ICS Cyber Security: Continuous Monitoring as a Critical Function

Mark Littlejohn

Source: ICS Cyber Security - Honeywell Process, downloads.honeywellprocess.com/public/email/pdf/Continuous_Moni...


Honeywell Proprietary, 2014

About the Presenter

Mark Littlejohn

• Global Leader, Cyber Security Managed Services for Honeywell Process Solutions.

• Over 20 years' experience in the field of cyber security.

• Specializes in cyber security solutions and security infrastructure: assessing organizational risk, establishing security goals, implementing sound technical solutions, regulatory compliance and real-time monitoring.


Continuous Monitoring Topics

• Making the Case

• Key Elements

• Honeywell Advantage


ICS Continuous Monitoring: Making the Case


Focus: Up to But Not Including Corporate and 3rd Party Networks

[Network diagram: an Experion process control network drawn by level, showing Level 1, Level 2, Level 3, the Level 3.5 DMZ and Level 4. Nodes shown include Experion Servers, ESC/ESF/EST/ESVT stations, ACE, EAS, Safety Manager, Domain Controllers, PHD Server, PHD Shadow Server, eServer, Terminal Servers, Patch Management Server, Anti Virus Server, qualified Cisco switches, an optional HSRP router, a firewall, a 3rd Party App Subsystem Interface, and the corporate and 3rd party/vendor/contractor/maintenance connections. The diagram separates the area labelled IT Cyber Security from the area labelled Industrial Cyber Security.]


Critical Infrastructure Cybersecurity Framework Function

IDENTIFY

PROTECT

DETECT

RESPOND

RECOVER

http://www.nist.gov/cyberframework/

Maps controls to:

• ISO 27001
• ISA 99/IEC 62443
• NIST SP 800-53
• COBIT 5
• CCS CSC


Critical Infrastructure Cybersecurity Framework Function Elements

IDENTIFY: Hardware & Software Inventory, Policy & Procedures, Network Topology, Security Risk Assessments

PROTECT: Firewalls, Passwords, Antivirus, Patching, USB Control, Physical Security, Change Control, Backup & Recovery

DETECT: ?

RESPOND: ?

RECOVER: ?

http://www.nist.gov/cyberframework/


Industrial Cyber Attacks & Incidents Are Rising

Information Stealer Malware

Worm Targeting SCADA and Modifying PLCs

Virus Targeting Energy Sector Largest Wipe Attack

Virus for Targeted Cyber Espionage in Middle East

Worm Targeting ICS Information Gathering and Stealing

Large-Scale Advanced Persistent Threat Targeting Global Energy

APT Cyber Attack on 20+ High Tech, Security & Defense Cos.

Cyber-Espionage Malware Targeting Gov’t & Research Organizations

Industrial Control System Remote Access Trojan & Information Stealer

Security Bug and Vulnerability Exploited by Attackers


What do these 3 Plants have in common?


German Steel Plant

Turkish Pipeline

Iranian Nuclear Facility


Increased Activity & Success

Nov 20, 2014, NSA Chief FINALLY states: "It's already happened!"

Jan 23, 2015, Cisco CEO at the 2015 Davos Conference: "Cyber Attacks will double this year"


Common Thread

• Most of these attacks could have been stopped using good protection and detection capabilities

• The results/effects of ALL of these attacks could have been reduced via continuous monitoring

Is your ICS currently infected or under attack?


ICS Continuous Monitoring: Key Elements


Key Items to Monitor

• Network Activity Logs: Attack Signatures, ACL Rules, Utilization Spikes

• System Audit Logs: Unauthorized Access, Disabling Controls, Configuration Changes

• System Availability/Performance: Application Health, CPU Utilization, Hardware Errors

• Administrative Changes: GPO Modifications, Group Additions, Log Clearing

• Software Update Compliance: Aging of Virus Signatures, Security Patches, Software Updates

• Virus Infections
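Two of the items above (software update compliance and administrative changes) can be checked mechanically. The following is an added example, not code from the presentation or from Honeywell: it ages constructed signature and patch dates against a per-node threshold and flags the administrative-change audit events named above. Node names, dates, thresholds and the sample events are constructed; the Windows Security event IDs used are the standard ones.

```python
"""Added example (not from the Honeywell deck): minimal continuous-monitoring
checks for signature/patch aging and for administrative changes, run over
constructed sample data."""
from datetime import date

# Report date for the constructed data set.
REPORT_DATE = date(2015, 2, 1)

# Constructed inventory: node -> (last signature update, last patch, max age in days)
INVENTORY = {
    "exp-server-01": (date(2015, 1, 20), date(2014, 12, 10), 14),
    "eserver-01":    (date(2015, 1, 25), date(2015, 1, 12), 14),
    "ace-01":        (date(2014, 11, 30), date(2014, 9, 1), 30),
}

# Constructed audit events: (node, log, event_id, description).
# Standard Windows Security event IDs: 1102 = audit log cleared,
# 4728/4732 = member added to a security-enabled group.
AUDIT_EVENTS = [
    ("exp-server-01", "Security", 4624, "An account was successfully logged on"),
    ("exp-server-01", "Security", 1102, "The audit log was cleared"),
    ("eserver-01",    "Security", 4732, "A member was added to a security-enabled local group"),
    ("ace-01",        "System",   7036, "The Windows Update service entered the running state"),
]

ADMIN_EVENT_IDS = {1102: "log clearing", 4728: "group addition", 4732: "group addition"}

def aging_alerts(inventory, today):
    """Return (node, kind, age_days) for signatures or patches older than the node's threshold."""
    alerts = []
    for node, (sig_date, patch_date, max_age) in sorted(inventory.items()):
        for kind, updated in (("signatures", sig_date), ("patches", patch_date)):
            age = (today - updated).days
            if age > max_age:
                alerts.append((node, kind, age))
    return alerts

def admin_change_alerts(events):
    """Return (node, change_type, event_id) for administrative changes worth an alert."""
    return [(node, ADMIN_EVENT_IDS[eid], eid)
            for node, _log, eid, _desc in events if eid in ADMIN_EVENT_IDS]

def weekly_summary(inventory, events, today):
    """Compliance view: node count, nodes with stale files, administrative changes seen."""
    stale = {node for node, _kind, _age in aging_alerts(inventory, today)}
    return {"nodes": len(inventory), "stale_nodes": len(stale),
            "admin_changes": len(admin_change_alerts(events))}

if __name__ == "__main__":
    for alert in aging_alerts(INVENTORY, REPORT_DATE) + admin_change_alerts(AUDIT_EVENTS):
        print("ALERT", alert)
    print(weekly_summary(INVENTORY, AUDIT_EVENTS, REPORT_DATE))
```

With the constructed data every node is out of date on at least one item, which is the kind of finding the weekly compliance report described later in the deck would carry.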


Obstacles to Effective Monitoring

• Budget for required utilities
  – Intrusion Detection Systems
  – Security Information & Event Management
  – Logging Agents, Relay Servers, Databases, etc.

• Personnel required for administration
  – Initial installation of the components above
  – Analysis of events to determine what is critical
  – Investigation of alerts to determine next steps

• Other concerns
  – Competing DCS priorities
  – Training on new technology
  – Different expertise per location


Continuous Monitoring Best Practice

Hire a company to monitor your systems for ¼ the price, but only if they have the following:

• Expertise in Control System security
• Methodology that complies with IEC 62443
• 100s of current ICS customers
• Follow the sun support model
• Geographically separate operating facilities


ICS Continuous Monitoring: Honeywell Advantage


Complete Industrial Cyber Security Solutions

Assessments & Audits
• Security Assessments
• Network & Wireless Assessments
• Security Audits

Architecture & Design
• Current State Analysis
• Design & Optimization
• Zones & Conduits

Network Security
• Firewall
• Intrusion Prevention
• Access Control
• Policy Development

Endpoint Protection
• Patching & Anti-Virus
• Application Whitelisting
• End Node Hardening
• Portable Media & Device Security

Continuous Monitoring
• Continuous Monitoring
• Compliance & Reporting

Situational Awareness
• Security Analytics
• Security Information & Event Management (SIEM)

Response & Recovery
• Backup and Restore
• Incident Response

Security Awareness Training


Managed Industrial Cyber Security Services, Technology Enabled

• Secure Connection: Secure tunnel for services

• Perimeter and Intrusion Management: Firewall: configuration rules + log file review and reporting; IPS: signature update validation + log file review and reporting

• Protection Management: Qualified anti-malware files & operating system patches

• Continuous Monitoring and Alerting: Monitoring of system, network & cyber security performance; 24/7 alerting against thresholds

• Intelligence Reporting: Weekly compliance and quarterly trend reports


The Foundation: Honeywell's Secure Connection

• Customer Initiated Encrypted Tunnel
  – Customer controlled connection
  – Customized with easy to configure Security Policies
  – Only connects to Honeywell's Managed Security Service Center

• Two-Factor Authentication and Encryption
  – Honeywell Certificate based
  – Keeps information private even through the corporate network

• Infrastructure and methodology supports ISA99/IEC-62443 concepts
  – Zones & conduits, authentication, security logging, input validation and system integrity checks

• Secure Connection Enables
  – Protection Management
  – Continuous Monitoring and Alerting
  – Intelligence Reporting
  – Perimeter and Intrusion Management
  – Secure Troubleshooting

[Diagram: "Drawbridge", Secure Connection]


Secure Connection Architecture

Connection Initiated by the Site's Secure Service Node

• SSL Encrypted, Two-Factor Authenticated Communication

• Connects to Managed Security Service Center ONLY

• Encrypted communication through corporate network provides additional security

[Architecture diagram: the Industrial Site (Levels 1 to 3.5: Operator Controls, Engineering Controls, ACE, Experion Servers, Domain Controllers, EST, ESF, eServer, Terminal Server, 3rd Party Apps, Anti-Malware Server, Windows™ Patch Management Server (WSUS), Secure Service Node, and a Relay Server in the DMZ) connects through the Corporate network (Level 4: Corporate Router, Corporate Proxy Server) and the Internet to the Managed Security Service Center (Communication Server in a DMZ, Database Servers, Application Servers, Domain). Malware icons mark where infections can sit along this path.]

• Relay Server isolates ICS/PCN, ensuring no direct communication between Level 3 & Level 4/Corporate Network

• Restricts unauthorized ICS/PCN nodes from sending or receiving data


Protection Management

Deploying Current Releases Helps Prevent Exploits, Infections and Application Malfunctions

• Automated, secure transfer to site of Honeywell tested and qualified Anti-Malware signature files & Operating System patches
  – Provides a local source of current, qualified signature files and patches for installation
  – Reduces manual, administrative work and delays required to obtain current files and patches
  – Maintains integrity of files through Secure Connection's encrypted file transfer
  – Avoids file modification risk via transfers by email or portable media

• Anti-Malware files
  – Protect against viruses, worms, and malware which can compromise the PCN/ICS

• Windows™ and Experion Operating System patches
  – Block multiple malware vulnerabilities to reduce system breaches, prevent unauthorized shut downs, and keep Control Systems operating properly

Anti-Malware Files & Operating System Patches


Continuous Monitoring and Alerting

• Continuous Monitoring
  – Agentless monitoring solution for system, network and security performance and health
  – Tested to ensure no impact on systems
  – Automated monitoring of critical ICS, network, Windows™ and security parameters
  – Intelligent analysis based on Honeywell engineering & expertise

• Alerts / Situational Awareness
  – 24/7 automated, proactive alerting for all monitored devices
  – Equipment and device specific thresholds
  – Managed Security Service Center automatically generates an alert email or SMS text to the site specified contact

Secure Connection Monitoring of Systems, Network & Security


Intelligence Reporting

• Trend Analysis Complements Alerts
  – Ability to catch degrading conditions
  – Captures & reports frequency of intermittent issues

• Weekly Critical Parameter Reports
  – Actionable reports of critical system & network information plus security issues
  – Out-of-date installation status for Anti-Malware signatures & Windows™ patches
  – Inventory of all detected networked equipment
  – Key source of data for compliance documentation

• Bi-Annual and/or Quarterly Reports
  – Comprehensive, detailed reports including long term trends, plus expert analysis

• Audit
  – Audit capability including access to session recordings

Secure Connection Reporting of ICS Status, Trends & Issues


Perimeter & Intrusion Management Services

Firewalls and IPS only work if properly configured & managed

• Firewall Management Services
  – Provides expert review of firewall log files, including rule changes
  – Allows for identification of unauthorized and unplanned changes
  – Note: Corporate firewall management NOT included or supported

• Intrusion Prevention System (IPS) Management Services
  – Verifies IPS signature updates are appropriate for the site
  – Provides expert review of log files

• Logs and changes are reviewed and monitored for modifications and activity
  – Avoids erosion of security posture or system interruption

PCN Firewalls & IPS Equipment Configurations Are Critical Elements of Site Protection

Secure Connection Management of Firewalls & Intrusion Prevention Systems


Why Honeywell Industrial Cyber Security?

Trusted, Proven Solution Provider

Industry Leading People and Experience
• Global team of certified experts with deep experience across all industries
• 100s of successful PCN / Industrial cyber security projects
• Leaders in security standards ISA99 / IEC62443

Industry Leading Processes and Expertise
• Proprietary methodologies specific for process control environment & operations
• Best practices developed through years of delivering solutions
• Comprehensive understanding of unique process control security requirements

Industry Leading Solutions
• First to obtain ICS product security certification with ISASecure
• Largest R&D investment in cyber security solutions and technology
• Strategic partnerships with best in class security product vendors


Contact Information

Email: [email protected]

www.becybersecure.com


Thank you!