A Strategic Approach to Industrial CyberSecurity. Kaspersky Industrial CyberSecurity

Transcription

1 A Strategic Approach to Industrial Cyber Kaspersky Industrial Cyber 2015

2 Do industrial control networks need protection from cyberattacks? It s a question that, just a few years ago, was unlikely to feature in boardroom discussions at industrial enterprises. In a context where process continuity and availability come first, security was an afterthought. But everything has changed in the last few years. Multiple cyberattacks against industrial facilities around the world have demonstrated just how vulnerable industrial systems are to modern cyber weapons and how important the cybersecurity of critical infrastructure is. It became obvious that physical isolation alone is no longer enough and more serious action must be taken. For many years, Kaspersky Lab has worked on developing a suite of solutions that deliver cybersecurity at all tiers of the industrial network. We realise that protecting these systems isn t easy, but it must be done and done at the highest possible quality. It s no exaggeration to say that industrial cybersecurity can be a matter of life and death. That s why securing industrial and critical infrastructure is a key priority for our company. Eugene Kaspersky 2

3 A new approach to protecting industrial and critical infrastructure Malicious attacks on industrial systems including industrial control systems (ICS) and supervisory control and data acquisition systems (SCADA) have increased significantly in recent years. While physical isolation of industrial systems from external networks used to be good enough security, this is no longer the case. As the Stuxnet and Gauss attacks have shown, one infected USB drive is all it takes for malware to bridge the air gap and penetrate an isolated network. There may be some overlap in the threats, but there are significant differences between the cyber security requirements of ICS systems and those of general business. Corporate environments focus on safeguarding confidential data; when it comes to ICS/SCADA systems, where every minute of downtime or error counts, uninterrupted operations are the ultimate priority. This is what distinguishes industrial cybersecurity from other businesses: its priorities of availability, integrity and confidentiality are often opposite of standard business priorities. In addition, cybersecurity solutions designed specifically to protect industrial infrastructure has to comply with various government and industry regulations, including engineering organizations and integrators. 3

4 The Kaspersky Lab approach Kaspersky Lab s approach to protecting industrial systems in based on more than a decade s expertise in discovering and analysing some of the world s most sophisticated threats. Our deep knowledge and understanding of the nature of system vulnerabilities, coupled with our close collaboration with the world s leading law enforcement, government and industrial agencies, including Interpol, various CERTS, regulators and ISA have enabled us to take a leadership role in addressing the unique requirements of industrial cybersecurity. A practical implementation of this approach is an integrated solution that increases the availability of industrial processes by detecting and preventing actions (intentional or accidental) that result in disruption or halting of vital industrial processes. In line with this vision, Kaspersky Lab has developed Kaspersky Industrial Cyber, a solution designed specifically with the unique needs of industrial cybersecurity in mind, including a particular focus on preserving the continuity of industrial processes. The solution is intended for Ethernet-based industrial networks. Flexible, versatile settings mean the solution can be configured to meet the unique needs and requirements of individual industrial facilities. KASPERSKY INDUSTRIAL CYBERSECURITY: Protects industrial enterprises from cyberthreats Secures industrial networks and the continuity of technological processes Minimizes downtime and delays in technological processes Includes a range of services to maximise the effectiveness of cybersecurity 4

5 Kaspersky Industrial Cyber: solution structure Kaspersky Industrial Cyber is an integrated solution that combines functional components and protection technologies with a range of expert services. Working within service offering frameworks, complete analysis by Kaspersky experts of existing cybersecurity systems ensures optimal configuration of our protection technologies and services. In addition to providing effective implementation and support for Kaspersky Industrial Cyber at all stages of the ICS lifecycle, this also enables bespoke consultations with the organization s in-house specialists on any aspect of combating cyberthreats. This service is particularly beneficial to: Companies that require assistance with analysing the current state of their cybersecurity systems and identifying areas in need of upgrade; Companies that are already implementing a cyberthreat mitigation strategy and are evaluating different vendor offerings; Companies that have experienced unauthorized interference with technological processes and need emergency analysis of the source of the threat, along with incident investigation. Flexible selection and configuration of protection components enables the provision of protection for ICS components, including PLCs, SCADA servers, HMI panels and engineer/operator workstations. This means enterprises can realise the benefits even from the earliest stages of project implementation. 5

6 KIS A KPM SafeKids SafeBrowser QR Scanner KTS MD KAV KIS MAC KIS PC K Threat Scaner K Rescue Disk KSS (PC and MAC) KVRT (PC and MAC) Free tools Phound! KIS MD Software Updater KSOS for mail server DDoS protection Educational Educational KESB Core KESB Select KESB Advanced KESB Total KIS A KPM SafeKids SafeBrowser QR Scanner for file server Industrial Professional Professional for mail server for file server for mail server for file server for Web Gateway for Web Gateway for Colla Anti-APT Investigation Investigation for Web Gateway KIS A KPM SafeKids SafeBrowser QR Scanner KIS A KPM SafeKids SafeBrowser QR Scanner KTS MD KTS MD K Threat Scaner K Rescue Disk KSS (PC and MAC) KVRT (PC and MAC) Fraud KTS MD for Collaboration KAV for Storage KIS MAC Prevention KIS PC Free tools Endpoint Solutions K Threat Scaner K Rescue Disk KSS (PC and MAC) for Data KVRT Centers (PC and MAC) Intelligence Threat Intelligence ReportingFree tools Phound! Intelligence Threat Intelligence ReportingFree tools Phound! KAV KIS MAC KIS PC KAV KIS MAC KIS PC K Threat Scaner K Rescue Disk KSS (PC and MAC) KVRT (PC and MAC) Phound! Threat Data Feeds Threat Data Feeds Botnet Threat Tracking Botnet Threat Tracking System Management KIS MD Support Support KIS MD KIS MD KIS A KPM SafeKids SafeBrowser QR Scanner KTS MD K Threat Scaner K Rescue Disk KSS (PC and MAC) KVRT (PC and MAC) Free tools KAV KIS MAC KIS PC Phound! Software Updater Software Updater KIS MD Software Updater Software Updater KSOS KSOS for mail server KSOS for mail server KSOS DDoS protection for mail server DDoS protection for mail server Educational DDoS protection Educational DDoS protection Educational Educational KESB Core KESB Select KESB Advanced KESB Total KESB Core KESB Select KESB Advanced KESB Total for file server for file server Industrial Industrial Professional Anti-APT Anti-APT Investigation for Web Gateway for Web Gateway KESB Core KESB Select KESB Advanced KESB Total Professional Investigation KESB Core KESB Select KESB Advanced KESB Total for file server for file server Industrial Industrial Professional Professional Anti-APT Anti-APT Investigation Investigation for Web Gateway for Web Gateway Intelligence Reporting Intelligence Reporting Intelligence Reporting Intelligence Reporting for Collaboration for Collaboration for Collaboration for Collaboration Threat Intelligence Threat Intelligence Threat Intelligence Threat Intelligence for Storage for Storage Endpoint for Storage Endpoint for Storage Threat Data Feeds Endpoint Threat Data Feeds Endpoint Threat Data Feeds Threat Data Feeds Fraud Prevention Fraud Prevention Solutions for Data Centers Fraud Prevention Solutions for Data Centers Fraud Prevention Botnet Threat Tracking Solutions for Data Centers Botnet Threat Tracking Solutions for Data Centers Botnet Threat Tracking Botnet Threat Tracking System Management System Management System Management System Management Support Support Support Support DDoS K Threat Scaner K Rescue Disk K Threat Scaner KSS (PC and MAC) K Rescue KVRT Disk(PC and KSS MAC) (PC and Software MAC) Updater KVRT (PC and MAC) Software Updater protection Industrial DDoS Anti-APT protection Industrial Anti-APT Inteli Kaspersky Industrial Cyber Free tools TECHNOLOGIES Phound! Free tools Phound! Educational SERVICES ProfessionalEducational InvestigationProfessional InvestigationIntelligence Threat In B2C B2B Reporting Ser B2C B2B B2C B2B B2C B2B B2C B2B VULNERABILITY MANAGEMENT EDUCATION AND INTELLIGENCE EXPERT SERVICES ANTI-MALWARE INTEGRITY CONTROL CYBERSECURITY TRAINING INTELLIGENCE REPORTING SIMULATION CYBERSECURITY ASSESSMENT SOLUTION INTEGRATION MAINTENANCE INCIDENT INVESTIGATION CENTRALIZED MANAGEMENT INTRUSION PREVENTION SYSTEM INTEGRATION WITH OTHER SYSTEMS INCIDENT INVESTIGATION 6

7 Kaspersky Industrial Cyber: technologies All Kaspersky Lab solutions are built on a common code base, helping to maximise tool efficiency and effectiveness through tight integration. The functional components of Kaspersky Industrial Cyber are based on unique, proven technologies, many of them patented. CENTRALIZED MANAGEMENT All operations related to managing the cybersecurity system are carried out from a single console, enabling the following tasks to be performed centrally: system and application deployment security policy management anti-malware database updates control of security administrator access rights configuration and generation of detailed reports ANTI-MALWARE PROTECTION An effective combination of signature-based detection, heuristic analysis and proactive defense provides multi-tier antimalware protection for Windows-based nodes. A local Kaspersky Lab reputation database and tools rolling back malicious actions further strengthen the security system, providing protection from known, unknown and complex threats. VULNERABILITY MANAGEMENT Kaspersky Lab technologies analyze applications and operating systems running on an industrial nodes to find any vulnerabilities and uninstalled updates or patches. The order in which patches are installed can be prioritized both manually and automatically. 7

8 INTEGRITY CONTROL On an industrial network, integrity control is achieved through integrated interaction between the following components and technologies. Passive traffic analysis Traffic on an industrial network is processed in passive mode without affecting the industrial network in any way. This means the solution can be easily integrated into an industrial network via a SPAN port or TAP device without the need for any additional configuration changes. This also makes Kaspersky Industrial Cyber invisible to cybercriminals. Network integrity control This component provides industrial network integrity monitoring, including detection of devices newly connected to the network and communication between devices. Technological process integrity control Detects any attempts to send unauthorized commands to programmable logic controllers (PLCs), as well as attempts to set inadmissible technological process parameter values. Application startup control Application control, with support for dynamic whitelisting in Default Deny mode, blocks attempts to execute programs or load modules that are not whitelisted. To make configuring and debugging policies more convenient, a test mode is supported, in which a policy can be configured and tested before applying or updating Default Deny mode in a real-world environment. Device control This component defines which devices are allowed to connect to the industrial network s nodes. When creating Device Control rules, administrators can apply masks to add several devices to the list. PLC project integrity control By continually monitoring the system, this component detects any changes to PLC projects and can notify an IT security expert. 8

9 Kaspersky Industrial Cyber: technologies INTRUSION PREVENTION SYSTEM Protection from network attacks and firewall Network activity monitoring components operating on an industrial network restrict connections to the network s nodes and block suspicious activity. Automatic Exploit Prevention This technology neutralizes malware that takes advantage of software vulnerabilities in order to gain control of a computer. This technology is designed to detect specific patterns in the behavior of such malware and block it before it can execute. This is achieved by controlling the startup of vulnerable programs executable files and monitoring their activity. INCIDENT INVESTIGATION SYSTEM The event logging and data analysis systems included in Kaspersky Industrial Cyber provide an effective tool for assessing cybersecurity of industrial facilities, making incident investigation possible. INTEGRATION WITH OTHER SOLUTIONS The technologies and components included in Kaspersky Industrial Cyber provide support for transferring events to SIEM systems, SCADA systems, network management systems, or to the Syslog server via dedicated interfaces, as well as sending event information by . This means that Kaspersky Industrial Cyber can be integrated effectively into the organization s existing work processes. 9

10 Kaspersky Industrial Cyber: services Our suite of expert services form an important part of Kaspersky Industrial Cyber and includes employee training, industrial network analysis, cybersecurity system design, solution integration, configuration proposals and security incident investigation. EDUCATION AND INTELLIGENCE Cyber Training Cybersecurity provision for industrial facilities involves not only implementing automated software-based protection tools but also employee training insufficient employee awareness of cybersecurity is a leading cause of accidental infection. Kaspersky Lab offers training courses designed for both IT security experts and ICS operators and engineers. During training, attendees receive information on relevant cyberthreats, trends in their development and effective methods for protecting against them. Intelligence reporting The threat landscape, including the number and type of threat, changes every day. Up-to-date information about existing threats is an essential part of improving cybersecurity levels, effective incident response and successful cyberattack blocking. Kaspersky Lab offers a regular intelligence reports service, prepared by leading cybersecurity experts and tailored to the customer s needs, based on industry, equipment and software used etc. Simulation Kaspersky Lab has developed a training game for managers and technical experts. Its purpose is to increase awareness of relevant ICS cybersecurity issues, along with developing the skills needed to address and resolve them. The game simulates real-world cyberattacks on industrial automation systems, demonstrating the main issues associated with providing security for ICS. Players are provided with a broad range of tools and methods to apply to the simulated situation. An economic model is also built into the game, teaching participants how to select the optimal IT security strategy to minimize financial losses cause by cyberattacks. Different versions of the game have been developed for different industries, including water treatment, power generation and transmission, etc. 10

11 Kaspersky Industrial Cyber: services Expert : Cybersecurity Assessment Cybersecurity assessment The ability to identify and assess relevant cyberthreats and risks are essential aspects of effective cybersecurity implementations. To help with this, Kaspersky Lab offers a cybersecurity assessment service for industrial facilities. Within the framework of this service, Kaspersky Lab experts, in co-operation with the company s partners, will review existing documentation defining IT security requirements, analyze the enterprise s industrial network and interview employees. Based on the information gathered, our experts will develop an up-to-date threat model for the customer s industrial facility, perform an assessment of risks and provide recommendations for mitigating them. Penetration Testing Kaspersky Lab offers a penetration testing service. Within the framework of this service, certified Kaspersky Lab experts carry out penetration tests on the industrial control system in accordance with existing availability, integrity and confidentiality requirements for ICS all based on international standards, including PTES, NIST and OSSTMM. Following these tests, a report is prepared, detailing a list of 0-day vulnerabilities specific to the customer s systems, and assessment of the test attacks carried out and recommendations for patching any vulnerabilities identified. Architecture analysis Cybersecurity requirements should be integrated at the system design stage when developing industrial control systems (ICS) and their components (SCADA, PLC, communication devices). Kaspersky Lab offers a service for analyzing the architecture of the customer s industrial control systems. Within the framework of the service, cybersecurity experts will analyze the architecture of the customer s industrial control system at the design and development stage, develop IT security requirements, create a cyberthreat model, assess risks related to vulnerabilities identified, and provide recommendations on making improvements to the architecture and system implementation. 11

12 EXPERT SERVICES: SOLUTION INTEGRATION Policy and procedure development Kaspersky Lab, in cooperation with its partners, offers a service for developing cybersecurity policies and procedures for customer industrial control systems. Within the framework of the service, the customer will receive a documentation package setting out the process of implementing and operating a cybersecurity system based on the customer s specific industrial and business processes. Solution tailoring If a customer s industrial control systems have a unique architecture or are based on custom hardware and software components that are not widely used in the industry, Kaspersky Lab offers a service to adapt recommended cybersecurity tools for these systems. Specifically, the service includes support for unique software and hardware systems (including SCADA, PLC) with their industrial network communication protocols. Support will also be provided for customer-specific algorithms used to control key industrial process parameters. 12

13 Kaspersky Industrial Cyber: services EXPERT SERVICES: MAINTENANCE Technical support Within the framework of the technical support service, Kaspersky Lab experts will help to quickly resolve any technical issues related to the operation of the industrial cybersecurity system. Update testing Kaspersky Lab offers a service for testing cybersecurity system component updates for compatibility with customer-specific computerbased systems prior to applying these updates to industrial control system. This helps to maintain minimal new threat response times without the risk of technological processes being interrupted. Regular maintenance Some changes made to industrial IT systems (e.g. ones linked to expanding production, upgrading existing/installing new automation systems) may require additional configuration or adaptation of existing cybersecurity systems. Kaspersky Lab offers a regular maintenance service for its solutions. Within the framework of this service, Kaspersky Lab provides customers with regular assessments of how well the product is meeting their infrastructural requirements; where necessary, functional components of Kaspersky Industrial Cyber will be reconfigured or updated. 13

14 EXPERT SERVICES INCIDENT INVESTIGATION Malware analysis Kaspersky Lab offers a malware analysis service designed for organizations that have specialists with the skills to detect malware that has penetrated the industrial network. Within the framework of the service, Kaspersky Lab experts will categorize the malware sample received from the customer, analyze its functions and behavior and develop recommendations and a plan to remove that malware and roll back any malicious actions. All the information obtained during analysis is provided to the customer in a detailed report. Incident remediation As part of cybersecurity incident investigation, Kaspersky Lab experts will collect and analyze data, reconstruct the timeline of an incident, determine possible sources and reasons and develop a plan to provide remediation. 14

15 About Kaspersky Lab Kaspersky Lab is one of the world s fastest-growing cybersecurity companies and the largest that is privately owned. The company is ranked among the world s top four vendors of security solutions for endpoint users (IDC, 2014). Since 1997 Kaspersky Lab has been an innovator in cybersecurity and provides effective digital security solutions and threat intelligence for large enterprises, SMBs and consumers. Kaspersky Lab is an international company, operating in almost 200 countries and territories across the globe, providing protection for over 400 million users worldwide. Learn more at 15

16 2015 Kaspersky Lab AO. All rights reserved. Registered trademarks and service marks are the property of their respective owners.