© 2015 IBM Corporation
IBM & Security Industry: Points of View
IV Congreso Internacional de Ciberseguridad Industrial, Buenos Aires, 2 June 2015
Santiago Cavanna, IBM Security BU Argentina, Uruguay, Paraguay – [email protected] – @scavanna
IBM Security
Energy and Utilities & Security: The IBM Point of View
Shifts in energy policy, technology, and consumer focus – driven by concerns about energy security, environmental sustainability, and economic competitiveness – are creating a much more dynamic environment. Utility companies are investing to modernize their infrastructure, improve generation performance and enable new business models with their customers. But as companies transform their business towards smart grid technology, they face growing threats of cyber attacks, because the amount of infrastructure and the number of potential failure points along the grid increase. In addition, the need to secure assets and prevent data theft, combined with increasing pressure from complex regulatory requirements, is driving companies to manage their risk by focusing on key areas:

• Secure smart meters and their networks – while communications service providers have decades of experience in secure networking, securing the mesh networks that move data and control-signal traffic between individual utilities and the thousands or millions of smart meters they operate is a new domain, especially for utilities. Strategy – implement endpoint management controls to detect devices on the network and automate patch management.
• Protect critical infrastructure – critical infrastructure is becoming a primary target for cyber attacks: aging infrastructure and the migration to IP-based ICS networks become a potential weakness for attacks. Strategy – combine security intelligence and continuous monitoring for greater visibility and control.
• Secure web applications and customer data – web portals and smart meter applications have potential weaknesses in the code that can be a gateway to back-end data. Strategy – applications need to be tested regularly for code vulnerabilities that can expose customer data.
• Shifting regulatory requirements – organizations are challenged with identifying all critical assets and their interconnectivity to report adequate proof of compliance against NIST. Strategy – conduct a critical infrastructure security assessment to understand compliance posture and help the organization prioritize its security investments.
Energy and Utilities & Security: The IBM Point of View
How IBM Can Help
IBM has built and secured dozens of AMI smart meter networks around the world and has the skills and expertise to secure carrier-class substation networks. IBM has advised utilities on how to secure and protect their OT networks and systems, has a portfolio of market-leading software offerings and services, and is in an excellent position to assess your clients' security needs and deliver the right solution to: stop advanced threats, protect critical data, optimize security operations, safeguard cloud & mobile initiatives and help strengthen regulatory compliance.

IBM Security capabilities
• Secure critical infrastructure more effectively with real-time monitoring & security intelligence
• Centrally manage user identity and access management across diverse systems / organizations
• Simplify and secure application access from inside and outside of the organization
• Effective governance and compliance reporting
• Prevent potential distribution of malware throughout the smart grid network through effective endpoint management
• Implement threat and risk analysis for smart grid infrastructure

Learn more
• IBM Security Point of View
• 2014 Cyber Security Intelligence Index for Energy and Utilities
• 2014 X-Force Threat Intelligence Report
• 2014 IBM CISO Assessment Report
• IBM Security Client Reference Guide
End to End Security in Utilities

Security concerns and control areas shown on the slide (not all intersections shown):
• Meter reliability; meter data validity; meter availability
• Confidentiality of customer personal information
• AMI malware, cyber attacks
• Prevent HAN devices from attacking the grid
• Unauthorized meter disconnects/connects
• Prevent physical abuse of assets (remote substation); video surveillance
• Secure communication links; reliable communication
• Prevent power pilferage; meter theft
• Protect sensitive assets; employee background checks; prevent accidents
• Securely manage peak demand; accurate billing
• SCADA network security; generating, transmission & distribution network
• Critical asset discovery & identification
• Data center network, system, application, data security
• Context-sensitive access control
• Asset & configuration management
• Service availability & performance management
• Confidentiality, integrity & availability
• Physical security
• Operations & processes
• AMI & HAN security
• Incident management
• SCADA security
• Key management
• Firmware updates
• Regulatory compliance
Energy & Utility Potential Problem Areas
• Increased internal, industry, and government security policies, standards, and regulations
• Logical and physical integration requirements
• An increased number of end users and devices accessing your networks, applications, and data
• Threats of viruses, worms, and Internet attacks
• Regulatory requirements: FERC, NERC, SOX
• Varied locations & sources of identity information (native systems)
• Unauthorized/undetected use of applications & systems
• Challenges and risks inherent in next generation intelligent networks
• Improve operational efficiency – manage costs
• Protect security and privacy of critical assets
Points of Access for Vulnerabilities
• Regulators
• Industrial Control System vendors (SCADA)
• Software (operating systems and applications) vendor vulnerabilities
• Security patches break product certification
• Operator control via remote access (modem and TCP/IP) for maintenance and/or multiple-site readiness
• Any interface (SW to SW or system to system) is a prime target
© ABB Inc. June 3, 2015 | Slide 8
Security Controls: Cyber Security Controls and Physical Security Controls
Security for Industrial Control Systems (SCADA) – ICS security based on IEC 62443
Air-gap networks, apps and control data with firewalls, proxies
Which Operational Technology (OT) systems are we talking about?
– Field sensors
– IEDs
– T&D control systems (SCADA)
– Energy Management Systems (EMS)
– Distribution Management Systems (DMS)
– Outage Management Systems (OMS)
– Demand Response Systems
– Smart Grid communications equipment (SCADA)
– Meter Data Management Systems (MDMS)
– Asset Management (e.g., Maximo)
– Ops Centers (e.g., NOCs, SOCs)
– DCS and PLC systems in generating plants

Control Systems: Past & Present
A TCP/IP Enabled World
• Process Control Systems (PCS) migrating to TCP/IP networks
• SCADA and DCS typically rely upon "wrapped" protocols: analog control and reporting protocols embedded in digital protocols
• Encryption and command integrity limitations
• Poor selection of TCP/IP protocols
• Problems with patching embedded operating systems: controllers typically running outdated OSs; security patches and updates not applied; difficulty patching the controllers
Miniaturization and Bridging Networks
• Professional attack tools are small enough to fit on a standard smartphone
• Designed to "audit" and exploit discovered vulnerabilities
• Wireless or wired attacks, and remote control
• Smartphones also targeted: contact info; bridge to network
Figure caption: handheld hacking devices
Bridging Networks
• Softest targets appear to be the control centers: greatest use of "PC" systems; frequent external connectivity; entry point to critical plant systems
• Bridging control centers and the plant operational framework
• Network connectivity for ease of operational control
• Reliance on malware to proxy remote attacks
Proliferation of Networked Devices
• Switch from analog to digital controls
• Incorporation of network standards: TCP/IP communications; wireless communications
• Replacement SKU parts include new features "free": additional features may be "on" by default, or may be turned on by engineers
Figure captions: From analog to digital (+ networked); Wireless integration
Wireless RF / WiFi Attacks
• Increased use of wireless technologies
• Large security research focus: common topic/stream at hacking conferences
• Packet radio software: new tools and software to attack & eavesdrop on any RF transmission
• Community-based sharing of findings: tools and guides on long-range interception of wireless technologies
Figure caption: A 14.6 dBi Yagi antenna that can make a WiFi connection from 10 miles
ICS versus IT and Security

Industrial Control Systems (ICS)
• Protects the ability to operate safely and securely
• The end user is a computer
• A decentralized system to ensure availability / reliability
• Remote access is available to field devices
• Source code is often sold with the system
• Long life cycles
• Not patchable

IT Systems
• Protects the data on the client and in transit
• The end user is a human
• A centralized system to achieve economy of scale
• Limited remote access
• Source code is limited and protected
• Relatively short life cycles
• Patchable
Finding Holes: Penetration Testing (remote) and Security Assessment (local)
National and international: 15-20 unique security assessments in the last 5 years

America's Hackable Backbone
The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant's owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM's Internet Security Systems, found otherwise.
"It turned out to be one of the easiest penetration tests I'd ever done," he says. "By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, 'Gosh. This is a big problem.'"
Forbes, August 22nd 2007
Common Security Assessment Findings
• Weak protocols leave systems vulnerable
• PCS networks lack overall segmentation
• PCS networks lack antivirus protection
• Standard operating systems leave the device open to well-known security vulnerabilities
• Most IP-based communications within the PCS network are not encrypted
• Most PCS systems have limited-to-no logging enabled
• Many organizations still rely heavily on physical security measures
Not a technical problem, but a business challenge
• Many breaches could have been prevented
• However, significant effort is required to inventory, identify and close every vulnerability
• Financial & operational resistance is always encountered, so how much of an investment is enough?
The IBM Security Portfolio
Domains: People, Data, Applications, Network, Infrastructure, Endpoint

Products
• Security Intelligence and Analytics: QRadar SIEM, QRadar Log Manager, QRadar Risk Manager, QRadar Vulnerability Manager, QRadar Incident Forensics
• Advanced Fraud Protection: Trusteer Rapport, Trusteer Pinpoint Malware Detection, Trusteer Pinpoint ATO Detection, Trusteer Mobile Risk Engine
• Identity and Access Governance; Identity and Access Management; Privileged Identity Management; Federated Access and SSO; Mainframe Security
• Guardium Data Security; Guardium Database Vulnerability Management; Guardium / Optim Data Masking; Key Lifecycle Manager
• AppScan Source; AppScan Dynamic; DataPower SOA Security; Security Policy Manager
• Network Intrusion Prevention; Next Generation Network Protection; SiteProtector Threat Management; Network Anomaly Detection
• Trusteer Apex; Mobile & Endpoint Management; Virtualization and Server Security
• IBM X-Force and Trusteer Threat Intelligence

Services
• Strategy, Risk and Compliance: Security Maturity Benchmarking, Security Strategy and Roadmap Development, Security Risk Assessment and Program Design, Industrial Controls (NIST, SCADA), Payment Card Advisory (PCI)
• Cybersecurity Assessment and Response: Threat Intelligence Advisory, X-Force Threat Analysis, Penetration Testing, Incident Preparation, Emergency Response
• Emergency Response; Managed SIEM; Incident Planning; Cyber Threat Intel; Security Operations Center Design Services
• Identity Strategy and Assessment; Data Security and Assessment; Embedded Device Testing
• Firewall / IDPS / UTM Management; Web Protection and Managed DDoS
• User Provisioning and Access Management; Encryption; Penetration Testing
• Hosted Web, E-mail and Vulnerability Management
• Deployment and Migration
• Total Authentication Solution; Data Loss Prevention
• Application Security Assessment
• Staff Augmentation; Managed and Cloud Identity; Mobile Application Testing
QRadar SIEM Product Tour: Flows for Network Intelligence
• Detection of zero-day attacks that have no signature
• Policy monitoring and rogue server detection
• Visibility into all attacker communication
• Passive flow monitoring builds asset profiles & auto-classifies hosts
• Network visibility and problem solving (not just security related)
QRadar SIEM Product Tour: Flows for Application Visibility
• Flow collection from native infrastructure
• Layer 7 data collection and analysis
• Full pivoting, drill-down and data mining on flow sources for advanced detection and forensic examination
• Visibility and alerting according to rule/policy, threshold, behavior or anomaly conditions across network and log activity
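As an added example, not from the deck and not IBM QRadar code, the Python script below shows the kind of passive flow analysis these two slides describe, applied to the assessment findings listed earlier (PCS networks lacking segmentation, unencrypted IP communications) and to the IEC 62443 zone-and-conduit model on the ABB slide. It parses NetFlow-style records, builds a per-host asset profile from the ports each host is seen serving, auto-classifies the host, and raises three kinds of finding: a cleartext control or management protocol on the wire, a host serving a port that is not in the approved asset baseline (a rogue server), and a flow crossing a zone boundary with no approved conduit. The zone subnets, the approved conduits, the asset baseline and the flow records are all constructed for the example.

```python
"""Passive flow analysis for an OT network: build asset profiles from flow
records and flag cleartext control protocols, rogue listeners and cross-zone
traffic with no approved conduit. Every zone, conduit, baseline entry and flow
record below is constructed for this example."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed IEC 62443-style zones (constructed address plan)
ZONES = {
    "field": ip_network("10.10.0.0/24"),      # PLCs, RTUs, IEDs
    "control": ip_network("10.20.0.0/24"),    # SCADA masters, HMIs, historian
    "corporate": ip_network("10.30.0.0/24"),  # office IT
}
# Approved conduits as (source zone, destination zone, destination port)
CONDUITS = {
    ("control", "field", 502),      # SCADA master polls PLCs over Modbus/TCP
    ("corporate", "control", 443),  # office users reach the historian web UI
}
# Asset baseline: the ports each known host is approved to serve
BASELINE = {"10.10.0.5": {502}, "10.20.0.10": {443}}
# Ports whose protocols carry commands or credentials without encryption
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 502: "modbus/tcp"}
# Constructed flow records (NetFlow-style, reduced to the fields used here)
SAMPLE_FLOWS = """\
src,dst,dport
10.20.0.10,10.10.0.5,502
10.30.0.7,10.10.0.5,502
10.30.0.7,10.20.0.10,443
10.30.0.7,10.20.0.10,23
10.20.0.10,10.10.0.5,80
"""

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Finding:
    kind: str   # "cleartext", "rogue_server" or "conduit_violation"
    src: str
    dst: str
    dport: int
    note: str

def parse_flows(text: str) -> list[Flow]:
    """Parse CSV flow records whose header names the fields src,dst,dport."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    records = (dict(zip(header, ln.split(","))) for ln in lines[1:])
    return [Flow(r["src"], r["dst"], int(r["dport"])) for r in records]

def zone_of(ip: str) -> str:
    """Map an address to its zone, or 'unknown' if outside the address plan."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def build_profiles(flows: list[Flow]) -> dict[str, set[int]]:
    """Passive asset profile: every port a host has been seen serving."""
    profiles: dict[str, set[int]] = defaultdict(set)
    for f in flows:
        profiles[f.dst].add(f.dport)
    return dict(profiles)

def classify_host(ports: set[int]) -> str:
    """Auto-classify a host from the services it exposes."""
    if 502 in ports:
        return "control device (Modbus/TCP listener)"
    if ports & {80, 443}:
        return "web/application server"
    return "unclassified"

def analyze(flows: list[Flow]) -> list[Finding]:
    """Run the three checks over every flow; each rogue listener is reported once."""
    findings: list[Finding] = []
    reported_rogue: set[tuple[str, int]] = set()
    for f in flows:
        if f.dport in CLEARTEXT_PORTS:
            findings.append(Finding("cleartext", f.src, f.dst, f.dport,
                                    f"{CLEARTEXT_PORTS[f.dport]} is unencrypted on the wire"))
        if f.dport not in BASELINE.get(f.dst, set()) and (f.dst, f.dport) not in reported_rogue:
            reported_rogue.add((f.dst, f.dport))
            findings.append(Finding("rogue_server", f.src, f.dst, f.dport,
                                    "listener not in the approved asset baseline"))
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone != dst_zone and (src_zone, dst_zone, f.dport) not in CONDUITS:
            findings.append(Finding("conduit_violation", f.src, f.dst, f.dport,
                                    f"{src_zone} -> {dst_zone} has no approved conduit"))
    return findings

def count_by_kind(findings: list[Finding]) -> dict[str, int]:
    """Summarize findings by kind (what a dashboard widget or test would consume)."""
    return dict(Counter(f.kind for f in findings))

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, ports in build_profiles(flows).items():
        print(f"{host} serves {sorted(ports)} -> {classify_host(ports)}")
    for fd in analyze(flows):
        print(f"[{fd.kind}] {fd.src} -> {fd.dst}:{fd.dport}  {fd.note}")
```

On the constructed records the script reports four cleartext flows (the two Modbus/TCP polls, the Telnet session and the HTTP request), two rogue listeners (Telnet on the historian host and HTTP on the PLC) and three conduit violations (corporate-to-field Modbus, corporate-to-control Telnet, control-to-field HTTP). Note that the approved Modbus/TCP conduit is still reported as cleartext: segmentation tells you who may talk to whom, not whether the commands can be tampered with in transit, which is the "encryption and command integrity limitations" point from the TCP/IP slide. A production flow source such as a SIEM does the collection and Layer 7 classification at scale; the point here is that the profiling and policy checks themselves are simple set lookups once the zones, conduits and baseline are written down.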