Cybersecurity Best Practices

Cybersecurity

© 2019 AVEVA Group plc and its subsidiaries. All rights reserved.

Presented By: Tom Gallagher, Head of Quality and Cybersecurity


Speaker’s Introduction

Tom Gallagher

• Head of Quality and Cybersecurity at AVEVA

• Works with DHS, ICS-CERT, and other government agencies

• B.S. in Computer Information Systems

• Advanced CEH training


Agenda


Cybersecurity Overview

Risk Analysis and Management

Improving Operational Technology Security

Recommended Actions

Conclusions

Resources


Cybersecurity Overview

AVEVA’s Cybersecurity Program


2019 Threat Landscape

• 90% of OT Organizations represented in study have experienced at least one damaging cyberattack over past two years.

• Large companies suffering annual losses of nearly $500K

• Majority reported between 2 and 4 incidents in the past year

• 67% wish to keep up with sophistication and stealth of attackers

• 60% worry about an attack against OT infrastructure

• The Global Average cost of a breach has increased by 6.4% over the previous year to $3.86M

• The average cost for each lost or stolen record containing sensitive or confidential information is up 4.8% year over year to $148


OT/ICS Security & Cost of a Data Breach Study by Ponemon

References: 2017 Kaspersky Report on OT/ICS Security & 2018 Cost of a Data Breach Study by Ponemon & 2019 Cybersecurity in Operational Technology by Ponemon


AVEVA’s Security Goals and Objectives

• Keep our Customers Secure

• Improve the Security Posture of our products.

• Increase Security knowledge of R&D Engineers.

• Enable rapid response to issues (CERT).

• Security Process Compliance

• ISASecure SDLA certified processes.

• Define KPI’s to measure results.

• Quality Management System (QMS) provides Governance.

• Increase Security Awareness

• Across organizational functions in all Business Units.

• Ensure Security Requirements are defined.

• Build Security into Architectures.


Security Development Lifecycle

• All Software R&D teams follow our ISASecure® SDLA Certified Process.

• We have aligned our Security Development Lifecycle with the IEC 62443 standard and our Agile/Lean development practices.

• The Quality Management System (QMS) and Security Development Lifecycle (SDL) provide governance across the software business.

• All product teams have assigned Security Advisors.


Security Training

• Security Training is mandatory and provided to:

• Dev Engineers

• Test Engineers

• Architects

• Dev/QA Managers

• Team Members have annual security training goals aligned with product technologies.

• Any new teams and/or team members are trained in Security.

• We use Microsoft, Team Professor, and Pluralsight training.


Security Tools

Automated, Secure Build Systems

• Modern compiler versions with security options enabled

• Digital Signing of all Binaries and Installs

Static Code Analysis

• CheckMarx

• Visual Studio Code Analysis (FXCop)

• Binscope

• White Source (Open Source scans)

Security Rules

• CWE-SANS Top 25

• OWASP Top 10

Other Tools

• MS Threat Modeling

• Attack Surface Analyzer

• Nessus Scanner

• Cylance Protect

• Wurldtech Achilles

• beSTORM

• Burpsuite

• Arachni

• CSET


Threat Models

Example Product Threat Model

▲ Threat Modeling is a structured approach to analyze the security architecture of the product and identify potential threats that may impact the system.

▲ We use Threat Models to develop specific product security tests (e.g. fuzz and penetration tests).

▲ Reviewed and updated as needed every product release.

▲ We have regular Threat Modeling Workshops with Microsoft.


Incident Response and Management

• We have a defined response process that is aligned with ISO/IEC 30111 Standards.

• Response process includes:

• Investigation, Validation, and Triage of issue.

• We use Common Vulnerability Scoring System (CVSS) to rank issues as Low, Medium or High based on their CVSS base scores.

• Communication with ICS-CERT.

• If necessary, a software patch plan is developed.

• Security Bulletins, Distributor and Customer alerts, and public announcements as warranted.

• The working procedures are documented within our Quality Management System (QMS).

• Our Vulnerability Management Policy is available for review online at: http://www.schneider-electric.com/en/download/document/Vuln_Mgmt_Policy/


Cloud Product Security

• Physical Security

• Azure regional datacenters are protected by layers of defense-in-depth security

• Information Security

• Azure provides in-transit and at-rest data encryption

• Azure Key Vault protects keys, secrets and certificates

• Azure Virtual Networks and Network Security Groups

• Threat management and intrusion detection

Azure and AWS Hosting

© 2018 AVEVA Solutions Limited and its subsidiaries. All rights reserved.

• Azure Certifications

• ISO/IEC 27001, 22301, 27017 and 27018

• CSA Star Gold

• SOC 1, SOC 2 and SOC 3.

• And many others…


AVEVA Security Highlights and Certifications

Capabilities that Differentiate Our Products


• Azure DevOps

• Global R&D AD Federation

• CI/CD Pipelines

• DevSecOps

• Azure Security Center

• AWS CloudTrail

• SAST/DAST/IAST

• Cloud Security

• Cloud Security Alliance

• SOC 2 Audit Reports

• Pursuing ISO 27001


Risk Analysis and Management

How to Identify, Analyze, and Describe Risks


NIST Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity

The Framework guides you to correct outcomes through the five basic functions.

Framework Core

• Identify

• Protect

• Detect

• Respond

• Recover


Identify Risks to Assets

• Identify the risks to the OT environment

• Consider vulnerabilities of what you have and how they may be exploited, by whom, and what would be the impact of a successful attack

• Asset Discovery and Identification

• Physical assets are inventoried through both technology and manual processes to locate and identify all assets aligned with OT, including RTUs, PLCs, IEDs, users, applications, switches, routers, firewalls and security devices

• Identify the protocols in use across the field infrastructure

• Logical aspects include organizational structure


Review Network and Computer Security


Vulnerability Assessment

• Focus

• Through internal or external resources and tools, investigate the system for vulnerabilities:

• Open ports, unneeded services, weak or default passwords, USB access, clear text communication or tool usage, weak access control definitions

• Consider not just technology, but also environmental vulnerabilities

• Hurricanes, flooding, terrorist attacks, severe thunderstorms, etc.

• Consider physical access at facilities across your infrastructure


How Vulnerable are the Systems?

• Tools

• NESSUS, OpenVAS, NMAP, Cisco, etc.

• Active versus Passive system interaction within a production environment


Threat Assessment

• Identify the Threat Actors

• External: Script Kiddies, Darknet Criminals, Nation States

• Internal: Disgruntled Worker, Careless Worker, Dedicated Worker


• Identify the Attack Vectors that could be used

• Phishing, Ransomware, Advanced Persistent Threat, Process Attacks

• Physical Security, Rogue Network Devices, Severe Weather


Risk Assessment

Quantifying Risk in order to Prioritize Improvements

• Take the information created in prior steps and combine to perform a risk analysis

• Components of Risk

• Situation: Specifies how a vulnerability exploitation could happen, for example a fire in the control room or a password being compromised

• Threat/Vulnerability: Designates the source of the threat and combines with the vulnerability, for example the same vulnerability could exist as both an internal and external threat

• Area: Specifies the security control area to which the risk pertains, for example Policy, Process, or Technical

• Remediation: Corrective actions that would mitigate the identified risk

• FAIR by the Open Group is an example of a recognized Value at Risk Framework


Quantitative Risk Assessment

Quantifying your Risk

| Situation | Threat/Vulnerability | Asset (Value) | Vulnerability (Likelihood) | Threat (Impact) | Risk (Valuation) | Area | Remediation |
|---|---|---|---|---|---|---|---|
| Users accessing data that is not within their role and responsibility | Internal / Access Control | $1,000,000 | 20% | 50% | $100,000 | Technical | Implement a robust role based access control paradigm that leverages Active Directory and is used to control data access universally |
| Passwords easily compromised | External + Internal / Weak Passwords | $500,000 | 30% | 50% | $75,000 | Policy | Establish a password policy aligned to NIST’s best practices for critical sites |

• Quantitative

Risk = Asset * Vulnerability * Threat

Where:

Asset is the dollar value of the asset at risk

Vulnerability is the likelihood of it happening (0-100%)

Threat is the impact of the threat, High (100%), Medium (50%), Low (10%)
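The quantitative method above applied to a small risk register, as an added example that is not part of the original presentation: it uses the slide's formula and impact tiers, reproduces the two table rows, and ranks the entries so remediation can be prioritized. The third register entry and all class, function and field names are constructed for illustration.

```python
from dataclasses import dataclass

# Impact tiers as given on the slide: High (100%), Medium (50%), Low (10%).
IMPACT_PCT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass(frozen=True)
class RiskEntry:
    situation: str
    asset_value: int      # Asset: dollar value of the asset at risk
    likelihood_pct: int   # Vulnerability: likelihood of it happening, 0-100
    impact: str           # Threat: "High", "Medium" or "Low"
    area: str             # security control area: Policy, Process or Technical

    def __post_init__(self):
        # Reject inputs the slide's definitions do not allow, so a typo in
        # the register cannot silently inflate or hide a risk.
        if self.asset_value < 0:
            raise ValueError("asset value must not be negative")
        if not 0 <= self.likelihood_pct <= 100:
            raise ValueError("likelihood must be between 0 and 100 percent")
        if self.impact not in IMPACT_PCT:
            raise ValueError(f"impact must be one of {sorted(IMPACT_PCT)}")

    def risk(self) -> float:
        """Risk = Asset * Vulnerability * Threat, in dollars."""
        return self.asset_value * self.likelihood_pct * IMPACT_PCT[self.impact] / 10_000


def prioritize(register):
    """Return (entry, risk, share of total risk), highest risk first."""
    total = sum(e.risk() for e in register)
    ranked = sorted(register, key=lambda e: e.risk(), reverse=True)
    return [(e, e.risk(), e.risk() / total if total else 0.0) for e in ranked]


def risk_by_area(register):
    """Sum the risk valuation per security control area."""
    totals = {}
    for e in register:
        totals[e.area] = totals.get(e.area, 0.0) + e.risk()
    return totals


# The first two entries are the rows of the slide's table (50% impact is the
# Medium tier). The third entry is constructed for this example.
REGISTER = [
    RiskEntry("Users accessing data that is not within their role and responsibility",
              1_000_000, 20, "Medium", "Technical"),
    RiskEntry("Passwords easily compromised", 500_000, 30, "Medium", "Policy"),
    RiskEntry("Removable media used on operator workstations (constructed)",
              250_000, 40, "Low", "Process"),
]

if __name__ == "__main__":
    for entry, risk, share in prioritize(REGISTER):
        print(f"${risk:>10,.0f}  {share:6.1%}  [{entry.area}] {entry.situation}")
    print(risk_by_area(REGISTER))
```
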


Risk Assessment

Describing the Risk

• Qualitative

• Leverage experience to quantify the probability of a risk occurring

• Valuation: Very High, High, Moderate, Low, Very Low

| Situation | Threat/Vulnerability | Asset (Value) | Vulnerability (Likelihood) | Threat (Impact) | Risk (Valuation) | Area | Remediation |
|---|---|---|---|---|---|---|---|
| Users accessing data that is not within their role and responsibility | Internal / Access Control | Very High | Low | Moderate | High | Technical | Implement a robust role based access control paradigm that leverages Active Directory and is used to control data access universally |
| Passwords easily compromised | External + Internal / Weak Passwords | High | Moderate | High | High | Policy | Establish a password policy aligned to NIST’s best practices for critical sites |


Risk Assessment

• Qualitative Versus Quantitative

• Begin Simple and build your risk models over time

• Strive for incremental improvements

• Results will help to justify the changes you need to implement

• Clearly document budget impacts

• Consider Dollars, Resources, and Technology

• Clearly State ROI


Using this information to drive Change


Improving Operational Technology Security


Vulnerability Management Program

Framework for Managing Vulnerability

A continuous process to identify, assess, and correct system vulnerabilities.

Execute on a monthly basis, reducing vulnerabilities based on prioritized risk.

VMP (cycle diagram):

• Scan Assets for Vulnerabilities

• Assess and Rank the Identified Risk

• Remediation

• Validate Corrective Actions

• Preparation


Vulnerability Management Program

• IT and OT are increasingly becoming more aligned with technology and processes.

• A focused means to collaborate

• The OT group responsible for the safe operation of the assets

• The IT/Security groups responsible for managing, patching, and ensuring the secure operation of IT assets

• Objective: Maintain the security of the infrastructure while respecting the unique needs and demands of the OT space

• Provides a practical framework to create and maintain a secure operating environment

• Iterative Progress and Continuous Improvement is Key to Success


Shared Program between IT/OT/Security


Security Controls

• Security Controls are the safeguards/countermeasures prescribed for information systems or organizations and are designed to:

• Protect the confidentiality, integrity, and availability of information that is processed, stored, and transmitted by those systems/organizations

• Satisfy a set of defined security requirements.

• Questions to Ask:

• What Controls are needed to satisfy the security requirements to mitigate risk?

• Have the security controls been implemented or is there a plan in place?

• What is the desired or required level of assurance that the selected security controls, as implemented, are effective in their application?


NIST 800-53 r4 – Security Controls and Assessment Procedures for FIS and Organizations

MP – Media Protection

IR – Incident Response

AT – Awareness and Training

AC – Access Control

IA – Identification and Authentication


Recommended Actions


Guidance for Customers


Architectural Concepts

• Implement the system in layers

• Protect segments with NG Firewalls

• Data flows from more secure to less secure

• When using VLANs, do not use default LAN 0

• Model dataflows to identify flow risks between system components

• Secure Data in Motion and At Rest

• Consider Certificate Management

• IT and OT Convergence, IIoT, Digital Transformation Impacting Traditional Model

Defense in Depth and a Secure Infrastructure

Purdue ICS Model

Cloud


System Management

• User Management

• Inter- and Intra-Domain User Management

• Align as part of a comprehensive Role Based Access Control (RBAC) model

• Least Privilege as the guiding principle

• Group Policy Configuration

• DO NOT expect to use a typical IT GPO configuration within an OT system

• Review and apply Microsoft’s recommended baseline GPOs

• https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines

• Review and apply the recommended Center for Internet Security (CIS) GPOs

• https://www.cisecurity.org/benchmark/microsoft_windows_server/

• Change default passwords, disable unneeded services, block/remove ports, remove unneeded software

Baseline Recommendations


Asset Management

• A fundamental requirement for a VMP is knowing the details of what is on your network

• Includes Versions of software, what is supported, along with valid configurations

• A formal tool is recommended to perform this functionality

• Document all components that comprise the OT environment, including field devices, routers, firewalls, switches, VPNs, wireless devices, IDS/IPS, servers, workstations, BYOD, phones

• Include Production, Test and Development, Engineering, Training, IDMZ/DMZ/DSS

• Include all sites, LAN Configuration, WAN configuration, Web Interactions

• Regularly scan and review the network to ensure no unexpected additions/removals/changes


Knowing what is on your network


Patch Program

• Use a Test Environment to validate all patches, updates, and upgrades prior to deployment

• Consider risk

• Implement the program in Phases

• Start with common/baseline systems

• Move to more complex systems, one-offs, and legacy

• Coordinate the monitoring and update process across those responsible

• Minimize the amount of software to be monitored and managed

• Consider how updates are installed and managed along with who may do it

• Align with Asset Management


Updates of Software and Firmware


System Protections

• Antivirus, Antimalware

• Traditional Signature Based

• Algorithmic, Machine Learning, AI

• Process Monitoring for Branching and Behavior

• Intrusion Detection System / Intrusion Prevention System

• Use of an IPS is not recommended for control networks

• Consider effect of monitoring to ensure that performance is not negatively impacted

• Firewalls

• Host-Based, Network-Based, NextGen

• Whitelisting

Means of Protecting From and For Detecting Exploitations


Policy, Monitoring and Reporting

• Policy

• Formal definition of rules and procedures for all people accessing and using the computing environment

• Include topics such as Passwords, User Exit, Data Disposal, Equipment Disposal, Reporting, etc.

• Monitoring and Reporting

• Consider centrally monitoring the security state of the OT system through a Security Information and Event Management (SIEM) system

• Establish policies for regular reporting and auditing of the security environment


Guiding Principles and Demonstratively Showing Compliance


Incident Response (IR)

Response Process

• Preparation

• Identification

• Containment

• Eradication

• Recovery

• Lessons Learned

Roles & Responsibilities

• Incident Response Manager: Oversees the team and directs their response actions

• Security Analyst (Triage & Forensic): Performs the work associated with the cyber incident

• Triage – analyzes intrusion warnings, removes false positives

• Forensic – captures and analyzes data related to incident

• Threat Researchers: Provide threat analysis, threat research, provide incident context

• Cross-Functional Support: Works with other organizations (e.g. IT, HR, Exec) to handle optics, etc.


Business Continuity / Disaster Recovery

• Strategic - Business Continuity Planning

• The process to create a plan that defines how the business will continue to provide its services in case of a disaster.

• Tactical - Disaster Recovery

• Process to Recover the business activities after a disaster occurs.

• Validation - Test the Plans

• Teams should meet and exercise these plans


Two Sides of the Same Coin

BSP/SM/DR (Investor’s Business Daily, 2018)


Business Continuity / Disaster Recovery

Roadmaps for Planning, Recovery, Validation

Business Continuity Planning

• Determine Scope of the Plan

• Document Key Business Areas

• Identify Dependencies

• Determine Acceptable Downtime

• Recovery Plan for each Area or Function

Disaster Recovery

• Roles and Responsibilities

• Communications

• Equipment

• Preventative or Preparatory Activities

• Document Budget

Plan Validation

• Table Top Exercises

• Structured Walkthrough

• Disaster Simulation Testing


Training and User Education

• Establish an organization-wide training program

• Leverage online to make it as practical as possible

• Roll out in phases

• Require annual refresher courses

• Require new employees to take as part of on-boarding process

• Training topics include

• Relevant Policies

• Awareness of malware tactics, e.g. Phishing emails

• Clearly define how to respond to suspicious activities


Educate and Motivate


Conclusions


Takeaways

• Security is NOT a destination but a journey

• Improving your Security Posture will be challenging and will require investment in time, dollars, and resources

• Do NOT attempt to boil the ocean, you will be overwhelmed and fail

• Look for continuous and incremental improvements

• Monitor, Audit, Measure, and Report on progress

• Cooperation is critical

• IT

• Vendors


Key Messages and Parting Thoughts


Takeaways

• Plan, Plan, Plan – Do not leave to chance

• It is critical to have a Business Continuity / Disaster Recovery Plan in place

• Use the provided strategic concepts to help you frame the discussion with your executives

• Need to bring budget implications along with cost of keeping the status quo

• Educate and Motivate

• You are not alone and there are numerous standards and resources available to help!


Key Messages and Parting Thoughts


Moving Forward

• AVEVA is committed to keeping our customers secure.

• We will continue our focus on product Cybersecurity SDL, Tools, and Practices.

• We will continue to evolve our products with the latest technology to enable customers a secure experience with our product offerings.


Resources


Resources

• NIST Framework for Improving Critical Infrastructure Cybersecurity

• https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

• NIST 800-53 r4, Security Controls

• https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

• https://nvd.nist.gov/800-53/Rev4 (Online Version of Control Families, Very Helpful)

• NIST 800-61 r2, Computer Security Incident Handling Guide

• https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf

• NIST 800-82 r2: Guide to Industrial Control Systems (ICS) Security

• https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf


• NIST 800-184, Guide for Cybersecurity Event Recovery

• https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf

• NIST 800-30 r1, Guide for Conducting Risk Assessments

• https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final

• GPO Resources

• https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines

• https://www.cisecurity.org/benchmark/microsoft_windows_server/

• Microsoft’s Threat Modeling Tool

• https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling


• CISCO-AVEVA-SE Oil and Gas Pipeline Security Reference Document

• https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/Oil_and_Gas/Pipeline/SecurityReference/Security-IRD/Security-IRD.html

• National Vulnerability Database (NVD) by NIST

• https://nvd.nist.gov/

• Common Vulnerabilities and Exposures (CVE)

• https://cve.mitre.org/


• SANS (Information Security Training and Resources)

• https://www.sans.org/

• Center for Internet Security (CIS)

• https://www.cisecurity.org/

• ICS-CERT

• https://ics-cert.us-cert.gov/

• OWASP (Open Web Application Security Project)

• https://owasp.org/


• NIS Directive

• https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive

• Standards

• IEC 62443, ISO 2700x, NERC, NIST

• From ICS-CERT: https://ics-cert.us-cert.gov/Standards-and-References

• FAIR (Factor Analysis of Information Risk)

• Value at Risk (VaR) Framework for cybersecurity and operational risk

• https://www.fairinstitute.org/


linkedin.com/company/aveva

@avevagroup

ABOUT AVEVA AVEVA is a global leader in engineering and industrial software driving digital transformation across the entire asset and operational life cycle of capital-intensive industries.

The company’s engineering, planning and operations, asset performance, and monitoring and control solutions deliver proven results to over 16,000 customers across the globe. Its customers are supported by the largest industrial software ecosystem, including 4,200 partners and 5,700 certified developers. AVEVA is headquartered in Cambridge, UK, with over 4,400 employees at 80 locations in over 40 countries.

aveva.com


Presented By: Tom Gallagher, Head of Quality and Cybersecurity