ppt template - iom.invensys.comiom.invensys.com/en... · the invensys cyber security team offers a...

GEN-14Cyber Security Solutions for LessRegulated Industries

Douglas CliftonTim JohnsonMichael Martinez

http://twitter.com/cybercompliant | #SoftwareRevolution

http://www.youtube.com/watch?v=SYzKhmWUDrM

http://invensyscybersecurity.blogspot.com/

© 2013 Invensys. All Rights Reserved. The names, logos, and taglines identifying the products and services of Invensys are proprietary marks of Invensys or its subsidiaries.All third party trademarks and service marks are the proprietary marks of their respective owners.

Douglas CliftonTim JohnsonMichael Martinez http://www.youtube.com/watch?v=SYzKhmWUDrM

Agenda

1. Cyber Security Compliance

2. Technology

3. Invensys Critical Infrastructure & Security Practice (CISP)

Slide 3

Cyber Security Compliance

Michael Martinez


What is Cyber Security?

Slide 5

Cyber Security Compliance

Why do it?• Increase safety• Protect intellectual property• Reduce down time• Industry or internal policy• It could be the law

How to do it?• Leverage product security

features• Augment with cyber security

knowledge and solutions• Repeat

Slide 6

Why do it?• Increase safety• Protect intellectual property• Reduce down time• Industry or internal policy• It could be the law

How to do it?• Leverage product security

features• Augment with cyber security

knowledge and solutions• Repeat

It’s all about compliance…

Regulatory requirements

Customer requirements built on customer expectations

Customer compliance

Slide 7

Development

Product security standards

Cyber security solutions

Regulatory requirements

Product v. Client Compliance

Invensys ProductDevelopment Concerns• ISASecure™

• Achilles™

• WIB

• MS SDL

• Etc.

Customer Concerns• NERC CIP

• NEI 08-09

• ISA 99

• NIST SP 800-82

• ISO/IEC 15408

• 6 CFR 27 (CFATS)

• ANSI/AWWA G430

• 49 CFR 195

• API 1164

Invensys fills the GAP between product offering and clientcompliance needs.

Slide 8

Invensys ProductDevelopment Concerns• ISASecure™

• Achilles™

• WIB

• MS SDL

• Etc.

Customer Concerns• NERC CIP

• NEI 08-09

• ISA 99

• NIST SP 800-82

• ISO/IEC 15408

• 6 CFR 27 (CFATS)

• ANSI/AWWA G430

• 49 CFR 195

• API 1164

February 12, 2013 Executive OrderImproving Critical Infrastructure Cyber Security

Sec 6. Consultative Process – calls for DHS to work with existing Sector Coordinating Councils (SCC) or the

transportation sector in the case of pipelines

Sec 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure – Call for NIST to establish a

“Cybersecurity Framework” – within approx 1 year of order (Feb 12,2013)

Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program – temporary

Sec. 9. Identification of Critical Infrastructure at Greatest Risk – within 150 days of order these assets shall

be identified

Sec. 10. Adoption of Framework – within 90 days of final framework, the existing sectors must report on

their ability to comply with framework – special attention to Sec 9 assets

If they do not/cannot comply, then other agencies must step in to define mitigating actions.

Slide 9

Sec 6. Consultative Process – calls for DHS to work with existing Sector Coordinating Councils (SCC) or the

transportation sector in the case of pipelines

Sec 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure – Call for NIST to establish a

“Cybersecurity Framework” – within approx 1 year of order (Feb 12,2013)

Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program – temporary

Sec. 9. Identification of Critical Infrastructure at Greatest Risk – within 150 days of order these assets shall

be identified

Sec. 10. Adoption of Framework – within 90 days of final framework, the existing sectors must report on

their ability to comply with framework – special attention to Sec 9 assets

If they do not/cannot comply, then other agencies must step in to define mitigating actions.

U.S. Critical Infrastructure

Chemical Sector

Commercial Facilities Sector

Communications Sector

Emergency Services Sector

Energy Sector

Financial Services Sector

Information TechnologySector

Nuclear Reactors, Materials,and Waste Sector

Transportation SystemsSector

Slide 10

Critical Manufacturing Sector

Dams Sector

Defense Industrial Base Sector

Food and Agriculture Sector

Government Facilities Sector

Healthcare and Public Health Sector

Transportation SystemsSector

Water and WastewaterSystems Sector

NIST Framework Update

February 12, 2013 Executive Order

Executive Order 13636 – Improving Critical Infrastructure Cyber Security

September 11-13, 2013 Fourth Cyber Security Framework Workshop

Draft Compendium of Informative References

Review of over 320 National and International Standards, Guidelines, Directives, Best

Practices, Models, Specifications, Policies, and Regulations, including input from:

Slide 11

February 12, 2013 Executive Order

Executive Order 13636 – Improving Critical Infrastructure Cyber Security

September 11-13, 2013 Fourth Cyber Security Framework Workshop

Draft Compendium of Informative References

Review of over 320 National and International Standards, Guidelines, Directives, Best

Practices, Models, Specifications, Policies, and Regulations, including input from:

• ANSI• ISA• NERC• API• ISO

• IEC• NEI• NIST• NFPA• OIG

• OLF• OPC• SANS• TIA

Discussion Draft of the Preliminary Cybersecurity Framework, August 28, 2013

The framework complements, and does not replace, anorganization’s existing business or cyber security risk managementprocess and cyber security program. Rather, the organization can use itscurrent processes and leverage the framework to identify opportunities toimprove an organization’s cyber security risk management. Alternatively,an organization without an existing cyber security program can use theframework as a reference when establishing one.

Key Concepts• Framework Core

• Framework Implementation Tiers

• Framework Profile

NIST Framework Concepts

Slide 12

The framework complements, and does not replace, anorganization’s existing business or cyber security risk managementprocess and cyber security program. Rather, the organization can use itscurrent processes and leverage the framework to identify opportunities toimprove an organization’s cyber security risk management. Alternatively,an organization without an existing cyber security program can use theframework as a reference when establishing one.

Key Concepts• Framework Core

• Framework Implementation Tiers

• Framework Profile


Core Tier Profile

NIST Framework Concepts

Slide 13

Core

Functions

Categories

Subcategories

Informative Reference

Tier

0 - Partial

1- Risk Informed

2 - Repeatable

3 - Adaptive

Profile

Establish a Roadmap


Framework CoreFunction Category Subcategory Informative Reference(s)

IDENTIFY

PROTECT

DETECT

RESPOND

Slide 14

RESPOND

RECOVER

14Discussion Draft of the Preliminary Cybersecurity Framework, August 28, 2013

Invensys provides a full lifecycle Cyber Security Methodology,NOT a product-centric point solution like many IT-based securitycompanies do.

Point solutions such as anti-virus software or firewalls on theirown fall short and miss the security target.

The integration of sound cyber security best practices thatencompass best-in-class COTS products provides and enables acomplete and holistic cyber security compliance solution thathits the target.

Products + Consulting = Compliance

Slide 15

Invensys provides a full lifecycle Cyber Security Methodology,NOT a product-centric point solution like many IT-based securitycompanies do.

Point solutions such as anti-virus software or firewalls on theirown fall short and miss the security target.

The integration of sound cyber security best practices thatencompass best-in-class COTS products provides and enables acomplete and holistic cyber security compliance solution thathits the target.

Technology

Tim Johnson


Impact of Cyber Security to Business

• ICS-CERT responded to and investigated198 cyber incidents (compared to 130 in2011)

• The Energy sector was the most targetedindustry in 2012, accounting for 41% ofevents

• The Water sector was the second mosttargeted industry in 2012, accounting for15% of events

• The cyber security response team helpedwith incident responses for 23 oil/naturalgas sector events

• Chemical organizations reported 7incidents to ICS-CERT

• The Nuclear sector reported 6 incidents toICS-CERT

Slide 17

• 90% of companies suffered a cyber attack in the past 12months

• Some suffered multiple• Of all the attacks reported, 41% claimed at least half a

million U.S. dollars ($500,000) in damages• Other reported they were unable to determine their

immediate losses.

• ICS-CERT responded to and investigated198 cyber incidents (compared to 130 in2011)

• The Energy sector was the most targetedindustry in 2012, accounting for 41% ofevents

• The Water sector was the second mosttargeted industry in 2012, accounting for15% of events

• The cyber security response team helpedwith incident responses for 23 oil/naturalgas sector events

• Chemical organizations reported 7incidents to ICS-CERT

• The Nuclear sector reported 6 incidents toICS-CERT

ePolicy Orchestrator (ePO)

Anti Malware

Host Intrusion Detection (HIDS)

Data Loss Prevention (DLP)

Active Directory (A/D)

Hardened OS

Whitelisting

Backup Exec System Recovery

(BESR)

Invensys Recommended IndustrialControl System Security Features

Slide 18

ePolicy Orchestrator (ePO)

Anti Malware

Host Intrusion Detection (HIDS)

Data Loss Prevention (DLP)

Active Directory (A/D)

Hardened OS

Whitelisting

Backup Exec System Recovery

(BESR)

Standards organizations like those in the image below help companies developeffective cyber security strategies. While these organizations have differentapproaches, they all have a common element—to establish a “best practice”approach to cyber security.

Cyber Security Best Practices

Slide 19

Control System Enhancements

Sample Control Systems

• MS Active Directory

• McAfee Suite ePO, AV, DLP,Whitelisting

• Symantec BESR

• Product level patching

• No Fixed Root User

• Hardened OS

• Etc.

Consulting Services

All Process Systems

• Security Best Practices

• Access Control / ADWorkshop

• Technology Workshop

• Disaster Recovery Planning

• System SecurityManagement Controls

• Patch Management (entiresite)

AND

Cyber Security in Industry

Slide 20

Control System Enhancements

Sample Control Systems

• MS Active Directory

• McAfee Suite ePO, AV, DLP,Whitelisting

• Symantec BESR

• Product level patching

• No Fixed Root User

• Hardened OS

• Etc.

Consulting Services

All Process Systems

• Security Best Practices

• Access Control / ADWorkshop

• Technology Workshop

• Disaster Recovery Planning

• System SecurityManagement Controls

• Patch Management (entiresite)

Invensys Industrial Control SystemSecurity FeaturesePolicy Orchestrator (ePO)ePolicy Orchestrator (ePO) is a unifying security management open platform byMcAfee. ePO makes risk and compliance management simpler, enabling clientsto connect security solutions to their enterprise infrastructure to increasevisibility, gain efficiencies, and strengthen protection.

Anti-MalwareVirus scans prevent, detect, and remove malware, including but not limited tosystem viruses, computer viruses, computer worms, Trojan horses, spyware,and adware.

Host Intrusion Detection System (HIDS)Host Intrusion Detection System (HIDS) monitors and analyzes the internals ofa computing system. A host-based IDS monitors all or parts of the dynamicbehavior and the state of a computer system.

Slide 21

ePolicy Orchestrator (ePO)ePolicy Orchestrator (ePO) is a unifying security management open platform byMcAfee. ePO makes risk and compliance management simpler, enabling clientsto connect security solutions to their enterprise infrastructure to increasevisibility, gain efficiencies, and strengthen protection.

Anti-MalwareVirus scans prevent, detect, and remove malware, including but not limited tosystem viruses, computer viruses, computer worms, Trojan horses, spyware,and adware.

Host Intrusion Detection System (HIDS)Host Intrusion Detection System (HIDS) monitors and analyzes the internals ofa computing system. A host-based IDS monitors all or parts of the dynamicbehavior and the state of a computer system.

Invensys Industrial Control SystemSecurity FeaturesData Loss Prevention (DLP)Data Loss Prevention (DLP) systems enable organizations to reduce thecorporate risk of the unintentional disclosure of confidential information.

Active Directory (A/D)Active Directory (A/D) provides a central location for network administrationand security. It authenticates and authorizes all users and computers in aWindows domain type network—assigning and enforcing security policies forall computers and installing or updating software.

Harden OSFactory hardening is a procedure that updates patches and anti-virus softwareand disables unused ports and services. System hardening is necessarybecause default operating system installations focus more on ease of userather than security.

Slide 22

Data Loss Prevention (DLP)Data Loss Prevention (DLP) systems enable organizations to reduce thecorporate risk of the unintentional disclosure of confidential information.

Active Directory (A/D)Active Directory (A/D) provides a central location for network administrationand security. It authenticates and authorizes all users and computers in aWindows domain type network—assigning and enforcing security policies forall computers and installing or updating software.

Harden OSFactory hardening is a procedure that updates patches and anti-virus softwareand disables unused ports and services. System hardening is necessarybecause default operating system installations focus more on ease of userather than security.

Invensys Industrial Control SystemSecurity FeaturesWhitelistingWhitelisting is the opposite of Blacklisting. Whitelists contain onlythose programs you wish to grant access to as opposed to those youdo not. This makes Whitelisting a lot less labor intensive since youonly have to keep up with the applications you know about.

Backup Exec System Recovery (BESR)Centrally manage backup and recovery tasks for multiple desktopsacross the network. Schedule backups to run automatically, includingevent-triggered backups, without disrupting network usage.

Slide 23

WhitelistingWhitelisting is the opposite of Blacklisting. Whitelists contain onlythose programs you wish to grant access to as opposed to those youdo not. This makes Whitelisting a lot less labor intensive since youonly have to keep up with the applications you know about.

Backup Exec System Recovery (BESR)Centrally manage backup and recovery tasks for multiple desktopsacross the network. Schedule backups to run automatically, includingevent-triggered backups, without disrupting network usage.

The CTM Module is a unique offering fromthe Invensys Cyber Security team.

• Combination of “Best-in-Class” firewallplus Invensys’ in-depth industry andcyber security knowledge

• Focuses on the Water, Power, Oil/GasPipeline, and Manufacturing industries

• Comes with Invensys’ pre-configuredrule sets for each focus industry

• Each CTM is pre-bundled to ensure fastturn around

Cyber Threat Management (CTM) Module

Slide 24

The CTM Module is a unique offering fromthe Invensys Cyber Security team.

• Combination of “Best-in-Class” firewallplus Invensys’ in-depth industry andcyber security knowledge

• Focuses on the Water, Power, Oil/GasPipeline, and Manufacturing industries

• Comes with Invensys’ pre-configuredrule sets for each focus industry

• Each CTM is pre-bundled to ensure fastturn around

Cyber Threat Management ModuleAll pre-bundled as part of the Invensys CTM

ForiWifi 60CMWireless or non-wireless operation

FortiGuardAnti-virusIntrusion PreventionWeb filteringAnti-spamApplication ControlVulnerability scanIPSec and SSL VPNData Loss PreventionDevice Awareness

FortiClientEnd Point Management

Wifi802.11a/b/g/n (multi SSID)

FortiWifi 60CM Features

Slide 25

All pre-bundled as part of the Invensys CTM

ForiWifi 60CMWireless or non-wireless operation

FortiGuardAnti-virusIntrusion PreventionWeb filteringAnti-spamApplication ControlVulnerability scanIPSec and SSL VPNData Loss PreventionDevice Awareness

FortiClientEnd Point Management

Wifi802.11a/b/g/n (multi SSID)

Why SQL Server Hardening?

Slide 26

…SQL Injection is the #1 server attack!

SQL Server Hardening ServiceServer hardening is one of the most importanttasks to be done on your servers. Most server “outof the box” configurations are not designed withsecurity in mind. SQL servers should be seen ascritical assets and any compromise to them couldresult in significant loss to business andproduction.

Some of the threats to a SQL server are:• Indirect attack—SQL injection• Direct—exploit attack• Cracking SA Password• Direct—exploit attack• Google hacks

SQL server hardening is critical toany cyber security initiative and ispart of many regulatory complianceprograms.

Slide 27

Server hardening is one of the most importanttasks to be done on your servers. Most server “outof the box” configurations are not designed withsecurity in mind. SQL servers should be seen ascritical assets and any compromise to them couldresult in significant loss to business andproduction.

Some of the threats to a SQL server are:• Indirect attack—SQL injection• Direct—exploit attack• Cracking SA Password• Direct—exploit attack• Google hacks

SQL server hardening is critical toany cyber security initiative and ispart of many regulatory complianceprograms.

IIS servers are a favorite target of hackers.Research shows that 75% of cyber attacksoccur at the application level.

Business and Industry pay a heavy cost forthese security failures:• Cost of server clean-up• Cost of data loss• Cost of lost business opportunities• Cost of reduced productivity

Server hardening not only provides securitybut also establishes a baseline for all serverplatforms assisting with maintenance,patching, and planning.

IIS Server Hardening

Slide 28

IIS servers are a favorite target of hackers.Research shows that 75% of cyber attacksoccur at the application level.

Business and Industry pay a heavy cost forthese security failures:• Cost of server clean-up• Cost of data loss• Cost of lost business opportunities• Cost of reduced productivity

Server hardening not only provides securitybut also establishes a baseline for all serverplatforms assisting with maintenance,patching, and planning.

Do I Need an Assessment?

Slide 29

…64% of companies expect to be hacked!Source: Bit9, Verizon Threat Report

Most organizations think of anti-virus software,firewalls, and hardening when they think ofsecurity. However, few think of a SecurityAssessment as part of their overallcomprehensive security program.

They are often faced with a number ofchallenges:• Knowing their current security position• Determining their vulnerability level,

exposure, and possible impact• Experiencing inability to monitor who has

access to their network and critical assets• Enhancing their existing security strategy

Security Assessment

Slide 30

Most organizations think of anti-virus software,firewalls, and hardening when they think ofsecurity. However, few think of a SecurityAssessment as part of their overallcomprehensive security program.

They are often faced with a number ofchallenges:• Knowing their current security position• Determining their vulnerability level,

exposure, and possible impact• Experiencing inability to monitor who has

access to their network and critical assets• Enhancing their existing security strategy

Invensys Enhanced Solutions

ActiveDirectory

CentralizedBack Up

& Restoration

PatchManagement

NetworkManagement/ePO

RelayServer

Firewall‘Secure Zone’

Slide 31

OTS

NetworkManagement/ePO

LogManagement

Secure FileServer

TriStation‘Compliance’

NetworkInfrastructure

• Active Directory (A/D) Workshop• Technology Roadmap• Procedures/SOPs• Secure Zones• Centralized Backups• Event Logging• Patch Management• Network Management• Remote Access Relay Server• Managed Secure Services

The Invensys cyber security team offers a comprehensive list ofcyber security solutions to help address any internal needs,regulatory requirements, or program mandates. All of theseelements are synergistic, providing not only a broad scope ofsecurity but also the defense-in-depth necessary for true cybersecurity compliance. Our most common solutions include:

Invensys cyber security team provides security solutionsCyber Security Solutions

Slide 32

• Active Directory (A/D) Workshop• Technology Roadmap• Procedures/SOPs• Secure Zones• Centralized Backups• Event Logging• Patch Management• Network Management• Remote Access Relay Server• Managed Secure Services

Invensys Critical Infrastructure andSecurity Practice

Doug Clifton


Cyber Security Consulting

• Providing cyber security services in Industrial Automation since 2001

• Largest vendor-based Industrial Control Security Group in the market

• Delivering cyber solutions to a global customer base

• Experienced with IT technologies but with a Process Automation mindset

Why Invensys?

Slide 34

CISP Certifications• CISSP• CCNA• CCDA• CEH• ECS• NNCDA• CCNP• CCS1• CCSA

Invensys Critical Infrastructure &Security Practice (CISP)

• CWNA• CCFE• MCSE• CISM• CISA• CCSE• OSCP• CCIE• plus others

Slide 35

CISP Certifications• CISSP• CCNA• CCDA• CEH• ECS• NNCDA• CCNP• CCS1• CCSA

We are a very active business within Invensys.Currently active projects (August 2013):

• 31 embedded projects

• 21 CISP-only projects

• CWNA• CCFE• MCSE• CISM• CISA• CCSE• OSCP• CCIE• plus others

Platform IndependentThe CISP solution portfolio will work on ANY control system platform,expanding the market beyond the traditional Invensys customer base.

Network AgnosticThe CISP solution portfolio can be deployed on any network topology ortechnology, independent of network lifecycle, due to the lifecyclemethodology of the solution portfolio.

Industry RelevantThe CISP solution portfolio is applicable to any industrial manufacturingindustry, whether the focus is on cyber security compliance or networksystems optimization.

Solution EcosystemCISP is greater than the sum of its parts: cyber security consulting, networkcompliance, regulatory experts, auditors, network systems design andimplementation, system integrators, and trusted advisors.

What Makes CISP Unique?

Slide 36

Platform IndependentThe CISP solution portfolio will work on ANY control system platform,expanding the market beyond the traditional Invensys customer base.

Network AgnosticThe CISP solution portfolio can be deployed on any network topology ortechnology, independent of network lifecycle, due to the lifecyclemethodology of the solution portfolio.

Industry RelevantThe CISP solution portfolio is applicable to any industrial manufacturingindustry, whether the focus is on cyber security compliance or networksystems optimization.

Solution EcosystemCISP is greater than the sum of its parts: cyber security consulting, networkcompliance, regulatory experts, auditors, network systems design andimplementation, system integrators, and trusted advisors.

• We can support our clients’ roadmap by assisting with theircompliance requirements.

• Our customers have requirements. We don’t want them to go italone.

• Critical time in the market; we have the skills to grow business.

• It’s a market differentiator.

Cyber Security Consulting

Slide 37

• We can support our clients’ roadmap by assisting with theircompliance requirements.

• Our customers have requirements. We don’t want them to go italone.

• Critical time in the market; we have the skills to grow business.

• It’s a market differentiator.

• Program definition

• Assessment

• Remediation

• Program deployment

• Audit preparation

• Audit support

The Invensys cyber security team partners with clientsthroughout the compliance lifecycle.

Partnering for Compliance

Slide 38

• Program definition

• Assessment

• Remediation

• Program deployment

• Audit preparation

• Audit support

Implement a cyber security program.

Align cyber security programs withimplementation of upgrades.

Maintain compliance to current andfuture cyber security regulations.

Plan for Cyber Security

Slide 39

Implement a cyber security program.

Align cyber security programs withimplementation of upgrades.

Maintain compliance to current andfuture cyber security regulations.

1. Our clients have compliance requirements larger in scope thansecure products alone can provide.

2. We have a comprehensive solution that includes:• Compliance with industry standards• Products designed with security• Cyber security experts and delivery/support personnel• Enhanced solutions to meet clients’ cyber security program

needs

3. We are vigilant. Our cyber security solutions will meet thechallenging industrial landscape.

Summary

Slide 40

1. Our clients have compliance requirements larger in scope thansecure products alone can provide.

2. We have a comprehensive solution that includes:• Compliance with industry standards• Products designed with security• Cyber security experts and delivery/support personnel• Enhanced solutions to meet clients’ cyber security program

needs

3. We are vigilant. Our cyber security solutions will meet thechallenging industrial landscape.

“Safety and cyber security are job one at Invensys.”- Mike Caliel, President & CEO Invensys

INDUSTRY• High-cost prevention• High skills• Static networks• Cyber security is not

what they do

The Cyber Security Problem…this is why we do what we do

Slide 43

HACKERS• Low-cost tools• Low skills• Dynamic landscape• Hacking is all they do

Cyber Threat Management Module

Slide 44

Source: Hackmageddon

Motivations Behind Attacks47% Cyber Crime46% Hacktivism4% Cyber Warfare3% Cyber Espionage

100100% Targeted!% Targeted!

ppt template - iom.invensys.comiom.invensys.com/en... · the invensys cyber security team offers a...

Documents