CYBER SECURITY PROGRAM: Policies to Controls
Safdar Akhtar, Cyber Director
Sema Tutucu, Ops Leader
27 September 2017
Can You Answer These Questions?
What's my company's exposure to the latest industrial cyber threat?
Are my plants compliant with our corporate cyber security directive?
>50% of Boards of Directors are not satisfied with leadership's cyber issue management
Are there non-sanctioned devices, like USBs, that have been added to plant process control networks?
What happens if I have a malware outbreak in my control network? Production impact? Operations staff SOP?
Agenda
Industrial Cybersecurity Overview
Where to Start
Honeywell Vision
Assessment & Remediation - Examples
Brownfield Vs. Greenfield
Cybersecurity Project Phases
Q & A
Industrial Cyber Security
Industrial Cyber Security is the body of practices, processes and technologies designed to defend process control networks, systems, computers, programs and data from attack, damage, disruption, unauthorized access or misuse
- Protecting against external and internal threats
- Detecting, responding to and recovering from cyber attacks and incidents
Safeguarding availability, safety and reliability and managing risk
- Keeping plants running smoothly without disruption
- IT cyber security, in contrast, focuses more on protecting information than physical assets, operations and people
Requires deep understanding of process control networks, operations, information technology and cyber security
No Silver Bullet
Process - Management System
- Through policies and procedures: Patch Management, Secure Remote Access, Anti-virus, Backup and Restore, Change Management, Perimeter Security
- Periodic Audits
People - Weakest link
- Training and Awareness
- Professional Skills & Qualification
- Motivation
Technology
- Installed and maintained
If any part fails you are at risk
Where to Start
Cybersecurity Management System (CSMS) in place (Best)
- Unacceptable risks require mitigation
Cybersecurity assessment has identified the gaps (Better)
- Critical & high priority gaps need to be fixed
Mandatory compliance requirements (Good)
- Non-compliance items need a fix
Facing technical issues, functional or security (OK)
- Need a solution
Ad hoc approach (Bad)
- Likeness, following the trend etc.
Wrong impression of cybersecurity (Worst)
- Air-gap, misconfigured cybersecurity solutions etc.
Don't know? Start with a cybersecurity assessment
- Aim for a roadmap with CSMS as the ultimate goal
Honeywell Industrial Cyber Security Vision
Assess: assess assets against industry standards, regulatory requirements and best practices
- Provides a roadmap to eliminate exposed risk
Remediate: addresses issues identified in the Assess phase with a custom-designed Industrial Cybersecurity Program
- Multi-layered secure defense-in-depth network design
- System hardening
- Compliance and governance development
- Security awareness program
Manage: focus is on preserving and enhancing the investment made in security, by applying services and training
- Workflow Implementation
- Anti-virus and Patch Management
- Network Perimeter Management
- Change Management Program
Assure: focuses on program monitoring to assure it is functioning as designed
- Reporting, Verification, Analytics etc.
Cybersecurity Assessment
Planning Phase
- Assessment Team
- Assessment Scope & Goals
- List of Attack Vectors
- Assessment Plan
Data Collection Phase
- Vulnerability Scan
- Configuration Data
- Document Collection
- Interview Key Personnel
Analysis Phase
- Evaluation of Vulnerabilities, Patches, Malware
- Attack Surface Analysis
- Password Auditing
- Log Management Auditing
- Network Access Auditing
- Evaluation of Network Architecture
- Evaluation of Authorized Software and Network Traffic
- Configuration Reviews
- Policy & Procedure Reviews
- Risk Profiling
- Risk Mitigation
Outcome: Execution Gap, Design Gap, Technology Gap
Reporting Phase
- Detailed Report
- Executive Summary Report
- Audit Report against ISA 99
- Presentation / Workshop
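The Analysis Phase turns the configuration data collected per host into findings (authorized-software evaluation, patch evaluation, non-sanctioned media) and a risk profile. The script below is an added example of that step, not tooling from the deck or from Honeywell; the software allowlist, the PATCH-2017-xx identifiers, the sanctioned media serial numbers, the severity and level weights, and the three host records are all constructed sample data.

```python
"""Assessment gap analysis over collected per-host configuration data.

Added example (not the deck's tooling). Compares each host's installed
software, applied patches and attached removable media against constructed
baselines, emits findings with a severity, and ranks hosts by a simple
level-weighted risk score.
"""
from collections import Counter, defaultdict

# Constructed baselines: placeholder identifiers, not real patch numbers.
AUTHORIZED_SOFTWARE = {"control-hmi", "av-agent", "backup-agent", "patch-agent"}
BASELINE_PATCHES = {"PATCH-2017-01", "PATCH-2017-02", "PATCH-2017-03"}
SANCTIONED_MEDIA = {"SN-ENG-0001"}  # serial numbers of approved USB devices

# Constructed sample of Data Collection Phase output for three hosts.
HOSTS = [
    {"host": "hmi-01", "level": "2",
     "software": {"control-hmi", "av-agent", "patch-agent"},
     "patches": {"PATCH-2017-01", "PATCH-2017-02", "PATCH-2017-03"},
     "media": set()},
    {"host": "eng-ws-01", "level": "3",
     "software": {"control-hmi", "av-agent", "media-player"},
     "patches": {"PATCH-2017-01"},
     "media": {"SN-UNKNOWN-77"}},
    {"host": "hist-01", "level": "3",
     "software": {"backup-agent", "av-agent", "patch-agent"},
     "patches": {"PATCH-2017-01", "PATCH-2017-02"},
     "media": {"SN-ENG-0001"}},
]

# Severities and level weights are assumptions for illustration: a finding on
# a Level 1/2 (control) host weighs more than the same finding at Level 3+.
SEVERITY = {"unauthorized_software": "Medium",
            "missing_patch": "High",
            "unsanctioned_media": "High"}
SEVERITY_SCORE = {"High": 3, "Medium": 2, "Low": 1}
LEVEL_WEIGHT = {"1": 3, "2": 2, "2.5": 2, "3": 1, "3.5": 1, "4": 1}


def analyse(hosts, authorized=AUTHORIZED_SOFTWARE, baseline=BASELINE_PATCHES,
            sanctioned_media=SANCTIONED_MEDIA):
    """Compare every host against the baselines; return a list of findings."""
    findings = []
    for h in hosts:
        checks = (
            ("unauthorized_software", h["software"] - authorized),
            ("missing_patch", baseline - h["patches"]),
            ("unsanctioned_media", h["media"] - sanctioned_media),
        )
        for kind, items in checks:
            for item in sorted(items):
                findings.append({"host": h["host"], "level": h["level"],
                                 "type": kind, "detail": item,
                                 "severity": SEVERITY[kind]})
    return findings


def severity_summary(findings):
    """Counts per severity, the figure an executive summary report carries."""
    return Counter(f["severity"] for f in findings)


def rank_hosts(findings):
    """Risk profile: hosts ordered by weighted finding score, highest first."""
    score = defaultdict(int)
    for f in findings:
        score[f["host"]] += SEVERITY_SCORE[f["severity"]] * LEVEL_WEIGHT[f["level"]]
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = analyse(HOSTS)
    for f in found:
        print(f"{f['severity']:6} {f['host']:10} L{f['level']:3} "
              f"{f['type']:22} {f['detail']}")
    print(dict(severity_summary(found)))
    print(rank_hosts(found))
```

On the sample data the clean HMI produces no findings, the engineering workstation accumulates an unauthorized package, two missing patches and an unknown USB device, and the historian is missing one patch; the ranking puts the workstation first. In a real assessment the baselines would come from the site's change management and patch management records rather than from literals.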
Risk Summary Example
[Matrix: plants A to G (site, location, type) rated High/Medium/Low against six security control categories; the per-cell ratings were colour-coded in the original and are not recoverable here]
Security Control Categories:
- SP: Security Policies and Procedures
- PE: Physical and Environmental Security
- SA: Security Architecture
- NA: Network Architecture
- AC: Cyber Access Control
- SM: Cyber Security Management
Rating legend:
- High: the capability of the threat is significant, and compensating controls to reduce the probability of vulnerability exploitation are insufficient
- Medium: the capability of the threat is medium, and implemented compensating controls lessen the probability of vulnerability exploitation
- Low: the capability of the threat is limited, and compensating controls are in place that effectively reduce the probability of vulnerability exploitation
Risk Summary Example Cont'd
Remediation - Example
Phase 1 (Priority: High)
1. Multi-layered Secure Defense-in-Depth Network Design
2. Secure Next-Gen Firewall with IPS / Industrial Firewalls
3. Centralized Antivirus & Patch Management System
4. Security Hardening
5. Application White Listing Solution
Phase 2 (Priority: Medium)
6. Backup & Restore
7. Centralized Network Monitoring Solution
8. USB Protection Solution
9. Cybersecurity Risk Manager
Phase 3 (Priority: Low)
10. Security Information and Event Management (SIEM) Solution
11. Secure Remote Access, Monitoring & Alerting
12. Policies & Procedures Development
Phase 0 Cybersecurity Overlooked
Does not comply with Cybersecurity Standards
Phase 0 Cont'd
Cybersecurity was never a priority
Flat Network
- All devices connected on the same level
Missing Network Segregation
- Zones & Conduits: ISA99/IEC 62443 Recommended Practice
- Levels as per the ISA95 Purdue Model
- Might have levels but without proper segregation & access control
Some misconfigured cybersecurity controls
Gap identification - Assessment
Phase 1 Complying with Standards
Physical Zones & Segmentation
Comply with Cybersecurity Standards
Phase 1 Network/System Segregation
Phase 1 Cont'd
Segregation as per international standards (ISA99/IEC 62443)
All obsolete devices replaced
All systems moved to their proper levels
Level 4 Introduced
- Business Connectivity
- Level 4 Corporate Segregation
- Separation of Duties
Level 3.5 DMZ Introduced
- Data to/from Business
Level 3 Introduced
- Operations Management
Level 2.5 Introduced If Required
- In case of multiple FTE communities
- Virtualization Segregation at Level 2
Phase 2 Cybersecurity Begun
Phase 2 Cont'd
[Network diagram: Level 4, Level 3.5 DMZ, Level 3, Level 2.5, Level 2 and Level 1, showing domain controllers, enterprise switch and routers (ESF, L2.5 primary/secondary, HSRP), firewalls, blade servers, PHD primary and shadow servers, Experion servers and stations (ESC, ESF, ACE, EST, ESVT), terminal servers, anti-virus and patch management servers, NAS/EAS, vCenter and relay servers, Risk Manager/Palo Alto service node, Safety Manager, PLCs, a 3rd party application subsystem interface, qualified Cisco switches, network taps and an aggregator]
Tap located between Level 3 and the border firewall to capture ingress and egress traffic from Level 3
Aggregator located at Level 3 to provide filtered traffic to Risk Manager, SIEM and other tools
Tap located between Level 3 and Level 2.5 to capture ingress and egress traffic from Level 2.5
Tap located between Level 2 and Level 2.5 to capture ingress and egress traffic from Level 2
Tap located between 3rd party systems and Level 2 to capture ingress and egress traffic from third-party systems
Communication flow (legend as recoverable from the diagram):
- Same-level traffic permitted: L4 to L4, L3.5 to L3.5, L3 to L3, L2.5 to L2.5, L2 to L2, L1 to L1
- Limited or very limited traffic between neighbouring levels: L3.5 to L4, L3 to L3.5, L2.5 to L3, L2 to L3, L2 to L1
- No direct communications between L4 and L3 or L2
- No communications between L1 and L3 or L4
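The communication-flow legend on the Phase 2 diagram is a zones-and-conduits policy: traffic stays within a level, crosses to a neighbouring level only through a deliberately designed conduit, and never skips a level (Level 4 reaches Level 3 only via the Level 3.5 DMZ; Level 1 never reaches Level 3 or 4). The script below is an added example of auditing proposed or observed flows against that policy, not configuration from the diagram or from Honeywell. The "one level boundary at a time" generalisation, the optional Level 2.5, the conduit allowlist, and the host names and flows are all assumptions or constructed sample data.

```python
"""Zone-and-conduit audit of level-to-level traffic.

Added example, not the diagram's own configuration. Encodes the rule the
Phase 2 legend states (same level: permitted; neighbouring levels: limited,
and only through an approved conduit; anything that skips a level: denied)
and checks a list of flows against it.
"""
from dataclasses import dataclass

# Level ordering from the Phase 1 slide. Level 2.5 is optional ("if required"),
# so a site without it passes levels=["1", "2", "3", "3.5", "4"].
DEFAULT_LEVELS = ["1", "2", "2.5", "3", "3.5", "4"]


@dataclass(frozen=True)
class Flow:
    src_host: str
    src_level: str
    dst_host: str
    dst_level: str
    service: str


def classify(src_level, dst_level, levels=DEFAULT_LEVELS):
    """'allowed' within a level, 'restricted' across one boundary, else 'denied'."""
    if src_level not in levels or dst_level not in levels:
        raise ValueError(f"unknown level in {src_level!r} -> {dst_level!r}")
    distance = abs(levels.index(src_level) - levels.index(dst_level))
    if distance == 0:
        return "allowed"
    if distance == 1:
        return "restricted"
    return "denied"


# Constructed conduit allowlist: (src_level, dst_level, service) triples the
# design explicitly permits across a boundary. Anything else is a finding.
CONDUITS = {
    ("2", "1", "control-protocol"),         # HMI to controller traffic
    ("3", "3.5", "historian-replication"),  # historian primary to DMZ shadow
    ("4", "3.5", "https"),                  # business users read DMZ data
    ("3.5", "3", "patch-distribution"),     # DMZ patch server to Level 3
}

# Constructed flows, e.g. from a firewall rule review or tap capture summary.
SAMPLE_FLOWS = [
    Flow("hmi-01", "2", "plc-07", "1", "control-protocol"),
    Flow("eng-ws-01", "3", "eng-ws-02", "3", "file-share"),
    Flow("hist-01", "3", "hist-shadow", "3.5", "historian-replication"),
    Flow("erp-app", "4", "scada-srv", "3", "sql"),            # skips the DMZ
    Flow("av-srv", "3.5", "ops-ws-01", "3", "file-share"),    # no conduit
    Flow("corp-laptop", "4", "plc-07", "1", "control-protocol"),
]


def audit(flows, conduits=CONDUITS, levels=DEFAULT_LEVELS):
    """Split flows into approved and violating lists, each entry with a reason."""
    approved, violations = [], []
    for f in flows:
        verdict = classify(f.src_level, f.dst_level, levels)
        if verdict == "allowed":
            approved.append((f, "same level"))
        elif verdict == "restricted":
            if (f.src_level, f.dst_level, f.service) in conduits:
                approved.append((f, "approved conduit"))
            else:
                violations.append((f, f"no approved conduit for {f.service} "
                                      f"from L{f.src_level} to L{f.dst_level}"))
        else:
            violations.append((f, f"L{f.src_level} to L{f.dst_level} crosses more "
                                  "than one level boundary; route via the "
                                  "intermediate level/DMZ"))
    return approved, violations


if __name__ == "__main__":
    ok, bad = audit(SAMPLE_FLOWS)
    for f, why in ok:
        print(f"OK   {f.src_host}(L{f.src_level}) -> {f.dst_host}(L{f.dst_level}) "
              f"{f.service}: {why}")
    for f, why in bad:
        print(f"FAIL {f.src_host}(L{f.src_level}) -> {f.dst_host}(L{f.dst_level}) "
              f"{f.service}: {why}")
```

Three of the six sample flows pass (same-level file sharing, the HMI-to-controller conduit, historian replication into the DMZ) and three fail: the ERP server talking straight to Level 3, the DMZ anti-virus server opening a share on a Level 3 workstation without an approved conduit, and a corporate laptop reaching a PLC. The same check can be rerun with the optional Level 2.5 removed from `levels`, in which case Level 2 to Level 3 becomes a neighbouring-level conduit rather than a skip.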
Phase 2 Cont'd
Various Cybersecurity Solutions Introduced
- Defense in Depth
- Defense in Breadth
IPS Introduced on PCN Level 3.5 DMZ
Next Generation Firewalls
Honeywell Secure Media Exchange (SMX) Introduced
Honeywell Managed Services Introduced (AV, AWL, Patch, Monitoring etc.)
Honeywell Risk Manager Introduced
Security Information and Event Management (SIEM) Introduced
Network Management System (NMS) Introduced
2nd Domain Controller Introduced (Domain Redundancy)
Central Management Station Introduced
Passive IPS Sensors Introduced
System & Network Hardening done as per CIS Standards
Network Taps Introduced
Nextnine or Data Diode between PCN DMZ and IT/Corporate can be introduced
Phase 3 Procedural Controls
Policy & Procedures
- Risk Management
- Change Management
- Patch Management
- Malware Protection
- Account Management
- Backup and Restore
- Asset Management
- Portable Media
- Logging & Monitoring
- Etc.
Incident Response & Management Plan
Operational Manuals
Security Awareness & Training
[Diagram: Information Security as the combination of Technical Controls, Physical Controls and Procedural Controls]
Cybersecurity Never Sleeps
Cybersecurity is a process, not a one-time solution/project
Brownfield Vs. Greenfield
ICS Lifecycle - Design, Build, Operation and Decommissioning
Bolting cybersecurity onto a live ICS
- Difficult & Costly
- Less Effective
Building in and maintaining cybersecurity from an early stage
- More Effective
- Less Costly
- Business Enabler
Cybersecurity Project Phases
Project Award
Project Initiation/Kickoff (Remote / Head Office / On-Site)
- Project Organizational Chart
- Communication Protocol Identification
- Roles & Responsibilities
- Scope of Work Discussion
- Project Schedule
- Site Survey: snapshot of current situation, brief site survey report
Project Design Phase
- Project Bill of Material (BOM): preparation, submission, approval
- Cyber Security System Architecture: preparation, submission, approval
- Network Cabinet & PD Drawing: preparation, submission, approval
Cybersecurity Project Phases Cont'd
- Functional Design Specification (FDS): preparation, submission, approval
- Detailed Design Specification (DDS): preparation, submission, approval
- BOM Procurement
Factory Acceptance Phase
- Factory Acceptance Test (FAT) Procedure: preparation, submission, approval
- FAT Configuration
- Pre-FAT and FAT Execution
- Punch Point Resolution & Signoff
- Equipment Shipment to Site
Site Execution Phase
- Site Acceptance Test (SAT) Procedure: preparation, submission, approval
- Devices, Cabinets etc. Installation & Configuration
- Pre-SAT and SAT Execution
- Punch Point Resolution & Signoff
Cybersecurity Project Phases Cont'd
Knowledge Transfer / Training Phase
- First line maintenance and training manuals
- Training as per agreed scope
As-Built Document
- Updated DDS: submission, approval
Project Monthly Progress Report
Project Closeout Meeting
Conclusion