CRITICAL INFRASTRUCTURE PROTECTION…
A LAYERED SECURITY SOLUTION FOR GAS/OIL AND POWER UTILITIES
CRITICAL INFRASTRUCTURE PROTECTION BACKGROUNDER
CIP Industry Overview – Energy Sector
• Regulated
• Large workforce
• 24x365 service delivery
• Sell across geographies
• Complex operational controls & business systems
• Business demands
• Profitability
• Environmental leadership
• Smart grid
Critical Infrastructure Concerns
• Passwords – can be cracked in minutes
• Frequent password changes lead to help desk calls
• Existing physical access controls broken
• Attacks target critical infrastructure
‒ Loss of revenue from outage
‒ Impact to customers from outage
• Malware attacks target SCADA devices with weak security
• Compliance with NERC CIP and the Presidential Executive Order
• Expense of annual compliance audits
CRITICAL INFRASTRUCTURE NETWORKS
Critical Infrastructure Networks (diagram)
• External Access: Internet; Remote Access (VPN); Extended employee access; Other facilities; Smart Grid; ICS Suppliers
• Core Network
• Business Systems (HTTP etc. protocols) and Industrial Control Systems (SCADA protocols)
• Field Systems
Critical Infrastructure Cyber Security Vulnerabilities
“The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.”
February 12, 2013, Barack Obama, President of the United States
• Increased need for connectivity between business and ICS systems
• Desktop malware infection
• Spear-phishing attacks
• Internet-facing ICS systems
http://proxclone.com/reader_cloner.html
• Physical access controls
Malware Is Focused On Stealing Money and IP and Disrupting Infrastructures
• Physical Intrusions
• SQL Injection – identity stolen through injected fields
• MITB / MITM / DDoS – integrity attack: appear as the real identity
• Session Riding / Token Stealing – identity integrity is compromised
• DNS Poisoning – URL identity is compromised
• ZITMO / MITMO – compromising mobile SMS, photos & contacts
• Key Logging – identity & actions compromised
Stealing and Compromising Is Their Key to Doing That
Traditional antivirus and perimeter solutions are necessary but ineffective
DIGITAL IDENTITY
REGULATORY COMPLIANCE
“Cybersecurity is One of the Top Standing Issues facing the Electric Sector over the Next 10 Years”
Federal Energy Regulatory Commission & North American Electric Reliability Corporation
FERC:
• oversees the US interstate transmission and pricing of a variety of energy resources, including electricity, natural gas and oil
• FERC named NERC as the government's Electrical Reliability Organization (ERO), thereby granting NERC the power to oversee and regulate the electrical market
• NERC is the organization that audits power companies and levies fines for non-compliance
NERC:
• oversees and regulates the reliability of the North American electrical grids.
• has the legal authority to enforce reliability standards…in the United States, and make compliance with those standards mandatory and enforceable.
NERC CIP and Identity Based Security
CIP-001: Sabotage reporting
CIP-002: Critical Cyber Asset Identification
CIP-003: Security Management Controls
CIP-004: Personnel and Training
CIP-005: Electronic Security Perimeters
CIP-006: Physical Security (of Critical Cyber Assets)
CIP-007: Systems Security Management
CIP-008: Incident Reporting and Response Planning
CIP-009: Recovery Plans (for Critical Cyber Assets)
CIP-010: Config. Change Mgmt. and Vulnerability Assessments
CIP-011: Information Protection
Identity based security capabilities mapped against these standards:
• Credential Issuance & Revocation
• User and Device Authentication
• Physical Access Control
• Credential Management (workflow & roles; audit controls; credential strength)
Identity Based Security Solution checklist for Critical Infrastructure Protection
Strong authentication for both physical and logical systems
• People; Devices (PC, mobile); Applications; Physical Access
Flexible authenticator support
• Different types of authenticators (use cases are not homogeneous)
• Easily change out authenticators if a compromise occurs
Streamlined credential management
• Across all systems
• Supports roles and separation of duties
• Supports reports and audit trails
Capabilities to defeat advanced malware-based attacks
Addresses deployment considerations
• Users: easy to provision, easy to use, easy to self-recover
• IT: integrates with current business systems
Modular architecture that will grow and expand as threats and compliance needs evolve
WHAT DOES THIS MEAN FOR CRITICAL INFRASTRUCTURE ORGANIZATIONS
Layered Security for CIP
1. Two-factor authentication for remote access
2. Strong authentication for system administrators
3. Strong authentication for employees
4. Secure critical information and communications with encryption
5. SCADA command transaction approval
1. Remote Access
• Utilities must protect network access, as a breach can be severe: require multi-factor authentication
• Passwords
‒ Usability: many passwords to remember, frequent changes
‒ Insecure / easily compromised
• Must seamlessly integrate into the existing IT environment
‒ VPN
‒ Workstation
‒ Directories
‒ Physical access
CIP-005-5 R2.3: Require multi-factor authentication for all Interactive Remote Access sessions
2. Administrator Strong Authentication / Dual Identities
• Prevent "pass the hash" attacks against Administrators by providing two separate identities (credentials)
• One for corporate access and another for server domain access
• Mitigate the pass-the-hash threat by the Administrator not using corporate credentials for server domain access
(Diagram: the Corporate Access and Domain Access credentials each have their own password hash)
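As an added example (not from the deck, and not Entrust code), the following Python flags logons that cross the boundary between the two identities described above. It assumes a naming convention constructed for this example: "adm-" accounts are the separate server-domain identities, "SRV-" hosts are in the server domain and "WS-" hosts are corporate workstations; the log lines are constructed as well. It goes one step beyond the slide by checking both directions: a corporate credential used on a server-domain host, and the complementary case of a server-domain admin credential used on a corporate workstation, where desktop malware could harvest its hash.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed sample logon records (not taken from any real system).
SAMPLE_LOG = """\
2013-02-12T08:01:10Z logon user=jsmith host=WS-0421 type=interactive
2013-02-12T08:05:42Z logon user=adm-jsmith host=SRV-DC01 type=remote
2013-02-12T09:12:03Z logon user=jsmith host=SRV-HIST01 type=network
2013-02-12T09:40:55Z logon user=adm-rlee host=WS-0118 type=interactive
2013-02-12T10:02:17Z logon user=rlee host=WS-0118 type=interactive
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) logon user=(?P<user>\S+) host=(?P<host>\S+) type=(?P<type>\S+)$"
)


def is_admin_identity(user: str) -> bool:
    """Assumed convention: 'adm-' accounts are the separate server-domain identities."""
    return user.startswith("adm-")


def is_server_domain_host(host: str) -> bool:
    """Assumed convention: 'SRV-' hosts belong to the server domain, 'WS-' are workstations."""
    return host.startswith("SRV-")


def parse_logons(text: str) -> list[dict]:
    """Parse the simple key=value logon format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_violations(records: list[dict]) -> list[dict]:
    """Flag logons that cross the credential boundary the dual-identity model relies on."""
    alerts = []
    for r in records:
        admin = is_admin_identity(r["user"])
        server = is_server_domain_host(r["host"])
        if not admin and server:
            reason = "corporate credential used on server-domain host"
        elif admin and not server:
            reason = "server-domain admin credential exposed on corporate workstation"
        else:
            continue  # credential and host tier agree: nothing to report
        alerts.append({"ts": r["ts"], "user": r["user"], "host": r["host"], "reason": reason})
    return alerts


def summarize(alerts: list[dict]) -> Counter:
    """Count alerts per reason, useful for a daily compliance summary."""
    return Counter(a["reason"] for a in alerts)


if __name__ == "__main__":
    found = find_violations(parse_logons(SAMPLE_LOG))
    for a in found:
        print(f'{a["ts"]} {a["user"]}@{a["host"]}: {a["reason"]}')
    print(dict(summarize(found)))
```

On the constructed sample this reports two events: jsmith's corporate account reaching SRV-HIST01, and adm-rlee's server-domain credential being used interactively on a workstation. The same check can run over exported domain controller logon events once the field names are mapped to the regex.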
3. Employee Physical / Logical Security
Diagram labels: NIST certified; Electronic Perimeter; Physical Perimeter; SAML
• Eliminates CIP-007 password complexity requirement
• No password changes
• One-time password as well
• Simultaneous support for legacy & new systems
• CIP-006 defense in depth*: combining card with PIN & biometrics
* FERC Order No. 706, Paragraph 572
4. Securing critical communications
Diagram: Entrust EMS deployed alongside the Email Server, with an optional content scanner, connected to the Internet.
• Deployment Flexibility
• Sending Flexibility
• Delivery Flexibility: Secure PDF; Web Mail Pull / Push; Ad hoc Web push; S/MIME Gateway; S/MIME; OpenPGP
• Mobile Flexibility
• Supporting components: IDG Auth.; Portal Auth.; PKI; SAN / NFS; Archive; AV / AS; Statement Gen.; Alarms / SNMP
5. Critical Transaction Monitoring
1. User initiates online transaction
• Web transactions can be: network access; application access; critical transactions
• SCADA controls under investigation
2. Notification sent "out of band"
3. Transaction details retrieved over secure connection
4. User reviews transaction on phone / tablet
5. Transaction is digitally signed (X.509) and confirmed from mobile
6. Transaction is completed and identity assured
Diagram labels: Authentication Platform; "Compromised with desktop malware?"
5. Critical Transaction Monitoring with Dual Controls
• Dual controls require a second user to approve a transaction
• AKA: maker / checker; dual approvers; dual signatures
• Identity of two distinct approvers is assured
‒ Both initiator and approver
• Transaction confirmation on mobile dramatically simplifies dual controls
• Real time notification to approver
• Simple approval on mobile device (can be digitally signed)
• Speeds up transaction completion
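The out-of-band confirmation flow and the maker/checker dual control from the two slides above, as an added example (not from the deck, and not Entrust's platform code). It is written in Python and uses HMAC with constructed per-user device keys as a stand-in for the X.509 signatures the slide mentions, so it runs without third-party libraries; the DualControlService class, its method names and the sample setpoint command are all assumptions made for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Constructed per-user device keys. They stand in for the X.509 credential enrolled on
# each user's mobile device; HMAC keeps the example free of third-party libraries.
DEVICE_KEYS: dict[str, bytes] = {
    "operator.alice": secrets.token_bytes(32),
    "supervisor.bob": secrets.token_bytes(32),
}


def canonical(details: dict) -> bytes:
    """Canonical encoding of exactly what the phone displays and signs."""
    return json.dumps(details, sort_keys=True, separators=(",", ":")).encode()


def mobile_sign(user: str, details: dict) -> str:
    """Simulates the phone signing the transaction the user reviewed on its screen."""
    return hmac.new(DEVICE_KEYS[user], canonical(details), hashlib.sha256).hexdigest()


@dataclass
class Transaction:
    details: dict                  # the command as recorded by the authentication platform
    initiator: str
    initiator_confirmed: bool = False
    approver: str | None = None


class DualControlService:
    """Maker/checker: the initiator and a distinct approver each confirm out of band."""

    def __init__(self) -> None:
        self.pending: dict[str, Transaction] = {}

    def submit(self, initiator: str, details: dict) -> str:
        """Entry point used by the desktop, which may be running malware."""
        tx_id = secrets.token_hex(8)
        self.pending[tx_id] = Transaction(details=details, initiator=initiator)
        return tx_id

    def out_of_band_view(self, tx_id: str) -> dict:
        """Details pushed to the phone over the separate channel: what was actually recorded."""
        return dict(self.pending[tx_id].details)

    def confirm(self, tx_id: str, user: str, signature: str) -> str:
        """Return the transaction state after this confirmation, or a 'rejected:...' reason."""
        tx = self.pending[tx_id]
        if tx.approver is not None:
            return "rejected:already_completed"
        if user not in DEVICE_KEYS:
            return "rejected:unknown_device"
        if not hmac.compare_digest(mobile_sign(user, tx.details), signature):
            # The signature covers different details than the platform recorded,
            # e.g. the desktop altered the command after the user composed it.
            return "rejected:signature_mismatch"
        if user == tx.initiator:
            tx.initiator_confirmed = True
            return "awaiting_approver"     # self-approval can never complete a transaction
        if not tx.initiator_confirmed:
            return "rejected:initiator_first"
        tx.approver = user                 # second, distinct identity assured
        return "completed"


if __name__ == "__main__":
    svc = DualControlService()
    intended = {"asset": "PUMP-07", "action": "setpoint", "value": 42}  # constructed sample command
    tx = svc.submit("operator.alice", intended)
    print(svc.confirm(tx, "operator.alice", mobile_sign("operator.alice", svc.out_of_band_view(tx))))
    print(svc.confirm(tx, "supervisor.bob", mobile_sign("supervisor.bob", svc.out_of_band_view(tx))))
    # Desktop malware changed the value before submission; the operator signs what was
    # intended, which no longer matches what the platform recorded, so it is rejected.
    tx2 = svc.submit("operator.alice", {**intended, "value": 420})
    print(svc.confirm(tx2, "operator.alice", mobile_sign("operator.alice", intended)))
```

The design point is that the phone signs the details the platform actually recorded, not what the desktop claims was sent, and that completion requires two signatures from two different enrolled identities; the initiator confirming twice leaves the transaction waiting for an approver.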
Look for an Identity Based Security Solution that…
• Secures digital identities and information across the organization
• Provides agility to quickly & easily modify policies or authenticators on the fly
• Deployment flexibility to tie into your IT systems & business
• Future proof to grow with your business needs
THANK YOU