GEN-14 Cyber Security Solutions for Less Regulated Industries

Transcription

1 Slide 1

2 GEN-14 Cyber Security Solutions for Less Regulated Industries Douglas Clifton Tim Johnson Michael Martinez #SoftwareRevolution Invensys. All Rights Reserved. The names, logos, and taglines identifying the products and services of Invensys are proprietary marks of Invensys or its subsidiaries. All third party trademarks and service marks are the proprietary marks of their respective owners.

3 Agenda 1. Cyber Security Compliance 2. Technology 3. Invensys Critical Infrastructure & Security Practice (CISP) Slide 3

4 Cyber Security Compliance Michael Martinez 2013 Invensys. All Rights Reserved. The names, logos, and taglines identifying the products and services of Invensys are proprietary marks of Invensys or its subsidiaries. All third party trademarks and service marks are the proprietary marks of their respective owners.

5 What is Cyber Security? Slide 5

6 Cyber Security Compliance Why do it? Increase safety Protect intellectual property Reduce down time Industry or internal policy It could be the law How to do it? Leverage product security features Augment with cyber security knowledge and solutions Repeat Slide 6

7 It s all about compliance Customer requirements built on customer expectations Customer compliance Regulatory requirements Cyber security solutions Product security standards Development Slide 7

8 Product v. Client Compliance Invensys fills the GAP between product offering and client compliance needs. Invensys Product Development Concerns Customer Concerns ISASecure NEI Achilles ISA 99 WIB NIST SP MS SDL ISO/IEC Etc. 6 CFR 27 (CFATS) NERC CIP ANSI/AWWA G CFR 195 API 1164 Slide 8

9 February 12, 2013 Executive Order Improving Critical Infrastructure Cyber Security Sec 6. Consultative Process calls for DHS to work with existing Sector Coordinating Councils (SCC) or the transportation sector in the case of pipelines Sec 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure Call for NIST to establish a Cybersecurity Framework within approx 1 year of order (Feb 12,2013) Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program temporary Sec. 9. Identification of Critical Infrastructure at Greatest Risk within 150 days of order these assets shall be identified Sec. 10. Adoption of Framework within 90 days of final framework, the existing sectors must report on their ability to comply with framework special attention to Sec 9 assets If they do not/cannot comply, then other agencies must step in to define mitigating actions. Slide 9

10 U.S. Critical Infrastructure Chemical Sector Emergency Services Sector Information Technology Sector Commercial Facilities Sector Energy Sector Nuclear Reactors, Materials, and Waste Sector Communications Sector Financial Services Sector Critical Manufacturing Sector Food and Agriculture Sector Dams Sector Government Facilities Sector Defense Industrial Base Sector Healthcare and Public Health Sector Slide 10 Transportation Systems Sector Water and Wastewater Systems Sector

11 NIST Framework Update February 12, 2013 Executive Order Executive Order Improving Critical Infrastructure Cyber Security September 11-13, 2013 Fourth Cyber Security Framework Workshop Draft Compendium of Informative References Review of over 320 National and International Standards, Guidelines, Directives, Best Practices, Models, Specifications, Policies, and Regulations, including input from: ANSI ISA NERC API ISO IEC NEI NIST NFPA OIG OLF OPC SANS TIA Discussion Draft of the Preliminary Cybersecurity Framework, August 28, 2013 Slide 11

12 NIST Framework Concepts The framework complements, and does not replace, an organization s existing business or cyber security risk management process and cyber security program. Rather, the organization can use its current processes and leverage the framework to identify opportunities to improve an organization s cyber security risk management. Alternatively, an organization without an existing cyber security program can use the framework as a reference when establishing one. Key Concepts Framework Core Framework Implementation Tiers Framework Profile Discussion Draft of the Preliminary Cybersecurity Framework, August 28, 2013 Slide 12

13 NIST Framework Concepts Core Tier Functions 0 - Partial Categories 1- Risk Informed Subcategories 2 - Repeatable Informative Reference 3 - Adaptive Discussion Draft of the Preliminary Cybersecurity Framework, August 28, 2013 Slide 13 Profile Establish a Roadmap

14 Framework Core Function Category Subcategory Informative Reference(s) IDENTIFY PROTECT DETECT RESPOND RECOVER Discussion Draft of the Preliminary Cybersecurity Framework, August 28, 2013 Slide 14 14

15 Products + Consulting = Compliance Invensys provides a full lifecycle Cyber Security Methodology, NOT a product-centric point solution like many IT-based security companies do. Point solutions such as anti-virus software or firewalls on their own fall short and miss the security target. The integration of sound cyber security best practices that encompass best-in-class COTS products provides and enables a complete and holistic cyber security compliance solution that hits the target. Slide 15

16 Technology Tim Johnson 2013 Invensys. All Rights Reserved. The names, logos, and taglines identifying the products and services of Invensys are proprietary marks of Invensys or its subsidiaries. All third party trademarks and service marks are the proprietary marks of their respective owners.

17 Impact of Cyber Security to Business 90% of companies suffered a cyber attack in the past 12 months Some suffered multiple Of all the attacks reported, 41% claimed at least half a million U.S. dollars ($500,000) in damages Other reported they were unable to determine their immediate losses. Slide 17 ICS-CERT responded to and investigated 198 cyber incidents (compared to 130 in 2011) The Energy sector was the most targeted industry in 2012, accounting for 41% of events The Water sector was the second most targeted industry in 2012, accounting for 15% of events The cyber security response team helped with incident responses for 23 oil/natural gas sector events Chemical organizations reported 7 incidents to ICS-CERT The Nuclear sector reported 6 incidents to ICS-CERT

18 Invensys Recommended Industrial Control System Security Features epolicy Orchestrator (epo) Anti Malware Host Intrusion Detection (HIDS) Data Loss Prevention (DLP) Active Directory (A/D) Hardened OS Whitelisting Backup Exec System Recovery (BESR) Slide 18

19 Cyber Security Best Practices Standards organizations like those in the image below help companies develop effective cyber security strategies. While these organizations have different approaches, they all have a common element to establish a best practice approach to cyber security. Slide 19

20 Cyber Security in Industry Control System Enhancements Consulting Services Sample Control Systems AND All Process Systems MS Active Directory Security Best Practices McAfee Suite epo, AV, DLP, Access Control / AD Workshop Symantec BESR Technology Workshop Product level patching Disaster Recovery Planning No Fixed Root User System Security Management Controls Whitelisting Hardened OS Etc. Slide 20 Patch Management (entire site)

21 Invensys Industrial Control System Security Features epolicy Orchestrator (epo) epolicy Orchestrator (epo) is a unifying security management open platform by McAfee. epo makes risk and compliance management simpler, enabling clients to connect security solutions to their enterprise infrastructure to increase visibility, gain efficiencies, and strengthen protection. Anti-Malware Virus scans prevent, detect, and remove malware, including but not limited to system viruses, computer viruses, computer worms, Trojan horses, spyware, and adware. Host Intrusion Detection System (HIDS) Host Intrusion Detection System (HIDS) monitors and analyzes the internals of a computing system. A host-based IDS monitors all or parts of the dynamic behavior and the state of a computer system. Slide 21

22 Invensys Industrial Control System Security Features Data Loss Prevention (DLP) Data Loss Prevention (DLP) systems enable organizations to reduce the corporate risk of the unintentional disclosure of confidential information. Active Directory (A/D) Active Directory (A/D) provides a central location for network administration and security. It authenticates and authorizes all users and computers in a Windows domain type network assigning and enforcing security policies for all computers and installing or updating software. Harden OS Factory hardening is a procedure that updates patches and anti-virus software and disables unused ports and services. System hardening is necessary because default operating system installations focus more on ease of use rather than security. Slide 22

23 Invensys Industrial Control System Security Features Whitelisting Whitelisting is the opposite of Blacklisting. Whitelists contain only those programs you wish to grant access to as opposed to those you do not. This makes Whitelisting a lot less labor intensive since you only have to keep up with the applications you know about. Backup Exec System Recovery (BESR) Centrally manage backup and recovery tasks for multiple desktops across the network. Schedule backups to run automatically, including event-triggered backups, without disrupting network usage. Slide 23

24 Cyber Threat Management (CTM) Module The CTM Module is a unique offering from the Invensys Cyber Security team. Slide 24 Combination of Best-in-Class firewall plus Invensys in-depth industry and cyber security knowledge Focuses on the Water, Power, Oil/Gas Pipeline, and Manufacturing industries Comes with Invensys pre-configured rule sets for each focus industry Each CTM is pre-bundled to ensure fast turn around

25 FortiWifi 60CM Features All pre-bundled as part of the Invensys CTM Cyber Threat Management Module Slide 25 ForiWifi 60CM Wireless or non-wireless operation FortiGuard Anti-virus Intrusion Prevention Web filtering Anti-spam Application Control Vulnerability scan IPSec and SSL VPN Data Loss Prevention Device Awareness FortiClient End Point Management Wifi a/b/g/n (multi SSID)

26 Why SQL Server Hardening? SQL Injection is the #1 server attack! Slide 26

27 SQL Server Hardening Service Server hardening is one of the most important tasks to be done on your servers. Most server out of the box configurations are not designed with security in mind. SQL servers should be seen as critical assets and any compromise to them could result in significant loss to business and production. Some of the threats to a SQL server are: Indirect attack SQL injection Direct exploit attack Cracking SA Password Direct exploit attack Google hacks SQL server hardening is critical to any cyber security initiative and is part of many regulatory compliance programs. Slide 27

28 IIS Server Hardening IIS servers are a favorite target of hackers. Research shows that 75% of cyber attacks occur at the application level. Business and Industry pay a heavy cost for these security failures: Cost of server clean-up Cost of data loss Cost of lost business opportunities Cost of reduced productivity Server hardening not only provides security but also establishes a baseline for all server platforms assisting with maintenance, patching, and planning. Slide 28

29 Do I Need an Assessment? 64% of companies expect to be hacked! Source: Bit9, Verizon Threat Report Slide 29

30 Security Assessment Most organizations think of anti-virus software, firewalls, and hardening when they think of security. However, few think of a Security Assessment as part of their overall comprehensive security program. They are often faced with a number of challenges: Knowing their current security position Determining their vulnerability level, exposure, and possible impact Experiencing inability to monitor who has access to their network and critical assets Enhancing their existing security strategy Slide 30

31 Invensys Enhanced Solutions Firewall Secure Zone Relay Server Active Directory Centralized Back Up & Restoration Patch Management Network Management/ePO Log Management Network Infrastructure TriStation Compliance Secure File Server OTS Slide 31

32 Cyber Security Solutions Invensys cyber security team provides security solutions The Invensys cyber security team offers a comprehensive list of cyber security solutions to help address any internal needs, regulatory requirements, or program mandates. All of these elements are synergistic, providing not only a broad scope of security but also the defense-in-depth necessary for true cyber security compliance. Our most common solutions include: Slide 32 Active Directory (A/D) Workshop Technology Roadmap Procedures/SOPs Secure Zones Centralized Backups Event Logging Patch Management Network Management Remote Access Relay Server Managed Secure Services

33 Invensys Critical Infrastructure and Security Practice Doug Clifton 2013 Invensys. All Rights Reserved. The names, logos, and taglines identifying the products and services of Invensys are proprietary marks of Invensys or its subsidiaries. All third party trademarks and service marks are the proprietary marks of their respective owners.

34 Cyber Security Consulting Why Invensys? Providing cyber security services in Industrial Automation since 2001 Largest vendor-based Industrial Control Security Group in the market Delivering cyber solutions to a global customer base Experienced with IT technologies but with a Process Automation mindset Slide 34

35 Invensys Critical Infrastructure & Security Practice (CISP) CISP Certifications CISSP CCNA CCDA CEH ECS NNCDA CCNP CCS1 CCSA CWNA CCFE MCSE CISM CISA CCSE OSCP CCIE plus others We are a very active business within Invensys. Currently active projects (August 2013): 31 embedded projects 21 CISP-only projects Slide 35

36 What Makes CISP Unique? Platform Independent The CISP solution portfolio will work on ANY control system platform, expanding the market beyond the traditional Invensys customer base. Network Agnostic The CISP solution portfolio can be deployed on any network topology or technology, independent of network lifecycle, due to the lifecycle methodology of the solution portfolio. Industry Relevant The CISP solution portfolio is applicable to any industrial manufacturing industry, whether the focus is on cyber security compliance or network systems optimization. Solution Ecosystem CISP is greater than the sum of its parts: cyber security consulting, network compliance, regulatory experts, auditors, network systems design and implementation, system integrators, and trusted advisors. Slide 36

37 Cyber Security Consulting We can support our clients roadmap by assisting with their compliance requirements. Our customers have requirements. We don t want them to go it alone. Critical time in the market; we have the skills to grow business. It s a market differentiator. Slide 37

38 Partnering for Compliance The Invensys cyber security team partners with clients throughout the compliance lifecycle. Program definition Assessment Remediation Program deployment Audit preparation Audit support Slide 38

39 Plan for Cyber Security Implement a cyber security program. Align cyber security programs with implementation of upgrades. Maintain compliance to current and future cyber security regulations. Slide 39

40 Summary 1. Our clients have compliance requirements larger in scope than secure products alone can provide. 2. We have a comprehensive solution that includes: Compliance with industry standards Products designed with security Cyber security experts and delivery/support personnel Enhanced solutions to meet clients cyber security program needs 3. We are vigilant. Our cyber security solutions will meet the challenging industrial landscape. Safety and cyber security are job one at Invensys. - Mike Caliel, President & CEO Invensys Slide 40

41 Slide 41

42 Slide 42

43 The Cyber Security Problem this is why we do what we do INDUSTRY High-cost prevention High skills Static networks Cyber security is not what they do HACKERS Low-cost tools Low skills Dynamic landscape Hacking is all they do Slide 43

44 Cyber Threat Management Module Motivations Behind Attacks 47% 46% 4% 3% Cyber Crime Hacktivism Cyber Warfare Cyber Espionage 100% 100 % Targeted! Slide 44 Source: Hackmageddon