
Page 1: Cyber Security and Power Industry - WEC Finland...Secure the network (using IPSec and SSL/TLS protocols) based on controls defined in Predix hardening standards and related guidelines

Imagination at work

Cyber Security and Power Industry

Lionel Mazzella, Solutions Architect Europe

GE Power Digital

January 2017

GE Proprietary Information—Class III (Confidential) Export Controlled—U.S. Government approval is required prior to export from the U.S., re-export from a third country, or release to a foreign national wherever located.

Page 2

Cyber Security and Today’s Context

Page 3

More and More Connected Devices

• 152M cars connect to the IoT (6 fold increase)
• 26B Internet of Things connected devices
• +1B growth in the installed base of Smart Meters
• 7.3B smartphones and PCs connected

By 2020

• +$300B incremental revenue, mostly in Services
• $1.9T forecasted economic value-add across sectors

Source: Gartner - The Internet of Things, Worldwide, 2013

Page 4

Cyber Attacks on Critical Infrastructure

• 67% of companies with critical infrastructure suffered at least one attack in the past 12 months [1]
• 78% expect a successful exploit of their ICS/SCADA systems within the next two years [1]
• 66% of companies are not ready to address security issues for OT [3]
• 91% of Power Generation organisations have experienced a Cyber Attack [4]
• 38% of reported attacks are against Power & Water [5]
• In 2015: 79,790 security incidents across 61 countries [2]

1: Critical Infrastructure: Security Preparedness and Maturity (July 2014), Unisys and Ponemon
2: Verizon Data Breach Investigations Report 2015, Verizon
3: 2015 Global Megatrends in Cybersecurity, Raytheon and Ponemon
4: Bayar, T. (2014, Oct. 14). Cybersecurity in the power sector. Power Engineering International
5: 2014 ICS-CERT Statistics for Energy and Water

Page 5

Cyber Attacks in Power Industry

• 64% of Power leaders believe their security strategy is not aligned with today’s risk environment [1]
• 31% of Power leaders named security as one of the top concerns in the use of data and analytics [2]
• > 90% of Power leaders say growth is only achieved through enhanced management of risk with strategic adoption of technology

Clear Action Is Needed

• 225K people lost power in the Ukraine from cyber attack (December 2015)
• The Stuxnet worm, targeting SCADA and PLC systems, caused fast-spinning of almost 1/5 of Iran’s nuclear centrifuges

The Stakes Are High

• On average, breaches go undetected for 229 days
• 84% of cyber attacks target application software
• 400% increase in “disclosed” ICS attacks between 2010 and 2012

1. Source: Ernst & Young
2. Source: Industrial Internet Report for 2015, GE and Accenture

Page 6

Top Exposure Categories

Source: GE Cyber Health Checks for Power Customers, Q1 2016, NAM, MEA, APAC

GE Cyber Security Health Check, Q1 2016: 15 Power Sites in North America, Middle East and Asia

Report Summary

• At least one system with a vulnerable OS: 96%
• At least one “dual-homed” system (circumventing firewall): 96%
• At least one system with an expired end-point solution: 92%
• User access practices that do not align to industry best practices: 88%
• At least one system where malware has been detected: 8%
• Effective Cyber Security Monitoring: 0%
• Longest duration since administrator password changed: 12 years
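As an added example (not GE's Health Check tooling or any code from this deck), a small Python audit that applies four of the exposure categories above to a constructed host inventory; the end-of-life OS list, the two firewall-separated zones, the 90-day password policy and the assessment date are assumptions.

```python
# Site cyber health check over a constructed host inventory (added example,
# not GE's Health Check tooling). Flags four exposure categories from the
# report summary: vulnerable OS, dual-homed host, expired endpoint
# protection, stale administrator password. All data below is constructed.
from datetime import date
from ipaddress import ip_address, ip_network

EOL_OS = {"Windows XP", "Windows Server 2003"}  # assumption: unsupported OS versions
# Assumption: firewall-separated zones; a host with NICs in two zones is dual-homed.
ZONES = {"control": ip_network("10.10.0.0/16"), "corporate": ip_network("192.168.0.0/16")}
MAX_ADMIN_PW_AGE_DAYS = 90  # assumption: site password policy
AS_OF = date(2017, 1, 15)  # constructed assessment date

def zone_of(ip):
    """Name of the zone whose subnet contains ip, or 'unknown'."""
    return next((n for n, net in ZONES.items() if ip_address(ip) in net), "unknown")

def check_host(host, today):
    """Return the exposure categories that apply to one host record."""
    findings = []
    if host["os"] in EOL_OS:
        findings.append("vulnerable_os")
    if len({zone_of(ip) for ip in host["ips"]}) > 1:  # NICs in more than one zone
        findings.append("dual_homed")
    if host["endpoint_expiry"] < today:  # endpoint protection licence/signatures lapsed
        findings.append("endpoint_expired")
    if (today - host["admin_pw_changed"]).days > MAX_ADMIN_PW_AGE_DAYS:
        findings.append("stale_admin_password")
    return findings

def site_summary(hosts, today):
    """Findings per host, share of hosts per category, longest admin password age (days)."""
    per_host = {h["name"]: check_host(h, today) for h in hosts}
    cats = ["vulnerable_os", "dual_homed", "endpoint_expired", "stale_admin_password"]
    share = {c: sum(c in f for f in per_host.values()) / len(hosts) for c in cats}
    oldest = max((today - h["admin_pw_changed"]).days for h in hosts)
    return per_host, share, oldest

HOSTS = [  # constructed sample inventory
    {"name": "hmi-01", "os": "Windows XP", "ips": ["10.10.1.5"],
     "endpoint_expiry": date(2015, 6, 1), "admin_pw_changed": date(2004, 3, 1)},
    {"name": "hist-01", "os": "Windows Server 2012", "ips": ["10.10.2.9", "192.168.4.20"],
     "endpoint_expiry": date(2017, 12, 1), "admin_pw_changed": date(2016, 11, 15)},
    {"name": "eng-ws-02", "os": "Windows 7", "ips": ["10.10.3.7"],
     "endpoint_expiry": date(2017, 9, 1), "admin_pw_changed": date(2016, 12, 20)},
]

if __name__ == "__main__":
    per_host, share, oldest = site_summary(HOSTS, AS_OF)
    print(per_host, share, "longest admin password age:", oldest, "days")
```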

Page 7

Cyber Attack Recovery Timeline

Source: Beneath the surface of a cyberattack, Deloitte (2016)

Page 8

GE’s Cyber Security for Power Industry

Page 9

Seven Steps for Effective ICS Defense

In Fiscal Year (FY) 2015, 295 incidents were reported to ICS-CERT, and many more went unreported or undetected.

If system owners had implemented the seven strategies below, 98% of incidents ICS-CERT responded to in FY 2014 and FY 2015 would have been prevented. The remaining 2% could have been identified with increased monitoring and a robust incident response.

• Implement Application Whitelisting – 38%
• Ensure Proper Configuration/Patch Management – 29%
• Reduce your Attack Surface Area – 17%
• Build a Defendable Environment – 9%
• Manage Authentication – 4%
• Monitor and Respond – 2%
• Implement Secure Remote Access – 1%

Page 10

Predix™ Cloud: GE’s IIoT Solution

Diagram: End-to-End Security across the layers Things/Assets, Edge/Connectivity (Predix Edge, Edge Analytics), The Predix Cloud (Cloud Foundry; Assets, Analytics, Data, Security; Data Infrastructure; Digital Twin; Operations; Applications) and Enterprise Systems, with Users, Cloud and IT/OT.

GE’s Cyber Security Solution to protect both IT/OT and the Predix Cloud

Page 11

IT/OT Cyber Security

IT Security is about Data

OT Security is about Critical Assets: Risk and Safety, People, Environment, Equipment, Uptime, Quality and Performance

Page 12

Reducing Exposure to Cyber Risks

GE’s Cyber Security Defense Strategy

Diagram: maturity rises and risk falls from High to Low across three stages.

• Stage 1: Baseline – Measure Attack Surface and Risk. Starting point: tactical, random, with limited visibility. Controls: Health Check, Patch Updates, Personnel Training
• Stage 2: Defend – Defend and Respond. Directed, preventative, and organised. Controls: Intrusion Detection, Whitelist, Blacklist
• Stage 3: Prevent – Responsive, Managed, and Comprehensive; proactive, measurable, continuous improvement. Controls: Event Monitoring, Anomaly Detection, Adaptive Protection

Best Practices: Patch Management, Antivirus, User Training, Whitelisting, Access control, Ports/Services, Physical access

Page 13

GE’s Solution Mapping to CIS Critical Security Controls

Solution Components (table columns): Patch Availability Reporting; Vulnerability Reporting; Inventory Awareness; System Baselining; Ports and Services Auditing; Purpose Built HMI; System Hardening; Next Generation Anti-Malware; Application Virtualisation; Application Containers; Default Configuration Management; Configuration Persistence; Configuration Comparison; Secure User Policies; Managed Authentication; User Policy Enforcement; Log Aggregation; Secure Remote Access; Network Micro-Segmentation; Workload Isolation; HMI / Host Backup and Recovery; Additional documentation, Training & Education

Controls (table rows; each X marks a solution component that supports the control):

ID  Control Description
1   Inventory of Authorized & Unauthorized Devices  X X X
2   Inventory of Authorized & Unauthorized Software  X X X X X X
3   Secure End-User Devices  X X X X X X X X X X X
4   Continuous Vulnerability Assessment/Remediation  X X
5   Controlled Use of Administrative Privileges  X X X X
6   Maintenance, Monitoring & Analysis of Audit Logs  X
7   E-mail and Web Browser Protections  X
8   Malware Defense  X
9   Control of Network Ports, Protocols & Services  X X X
10  Data Recovery Capability  X
11  Secure Configuration of Network Devices  X X
12  Boundary Defense  X
13  Data Protection  X
14  Controlled Access Based on Need to Know  X
15  Wireless Access Control
16  Account Monitoring and Control  X
17  Security Skills Assessment & Appropriate Training  X
18  Application Software Security
19  Incident Response and Management
20  Penetration Tests and Red Team Exercises

Not supported in Baseline Security Centre

Page 14

Cloud Cyber Security

Page 15

Predix™ Cloud: Industrial-Grade Security

The 4 Pillars of Trust

Establish end-to-end security through a comprehensive security strategy that combines security certifications, hardware, software, expertise and best practices.

Page 16

Predix™ Cloud: Industrial-Grade Security

Secure and Certify Operational Infrastructure

Governance and certification are essential components of an Industrial Internet platform that deals with sensitive information.

The Predix Cloud is built on a common infrastructure governance model based on:

• ISO 27001/2
• NIST 800-53
• FIPS 140-2

Predix enables support for more than 60 regulatory and compliance frameworks, including:

• CSA/CCM 3.01
• SOC 2 Type 1 and Type 2
• HIPAA (protects)
• FedRAMP
• Export Controls/ITAR

Bring Operational Availability and Governance with ‘IT’

Platform hardening at every layer and connection to remove unnecessary services, applications, and network protocols, as well as configured OS user authentication and resource controls.

Automated and manual controls are deployed to identify and patch system vulnerabilities.

Provides unified and clean run-time environments for customer workloads.

Developed to comply with:

• ISO27002/01
• SSAE16 SOC 2
• Industry best practices

Page 17

Predix™ Cloud: Industrial-Grade Security

Protect OT/IT in an App Factory Delivery Model

Complete “DevOpsSec” (Development Operations-Security) process for all apps and microservices.

Static and dynamic automated testing help keep new code as clean as possible.

Survey of new microservices arriving into the development area to detect any abnormal or suspicious behaviour.

The possibility of malware making its way into the run-time environment is greatly reduced.

Establish User-Based World for Industrial Apps

Continuous monitoring at every layer, with data loss protection and malware detection from the external networks all the way through to the application or microservice.

Creation of a “heat-map” dashboard for the Predix Security Operations team to protect customers served by Predix.

Guidance for the shared responsibility of the user organisation to implement controls at the application and data layers.

Additional capabilities include:

• Full Security Operations Centre (SOC) and tooling
• Automated isolation and monitoring of incidents
• App-to-app behavioural evaluation
• Chain of custody for data communities

Page 18

Predix™ Cloud Infrastructure Security

The table below lists additional security in place to protect the Predix infrastructure.

• Isolated customer environments: Enable multi-tenancy to ensure that a customer’s business environment and data are hidden from others as needed to ensure privacy.
• OS security: Harden and maintain base OS images for provisioned virtual machines based on Predix hardening standards and related guidelines developed to comply with ISO27002/01 and SSAE16 SOC 2 standards and industry best practices.
• Hardware security: Architect and securely deploy hardware for the infrastructure based on Predix hardening standards and related guidelines developed to comply with ISO27002/01 and SSAE16 SOC 2 standards and industry best practices.
• Secured storage: Provide encrypted block and object storage with associated services.
• Secured data in transit within the cloud network: Secure the network (using IPSec and SSL/TLS protocols) based on controls defined in Predix hardening standards and related guidelines.
• Federated identity management: Use tools that leverage the existing identity stores and remove the burden of identity management. Secure single sign-on (SSO) services for access to Predix.
• Vulnerability and patch management: Test and update software and hardware based on security advisories and regular vendor patch releases, utilising proper change management procedures.
• Monitoring and logging: Actively search for network intrusion, malicious activities, and compliance policy violations that are a threat to the infrastructure; communicate and remediate any incidents.
• Rigorous risk assessments against the cloud infrastructure: Perform penetration testing and compliance scanning to detect any vulnerabilities and compliance violations and quickly remediate them; perform assessments against security controls and procedures.

Page 19

Cyber Security for Industry

Assets, Data, People

A complete Cyber Security Solution for the Industry has to cover Assets, Data and People

Page 20

Thanks for listening