About NitroSecurity. Application Data Monitor. Log Mgmt Database Monitor SIEM IDS / IPS. NitroEDB

Transcription

1 About NitroSecurity NitroEDB IDS / IPS SIEM Log Mgmt Database Monitor Application Data Monitor Born from the INL Highly Optimized Core Architecture, Using Patented Technology - 8 unique mechanisms to improve performance (collection & analysis) - Unique mechanisms to improve the diversity of supported devices - Unique mechanisms to improve storage efficiency and archiving - Additional open technology to further optimize performance

2 All Assets Need Security The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security. ~ CIP (R6)

3 What does this mean? 1. The assets themselves need security baked in Hardened (ports & services) Cleaned (protected against malware and patched) Restricted (account / access control) Monitored (audit trail of security event activity) 1. All Assets need to be monitored as a system Analyzed (trends, anomalies) Correlated (threats, risk) Organized (reports, compliance)

4 Alternate Security Monitoring What if an Asset doesn t produce sufficient security events? CIP compliant drop in security appliances can passively monitor the control system Events are generated passively (no impact to asset) Example Network-based IDS with advanced SCADA preprocessors Advanced detection signatures for exploit threats against control systems (e.g., OPC)

5 What s a SIEM? A Security Information & Event Management System (SIEM) collects all relevant information from the enterprise network, to: Understand systems & protocols of the ENTERPRISE Detect patterns indicative of THREATS Analyze VULNERABILITY and RISK Provide forensic detail required to INVESTIGATE Provide actionable data for INCIDENT RESPONSE Produce a clear audit trail for COMPLIANCE

6 But this isn t The Enterprise

7 it s a Control System Diagram courtesy of US CERT

8 So, what does the Control System need? A Security Information & Event Management System (SIEM) that collects all relevant information from the control system, to: Provide CONTEXT to threats within the Control System Monitor Control System SYSTEMS & PROTOCOLS to detect anomalies/patterns that threaten RELIABILITY Analyze EVENTS in accordance with CIP-007 Provide actionable data for INCIDENT RESPONSE Produce auditable reports for SUSTAINED NERC-CIP COMPLIANCE

9 The Secure Enclave Outside systems & services (e.g., Internet) Other Cyber Assets Critical Assets & All Systems that Access them is it this easy?

10 The Evolution of Threats They re moving up the stack Targeting the application layer They re getting more complex Multiple vectors Tiered reconnaissance Low & slow profiles

11 Threats are Moving up the Stack 1 Physical 2 Data Link Physical Security = Who enters the control room Routable Access Control = Who connects to cyber assets 3 Network 4 Transport 5 Session Database Security = Who / what accesses Historian 6 Presentation 7 Application Application Security = Who logs in to sensitive applications

12 Authorized Applications Break the ESP 1 Physical 2 Data Link Physical Access = Personal Identity (name, badge #) Network Access = Logical Identity (IP, MAC, hostname) 3 Network 4 Transport 5 Session Backend Access = Session Identity (port ID, session ID) 6 Presentation 7 Application Application Access = User Identity (login, domain name, etc)

13 Re-examining the Enclave Outside systems & services (e.g., Internet) Other Cyber Assets Critical Assets CS Apps & Services Business Apps & Services Remote Apps & Services the ESP is blurred

14 Monitor activity from outside of the enclave Monitor Business Apps & Services Monitor Control Systems Apps & Services

15 1 Physical Monitoring all Layers of the ESP Physical Access Control / Endpoint Security Entry Scanner Logs, Biometrics, etc. Physical Security = Who enters the control room 2 Data Link 3 Network 4 Transport 5 Session 6 Presentation 7 Application Routable Access Control = Who connects to cyber assets Separation of Networks IPS, Firewalls, Access Control Lists, etc Database Access Control Database Monitoring, DB Log Analysis, IAM, etc. Database Security = Who / what accesses Historian Application / Use Policies Application Monitoring, Application Whitelisting, etc. Application Security = Who logs in to sensitive applications

16 Enhancing SIEM for the Control System Behavior Monitoring Establish baseline network and asset behavior Advanced Vulnerability Assessment Understand vulnerabilities specific to control systems Advanced Correlation Identify threats within the context of the control system Identity Management Map logical ID (usernames) to Personnel (CIP-003) Change Management Monitor configuration changes

17 Turning Data into Intelligence Contents of Business Apps & Services Authentication & IAM Events from SCADA HIDS, NIDS, firewalls, and other security devices Asset Event Logs User Identity Physical Entry Logs Historian transactions OS events VA Scan Data Location

18 Thank You!