CRITICAL INFRASTRUCTURE PROTECTION… A LAYERED SECURITY SOLUTION FOR GAS/OIL AND POWER UTILITIES


CRITICAL INFRASTRUCTURE PROTECTION BACKGROUNDER

CIP Industry Overview – Energy Sector

• Regulated

• Large workforce

• 24x365 service delivery

• Sell across geographies

• Complex operational controls & business systems

• Business demands

• Profitability

• Environmental leadership

• Smart grid

Critical Infrastructure Concerns

• Passwords – can be cracked in minutes

• Frequent password changes lead to help desk calls

• Existing physical access controls broken

• Attacks target critical infrastructure

‒ Loss of revenue from outage

‒ Impact to customers from outage

• Malware attacks target SCADA devices with weak security

• Compliance with NERC CIP, Presidential Executive Order

• Expense of annual compliance audits

CRITICAL INFRASTRUCTURE NETWORKS

Critical Infrastructure Networks

[Diagram labels: Core Network; Business Systems (HTTP etc. protocols); Industrial Control Systems (SCADA protocols); Field Systems; External Access; Internet; Remote Access (VPN); Extended employee Access; Other Facilities; Smart Grid; ICS Suppliers]

Critical Infrastructure Cyber Security Vulnerabilities

“The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.”

Barack Obama, President of the United States, February 12, 2013

Increased need for connectivity between business and ICS systems

Desktop malware infection

Spear-phishing attacks

Internet-facing ICS systems

http://proxclone.com/reader_cloner.html

Physical access controls

Malware Is Focused On Stealing Money and IP and Disrupting Infrastructures

• Physical Intrusions

• SQL Injection: Identity stolen through injected fields

• MITB / MITM / DDoS: Integrity attack – appear as the real identity

• Session Riding/Token Stealing: Identity integrity is compromised

• DNS Poisoning: URL identity is compromised

• ZITMO / MITMO: Compromising Mobile SMS, Photos & Contacts

• Key Logging: Identity & actions compromised

Stealing And Compromising is Their Key to Doing That

Traditional antivirus and perimeter solutions are necessary but ineffective

DIGITAL IDENTITY

REGULATORY COMPLIANCE

“Cybersecurity is One of the Top Standing Issues facing the Electric Sector over the Next 10 Years”

Federal Energy Regulatory Commission & North American Electric Reliability Corporation

FERC:

• oversees the US interstate transmission and pricing of a variety of energy resources, including electricity, natural gas and oil

• FERC named NERC as the government's Electrical Reliability Organization (ERO), thereby granting NERC the power to oversee and regulate the electrical market

• NERC is the organization that audits power companies and levies fines for non-compliance

NERC:

• oversees and regulates the reliability of the North American electrical grids.

• has the legal authority to enforce reliability standards…in the United States, and make compliance with those standards mandatory and enforceable.

NERC CIP and Identity Based Security

CIP-001: Sabotage reporting

CIP-002: Critical Cyber Asset Identification

CIP-003: Security Management Controls

CIP-004: Personnel and Training

CIP-005: Electronic Security Perimeters

CIP-006: Physical Security (of Critical Cyber Assets)

CIP-007: Systems Security Management

CIP-008: Incident Reporting and Response Planning

CIP-009: Recovery Plans (for Critical Cyber Assets)

CIP-010: Config. Change Mgmt. and Vulnerability Assessments

CIP-011: Information Protection

Credential Issuance & Revocation

User and Device Authentication

Physical Access Control

Credential Management

• Workflow & roles

• Audit controls

• Credential strength

Identity Based Security Solution checklist for Critical Infrastructure Protection

Strong authentication for both physical and logical systems

• People; Devices (PC, mobile); Applications; Physical Access

Flexible authenticator support

• Different types of authenticators (use cases are not homogeneous)

• Easily change out authenticators if compromise occurs

Streamlined credential management

• Across all systems

• Supports roles and separation of duties

• Supports report and audit trails

Capabilities to defeat advanced malware-based attacks

Address deployment considerations

• Users: Easy to provision, easy to use, easy to self-recover

• IT: integrate with current business systems

Modular architecture that will grow / expand as threats and compliance needs evolve

WHAT DOES THIS MEAN FOR CRITICAL INFRASTRUCTURE ORGANIZATIONS

Layered Security for CIP

1. Remote access two-factor

2. Strong authentication for system administrators

3. Strong authentication for employees

4. Secure critical information and communications with encryption

5. SCADA command transaction approval

1. Remote Access

• Utilities must protect network access, as a breach can be severe; require multi-factor authentication

• Passwords

‒ Usability: many passwords to remember, frequent changes

‒ Insecure/easily compromised

• Must seamlessly integrate into existing IT environment

‒ VPN

‒ Workstation

‒ Directories

‒ Physical access

CIP-005-5 R2.3: Require multi-factor authentication for all Interactive Remote Access sessions

2. Administrator Strong Authentication / Dual Identities

• Prevent “pass the hash” attacks against Administrators by providing two separate identities (credentials)

• One for corporate access and another for server domain access

• Mitigate the pass-the-hash threat by having the Administrator never use corporate credentials for server domain access

[Diagram labels: Hash; Corporate Access; Domain Access]

3. Employee Physical / Logical Security

NIST certified

• Eliminates CIP-007 password complexity requirement

• No password changes

• One-time-password as well

Electronic Perimeter

• Simultaneous - legacy & new systems

• CIP-006 defense in depth* combining card with PIN & biometrics

Physical Perimeter

SAML

* FERC Order No. 706, Paragraph 572

4. Securing critical communications

[Diagram: Entrust EMS, Email Server, Optional Content Scanner, Internet. Panel titles: Deployment Flexibility; Sending Flexibility; Delivery Flexibility; Mobile Flexibility. Labels: Secure PDF; Web Mail Pull / Push; Ad hoc Web push; S/MIME Gateway; S/MIME; OpenPGP; Web Mail Pull; IDG Auth.; Portal Auth.; PKI; SAN / NFS; Archive; AV / AS; Statement Gen.; Alarms / SNMP]

5. Critical Transaction Monitoring

1. User initiates online transaction

Web transactions can be:

• Network access

• Application access

• Critical transactions

SCADA controls under investigation

Transaction details retrieved over secure connection

User reviews transaction on phone / tablet

Notification sent “Out of Band”

Transaction is completed and Identity Assured

Transaction is digitally signed and confirmed from mobile (X.509)

Compromised with desktop Malware?

Authentication Platform

5. Critical Transaction Monitoring with Dual Controls

• Dual controls require a second user to approve a transaction

• AKA: Maker / checker; Dual approvers; Dual signatures

• Identity of two distinct approvers is assured

‒ Both initiator and approver

• Transaction confirmation on mobile dramatically simplifies dual controls

• Real time notification to approver

• Simple approval on mobile device (can be digitally signed)

• Speeds up transaction completion
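
The maker / checker rule above, sketched as an added example (not code from the original slides or from any vendor product): a command is released only when two distinct identities have signed the same transaction details. HMAC-SHA256 stands in for the X.509 signatures the slides mention, and the user names, keys and command fields are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo keys, one per enrolled user's mobile device. HMAC-SHA256 is a
# stand-in for X.509 signatures so the example needs only the standard library.
DEVICE_KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}


def canonical(txn):
    """Serialize deterministically so every party signs identical bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def sign(user, txn):
    """What the user's mobile device does after the user reviews the details."""
    return hmac.new(DEVICE_KEYS[user], canonical(txn), hashlib.sha256).hexdigest()


def verify(user, txn, signature):
    """Check a signature against the transaction the server is about to execute."""
    key = DEVICE_KEYS.get(user)
    if key is None:  # unknown identity: never accepted
        return False
    expected = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def authorize(txn, initiator, init_sig, approver, appr_sig):
    """Return (allowed, reason) for a command under maker / checker dual control."""
    if initiator == approver:
        return False, "approver must be a different identity than the initiator"
    if not verify(initiator, txn, init_sig):
        return False, "initiator signature does not match the transaction"
    if not verify(approver, txn, appr_sig):
        return False, "approver signature does not match the transaction"
    return True, "approved by two distinct identities"


# Constructed sample command; the field names are hypothetical.
TXN = {"id": "txn-0001", "target": "breaker-12", "action": "open"}

if __name__ == "__main__":
    print(authorize(TXN, "alice", sign("alice", TXN), "bob", sign("bob", TXN)))
    # A command altered after the approver signed fails verification.
    altered = dict(TXN, target="breaker-99")
    print(authorize(altered, "alice", sign("alice", altered), "bob", sign("bob", TXN)))
```

Because both signatures cover the canonical transaction bytes, a command changed on a compromised desktop after approval no longer verifies.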

Look for an Identity Based Security Solution that…

Secures digital identities and information across the organization

Provides agility to quickly & easily modify policies OR Authenticators on the fly

Offers deployment flexibility to tie into your IT systems & business

Is future-proof to grow with your business needs

THANK YOU