2015 Honeywell Users Group Europe, Middle East and Africa Industrial Cyber Security 101 Mike Spear, Honeywell

Upload: honeywell-process-solutions

Posted on 06-Jan-2017


TRANSCRIPT

Page 1: Industrial Cyber Security 101

2015 Honeywell Users Group, Europe, Middle East and Africa

Industrial Cyber Security 101

Mike Spear, Honeywell

Page 2: Introduction

© 2015 Honeywell International. All Rights Reserved

Mike Spear – Duluth, GA, USA
Global Operations Manager, Industrial Cyber Security

• Responsible for the global delivery of Honeywell's Industrial Cyber Security Solutions
• Focus – cyber security, industrial networks, and wireless
• Over 30 years of technical management and consulting
• Process, batch, discrete manufacturing & power industries
• 9th year with Honeywell Process Solutions
• CIS Advisory Board Member – Gwinnett Technical College

Page 3: Agenda

• What is Industrial Cyber Security?
• Is the Risk Real?
• Where to start?
• Standards
• Where can I get more information?

Page 4: What Is Industrial Cyber Security?

• Body of technologies, processes & people designed to protect industrial networks
• From damage, disruption, unauthorized access or exploitation via electronic means
• Requires deep understanding of industrial control systems/operations + information technology/cyber security expertise

[Diagram: IT cyber security (Level 4, corporate and 3rd-party connections) versus industrial cyber security (Levels 1 to 3), separated by a Level 3.5 DMZ behind a firewall and router (optional HSRP router). The DMZ holds the terminal server, patch management server, anti-virus server, eServer and PHD shadow server. The process control side shows Experion servers, ESC/ESF/EST/ACE nodes, ESVT, Safety Manager, a terminal server, domain controllers, EAS, a PHD server and a 3rd-party application subsystem interface on qualified Cisco switches.]

IT cyber security:
• Confidentiality and information
• Business systems

Industrial cyber security:
• Process availability, safety, reliability
• No disruptions; never down
• Unique, specific requirements

Page 5: Is there a Real Threat?

• ICS-CERT* – 245 reported incidents (DHS-NCCIC Incident Response/Activity, 2014)
  ‒ Energy = 33%
  ‒ Water = 5%
  ‒ Chemical = 3%
  ‒ Nuclear = 2%
• Process industry accounts for 43%
• 55% involved APT actors
• 38% of ICS incidents classified as unknown – lack of detection and monitoring

*ICS-CERT – Industrial Control Systems Cyber Emergency Response Team; APT – Advanced Persistent Threat

Page 6: Are you Immune?

• My PCN...
  ‒ does not connect to the Internet...
  ‒ we do not allow portable media...
  ‒ has a firewall...
  ‒ is patched during every shutdown...
• Therefore, my ICS is 100% secure
• 35% of ICS incidents are a result of malware! Most penetrate from WITHIN the ICS environment.

Penetration sources (*Honeywell Process Solutions):
‒ USB/portable media: 36%
‒ Vendor: 28%
‒ Internal employee, direct: 24%
‒ Remote access: 4%
‒ Corporate network: 4%
‒ Unknown: 4%

Page 7: Insider Risks & Threats – Employees, Vendors & Contractors

Risks – trusted resources that have been compromised
• Unsuspecting, innocent employee who is exploited
• Laptop compromised outside of the plant via malware

"Snowden" threat – an insider who goes rogue
• Trusted attackers are difficult to detect and catch
• Must consider multiple users accessing systems

Page 8: Security Design

IDENTIFY
  Technical controls: vulnerability scanning, monitoring, ...
  Non-technical controls: assessments, risk management
PROTECT
  Technical controls: firewall, AWL (application whitelisting), AV, IPS, DC, network segmentation, ...
  Non-technical controls: security policies & procedures
DETECT
  Technical controls: IPS, IDS, SIEM, security dashboard, ...
  Non-technical controls: security monitoring
RESPOND
  Technical controls: IPS, recovery CD, ...
  Non-technical controls: security incident response, disconnection management
RECOVER
  Technical controls: back-up control center, ...
  Non-technical controls: data recovery, disaster recovery

Time-based view:
  TB = time to breach the protection
  TD = time to detect the event
  TR = time to respond to the event

  If TB > (TD + TR), the plant is secure: the protection holds for longer than it takes to notice the intrusion and act on it. If detection and response together take longer than the protection holds, the attacker reaches the process before anyone acts, however strong the protective controls look on paper.

Page 9: What is your Risk Appetite?

Page 10: Levels of Security

[Chart axes: IEC 62443-3 – technical protection level (SL 1 to 4); C2M2 – maturity level (ML 0 to 3)]

IEC 62443-3-3 – Security Levels
SL 4 – Protects against intentional security incidents using sophisticated means and having extended resources – nation state
SL 3 – Protects against intentional security incidents using sophisticated means – hacktivist, terrorist
SL 2 – Protects against intentional security incidents using simple means – cyber crime, hacker
SL 1 – Protects against casual security incidents – careless employee or contractor

NIST / C2M2 – Maturity Levels (as examples)
ML 3 – Practices are managed with policies and governance from the organization. Policies are reviewed and adjustments made as needed, and include compliance with specified standards and/or guidelines.
ML 2 – Risk practices are approved by management and expressed as policy; policies, processes and procedures are defined, implemented and validated. Adequate resources are provided.
ML 1 – Risk practices are performed but may be ad hoc, typically by an individual, thus the outcome may vary depending on the individual.
ML 0 – Practices are not formalized, often case by case, and risk is managed in an ad hoc and sometimes reactive manner.

What is an appropriate protection level for my plant?

Page 11: Levels of Security

[Chart: security level 1 to 4 plotted against maturity level 0 to 3, with critical infrastructure and non-critical infrastructure marked as regions on the chart.]

Typical critical infrastructure: oil & gas, power, water
Typical non-critical infrastructure: plastics, steel, resins, food, paper, beverages

Classifications of criticality can differ by country!

Where are we today? In our security assessments most companies score between SL 1 and SL 2 and ML 0 and ML 1.

Page 12: System Profiling

Profile number by security level (rows) and maturity level (columns):

        ML0   ML1   ML2   ML3
SL1      1     2     3     4
SL2      5     6     7     8
SL3      9    10    11    12
SL4     13    14    15    16

Page 13: Where would your Security Profile be?

Page 14: Awareness

Page 15: Awareness

• Questions to consider:
  ‒ Portable media: what if you find a USB flash drive in the parking lot? What do you do?
  ‒ Network/security documentation: what happens with network/security documentation and information? Is it stored in a secure place that only authorized people can access, or can everyone in the company get to it?
  ‒ Backups: what about back-ups containing all documentation, including network/security information, passwords and other system settings? Are they securely stored or available to many? Will they restore?
  ‒ People: what do you do when a system administrator leaves who knows all the ins and outs of your cyber security? Has your system been set up such that one person has all the information, access rights, etc.? Are the vendors involved in your security bound by confidentiality?
• General:
  ‒ What does your company do to create awareness for cyber security? Training; policies, procedures, best practices; enforcement.
  ‒ Do you have an updated / accurate incident management plan to execute during a cyber attack?

Page 16: Segmentation

Page 17: Segmentation

• Technical security controls
  ‒ Separation from the business network
  ‒ Firewall segmentation
      ‒ Review configuration
      ‒ Log review
      ‒ Rule management – especially outbound
      ‒ Consider a next generation firewall (includes advanced inspection functionality)
• Architecture segmentation
  ‒ Zones and conduits
      ‒ Grouping of nodes with like security requirements
      ‒ Conduits should always be between adjacent zones
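The adjacency rule for conduits is easy to state and easy to lose in a firewall rule base that has grown over years of plant changes. The following Python script is an added example, not part of the Honeywell slides: it audits a rule set against the level structure shown on the architecture slide (Level 1, Level 2, Level 3, Level 3.5 DMZ, Level 4), maps each endpoint to a zone, accepts allow rules only between adjacent zones, and flags rules that skip the DMZ or let process control hosts reach "any" destination outbound, the "especially outbound" point above. The subnets, hosts and rule names are constructed sample data and carry no meaning beyond the example.

```python
"""Zone/conduit audit for a firewall rule base.

Added example, not from the Honeywell deck. Zones are the levels named on the
architecture slide; a conduit (allow rule) is acceptable only between two
adjacent zones. Subnets, hosts and rule names below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone order from the process up to the business network. Adjacent entries
# are the only legitimate conduit endpoints (L4 must pass through the L3.5 DMZ).
ZONE_ORDER = ["L1", "L2", "L3", "L3.5", "L4"]
ZONE_RANK = {zone: rank for rank, zone in enumerate(ZONE_ORDER)}
PCN_TOP = ZONE_RANK["L3"]  # L3 and below are the process control network

# Constructed: which subnet belongs to which zone.
ZONE_SUBNETS = {
    ip_network("10.0.1.0/24"): "L1",
    ip_network("10.0.2.0/24"): "L2",
    ip_network("10.0.3.0/24"): "L3",
    ip_network("10.0.35.0/24"): "L3.5",
    ip_network("172.16.0.0/16"): "L4",
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str  # IP address or "any"
    dst: str  # IP address or "any"
    port: int
    action: str = "allow"


def zone_of(addr: str) -> str:
    """Map an endpoint to its zone; 'any' and unmapped addresses are returned as such."""
    if addr == "any":
        return "any"
    ip = ip_address(addr)
    for net, zone in ZONE_SUBNETS.items():
        if ip in net:
            return zone
    return "unknown"


def adjacent(z1: str, z2: str) -> bool:
    """True when the two zones sit next to each other in ZONE_ORDER."""
    return abs(ZONE_RANK[z1] - ZONE_RANK[z2]) == 1


def audit(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (rule name, finding) for each allow rule that is not a clean conduit."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules do not create conduits
        sz, dz = zone_of(r.src), zone_of(r.dst)
        if dz == "any" and sz in ZONE_RANK and ZONE_RANK[sz] <= PCN_TOP:
            findings.append((r.name, f"outbound from PCN zone {sz} to any destination"))
        elif "any" in (sz, dz) or "unknown" in (sz, dz):
            findings.append((r.name, f"endpoint not bound to a zone: {r.src} -> {r.dst}"))
        elif sz != dz and not adjacent(sz, dz):
            lo, hi = sorted((ZONE_RANK[sz], ZONE_RANK[dz]))
            skipped = ", ".join(ZONE_ORDER[lo + 1:hi])
            findings.append((r.name, f"conduit {sz} -> {dz} skips {skipped}"))
        # same-zone traffic and adjacent-zone conduits pass
    return findings


# Constructed rule base: three good conduits, one DMZ bypass, one open outbound rule.
SAMPLE_RULES = [
    Rule("corp-to-dmz-rdp", "172.16.10.5", "10.0.35.10", 3389),         # L4 -> L3.5 DMZ, ok
    Rule("dmz-to-l3-patch", "10.0.35.20", "10.0.3.10", 445),            # L3.5 -> L3, ok
    Rule("corp-direct-to-experion", "172.16.10.5", "10.0.2.10", 3389),  # L4 -> L2, bypasses DMZ
    Rule("pcn-outbound-any", "10.0.3.10", "any", 443),                  # L3 -> anywhere
    Rule("l2-to-l1-modbus", "10.0.2.10", "10.0.1.5", 502),              # L2 -> L1, ok
    Rule("block-corp-to-l1", "172.16.10.5", "10.0.1.5", 502, "deny"),   # deny, ignored
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Run as a script it lists the two offending rules. To use it on a real rule base, replace SAMPLE_RULES with rules exported from the firewall and ZONE_SUBNETS with the plant's own addressing; the audit deliberately treats any outbound rule from Level 3 or below to an unscoped destination as a finding regardless of port, since an open outbound path is what lets malware that got in via USB or a vendor laptop call home.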

Page 18: Getting Started Summary

• Determine risk appetite ‒ current state vs desired state
• Create awareness ‒ policies & procedures
• Implement architecture segmentation ‒ zones & conduits

Page 19: Standards & Regulations

Page 20: Cyber Security Standards for ICS

• Oriented toward owner / operators
  ‒ Security architecture
  ‒ Procurement
  ‒ Technical and non-technical security controls
  ‒ ISMS framework
• Oriented toward suppliers
  ‒ Equipment requirements
  ‒ Development requirements
  ‒ Service delivery
• Oriented toward technical countermeasures
  ‒ Industry specific (power, water, pipelines, chemical, offshore, critical infrastructure)
• Oriented toward non-technical countermeasures
  ‒ Industry specific (power, water, pipelines, chemical, offshore, critical infrastructure)

Page 21: Standards/Guidelines/Frameworks – just a small overview

[Figure: standards placed on two axes – owner/operator versus supplier/vendor, and technical versus non-technical.]

• ISA 99 / IEC 62443 program – 13 security standards covering the full spectrum: IEC 62443-2-1, 62443-2-2, 62443-2-3, 62443-2-4, 62443-3-3, 62443-4-1, 62443-4-2
• ISASecure™ program – Embedded Device Security Assurance (EDSA), System Security Assurance (SSA), Security Development Lifecycle Assurance (SDLA); ISO/IEC 15408 Common Criteria
• API 1164 – pipeline cyber security
• 75574 - 75575 – maritime cyber security
• NISTIR 7628, NISTIR 7788, NISTIR 7328, NISTIR 7874 – smart grid security guidelines (NISTIR, ENISA)
• NERC CIP program – 8 security standards, power utilities
• EPRI 1023502 – procurement guidelines (EPRI, DHS)

Page 22: Is that All?

Unfortunately, no, ...

• IEC 61508 / IEC 61511 – security controls for safety systems
• Industry specific security standards
  ‒ Chemical – CIDX
  ‒ Water systems – EPA
• National / regional security standards
  ‒ ANSSI – French critical infrastructure
  ‒ VGB – German (nuclear) power industry
  ‒ OLF – Norwegian offshore
  ‒ CPNI – UK critical infrastructure
  ‒ ICT Qatar guidelines
  ‒ ENISA – European ICS
  ‒ NIST, BSI, JRC, WIB, etc., etc., etc.

Page 23

• Standards are good, however:
• Too many
  ‒ Overlap
  ‒ Inconsistent
• Focus primarily on technical controls
• ICS standards still need to mature
  ‒ Business justification
• Will need to employ a hybrid depending on industry
  ‒ IEC 62443 & NIST
• Embedding into overall risk management framework

Man-years of effort

Martin Luther King: "All progress is precarious, and the solution of one problem brings us face to face with another problem."

Page 24: Other Sources of Information

To learn more... www.becybersecure.com

Day / Time / Title / Presenter
• Monday, 14.00 – 16.00 – "Cyber Security Engineering Training" (Munich/Frankfurt) – Sinclair Koelemij, EMEA Technical Leader Industrial Cyber Security
• Tuesday, 15.15 – 16.00 – "Breakthrough Cyber Security Strategies: Introducing Honeywell Risk Manager" (Dusseldorf/Cologne) – Eric Knapp, Director Industrial Cyber Security Solutions & Technologies
• Wednesday, 14.00 – 14.40 – "Botnets & Zombies: Managing Risk in a World of Uncertainty" (General Session) – Eric Knapp, Director Industrial Cyber Security Solutions & Technologies
• Wednesday, 12.00 – 13.00 – "Measuring & Managing Cyber Security" (London) – Sema Tutucu, Operations Manager, Industrial Cyber Security – EU/A
• Thursday, 11.10 – 11.55 – "Continuous Industrial Cyber Risk Mitigation with Managed Services Monitoring & Alerting" (Munich/Frankfurt) – Konstantin Rogalas, Manager, Business Development EU/A
• All days, various times – Knowledge Center – Sinclair Koelemij, EMEA Technical Leader Industrial Cyber Security

Page 25: Honeywell Industrial Cyber Security

Any questions?