Plant Cyber Security - Forensic IT Cyber Security.pdf§ Encryption. Confidential Data ... minimum and tightly controlled is a necessity. § Unauthorized access to a production network

Confidential DataDrivenSolutions

PlantCyberSecurityTheRiseofSecurityAnalytics


01110010011011110110111101110100001000000110001101100001011101010111001101100101Purposeofpresentation

§ Inanutshell,wearegoingtochallengeyoutorethinkyourplantcybersecuritystrategyandmakeadjustmentstoprotectyourplantagainstfutureattacks.

§ Wewillgiveyouideastosecureyourplant—andfeelthatitissecure.

§ Wewillstresstoyouthevalueofdetectingandactingonintrusionsinsteadofpreventingthem.

§ Andyes,wewillchallengeyoutoremovevirusprotectionsoftwareandmalwareprotectionsoftwarefromyourplantcomputers.


US

ISO 27001ISO 27002

SOX PCI

FIREWALL ACL

All employees, vendors, contractors, supplementary staff, past and present workers.

IT Manager, Director, CIO

THEM

ESPIONAGESABOTAGE

HACK DDOS

Anonymous persons, foreign government sponsored employees and…

Hacker, Cyber Terrorist

Usvs.ThemFRAUD THEFT

…all employees, vendors, contractors, supplementary staff, past and present workers.


01110010011011110110111101110100001000000110001101100001011101010111001101100101PresentationFlow

§ Firstwearegoingtogetourbearingswithsomedefinitionsanddiscusstheprosandconsoftypicalplantcybersecuritypractices.

§ Nextwewilldiscusswhythesemethodsarealwaysbehindthecurveandinfactprovideafalsesenseofsecurity.§ Don’tyouthinkthateverytimeyouhearaboutabreachinthenewsthatthecompanyaffectedmostlikelyhadsecuritymeasuresinplace?

§ Don’tyouthinkthattheirsecuritymeasuresareprobablysimilartoyours?§ Don’tyouthinktheyfelttheywereprepared?

§ Compliant?


01110010011011110110111101110100001000000110001101100001011101010111001101100101Whatisplantcybersecurity?

Ingeneral,regardlessofindustry,thebasicdefinitionofplantcybersecurityis:

“Toprotectcriticaldigitalassetsandtheinformationtheycontainfromsabotageormalicioususe.”

Wearegoingtobreakthisdownintoitsbasicparts.


SABOTAGEDIGITAL ASSETS MALICIOUS USE

• Steal Industrial secrets

• Disrupt competitor

• Computers

• Network Devices

• Media

• Identify theft

• Fraud

• Extortion

PartsofPlantCyberSecurity


01110010011011110110111101110100001000000110001101100001011101010111001101100101Whataredigitalassets?

§ Digitalassetsincludeandnotlimitedto:§ Computers

§ Anycomputer,controlroomconsole,laptop,server,hand-heldorportabledevice,personalcomputer,vendorcomputer,engineeringstation,oranyothercomputingdevicethatcanaccessyourcontrolsystemnetwork.

§ NetworkDevices§ Anyrouter,switch,hub,ornetworkanalysisdevicethatcanaccessyourcontrolsystemnetwork.

§ StorageDevices§ Anydisk,floppy,DVD,CD,USB,internalorexternalharddrive,flashdrive,opticaldrive,orotherstoragedevicethatcanaccessyourcontrolsystemnetwork.


01110010011011110110111101110100001000000110001101100001011101010111001101100101WhatisSabotage?

§ Sabotagehasafewdifferentforms:§ Deliberateactionaimedatweakeningacorporationthroughsubversion,disruption,ordestruction.

§ Stealingofcommercialsecretsthathaverealcommercialvalue.§ Consciouswithdrawalofefficiencytocausesomechangeintheworkplace.


01110010011011110110111101110100001000000110001101100001011101010111001101100101WhatisMaliciousUse?

§ Themostcommontypesofmalicioususeofcyberdataareidentifytheftandfraud.§ Theseprimarilyareassociatedwithpersonalaccounts,retailwebsites,andbackofficesystems.

§ Withamanufacturer,whataretypesofmalicioususe?§ Makingpubliccorporatesecrets,recipes,formulas,manufacturingmethodologies.

§ Exposingcorporatefraudorwrongdoing;flawsinhiringandfiringpractices,forexample.

§ Poormediaexposure.


01110010011011110110111101110100001000000110001101100001011101010111001101100101TypicalMethodsofProtection

§ Separationofbusinesssystemsandmanufacturingsystems.§ Firewallstokeepintrudersout§ Networkisolation§ AccessControlLists(ACLs)§ Anti-Virus,spyware,andmalwaresoftwareprotection§ CompliancetosecuritystandardsforITandManufacturing§ Passwordmanagement§ Encryption


01110010011011110110111101110100001000000110001101100001011101010111001101100101SeparationofBusinessandManufacturing

§ Althoughthereisalmostalwaysalinkbetweenabusinessnetworkandamanufacturingnetwork,keepingthisataminimumandtightlycontrolledisanecessity.§ Unauthorizedaccesstoaproductionnetworkdoesnotmeanthatbusinesssystemsareabletobereached.

§ Conversely,unauthorizedaccesstoabusinesssystemdoesnotmeanthattheproductionsystem,engineeringstations,etc.,areabletobereached.


01110010011011110110111101110100001000000110001101100001011101010111001101100101Firewalls

§ Afirewallisahardwareorsoftwareappliancethatusesrulestoallow/denynetworktrafficbasedonaddress,protocol,port,orapplication.§ AllowTCPport135,443,etc.§ DenyHTTPport80§ DenyFacebook,YouTube,etc.(requiresupdatedNext-Genfirewalls)§ Allow*.Oracle.com,*.Microsft.com§ Deny*.somebadsite.com


01110010011011110110111101110100001000000110001101100001011101010111001101100101NetworkIsolation

§ Limittrafficthroughrouterandswitchconfigurationstoensureunwantedtrafficcannotaccessspecificnetworks.

§ Ensurethatawirelessconnectioncannotaccesscertainsystemsthatawiredconnectioncan.

§ Disableinterfacesthatlinknetworkstogetherthatarenotusedonaroutinebasis.


01110010011011110110111101110100001000000110001101100001011101010111001101100101AccessControlLists

§ Usinggroups,roles,andindividualpermissions,filesanddatacanbeprotected.

§ MostACLsuseandAllow/Denypolicythatcanacceptanobjecttype(group,role,account)tomanagepermissions.


01110010011011110110111101110100001000000110001101100001011101010111001101100101Anti-Virus,Spyware,andMalwareSoftware

§ Thesepackagesrunonindividualsystemsanduseaknowndatabasetoexamineexecutablesandexecutionsignaturesagainstknownthreats,viruses,spyware,ormalware.

§ Manyofferreal-timeprotectioninwhichtheyareconstantlyanalyzingsignatures,anddoingwhatisreferredtoasaheuristiccheckingtolookforknownbadbehavior(i.e.,portscanning,emailblasts,passwordcracking,etc.


01110010011011110110111101110100001000000110001101100001011101010111001101100101CompliancetoSecurityStandards


01110010011011110110111101110100001000000110001101100001011101010111001101100101PasswordManagement

§ Passwordmanagementincludes:§ Whohasaccessandtowhat?§ Passwordexpiration§ Passwordcomplexityrules§ Keywordrules§ Cleartextorsecuretransmission.§ Storage


01110010011011110110111101110100001000000110001101100001011101010111001101100101Encryption

§ Encryptioncanbeatnumerouslevels:§ Securitycommunicationprotocolswhenaccessingentitiesoutsideyourplant(httpsvshttp,forexample)

§ Passwords§ Applicationspassingsecuretokensvs.cleartextpasswords§ Filesystems,directories,files§ Code


01110010011011110110111101110100001000000110001101100001011101010111001101100101AtypicalMethodsofCyberProtection

§ EnhancedPasswordManagement§ Theabilitytolistalluserswithaccesstospecificdigitalassets.

§ Whohastheenablepasswordtotherouter?§ Whichusershavebeengivenrootlevelaccess?

§ Passwordcomplexity§ Aggressivepasswordaging§ Completeaccessmaps(VPNàFirewallàNetworkDevicesàServersàApplications)

§ Medialockdown(USB,etc.)


01110010011011110110111101110100001000000110001101100001011101010111001101100101DoTheseMethodsWork?

§ AskGoogle– hackedseveraltimesincluding5milliongmail accounts§ AskYahoo– 2013over1billionaccounts,2014over500millionaccounts§ AskE-bay– 2014over148millionaccounts§ AskSpotify– 2016,Spotifydeniesbutusersconfirmcredentialsonline§ AskTarget– 2013over40millioncreditcardscompromised§ AskSchnucks– 2013over2.4millioncreditcardscompromised§ AskIran- 2007Stuxnet attackedtheirnuclearfuelprogram§ AskDebbieWassermanSchultzandtheDNC!§ AccordingtoIBM’s2016CyberSecurityIntelligencereport,therewasariseof66%inthe

numberofmanufacturingcybersecurityincidentswitha30%chunkofthosebeingdirectedattheautomotiveindustry.

So,dothesemethodswork? YesandNo.


01110010011011110110111101110100001000000110001101100001011101010111001101100101ExcerptsfromMcAfeeArticleJune2014

§ …IntheUS,forexample,thegovernmentnotified3,000companiesin2013thattheyhadbeenhacked…

§ …TwobanksinthePersianGulflost$45millioninafewhours…§ …ABritishcompanyreportedthatitlost$1.3billionfromasingleattack…

§ …Brazilianbankssaytheircustomerslosemillionsannuallytocyberfraud…

§ …India’sCERTreportedthat308,371websiteswerehackedbetween2011andJune2013…

https://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf


01110010011011110110111101110100001000000110001101100001011101010111001101100101ArticleContinued

Mostcybercrimeincidentsgounreported.

Fewcompaniescomeforwardwithinformationonlosses.

WhenGooglewashackedin2010,another34Fortune500companies insectorsasdiverseasinformationtechnologyandchemicalsalsolostintellectualproperty.SomeoftheinformationontheincidentonlycametolightfromdocumentsmadepublicbyWikiLeaks.OnlyoneothercompanyreportedthatithadbeenhackedalongwithGoogle,anditsuppliednodetailsontheeffect.



01110010011011110110111101110100001000000110001101100001011101010111001101100101ArticleContinued

Similarly,whenamajorUSbanklostseveralmilliondollarsinacyberincidentitpubliclydeniedanyloss,evenwhenlawenforcementandintelligenceofficialsconfirmeditinprivate.Fewofthebiggestcybercriminalshavebeencaughtor,inmanycases,evenidentified.



01110010011011110110111101110100001000000110001101100001011101010111001101100101ForbesArticleJanuary2016

§ 'Crimewave'isanunderstatementwhenyouconsiderthecoststhatbusinessesaresufferingasaresultofcybercrime.'Epidemic'ismorelikeit.IBMCorp.'sChairman,CEOandPresident,Ginni Rometty,recentlysaidthatcybercrimemaybethegreatestthreattoeverycompany intheworld.

§ Threeyearsago,theThe WallStreetJournalestimatedthatthecostofcybercrimeintheU.S.wasapproximately$100billion.Theestimatedisputedotherreportswhichpeggedthenumbersbyasmuchastentimeshigher.

§ In2015,theBritishinsurancecompanyLloyd’sestimatedthatcyberattackscostbusinessesasmuchas$400billionayear,whichincludesdirectdamagepluspost-attackdisruptiontothenormalcourseofbusiness.Somevendorandmediaforecastsoverthepastyearputthecybercrimefigureashighas$500billionandmore.

https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#1a127b6b3a91


01110010011011110110111101110100001000000110001101100001011101010111001101100101ForbesArticleJanuary2016(cont.)

§ From2013to2015thecybercrimecostsquadrupled,anditlooksliketherewillbeanotherquadruplingfrom2015to2019. Juniperresearchrecentlypredictedthattherapiddigitizationofconsumers’livesandenterpriserecordswillincreasethecostofdatabreachesto$2.1trilliongloballyby2019,increasingtoalmostfourtimestheestimatedcostofbreachesin2015.

§ TheWorldEconomicForum(WEF)saysasignificantportionofcybercrimegoesundetected,particularlyindustrialespionagewhereaccesstoconfidentialdocumentsanddataisdifficulttospot.Thosecrimeswouldarguablymovetheneedleonthecybercrimenumbersmuchhigher.

§ Largebanks,retailers,andfederalagenciesmaketheheadlineswhentheyarehacked - butallbusinessesareatrisk.AccordingtoMicrosoft,20%ofsmalltomidsizedbusinesseshavebeencybercrimetargets

https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#1a127b6b3a91


2015 – 400 BILLION2013 – 100 BILLION 2019 – 2.1 TRILLION ESTIMATED

Thisisstaggering

LookAtTheNumbersFromPreviousSlide:• TheWorldEconomicForum(WEF)saysasignificantportion

ofcybercrimegoesundetected,particularlyindustrialespionagewhereaccesstoconfidentialdocumentsanddataisdifficult tospot.Thosecrimeswouldarguablymovetheneedleonthecybercrimenumbersmuchhigher.

• Largebanks,retailers,andfederalagenciesmaketheheadlineswhentheyarehacked - butallbusinessesareatrisk.According toMicrosoft, 20%ofsmalltomidsizedbusinesseshavebeencybercrimetargets


01110010011011110110111101110100001000000110001101100001011101010111001101100101Re-asktheQuestion:Dotheywork?

§ Earlierwesaidyesandno.§ Yes theystopsomeattacks,but,No,thereisnoguaranteewithanysystemtoavoidallcybercrime.

§ Fromthenumbersitisclearthateventhoughwehavefirewalls,compliance,anti-virussoftware,andhaveadequatelyanalyzedourrisks—theattacksstillsucceed.§ Thisispartlyduetothenatureofthepreventionsoftware.


01110010011011110110111101110100001000000110001101100001011101010111001101100101Whyisitsuchastaggeringrise?

§ Thereareseveralreasons:§ Moreandmorebusinesseshaveonlinepresences.§ Withinbusinesses,thedesiretoconnectthebusinesstothemanufacturingforschedulingsystems,analytics,costsofproduction,meanthatmoreandmoredevicesandsystemsareinterconnected.

§ Socialinteractionandphishing§ Uninformedemployees§ Poormanagementofresourcesanddigitalassets§ Blacklistingvs.Whitelisting


CasablancaNew York

Sydney

HQ Tokyo

Stockholm

InterconnectionandDataSharing


Cross-PlatformThe idea of data everywhere and data on any device is great conceptually, however, it is a nightmare for the security analyst.

WindowsOS AppleOSAndroid OS

Apple

Android

MultiplePlatforms,MultipleCodeStreams


We are so interconnected today that just a whiff of news is instantaneously spread around the globe.

Imagine unfounded rumors and brand damage. “I heard there was a massive data breach at Acme, Inc.” Whether true or not is irrelevant. If you were going to purchase from Acme, Inc. you are now thinking twice.

SocialInteraction


01110010011011110110111101110100001000000110001101100001011101010111001101100101Phishing

§ ABingsearchofphishingshowsthefollowingdefinition:Phishingistheattempttoacquiresensitiveinformationsuchasusernames,passwords,andcreditcarddetails(andsometimes,indirectly,money),oftenformaliciousreasons,bymasqueradingasatrustworthyentityinanelectroniccommunication.Thewordisaneologismcreatedasahomophoneoffishingduetothesimilarityofusingabaitinanattempttocatchavictim.

§ Sometimesitissubtle:§ “Iamdoingasurveyforapaper,whichaccountingsystemdoyouuse?A,B,orC?

§ “DoyouuseSiemensorRockwelltocontrolyour…?”


01110010011011110110111101110100001000000110001101100001011101010111001101100101UninformedEmployees

§ HowmanyofyouremployeeswouldpickupaUSBdrivenexttotheircarandplugitintotheirworkcomputer?§ Usingbooby-trappedUSBflashdrivesisaclassichackertechnique.Buthoweffectiveisitreally?§ AgroupofresearchersattheUniversityofIllinoisdecidedtofindout,dropping297USBsticksontheschool'sUrbana-Champaigncampuslastyear.

§ Asitturnsout,itreallyworks.§ Inanewstudy,theresearchersestimatethatatleast48percentofpeoplewillpickuparandomUSBstick,plugitintotheircomputers,andopenfilescontainedinthem.Moreover,practicallyallofthedrives(98percent)werepickedupormovedfromtheiroriginaldroplocation.


01110010011011110110111101110100001000000110001101100001011101010111001101100101PoorManagementofDigitalAssets

§ Whenwasthelasttimeyouhavehadapenetrationtestdonetoyourplant?§ Doyoureallyfeelyouhaveagraspofwhichusershaveaccesstowhat?Notjust

employees,butcontractorresources.§ Useraccountpasswordsarechangedregularlybutwhataboutsystem

passwords,router-enablepasswords,networkswitchpasswords,databasepasswords,ftppasswords?Thesearerarelychangedonaregularbasis.

§ Doyouchangeallpasswordswhensomeoneleaves?§ Doyounotifyallemployeesthatauserisnolongeremployed?§ Howoftendoyoupatchyoursystemsandupdatevirusdefinitions?Bestcaseis

usuallyevery30days.§ Doyoudocompliancetestingandquicklyfollow-upondeficientitems?


01110010011011110110111101110100001000000110001101100001011101010111001101100101Blacklistingvs.Whitelisting

§ Blacklistingsoftwareisthetypicalwaymostanti-virus,spyware,andmalwaresoftwarework—theyscanfor“known”offenders.Somelookforbadbehavior,however,thebestcaseislookingforalreadyknownsignatures.

§ Whitelistingsoftwareistotalcontroloverwhatsoftwareandexecutablesareallowedtorunonasystem.Ahackercan’tjustexecutesoftwaresinceitishaltedbeforeitisexecuted.

BlacklistingisOK,butWhitelistingistheonlywaytogoforproductionmanufacturingsystems.


01110010011011110110111101110100001000000110001101100001011101010111001101100101WouldYouBlacklistAccesstoYourHome?

§ Inotherwords,aspeopleentered,youwouldrunabackgroundchecklookingforcriminalactivityorotherbadactivity.Youmightalsoimplementsomeheuristicmethodsandkicksomeoneoutwhowasrummagingthroughyourdeskdrawer.§ No,youwouldnotdothis.

§ Youwhitelist accesstoyourhome.Youhaveabsoluteauthoritytocontrolwhocomesinandwhoisallowedtostay.Thereisnounauthorizedaccess.

§ Intheeventofanintrusion,youdon’tsitbyandwaitforananti-virusupdate(i.e.,thepolice).No,youpickupabatorotherweaponanddefendyourhome.


01110010011011110110111101110100001000000110001101100001011101010111001101100101

Anti-Virus,Spyware,andMalwareUnderAttackWegettheseemailsallthetimefromnotableanti-viruscompanies:

Symantechasrecentlybecomeawareofamediumvulnerability inolderversionsoftheserveragent.Thelatestversionaddressesthisvulnerability innewinstallationsandwasreleasedFebruary15th,2017.Serveragentsthatarenotalreadyupgradedwillbeidentified intheSEPSBEcloudmanagementconsolestartingonMarch8th.Amanualupgradewillberequiredtoensureyouhavethelatestprotection.

YoucantakeimmediateactiontomanuallyupdatetothelatestversionoftheserveragentfortheSymantecEndpointProtectionSmallBusinessEdition.Formoreinformation pleasesee:https://support.symantec.com/en_US/article.HOWTO124395.html

Ifyoudonottakeaction,wewillbereleasingaLiveUpdate forserveragentsbeginning inApril.AnothernoticewillbesentclosertotheLUdate.

Moreinformation aboutthisvulnerabilitycanbefoundhere:https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170306_00

Note:ExistingredistributablepackageswillbedeprecatedonMarch8thandyouwillneedtogeneratenewones.

TheSymantecCustomerCommunications Team


01110010011011110110111101110100001000000110001101100001011101010111001101100101ArticlefromMicrosoft

§ AnarticlefromtheMicrosoftSecurityTeamsaysthat“…industryreportsshowadvancedcyber-attackscangoundetectedforapproximately…

200days…”.

§ Itishardtofathom,for6.5months,acybercriminalmightbelurkingwithinyoursystems,extractingdata,stealingsecrets,etc.,allwhileyoufeelyoursystemsareprotectedbecauseyouhavedoneeverythingright.

https://info.microsoft.com/rs/157-GQE-382/images/EN-MSFT-SCRTY-CNTNT-Intelligent%20Security%20e-book%20-%20Lockheed%20Martin.pdfht.


01110010011011110110111101110100001000000110001101100001011101010111001101100101Whatdoes200dayslooklike?

InfectedToday

60daymark…virushasbeenrunning,gatheringdata,capturingpasswords,andtransmittingdata…for60days!

According toMicrosoftSecurityExperts,thisistypicallythefirsttimeyouranti-virussoftwarewilldetect,notify,andprotectagainstthevirus.Thisistheendofthe200daywindow.


01110010011011110110111101110100001000000110001101100001011101010111001101100101SoundsLikeYouHaveNoControl

Quitethecontrary.Youalwayshavecontrolifyoujusttakeit.

Wewillpresentyouwithtwodifferentoptions.§ Option1 - Staythecourseandbepartofthe2.1Trillionincybercrimestatisticsthatarepredictedby2019.

§ Option2 – Takecontrolofyourproductionsystemsandlockthemdowntotally,startusingsecurityanalyticstobeproactiveinsteadofreactive…andyes,removeyouranti-virus,spyware,andmalwaresoftwareafteryouimplementwhitelistsoftwareandChangeManagement.


BeRealistic– Thissituationisnotyours


Hollywood’sHacker– ProbablyNotYourHackerEither


01110010011011110110111101110100001000000110001101100001011101010111001101100101ADoseofReality

§ Partofanycybersecuritystrategyhastoinvolveacomprehensiveriskassessment.§ Althoughweareallproudofourproductsandbusinesses,let’sexaminetherisk.§ Ifyoumaketwisty-tiesforbread,youareprobablyatamuchlowerlevelofriskthanafinancialinstitutionorlargeretailer,butifyoumakemilitarygradechemicalsyouareatahigherrisk.

§ HPorIBMbothprovidenetworkmanagementservicestootherorganizations;theyareatahigherriskthanyouraveragelocalITorganizationthatdoesthesamething.


01110010011011110110111101110100001000000110001101100001011101010111001101100101…ButEveryoneisAtRisk

AtForensicIT,onourfirstdayinanewoffice,auserpluggedinaservertotheinternetconnectiontofinishconfiguringitremotely(note:thefirewallwasdelayedbutuserwantedtoconfiguresoftware).Within12hourstheAdministratorpasswordwashacked.WedetermineditwasanautomatedhackfromChina.Asimplefixistoinstallthefirewallandconfiguresecurityappropriately,butstill…alittlescary.Therewerenogoodstoobtain,itwasjustaBOT/scriptrunningandtryingtoplantseedsforlater.Luckilywehadtheskillstofixandremovealltraces.


Change Management and total system access control.

Implement Whitelist software (parallel or replace). Implement mechanisms to gather and use Security Analytics.

Consult security professionals, hire a person, or firm. Take it seriously. Get PEN Tested. Keep deadlines.

Document all systems, security mechanisms, backup schemes, disaster recover plans, etc.

Assess your risk. Identify all vulnerabilities.Start

Step3

Step1

Step2

Step4

RoadmaptoCyberSecurityFinish


01110010011011110110111101110100001000000110001101100001011101010111001101100101RoadmapStep1- AssessYourRisk

§ Noteveryorganizationisatriskfromdirectattack.§ Understandingriskiskeytohowtobuildyourroadmaptocybersecuritysuccess.

§ Mostareatriskforindirectattacks,BOTS,script-kiddies,etc.§ Example:CryptoLocker isanastyvirusthatmanycompaniesgotcaughtbyduringthat200-daywindowfromMicrosoftandwereforcedtopaytohavetheirfilesunlocked.

§ Haveseriousdiscussionswithyourkeystakeholdersandtryandidentifyrisks.Putyourselfinahacker’sshoes.Whatdotheythink?


Compromise individuals, look at contractors systems

Penetration attempts, port scanning, password cracking

Social engineering, phishing

Embed scripts and other programs to do reconnaissance

Look at new flaws in firewalls, systems, and anti-virus/spyware software.

Whatdoesahackerthink?


86%

60%

90%

55%

80%

70%

65%

96%

Leave no stone unturned in your systems analysis. Hackers, BOTs, and script kiddies won’t.

Backups

DisasterPlans

PasswordsIdentified

ContractorAccess

RoadmapStep2- EvaluateYourSystems

Anti-virusUpdates

SystemPatches

FirmwareVersions

Hardware/SoftwareInventory


01110010011011110110111101110100001000000110001101100001011101010111001101100101SecureYourPasswords§ Therearemanyprogramstohelpyoucreateverysecurepasswords.

§ WeuseKeePasswhichallowsyoutorevealthepasswordorcut/paste.ItgetsridofsimplepasswordslikePassword!


01110010011011110110111101110100001000000110001101100001011101010111001101100101RoadmapStep3– PENTesting

§ Step3– PENTesting§ Oneofthebestinitialstepsistohaveaqualifiedorganizationdoproactivewhitehathackinginwhichthegoodguysanalyzeyoursystemsandtrytofindholesinyoursecurityplan.

§ Therearethreestepstothis:§ 3.1Testprep.Inthisstep,doyourbesttofindandfixwhatyoucan.§ 3.2ContractaPENTestingcompanyandexecuteadetailedSOW.§ 3.3Worktofixanyvulnerabilitiesuncovered.


NOVEMBER

30In a few weeks you should be able to understand how at risk you are and what gapping holes exist.

3.1 PEN Testing PrepSet realistic but aggressive goals for this. Just think, a script-kiddie might be on your system “right now” doing this.

3.2 PEN Testing

DECEMBER

15With your consultants, create an aggressive strategy to fix what is broken.

3.3 Remediation

JANUARY

21

PlanYourWorkandWorkYourPlan


01110010011011110110111101110100001000000110001101100001011101010111001101100101

RoadmapStep4– WhitelistSoftwareandChangeManagement

§ Step4iscrucialtoyoursuccess.§ 4.1InstallWhitelistsoftwareapplication

§ Rememberourdiscussiononwhitelistsoftware?Onyourproductionsystemthatiscommissioned,unchanging,justrunningandmakingyourwidgets,yoursecurityteamcanmapout:§ Everyexecutablethatruns(DLLs,OCXs,COMComponents)§ Everynetworkprotocol,address,andportinuse§ Everynetwork-awareapplicationandwhoittalksto(system,address,protocol,port,targetapplication)

§ Everyuseraccount


01110010011011110110111101110100001000000110001101100001011101010111001101100101

RoadmapStep4– WhitelistSoftwareandChangeManagement(cont.)

§ InblacklistsoftwarelikeNortonorMcAfee,applicationsareabletorunandyour200-daywindowtocatchmostattacksisineffect.Willyouranti-virusreallycatchit?

§ Ifyouinstallwhitelistsoftware,firstofall,allaccessaccountswillbedisabled.Thehacker/BOT/script-kiddiewillnotevenfindanythingforAdmintotryandhack.§ Thisisalsoimpossiblebecausetheremoteaccessportsaredisabled!§ Fornovelty,assumetheygetpastthisandtheytrytokickoffascript/program;theywouldhavetodecryptthewhitelistdatabasepasswordwhichwouldinevitableinvolvetryingtoloadmoresoftware.

Everythingisshutdown.


01110010011011110110111101110100001000000110001101100001011101010111001101100101

RoadmapStep4– WhitelistSoftwareandChangeManagement(cont.)

§ 4.2ImplementChangeManagementSoftware.§ WithChange-Managementawarewhitelistsoftware,nothingcanbedone,altered,adjusted,unlessanApprovedCMR(ChangeManagementRequest)iscompleted.

§ Thisistotalaccesscontrol.§ Thisistotalprotection.§ Itdoesnotmatterwhenorifyouranti-virussoftwaregetsupdated,andinfact,afteraparallelinstallationforseveralmonths,wewouldencourageyoutofirstdisable,andeventuallydeleteyourblacklistsoftware.§ Whytaxyourproductionwithsoftwarethatconsumesresourcesbutdoesn’treallydoitsjob?

§ Thisistruecyber“security”.


01110010011011110110111101110100001000000110001101100001011101010111001101100101SoundsTooGoodToBeTrue

§ Whatarethedrawbacks,thissoundstoogoodtobetrue?§ Remember,wesaidyouarenever100%.PartofyourSecurityAnalyticsdataistobearminarmwithyourwhitelistsoftwarevendor.Theirsoftwarewillbeunderconstantattack.Evenso,thelayersofaccess(ports,accounts,whitelistapplications,etc.)makeitverydifficulttocompromise.

§ InternaldisgruntledemployeescansabotageyoursystemiftheyareontheACLandcangetyourqualifiedmanagerstoapproveCMRs.

§ Educationiskeyhere.BlindCMRapprovalsareano-noandhavingbackupsanddisasterrecoveryplansinplacearecrucialtothisinternalattack.


01110010011011110110111101110100001000000110001101100001011101010111001101100101StillSoundsTooGoodToBeTrue

§ Oneotherdrawbackisthespeedofaccess.IttakestimetoapproveCMRs,ittakestimetodealwiththewhitelistsoftware.§ IfIhaveanemergencyandhavetodealwithoverridingCMRsitwillhurtmyproduction!§ Wewillconcedethatthismaybetrue,butwiththeuseofmobiledevicesandeasyCMRapprovalsthisisanacceptabledelay—wearetalkingminutes,nothours.


HowdoIstart?


Analyzes Risk

Researches Threats

Keeps you compliant

MonitorsSystems ManagementNot Distracted

• A security expert is a specialized person in the field of cyber security.

• How many of you have your system engineer or similar try doing their normal job…and…doing tasks for cyber security?

• They are up to date on breaches, constantly analyzing your systems, and are building a database of your business’ security analytics (users, systems, ACLS, protocols, ports, software, outside connections, etc.).

HireAnExpertPerson/Firm


RUSSIA

CHINA

AUSTRALIA

EGYPT

FRANCEUSA

BRAZIL

A breach hits the news and it affects WonderWare software. Your security professional can immediately put monitoring into place to assess risk in offices or plants that have the effected software.

ProactiveResponse


Onefocusedsecurityexpertiseasilyworththeirweightingold.

InvestInSecurityExpertorFirm


Whataretheballparkcosts?


50people$60k

Estimate 60k for a 50 person factory and roughly 90% of that for every 50 persons. This is of course dependent on the number of systems, types of platforms, etc.

150people$162k

300people$324k

500people$540k

ExpectCyberSecurityCoststoRisewithFactorySize


01110010011011110110111101110100001000000110001101100001011101010111001101100101Summary

§ Thereisalwaysrisk.§ Balancingriskwithproductionneedscanbedifficulttomapout,however,youreffortswillnotbewasted.Itisnotdifficult,justdetailed.

§ Hackersareaheadofblacklistsoftwarevendorsandyoujustcannotaffordtobeunprotected.§ Thestatisticsandresearchareundeniable.JustaskGoogle…Yahoo…

§ ImplementingChangeManagementandawhitelistsoftwaremethodologycanprovideacybersecuritymodelthatdoesnotwaittoreact—itisaproactiveprotectionmethodologythatwillkeepyourproductionsecure.

Documents

Plant Cyber Security - Forensic IT Cyber Security.pdf§ Encryption. Confidential Data ... minimum and tightly controlled is a necessity. § Unauthorized access to a production network