Rudrajit Roy 20 October 2016 INDUSTRIAL CYBER SECURITY A Comprehensive Approach
Agenda 1 Global Industrial Cyber Security Journey Industry Best Practices Honeywell Industrial Cyber Security Who we are, What can we do? Honeywell Risk Manager Why Honeywell? DEMOs at the Technology Center
SAFETY Culture Vs CYBER Security Culture 2 On the operations floor, which scenario would be considered the more serious violation? Walking through the area without a hard hat or applicable PPE? Beginning to welding without hot work permit? I don t have time for the hazard assessment Configure without security, path of least resistance Connecting untrusted portable devices to critical networks/devices I don t have time to scan Complacency is not tolerated for safety, why Cyber? No Safety, Reliability & Availability without Cyber Security
Global Journey Industrial Cyber Security 3 PAST PRESENT FUTURE 2010 YOUNG & IMMATURE 1. FEAR 2. AVAILABILITY, SAFETY and RELIABILITY 3. STANDARDS and COMPLIANCE Starts MATURING 1. STANDARDS and COMPLIANCE 2. AVAILABILITY, SAFETY and RELIABILITY 3. FEAR Scientific Discipline Integral part of Control System Lifecycle Never Solved but Managed Attack Back Integral part of Control System Lifecycle
Industrial Cyber Security Standards 4 United Arab Emirates NESA National Electronic Security Authority Qatar ICT Qatar National Electronic Security Authority Standards organizations such as IEC International Electro technical Commission ISA International Society of Automation ISASecure ISA Security Compliance Institute ISO International Standards Organization United States of America - Government / semi-government NIST National Institute of Standards &Technology NERC CIP North American Electric Reliability Corporation / Critical Infrastructure Protection Honeywell Experience
Cont rol Firewal Power Status Cont rol Firewal Power Status Cont rol Firewal Power Status Cont rol Firewal Power Status Industry Best Practice Purdue model of Controls 5 IEC-62443, ISO-99, NIST, ICT Qatar, NESA, etc. - Demarcation (DMZ Deployment) - Layered structured Enterprise Zone DMZ Internet Level 4 Level 3.5 Remote Access DMZ (PROD) Proxy / Relay Server Internet Honeywell Managed Service Center IPS Sensor Firewall L3.5 Firewalls Business LAN Remote Users Proxy VPN IPS Sensor Process Control DMZ PCS Historian E-SVR / Collaboration Station Managed Industrial Cyber Security Services Threat Intelligence Next Generation Firewalls Intrusion Detection System Intrusion Prevention System Data Diode Control Zone Level 3 Level 2.5 Level 2 Honeywell Managed Services Network Monitoring Performance Monitoring Patch & Update Services Honeywell Virtualization Backup & Restore VM Monitoring Passive Vulnerability Monitoring Experion PKS EPKS R410.x EPKS R430.x Dell 01 ICS 201S Dell 02 ICS 202S Dell 03 ICS 203S ESXi hosts Dell 03 L3 Routers L2.5 Routers ICS 204S IPS Sensor Honeywell FTE Network Passive Security Monitoring Sensors Experion PKS EPKS R410.x EPKS R430.x Honeywell Virtualization Backup & Restore VM Monitoring Passive Vulnerability Monitoring Level 3 PCN Advanced Control Systems Security Management PCN Monitoring Blade Chassis ESXi hosts 3 rd Party DCS 3 rd Party DCS Systems Risk Manager Security Information & Event Management (SIEM) Network Performance and Security Monitoring Network Access Control Backup & Restore System Hardening VM Performance Monitoring Domain High Security Policy User Access Control Passive Vulnerability Monitoring OS/Application Vulnerability Management Application Whitelisting ICS USB Protection Anti-Virus / Malware Protection Security Patch Management Level 1 Controllers Honeywell C300 PLC Modbus TCP SCADA Controllers Honeywell C300 3 rd Party PLC Modbus TCP SCADA Controllers 3 rd Party PLC Modbus TCP SCADA Honeywell MODBUS/TCP Firewall Honeywell Control Firewall
6 Honeywell Industrial Cyber Security
Honeywell Industrial Cyber Security 7 Edmonton Amsterdam Bucharest Global setup to serve global organizations as well as local asset owners Houston Atlanta Dubai Pune Kuala Lumpur Santiago Perth RSC + HICS HICS Office Private LSS RSC HICS Resource(s) Global Operations with Local Focus
Complete Industrial Cyber Security Solutions 8 Comprehensive, Holistic and Vendor Neutral Professional Field Services - Advisory consulting - Implementation and systems integration - Operational service and support Managed Cyber Security Services - Continuous monitoring and alerting - Secure automated patch & signature updates - Cyber expert support and co-management Honeywell Cyber Security Software - Industrial Cyber Security Risk Manager - Monitoring platform and assessment tools Integrated Partner Technology Proven, Trusted and Industry Leading
Solutions Addressing Cyber Security End to End 9 Backup and Recovery Incident Response Planning Incident Response: On Site & Remote Forensics & Analysis Industrial Cyber Security Vulnerability & Risk Assessments Network & Wireless Assessments Cyber Security & Compliance Audits Current State Analysis Secure Design and Optimization Zone & Conduit Separation Continuous Monitoring Compliance & Reporting Cyber Security Risk Manager Industrial Security Information & Event Management (SIEM) Cyber Security Awareness & Training Policy and Procedures Development Firewall, Next Gen FW Intrusion Detection & Prevention (IDS/IPS) Access Control Industrial Patching & Anti-Virus Industrial Application Whitelisting End Node Hardening Portable Media/Device/USB Security
Industrial Cyber Security Solutions Lab 10 Flexible Model of Complete Process Control Network Solutions Development Training and Certification Customer Demonstrations World-Class, Industry Leading Innovation
Managed Industrial Cyber Security Services 11 Patch and Anti-Virus Automation Security and Performance Monitoring Activity and Trend Reporting Advanced Monitoring and Co- Management Secure Access Tested and qualified patches for operating systems & DCS software Tested and qualified anti-malware signature file updates Comprehensive system health & cybersecurity monitoring 24x7 alerting against predefined thresholds Automated inventory Monthly or quarterly compliance & performance reports Identifying critical issues and chronic problem areas Firewalls, Intrusion Prevention Systems, etc. Honeywell Industrial Cyber Security Risk Manager Highly secure remote access solution Encrypted, two factor authentication Complete auditing: reporting & video playback Monitoring, Reporting and Honeywell Expert Support
Honeywell Security Service Center (SSC) 12
Honeywell SUIT Lab Security Update Investigation Team 13 Testing & Qualification of Microsoft Patch Updates & Anti-Malware Updates for Honeywell Systems
Honeywell Expertise 14 Operational Technology Experience
Cyber Security Controls and Tools: Examples 15 Security Management Intrusion Protection & Threat Intelligence Application & Endpoint Security Next Generation Firewall Network Security
Roadmap 16
Cyber Trainings by Automation College 17 Trained people = effective Cyber Program
Honeywell Risk Manager 18 Risk Location WHERE IS IT COMING FROM? Risk Sources WHAT IS CAUSING THE RISK? Risk Indicators WHAT DO I NEED TO DO? Risk Trends HOW AM I DOING? No Need to be a Cyber Security Expert, made for DCS
19 Monitor Measure Manage Continuously & Real-time Identify & Analyze Vulnerabilities and Threats Inside and Outside attacks Employee actions Devices on Network Network Traffic Rogue Devices Immediate Notifications Time to implement security patches % of endpoints free of malware and viruses Reduction in unplanned system downtime Reduction in number of known vulnerabilities & Threats Percentage of recurring incidents Improvements in overall site risk Reactive to proactive cyber security planning Accurately track improvements Generate correct reports Trending help you gauge the impact of decisions Manage workflow and prioritize resources based on risk severity No reconfiguration of system with each upgrade Configuration data and risk settings are preserved Proven and Trusted
Value Proposition 20
Addresses Stakeholder Responsibilities 21 Control Engineers Anticipate cyber security scenarios Plan for protective measures/safe operating procedures Understand how possible attacks might disrupt operations Monitor the IACS for indicators of threats Track/monitor assets according to different zones. Plant Management Provide updates on the site s security posture Have accurate measurements of risk aligned with industry standards Help focus resources on addressing threats Maintain uptime and meet production goals and other core business objectives Gain the know-how to prioritize efforts to manage risk Assess the impact of security controls on automation performance Establish and improve metrics for out-of-date patches and antimalware. Executives Demonstrate cyber security due diligence to board of directors, investors and regulators Map key risk indicators to KPIs Demonstrate the value of cyber security investments Incorporate meaningful cyber security risk ratings into risk management frameworks and evaluate compliance efforts Proven and Trusted
Why Honeywell? 22 Industrial Cyber Security Experts Global team of certified Industrial Cyber Security experts 100% dedicated to Industrial Cyber Security Experts in process control cyber security Leaders in security standards ISA99 / IEC62443 / NIST Proven Experience 10+ years industrial cyber security 1,000+ successful industrial cyber projects 350+ managed industrial cyber security sites Proprietary cyber security methodologies and tools Investment and Innovation Largest R&D investment in industrial cyber security Strategic partnerships with leading cyber security product vendors Industry first Cyber Security Risk Manager State of art Industrial Cyber Security Solutions Lab Refining & Minerals, Petrochemical Oil & Gas Chemicals Power Generation Metals & Mining Pulp & Paper Proven Industrial Cyber Security Solution Provider
23 Demo @ Technology Center
Industrial Cyber Security Risk Manager 24 Available Globally Easy-to-use interface and built in guidance eliminates need to be a cyber security expert Real time data collection and analytics, continuously monitors for indicators of cyber security risk Proactively identifies vulnerabilities & detects threats that could impact the ICS Internal health monitoring helps ensure the system is operating at optimum level First and only of its kind for Industrial Environments Low impact monitoring won t disrupt plant operations or cause network delays Proactively Monitor, Measure, and Manage Industrial Cyber Security Risk
Get updates Collect monitoring data Get updates Send data Managed Industrial Cyber Security Services 25 Industrial Site Internet Security Service Center Level 4 Corporate Proxy Server Level 3.5 eserver Terminal Server Relay Node Isolates ICS/PCN Ensures no direct communication between L3 and L4 Communication Server Application Servers Level 3 Restricts unauthorized ICS/PCN nodes from sending or receiving data Database Servers Service Node Anti malware Patch Management Monitoring Secure access Level 2 EST/ESF 3 rd Party Historian Domain Controller SSL Encrypted communication Connects to Honeywell Security Service Center ONLY! ACE EST/ ESF Experion Servers Domain Controller Level 1
Honeywell Industrial Cyber Security 26 Safdar Akhtar Director Business Development ME, Africa and Asia Pacific cell: +971 56 418 8706 safdar.akhtar@honeywell.com Rudrajit Roy Business Development Manager India and SEA cell: +602 4646915 rudrajit.roy@honeywell.com Mike Spear Global Operations Manager phone: +1 (770) 689-1132 cell: +1 (678) 447-6422 mike.spear@honeywell.com Chee Ban Ngai APAC Operations Manager cell: +60-122330915 cheeban.ngai@honeywell.com Follow us: www.twitter.com/insecculture Blog: http://insecurity.honeywellprocess.com Bulletin Board: http://hpsvault.honeywell.com/sites/hpsvault/services/ Website: http://www.becybersecure.com
Thank You www.becybersecure.com
28 Backup Slides
IT Vs OT 29 Corporate Industrial Controls Systems Risk Non life threatening Safety Availability & Reliability Architecture & Traffic type Interfaces Communication connectivity Roles & Responsibilities IT Important Down time is acceptable Voice, Video, Data over business IT infrastructure OS and applications, Unix, terminals, keyboards, web browsers, Graphical user interfaces, etc. LAN based on dynamic IP, WAN Based on optical, etc. Support and protect business applications OT Critical Downtime is not acceptable Events drive, real-time, Industrial embedded HD and SW. Controls, safety, motion, time synchronization, etc. Servers, Sensors, E/M switches, actuators, relays, PLC, DCS, SCADA, etc. Customized embedded OS Plant based on static IP over ethernet or customized twisted pair, etc. Support plant critical processes Availability, reliability and safety