Continuous Industrial Cyber Risk Mitigation with Managed Services Monitoring and Alerting
2 © 2015 Honeywell International All Rights Reserved
Focus: Up to But Not Including Corporate and 3rd Party Networks
[Network architecture diagram. Levels shown: Level 1, Level 2, Level 3, Level 3.5 DMZ, Level 4, with the boundary between IT Cyber Security and Industrial Cyber Security marked. Components labelled: Router, Optional HSRP Router, Qualified Cisco Switches, Firewall, Terminal Server, Domain Controller, Experion Server, ESC, ESF, EST, ESVT, EAS, ACE, Safety Manager, PHD Server, PHD Shadow Server, eServer, Patch Mgmt Server, Anti Virus Server, 3rd Party App Subsystem Interface, and Corporate and 3rd Party/Vendor/Contractor/Maintenance Connections.]
Function
• IDENTIFY
• PROTECT
• DETECT
• RESPOND
• RECOVER
Critical Infrastructure Cybersecurity Framework
http://www.nist.gov/cyberframework/
Maps controls to:
• ISO 27001
• ISA 99/IEC 62443
• NIST SP 800-53
• COBIT 5
• CCS CSC
Function: Elements
• IDENTIFY: Hardware & Software Inventory, Policy & Procedures, Network Topology, Security Risk Assessments
• PROTECT: Firewalls, Passwords, Antivirus, Patching, USB Control, Physical Security, Change Control, Backup & Recovery
• DETECT: ?
• RESPOND: ?
• RECOVER: ?
Critical Infrastructure Cybersecurity Framework
http://www.nist.gov/cyberframework/
Industrial Cyber Attacks & Incidents Are Rising
Information Stealer Malware
Worm Targeting SCADA and Modifying PLCs
Virus Targeting Energy Sector Largest Wipe Attack
Virus for Targeted Cyber Espionage in Middle East
Worm Targeting ICS Information Gathering and Stealing
Large-Scale Advanced Persistent Threat Targeting Global Energy
APT Cyber Attack on 20+ High Tech, Security & Defense Cos.
Cyber-Espionage Malware Targeting Gov’t & Research Organizations
Industrial Control System Remote Access Trojan & Information Stealer
Security Bug and Vulnerability Exploited by Attackers
What do these 3 Plants have in common?
German Steel Plant
Turkish Pipeline
Iranian Nuclear Facility
Increased Activity & Success
Nov 20, 2014 NSA Chief FINALLY states:
“It’s already happened!”
Jan 23, 2015 Cisco CEO states
“Cyber Attacks will double this year”
Common Thread
• Most of these attacks could have been stopped using good protection and detection capabilities
• The results/effects of ALL of these attacks could have been reduced via continuous monitoring
Is your ICS currently infected or under attack?
Key Events to Monitor
• Network Activity Logs: ACL Rules, Utilization Spikes, Passwords/Strings
• System Audit Logs: Unauthorized Access, Disabling Controls, Configuration Changes
• System Availability/Performance: Application Health, CPU Utilization, Hardware Errors, Overruns
• Administrative Changes: GPO Modifications, Group Additions, Enabling USB Devices
• Software Update Compliance: Aging for Virus Signatures, Security Patches, Software Updates
• Virus Infections
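The list above says what to watch for but not how a monitoring system turns a logged event into an alert. The following Python script is an added example, not part of the Honeywell presentation, that runs simple detection rules over a constructed log for three of the slide's categories: system audit logs (repeated unauthorized-access attempts, disabling of a protective control), administrative changes (GPO modifications, additions to privileged groups, USB storage enablement) and software update compliance (aging of antivirus signatures and security patches). The log layout, event names, host names, group names and thresholds are all assumptions made for the illustration and do not describe any vendor's real schema.

```python
"""Detection rules for several of the "Key Events to Monitor" (added example,
not Honeywell's code). Log layout, event names, hosts and thresholds are
assumptions constructed for illustration."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp host EVENT key=value ..." layout.
SAMPLE_LOG = """\
2015-03-01T08:00:12 ESF-01 LOGON_FAILURE user=operator src=10.1.2.55
2015-03-01T08:00:14 ESF-01 LOGON_FAILURE user=operator src=10.1.2.55
2015-03-01T08:00:17 ESF-01 LOGON_FAILURE user=operator src=10.1.2.55
2015-03-01T08:00:19 ESF-01 LOGON_FAILURE user=operator src=10.1.2.55
2015-03-01T08:00:21 ESF-01 LOGON_FAILURE user=operator src=10.1.2.55
2015-03-01T09:15:02 EST-02 AV_SERVICE_STOPPED user=engineer
2015-03-01T09:20:45 DC-01 GROUP_MEMBER_ADDED group=Administrators member=tmpuser user=engineer
2015-03-01T09:21:10 DC-01 GPO_MODIFIED gpo="Default Domain Policy" user=engineer
2015-03-01T09:22:00 DC-01 GROUP_MEMBER_ADDED group=Operators member=newop user=engineer
2015-03-01T10:02:00 EST-02 USB_STORAGE_ENABLED user=engineer
2015-02-20T01:00:00 ESF-01 AV_SIGNATURE_UPDATE version=2015.02.20
2015-03-01T01:00:00 EST-02 AV_SIGNATURE_UPDATE version=2015.03.01
2014-11-15T03:00:00 EST-02 PATCH_INSTALLED kb=KB-PLACEHOLDER
2015-02-25T03:00:00 ESF-01 PATCH_INSTALLED kb=KB-PLACEHOLDER
"""
NOW = datetime(2015, 3, 1, 12, 0, 0)  # fixed "current time" so the run is reproducible

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed event names for "disabling controls" and for privileged group additions.
CONTROL_DISABLED = {"AV_SERVICE_STOPPED", "AUDIT_LOG_CLEARED", "FIREWALL_DISABLED"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, etype, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "host": host, "type": etype, "fields": fields}


def detect(events, now, failures=5, window=timedelta(minutes=5),
           max_sig_age=timedelta(days=7), max_patch_age=timedelta(days=90)):
    """Return (rule, host, detail) alerts for the monitored event classes."""
    alerts = []
    recent_failures = defaultdict(list)  # (host, user) -> failure timestamps in window
    for e in sorted(events, key=lambda e: e["ts"]):
        t, f = e["type"], e["fields"]
        if t == "LOGON_FAILURE":
            # Unauthorized access: N failures for one account on one host inside the window.
            key = (e["host"], f.get("user"))
            times = recent_failures[key]
            times.append(e["ts"])
            while times and e["ts"] - times[0] > window:
                times.pop(0)  # slide the window forward
            if len(times) >= failures:
                alerts.append(("unauthorized_access", e["host"],
                               f"{len(times)} logon failures for {key[1]} within {window}"))
                times.clear()  # alert once per burst
        elif t in CONTROL_DISABLED:
            alerts.append(("control_disabled", e["host"], f"{t} by {f.get('user', '?')}"))
        elif t == "GROUP_MEMBER_ADDED":
            if f.get("group") in PRIVILEGED_GROUPS:  # routine operator groups are not alerted
                alerts.append(("admin_change", e["host"],
                               f"{f.get('member')} added to {f.get('group')} by {f.get('user')}"))
        elif t in ("GPO_MODIFIED", "USB_STORAGE_ENABLED"):
            alerts.append(("admin_change", e["host"], f"{t} by {f.get('user', '?')}"))

    # Software update compliance: age of the newest signature/patch event per host;
    # a host with no such event at all is also non-compliant.
    latest = {}
    for e in events:
        if e["type"] in ("AV_SIGNATURE_UPDATE", "PATCH_INSTALLED"):
            key = (e["host"], e["type"])
            latest[key] = max(latest.get(key, e["ts"]), e["ts"])
    for host in sorted({e["host"] for e in events}):
        for etype, limit, label in (("AV_SIGNATURE_UPDATE", max_sig_age, "virus signatures"),
                                    ("PATCH_INSTALLED", max_patch_age, "security patches")):
            ts = latest.get((host, etype))
            if ts is None:
                alerts.append(("update_compliance", host, f"no {label} update on record"))
            elif now - ts > limit:
                alerts.append(("update_compliance", host,
                               f"{label} are {(now - ts).days} days old (limit {limit.days})"))
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. {'admin_change': 3, ...}."""
    return dict(Counter(rule for rule, _, _ in alerts))


def run_sample():
    """Run the detector over the constructed sample log at the fixed NOW."""
    events = [e for e in map(parse_line, SAMPLE_LOG.splitlines()) if e]
    return detect(events, NOW)


if __name__ == "__main__":
    for rule, host, detail in run_sample():
        print(f"{rule:20} {host:8} {detail}")
```

Two design points carry over to a real deployment: the compliance rule treats "no update event seen" as a finding, because a host that never reports is the one most likely to have fallen out of the patching and signature process, and the logon-failure rule clears its window after alerting so a long burst produces one alert for an analyst rather than one per additional failure.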
Key Devices to Monitor
• Control Systems Servers
• Controllers
• Safety Managers
• Historians
• Network Devices (firewall, switch, wireless)
• Windows Servers
• Workstations (operator & engineering)
• System Backups
• Virtual Hosts
Obstacles to Effective Monitoring
• Budget for required utilities: Intrusion Detection Systems; Security Information & Event Management; Logging Agents, Relay Servers, Databases, etc.
• Personnel required for administration: initial installation of the components above; analysis of events to determine what is critical; investigation of alerts to determine next steps
• Other concerns: competing DCS priorities; training on new technology; different expertise per location
Continuous Monitoring Best Practice
Hire a company to monitor your systems for ¼ the price, but only if they have the following:
• Expertise in Control System security
• Methodology that complies with IEC 62443
• Passive, Comprehensive, Secure
• 100s of current ICS customers
• Follow the sun support model
• Geographically separate operating facilities
• Vendor Agnostic
Voice of Customer
1. For patching updates, are you using manual or automated processes? Manual ____ Automated ____
2. For antivirus updates, are you using manual or automated processes? Manual ____ Automated ____
3. On a scale of 1-10 (10 being very satisfied), how satisfied are you with how you currently monitor the security of your control system?
4. If you are not currently using Whitelisting, how soon do you intend to add Whitelisting to your cyber security program? Within 6 months / 1 year / 2 years or beyond / Never