Daniel Severino, Sam Wilson October 2 nd, Achieving Cyber Security Across Your Enterprise with ICS Shield and Risk Manager

Similar documents
Industrial Cyber Security. ICS SHIELD Top-down security for multi-vendor OT assets

Mark Littlejohn June Improving ICS Cyber Security Consistency Using Managed Security Services

The Claroty Difference

Mark Littlejohn June 23, 2016 DON T GO IT ALONE. Achieving Cyber Security using Managed Services

Industrial Defender ASM. for Automation Systems Management

Security in Bomgar Remote Support

SilentDefense. Industrial cyber resilience made simple

Security in the Privileged Remote Access Appliance

Changing face of endpoint security

Cyber Security for Process Control Systems ABB's view

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

INDUSTRIAL CYBER SECURITY

Security Fundamentals for your Privileged Account Security Deployment

Cisco Secure Ops Solution

ABB Process Automation, September 2014

THE TRIPWIRE NERC SOLUTION SUITE

K12 Cybersecurity Roadmap

Secure Access & SWIFT Customer Security Controls Framework

Digital Wind Cyber Security from GE Renewable Energy

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

the SWIFT Customer Security

Secure wired and wireless networks with smart access control

Ensuring Your Plant is Secure Tim Johnson, Cyber Security Consultant

Lindström Tomas Cyber security from ABB System 800xA PA-SE-XA

Cyber Security Solutions Mitigating risk and enhancing plant reliability

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Endpoint Security for DeltaV Systems

Industrial Networks Secured

NIST Revision 2: Guide to Industrial Control Systems (ICS) Security

Internet of Things. The Digital Oilfield: Security in SCADA and Process Control. Mahyar Khosravi

CIS Controls Measures and Metrics for Version 7

IC32E - Pre-Instructional Survey

CIS Controls Measures and Metrics for Version 7

IT Services IT LOGGING POLICY

locuz.com SOC Services

Industrial Security Getting Started

CyberArk Solutions for Secured Remote Interactive Access. Addressing NERC Remote Access Guidance Industry Advisory

AAD - ASSET AND ANOMALY DETECTION DATASHEET

IPM Secure Hardening Guidelines

Industrial Security Co-Sourcing: Shifting from CapEx to OpEx Presented by Vinicius Strey Manufacturing in America 03/22-23/2017

Intelligent Edge Protection

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

THE CYBERX PLATFORM: PROTECT YOUR PEOPLE, PRODUCTION, AND PROFITS HIGHLIGHTS SOLUTION BRIEF

Asset Discovery with Symantec Control Compliance Suite WHITE PAPER

Protecting productivity with Industrial Security Services

GEARS + CounterACT. Advanced Compliance Enforcement for Healthcare. December 16, Presented by:

Reinvent Your 2013 Security Management Strategy

RIPE RIPE-17. Table of Contents. The Langner Group. Washington Hamburg Munich

Cyber security tips and self-assessment for business

CyberArk Solutions for Secured Remote Interactive Access. Addressing NERC Remote Access Guidance Industry Advisory

Designing and Building a Cybersecurity Program

ForeScout Extended Module for Splunk

T22 - Industrial Control System Security

RKNEAL Verve Security Center Supports Effective, Efficient Cybersecurity Management

ForeScout Agentless Visibility and Control

Tenable for Palo Alto Networks

CCISO Blueprint v1. EC-Council

Continuous protection to reduce risk and maintain production availability

Securing Plant Operation The Important Steps

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

ICS Security Monitoring

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

ISO27001 Preparing your business with Snare

Total Security Management PCI DSS Compliance Guide

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved.

Mapping BeyondTrust Solutions to

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Understanding Cisco Cybersecurity Fundamentals

Lifecycle Performance Care Services. Bulletin 43D02A00-04EN

NetWitness Overview. Copyright 2011 EMC Corporation. All rights reserved.

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

ISE North America Leadership Summit and Awards

Cyber security for digital substations. IEC Europe Conference 2017

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

Systrome Next Gen Firewalls

Paloalto Networks PCNSA EXAM

Juniper Vendor Security Requirements

Reviewer s guide. PureMessage for Windows/Exchange Product tour

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Best Practices for PCI DSS Version 3.2 Network Security Compliance

Critical Hygiene for Preventing Major Breaches

Watson Developer Cloud Security Overview

Cloud Services. Introduction

Plant Security Services Protecting productivity in the digital era October

Securing Industrial Control Systems

Barracuda Firewall Release Notes 6.6.X

Industrial Defender Global Leader in Automation Systems Management:

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

The Information Age has brought enormous

Altius IT Policy Collection

How CyberArk can help mitigate security vulnerabilities in Industrial Control Systems

How AlienVault ICS SIEM Supports Compliance with CFATS

7 Steps to Complete Privileged Account Management. September 5, 2017 Fabricio Simao Country Manager

Transcription:

Daniel Severino, Sam Wilson October 2 nd, 2018 Achieving Cyber Security Across Your Enterprise with ICS Shield and Risk Manager

Security Maturity Part of Honeywell Industrial Cyber Security Portfolio 2 INDUSTRIAL SECURITY CONSULTING Emergent Adaptive - Industrial security program development - Assessment services - Architecture and design - Implementation and systems integration - Operational service and support - Compliance audit & reporting INTEGRATED SECURITY TECHNOLOGY - Whitelisting - Antivirus - Next-generation Firewall - IDS/IPS - Security Information & Event Management (SIEM) - Threat Intelligence MANAGED SECURITY SERVICES - Secure remote access - Continuous monitoring and alerting - Secure automated patch & signature updates - Incident response & recovery/ back up - Security device co-management - Hosting and management of ICS Managed Security Service Center CYBER SECURITY SOFTWARE - Honeywell Industrial Cyber Security Risk Manager - Secure Media Exchange (SMX) - Advanced Threat Intelligence Exchange (ATIX) - Industrial assessment software & tools - ICS Shield platform for cyber security operations Comprehensive, Proven and Trusted End to End Solutions

High-level Challenges of IT-OT Integration 3 ICS/SCADA Complexity Multiple sites Multiple vendors requiring access to assets Multiple protocols on ICS network Multiple businesses Mix of legacy and proprietary equipment IT/OT Misalignment ICS security ownership is not clear OT/IT mindsets are very different Transition from plant-byplant to plant-wide security practices Skilled Resources Shortfall and Budget Limitation Cannot place experts at every site Manual processes don t scale and only provide limited security Multiple security solutions partially utilized

Honeywell s Industrial Cyber Security Risk Manager 4 Measure the Risks That Matter the Most First real-time cyber risk reporting platform designed for ICS & PCN industrial companies Measures, prioritizes and manages high priority ICS risk, to mitigate threats & improve compliance Speeds & simplifies PCN cyber data reporting, to save labor costs & improve ICS security posture

Risk Manager Evolves Feature Highlights 5 Customer Prototype Shipping Solution Enterprise-Ready Feature Enhancements 2014 2015 2016 2017 2018 Honeywell Users Group 2014, 2015 R140, R150 R160 R170 Risk data collection & scoring Virtualization: Virtual RM Dynamic rules Expanded PCN visibility: C200/C300 Controller discovery Enterprise-wide visibility: Enterprise Risk Manager Syslog Forwarding for SIEM support Power user analytics and ad-hoc reports (Analysis View) Single RM monitoring across multiple domains: AD Multiple Domain Support Customers pay less to get started : Subscription-based pricing structure

Key R170 Features & Enhancements Summary 6 Feature Enterprise Risk Manager (ERM) Syslog Forwarding Analysis View Multiple Domain & Workgroup Support New Risk Items and Dynamic Rule capabilities Benefits Multi-site visibility of Risk Manager data, all in a single pane view Securely output Enterprise Risk Manager Syslog information to SIEM Enhanced reporting and analytic tools as part of Risk Manager dashboards Single RM monitoring across multiple domains, and monitoring end nodes which are in a workgroup Expands monitored risk coverage Risk Manager R170 helps industrial enterprise security teams easily automate and share consistent plant data -- OT & IT can work together to limit enterprise-wide cyber security risk

R170 ERM - Multi-Site Data in a Single Pane View 7 Displays selected site s Risk Manager Dashboard Displays selected site s Risk Source page with chosen Risk Source details Displays selected site s System Health Status page

ICS Shield

Honeywell ICS Shield 9 Top-down OT security management Automates top-down integrated approach for deployment and enforcement of plant-wide security policies Based on proven technology acquired through Nextnine acquisition over 6000 installs Delivers unrivaled visibility, reliability and compliance for industrial plant operations Enables security of remote field assets from a single operations center Key Features: Secure remote access Secure file transfer Automated patch and AV updates Asset discovery Performance/health monitoring Compliance reporting Industry Standard Platform for Secure Remote Access 6000+ Installs

Common OT Cyber Security Challenges 10 Varying coverage of security essentials Remote employees, control system vendors, 3 rd party vendors, contractors Multiple access points No proper hardening No proper monitoring No proper governance Partial data on assets & events No proper planning & accountability

ICS Shield Deployment 11 Distributed architecture and secure tunnel between site and SOC Install SC at the data center Install VSEs at each plant Establish a secure tunnel, outbound, using port 443, TLS encrypted One FW rule to manage all remote connections Virtual Security Engine

Remote Access Flow: Fast And Secure Access Of Experts To Assets Supported remote access: RDP VNC Telnet SSH HTTP/HTTPS Vendor-Based: Simatic RSLinx/Logix Centum and all TCP & UDP based protocols 7. Following approval session is initiated with granular privilege 2. User is authenticated 4. VSE polling the CS for requests 1. 3rd party want to access an assets 3. SC ask CS to open a tunnel 5. Following a certificate based handshake, TLS encrypted outbound tunnel is established 12 6. Plant can approve/deny access, and thereafter supervise, record and terminate the remote session

Demo Risk Manager and ICS Shield Together 13

Risk Manager and ICS Shield Comparison 14 Risk Manager excels at: Being able to measure, monitor & manage risk Enterprise-wide dashboard visibility Out of the box recommendations for immediate action Risk Manager shows you what you need to do ICS Shield strengths: Asset Discovery Connect via Secure Remote Access Protect through multi-vendor monitoring and patching ICS Shield helps you do it!

15

Thank you!

Backup Slides 25

R170 Syslog Forwarding 18 Expedited Reporting Leveraging Your Existing SIEM Tools Enterprise Risk Manager at Level 4 can forward data to a Level 4 SIEM Syslog in R170 adds to Risk Manager existing capabilities: - Forward to a SIEM in L3 or L3.5 or to a forwarding device to L4 - Calculations are available as SYSLOG output in either CSV or KVP Using the Risk Manager Syslog Forwarding feature can eliminate the need for procuring, licensing, and configuring a third party syslog forwarding solution

Additional Features of IERM Secure SYSLOG Level 4 19 Data From Other Site Risk Managers Use same mechanism as ERM to securely forward SYSLOG messages to Level 4 Risk Manager can receive SYSLOG from multiple ICS devices Set up devices to send SYSLOG to Risk Manager Risk Manager configured to receive sent SYSLOGs Risk Manager will forward the SYSLOG messages to Level 4 Enterprise Risk Manager IERM will send all received SYSLOG messages to SIEM

R170 Analysis Views 20 Power User Analytics to Understand and Act on Industrial Cyber Security Risks Drag-and-drop report creation helps simplify risk analytics: No configuration or programming required Location hierarchy view expedites search and analysis across sites Save and Save As report options help simplify report documentation Table and trend views of KPIs expedite analysis 8 standard reports included from integrated Risk Manager dashboard

Discover The Starting Point For A Secure ICS 21 End-to-end visibility into the ICS Asset Discovery down to L2 Configuration collection Change monitoring Classification & labeling Visualization Assets labeling

Connect Expert To Asset, Fast And Secured 22 Improving Assets Reliability & Safety Control system vendors,3 rd party vendors, contractors Authentication, Authorization, and Accounting AAA Remote Access Control Centralized authentication Granular privilege Accountability with full audit Real-time supervision and session termination Vault Files & Data transfer

Protect Automate Plant-wide Security Policy 23 23 Control system vendors,3 rd party vendors, contractors Minimize manual effort and human mistakes 1. Create a policy 6. Refine policy Improve security and compliance by standardizing on: Plant-wide policies System Patching Anti-virus 2. Distribute 4. Send data 5. Analyze and make decision 3. Enforce

Case Study 1 Discovery And Inventory 24 Multi-National Conglomerate Active & passive discovery Down to level 2 30 plants a year >200 plants in plan >1000 field assets/plant SOLUTION BENEFITS Visibility of ICS network Inventory control Vulnerability snapshot

Case Study 2 Secure Remote Access 25 Global Pulp & Paper Enterprise 150 plants 400-1000 field assets/plant 60 vendors 1500 routine users SOLUTION BENEFITS 60 1 remote access entry Reduced risk to ICS network Reduce TTR

Case Study 3 Secure Remote Access 26 Global Chemical & Plastics Producer 130 plants 500-1200 field assets/plant ~80 vendors and 3rd party 25,000 users SOLUTION BENEFITS ~80 1 remote access entry point 30% operational savings Increased compliance

Case Study 4 Security Essentials Coverage 27 Global Tier-1 Oil & Gas Enterprise 30 upstream & downstream plants More plants are pending Outsourcing Operations 2500 users Shielding 400-1600 field assets/plant SOLUTION BENEFITS Drove annual cost savings Reduced risk to ICS network Increased compliance Asset Inventory Semi-Automated Collection of PCD Assets and Asset Information Process Control Domain (PCD) Access Standardised Remote Access on a Single Platform Maturity Reporting Centralised, Automated Maturity & Compliance Reporting Patch Management Automate QPL Synchronisation and Standardized, Automated Patching Anti-Virus Management Automated Update of Approved AV Signature Files Log Collection Leverages Group Standard SIEM for Global Awareness

ICS Shield : Secure Tunnel and Communication Server 28 Maintain data integrity and reducing the attack surface TPM Trusted Platform Module - Mutual authentication between VSE and SC using standard public key/private key cryptography protocols Modified Purdue PERA compliant through VSP(proxies) and VSF(flippers) Application/Activity Granularity(2018) RDP and VNC Supervision and Recording of sessions Password Vault Transfer files & data from plant to SOC and from SOC to plants Tunnel overcomes unstable network conditions Can handle any type of remote connection over a single outbound port Communication Server Installed at the data center DMZ Manage all communication between SC & VSE Bridge remote access tunnel PR.DS-2: Data-in-transit is protected Secure Tunnel Technology Outbound only, port 443 To a specific IP address Single FW rule TLS 1.2- encrypted

ICS Shield System Architecture 29 WMI / SNMP / OPC / SSH / HTTP / Telnet (CLI) VNC / RDP / SFTP / FTP / RSLinx / RSLogix /SIMATIC Any Proprietary TCP or UDP based protocols Windows Networking Industrial

Compliance Dashboard 30

Plant Hardening Compliance Report 31 Device IP address? Device s business criticality/exposure? AV up to date? AV installed? Backup on time? AV running? All Parameters Collected? Logs being collected and sent to the SIEM? OS patches up to date? Custodian? Devices? OS still supported?

Active Asset Discovery and Inventory 32 LOGICAL WORKFLOW BASICS The asset discovery high level workflow for detecting new devices is based on the following steps: VSEs will systematically scan designated DCS networks for existing and added assets Get all the required Properties from the Discovery Engine settings. With the given configuration and the IP range, execute network search for all the existing devices: Windows machines: WMI and run PowerShell commands on ports 135, 445, 3389 Linux Machines: SSH on ports 22, 23 Networking equipment: SNMP on port 161 Each detected device will be classified according to its OS (based on ports scan) Once devices are added, the VSE will connect to them, using given credentials(read only), in order to collect inventory data points, such as: Asset tag, Manufacturer, Operating System information, CPU, Memory, and many others. The above collected information will be transmitted to the Security Center via port 443 outbound and will be assigned to the designated asset/device.

Configuration Data For Windows Devices 33 Configuration data is collected periodically Automatically Collected via WMI o IP addresses o MAC addresses o OS name and version o Application software name and version o OS patches name and date o HW manufacturer and model o AV agent name and version o AV signatures file version and date o AV service status o Additional upon request Added manually o Custodian o Criticality (C, E, N) o Type (monitoring system, safety system, workstation, server ) o Vendor o Vendor software o Function (metering, engineering station,..) o Life-cycle (active, inactive ) o Deviation (free text)

Configuration Data For Linux Devices 34 Configuration data is collected periodically Automatically Collected via SSH o IP addresses o MAC addresses o OS name and version o Application software name and version o OS patches name and date o HW manufacturer and model o AV agent name and version o AV signatures file version and date o AV service status o Additional upon request Added manually o Custodian o Criticality (C, E, N) o Type (monitoring system, safety system, workstation, server ) o Vendor o Vendor software o Function (metering, engineering station,..) o Life-cycle (active, inactive ) o Deviation (free text)

Configuration Data For Networking Devices 35 Automatically Collected via SNMP o IP addresses o MAC addresses o Serial number o Firmware revision o HW manufacturer and model o Device attributes o Location o Description o Additional upon request Added manually o Custodian o Criticality (C, E, N) o Type (monitoring system, safety system, firewall, router ) o Vendor o Vendor software o Life-cycle (active, inactive ) o Deviation (free text)

Supported Protocols 36 OT protocols IEC 60870-5-104 DNP3 ICCP TASE.2 IEC 61850 (MMS, GOOSE, SV) IEEE C37.118 (Synchrophasor) Modbus/TCP EtherNet/IP CSLib (ABB 800xA) DMS (ABB AC 800 F) MMS (ABB AC 800 M) Step7 (Siemens) OMS+ (Siemens) OPC-DA OPC-AE DeltaV (Emerson) Ovation (Emerson) Vnet/IP (Yokogawa) BACnet PROFINET Rockwell CIP extensions Experion (Honeywell) OASyS (Telvent) IT Protocols SMB/CIFS RPC/DCOM LDAP NetBIOS HTTP (T)FTP SSH SSL SMTP IMAP POP3 VNC/RFB RDP Telnet SNMP NTP DNS Radius Kerberos MS-SQL SunRPC and others

Enjoy The Upside Of Connected Plants & Minimize Risk 37 Summary Assess your level of industrial cyber security maturity Manage cyber security as a program Solve the immediate challenges with clear ROI Ensure value for central IT as well as plant people Focus on the essentials Choose the right experienced partner Consider outsourcing planning, implementation and management

Demo Risk Manager and ICS Shield Together 38

Demo Risk Manager and ICS Shield Together 39

Demo Risk Manager and ICS Shield Together 40

Demo Risk Manager and ICS Shield Together 41

Demo Risk Manager and ICS Shield Together 42

Demo Risk Manager and ICS Shield Together 43

Demo Risk Manager and ICS Shield Together 44

Demo Risk Manager and ICS Shield Together 45

Demo Risk Manager and ICS Shield Together 46

Demo Risk Manager and ICS Shield Together 47

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback