Embed Size (px)
Citation preview
© Lockheed Martin
Evolving Security in Process Control4th Annual Cyber Security Summit – Energy & Utilities
Abu Dhabi
March 30, 2015
© Lockheed Martin
Not ‘If’ but ‘When’
“Your IT systems may have already been
compromised, attackers could already have
your new product plans, bidding positions or
research, they may already be running your
process control systems.”
Sir Iain Lobban, Director General, GCHQ, Sept 2012
“There are two kinds of companies. There are those who've been hacked, and those who don't know they've been hacked.”James Comey, Director, FBI
© Lockheed Martin
Cyber Attack Impacts Whole Value Chain
Business
Production
Control Systems
Customers
Security Incident
Impact
© Lockheed Martin
Growth in Targeted AttacksNight Dragon - 2011
Shamoon - 2012
Energetic Bear - 2012
NorwegianOil & Gas - 2014
German steel works - 2014
© Lockheed Martin
Just the Tip of the Iceberg
For every major incident that makes the news, many more smaller incidents go unreported
© Lockheed Martin
Rapidly Changing Threat Landscape
• New vulnerabilities• Readily available exploit kits• Hacktivists• State sponsored activities• BYOD• Mobile devices• Cloud access from anywhere• Growth in social media• Internet of Things• Advanced Persistent Threats (APT’s)
© Lockheed Martin
A173984
• Malicious Insider 37%
• Criminal Syndicates 26%
• Nation State Sponsored 19%
Top Threats
Intelligence Driven Cyber Defence, Ponemon Institute LLC, February 2015
© Lockheed Martin
• Lost Intellectual Property– Geoscience data
• Reputation Damage– Joint Ventures– Customers– Government
• Business Disruption– Lost production– Incident investigation
• Damage to Critical Infrastructure– HSE– Cost of repair
Top Impacts
Intelligence Driven Cyber Defence, Ponemon Institute LLC, February 2015
© Lockheed Martin
Internet Accessible Control Systems
241 locations>52,000 IP addresses
© Lockheed Martin
Prevention is ideal but detection is a mustHowever, detection without response has minimal value
© Lockheed Martin
Would you know if your system was compromised?
Average time from compromise to detection 14 months
© Lockheed Martin
The Need to Evolve
Engineering workstation
HMI
Manualshutdown
F&GESD
Shutdown signal
PIserver
Remote monitoring
PIserver
File serverAntivirus
serverPatchserver
Remote accessserver
Offline Malware Analysis
Privilege Access Management &
Session Recording
SIEM/ID server
“We have a firewall and anti-virus software. We’re safe.”
© Lockheed Martin
The Need to Evolve
Engineering workstation
HMI
Manualshutdown
F&GESD
Shutdown signal
PIserver
Remote monitoring
PIserver
File serverAntivirus
serverPatchserver
Remote accessserver
Offline Malware Analysis
Privilege Access Management &
Session Recording
SIEM/ID server
“We have a firewall and anti-virus software. We’re safe.”
NO! YOU ARE NOT SAFE
The insider is already the wrong side of your firewall – with your approval
© Lockheed Martin
Foundational Security Technologies
Basic Security
Compliant Security (Reactive)
Sustainable Security(Proactive)
Intelligence Driven Defense®
(Predictive)
Procedures and Documentation
Automation and Efficient IT/OT Process Integration
Cyber Intelligence integrated in Operations
Compliance driven (ISO27001), COTS products, “set it and forget it”
Add good security practices, use SIEM to monitor & respond to alerts
Integrate IT & OT security, use available intelligence
See what’s coming at you, anticipate, generate & share intelligence
80%
20%
Security Evolution
© Lockheed Martin
End Point Security Network Security
Reactive Looking inwards at vulnerability and managing impact to confidentiality, integrity and availability. This typically results in reactive actions after an intrusion has taken place. Address 80% Threat
Foundational Security
© Lockheed Martin
Intelligence Driven Defense®
Threat FocusedThis builds on foundational security. It looks outwards at the specific adversaries attacking your enterprise and intimately understanding/analysing their tactics, techniques and procedures. This allows you to proactively take a defensive course of action.
Proactively address 20% and 80% Threat
© Lockheed Martin
Campaign analysis is used to determine the patterns and behaviours of the intruders
LM Cyber Kill Chain® Campaign Heat Map
• Group intrusions together into “Campaigns”• Prioritize and measure against each campaign
Understand the Threat Landscape
© Lockheed Martin
• Basic security measures essential– Reduce attack surface– Maintain signatures, patches, firewalls, etc.
• People– End users are part of your defences
– train & test them– Your adversaries are people. You need
people who understand their tactics, techniques & procedures (TTP) – train & test them
• Governance– Management focus on security– Ensure response capability is in place (you
will need it) – train & test them
– Measure success
Critical Success Factors
© Lockheed Martin
Remember…
Security is a journey, not a destination
© Lockheed Martin
© Lockheed Martin
Thank you
Andrew Wadsworth, GICSP
Head of Process Control Security
Lockheed [email protected]
Johnstone House
52-54 Rose Street
Aberdeen
AB10 1UD
United Kingdom
Office +44 1224 611040
Mobile +44 7914 356962
Scott Keenon
Business Development Manager
Lockheed [email protected]
Johnstone House
52-54 Rose Street
Aberdeen
AB10 1UD
United Kingdom
Office +44 1224 611052
Mobile +44 7968 793353
