IBM & Security Industry. Point Of Views
IV Congreso Internacional de Ciberseguridad Industrial, Buenos Aires, 2 June 2015
Santiago Cavanna, IBM Security BU Argentina, Uruguay, Paraguay, [email protected], @scavanna
© 2015 IBM Corporation




Energy and Utilities & Security: The IBM Point of View

Shifts in energy policy, technology, and consumer focus, driven by concerns about energy security, environmental sustainability, and economic competitiveness, are creating a much more dynamic environment. Utility companies are investing to modernize their infrastructure, improve generation performance and enable new business models with their customers. But as companies move their business toward smart grid technology, they face a growing threat of cyber attacks, because the amount of infrastructure, and with it the number of potential failure points along the grid, increases. Added to this are the need to secure assets and prevent data theft and the pressure of complex regulatory requirements, which together drive companies to manage their risk by focusing on a few key areas.

Secure smart meters and their networks: communications service providers have decades of experience in secure networking, but securing the mesh networks that move data and control-signal traffic between a utility and the thousands or millions of smart meters it operates is a new domain, especially for utilities. Strategy: implement endpoint management controls to detect devices on the network and automate patch management.

Protect critical infrastructure: critical infrastructure is becoming a primary target for cyber attacks; aging equipment and the migration to IP-based ICS networks create new points of weakness that attackers can use. Strategy: combine security intelligence and continuous monitoring for greater visibility and control.

Secure web applications and customer data: web portals and smart meter applications can have weaknesses in their code that become a gateway to back-end data. Strategy: test applications regularly for code vulnerabilities that could expose customer data.

Shifting regulatory requirements: organizations are challenged to identify all critical assets and their interconnections in order to report adequate proof of compliance against NIST guidance. Strategy: conduct a critical infrastructure security assessment to understand the compliance posture and help the organization prioritize its security investments.


How IBM Can Help: IBM has built and secured dozens of AMI smart meter networks around the world and has the skills and expertise to secure carrier-class substation networks. IBM has advised utilities on how to secure and protect their OT networks and systems, has a portfolio of market-leading software offerings and services, and is well placed to assess a client's security needs and deliver the right solution to stop advanced threats, protect critical data, optimize security operations, safeguard cloud and mobile initiatives and help strengthen regulatory compliance.

IBM Security capabilities
• Secure critical infrastructure more effectively with real-time monitoring and security intelligence
• Centrally manage user identity and access management across diverse systems and organizations
• Simplify and secure application access from inside and outside the organization
• Effective governance and compliance reporting
• Prevent the distribution of malware throughout the smart grid network through effective endpoint management
• Implement threat and risk analysis for smart grid infrastructure

Learn More
• IBM Security Point of View
• 2014 Cyber Security Intelligence Index for Energy and Utilities
• 2014 X-Force Threat Intelligence Report
• 2014 IBM CISO Assessment Report
• IBM Security Client Reference Guide


End to End Security in Utilities

The slide is a matrix of security domains against the concerns a utility has to cover (* not all intersections shown).

Security domains: confidentiality, integrity & availability; physical security; operations & processes; AMI & HAN security; incident management; SCADA security; key management; firmware updates; regulatory compliance.

Concerns placed on the matrix:
• Meter reliability, meter data validity, meter availability
• Confidentiality of customer personal information
• AMI malware, cyber attacks
• Prevent HAN devices from attacking the grid
• Unauthorized meter disconnects/connects
• Prevent physical abuse of assets (remote substation); video surveillance
• Secure communication links
• Prevent power pilferage
• Protect sensitive assets
• Employee background checks
• Prevent accidents
• Meter theft
• Securely manage peak demand
• Accurate billing
• SCADA network security
• Reliable communication
• Generating, transmission & distribution network
• Critical asset discovery & identification
• Data center network, system, application and data security
• Context-sensitive access control
• Asset & configuration management
• Service availability & performance management


Energy & Utility Potential Problem Areas
• Increased internal, industry, and government security policies, standards, and regulations
• Logical and physical integration requirements
• An increased number of end users and devices accessing your networks, applications, and data
• Threats of viruses, worms, and Internet attacks
• Regulatory requirements: FERC, NERC, SOX
• Varied locations and sources of identity information (native systems)
• Unauthorized/undetected use of applications and systems
• Challenges and risks inherent in next-generation intelligent networks
• Improve operational efficiency and manage costs
• Protect security and privacy of critical assets


Who is attacking our networks?


Points of Access for Vulnerabilities
• Regulators
• Industrial Control System vendors (SCADA)
• Software (operating systems and applications)
• Vendor vulnerabilities: security patches break product certification
• Operator control via remote access (modem and TCP/IP) for maintenance and/or multiple-site readiness
• Any interface (software to software or system to system) is a prime target


Security for Industrial Control Systems (SCADA): ICS security based on IEC 62443 (slide © ABB Inc., June 3, 2015, slide 8)

Layered controls shown on the slide: physical security controls, cyber security controls, security controls.

Isolate networks, applications and control data with firewalls and proxies. The slide labels this "air-gap"; note that a firewall- or proxy-segmented network is a controlled connection, not an air gap, and should be monitored as such.


Which Operational Technology (OT) systems are we talking about?
• Field sensors
• IEDs
• T&D control systems (SCADA)
• Energy Management Systems (EMS)
• Distribution Management Systems (DMS)
• Outage Management Systems (OMS)
• Demand Response Systems
• Smart Grid communications equipment (SCADA)
• Meter Data Management Systems (MDMS)
• Asset Management (e.g., Maximo)
• Ops Centers (e.g., NOCs, SOCs)
• DCS and PLC systems in generating plants

Control Systems: Past & Present


A TCP/IP Enabled World
• Process Control Systems (PCS) are migrating to TCP/IP networks
• SCADA and DCS typically rely on "wrapped" protocols: analog control and reporting protocols embedded in digital protocols
  – Encryption and command integrity limitations
  – Poor selection of TCP/IP protocols
• Problems with patching embedded operating systems
  – Controllers typically run outdated OSs
  – Security patches and updates not applied
  – Difficulty patching the controllers


Miniaturization and Bridging Networks
• Professional attack tools are small enough to fit on a standard smartphone
  – Designed to "audit" and exploit discovered vulnerabilities
  – Wireless or wired attacks, and remote control
• Smartphones are also targeted: contact information, bridge to the network

(image: handheld hacking devices)


Bridging Networks
• Softest targets appear to be the control centers: greatest use of "PC" systems, frequent external connectivity, entry point to critical plant systems
• Bridging control centers and the plant operational framework: network connectivity for ease of operational control
• Reliance on malware to proxy remote attacks


Proliferation of Networked Devices
• Switch from analog to digital controls
• Incorporation of network standards: TCP/IP communications, wireless communications
• Replacement SKU parts include new features "free"
  – Additional features may be "on" by default
  – May be turned on by engineers

(figure: from analog to digital (+ networked); wireless integration)


Wireless RF / WiFi Attacks
• Increased use of wireless technologies
• Large security research focus: a common topic/stream at hacking conferences; packet radio software
• New tools and software to attack and eavesdrop on any RF transmission
• Community-based sharing of findings: tools and guides on long-range interception of wireless technologies

(image caption: a 14.6 dBi Yagi antenna that can make a WiFi connection from 10 miles)


ICS versus IT and Security

Industrial Control Systems (ICS) | IT Systems
Protects the ability to operate safely and securely | Protects the data on the client and in transit
The end user is a computer | The end user is a human
A decentralized system to ensure availability/reliability | A centralized system to achieve economy of scale
Remote access is available to field devices | Limited remote access
Source code is often sold with the system | Source code is limited and protected
Long life cycles | Relatively short life cycles
Not patchable | Patchable


Finding Holes: Penetration Testing (remote) and Security Assessment (local)

National and international: 15-20 unique security assessments in the last 5 years

America's Hackable Backbone. The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant's owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM's Internet Security Systems, found otherwise.

"It turned out to be one of the easiest penetration tests I'd ever done," he says. "By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, 'Gosh. This is a big problem.'"

Forbes, August 22nd 2007


Common Security Assessment Findings
• Weak protocols leave systems vulnerable
• PCS networks lack overall segmentation
• PCS networks lack antivirus protection
• Standard operating systems leave the device open to well-known security vulnerabilities
• Most IP-based communications within the PCS network are not encrypted
• Most PCS systems have limited-to-no logging enabled
• Many organizations still rely heavily on physical security measures
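The "wrapped protocol" limitation from the TCP/IP slide and three of the findings above (weak protocols, unencrypted traffic, little or no logging) come down to one property that is easiest to see in bytes. The block below is an added example written for this page, not IBM or vendor code: it encodes and decodes Modbus/TCP request frames, shows that a forged write is byte-for-byte identical to a legitimate one, and then applies the source-based allow/alert policy and log line that a passive monitor at the segmentation boundary would produce. The host addresses, the engineering/HMI roles and the captured frames are constructed for the example.

```python
"""Modbus/TCP as a "wrapped" protocol: the serial Modbus application PDU is
carried unchanged inside a 7-byte MBAP header on TCP/502.  Nothing in the frame
authenticates the sender or protects integrity, so a forged write is
byte-for-byte identical to a legitimate one.  The compensating controls live
outside the protocol: who may reach TCP/502 and whether writes are logged.
Added illustrative code; host roles and addresses below are assumptions."""
import struct
from dataclasses import dataclass

MODBUS_PORT = 502
FC_READ_HOLDING_REGS = 0x03
FC_WRITE_SINGLE_REG = 0x06
# Function codes that change process state (coils/registers): the ones a
# monitor should log and restrict.
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}

# Assumed site policy: one engineering workstation may write, HMIs may read.
ENGINEERING_HOSTS = {"10.1.1.10"}
HMI_HOSTS = {"10.1.1.20", "10.1.1.21"}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def encode_request(req: ModbusRequest) -> bytes:
    """MBAP header (tid, protocol id 0, length, unit id) followed by the PDU.
    The length field counts unit id + PDU, hence len(pdu) + 1."""
    pdu = bytes([req.function_code]) + req.data
    mbap = struct.pack(">HHHB", req.transaction_id, 0, len(pdu) + 1, req.unit_id)
    return mbap + pdu


def decode_request(frame: bytes) -> ModbusRequest:
    """Parse an MBAP frame; reject malformed headers before touching the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(tid, unit, frame[7], bytes(frame[8:]))


def write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    return encode_request(ModbusRequest(tid, unit, FC_WRITE_SINGLE_REG,
                                        struct.pack(">HH", address, value)))


def read_holding_registers(tid: int, unit: int, address: int, count: int) -> bytes:
    return encode_request(ModbusRequest(tid, unit, FC_READ_HOLDING_REGS,
                                        struct.pack(">HH", address, count)))


def classify_frame(src_ip: str, dst_port: int, frame: bytes) -> tuple:
    """Passive monitor verdict ('allow' | 'alert', reason).  Because the
    protocol carries no identity, the decision can only key on network
    position (source address), which is itself spoofable on a flat network."""
    if dst_port != MODBUS_PORT:
        return ("allow", "not Modbus/TCP")
    try:
        req = decode_request(frame)
    except ValueError as exc:
        return ("alert", f"malformed Modbus frame from {src_ip}: {exc}")
    fc = f"fc=0x{req.function_code:02x}"
    if req.function_code in WRITE_FUNCTION_CODES:
        if src_ip in ENGINEERING_HOSTS:
            return ("allow", f"{fc} write from engineering host {src_ip}")
        return ("alert", f"{fc} write from non-engineering host {src_ip}")
    if src_ip in ENGINEERING_HOSTS | HMI_HOSTS:
        return ("allow", f"{fc} read from known host {src_ip}")
    return ("alert", f"{fc} read from unknown host {src_ip}")


def log_line(ts: str, src_ip: str, dst_ip: str, frame: bytes) -> str:
    """The record most PCS deployments never produce: who wrote what, where."""
    verdict, reason = classify_frame(src_ip, MODBUS_PORT, frame)
    return f"{ts} modbus {src_ip}->{dst_ip}:{MODBUS_PORT} {verdict.upper()} {reason}"


def demo() -> list:
    """Constructed traffic: the same write frame seen from two sources."""
    frame = write_single_register(tid=1, unit=1, address=0x0010, value=0)
    # The copy sent from the attacker's host decodes to exactly the same request.
    assert decode_request(frame) == decode_request(bytes(frame))
    return [
        log_line("2015-06-02T10:00:00Z", "10.1.1.10", "10.1.2.5", frame),
        log_line("2015-06-02T10:00:01Z", "10.1.1.99", "10.1.2.5", frame),
        log_line("2015-06-02T10:00:02Z", "10.1.1.20", "10.1.2.5",
                 read_holding_registers(tid=2, unit=1, address=0, count=4)),
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```

Because the forged write and the legitimate write are the same bytes, the monitor can only key on where the frame came from. That is why the findings pair up: segmentation makes the source address mean something, and logging of write function codes gives the incident responder something to reconstruct from.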


Not a technical problem, but a business challenge
• Many breaches could have been prevented
• However, significant effort is required to inventory, identify and close every vulnerability
• Financial and operational resistance is always encountered, so how much of an investment is enough?


The IBM Security Portfolio

Security Intelligence and Analytics
• Products: QRadar SIEM; QRadar Log Manager; QRadar Risk Manager; QRadar Vulnerability Manager; QRadar Incident Forensics
• Services: Emergency Response; Managed SIEM; Incident Planning; Cyber Threat Intel; Security Operations Center Design Services

Products, by domain
• People: Identity and Access Governance; Identity and Access Management; Privileged Identity Management; Federated Access and SSO
• Data: Guardium Data Security; Guardium Database Vulnerability Mgmt; Guardium / Optim Data Masking; Key Lifecycle Manager
• Applications: AppScan Source; AppScan Dynamic; DataPower SOA Security; Security Policy Manager
• Network: Network Intrusion Prevention; Next Generation Network Protection; SiteProtector Threat Management; Network Anomaly Detection
• Infrastructure and Endpoint: Trusteer Apex; Mobile & Endpoint Management; Virtualization and Server Security; Mainframe Security
• Advanced Fraud Protection: Trusteer Rapport; Trusteer Pinpoint Malware Detection; Trusteer Pinpoint ATO Detection; Trusteer Mobile Risk Engine
• Underpinning the portfolio: IBM X-Force and Trusteer Threat Intelligence

Services, by domain
• Strategy, Risk and Compliance: Security Maturity Benchmarking; Security Strategy and Roadmap Development; Security Risk Assessment and Program Design; Industrial Controls (NIST, SCADA); Payment Card Advisory (PCI)
• People: Identity Strategy and Assessment; User Provisioning and Access Mgmt; Total Authentication Solution; Managed and Cloud Identity
• Data: Data Security and Assessment; Encryption; Data Loss Prevention
• Applications: Embedded Device Testing; Penetration Testing; Application Security Assessment; Mobile Application Testing
• Network, Infrastructure and Endpoint: Firewall / IDPS / UTM Management; Web Protection and Managed DDoS; Hosted Web, E-mail and Vulnerability Management; Deployment and Migration; Staff Augmentation
• Cybersecurity Assessment and Response: Threat Intelligence Advisory; X-Force Threat Analysis; Penetration Testing; Incident Preparation; Emergency Response


QRadar SIEM Product Tour: Flows for Network Intelligence
• Detection of zero-day attacks that have no signature
• Policy monitoring and rogue server detection
• Visibility into all attacker communication
• Passive flow monitoring builds asset profiles and auto-classifies hosts
• Network visibility and problem solving (not just security related)


QRadar SIEM Product Tour: Flows for Application Visibility
• Flow collection from native infrastructure
• Layer 7 data collection and analysis
• Full pivoting, drill-down and data mining on flow sources for advanced detection and forensic examination
• Visibility and alerting according to rule/policy, threshold, behavior or anomaly conditions across network and log activity
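What "passive flow monitoring builds asset profiles and auto-classifies hosts", "rogue server detection" and behavior-based alerting look like in code, as an added example for this page and not QRadar's implementation: the block learns a per-host profile from a baseline window of flow records, derives each host's role from that behavior alone, and then flags deviations in a later window with no signature involved. The flow records, addresses and the choice of TCP/502 and TCP/20000 as the site's control ports are constructed assumptions, and the collector is assumed to have already normalised direction so that src is the initiator.

```python
"""Passive flow analysis: learn an asset profile for every host from flow
records, classify hosts by observed role, then alert on behaviour rather than
on a signature.  Added illustration, not QRadar code.  Assumptions: flows are
already direction-normalised (src = initiator) and TCP/502 (Modbus/TCP) and
TCP/20000 (DNP3) are this site's control protocols."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

CONTROL_PORTS = {502, 20000}  # assumption: the site's control protocol ports


@dataclass(frozen=True)
class Flow:
    ts: int           # epoch seconds (constructed)
    src: str          # initiator
    dst: str          # responder
    dport: int        # service port on the responder
    proto: str
    total_bytes: int


@dataclass
class AssetProfile:
    served_ports: Set[int] = field(default_factory=set)           # ports accepted as responder
    contacted: Set[Tuple[str, int]] = field(default_factory=set)  # (dst, dport) this host initiated

    def role(self) -> str:
        """Auto-classification from observed behaviour alone."""
        if self.served_ports and not self.contacted:
            return "server"
        if self.served_ports:
            return "server+client"
        return "client"


def build_profiles(flows: List[Flow]) -> Dict[str, AssetProfile]:
    """Baseline window: every host seen in either direction gets a profile."""
    profiles: Dict[str, AssetProfile] = defaultdict(AssetProfile)
    for f in flows:
        profiles[f.dst].served_ports.add(f.dport)
        profiles[f.src].contacted.add((f.dst, f.dport))
    return dict(profiles)


def classify_assets(profiles: Dict[str, AssetProfile]) -> Dict[str, str]:
    return {host: p.role() for host, p in profiles.items()}


def detect(profiles: Dict[str, AssetProfile], flows: List[Flow]) -> List[Tuple[str, str, str, int]]:
    """Compare a later window against the baseline.  Returns
    (finding, src, dst, dport) tuples, de-duplicated in first-seen order."""
    alerts: List[Tuple[str, str, str, int]] = []
    seen = set()
    for f in flows:
        findings = []
        dst_profile = profiles.get(f.dst)
        if dst_profile is None:
            findings.append("new-asset")                   # responder never profiled
        elif f.dport not in dst_profile.served_ports:
            findings.append("rogue-service")               # known host, new listening port
        src_profile = profiles.get(f.src)
        if src_profile is None:
            findings.append("unknown-initiator")
        else:
            if src_profile.role() == "server":
                findings.append("server-initiated-outbound")   # a PLC should never dial out
            if f.dport in CONTROL_PORTS and (f.dst, f.dport) not in src_profile.contacted:
                findings.append("new-control-client")          # new talker to a control port
        for kind in findings:
            key = (kind, f.src, f.dst, f.dport)
            if key not in seen:
                seen.add(key)
                alerts.append(key)
    return alerts


# Constructed baseline: HMI and engineering workstation poll the PLC, the HMI
# writes to the historian, an office host reads the historian's web front end.
BASELINE_FLOWS = [
    Flow(1000, "10.1.1.20", "10.1.2.5", 502, "tcp", 1200),
    Flow(1001, "10.1.1.10", "10.1.2.5", 502, "tcp", 900),
    Flow(1002, "10.1.1.20", "10.1.3.7", 1433, "tcp", 50000),
    Flow(1003, "10.2.0.15", "10.1.3.7", 443, "tcp", 8000),
]

# Constructed later window: one normal poll, an office host reaching Modbus,
# the PLC beaconing to an external address, and the HMI connecting to a new
# listener on the engineering workstation (twice, to show de-duplication).
NEW_FLOWS = [
    Flow(2000, "10.1.1.20", "10.1.2.5", 502, "tcp", 1100),
    Flow(2001, "10.2.0.15", "10.1.2.5", 502, "tcp", 300),
    Flow(2002, "10.1.2.5", "203.0.113.9", 443, "tcp", 4200),
    Flow(2003, "10.1.1.20", "10.1.1.10", 4444, "tcp", 65000),
    Flow(2004, "10.1.1.20", "10.1.1.10", 4444, "tcp", 70000),
]


def run_example() -> List[Tuple[str, str, str, int]]:
    return detect(build_profiles(BASELINE_FLOWS), NEW_FLOWS)


if __name__ == "__main__":
    for host, role in sorted(classify_assets(build_profiles(BASELINE_FLOWS)).items()):
        print(f"{host:<12} {role}")
    for alert in run_example():
        print(alert)
```

Three of the four findings (the office host talking Modbus, the PLC dialling out, the new listener on the engineering workstation) would be missed by any signature-based control, because nothing in those flows is malicious on its face; they stand out only against what the baseline says each host normally does.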
