Stuxnet attack.)
Defense in Depth: so, where do we go from here after all these?
Defense in Depth: Advanced Perspective
Layered Approach to Process Network Security
- Regular Cyber Security Assessment
- Security Intelligence Monitoring
- Interceptions & Control
- Application Layer Security
- Security Incidence Response
Cyber Security Assessment
1: Discussions, information collation.
2: Documentation, Network architecture reviews.
3: Vulnerability assessment testing.
4: Verification and validation of test results with customer's technical representatives.
5: Presentation of to customer's management.
6: Cyber security assessment report.
Security Intelligence Monitoring
For assuring cyber security requirements at a glance:
- Instantaneous view of current cyber posture
- Drill down to cyber tools
Value includes:
- Quick status assurance
- Reduced administrative load
- Meet regulatory requirements
Service includes:
- Vendor flexible interface for: Antivirus, Application Whitelisting, Security Patching, Backup / Restore, Network Security
[Figure: Cyber Security Dashboard]
Deep Packet Inspection
[Figure: packet encapsulation from Layer 1 up to Layers 5-7 (Ethernet Header, IP Header, TCP/UDP Header, Application Contents), annotated with the threats App Hijacking, Droppers, Worms, Viruses, Syn Flood, Smurf, Session Hijack and RPC attacks.]
Deep Packet Inspection
[Figure: detection capability of the two inspection methods]
- Application Session Inspection: All Packets in a Session are Reassembled, Decoded and Inspected
- Deep Packet Inspection: Each Packet is Decoded and Inspected in Sequence
Application Whitelisting
Whitelisting is the process of preventing malicious software from infecting your system by defining only which processes are allowed to run and by blocking all other programs.
Security Incident Response (ISA-99.02.01-2009)
- Incident discovery - reporting
- Authentication
- Containment
- Categorization, Response Escalation
- Recovery
- Forensics
- Management reporting
Honeywell 2011 version 5.1
Questions
Contacts
Chee Ban Ngai
Industrial Cyber Security, Leader, Asia Pacific
phone: +603 7958 8922
cell: +6012 233 0915
cheeban.ngai@honeywell.com
Follow us:
- Blog: http://insecurity.honeywellprocess.com
- Website: http://www.honeywellprocess.com
- Website: http://www.becybersecure.com
Thank You