Industry Best Practices for Securing Critical Infrastructure

Transcription

1 Industry Best Practices for Securing Critical Infrastructure

2 Cyber Security and Critical Infrastructure AGENDA - Difference between IT and OT - Real World Examples of Cyber Attacks Across the IT/OT Boundary - How to Select Industry Standards that help bridge the gap between IT and OT - Apply Industry Standards that help bridge the gap between IT and OT

3 The Difference Between IT and OT

4 IT Meets OT IT OT

5 Difference between IT and OT ICS control the physical world and IT systems manage data Risk Health and safety of human lives Damage to environment Financial issues such as production losses Priorities (CIA) Performance Reliability

6 Real World Examples of Cyber Attacks Across the IT/OT Boundary

7 Real World Examples of Cyber Attacks Across the IT/OT Boundary - Target Corporation Attack - Ukraine s Power Plant Hack - German Steel Mill Cyber Attack - Baku-Tbilisi-Ceyhan (BTC) Pipeline Blast in Eastern Turkey

8 Real World Examples of Cyber Attacks Across the IT/OT Boundary Target Corporation Attack o November 2013 hackers stole unencrypted credit and debit card data for 40 million customers including PINS from point of sale machines o The names, addresses, phone numbers, and addresses of some 70 million customers which indicated backend databases breached probably the CRM system o Not the first time, In 2005 Target was hacked o Companies accepting credit and debit cards adhere to a Payment Card Industry standard for security known as PCI-DSS o Audits take only a snapshot of a company s security at the time of the audit, which can change quickly if anything on the system changes o The payment card industry now uses a technology called EMV, also known as chip-and-pin cards o Target will pay hack victims $10Million

9 Real World Examples of Cyber Attacks Across the IT/OT Boundary Ukraine s Power Plant Hack o December 23, 2015 two power distribution companies in Ukraine said that hackers had hijacked their systems to cut power to more than 80,000 people o Hackers sabotaged operator workstations to make it harder to restore electricity to customers. Screens were frozen o Power was out in some areas up to 6 hours o Breakers had to be manually closed since the SCADA management system was down (the outage was caused by opening breakers on the grid) o BlackEnergy 3 Malware was used to go from the IT to the OT o Utility company call center was the victim of a Denial of Service Attack simultaneously during the outage so that operators would be unaware of how wide spread was the outage o The KillDisk malware was used to destroy the Operator Workstations and Servers. o March 2015 BlackEnergy 2 was used as part of a spear-phishing campaign

10 Real World Examples of Cyber Attacks Across the IT/OT Boundary German Steel Mill Cyber Attack o December 2015, German Agency (BSI) Reported Hackers attacked a steel mill and through the ICS destroyed a blast furnace o Caused Massive damaged o The attackers gained access to the steel mill through the plant s business IT network o Used a spear-phishing attack o Demonstrated knowledge of traditional IT Security and applied Industrial Controls o Illustrates the need for strict separation between business IT and production OT networks

11 Real World Examples of Cyber Attacks Across the IT/OT Boundary Baku-Tbilisi-Ceyhan (BTC) Pipeline Blast in Eastern Turkey o August 7, 2008 The pipeline had sensors and cameras to monitor 1000 miles of pipeline. Pressure and oil flow were fed to a central control room via a SCADA control system o Hackers had shut off alarms, cut off communications and overpressurized the crude oil in the line o No Alarms were triggered by the blast o 60 hours of surveillance video were erased by the hackers o A single infrared camera not connected to the SCADA network captured images of two men with laptop computers walking near the pipeline days before the explosion o The control room didn t learn about the blast until 40 minutes after it happened, from a security worker who saw the flames o The hackers point of entry was the surveillance cameras o The explosion caused more than 30,000 barrels of oil to spill in an area above a water aquifer. Cost BP and its partners $5 million a day o The State Oil Fund of the Republic of Azerbaijan lost $1 billion in export revenue

12 Selecting a Cyber Security Program

13 Security Controls and Assessments 1. Security Controls Standards 2. Assessment Methodologies

14 1. Security Controls ISA/IEC Industrial Automation and Control Systems Security Document Series (including principles in ISA-99). Can be purchased here:

15 1. Security Controls NIST Guideline to Industrial Control Systems (ICS) Security. Includes guidance on how to tailor traditional IT security controls to accommodate unique ICS performance: - Reliability and safety requirements - Sections on threats and vulnerabilities - Risk management - Recommended practices - Security architectures and security capabilities and tools Here is the link:

16 2. Assessment Methodologies Open Source Security Testing Methodology Manual (OSSTMM). Focus is on transparency and getting business value: - Useful broad description of categories of testing (Step by step process description) - Covers scoping, metrics, human security testing, physical security testing, wireless security testing, telecomm security testing, and data networks security testing - Includes numerous information-gathering templates You can obtain a copy at

17 2. Assessment Methodologies Penetration Testing Execution Standard (PTES). - Helps organizations understand what is involved in conducting a penetration test - Includes information about Pre-engagement interactions (Scoping and Rules of Engagement), Intelligence gathering (recon), Threat modeling, Vulnerability analysis, Exploitation and post exploitation, and Reporting - A great Outline of an in-depth penetration test Available for free from

18 2. Assessment Methodologies NIST Guideline on Network Security Testing. - Covers planning, process, analysis, and validation techniques - Includes an appendix with rules of engagement template - Includes an appendix with some common tools used in Vulnerability Assessments and Penetration Tests Available at

19 2. Assessment Methodologies NIST Rev 1 Risk Management Guide for Information Technology Systems. Provides guidance for carrying out each of the three steps in a risk assessment process (i.e., prepare for the assessment, conduct the assessment, and maintain the assessment Available here:

20 How to Apply Industry Standards that help bridge the gap between IT and OT

21 Types of Assessments 1. Vulnerability Assessment 2. Risk Assessment 3. Penetration Test

22 Types of Assessments Definitions Vulnerability : a security flaw that can be exploited to cause harm 1. Vulnerability Assessment: - Focus on finding vulnerabilities but not Exploiting said vulnerabilities - Includes Policy, Process and Procedure review

23 Types of Assessments Definitions Risk = Impact Probability Impact : Amount of harm that would be done if a Threat successfully exploits a vulnerability Probability : Likelihood that a Threat will exploit a vulnerability 2. Risk Assessment : Analyzes the Likelihood that a Threat will exploit a Vulnerability to cause harm to a customer s business

24 Types of Assessments Definitions 3. Penetration Test : - Identifies Vulnerabilities in the environment - Exploits said Vulnerabilities to gain access to customers systems - Mimics what real world hackers would do

25 Cyber Security Program Methodology ASSESS IMPLEMENT MANAGE People Training Competence management Processes Risk and Vulnerability Assessment Process improvement Continuous process improvement Products Perimeter protection Inline protection End point protection System and event monitoring and management Transparency on risks and vulnerabilities Wholistic approach of security breaches from different angles Solution oriented Minimized risk for unauthorized access, downtime and security breach Extensive, long-term support for all security concerns by security experts and trusted vendor of automation systems Fully integrated monitoring solution Overall visibility of security related events and status of security measures

26 Defense in Depth concept Creating multiple layers of protection Physical Security Physical access to facilities and equipment Policies & procedures Security management processes Operational Guidelines Business Continuity Management & Disaster Recovery Security cells & DMZ Secure architecture based on network segmentation Potential attack IT Firewalls and VPN Implementation of Firewalls as the only access point to a security cell System hardening adapting system from default to secure User Account Management Administration of operator and user rights (role based access control) Patch Management Malware detection and prevention Anti Virus and Whitelisting

27 Cyber Security Risk Assessment Offer Multiple Benefits Identify the risks Know what controls are in place Know your current security posture Develop a prioritized security roadmap

28 Cyber Security Risk Assessment Process CYBER SECURITY ASSESSMENT PHASE I PHASE II PHASE III PHASE IV Request Documentation On-site Assessment Analyze Information Deliver Report

29 Cyber Security Assessment Report Policy Gap Analysis Vulnerability Assessment Threat Assessment Risk Assessment Security Roadmap (Solution)

30 Advantages of closing the gap between IT and OT

31 Marketplace Advantages of an Intel Cyber Security Program 1.Take Advantage of Data Driven Services (EA, MTA, DTA) 2. The Right Decision at the Right Time based on Reliable Real Time Data 3. Increase Availability, Performance and Quality at lower Energy Costs

32 ICS Cyber Security Services group thanks you for your attention! Khaled BROWN, CISSP Intel Security ICS Cyber Security Services Senior Cyber Security Consultant Mobile: Site :