Challenge: Harden the PI System against cyber threats. Copyr i ght 2014 O SIs oft, LLC.

Similar documents
Cyber Threats: What Should I Do to Harden my PI System?

New Technologies for Cyber Security

What s new in PI System Security?

What s new in PI System Security?

Bypassing Browser Memory Protections

2009 OSIsoft, LLC. OSIsoft vcampus Live! where PI geeks meet OSIsoft, LLC. OSIsoft vcampus Live! 2009 where PI geeks meet

Advanced Diploma on Information Security

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

Cyber Security Bryan Owen PE Principal Cyber Security Manager October 11, 2016

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

Hardcore PI System Hardening

Is Exploitation Over? Bypassing Memory Protections in Windows 7

What s New in PI Security?

External Supplier Control Obligations. Cyber Security

Black Hat Webcast Series. C/C++ AppSec in 2014

How-to Guide: Tenable Core Web Application Scanner for Microsoft Azure. Last Updated: May 16, 2018

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

ENDPOINT SECURITY STORMSHIELD PROTECTION FOR WORKSTATIONS. Protection for workstations, servers, and terminal devices

Security

CS 356 Operating System Security. Fall 2013

Compliance Audit Readiness. Bob Kral Tenable Network Security

PROTECTION FOR WORKSTATIONS, SERVERS, AND TERMINAL DEVICES ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

CASP CompTIA Advanced Security Practitioner Study Guide: (Exam CAS-001)

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Internet infrastructure

Compliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Cyber Security Brian Bostwick OSIsoft Market Principal for Cyber Security

McAfee Embedded Control for Retail

IPM Secure Hardening Guidelines

Buffer overflow background

You knew the job was dangerous when you took it! Defending against CS malware

Securing Your Most Sensitive Data

Pervasive Security Accelerator

I Want to Be Secure: Best Practices for Securing Your PI System

NCCoE TRUSTED CLOUD: A SECURE SOLUTION

Security: The Key to Affordable Unmanned Aircraft Systems

Real-time Communications Security and SDN

Lindström Tomas Cyber security from ABB System 800xA PA-SE-XA

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

Azure Sphere Transformation. Patrick Ward, Principal Solutions Specialist

Top Reasons To Audit An IAM Program. Bryan Cook Focal Point Data Risk

Economies of Scale in Hacking Dave Aitel Immunity

Who s Protecting Your Keys? August 2018

Cybersecurity Best Practices

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

Back to Basics: Basic CIS Controls

MEMORY AND BEHAVIORAL PROTECTION ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Windows 10 Pro for Your Modern Workforce. Jared Bernatt Microsoft Windows

21ST CENTURY CYBER SECURITY FOR MEDIA AND BROADCASTING

CS161 Midterm 1 Review

NETWORKING &SECURITY SOLUTIONSPORTFOLIO

Stack Overflow. Faculty Workshop on Cyber Security May 23, 2012

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

Chapter 9. Firewalls

Security for the Cloud Era

Murray Goldschmidt. Chief Operating Officer Sense of Security Pty Ltd. Micro Services, Containers and Serverless PaaS Web Apps? How safe are you?

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Are Mobile Technologies Safe Enough for Industrie 4.0?

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Feature Comparison Summary

Welcome to the CyberSecure My Business Webinar Series We will begin promptly at 2pm EDT All speakers will be muted until that time

Security Enhancements

align security instill confidence

Jim Reavis CEO and Founder Cloud Security Alliance December 2017

The Oracle Trust Fabric Securing the Cloud Journey

Building a Resilient Security Posture for Effective Breach Prevention

The 3 Pillars of SharePoint Security


OSIsoft Technologies for the Industrial IoT and Industry 4.0

McAfee Embedded Control

Industrial Defender ASM. for Automation Systems Management

Security, compliance and GDPR and Google Cloud

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Implementing NIST Cybersecurity Framework Standards with BeyondTrust Solutions

SONICWALL SECURITY HEALTH CHECK PSO 2017

Reinvent Your 2013 Security Management Strategy

About NitroSecurity. Application Data Monitor. Log Mgmt Database Monitor SIEM IDS / IPS. NitroEDB

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Secure Cloud Computing Architecture (SCCA)

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

Supply Chain Integrity and Security Assurance for ICT. Mats Nilsson

A Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management

Cybersecurity for IoT to Nuclear

SONICWALL SECURITY HEALTH CHECK SERVICE

Windows 10 MCSA Bootcamp

Identity-Based Cyber Defense. March 2017

End-to-End Trust, Segmentation and Segregation in the IIoT

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

SECURE SYSTEMS, NETWORKS AND DEVICES SAFEGUARDING CRITICAL INFRASTRUCTURE OPERATIONS

Evolution Of Cyber Threats & Defense Approaches

SONICWALL SECURITY HEALTH CHECK SERVICE

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Transcription:

1

Challenge: Harden the PI System against cyber threats Presented by Bryan S. Owen PE

4: Least Privileges 3

Hmmm. How do we get started? 4

Knowledge Base Step by Step 5

Excellent! We are just getting started. What else should we know? 6

Learning from history Steelmaking Very expensive prior to 1860 s knives, swords, armor, etc. Engineering innovation Now basic to the world industrial economy

Hardened in Development Steel Fe, C, Mn, Ni, Cr, etc Heat treating Software Input validation, Least privilege SDL process Code PI Server Version SDL Defense Pointer Encoding /Analyze PR1 3.4.375.38 WIS 3.4.380.36 2010 3.4.385 2012 3.4.390 Future Adhoc Heap corruption detection 100% Safe function migration 80% Linker SEHOP (*) Win 2008+ Win 2008+ Win 2008+ Win 2008+ /SAFESEH (*) 100% 100% 100% 100% /DYNAMICBASE (ASLR) Win 2008+ Win 2008+ Win 2008+ /NXCOMPAT (*) Win 2003 SP1+ Win 2003 SP1+ Win 2003 SP1+ /GS Compiler /GS V2 /GS V2 /GS V2 /GS V3 Compiler Version VC++ 2005 VC++ 2005 SP1 VC++ 2008 SP1 VC++ 2010 SP1 Windows Server Core Win 2008+ Win 2008 R2 Win 2008 R2+ Platform Native x64 (*) Supported Supported Supported Supported 8

Hardened in Deployment Epoxy coated pipe Connection Tunnels Windows Advanced Firewall PINET Traffic Connection Security Rules TCP 5450 PI Data Archive 9

Build Complimentary Knowledge Domains Software Development System Integration Operational Excellence Security Research 10

Early days of Cyber Hardening 11

Ideas based on physical security Portable Media Floppy disks CDROM WORM Flash (R/W) Mobile Devices (R/W) 12

Physical and logical hybrids PLC5 Key Switch Program Run Remote Remote Program Remote Test Remote Run 13

Security is Evolving Logical Hybrid Physical 14

Software Based Hardening 15

Hardening Objectives Maintain a sustainable system Increase difficulty of cyber breach Increase detection capability Reduce consequences 16

HD Moore s Law Corollary: Metasploit won t tell you you ve done enough but it just might prove if you haven t. 17

Cyber Security (301) - 5 days http://ics-cert.us-cert.gov 18

Cyber Attack Simulations 19

US Cyber Challenge Infrastructure/Application Security Challenge (April): Date Description Wed. Apr. 2, 2014 10:00am EDT Registration opens Wed. Apr. 16, 2014 7:00am EDT Quiz opens Tue. Apr. 29, 2014 9:00pm EDT Registration closes Wed. Apr. 30, 2014 11:59pm EDT Quiz closes http://uscc.cyberquests.org/ 20

Hardening is hard Technical dependencies Platform and network Application stack System integration Critical information Operational mission Cyber criminal methods Bogus configuration Software vulnerability Post exploitation and pivoting Data exfiltration Command and control 21

IT Security Baselines Microsoft Products Free Download Multi-Platform + Device Limited Free Download Subscription Model* Hardened Virtual Images* NIST + FISMA Multi-Platform + Device Free and Government Only Download 22

Before you start A single mistake can result in total system failure Test on virtual machines Harden before acceptance testing and commissioning Verify hardening in maintenance testing 23

Call to Action 24

Hardened Image Challenge Series Project Hard Rock PI Internal OSIsoft Challenge Create virtual images in Azure Prizes! Enable security features Operating system PI System 25

26

ACDC Omar Mohsen Jupiter Marcos Vainer Loeff Black Crowes Derek Endres Metallica Dan Brooks & Ram Kathiresan 27

Top 4 and More ACDC Black Crowes Jupiter Metallica Applocker Firewall Input Rules Firewall Output Rules Server Core 28

Applocker OSIsoft Publisher Rule 29

Windows Firewall 30

Server Core GUI is add/remove feature as of Windows Server 2012 Eg. Add the management GUI without full desktop: Install-WindowsFeature -name Server-Gui-Mgmt-Infra 31

Least Privilege Data Archive ACDC Black Crowes Jupiter Metallica Authentication Policy Disabled piadmin Audit trail Configuration Changes Buffering & Interface Service Hardening 32

Recommended Authentication Policy API trusts can be disabled for servers without classic interfaces. Eg. Receiving all data from PI Cloud Connect 33

Extra, Extra ACDC Black Crowes Jupiter Metallica PI Security Audit Baseline Security Analyzer Security Compliance Manager EMET 34

Security Compliance Manager Windows 2012 Server Baseline 215 Critical Items! 35

EMET 36

What about the grand prize? 37

Hard Rock PI Omar Mohsen OSIsoft Bahrain 38

Summary: Hard Rock PI Increases domain knowledge Transforms learning and advice Strengthens collaboration 39

Brought to you by

Bryan Owen bryan@osisoft.com @bryansowen Cyber Security Manager OSIsoft, LLC 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback