Invensys and the Invensys logo are trade marks of Invensys plc. 9 October 2013
Invensys proprietary & confidential. Slide 1
© 2013 Invensys. All Rights Reserved. The names, logos, and taglines identifying the products and services of Invensys are proprietary marks of Invensys or its subsidiaries. All third party trademarks and service marks are the proprietary marks of their respective owners.
Cyber Security -Fortify your plant
Welcome at the
Cyber Security Conference 2013
October 3rd, 2013
No smoking
Safety - Emergency exits:
- In the front left of the room
- In the back left of the room
This conference is made for you so please participate, ask & discuss
(Q&A at the end of a presentation)
Agenda
14.00 Cyber Crime – A Mysterious Space Rein Visser
14.10 How to create a Cyber Security Plan Mark Bakker
14.30 Cyber Security in Process Industries Walter Belgers
15.00 Impact of Cyber Terrorism Wim Verloop
15.30 Coffee break
15.45 Cyber Security in Process Control Domain Joshua Carlson
16.15 Increase your system’s availability Bert Haselager
16.30 Security Assurance Levels Joshua Carlson
17.00 Know your Defense in Depth Joshua Carlson
17.15 Cyber Security Panel All
17.45 Closure Rein Visser
18.00 Networking drinks & buffet
Cisco Confidential. © 2012 Cisco and/or its affiliates. All rights reserved.
“Our lives are becoming more and more connected to
technology every day. At the same time, the threat to our information systems from hackers and bad actors is increasing just as rapidly.”
National Security Agency, December 2010
Mysterious
1. Regulations?
2. Publicity?
3. Is it a crime?
– Hackers
– Criminals
– Hacktivists
– Advanced Persistent Threat (APT)
4. Are we connected?
Our commitment
1. Cyber Secure Products & Systems
2. Cyber Secure Architecture
3. Cyber Security Services
Objections to protecting systems
• “Our production systems are completely isolated from outside access.”
• “Our system is secure as it would be impossible for an outsider to understand it.”
• “We’re not a likely target. We’re not important or interesting enough to attract hackers.”
• “We’ve never had a problem: no intrusion or disruption in our production network.”
• “We can’t justify the expense and manpower.”
Project SHINE
> 1,000,000 Internet-connected SCADA and ICS systems, and still counting
Source: Bob Radvanovsky / www.shodanhq.com
Hacking 2.0 – ex. 1: Remote control
Antwerp, July 2013
• Drugs container
• Hacking terminal computer
• Control cranes
Telegraaf – 31 July 2013
Pre-warning
Pro-ACT: it is always best to take measures to prevent the house from burning.
Re-ACT in case there is a Cyber Security attack: call our Computer Incident Response Team to reduce the impact.
Creating a Cyber Security Plan
Objective:
• Optimize Production Process
• Minimize Disruptions
• Reduce Insurance Costs
• Increase Customer Satisfaction
• Increase Employee Satisfaction
How to protect your systems 1
Policy & Organisation:
• Priority
• Responsibility
• Collaboration
• Software
How to protect your systems 2
Risk Management:
• Security Audit
• Recovery plan
• External Expertise
How to protect your systems 3
Secure Access:
• Secure Mobility
• Secure User Identity
• Internet / Intranet
• Overall network security
[Diagram: Typical security architecture for Industrial Automation and Control Systems (holistic view). Recoverable labels: Enterprise Zone (Levels 4 and 5) with ERP, email, Wide Area Network (WAN), web hosting, ISP and company website; Demilitarized Zone (DMZ) with active/standby firewalls joined by a Gbps link for failover detection, Patch Management, Terminal Services, Application Mirror, AV Server and Remote Access Server; Manufacturing Zone (Level 3, Site Manufacturing Operations and Control) with Factory Application Servers (SCADA/HMI, Historian, AssetCentre, Transaction Manager), Factory Services Platform (Directory, Security/Audit), Data Servers and Network Services (DNS, DHCP, syslog server, network and security management); Cell/Area Zones (Levels 0–2) with HMI, controllers, drives and DIO on Layer 2 access switches: Cell/Area #1 redundant star topology with Flex Links resiliency, Cell/Area #2 ring topology with Resilient Ethernet Protocol (REP), Cell/Area #3 bus/star topology.]
Lipman Report, October 2010
“We can no longer afford to ignore the threat from these increasingly advanced governments or terrorist groups aiming to disarm us or fund their activities, to individual hackers looking for money and information.
The time for urgency is now.”
Invensys can help you!
Let me introduce you!
1. Ir. Walter Belgers
Owner & COO Madison Gurkha
Cyber Security in Process Industries
2. Drs. Wim Verloop
Director Digital Investigation
The impact of Cyber Terrorism
3. Cyber Security in Process Industries
5. Cyber Security in Process Control Domain
Joshua Carlson
EMEA Cyber Security Consultant
Invensys Cyber Security Services
Cyber Security in the Process Control Domain
Invensys Cyber Security Services
Cyber Security Defined
“…combination of technologies and
processes designed to protect computers,
networks and data from unauthorized
access, vulnerabilities and attacks…”
The ability to control and prevent
unauthorized external or internal
access to critical infrastructure systems
Why it’s important
• Increases (plant) safety
• Reduces down time
• Protection of intellectual property
• Compliance with internal regulations
• Compliance with country-specific regulations
Recent Headlines: The Threats are Real
NSS Labs Vulnerability Report - 2013
• ICS/SCADA vulnerabilities have increased more than 600% since 2010
• Cyber-espionage / malware programs steal sensitive data from organizations for 5 YEARS before being discovered
• Power companies targeted by approximately 10,000 cyber attacks per month
• Hackers target proprietary ICS, PLC, and SCADA technologies
Recent Occurrences: Cyber Espionage
Operation “Red October”
During the past five years, a high-level cyber-espionage campaign has
successfully infiltrated computer networks at diplomatic, governmental
and scientific research organizations, gathering data and intelligence
from mobile devices, computer systems and network equipment.
What do we do? Flawless Operation of Critical Infrastructure
A Primary Component of National Security
Recommended Cyber Security Solutions
Role Based Access Controls / Centralized Management
• Individual credentials for non-repudiation
• User-specific access control policies
• Lower level user lockdown
• Password expiration / complexity / history standards
• Unnecessary component restrictions
• Centralized logging
Complete Endpoint Protection
• Anti Virus / Anti Spyware
• Host Intrusion Prevention (behavior / heuristic-based)
• Device Control (DLP)
• Integrity Control
• Application Control (Whitelisting)
• Centralized update, reporting, monitoring, management
Ethernet Switch Hardening
• Un-used ports disabled
• Default credentials disabled & strong authentication used
• Telnet disabled & SSH enabled
• Webview & Discovery Protocol disabled
Complete System Monitoring & Management
• Centralized device health and statistics monitoring / management
• Centralized performance monitoring / management
• Notification / alerting systems for preventative maintenance
Disaster Recovery
• Centralized scheduling & management of backups
• Full disk and folder backups
• Complete system restoration capabilities
• Off site storage
Implementation of BIOS Security
DL380 BIOS Parameters Setting
• System Options > USB Options > Removable Flash Media Boot Sequence: Internal SD Card First
• System Options > Processor Options > No-Execute Memory Protection: Enabled
• Standard Boot Order (IPL): Reordered to 1. Hard Drive C:, 2. CD-ROM, 3. Floppy Drive, 4. USB DriveKey, 5. PCI Slot 5 Ethernet Network Controller, 6. PCI Slot 6 Ethernet Network Controller
• Server Availability > POST F1 Prompt: Delayed (20 Seconds)
• Server Security > Set Admin Password: Set to a strong password that will be communicated only to authorized users
• BIOS Serial Console & EMS > BIOS Serial Console Port: Disabled
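The Ethernet switch hardening checklist above (unused ports disabled, default credentials removed, Telnet off and SSH on, web interface and discovery protocol off) is something an operator can verify from a saved configuration rather than by trusting a change ticket. The following is an added example and not Invensys code: it audits a constructed Cisco IOS-style configuration against those five checks. The `DEFAULT_CREDENTIALS` set, the `audit_switch_config` function, the caller-supplied list of unused ports and both sample configurations are assumptions made for illustration.

```python
"""Audit a switch config against the slide's Ethernet-switch-hardening checklist.
Added example, not Invensys code. Syntax is Cisco IOS-style; sample configs are
constructed; which ports count as 'unused' is supplied by the caller."""
import re

# Assumed factory credential pairs that must never survive in production.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("cisco", "cisco")}


def _blocks(config):
    """Split an IOS-style config into (header, [indented body lines]) sections."""
    sections, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if raw.startswith(" "):
            body.append(raw.strip())
        else:
            if header is not None:
                sections.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        sections.append((header, body))
    return sections


def audit_switch_config(config, unused_ports):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    sections = _blocks(config)
    top_level = {h for h, _ in sections}
    by_header = dict(sections)

    # 1. Unused ports must be administratively shut down.
    for name in unused_ports:
        body = by_header.get(f"interface {name}")
        if body is None or "shutdown" not in body:
            findings.append(f"unused port {name} is not shut down")

    # 2. No default username/password pairs (plain 'password' lines only).
    for h in top_level:
        m = re.match(r"username (\S+) (?:privilege \d+ )?password(?: \d)? (\S+)", h)
        if m and (m.group(1), m.group(2)) in DEFAULT_CREDENTIALS:
            findings.append(f"default credential for user {m.group(1)}")

    # 3. Telnet disabled: every vty line must restrict transport to SSH.
    for h, body in sections:
        if h.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{h} still accepts non-SSH transport")

    # 4. Discovery protocol (CDP) disabled globally.
    if "no cdp run" not in top_level:
        findings.append("CDP (discovery protocol) not disabled")

    # 5. Web management interface disabled.
    if "no ip http server" not in top_level:
        findings.append("HTTP web management not disabled")
    return findings


# Constructed sample: a switch that fails all five checks.
WEAK_CONFIG = """\
!
username admin password 0 admin
!
interface GigabitEthernet1/0/1
 description HMI-01
!
interface GigabitEthernet1/0/2
 description spare
!
line vty 0 4
 transport input all
!
"""

# Constructed sample: the same switch after hardening (hash is a placeholder).
HARDENED_CONFIG = """\
!
username ops-engineer privilege 15 secret 9 <hash-placeholder>
no cdp run
no ip http server
!
interface GigabitEthernet1/0/1
 description HMI-01
!
interface GigabitEthernet1/0/2
 description spare
 shutdown
!
line vty 0 4
 transport input ssh
!
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_switch_config(cfg, ["GigabitEthernet1/0/2"]))
```

Running the audit on the weak sample yields five findings, one per checklist item; the hardened sample yields none. In practice the same function is run over configurations pulled from a backup repository, so a port that was re-enabled or a vty line that drifted back to `transport input all` shows up as a finding on the next run.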
“Safety and Cyber Security are job one at Invensys”
- Mike Caliel, President & CEO Invensys
1. Creating and maintaining a Cyber Security plan is absolutely critical.
2. Plan must be approved and supported by Executive Management.
3. Plan must include a Business Continuity strategy.
4. Security must be designed into the initial stages of Operating Platform development.
6. Increase your system’s availability
Simplifying your life with RemoteWatch V4.0
Bert Haselager
Sept 2013
Agenda
1 What does it do?
2 How does it do that?
3 From Break\Fix to conditional Preventive Maintenance?
4 How does it work?
5 Where do I get it?
1) What does it do?
RemoteWatch V4.0 simplifies the lives of our Foxboro I/A Series & FCS customers by:
• Reducing Process System Downtime
• Enabling Proactive Maintenance
• Lowering Cost of Ownership
• Making maintaining a system easier and cheaper
• Facilitating lifecycle management
1) What does it do?
[Diagram: RemoteWatch service overview. Recoverable labels: Service Lab Reports, Remote Display, Performance Monitoring, Remote Service, Remote APC; Office Domain and Process Domain separated by Ethernet; I/A-Series/InFusion AW, AW, WP, WP and CP, CP nodes on the Nodebus/Mesh Network.]
2) How does it do that? Remote access requirements for the DCS
Customer and Invensys requirements
2) How does it do that? Reducing Process System down time
1. Resource data collection
2. Push & Store data to RemoteWatch Server Apps
3. Share info with Invensys Center via Secure connection
4. Report Subscribers on Events & populate the Event log
5. Address Events & Remote Assist if required
2) How does it do that? Step 1: Resource data collection
Data Acquisition Software (DAS) is collecting information on system resources monitored. Examples of information collected:
1. Station communication resources
2. Station performance data
3. FERRET data
4. System Configuration data
5. OS Patch & AV data
6. HW & SW revision data
2) How does it do that? Step 2: Push & Store data to RemoteWatch Server
Collected system resource data is pushed from the system to the RemoteWatch Site Server, where the received information is processed and stored locally for the LocalWatch App. The Site Server prepares the set of information to be uploaded to the Invensys Service Center for reporting Events, extended reporting and populating the FERRET Installed Base supporting the System Asset Viewer (SAV) usage.
[Diagram label: RemoteWatch Site Server]
2) How does it do that? Step 3: Share info with Invensys Service Center via the secure connection
The RemoteWatch Site Server uses an outbound secure tunnel to the Invensys Service Center to send heartbeats and push the collected information. The Service Center receives the heartbeats and site-collected information in the Communication Server inbox residing in a DMZ.
[Diagram: Customer Site (Customer Network, RemoteWatch Site Server) over the Internet to the Invensys Service Center DMZ with the Communication Server.]
2) How does it do that? Step 4: Report Subscribers on Events & populate the Event log
Information received is processed and Events are shared with:
• Users in the Invensys Service Center
• Customers and Service providers via the Invensys GCS Support web site
• The Customer Site Event log offers a log of all reported Events.
• A mail subscription is available:
  • Immediate emails on Critical and Error level Events
  • A daily email report on the Events reported in the last 24 hours
[Diagram: Invensys Service Center DMZ with Communication Server; Event Log Site X; Invensys GCS Support Web Site; Customer & Service Provider.]
2) How does it do that? Break\Fix to conditional Preventive maintenance
Received messages will have the SiteID, Severity, Timestamp and MSG Body. The MSG will be forwarded to the RWS Service hosted by the GCS Web Farm. The RWS app will monitor system resources. System Resources in Alarm information will be packed and mailed to Home Office.
The RWS Service is receiving messages, which will be processed based on Severity. They can be logged, sent to the CASE Mngmt RWS Queue and used to inform the End User and its IOM Service Rep.
[Diagram: Internet; monitored resources (Database, Applications, Network, Devices); Invensys Service Center DMZ with Communication Server, Application Server, Database Server and Virtual Service Engineer; GCS Web Farm; Local Invensys; Customer; CASE Mngmt; Event Log Site X.]
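The severity-based handling described in steps 3 and 4 (messages carrying SiteID, Severity, Timestamp and MSG body; every event logged per site; immediate e-mail on Critical and Error events; a daily report over the last 24 hours; queueing to case management) can be written down as a small routing function, which makes the rules reviewable and testable. The example below is added here and is not RemoteWatch code: the `|`-delimited line format, the severity names beyond Critical and Error, the rule that only Critical events are queued for case management, and the sample messages are constructed assumptions.

```python
"""Severity-based routing of RemoteWatch-style site events.
Added example, not Invensys code. Field names come from the slide; the line
format, extra severity names, case-queue rule and sample data are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ranking; the slide names only Critical and Error explicitly.
SEVERITY_RANK = {"Critical": 0, "Error": 1, "Warning": 2, "Info": 3}
IMMEDIATE = {"Critical", "Error"}  # slide: immediate e-mail on these levels


def parse_message(line):
    """Parse one 'SiteID|Severity|Timestamp|MSG' line (delimiter is assumed)."""
    site, severity, ts, body = line.split("|", 3)
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {severity!r}")
    return {
        "site": site,
        "severity": severity,
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "msg": body,
    }


def route(events):
    """Return (event_log, immediate_mail, case_queue).

    Every event is logged under its site; Critical/Error events go to the
    immediate-mail list; Critical events are also queued for case management
    (that last threshold is an assumption, not stated on the slide)."""
    event_log = defaultdict(list)
    immediate_mail = []
    case_queue = []
    ordered = sorted(events, key=lambda e: (SEVERITY_RANK[e["severity"]], e["ts"]))
    for ev in ordered:
        event_log[ev["site"]].append(ev)
        if ev["severity"] in IMMEDIATE:
            immediate_mail.append(ev)
        if ev["severity"] == "Critical":
            case_queue.append(ev)
    return event_log, immediate_mail, case_queue


def daily_report(events, now):
    """Count events per site and severity for the 24 hours ending at `now`."""
    window_start = now - timedelta(hours=24)
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if window_start <= ev["ts"] <= now:
            counts[ev["site"]][ev["severity"]] += 1
    return {site: dict(c) for site, c in counts.items()}


# Constructed sample messages (not real RemoteWatch data).
SAMPLE_LINES = [
    "SITE-A|Warning|2013-10-03T08:15:00|Station performance: CPU load 85%",
    "SITE-A|Critical|2013-10-03T09:02:10|Station communication: CP lost heartbeat",
    "SITE-B|Error|2013-10-03T09:30:00|AV signature file older than 7 days",
    "SITE-B|Info|2013-10-01T12:00:00|FERRET inventory collected",
]


def demo(now=datetime(2013, 10, 3, 12, 0, 0)):
    """Run the sample through parsing, routing and the 24-hour report."""
    events = [parse_message(line) for line in SAMPLE_LINES]
    log, mail, cases = route(events)
    return {
        "logged_sites": sorted(log),
        "immediate": [(e["site"], e["severity"]) for e in mail],
        "cases": [e["msg"] for e in cases],
        "daily": daily_report(events, now),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the sample data the Critical heartbeat loss and the Error about stale AV signatures are the only immediate notifications, the Critical one alone is queued for case management, and the two-day-old Info event falls outside the daily report window. Sorting by severity before routing means that, if the mail sink rate-limits, the messages that matter most are sent first.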
2) How does it do that? Step 5: Address Events & Provide Remote Assistance if Required
Events can be handled by the Customer maintenance team and/or the Invensys Service Provider or the Invensys Service Center. Customer maintenance teams and Invensys Service Providers address the reported events locally. If required they can get remote assistance from the Invensys Service Center.
The combination of RemoteWatch monitoring resources and reporting resources that are becoming critical in time delivers Proactive Maintenance. It enables the Process System maintenance team and/or Invensys Service Provider, backed up by the Invensys Service Center, to reduce Process System down time due to unexpected events.
2) How does it do that? Event Reporting via GCS Support Web
[Demo screenshots: Invensys View and Customer View]
2) How does it do that? Lowering Cost of Ownership – FERRET Integration
FERRET integration adds all FERRET functions and makes them available close to ‘real time’:
• For users on the RemoteWatch Site Server (VSE) via LocalWatch.
• For users using System Asset Viewer (SAV) through the FERRET updates to the Installed Base.
2) How does it do that? Lowering Cost of Ownership – FERRET Integration
FERRET DAS components, installed at the individual DCS hosts, are scheduled to collect FERRET information periodically. DCS hosts push the collected FERRET data to the RemoteWatch Site Server (VSE), where it is imported into the LocalWatch DB.
LocalWatch combines the individual FERRET data files for presentation locally and creates a [SiteID].fer file that will be uploaded to the Installed Base Repository (IBR) via the RemoteWatch Service Center.
Collected FERRET data is available via:
• LocalWatch on the RemoteWatch Site Server (VSE)
• Installed Base Repository reports
• System Asset Viewer (SAV)
[Diagram: Invensys DCS+ hosts with DAS 4.0; RemoteWatch Site Server (VSE) with LocalWatch and LocalWatch DB (Local RWS Site); Installed Base, Installed Base Reports and GCS Web; System Asset Viewer (SAV).]
2) How does it do that? Lowering Cost of Ownership – OS Patches, QF’s & AV
Provide OS Patch, I/A & FCS Software and Anti Virus (AV) protection status reporting and deployment
• Reporting of the installation status for OS Patches, Invensys QuickFixes and AV files
  • Phase 1 - for the RemoteWatch Site Server
    • Locally via LocalWatch
    • Remote via the GCS Support Web Site
  • Phase 2 – for the Monitored Process System
    • Locally via LocalWatch
    • Remote via the GCS Support Web Site
2) How does it do that? Lowering Cost of Ownership – OS Patches, QF’s & AV
Provide OS Patch, I/A & FCS Software and Anti Virus (AV) protection status reporting and deployment
• Deployment of approved OS Patches, Invensys QuickFixes and AV Dat files
  • Phase 1 - for the RemoteWatch Site Server
    • Deliver the approved OS Patches via WSUS and AV Dat files.
    • Install the Patches & Dat files, when possible unattended.
  • Phase 2 – for the Monitored Process System
    • Deliver the approved OS Patches via WSUS and AV Dat files.
    • Manual installation required.
2) How does it do that? Lowering Cost of Ownership – OS Patches, QF’s & AV
Deployment Phase 1 (all the firewalls and other IT infrastructure are NOT shown in this picture)
[Diagram: Microsoft WSUS (source of master data); Invensys WSUS Replica in the Invensys Office Domain; WSUS RemoteWatch Service Center in the RemoteWatch Secure Domain; RemoteWatch Site Server (VSE) at the Customer Site.]
Invensys WSUS replica receives data from Microsoft on Windows products and the available patches. Invensys qualifies the patches, determines the deployment method and assigns the Patch to the Update group. Invensys WSUS deploys the qualified patches to the WSUS RemoteWatch Service Center and links them to the defined update membership groups. WSUS RemoteWatch Service Center deploys Patches and executes the configured install actions.
2) How does it do that? Lowering Cost of Ownership – OS Patches, QF’s & AV
Deployment Phase 2 (all the firewalls and other IT infrastructure are NOT shown in this picture)
[Diagram: WSUS RemoteWatch Service Center in the RemoteWatch Secure Domain (Invensys Office Domain); WSUS RemoteWatch Site Server (VSE) and Process System at the Customer Site.]
WSUS RemoteWatch Service Center deploys Patches to the WSUS RemoteWatch Site Server (VSE). Patches will be set to ‘perform install manual’. Operator action is required to deploy patches to the target Process System: due to the ‘perform install manual’ option, a patch ready for installation will appear on the Customer Workstation under the Maintenance user login and requires a manual install.
Where do I get RemoteWatch 4.0?
Through Invensys’ Customer FIRST program. Contact the Services Sales or Services Manager in your Region:
Americas: David Spencer; MENA: Jigar Shah; EURA: Peter Knott; APAC: Subhash Ray
Guidelines
IEC 62443:
- ISA S99 / IEC-62443
- WIB / IEC-62443-2-4
ISO 27000-series
NERC 1300
Defense in Depth
Policies, Procedures, Awareness
Physical
Perimeter
Internal Network
Application
Data
Guideline: ISA S99
ISA S99: Security for
Industrial Automation and
Control Systems
Establishing an IACS Security
Program
Guideline: ISA S99.03.03
SAL 1: Casual or coincidental violation
SAL 2: Intentional Violation using simple means
SAL 3: Intentional Violation using sophisticated means
SAL 4: Intentional Violation using sophisticated means & extended resources
IEC 62443-3-3
Endorsed by WIB workgroup
Guideline: WIB – The International Instrument Users' Association.
PCD: requirements for vendors
Participants:
Guideline: ISO 27k
Series: 27000 – 27043 + 27799
27000 – Intro
27001 – Information Security Management System
27004 – Information Security Management Measurement
27005 – Information Security Risk Management
27019 – Information security for Process Control in the Energy Industry
27032 – Cybersecurity:
Preservation of confidentiality, integrity and availability of information
in the Cyberspace.
27033 – IT network security
Cyber Security Offerings – Invensys Cyber Security Services
Solutions:
• Cyber Security Assessment
• Security Architecture & Policy Development
• Cyber Security Implementation
• Cyber Security Management & Optimization
Services elements:
• System Assessment
• Baseline Security
• Network & System hardening
• Incident / emergency response services
• Site Assessment
• Network & systems design / engineering
• Endpoint protection
• Network and systems management
• Compliance Assessment
• Security program development
• Information Security Training
• Vulnerability Assessment
• Back-up and disaster recovery
• Network & system audits
• Network and systems monitoring
• Wireless / wired network topology discovery
• Security program review
Discuss about Cyber Security!
1. Ir. Walter Belgers
2. Drs. Wim Verloop
3. Rein Visser
4. Joshua Carlson
5. Mark Bakker
Invensys can help you!