
Invensys and the Invensys logo are trade marks of Invensys plc. 9 October 2013

Invensys proprietary & confidential. Slide 1

© 2013 Invensys. All Rights Reserved. The names, logos, and taglines identifying the products and services of Invensys are proprietary marks of Invensys or its subsidiaries. All third party trademarks and service marks are the proprietary marks of their respective owners.

Cyber Security – Fortify your plant

Welcome to the

Cyber Security Conference 2013

October 3rd, 2013

Spacer

No smoking

Safety - Emergency exits:

- In the front left of the room

- In the back left of the room

This conference is made for you, so please participate, ask and discuss

(Q&A at the end of a presentation)

Agenda

14.00  Cyber Crime – A Mysterious Space – Rein Visser
14.10  How to create a Cyber Security Plan – Mark Bakker
14.30  Cyber Security in Process Industries – Walter Belgers
15.00  Impact of Cyber Terrorism – Wim Verloop
15.30  Coffee break
15.45  Cyber Security in Process Control Domain – Joshua Carlson
16.15  Increase your system’s availability – Bert Haselager
16.30  Security Assurance Levels – Joshua Carlson
17.00  Know your Defense in Depth – Joshua Carlson
17.15  Cyber Security Panel – All
17.45  Closure – Rein Visser
18.00  Networking drinks & buffet

1. Cyber Crime – A Mysterious Space

© Invensys 3 October 2013

Cisco Confidential. © 2012 Cisco and/or its affiliates. All rights reserved.

“Our lives are becoming more and more connected to technology every day. At the same time, the threat to our information systems from hackers and bad actors is increasing just as rapidly.”

National Security Agency, December 2010

Mysterious

1. Regulations?

2. Publicity?

3. Is it a crime?

– Hackers

– Criminals

– Hacktivists

– Advanced Persistent Threat (APT)

4. Are we connected?

Our commitment

1. Cyber Secure Products & Systems

2. Cyber Secure Architecture

3. Cyber Security Services

Meet the Experts!

1. Learn

2. Participate

3. Address

4. Enjoy

2. Fortify your plant

Objections to protecting systems

• “Our production systems are completely isolated from outside access.”

• “Our system is secure as it would be impossible for an outsider to understand it.”

• “We’re not a likely target. We’re not important or interesting enough to attract hackers.”

• “We’ve never had a problem: no intrusion or disruption in our production network.”

• “We can’t justify the expense and manpower.”

Project SHINE

> 1,000,000 Internet-connected SCADA and ICS systems, and still counting

Source: Bob Radvanovsky / www.shodanhq.com

Slide 12

Hacking 2.0 – ex. 1: Remote control

Antwerp, July 2013

• Drugs container

• Hacking terminal computer

• Control cranes

Slide 15

Telegraaf – 31 July 2013

Pre-warning

Pro-ACT: it is always best to take measures to prevent the house from burning.

Re-ACT in case there is a Cyber Security attack: call our Computer Incident Response Team to reduce the impact.

Slide 17

IT vs. OT

Slide 18

2a. Cyber Security Plan

Creating a Cyber Security Plan

Slide 20

Objective:

• Optimize Production Process

• Minimize Disruptions

• Reduce Insurance Costs

• Increase Customer Satisfaction

• Increase Employee Satisfaction

How to protect your systems 1

Policy & Organisation:

• Priority

• Responsibility

• Collaboration

• Software

Slide 21

How to protect your systems 2

Risk Management:

• Security Audit

• Recovery plan

• External Expertise

Slide 22

How to protect your systems 3

Secure Access:

• Secure Mobility

• Secure User Identity

• Internet / Intranet

• Overall network security

Slide 23

How to protect your systems 4

Threat Protection:

• Back-up data

• Encrypt Data

Slide 24

How to protect your systems 5

Monitoring & Control:

• Identify

• Information

• Membership

Slide 25

Slide 26

Slide 28

[Diagram: Typical security architecture for Industrial Automation and Control Systems – holistic view. Recoverable labels:]

- Enterprise Zone (Levels 4 and 5): ERP, Email, Wide Area Network (WAN); Web hosting; ISP; Company website; IT
- Demilitarized Zone (DMZ): Firewall (Active) and Firewall (Standby) with a Gbps link for failover detection; Router; Remote Access Server; Patch Management; Terminal Services; Application Mirror; AV Server
- Manufacturing Zone – Site Manufacturing Operations and Control (Level 3): Factory Application Servers (SCADA/HMI, Historian, AssetCentre, Transaction Manager); Factory Services Platform (Directory, Security/Audit); Data Servers; Network Services (DNS, DHCP, syslog server; network and security management); AW; Layer 2 Access Switch
- Cell/Area Zones (Levels 0–2): Cell/Area #1 – Redundant Star Topology, Flex Links Resiliency; Cell/Area #2 – Ring Topology, Resilient Ethernet Protocol (REP); Cell/Area #3 – Bus/Star Topology; each containing HMI, Controller, Drive and DIO nodes

Lipman Report, October 2010

“We can no longer afford to ignore the threat from these increasingly advanced governments or terrorist groups aiming to disarm us or fund their activities, to individual hackers looking for money and information. The time for urgency is now.”

Slide 29

Invensys can help you!

Let me introduce you!

1. Ir. Walter Belgers

Owner & COO Madison Gurkha

Cyber Security in Process Industries

2. Drs. Wim Verloop

Director Digital Investigation

The impact of Cyber Terrorism

Slide 30

3. Cyber Security in Process Industries

4. The impact of Cyber Terrorism

Coffee break – 15 mins

Next:

Cyber Security in Process Control Domain

5. Cyber Security in Process Control Domain

Joshua Carlson

EMEA Cyber Security Consultant

Invensys Cyber Security Services

Cyber Security in the Process Control Domain

Invensys Cyber Security Services

Agenda
• Cyber Security Defined
• Recommended Solutions
• Summary

5a. Cyber Security defined

Cyber Security Defined

“…combination of technologies and processes designed to protect computers, networks and data from unauthorized access, vulnerabilities and attacks…”

The ability to control and prevent unauthorized external or internal access to critical infrastructure systems.

Why it’s important

• Increases (plant) safety
• Reduces down time
• Protection of intellectual property
• Compliance with internal regulations
• Compliance with country-specific regulations

Cyber Security is NOT…

• A Destination
• A Finite Set of Tools
• A Conference or Training Class

Recent Headlines: The Threats are Real

NSS Labs Vulnerability Report – 2013

• ICS/SCADA vulnerabilities have increased more than 600% since 2010
• Cyber-espionage / malware programs steal sensitive data from organizations for 5 YEARS before being discovered
• Power companies targeted by approximately 10,000 cyber attacks per month
• Hackers target proprietary ICS, PLC, and SCADA technologies

Recent Occurrences: Cyber Espionage

Operation “Red October”

During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment.

What do we do?

Flawless Operation of Critical Infrastructure – A Primary Component of National Security

Agenda
• Cyber Security Defined
• Recommended Solutions
• Summary

5b. Recommended solutions

Recommended Cyber Security Solutions

Role Based Access Controls / Centralized Management
• Individual credentials for non-repudiation
• User-specific access control policies
• Lower level user lockdown
• Password expiration / complexity / history standards
• Unnecessary component restrictions
• Centralized logging

Complete Endpoint Protection
• Anti Virus / Anti Spyware
• Host Intrusion Prevention (behavior / heuristic-based)
• Device Control (DLP)
• Integrity Control
• Application Control (Whitelisting)
• Centralized update, reporting, monitoring, management

Ethernet Switch Hardening
• Un-used ports disabled
• Default credentials disabled & strong authentication used
• Telnet disabled & SSH enabled
• Webview & Discovery Protocol disabled

Complete System Monitoring & Management
• Centralized device health and statistics monitoring / management
• Centralized performance monitoring / management
• Notification / alerting systems for preventative maintenance

Disaster Recovery
• Centralized scheduling & management of backups
• Full disk and folder backups
• Complete system restoration capabilities
• Off site storage

Implementation of BIOS Security
• See the DL380 BIOS parameter settings below
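The Ethernet Switch Hardening bullets above (un-used ports disabled, default credentials replaced by strong authentication, Telnet off and SSH on, web UI and discovery protocol off) are easy to state and easy to let drift after a field replacement. As an added example, not part of the presentation and not an Invensys or Cisco tool, the Python script below audits an IOS-style running-config text against those four points. The configuration syntax is assumed to be Cisco-IOS-like, both configs are constructed samples with placeholder hashes, and the rule that a port without a `description` counts as unused is this checker's own convention rather than a vendor rule.

```python
"""Audit an IOS-style switch config against the Ethernet Switch Hardening bullets.
Added example, not from the presentation. Assumed syntax is Cisco-IOS-like (global lines
unindented, 'interface'/'line' blocks indented one space, '!' ends a block); treating a
port without a 'description' as unused is this checker's own convention."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a cell/area switch still carrying factory-style settings.
WEAK_CONFIG = """\
enable password cisco
username admin password 0 admin
!
interface GigabitEthernet1/0/1
 description HMI-01
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
!
line vty 0 4
 login local
 transport input telnet ssh
!
"""
# Constructed sample: the same switch after hardening (hash values are placeholders).
HARDENED_CONFIG = """\
enable secret 9 $9$PLACEHOLDER-HASH
username ops privilege 15 secret 9 $9$PLACEHOLDER-HASH
no ip http server
no cdp run
ip ssh version 2
!
interface GigabitEthernet1/0/1
 description HMI-01
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description spare - keep shut
 shutdown
!
line vty 0 4
 login local
 transport input ssh
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split config text into global lines and {block header: [its indented lines]}."""
    global_lines: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                       # '!' terminates the current block
        elif line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, blocks


def audit_switch_config(text: str) -> List[str]:
    """Return one finding per deviation from the checklist; an empty list means compliant."""
    global_lines, blocks = parse_config(text)
    findings: List[str] = []
    # 1. Telnet disabled & SSH enabled: every vty line must accept SSH only.
    for name, body in blocks.items():
        if name.startswith("line vty"):
            for t in (l for l in body if l.startswith("transport input")):
                if t.split()[2:] != ["ssh"]:
                    findings.append(f"{name}: '{t}' permits non-SSH access; use 'transport input ssh'")
    if "ip ssh version 2" not in global_lines:
        findings.append("global: 'ip ssh version 2' not set")
    # 2. Default credentials disabled & strong authentication: no reversible passwords.
    if not any(l.startswith("enable secret") for l in global_lines):
        findings.append("global: no 'enable secret' configured")
    for l in global_lines:
        if l.startswith("enable password"):
            findings.append("global: reversible 'enable password' present; replace with 'enable secret'")
        m = re.match(r"username (\S+) .*\bpassword\b", l)
        if m:
            findings.append(f"global: user '{m.group(1)}' uses a reversible password; use 'secret'")
    # 3. Webview & Discovery Protocol disabled: the 'no ...' statements must be present.
    for required, what in (("no ip http server", "HTTP web UI"), ("no cdp run", "CDP")):
        if required not in global_lines:
            findings.append(f"global: {what} not disabled ('{required}' missing)")
    # 4. Un-used ports disabled: an undocumented port that is not shut down is a finding.
    for name, body in blocks.items():
        documented = any(l.startswith("description") for l in body)
        if name.startswith("interface ") and "shutdown" not in body and not documented:
            findings.append(f"{name}: no description and not shut down; shut unused ports")
    return findings
```

Running `audit_switch_config(WEAK_CONFIG)` reports eight findings (the Telnet-capable vty line, missing SSH version pinning, both reversible passwords, the web UI and CDP left enabled, and the undocumented live port on GigabitEthernet1/0/2); the hardened sample returns an empty list. Feeding it the output of a periodic `show running-config` export turns the checklist into a drift check instead of a one-time project deliverable.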

DL380 BIOS Parameter Settings

- System Options > USB Options > Removable Flash Media Boot Sequence: Internal SD Card First
- System Options > Processor Options > No-Execute Memory Protection: Enabled
- Standard Boot Order (IPL): Reordered to 1. Hard Drive C:, 2. CD-ROM, 3. Floppy Drive, 4. USB DriveKey, 5. PCI Slot 5 Ethernet Network Controller, 6. PCI Slot 6 Ethernet Network Controller
- Server Availability > POST F1 Prompt: Delayed (20 Seconds)
- Server Security > Set Admin Password: Set to a strong password that will be communicated only to authorized users
- BIOS Serial Console & EMS > BIOS Serial Console Port: Disabled

Agenda
• Cyber Security Defined
• Recommended Solutions
• Summary

5c. Summary

“Safety and Cyber Security are job one at Invensys”

– Mike Caliel, President & CEO Invensys

1. Creating and maintaining a Cyber Security plan is absolutely critical.

2. The plan must be approved and supported by Executive Management.

3. The plan must include a Business Continuity strategy.

4. Security must be designed into the initial stages of Operating Platform development.

Thank You

Joshua Carlson

EMEA Cyber Security Consultant, [email protected], Invensys Cyber Security Services

6. Increase your system’s availability

Simplifying your life with RemoteWatch V4.0

Bert Haselager

Sept 2013

Agenda

1. What does it do?
2. How does it do that?
3. From Break\Fix to conditional Preventive Maintenance?
4. How does it work?
5. Where do I get it?

1) What does it do?

Slide 56

RemoteWatch V4.0 simplifies the lives of our Foxboro I/A Series & FCS customers by:

• Reducing Process System Downtime
• Enabling Proactive Maintenance
• Lowering Cost of Ownership
• Making maintaining a system easier and cheaper
• Facilitating lifecycle management

2) How does it do that? Remote access requirements for the DCS

Slide 57

[Diagram: RemoteWatch remote access overview. Recoverable labels: Service Lab Reports; Remote Display; Performance Monitoring; Remote Service; Office Domain and Process Domain joined by Ethernet; I/A Series / InFusion AW, AW, WP, WP on the Nodebus / Mesh Network; CP, CP; Remote APC.]

Customer and Invensys requirements

2) How does it do that? Reducing Process System down time

Slide 58

1. Resource data collection
2. Push & store data to RemoteWatch Server Apps
3. Share info with Invensys Center via secure connection
4. Report subscribers on Events & populate the Event log
5. Address Events & Remote Assist if required

2) How does it do that? Step 1: Resource data collection

Slide 59

Data Acquisition Software (DAS) collects information on the monitored system resources.

Examples of information collected:
• Station communication resources
• Station performance data
• FERRET data
• System configuration data
• OS Patch & AV data
• HW & SW revision data

2) How does it do that? Step 2: Push & Store data to RemoteWatch Server

Collected system resource data is pushed from the system to the RemoteWatch Site Server, where the received information is processed and stored locally for the LocalWatch App. The Site Server also prepares the set of information to be uploaded to the Invensys Service Center for reporting Events, extended reporting and populating the FERRET Installed Base supporting System Asset Viewer (SAV) usage.

[Diagram label: RemoteWatch Site Server]

2) How does it do that? Step 3: Share info with Invensys Service Center via the secure connection

Slide 61

The RemoteWatch Site Server uses an outbound secure tunnel to the Invensys Service Center to send heartbeats and push the collected information. The Service Center receives the heartbeats and the site-collected information in the Communication Server inbox residing in a DMZ.

[Diagram: Customer Site (Customer Network, RemoteWatch Site Server) → Internet → Invensys Service Center (DMZ, Communication Server)]

2) How does it do that? Step 4: Report subscribers on Events & populate the Event log

Information received is processed and Events are shared with:
• Users in the Invensys Service Center
• Customers and Service providers via the Invensys GCS Support web site
• The Customer Site Event log offers a log of all reported Events
• A mail subscription is available:
  • Immediate emails on Critical and Error level Events
  • A daily email report on the Events reported in the last 24 hours

[Diagram: Invensys Service Center (DMZ, Communication Server) → Event Log Site X → Invensys GCS Support Web Site → Customer & Service Provider]

2) How does it do that? Break\Fix to conditional Preventive maintenance

Slide 63

Received messages carry the SiteID, Severity, Timestamp and MSG Body. The MSG is forwarded to the RWS Service hosted by the GCS Web Farm. The RWS app monitors system resources (database, applications, network, devices); system resources in alarm are packed into an information message and mailed to the Home Office.

The RWS Service receives the messages and processes them based on Severity. They can be logged, sent to the CASE Mngmt RWS Queue, and used to inform the End User and its IOM Service Rep.

[Diagram: Internet → Invensys Service Center (DMZ: Communication Server; Application Server; Database Server; Virtual Service Engineer; GCS Web Farm) → Event Log Site X; CASE Mngmt; Local Invensys; Customer]
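Steps 3 and 4 above describe the message path: the Site Server sends heartbeats and pushes collected data over an outbound tunnel, the Communication Server in the DMZ receives records carrying SiteID, Severity, Timestamp and MSG Body, and the RWS Service processes them by Severity (immediate mail on Critical and Error events, a daily report over the last 24 hours, a per-site Event log). As an added example, not part of the presentation and not RemoteWatch code, the Python below models that routing and adds the check a service desk wants beside it: a site whose heartbeats have stopped arriving, which no event message will ever announce. The pipe-separated inbox format, the severity names, the one-hour silence threshold and the sample records are all constructed for this example.

```python
"""Severity-based routing of site messages plus a missing-heartbeat check.
Added example, not from the presentation. Constructed assumptions: inbox records are
'SITE-ID|SEVERITY|ISO-TIMESTAMP|BODY' (one per line); severities are Heartbeat, Info,
Warning, Error, Critical; a site counts as stale after one hour without a heartbeat."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

IMMEDIATE = {"Critical", "Error"}   # the page's step 4: immediate e-mail on these levels

# Constructed inbox content, as the DMZ Communication Server would hold it.
INBOX = """\
SITE-A|Heartbeat|2013-10-03T14:00:00|alive
SITE-B|Heartbeat|2013-10-03T14:00:00|alive
SITE-A|Warning|2013-10-03T14:05:00|AW0001: disk usage 85%
SITE-A|Critical|2013-10-03T14:07:00|CP0002: control processor failover
SITE-B|Error|2013-10-02T09:00:00|WP0003: AV signature older than 30 days
SITE-A|Heartbeat|2013-10-03T15:00:00|alive
"""


@dataclass
class Message:
    site_id: str
    severity: str
    timestamp: datetime
    body: str


@dataclass
class ServiceCenter:
    """State the RWS service keeps: per-site event log, last heartbeat seen, outbox."""
    event_log: Dict[str, List[Message]] = field(default_factory=lambda: defaultdict(list))
    last_heartbeat: Dict[str, datetime] = field(default_factory=dict)
    outbox: List[str] = field(default_factory=list)   # stand-in for the immediate e-mails


def parse_record(line: str) -> Message:
    site_id, severity, stamp, body = line.split("|", 3)
    return Message(site_id, severity, datetime.fromisoformat(stamp), body)


def process(center: ServiceCenter, msg: Message) -> None:
    """Route one message: heartbeats only update liveness; everything else is logged
    under its site, and Critical/Error additionally go to the outbox."""
    if msg.severity == "Heartbeat":
        seen = center.last_heartbeat.get(msg.site_id)
        if seen is None or msg.timestamp > seen:
            center.last_heartbeat[msg.site_id] = msg.timestamp
        return
    center.event_log[msg.site_id].append(msg)
    if msg.severity in IMMEDIATE:
        center.outbox.append(f"[{msg.severity}] {msg.site_id} {msg.timestamp.isoformat()} {msg.body}")


def run_inbox(text: str) -> ServiceCenter:
    center = ServiceCenter()
    for line in text.splitlines():
        if line.strip():
            process(center, parse_record(line))
    return center


def daily_report(center: ServiceCenter, site_id: str, now: datetime) -> Dict[str, int]:
    """Event counts by severity for one site over the last 24 hours (the daily e-mail)."""
    since = now - timedelta(hours=24)
    counts: Dict[str, int] = {}
    for m in center.event_log.get(site_id, []):
        if since <= m.timestamp <= now:
            counts[m.severity] = counts.get(m.severity, 0) + 1
    return counts


def stale_sites(center: ServiceCenter, now: datetime,
                max_silence: timedelta = timedelta(hours=1)) -> List[str]:
    """Sites whose last heartbeat is older than max_silence: the outbound tunnel or the
    Site Server itself has stopped reporting, so absence is the only signal available."""
    return sorted(s for s, t in center.last_heartbeat.items() if now - t > max_silence)


def summarize(text: str, now_iso: str) -> dict:
    """One-shot run over an inbox dump at a given wall-clock time."""
    now = datetime.fromisoformat(now_iso)
    center = run_inbox(text)
    return {
        "immediate": list(center.outbox),
        "stale": stale_sites(center, now),
        "reports": {s: daily_report(center, s, now) for s in sorted(center.event_log)},
    }


if __name__ == "__main__":
    for key, value in summarize(INBOX, "2013-10-03T15:30:00").items():
        print(key, value)
```

With the constructed inbox and a clock of 15:30 on 3 October, `summarize` returns two immediate notifications (SITE-A's Critical failover and SITE-B's Error), flags SITE-B as stale because its last heartbeat is 90 minutes old, and gives SITE-A a daily report of one Warning and one Critical while SITE-B's day-old Error falls outside the 24-hour window. The heartbeat check is the part worth keeping even if the rest is replaced: a silent site and a healthy site look identical in an event log.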

2) How does it do that? Step 5: Address Events & Provide Remote Assistance if Required

Slide 64

Events can be handled by the Customer maintenance team and/or the Invensys Service Provider or the Invensys Service Center. Customer maintenance teams and Invensys Service Providers address the reported events locally; if required, they can get remote assistance from the Invensys Service Center.

The combination of RemoteWatch monitoring resources and reporting resources that are becoming critical in time delivers Proactive Maintenance. It enables the Process System maintenance team and/or Invensys Service Provider, backed up by the Invensys Service Center, to reduce Process System down time due to unexpected events.

2) How does it do that? LocalWatch

Slide 65

Demo

2) How does it do that? Event Reporting via GCS Support Web

Slide 66

Demo: Invensys View / Customer View

2) How does it do that? Lowering Cost of Ownership – FERRET Integration

Slide 67

FERRET integration adds all FERRET functions and makes them available close to ‘real time’:
• For users on the RemoteWatch Site Server (VSE) via LocalWatch.
• For users using System Asset Viewer (SAV) through the FERRET updates to the Installed Base.

2) How does it do that? Lowering Cost of Ownership – FERRET Integration (continued)

FERRET DAS components, installed at the individual DCS hosts, are scheduled to collect FERRET information periodically. DCS hosts push the collected FERRET data to the RemoteWatch Site Server (VSE), where it is imported into the LocalWatch DB.

LocalWatch combines the individual FERRET data files for local presentation and creates a [SiteID].fer file that is uploaded to the Installed Base Repository (IBR) via the RemoteWatch Service Center.

Collected FERRET data is available via:
• LocalWatch on the RemoteWatch Site Server (VSE)
• Installed Base Repository reports
• System Asset Viewer (SAV)

[Diagram labels: Invensys DCS + DAS 4.0 → RemoteWatch Site Server (VSE) running LocalWatch with the LocalWatch DB (Local RWS Site) → Installed Base / Installed Base Reports → GCS Web → System Asset Viewer (SAV)]

2) How does it do that? Lowering Cost of Ownership – OS Patches, QF’s & AV

Slide 69

Provide OS Patch, I/A & FCS Software and Anti Virus (AV) protection status reporting and deployment

• Reporting of the installation status for OS Patches, Invensys QuickFixes and AV files
  • Phase 1 – for the RemoteWatch Site Server
    • Locally via LocalWatch
    • Remote via the GCS Support Web Site
  • Phase 2 – for the Monitored Process System
    • Locally via LocalWatch
    • Remote via the GCS Support Web Site

2) How does it do that? Lowering Cost of Ownership – OS Patches, QF’s & AV

Slide 70

Provide OS Patch, I/A & FCS Software and Anti Virus (AV) protection status reporting and deployment

• Deployment of approved OS Patches, Invensys QuickFixes and AV Dat files
  • Phase 1 – for the RemoteWatch Site Server
    • Deliver the approved OS Patches via WSUS and AV Dat files.
    • Install the Patches & Dat files unattended when possible.
  • Phase 2 – for the Monitored Process System
    • Deliver the approved OS Patches via WSUS and AV Dat files.
    • Manual installation required.


2) How does it do that? Lowering Cost of Ownership – OS Patches, QF’s & AV

Slide 72

Deployment Phase 1 (all the firewalls and other IT infrastructure are NOT shown in this picture)

[Diagram: Microsoft WSUS (source of master data) → Invensys Office Domain: Invensys WSUS Replica → RemoteWatch Secure Domain: WSUS RemoteWatch Service Center → Customer Site: RemoteWatch Site Server (VSE)]

The Invensys WSUS replica receives data from Microsoft on Windows products and the available patches. Invensys qualifies the patches, determines the deployment method and assigns each patch to its update group. Invensys WSUS deploys the qualified patches to the WSUS RemoteWatch Service Center and links them to the defined update membership groups. The WSUS RemoteWatch Service Center then deploys the patches and executes the configured install actions.

2) How does it do that? Lowering Cost of Ownership – OS Patches, QF’s & AV

Slide 73

Deployment Phase 2 (all the firewalls and other IT infrastructure are NOT shown in this picture)

[Diagram: Invensys Office Domain → RemoteWatch Secure Domain: WSUS RemoteWatch Service Center → Customer Site: WSUS RemoteWatch Site Server (VSE) → Process System]

The WSUS RemoteWatch Service Center deploys patches to the WSUS RemoteWatch Site Server (VSE); the patches are set to ‘perform install manual’. Operator action is required to deploy patches to the target Process System: because of the ‘perform install manual’ option, a patch ready for installation appears on the Customer Workstation under the Maintenance user login and requires a manual install.

Where do I get RemoteWatch 4.0?

Through Invensys’ Customer FIRST program. Contact the Services Sales or Services Manager in your region:

Americas: David Spencer
EURA: Peter Knott
MENA: Jigar Shah
APAC: Subhash Ray

Thank you! Any questions?

7. Cyber Security Standards

Guidelines

IEC 62443:

- ISA S99 / IEC-62443

- WIB / IEC-62443-2-4

ISO 27000-series

NERC 1300

Slide 77

Defense in Depth (layers, outermost first):
• Policies, Procedures, Awareness
• Physical
• Perimeter
• Internal Network
• Application
• Data

Guideline: ISA S99

ISA S99: Security for Industrial Automation and Control Systems – Establishing an IACS Security Program

Slide 78

Guideline: ISA S99.03.03

SAL 1: Casual or coincidental violation

SAL 2: Intentional Violation using simple means

SAL 3: Intentional Violation using sophisticated means

SAL 4: Intentional Violation using sophisticated means & extended resources

IEC 62443-3-3

Endorsed by WIB workgroup

Slide 79

Guideline: WIB – The International Instrument Users' Association

PCD: requirements for vendors

Participants:

Slide 80

Guideline: ISO 27k

Series: 27000 – 27043 + 27799

27000 – Intro

27001 – Information Security Management System

27004 – Information Security Management Measurement

27005 – Information Security Risk Management

27019 – Information security for Process Control in the Energy Industry

27032 – Cybersecurity: preservation of confidentiality, integrity and availability of information in the Cyberspace.

27033 – IT network security

Slide 81

Slide 82

[Diagram: Typical security architecture for Industrial Automation and Control Systems – holistic view; the same figure as on slide 28 (Enterprise Zone, DMZ, Manufacturing Zone and Cell/Area Zones with their listed components).]

8. Know your Defense in Depth

Cyber Security Offerings – Invensys Cyber Security Services

Solutions and their service elements:

Cyber Security Assessment
• System Assessment
• Site Assessment
• Compliance Assessment
• Vulnerability Assessment
• Wireless / wired network topology discovery

Security Architecture & Policy Development
• Baseline Security
• Network & systems design / engineering
• Security program development
• Back-up and disaster recovery
• Security program review

Cyber Security Implementation
• Network & System hardening
• Endpoint protection
• Information Security Training
• Network & system audits

Cyber Security Management & Optimization
• Incident / emergency response services
• Network and systems management
• Network and systems monitoring

Slide 84

9. Cyber Security Panel

Discuss Cyber Security!

1. Ir. Walter Belgers

2. Drs. Wim Verloop

3. Rein Visser

4. Joshua Carlson

5. Mark Bakker

Slide 86

10. Closure

More info

Slide 88

- www.iom.invensys.com

- www.ncsc.nl

- www.us-cert.gov
