Expanding Cyber Security Management for Critical Infrastructure

Transcription

1 Expanding Cyber Security Management for Critical Infrastructure ISSE Wednesday 15 th November 17, Brussels Dr Andrew Hutchison, Telekom Security

2 OVERVIEW Attack Surface expands to include IoT/Critical Infrastructure Evolving Attacks Re-balancing the counter approach Broad Scope Security Monitoring Approach and tools Adding cyber-physical feeds Supporting implementation of ISA99/IEC62443 requirements Conclusions 2

3 EVOLVING NATURE OF THREATS Zero Day Exploits Ransomware Attacks on autonomous vehicles Attacks on firmware 90% of corporate networks are protected But only 10% of industrial networks Attacks on power/ heating systems Attacks on cloud services Spear Phishing & faked identities Attacks on production plants (SCADA systems) 3

4 ATTACKS ON CRITICAL INFRASTRUCTURE ARE REAL! SEP 2010 MAY 2015 DEC 2015 FEB 2016 NOV 2016 Access to Iranian nuclear plant Complete exchange of IT people without power IT-systems shut down people without internet Stuxnet infects industrial plant Attack on IT of german Bundestag Ukraine: attack on power grid Ransomware attack on hospital Mirai-Botnet- Attack on Router Source: 4

5 FROM PREVENTION TO PREVENTION. DETECTION. REACTION. Responding to Targeted CyberAttacks, ISACA 5

6 BROAD SCOPE SECURITY MONITORING SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)

7 EXAMPLE SIEM SERVICE AND DELIVERY MODEL CLOUD. Customer 1 SOC AV Server Customer 1 AV Server Customer 2 INTERNET Head of IT Mail Customer 2 Web Sensor HQ Sensor of customer 1 Sensor Office 1 Sensors for data collection and normalization are installed in the customer s infrastructure. The data is forwarded to the customer s cyber defense server for processing. Dedicated, customer-specific virtual cyber defense server operated by an MSSP: storage of security events, threat intelligence, reporting. 3 Sensor Office 2 CSO

8 EXAMPLE SIEM SERVICE AND DELIVERY MODEL ON-PREMISES. OFFICE FINLAND Head of IT Sensor Office SOC INTERNET Mail germany Web Factory 1 Sensors for data collection & normalization are installed in the customer s infrastructure. The data is forwarded to an on-site customer server for processing. HQ Only alarm data gets forwarded to SOC, data remains on-site at the customer. Server 3 Factory 2 CSO

9 MONITORING IT + OT ENVIRONMENTS WITH IoT SOURCES

10 SUPPORTING THE IMPLEMENTATION OF ISA99/IEC62443 REQUIREMENTS FR 2 Use Control, including FR 3 System Integrity, including FR 5 Restricted data flow, including FR 6 Timely response to events, including SR 2.8 Auditable events SR 2.9 Audit storage capacity SR 2.10 Response to audit processing failures SR 2.11 Timestamps SR 3.2 Malicious code protection SR Security functionality verification SR 5.2 Zone boundary protection SR 6.1 Audit Log accessibility SR 6.2 Continous Monitoring

11 PROTECTION OF CRITICAL INDUSTRIAL INFRASTRUCTURE example example example Industrial Threat Protection Intelligent, continuous risk management for the whole production network Zero Impact installation Continuous analysis of vulnerabilities and risk assessment Industrial Network Protection Firewall-protection for industry networks and switching systems across different locations Mobile connection and integration into existing systems (SIEM) possible Industrial Access Protection Full control of remote access Secure management of all suppliers Compliance conform documentation per Rendezvous-Server 11

12 Consulting SOC INDUSTRIAL CONTROL SYSTEM SECURITY COMPONENTS Visibility: Monitoring & Response Assets, Topology, Flows, Change, Vulnerabilities, Attacks Industrial SIEM Network Segmentation Control flows Industrial Firewall Industrial Threat Protection Industrial Network Protection EXAMPLE EXAMPLE Access Control User & identity management, remote access, privileged access Industrial IAM End-Point Protection anti-malware, port and device control, memory protection, firmware- & controllogic integrity Industrial End-Point Protection Industrial Access Protection Industrial End Point Protection EXAMPLE 12

13 CONTINUOUS RISK MANAGEMENT, RELIABILITY, ATTACK DETECTION & COMPLIANCE REPORTING example OT * -Net ICS Control Center OT-Net Industrial Threat Protect Pro * OT: Operational Network ** DNA: Device-Network-Application relation 13

14 EXAMPLE ICS NETWORK CONTROL Magenta Security 14

15 END-TO-END NETWORK SECURITY & DATA FLOW CONTROL & INSPECTION example OT * --Net ICS Control Center Industrial Network Protect Pro OT--Net * OT: Operational Network 15

16 FULL CONTROL FOR REMOTE MAINTENANCE ACCESS example Management Portal Rendezvous Server Secure Tunnel Technician 16

17 TYPICAL NETWORK ARCHITECTURE & INTEGRATION SIEM / SOC Integration and Monitoring 17

18 LOCAL AND CENTRALISED INFRASTRUCTURE VIEWS 18

19 ICS ATTACK VECTOR PATHS AND PREDICTION 19

20 ICS EXAMPLE SECURITY USE CASES Security Measure Inventory & Asset Management Patch Management PLC Update Management Change Management Perimeter Leakage Description Identify all assets connected to the ICS environment including PCs/ Laptops/ Switches/ PLCs/ Servers/Thin Clients etc. To ensure devices are patched to the latest approved version in order to reduce vulnerabilities. To ensure PLC firmware is up to date and stays current with all security related fixes. Ensure that no changes are made to plant, equipment or process without authorisation Detect devices connected to external networks. 20

21 THREAT INTELLIGENCE

22 CONCLUSIONS While the management of Cyber Security environments within the Information Technology (IT) area is fairly well defined and understood, the incorporation of Operation Technology (OT) and cyber physical systems into such management frameworks and systems is less mature. For Critical Infrastructure (CI) in particular, it is essential that security management is conducted in a well implemented manner especially since many of the controllers and connectivity / management models are primitive compared to IT type devices. Security models are often limited, with the assumption that physical isolation or protection of devices will ensure that they are not manipulated in unexpected or unauthorised ways. Implementation of cyber physical systems is typically layered with devices, connectivity, processing (possibly cloud), horizontal services (for example IoT enabling platforms) and vertical services (for example specific to healthcare, connected car, energy, etc.) combining to form an OT solution. For enhanced management of cyber physical systems, security related events can be collected and inspected using guidelines such as the International Society for Automation (ISA) standards for Industrial Automation and Control Systems (IACS). In particular the ISA Across these services extends a requirement for end-to-end security, and it is this goal which systems need to develop. 22

23 Questions?