Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network


Executive Summary

Organizations in the oil, gas, and power industries are under increasing pressure to implement tougher protections for critical cyber assets. Industry standards and government regulations are driving many of these requirements. Increasingly, organizations in the energy industries are converging business and supervisory command and control traffic onto common network infrastructures to improve efficiencies. In this converged environment, defending enterprise networks is an imperative for critical infrastructure protection.

Traditional enterprise network protection strategies focus on protecting the network perimeter with firewalls, DMZs, and border and screening router ACLs. Over time, however, enterprise network boundaries have become increasingly porous. Enterprise networks now extend to remote sites, local offices and wireless networks, while VPNs and virtualization solutions make access to enterprise networks possible from virtually anywhere. Protecting the perimeter is no longer a sufficient strategy for enterprise network protection.

Applied Identity's Identisphere leverages identity aware networking to provide a simple and elegant solution to the problem of critical infrastructure protection. With the Identisphere solution, a gateway appliance deploys within the enterprise network and enforces access policies on traffic to and from protected resources. These policies can be defined based on user identities and attributes managed in enterprise directories. As a result, only users authorized to access sensitive resources can see those resources on the network, and traffic from unauthenticated or unauthorized users is blocked at the gateway. Identiforce implements network-level policy enforcement that complements application-level controls and helps address regulatory requirements.

Applied Identity's Identisphere deploys into existing networks and does not require expensive rip-and-replace or rearchitecting of network infrastructure. System reengineering is also unnecessary, since controls are applied at the network layer and are transparent to applications. Identisphere logs access and enforcement activities and provides customizable reporting capabilities for usage monitoring and auditing. Identisphere delivers these benefits with an easy-to-administer, firewall-like interface and policy rules, utilizing the existing enterprise directory service to provide administrators with centralized identity and policy management.

One of the largest petroleum companies in the world deployed Applied Identity's Identisphere to meet its critical infrastructure protection requirements. With a distributed network extending to refineries and extraction facilities, the company recognized the need to protect the critical assets in place at these remote locations from unauthorized access, as well as to protect its enterprise network from potential penetration attacks targeting these facilities. Identisphere delivered exceptional time-to-value for this company with a solution that was completely transparent to the existing systems, applications and users.

Challenge of Securing Critical Assets

In the oil, gas and power industries, critical infrastructure vulnerabilities can potentially translate into major service disruptions and public safety concerns. As a result, organizations in these industries are under increasing pressure to implement tougher standards for protecting their critical cyber assets. Many of these requirements are being driven by industry standards and government regulations. The language of the United States Federal Energy Regulatory Commission's most recent Mandatory Reliability Standards for Critical Infrastructure Protection and of NERC's CIP Reliability Standards reflects the challenges these industries face. For example, the CIP-007 standards require:

R2. Ports and Services. The Responsible Entity shall establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled.
R2.1. The Responsible Entity shall enable only those ports and services required for normal and emergency operations.
R2.2. The Responsible Entity shall disable other ports and services, including those used for testing purposes, prior to production use of all Cyber Assets inside the Electronic Security Perimeter(s).
R2.3. In the case where unused ports and services cannot be disabled due to technical limitations, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.

Under these rules, organizations are required to establish and document processes for controlling access to all ports and services in their cyber infrastructure, to have the flexibility to adapt controls for tests and emergency operations, and to be capable of demonstrating their compliance with these regulations to management and third parties. Clearly, implementing these capabilities in existing applications and network infrastructures is a daunting task.
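The R2 sub-requirements above amount to a reconciliation: every enabled port or service on an asset must be either documented as required (R2.1), disabled (R2.2), or covered by a documented compensating measure (R2.3). The following script is an added example, not part of the paper or the vendor's product, that performs that reconciliation for one host. The baseline, the host, the service names and the "observed" listener table are all constructed; in a real audit the observed table would come from a host inventory tool or a listing such as `ss -ltnup`.

```python
"""Added example (not from the paper or its vendor): reconcile a host's
listening ports and services against the documented baseline that CIP-007 R2
calls for. All hosts, services and baseline entries below are constructed;
in practice the observed listeners would come from a host inventory tool."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Listener:
    proto: str    # "tcp" or "udp"
    port: int
    service: str


@dataclass
class Baseline:
    """The documented R2 process artifact for one asset."""
    required: Set[Listener]                                          # R2.1: needed for normal/emergency ops
    compensating: Dict[Listener, str] = field(default_factory=dict)  # R2.3: cannot be disabled; measure documented


@dataclass
class Finding:
    listener: Listener
    status: str   # "required" | "compensated" | "undocumented" | "missing"
    note: str = ""


def reconcile(observed: Set[Listener], baseline: Baseline) -> List[Finding]:
    """Classify every observed listener, then flag required services that are not running."""
    findings: List[Finding] = []
    for lst in sorted(observed, key=lambda x: (x.proto, x.port)):
        if lst in baseline.required:
            findings.append(Finding(lst, "required"))
        elif lst in baseline.compensating:
            findings.append(Finding(lst, "compensated", baseline.compensating[lst]))
        else:
            findings.append(Finding(lst, "undocumented",
                                    "not in baseline: disable before production (R2.2) "
                                    "or document a compensating measure (R2.3)"))
    for lst in sorted(baseline.required - observed, key=lambda x: (x.proto, x.port)):
        findings.append(Finding(lst, "missing", "required service is not listening"))
    return findings


def undocumented(findings: List[Finding]) -> List[Listener]:
    """The listeners an auditor would cite: enabled, but neither required nor compensated."""
    return [f.listener for f in findings if f.status == "undocumented"]


# Constructed baseline for a hypothetical PLC gateway host
BASELINE = Baseline(
    required={Listener("tcp", 502, "modbus"), Listener("tcp", 22, "sshd")},
    compensating={Listener("tcp", 80, "embedded-web-ui"):
                  "vendor firmware cannot disable the web UI; access restricted by ACL"},
)

# Constructed "observed" listener table (what an inventory agent would report)
OBSERVED = {
    Listener("tcp", 502, "modbus"),
    Listener("tcp", 22, "sshd"),
    Listener("tcp", 80, "embedded-web-ui"),
    Listener("tcp", 23, "telnetd"),   # left over from factory testing
}

if __name__ == "__main__":
    for f in reconcile(OBSERVED, BASELINE):
        print(f"{f.listener.proto}/{f.listener.port:<5} {f.listener.service:<16} {f.status:<12} {f.note}")
```

Run periodically and diffed against the previous run, the "undocumented" and "missing" findings are the evidence an entity would need to show both that its process exists and that it is being followed; the compensating-measure text travels with the finding so the report is self-explanatory to a third party.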
This paper describes how Applied Identity's identity aware network solutions can be deployed to address these requirements without replacing network infrastructures or reengineering existing software and systems.

[Figure: The highly distributed nature of the energy industry makes infrastructure protection challenging.]

Limitations of Traditional Strategies

Originally, components making up critical infrastructures were segmented onto their own, physically distinct networks. This meant that network elements responsible for supervisory control and data acquisition functions, such as switches, valves, pressure monitors, and the like, were physically segregated from business networks. Because of the protection afforded by such physical isolation, building extensive security into these components was not a priority for manufacturers or customers.

In recent years, however, this situation has changed as organizations have come to appreciate the economic benefits of converging data on their business and supervisory control networks. Today it is not uncommon to find control and monitoring data for an oil pipeline aggregated into a local field office, or enterprise networks extending to a refinery or oil rig and carrying both business and command-and-control traffic. Because of this network convergence, effectively securing critical infrastructures in these environments has come to rely heavily on protecting the enterprise network.

Traditional enterprise network protection strategies focus on defending the network perimeter. These protection strategies include approaches such as firewalls, DMZs, and border and screening router ACLs. Such controls are designed to keep the bad guys from gaining access to the internal network. Industry veterans sometimes describe this approach as "hard and crunchy outside, soft and chewy inside." One problem with relying exclusively on perimeter protection solutions is that enterprise network boundaries have become increasingly porous. Extending enterprise networks to remote sites, local offices, wireless networks and semi-public locations exposes networks to new threats and introduces new points of vulnerability.
VPNs create many potential modes for remote users to access enterprise networks from home computers, laptops and mobile devices. Application virtualization solutions are becoming an increasingly popular approach for reducing operational costs and improving users' experience; however, they also bring the potential to effectively turn external threats into internal threats. Perimeter network protection is necessary, but not sufficient, to meet the challenges presented in securing today's networks and applications.

Infrastructure protection approaches have been introduced which seek to address the limitations of perimeter protection strategies. These effectively move the focus for protection off of the perimeter and into the network. All, however, have their limitations. For example, network partitioning, either physical or virtual, has been used to segregate critical assets from the general enterprise network. These solutions can require network infrastructure upgrades or rearchitecture, however, and may not lend themselves to protecting critical assets in remote locations. Solutions using role-based access control (RBAC) seek to leverage application security to restrict user access to resources. However, these solutions can be expensive and time-consuming to deploy, and cumbersome to manage as new applications are deployed and roles proliferate throughout the organization.

Protecting Assets with Identity Aware Network Solutions

Identisphere from Applied Identity addresses the challenge of critical infrastructure protection with an identity aware network solution. Identity aware networking leverages enterprise identities to effectively protect networks from the inside. With Identisphere, a client agent or hosted gateway authenticates the user against the organization's existing enterprise directory. All subsequent network traffic bound for protected resources originating from the user's client is then securely tagged with the user's identity information.
Applied Identity's gateway appliance, ID-Enforce, deploys in front of protected resources, applying access policies to traffic bound for those resources. The ID-Enforce gateway consults the enterprise directory to apply the required access policies and strips the secure identity tag from the network traffic, making the solution completely transparent to applications and networking devices. The Identisphere Manager provides centralized administration and monitoring of access policies and makes policy definition and reporting easy.

[Figure: With Applied Identity's Identisphere solution, protected resources are accessible only to privileged users.]

Applied Identity's Identisphere is a simple and elegant solution to the problem of protecting critical infrastructure and demonstrating compliance. With Identisphere, only users authorized to access sensitive resources can see those resources on the network. Traffic from unauthenticated or unauthorized users is blocked at the ID-Enforce gateway. The Identisphere solution introduces network-level access policy enforcement that complements application-level controls and in many cases negates the need to re-engineer applications to address compliance requirements. Identiforce's logging and reporting capabilities make it easier for organizations to respond to compliance audits. Also, since network and application controls remain independent, the solution presents an easy approach to implementing the separation of duties required in many regulated environments.

Maintaining continuity of operations in the event of an emergency is a major concern for organizations responsible for critical infrastructures. Identisphere's directory-based approach to policy management provides the flexibility to adapt controls for tests and emergency operations. Identisphere Manager, Identisphere's administrative component, has the ability to determine and suggest policy rules based on monitored network traffic. Identisphere Manager then allows administrators to simulate the impact of a given set of policy rules on live network traffic without actually performing the policy enforcement.
This capability enables teams to define new policy rules and evaluate their impact on operations on the fly, during live testing exercises, for example. In this way, administrators may build network access policies for normal and emergency operational scenarios which can be managed in the directory and executed at a moment's notice.
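To make the mechanism concrete, here is a toy identity-aware gateway, written as an added example for this page rather than taken from Applied Identity's product. It follows the flow described in the two sections above: the client side binds the authenticated user's identity to the traffic with a tag, the gateway verifies the tag, consults a directory for the user's group memberships, applies firewall-like rules with a default deny, logs every decision, and strips the tag before forwarding so the protected application never sees it. A "simulate" mode evaluates the rules and records the verdict without dropping anything, and a small helper proposes candidate rules from the simulated traffic for an administrator to review. The directory, rule set, user names, addresses, shared key and tag format (user:hmac) are all constructed assumptions; the real product's tag format and directory integration are not described on this page.

```python
"""Added example (not Applied Identity code): a toy identity-aware gateway with
enforce and simulate modes. Directory contents, rules, addresses, the shared
key and the tag format are constructed stand-ins."""
import hashlib
import hmac
import ipaddress
from typing import Dict, List, Optional, Tuple

TAG_KEY = b"constructed-shared-secret"   # assumption: agent and gateway share this key

# Constructed stand-in for the enterprise directory: user -> group memberships
DIRECTORY: Dict[str, set] = {
    "alice": {"scada-operators", "staff"},
    "bob": {"staff"},
}

# Constructed firewall-like policy: first matching rule wins, default deny
RULES: List[dict] = [
    {"group": "scada-operators", "dst": "10.1.0.0/24", "port": 502, "action": "allow"},
    {"group": "staff", "dst": "10.2.0.0/24", "port": 443, "action": "allow"},
]

AUDIT_LOG: List[dict] = []   # every decision is recorded for usage monitoring and audit


def make_tag(user: str) -> str:
    """Client side: bind the authenticated user's identity to the flow (constructed format)."""
    mac = hmac.new(TAG_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify_tag(tag: Optional[str]) -> Optional[str]:
    """Gateway side: return the user name if the tag is authentic, otherwise None."""
    if not tag:
        return None
    user, _, mac = tag.partition(":")
    expected = hmac.new(TAG_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def match_rule(groups: set, dst: str, port: int) -> Optional[int]:
    """Index of the first rule matching the user's groups and the destination, or None."""
    for i, r in enumerate(RULES):
        if (r["group"] in groups
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r["dst"])
                and port == r["port"]):
            return i
    return None


def gateway(packet: dict, mode: str = "enforce") -> Tuple[str, Optional[dict]]:
    """Apply policy to one packet. Returns (verdict, packet to forward or None).

    mode="enforce": a deny verdict drops the packet.
    mode="simulate": the verdict is logged but the packet is forwarded regardless,
    so a rule set's impact can be observed on live traffic before it is enforced.
    In both modes the identity tag is stripped, keeping the gateway transparent
    to the protected application."""
    user = verify_tag(packet.get("tag"))
    groups = DIRECTORY.get(user, set()) if user else set()
    hit = match_rule(groups, packet["dst"], packet["port"])
    verdict = RULES[hit]["action"] if hit is not None else "deny"
    AUDIT_LOG.append({"mode": mode, "user": user or "unauthenticated",
                      "groups": sorted(groups), "dst": packet["dst"],
                      "port": packet["port"], "verdict": verdict, "rule": hit})
    if mode == "enforce" and verdict != "allow":
        return verdict, None
    forwarded = {k: v for k, v in packet.items() if k != "tag"}   # strip the identity tag
    return verdict, forwarded


def suggest_rules(log: List[dict]) -> List[dict]:
    """Propose candidate allow rules from authenticated traffic that simulate mode
    would have denied. Output is for administrator review, never applied automatically."""
    seen = set()
    suggestions = []
    for rec in log:
        if rec["mode"] != "simulate" or rec["verdict"] == "allow" or not rec["groups"]:
            continue
        net = str(ipaddress.ip_network(f'{rec["dst"]}/24', strict=False))
        key = (rec["groups"][0], net, rec["port"])
        if key not in seen:
            seen.add(key)
            suggestions.append({"group": key[0], "dst": net, "port": key[2], "action": "allow"})
    return suggestions


if __name__ == "__main__":
    pkt = {"src": "10.9.0.10", "dst": "10.1.0.5", "port": 502, "tag": make_tag("alice")}
    print(gateway(pkt))                       # ('allow', packet without tag)
    pkt["tag"] = make_tag("bob")
    print(gateway(pkt))                       # ('deny', None)
    print(gateway(pkt, mode="simulate"))      # ('deny', packet still forwarded)
    print(suggest_rules(AUDIT_LOG))
```

Two design points carry over from the paper's description. First, an absent or forged tag resolves to "unauthenticated" and falls through to the default deny, so a protected resource is unreachable to anyone the gateway cannot attribute to a directory identity. Second, the audit record is written in both modes, which is what lets an operations team rehearse an emergency rule set under simulate mode and read the would-have-denied entries before switching to enforce.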

Applied Identity's Identisphere brings superior ease and time-to-value to the challenge of critical infrastructure protection. With Identisphere, there is no need for expensive rip-and-replace or rearchitecting of network infrastructure. System reengineering is also unnecessary, since controls are applied at the network layer and are transparent to applications. Management of access privileges and policies is centralized through the directory service, and administration is simplified with an easy-to-use, firewall-like interface.

Customer Case Study

Recently, one of the largest petroleum companies in the world needed to improve critical asset protection at its remote refineries and extraction facilities. The company had far-flung operations in remote, relatively unpopulated areas. Many of these locations housed critical process control infrastructure and were locally maintained by a handful of employees. To complicate matters from a security perspective, enterprise networks extended to these remote locations for the purpose of providing supervisory process control and data acquisition. The company recognized the need to protect the critical assets in place at these remote locations from unauthorized access, as well as to protect the enterprise networks from potential penetration attacks targeting these facilities.

This oil company leveraged Applied Identity's Identisphere to meet its critical infrastructure protection requirements. Their strategy was to deploy a high-availability pair of ID-Enforce appliances at remote locations to control and monitor network access to critical assets at the site. Lightweight agents were deployed on clients only for those users who needed access to those resources, and user authentication was transparent to these users through integration with Windows authentication. The result was that only authenticated and authorized users could access the critical assets on the network, and those assets were rendered invisible to everyone else.

The Identisphere solution provided exceptional time-to-value for this company's deployment. Since enforcement was accomplished at the network level, it was completely transparent to the existing systems and applications. The solution also had the advantage of low user impact. Only those users who required access to the critical assets needed a client agent installed, and the authentication experience was completely transparent for those users, negating any requirement for additional user training. Likewise, management of the solution was streamlined through centralized administration of users and access privileges in the enterprise directory services. Finally, Identisphere's access logging and reporting capabilities made it easy to track network access to critical resources on an individual user basis and to generate reports to demonstrate policy compliance when needed.

Summary

Identity aware networking provides a superior solution to the challenge of protecting critical infrastructure assets in the energy industry. Applied Identity's Identisphere delivers the power of identity aware networking to augment traditional asset protection approaches by moving accountability and enforcement inside the enterprise network. The Identisphere solution deploys quickly into existing infrastructures with no reengineering of existing systems and applications required. It enables easy, centralized administration with directory-based identity and policy management, and protects network assets with no change in user experience.

About Applied Identity: Building Identity into the Network

Applied Identity's identity aware network solutions deploy rapidly into existing infrastructures to reduce administrative overhead, protect critical assets and address your compliance initiatives. Organizations use Applied Identity's solutions to:

- Support compliance efforts such as GLBA, PCI, HIPAA, FISMA, NERC and EU Privacy Directives.
- Provide enterprise network access to contractors and others through guest networking solutions.
- Protect critical infrastructures and defend enterprise networks from breaches at remote sites and foreign offices.
- Ease the burden of network audits with automated reporting.

Founded in 2004, Applied Identity is the only vendor to provide a complete policy lifecycle management solution enabling global policy creation and network-level enforcement based on user identity. Applied Identity's solutions:

- Save time by deploying rapidly into existing infrastructures.
- Save money by reducing administrative overhead and easing compliance burdens.
- Save networks by applying the power of identity aware networking to protect networks from the inside.
- Add security and accountability to your enterprise network.

For more information about Applied Identity and our solutions, or to schedule a FREE Network Activity Assessment, please see our website at www.appliedidentity.com

2009 Applied Identity, Inc. All rights reserved. Applied Identity, Applied Identity Logo, Identisphere, ID-Unify, ID-Audit, ID-Policy, and ID-Mark are trademarks of Applied Identity, Inc.