gettozero stealth industrial
TRANSCRIPT
Date / Presenter Name, Title
Innovative Cyber-Security for the Industrial Sector
Unisys Stealth™ Protects Your Critical Infrastructure from Cyber-Attack
© 2014 Unisys Corporation. All rights reserved. 2
Industrial Organizations Are in the Cross-Hairs of Cyber-Attacks
Accelerating frequency. Greater sophistication.
When it comes to critical infrastructure, there can be no compromise.
You must maintain 100% reliability and 24/7 operations.
Regulations Are Fueling the Need for Action
• Global government mandates and regulations
• Risk assessments show high levels of vulnerability
• Act now, or it will cost more later
Today’s Security Approach Is Not Good Enough
• Current defenses are vulnerable and reactive
• Legacy technologies must continually be patched and upgraded
• Modernization poses greater risks in the future
• IP theft is on the rise
Bigger fortresses and air-gaps are too weak and too costly.
Industrial organizations need stronger protection.
Innovative Security Can Help You ‘Get to Zero’ Incidents
• Protect critical industrial automation systems
• Secure data-in-motion across any network
• Prevent multiple threats with one solution
• Safeguard intellectual property
• Protect the enterprise, not just SCADA endpoints
There is a more secure and cost-effective way to protect your data and systems.
Go invisible. Reduce your attack surface.
Stealth Is What Innovative Security Looks Like
You can’t hack what you can’t see…
• Layered security for mission-critical protection
• Scalable and incrementally implemented, with no disruption
• Makes endpoints invisible, tightens access control, protects data-in-motion
Figure: what a hacker sees when Stealth is enabled
Stealth Is Truly Innovative Security Technology
Patents: world-class intellectual property. Unisys Stealth is protected by more than 60 issued or pending U.S. patents and patent applications, including:
• Communicating split portions of a data set across multiple data paths
• Workgroup key wrapping for community of interest membership authentication
• Gateway for securing data to/from a private network
• Securing and partitioning data-in-motion using a community-of-interest key
• Integrated multi-level security system
• Securing multicast data
Stealth Has Been Tested by the Best in the World
Evaluations on the timeline, 2005 to 2011:
• CWID 05 – USAF, AF Comm Agency
• CWID 08 – DISA
• CWID 09 – DISA
• JUICE 09 – CECOM
• Combined Endeavour – EUCOM
• CWID 10 – SOCOM: Network Risk Assessment; DIACAP MAC-1 Certification
• DIACAP MAC-1 Certification – JFCOM
• JFCOM JIL Testbed, IO Range
• SOCOM R&D Prototype
• GTRI – DJC2 PMO
• SPAWAR
• Private lab SSVT validation: failed to compromise
• “Large Integrator” tests and fails to break Stealth
• IV&V – National Center for Counter-terrorism and Cybercrime, SOCOM
• Export license – Dept. of Commerce
• Crypto-module FIPS 140-2 certification – NIST
• EAL4+ certification – NIAP
2012:
• Emerald Warrior ‘12 – SIPRNet IATT
2013:
• Independent test by a client-hired 3rd party: failed to compromise
• And again, different client, different tester: failed to compromise
• And again: commercial and public sector
Acronyms: DIACAP – DoD Information Assurance Certification and Accreditation Process; MAC – Mission Assurance Category (Level 1 is highest); DISA – Defense Information Systems Agency; EUCOM – European Command; SOCOM – Special Operations Command; JFCOM – Joint Forces Command; JIL – Joint Intelligence Laboratory; CWID – Coalition Warrior Interoperability Demonstration; JUICE – Joint User Interoperability Communications Exercise; CECOM – Communications-Electronics Command (US Army); GTRI – Georgia Tech Research Institute; DJC2 – Deployable Joint Command and Control; NIST – National Institute of Standards and Technology; NIAP – National Information Assurance Partnership; IV&V – Independent Verification and Validation; IATT – Interim Authority to Test.
How Stealth Protects Industrial Controls
Protected endpoints: mobile apps, SCADA, ICS, HMI
• Cloaked endpoints
• 256-bit encryption
• Communities of Interest
Reduce your attack surface. You can’t hack what you can’t see.
Sample Use Cases: Protect What Matters Most
• Manufacturing: guard ERP and shop-floor integration
• Chemical Processing: improve safety, prevent ICS damage and IP theft
• Oil and Gas Production: keep pipelines, well heads, IP, and remote operations secure
Why Stealth Now?
Business Risk Challenges
• “Good enough” security
• Non-compliant
• Varied security profile
Stealth Security
• Reduces attack surface
• Facilitates compliance
• Contained compromise
Business Cost Challenges
• Complex hardware deployment
• Financial impact of breach
• Private networks
Stealth Cost Reduction Potential
• Leverage cost benefits of cloud
• Prevent rather than remediate
• Significantly reduce IT costs
Operational Challenges
• Afraid to change anything
• Management by location
• Integrating multiple solutions
Stealth Agility
• Software-defined networking
• Incremental, non-disruptive
• No application changes
Clients with Zero Tolerance for Breaches Use Stealth
• A non-US department of defense agency uses Stealth in a secure virtual desktop infrastructure solution
• A US government agency uses Stealth for secure telecommuting
• A large science company is implementing Stealth to protect its process control environment and safeguard its IP
• A healthcare organization is using Stealth to verify secure transmission of data between multiple hospitals
• An industry leader in graphics processors is securing remote access to virtual desktops and segmenting its internal network with COIs to secure access to sensitive data
• A Brazilian service provider to public-sector social services is using Stealth to securely transmit copies of disk images between multiple sites
• PCI DSS compliance for a point-of-sale environment, where the conventional approach of buying new switches and firewalls was too expensive
• Unisys uses Stealth to secure and protect our high-value application and database servers, for secure remote telecommuting and regional isolation
Don’t Just Take Our Word For It
“Unisys markets the product with the tag line, ‘you can’t hack what you can’t see,’ and we have to agree with them.”
“Stealth is an interesting product that might just be a great way to hide from hackers.”
– David Strom, editor-in-chief, Network World (May 2014 Stealth product review)
Finalist: announcement September 2014
Winner: Cybersecurity Product of the Year 2014
Thank you.
Sub-Vertical Slides
How to use this deck
Replace slide #10 of the main presentation (Sample Use Cases) with the appropriate set of sub-vertical slides.
• Industrial has three sub-verticals to choose from:
– Manufacturing
– Chemical Processing
– Oil and Gas Production
Manufacturing Cyber Threats Section
DELETE the Use Case slide from the Industrial Core PPT Deck and insert the Manufacturing slides from this deck.
Top Three Manufacturing Cyber Targets
1. ICS/SCADA: new controls and all-digital infrastructures create vulnerabilities
2. Command and control software: hackers and malicious code target Human-Machine Interfaces (HMI) and Manufacturing Execution Systems (MES)
3. Intellectual property: backdoor hacks can steal valuable industrial assets
Recent Events
• 600%+ increase in ICS/SCADA vulnerabilities from 2010 to 2013
• Over 25% of ICS/SCADA cyber-attacks in 2013 were on the industrial sector
• In 2013, a major ICS/SCADA supplier was infected with malware
Command and Control Software Vulnerabilities
HMI and MES advantages for manufacturing
• Can help tie shop-floor visibility to ERP systems
• Result is reduced time-to-market and greater operational efficiencies
Vulnerabilities
• Runs on off-the-shelf OSs, known hacker targets
• MES-enterprise software gaps
• Hackers and viruses have multiple entry points
Industrial Control Attack Surfaces
• Intelligent Control Circuit (ICC)
• Supervisory Control and Data Acquisition (SCADA)
• Remote Terminal Unit (RTU)
• In-field ICS/SCADA: most never designed for IP connectivity
• Mixture of old (analog) and new devices in the field
• Connectivity to control center via cell, radio, wireless, Ethernet and fiber
More than 2,600 exploitable vulnerabilities in 1,330 models of control devices[1]
[1] SCADA and Security of Critical Infrastructure. InfoSec Institute.
Go to the MANUFACTURING Core PPT Deck
Continue with the Stealth value proposition slides
Chemical Processing Cyber Threats
DELETE the Use Case slide from the Industrial Core PPT Deck and insert the Chemical Processing slides from this deck.
Top Three Chemical Processing Cyber Targets
1. ICS/SCADA: increased vulnerabilities as more and newer devices enter the market
2. Command and control software: Human-Machine Interface (HMI) and Manufacturing Execution System (MES) software targets
3. Theft of intellectual property: proprietary processes and formulas at risk
Recent Events
• 600%+ increase in ICS/SCADA vulnerabilities from 2010 to 2013
• 277 ICS/SCADA cyber-attacks voluntarily reported in 2013
• 48 chemical and defense companies compromised in the Nitro attacks (disclosed in 2011)
Command and Control Software Vulnerabilities
Human-Machine Interface (HMI) programs for chemical processing command and control centers
• Proprietary software (supply chain compromise, bugs, questionable security measures)
• Runs on an off-the-shelf OS, a known hacker target
• Must be patched and maintained
Chemical Processing Control Attack Surfaces
• Intelligent Control Circuit (ICC)
• Supervisory Control and Data Acquisition (SCADA)
• Remote Terminal Unit (RTU)
• Mixture of old (analog) and new devices
• Moving from analog to digital systems
More than 2,600 exploitable vulnerabilities in 1,330 models of control devices[1]
[1] SCADA and Security of Critical Infrastructure. InfoSec Institute.
Go to the Industrial Core PPT Deck
Continue with the Stealth value proposition slides
Oil and Gas Cyber Threats
DELETE the Use Case slide from the Industrial Core PPT Deck and insert the Oil and Gas slides from this deck.
Pipeline Cyber Attack
“Cyberspies linked to China’s military targeted nearly two dozen US natural gas pipeline operators over a recent six-month period, stealing information that could be used to sabotage US gas pipelines, according to a restricted US government report and a source familiar with the government investigation.”
– Christian Science Monitor
February 27, 2013
Recent Events
• 600%+ increase in ICS/SCADA vulnerabilities from 2010 to 2013
• Data theft besieges the oil industry
• Compromising industrial facilities from 40 miles away
Command and Control Software Vulnerabilities
Human-Machine Interface (HMI) programs for oil and gas production command and control centers
• Proprietary software (supply chain compromise, bugs, questionable security measures)
• Runs on off-the-shelf OSs, known hacker targets
Mobile controls
• Remote operation of gas and oil rigs/well-heads at risk from hacks and viruses
Oil and Gas Production Control Attack Surfaces
• Intelligent Control Circuit (ICC)
• Supervisory Control and Data Acquisition (SCADA)
• Remote Terminal Unit (RTU)
• In-field ICS/SCADA: most never designed for IP connectivity
• Mixture of old (analog) and new devices in the field
• Connectivity to control center via cell, radio, wireless, Ethernet and fiber
More than 2,600 exploitable vulnerabilities in 1,330 models of control devices[1]
[1] SCADA and Security of Critical Infrastructure. InfoSec Institute.
Go to the Industrial Core PPT Deck
Continue with the Stealth value proposition slides
Appendix: Technical Slides
Stealth: Four Key Elements
1. Info Dispersal Algorithm and Data Reconstitution
2. Virtual Communities of Interest (COI)
3. Cryptographic Service Module
4. AES 256 Encryption
Together they protect data-in-motion and make endpoints invisible. You can’t hack what you can’t see…
The Stealth shim executes low in the protocol stack, below the network layer and above the link layer and the NIC:
7. Application
6. Presentation
5. Session
4. Transport
3. Network
Stealth shim
2. Link
1. Physical
NIC
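As an added worked example (not Unisys code; the page names the Info Dispersal Algorithm but does not specify it), the Python below shows the property that element exists for and that the patent title on slide 7 describes: a data set is split into n portions that can travel over separate data paths, any k of them reconstitute it, and fewer than k reveal nothing. It uses Shamir's polynomial secret sharing over GF(2^8), the same field AES uses, with only the standard library. The function names, the 3-of-5 parameters and the sample control message are assumptions chosen for the illustration.

```python
# Added illustration: (k, n) threshold dispersal of a data set over GF(2^8) using
# Shamir's polynomial secret sharing.  Not Unisys code; the page does not specify
# Stealth's own Information Dispersal Algorithm.  Standard library only.
import os
from typing import Callable, Dict

AES_POLY = 0x1B  # reduction constant for x^8 + x^4 + x^3 + x + 1


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) (the field AES uses)."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= AES_POLY
        b >>= 1
    return product


def gf_inv(a: int) -> int:
    """Multiplicative inverse via a^254 = a^-1 (Fermat); a must be non-zero."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result


def disperse(data: bytes, k: int, n: int,
             rng: Callable[[int], bytes] = os.urandom) -> Dict[int, bytes]:
    """Split `data` into n portions such that any k of them reconstitute it.

    Each byte becomes the constant term of a random degree-(k-1) polynomial;
    portion x (1 <= x <= n) carries the polynomial's value at x.  Fewer than k
    portions leave every byte uniformly random, so tapping one data path
    yields nothing about the data.
    """
    if not 1 < k <= n < 256:
        raise ValueError("need 1 < k <= n < 256")
    portions = {x: bytearray() for x in range(1, n + 1)}
    for byte in data:
        coeffs = [byte] + list(rng(k - 1))      # a0 = data byte, a1..a(k-1) random
        for x in range(1, n + 1):
            value = 0
            for c in reversed(coeffs):          # Horner's rule, evaluate at x
                value = gf_mul(value, x) ^ c
            portions[x].append(value)
    return {x: bytes(p) for x, p in portions.items()}


def reconstitute(portions: Dict[int, bytes], k: int) -> bytes:
    """Recover the data from any k portions by Lagrange interpolation at x = 0."""
    if len(portions) < k:
        raise ValueError(f"need {k} portions, have {len(portions)}")
    xs = list(portions)[:k]
    length = len(portions[xs[0]])
    out = bytearray()
    for pos in range(length):
        acc = 0
        for i in xs:
            # Lagrange basis L_i(0) = prod_{j != i} x_j / (x_i - x_j); in
            # characteristic 2 subtraction is XOR and negation is a no-op.
            num, den = 1, 1
            for j in xs:
                if j != i:
                    num = gf_mul(num, j)
                    den = gf_mul(den, i ^ j)
            acc ^= gf_mul(portions[i][pos], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: one control message split 3-of-5 across five data paths.
    message = b"PLC-3 setpoint=42.0"
    paths = disperse(message, k=3, n=5)
    surviving = {x: paths[x] for x in (1, 4, 5)}   # two paths lost or withheld
    print("reconstituted:", reconstitute(surviving, k=3))
```

A single portion on a tapped path is uniformly random on its own, which is the point of dispersing across paths; the cost is that every portion is as large as the data. An erasure-coding IDA such as Rabin's makes each portion only 1/k of the data but gives up that secrecy, so confidentiality then has to come from the encryption layer, which is why the slide lists the dispersal algorithm and AES side by side.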
How We Cloak
Unisys Stealth Endpoint Driver, and the stack it sits in:
Layer 4: TCP, UDP
Layer 3: IP, ARP, DHCP
Layer 2: MAC
The Stealth driver’s credentials are authorized into one or more COIs; every inbound message is checked against that membership:
• Message from a member of the same COI: processed
• Message from a Stealth endpoint in a different COI: discarded
• Message from a non-Stealth endpoint: discarded
Stealth for Critical Infrastructure
Certifications: EAL4+, FIPS 140-2
Reference plant network in the diagram. Zones: Internet, Enterprise Network, Plant Bus, Control Bus, Terminal Bus, Field Bus to Instrumentation, Hardwired Instrumentation. Firewalls: Corporate Firewall, Plant Firewall, Control Firewall. Systems: ERP, EPA Database, Domain Controller, Historian, OPC Server, CCTV Server, HMI, EWS, Application Server, Alarm Aggregation, RTU, PLCs.
• Identify the most sensitive endpoints in the critical infrastructure and who should have access
• Create a compartmentalized security model based on need-to-access
• Protect and enforce the security model with strong end-to-end encryption, properly managed keys and CLOAKED endpoints
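The three steps above, together with the three outcomes on the How We Cloak slide, as an added Python example (not Unisys driver code; the page describes neither Stealth's frame format nor its key wrapping): a constructed compartment model assigns plant and corporate endpoints to COIs, every frame is tagged under the COI's workgroup key, and a receiving endpoint processes a frame only from a member of a COI it belongs to, silently discarding everything else, including replays. HMAC-SHA256 from the standard library stands in for the authenticated encryption a deployment would use; the endpoint names, COI names, frame layout and sample payloads are assumptions.

```python
# Added illustration of the COI membership check.  Not Unisys driver code; the
# frame layout, the HMAC tag and every name below are assumptions for the example.
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Set

MAGIC = b"COI1"   # assumed marker that a frame came from a COI-aware endpoint

# Constructed compartment model (slide steps 1 and 2): endpoints and the COIs each
# is authorised into by need-to-access.  Shared membership in a COI is the only
# thing that makes two endpoints visible to each other.
COI_KEYS: Dict[str, bytes] = {     # one workgroup key per COI; from key management in practice
    "control": os.urandom(32),
    "enterprise": os.urandom(32),
}
MEMBERSHIP: Dict[str, Set[str]] = {
    "HMI-1": {"control"},
    "PLC-3": {"control"},
    "Historian": {"control", "enterprise"},   # the one bridge between plant and corporate
    "ERP": {"enterprise"},
}


def shared_cois(a: str, b: str) -> Set[str]:
    """COIs both endpoints belong to; an empty set means a cannot even see b."""
    return MEMBERSHIP.get(a, set()) & MEMBERSHIP.get(b, set())


def _lv(field: bytes) -> bytes:
    return bytes([len(field)]) + field


def build_frame(sender: str, coi: str, seq: int, payload: bytes) -> bytes:
    """MAGIC | coi | sender | seq(8) | len(2) | payload | HMAC-SHA256 under the COI key."""
    if coi not in MEMBERSHIP.get(sender, set()):
        raise PermissionError(f"{sender} is not authorised into COI {coi!r}")
    body = (MAGIC + _lv(coi.encode()) + _lv(sender.encode())
            + struct.pack(">QH", seq, len(payload)) + payload)
    return body + hmac.new(COI_KEYS[coi], body, hashlib.sha256).digest()


def _parse(frame: bytes):
    off = len(MAGIC)
    n = frame[off]; coi = frame[off + 1:off + 1 + n].decode(); off += 1 + n
    n = frame[off]; sender = frame[off + 1:off + 1 + n].decode(); off += 1 + n
    seq, plen = struct.unpack_from(">QH", frame, off); off += 10
    payload = frame[off:off + plen]; off += plen
    tag = frame[off:]
    if len(payload) != plen or len(tag) != 32:
        raise ValueError("truncated frame")
    return coi, sender, seq, payload, frame[:off], tag


class CloakedEndpoint:
    """Receive-side filter with the three outcomes of the How We Cloak slide."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.cois = MEMBERSHIP.get(name, set())
        self.last_seq: Dict[tuple, int] = {}   # (coi, sender) -> highest accepted seq

    def receive(self, frame: bytes) -> Optional[bytes]:
        """Return the payload for an authorised COI peer, else None.

        Every drop is silent: no reset, no ICMP, no error frame, nothing that
        lets a scanner tell a cloaked host from no host at all.
        """
        if not frame.startswith(MAGIC):
            return None                       # non-Stealth endpoint: discarded
        try:
            coi, sender, seq, payload, body, tag = _parse(frame)
        except (IndexError, ValueError, struct.error):
            return None                       # malformed: discarded, no feedback
        if coi not in self.cois:
            return None                       # other COI: we hold no key for it, discarded
        expected = hmac.new(COI_KEYS[coi], body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                       # wrong key or tampered: discarded
        if seq <= self.last_seq.get((coi, sender), -1):
            return None                       # replayed frame: discarded
        self.last_seq[(coi, sender)] = seq
        return payload                        # same-COI member: processed


if __name__ == "__main__":
    plc, erp = CloakedEndpoint("PLC-3"), CloakedEndpoint("ERP")
    frame = build_frame("HMI-1", "control", seq=1, payload=b"SET setpoint=42.0")
    print("PLC-3 <- HMI-1:", plc.receive(frame))                         # processed
    print("ERP   <- HMI-1:", erp.receive(frame))                         # None, other COI
    print("PLC-3 <- scan: ", plc.receive(b"\x45\x00\x00\x28" + bytes(36)))  # None, not Stealth
```

The check a practitioner should take from this is the order of the tests: membership first, so that an endpoint never performs cryptography with a key it should not hold; tag before sequence, so that a forger cannot burn sequence numbers; and the same `None` for every failure, so that timing and error behaviour do not give the probe a second channel.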
Unisys Stealth for Mobile
Mobile security starts in the data center and extends out to your mobile devices.
Unisys Stealth protects critical application processing environments through cloaking techniques, effectively rendering them invisible and providing protection from internal and external threats.
Unisys Stealth for Mobile extends the protection of these mission-critical assets to mobile environments, providing only the right mobile users access to the right environments.
Diagram: unprotected server; protected server (physical or VM); protected application server; protected database server.
Unisys Stealth for Mobile: Three Components
• Application Wrapping Software: wraps individual applications on a device, enabling fine-grained security controls to be applied to individual applications
• Stealth for Mobile Gateway (Broker and vDRs): provides secure passage for mobile data to application processing environments; connects authenticated mobile application users into Stealth Communities of Interest
• Stealth Data Center Segmentation: compartmentalizes the data center using Communities of Interest instead of physical infrastructure
Diagram: unprotected server; protected server (physical or VM); protected application server; protected database server.
Unisys Stealth for Mobile: Architecture
Diagram, from the device inward: Internet; IPsec Connection Gateway (VPN Server); DMZ (Audit, IDS); Mobile Stealth Gateway (Broker, vDRs); Stealth Network with COIs such as Legal and Finance. The Stealth Appliance, Stealth Authorization Service and Enterprise Identity Store support authorization.
• Stealth-Enabled Mobile App (Stealth for Mobile software, wrapped applications): captures user credentials; wrapped for security
• IPsec Connection Gateway: off-the-shelf IPsec VPN gateway
• DMZ: clear-text network segment; allows monitoring, firewalling, etc.
• Mobile Stealth Gateway: the Broker authorizes users and manages the vDRs’ COIs; each Virtual Device Relay (vDR) relays data between the app and the Stealth network