
5 SECURITY IMPERATIVES FOR POWER EXECUTIVES
RESPONDING TO DEPARTMENT OF HOMELAND SECURITY RECOMMENDATIONS

GE Power Digital Solutions © 2016 General Electric Company. All rights reserved.


In September 2015, the Department of Homeland Security (DHS) published a fact sheet, ICS Cybersecurity for the C-Level. It urges C-level executives in the industrial sector to put cyber security at the forefront of their plans, while also offering some practical advice.

The fact sheet outlines the growing rate and sophistication of malware attacks, citing Havex and BlackEnergy as examples. Havex, which operates as a Remote Access Trojan (RAT), can inject unauthorized control commands into ICS/SCADA devices and cause denial of service in critical infrastructure (e.g., water, energy); BlackEnergy, another trojan, can compromise Human Machine Interface (HMI) software to gain access to control systems. The DHS fact sheet lists the questions that every C-level executive should be considering for OT cyber security. These questions represent the fundamentals that require immediate action to:

• Maintain a continuously updated secure perimeter across plant assets — both physical and systems

• Institute mechanisms for intrusion detection with action plans for mitigation once attacks are in progress

• Train personnel in proper security procedures and system processes

• Mitigate business risk and ensure continuous operation, avoiding unplanned downtime.

Read on to learn the 5 imperatives every power executive needs to know to proactively address the DHS questions.

$243 billion to $1 trillion: impact to the US economy of an electricity blackout across 15 US states affecting 93 million people. Source: Lloyd's Emerging Risk Report, 2015

The Threats Are Real:

91%: In 2013, 91% of power generation organizations had experienced a cyber attack. [1]

$1M: The average cost of each NERC CIP violation. [2]

40%: 40% of all cyber attacks are targeting the energy sector (the second largest vertical). [3]

31%: 31% of power generation executives named security as one of the top 3 barriers to the use of data and analytics. Source: Industrial Internet Report for 2015, GE and Accenture


IMPERATIVE 1: DOCUMENT ASSETS AT RISK

Step one in creating a comprehensive security program is a clear understanding of what needs to be protected. This is more than a simple asset inventory list — it involves a deep understanding of Operations Technology (OT) systems, enterprise systems, physical assets, network infrastructure and the dependencies between these components.

A recommended approach is to first identify each component at the various levels, and subsequently define the connection/interface points that represent vulnerabilities to cyber attacks. Examples of these categorizations are listed below.

Once the inventory is complete, defining the dependencies will be the next challenge. What happens if the network is compromised with a security attack? What recovery procedures are required? What if a SCADA system is compromised? Likely scenarios should be defined and appropriate action plans put in place for recovery.

CATEGORIZATIONS

PHYSICAL ASSETS: Plant hardware, from turbines and compressors down to valves and pumps — any asset that is part of the operating environment that might be vulnerable to attack. Many of these assets will be monitored with machine sensors that measure aspects of operation, but even those that are not attached to sensors should be part of the security inventory.

OT SYSTEMS: Industrial Control Systems (ICS), SCADA, Programmable Logic Controllers (PLCs) and Distributed Control Systems (DCS).

ENTERPRISE SYSTEMS: Procurement and financial systems, for example, that are integrated with plant operations environments need to be identified as part of the inventory for security examination.

NETWORK CONFIGURATIONS: Communications devices, routers and lines, firewalls and other devices on the network need to be documented for security purposes.

[Figure: example plant diagram grouped into three layers. PHYSICAL: Gas Turbines, Steam Turbines, Balance of Plant. OT SYSTEMS/ENTERPRISE SYSTEMS: Mark VIe GT Controls, Mark VIe ST Controls, Mark VIe BOP Controls, Mark VIe HRSG Controls, Mark VIe EDS, Mark VIe Utilities Controls, EX2100e Excitation, LS2100e Static Starter, Bently Nevada, Generator Protection Panel, SIL Panel, Water Treatment, CEMS, T & D, GT HMI Thin Client, ST HMI Thin Client, HMI Server (EWS), HMI Server 1, HMI Server 2, Application Software, Historian Gateway, OSM & Onsite Gateway, SecurityST, OpShield, Control Room, Engineering, Mobile use, Wearables. NETWORK INFRASTRUCTURE: Unit Data Highway, Plant Data Highway, Firewall / Router, Customer LAN.]


IMPERATIVE 2: UNDERSTAND THE POTENTIAL CONSEQUENCES

Considering possible consequences of a cyber attack can help establish the baseline for a security strategy. Scenario planning and action responses should be a part of every power OT security profile. The ability to anticipate an attack with a clear understanding of next-step actions can mean the difference between a response with little or no interruption and a full-scale plant shut down with catastrophic consequences.

Categories of scenario planning should include the attack scenarios in the table below.

Targets of the Dragonfly attack were energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. The majority of the victims were located in the United States, Spain, France, Italy, Germany, Turkey and Poland. The attack used spear-phishing, water-holing and Remote Access Trojans.

Cyber attacks were responsible for plunging around half the homes in Ukraine's Ivano-Frankivsk region into darkness for several hours on December 23, 2015.


ATTACK SCENARIO / POTENTIAL CONSEQUENCES

Compromised HMI — Malware Infection: Sets a gas turbine to operate outside of its operating parameters, resulting in a safety 'trip' or damage to the asset.

Denial of Service: Onslaught of network traffic targeting an HMI, resulting in the inability to operate the HMI software.

Stolen Account: A stolen administrative account for a network router could result in 'access control' definitions being changed, allowing unwanted access into the OT controls environment.

Disgruntled Employee: Malicious configuration of command parameters can cause a 'trip' resulting in an unplanned outage.

Ransomware: A type of malware that prevents or limits users from accessing their system and forces victims to pay a ransom through certain online payment methods in order to regain access to their systems, or to get their data back. This malware approach can be disastrous for Industrial Control Systems, preventing the operator from interfacing with a running power plant.

Trojan Malware Packaged in ICS Vendor Software Downloads: Compromised vendor control system download sites are hacked and include malware-infected software updates for download. The customer trusts the source of the software update, downloads the malware-infected package, updates their controls software, and inadvertently introduces malware into their controls environment.


IMPERATIVE 3: DESIGNATE CLEAR LINES OF RESPONSIBILITY

The cyber security ownership issue is one that frequently lands in a nebulous area between the IT and the Operations organizations. However, these organizations generally have differing views of security management that do not necessarily converge into a comprehensive approach that truly protects the plant's systems and assets. While IT counterparts have been focused on protecting data and systems, their role is now expanding to work with OT technologists who must protect mission critical assets and control systems.

An attack on IT could lead to data theft (ones and zeros), while an attack on OT could affect the physical world (people, environment, assets).

IT PERSPECTIVE

Data Is King

IT is about digital information storage, retrieval, transmission, and manipulation. Most businesses want to ensure smooth data flow and integrity. Uptime is important, but does not impart the same business impact as it does for OT.

Gateways Are Everywhere

More gateways mean a larger attack surface. And considering that 60 percent of network traffic is bots, the volume of gateways on a typical enterprise network makes it nearly impossible to keep up.

Patch Tuesdays

Security patching is so commonplace in IT that vendors have a regular weekly release day. Vulnerabilities are easy for attackers to find because of the dynamic nature of IT environments.

Confidentiality Is Priority #1

In order of importance, priorities are: confidentiality, integrity and availability (the CIA triad). Businesses and consumers expect financial, medical and personal data to remain private.

OT PERSPECTIVE

Process Is King

OT is about process control — eliminating outages and unplanned downtime. While some IT systems have similar concerns (e.g., online commerce systems), OT is especially focused on uptime because of its importance to business outcomes.

Fewer Gateways

Fewer gateways, fewer avenues for attackers to pursue. The key is reinforcing armaments at those known gates, moats, and tunnels from the start.

No Patch Schedule

No matter what, security cannot make critical infrastructure less available or reliable. In fact, it cannot have any negative impact — no disruptions, no slow downs — on the real-time and deterministic operation of critical infrastructure.

OT: Control Is Priority #1

In OT, an additional priority tops the list, while the rest are flip-flopped. The new order: control, availability, integrity, and confidentiality. Control equates to safety because loss of control could have dire consequences.

BEST PRACTICE

• Assign a Security Officer who spans both IT and OT organizations

• Security decisions should focus on operational priorities — control, availability, integrity and confidentiality

• IT and OT can no longer be siloed functions. Focus first on identity and access control, asset management, and change management

• Develop a cross-organizational source for understanding emerging cyber threats

62%: Respondents from a 2015 Gartner survey who ranked 'reduced cybersecurity risk' as the top issue when asked about the importance of IT and OT alignment benefits.

— Gartner, December 22, 2015. Survey Analysis: Progressing to a Digital Business Future Through IT/OT Transformation (n=352), Analyst: Kristian Steenstrup


IMPERATIVE 4: LOCK DOWN OT SYSTEMS WITH THE RIGHT TOPOLOGY & PROTECT WITH INTRUSION DETECTION

Do you have remote access to your ICS environment? If so, how is that monitored and protected?

Protecting Industrial Control Systems (ICS) from outside attacks can be especially troublesome when network environments allow internet access. However, it's unrealistic to operate today without the benefit of access to the Internet and to other internal systems. Therefore, the right configurations must be applied to protect this especially vulnerable area for OT systems. IT systems are typically fortified at the edge of the Internet with firewalls, proxy servers and intrusion detection services. However, within the corporate environment, sub-networks exist with much looser security barriers, due to the system and data sharing requirements between departments.

THE OT ENVIRONMENT requires much stronger vigilance to protect against attacks that might come from the Internet:

• The ICS should exist within its own network environment, with no direct access to the Internet allowed from that network.

• The ICS network should be separated from the rest of the corporate network via technologies (firewalls, DMZ) that severely limit traffic to specifically designated flows.

• User access to the OT network environment should be controlled and examined frequently to ensure that only those that require access are allowed access. Access lists should be reviewed at regular intervals by senior management — extraneous access and departed employees should be removed immediately.

• Traffic within the ICS network needs to be monitored closely with sophisticated intrusion detection capabilities to identify any suspicious activities.
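As an added example (not from GE or the fact sheet), the following script checks a constructed firewall ruleset and ICS access list against the requirements just listed: no direct Internet path to or from the ICS zone, ICS traffic crossing only through the DMZ on explicitly named services, and access entries reviewed on schedule with departed employees removed. The zone names, rule fields, review interval and sample data are all assumptions.

```python
"""Audit a constructed ICS network policy against the four requirements above."""
from datetime import date

# Assumed zone names; a real policy would map these to address ranges.
ICS, DMZ, CORP, INTERNET = "ics", "dmz", "corp", "internet"
REVIEW_INTERVAL_DAYS = 90  # assumed review cadence for the OT access list

def audit_firewall(rules):
    """Return findings for permit rules that break ICS isolation.
    Each rule: dict(src, dst, port, action); port is an int or 'any'."""
    findings = []
    for r in rules:
        if r["action"] != "permit":
            continue  # explicit denies are what we want to see
        zones = {r["src"], r["dst"]}
        if ICS in zones and INTERNET in zones:
            findings.append(f"direct Internet path: {r}")
        elif ICS in zones and DMZ not in zones:
            findings.append(f"ICS reachable without DMZ hop: {r}")
        elif ICS in zones and r["port"] == "any":
            findings.append(f"ICS rule not limited to a specific service: {r}")
    return findings

def audit_access(entries, departed, today):
    """Return findings for access entries to remove or re-approve.
    Each entry: dict(user, role, last_reviewed: date)."""
    findings = []
    for e in entries:
        if e["user"] in departed:
            findings.append(f"departed employee still has access: {e['user']}")
        elif (today - e["last_reviewed"]).days > REVIEW_INTERVAL_DAYS:
            findings.append(f"access not reviewed in {REVIEW_INTERVAL_DAYS} days: {e['user']}")
    return findings

# Constructed sample policy and access list (not from any real plant).
SAMPLE_RULES = [
    {"src": CORP, "dst": ICS, "port": "any", "action": "permit"},    # bypasses the DMZ
    {"src": ICS, "dst": INTERNET, "port": 443, "action": "permit"},  # direct Internet path
    {"src": DMZ, "dst": ICS, "port": 5001, "action": "permit"},      # assumed historian port: OK
    {"src": DMZ, "dst": ICS, "port": "any", "action": "permit"},     # too broad
    {"src": ICS, "dst": INTERNET, "port": "any", "action": "deny"},  # explicit deny: fine
]
SAMPLE_ACCESS = [
    {"user": "opsA", "role": "operator", "last_reviewed": date(2016, 8, 1)},
    {"user": "engB", "role": "engineer", "last_reviewed": date(2016, 2, 1)},
    {"user": "ctrC", "role": "contractor", "last_reviewed": date(2016, 8, 1)},
]
SAMPLE_DEPARTED = {"ctrC"}   # constructed HR leaver list
SAMPLE_TODAY = date(2016, 9, 1)

if __name__ == "__main__":
    for f in audit_firewall(SAMPLE_RULES) + audit_access(SAMPLE_ACCESS, SAMPLE_DEPARTED, SAMPLE_TODAY):
        print("FINDING:", f)
```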

[Figure: reference topology with two zones, DEMILITARIZED ZONE (DMZ) — OUTER PERIMETER and OT CONTROL ENVIRONMENT. Labelled elements: Customer Corporate Network, Remote Monitoring Services, Operator Interface, Gateway, Non-Essential Site Operations, RSG, OSM; each boundary crossing is labelled Secure.]


IMPERATIVE 5: KEEP CURRENT ON RECOMMENDED CYBER SECURITY BEST PRACTICES

Understanding the assets that need to be protected and putting in place the right network environment is only the beginning. Constant vigilance and updated policies and procedures are the best protection against cyber disruption. Keeping current with cyber techniques and current attack alerts should be the primary responsibility of the designated security officer. However, every employee needs to be armed with the tools for maintaining the company's security profile.

Best practices for maintaining a continuously protected environment include:

• Keep software and firmware up-to-date with timely patch updates.

• Hire an external cyber security company to perform site evaluations, threat modeling, and penetration testing to evaluate systems.

• Engage an automated patch system for critical ICS — so that manual update schedules aren't a barrier.

• Participate in security communities focused on business environments to stay current on trending attacks and best practices.

• Monitor critical systems for security related events and anomalies. Transition from a reactive to a predictive security program.

• Educate operations and IT personnel on a regular basis on new attack mechanisms so that they can act as watchful eyes across physical and system landscapes.

RESOURCES

• PROTECTING CRITICAL INFRASTRUCTURE

• CATCHING UP WITH THE NIST CYBER SECURITY FRAMEWORK

• THE INDUSTRIAL CONTROL SYSTEMS CYBER EMERGENCY RESPONSE TEAM


SETTING A COMPREHENSIVE SECURITY STRATEGY

Answering the questions from the Department of Homeland Security is an excellent way to begin thinking about an OT security strategy. When constructing an approach, GE recommends identifying and initiating the following stages along a security maturity model, with clear actions outlined for a power business environment:

Stage 1: Assess

Identify immediate security issues that can impact operations, even if the environment is thought to be “air gapped.” Common findings from expert assessments include unapproved wireless access points or unsafe software — vulnerabilities that attackers can easily exploit. Many immediate issues can be fixed quickly to reduce cyber threat risk.

Stage 2: Protect

Implement security monitoring and defensive layers to comply with standards and strengthen the security posture. Lower the risk of security exploits by using technical solutions, such as purpose-built industrial control security equipment. Set up automation and patch management tools to simplify and expedite security administration. Training is mandatory for operations safety, so implement the same for security. Train teams on what to look for and how to respond to cyber activities.

Stage 3: Prevent

For sophisticated organizations, pursue proactive and predictive security measures such as running attack scenarios on cloud-collected data. “Digital twins” can replicate operating environments and simulate defenses to measure threat impact and improve security. Regular assessments and security health checks can monitor dynamic environments.

Across all stages, it is critical to maintain a constant vigilance to ensure basic security hygiene is implemented and cyber security policies are enforced.

GE CAN HELP: GE CYBER SECURITY PORTFOLIO

SECURITY ASSESSMENT SERVICES: A portfolio of professional services to assess cyber security risk and prioritize remediation action, as well as specialized NERC CIP and IEC 62443-2-4 compliance services.

OPSHIELD: A purpose-built IDS/IPS security solution designed to protect critical infrastructure, control systems and operational technology (OT) assets.

SECURITY ST: A centralized security management solution for turbine, plant, and generator controls environments.

CYBER SECURITY TRAINING: A comprehensive portfolio of security training courses for critical infrastructure and Industrial Control Systems (ICS) to increase staff knowledge and awareness.


YOUR SECURITY PARTNER IN THE INDUSTRIAL WORLD

GE brings over 60 years of experience in developing advanced control systems with detailed knowledge of power environments. Whether retrofitting pre-existing environments and equipment, or mapping to new digital power plant footprints, GE security professionals can identify, manage and reduce cyber risk.

TO LEARN MORE

For more information on Cyber Security imperatives, go to: www.ge.com/digital/power

Sources:

1. Bayar, T. (2014, Oct. 14). Cybersecurity in the power sector. Power Engineering International, Vol. 22/#9.

2. NERC CIP 2013 Reliability Report: http://www.nerc.com/pa/RAPA/PA/Performance%20Analysis%20DL/2013_SOR_May%2015.pdf

3. Barron-Lopez, L. (2014, Jul. 15). Cyber threats put energy sector on red alert. TheHill.com