Evolving Security in Process Control

© Lockheed Martin

4th Annual Cyber Security Summit – Energy & Utilities

Abu Dhabi

March 30, 2015

Not ‘If’ but ‘When’

“Your IT systems may have already been compromised, attackers could already have your new product plans, bidding positions or research, they may already be running your process control systems.”

Sir Iain Lobban, Director General, GCHQ, Sept 2012

“There are two kinds of companies. There are those who've been hacked, and those who don't know they've been hacked.”

James Comey, Director, FBI

Cyber Attack Impacts Whole Value Chain

[Figure: value chain diagram with the labels Business, Production, Control Systems, Customers, Security Incident, Impact]

Growth in Targeted Attacks

• Night Dragon - 2011
• Shamoon - 2012
• Energetic Bear - 2012
• Norwegian Oil & Gas - 2014
• German steel works - 2014

Just the Tip of the Iceberg

For every major incident that makes the news, many more smaller incidents go unreported

Rapidly Changing Threat Landscape

• New vulnerabilities
• Readily available exploit kits
• Hacktivists
• State sponsored activities
• BYOD
• Mobile devices
• Cloud access from anywhere
• Growth in social media
• Internet of Things
• Advanced Persistent Threats (APTs)

Top Threats

• Malicious Insider 37%
• Criminal Syndicates 26%
• Nation State Sponsored 19%

Intelligence Driven Cyber Defence, Ponemon Institute LLC, February 2015

Top Impacts

• Lost Intellectual Property
  – Geoscience data
• Reputation Damage
  – Joint Ventures
  – Customers
  – Government
• Business Disruption
  – Lost production
  – Incident investigation
• Damage to Critical Infrastructure
  – HSE
  – Cost of repair

Intelligence Driven Cyber Defence, Ponemon Institute LLC, February 2015

Internet Accessible Control Systems

241 locations

>52,000 IP addresses

Prevention is ideal but detection is a must

However, detection without response has minimal value

Would you know if your system was compromised?

Average time from compromise to detection 14 months

The Need to Evolve

[Figure: control system network diagram with the labels Engineering workstation, HMI, Manual shutdown, F&G, ESD, Shutdown signal, PI server, Remote monitoring, PI server, File server, Antivirus server, Patch server, Remote access server, Offline Malware Analysis, Privilege Access Management & Session Recording, SIEM/ID server]

“We have a firewall and anti-virus software. We’re safe.”

NO! YOU ARE NOT SAFE

The insider is already the wrong side of your firewall – with your approval

Security Evolution

Foundational Security Technologies

Basic Security

Compliant Security (Reactive)

Sustainable Security (Proactive)

Intelligence Driven Defense® (Predictive)

Procedures and Documentation

Automation and Efficient IT/OT Process Integration

Cyber Intelligence integrated in Operations

Compliance driven (ISO27001), COTS products, “set it and forget it”

Add good security practices, use SIEM to monitor & respond to alerts

Integrate IT & OT security, use available intelligence

See what’s coming at you, anticipate, generate & share intelligence

80%

20%

Foundational Security

End Point Security, Network Security

Reactive

Looking inwards at vulnerability and managing impact to confidentiality, integrity and availability. This typically results in reactive actions after an intrusion has taken place.

Address 80% Threat

Intelligence Driven Defense®

Threat Focused

This builds on foundational security. It looks outwards at the specific adversaries attacking your enterprise and intimately understanding/analysing their tactics, techniques and procedures. This allows you to proactively take a defensive course of action.

Proactively address 20% and 80% Threat

Understand the Threat Landscape

Campaign analysis is used to determine the patterns and behaviours of the intruders

LM Cyber Kill Chain® Campaign Heat Map

• Group intrusions together into “Campaigns”
• Prioritize and measure against each campaign

Critical Success Factors

• Basic security measures essential
  – Reduce attack surface
  – Maintain signatures, patches, firewalls, etc.
• People
  – End users are part of your defences – train & test them
  – Your adversaries are people. You need people who understand their tactics, techniques & procedures (TTP) – train & test them
• Governance
  – Management focus on security
  – Ensure response capability is in place (you will need it) – train & test them
  – Measure success

Remember…

Security is a journey, not a destination

Thank you

Andrew Wadsworth, GICSP

Head of Process Control Security

Lockheed Martin

andrew.wadsworth@civil.lmco.com

Johnstone House

52-54 Rose Street

Aberdeen

AB10 1UD

United Kingdom

Office +44 1224 611040

Mobile +44 7914 356962

Scott Keenon

Business Development Manager

Lockheed Martin

scott.keenon@civil.lmco.com

Johnstone House

52-54 Rose Street

Aberdeen

AB10 1UD

United Kingdom

Office +44 1224 611052

Mobile +44 7968 793353
