INDUSTRIAL CYBER SECURITY PROGRAMS
Mike Spear, Ops Leader
Greg Maciel, Cyber Director
Can You Answer These Questions?
- What's my company's exposure to the latest industrial cyber threat?
- Are my plants compliant with our corporate cyber security directive?
- Are there non-sanctioned devices, like USBs, that have been added to plant process control networks?
- What happens if I have a malware outbreak in my control network? Production impact? Operations staff SOP?
>50% of Boards of Directors are not satisfied with leadership's cyber issue management
WannaCry: so many ways to deal with cyber
No Silver Bullet
Process - Management System - through policies and procedures
- Patch Management
- Secure Remote Access
- Anti-virus
- Backup and Restore
- Change Management
- Perimeter Security
- Periodic Audits
People - the weakest link
- Training and Awareness
- Professional Skills & Qualification
- Motivation
Technology
- Installed and maintained
If any part fails you are at risk
Agenda
- Risk Tolerance
- Baseline Assessment
- Mitigate and Measure Risk
- Incident Response
- Secure Supply Chain
Define Risk Tolerance
- Work with leadership
- Define acceptable risk
- Categorize how risk will affect the business
- Use this to define what needs protection and to what level
Industry needs a quick way to reassess the risk landscape.
IEC 62443 security levels
C2M2 Maturity Indicator Levels
Security Profile Diagram

        MIL0  MIL1  MIL2  MIL3
  SL4    13    14    15    16
  SL3     9    10    11    12
  SL2     5     6     7     8
  SL1     1     2     3     4

A protection level (e.g. PL 11) fully defines:
- Security capabilities of all security controls (Security Requirements)
- Operational capabilities within the organization (Maturity Requirements)
What determines our target level?
- Security Level (SL) is determined by the category of attacker relevant for the plant
- Maturity Indicator Level (MIL) follows the Security Level
Levels of Security
[Figure: Maturity Level 1-4 plotted against Security Level 1-4, with critical infrastructure toward the upper levels and non-critical infrastructure toward the lower levels]
- Security level 4 - typical critical infrastructure: oil & gas, power, water
- Security level 3
- Security level 2
- Security level 1 - typical non-critical infrastructure: plastics, steel, resins, food, paper, beverages
Where are we today? In our security assessments most companies score between SL 1 and SL 2 and ML 1 and ML 2.
Classifications of criticality can differ by country!
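The SL x MIL matrix above, as an added worked example (not from the slide deck or its authors): Python that maps an (SL, MIL) pair to the slide's PL number, inverts that mapping, and reports what an assessed site must raise to reach a target PL. The rule that a target PL is met only when both its SL and its MIL requirement are met is my reading of the slide's statement that a PL defines both; the site names and levels are constructed to match the "SL 1-2, ML 1-2" finding quoted above.

```python
# Added example (not from the slides): protection level arithmetic for the
# IEC 62443 SL x C2M2 MIL matrix on the "Security Profile Diagram" slide.
# PL numbering is read off that slide: rows SL1..SL4, columns MIL0..MIL3,
# numbered 1..16 left to right, bottom row first.
from __future__ import annotations

from dataclasses import dataclass

SECURITY_LEVELS = range(1, 5)   # SL1..SL4 (IEC 62443)
MATURITY_LEVELS = range(0, 4)   # MIL0..MIL3 (C2M2)


def protection_level(sl: int, mil: int) -> int:
    """Map (SL, MIL) to the slide's PL number, e.g. (3, 2) -> 11."""
    if sl not in SECURITY_LEVELS or mil not in MATURITY_LEVELS:
        raise ValueError(f"out of range: SL{sl}, MIL{mil}")
    return (sl - 1) * len(MATURITY_LEVELS) + mil + 1


def decompose(pl: int) -> tuple[int, int]:
    """Inverse of protection_level: PL 11 -> (3, 2), i.e. SL3 / MIL2."""
    if not 1 <= pl <= 16:
        raise ValueError(f"PL must be 1..16, got {pl}")
    sl, mil = divmod(pl - 1, len(MATURITY_LEVELS))
    return sl + 1, mil


@dataclass(frozen=True)
class Site:
    name: str
    sl: int   # assessed security capability (controls actually in place)
    mil: int  # assessed operational maturity


def gap_to_target(site: Site, target_pl: int) -> dict:
    """Report what a site must raise to satisfy a target PL.

    Assumption (mine): a PL is met only when BOTH the SL and the MIL it
    defines are met. Comparing PL numbers alone misleads: SL4/MIL0 is
    PL 13, numerically above PL 11, yet it fails PL 11's MIL2 requirement.
    """
    t_sl, t_mil = decompose(target_pl)
    sl_gap = max(0, t_sl - site.sl)
    mil_gap = max(0, t_mil - site.mil)
    return {
        "site": site.name,
        "current_pl": protection_level(site.sl, site.mil),
        "target_pl": target_pl,
        "raise_sl_by": sl_gap,
        "raise_mil_by": mil_gap,
        "meets_target": sl_gap == 0 and mil_gap == 0,
    }


def triage(sites: list[Site], target_pl: int) -> list[dict]:
    """Order sites by total gap (largest first) so the worst-off plant leads the plan."""
    gaps = [gap_to_target(s, target_pl) for s in sites]
    return sorted(gaps, key=lambda g: g["raise_sl_by"] + g["raise_mil_by"], reverse=True)


if __name__ == "__main__":
    # Constructed sample sites, in the SL1-2 / MIL1-2 band the slide says is typical.
    fleet = [Site("Plant A", 1, 1), Site("Plant B", 2, 2), Site("Plant C", 2, 1)]
    for row in triage(fleet, target_pl=11):
        print(row)
```

Running the module lists the three constructed plants against the slide's PL 11 example, worst gap first; `gap_to_target` is the function to wire into whatever assessment tooling records SL and MIL per site.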
Baseline Assessment
Just like Evel Knievel needs to know how many cars before he jumps, ICS needs to know its current configuration and security features in order to manage risk.
Baseline Assessment
Planning Phase
- Assessment Team
- Assessment Scope & Goals
- List of Attack Vectors
- Assessment Plan
Data Collection Phase
- Vulnerability Scan
- Configuration Data
- Document Collection
- Interview Key Personnel
Analysis Phase
- Evaluation of Vulnerabilities, Patches, Malware
- Attack Surface Analysis
- Password Auditing
- Log Management Auditing
- Network Access Auditing
- Evaluation of Network Architecture
- Evaluation of Authorized Software and Network Traffic
- Configuration Reviews
- Policy & Procedure Reviews
- Risk Profiling
- Risk Mitigation
Outcome: Execution Gap, Design Gap, Technology Gap
Reporting Phase
- Detailed Report
- Executive Summary Report
- Audit Report against ISA 99
- Presentation / Workshop
Manage Risk
Take care of High Risk first
- Implement Mitigation Plan
- Extend Enterprise Risk Management Policies
- Institute a plan to regularly measure and report risk
Recommended Solution
Phase 1 (High risk)
- Multi-layered Secure Defense-in-Depth Network Design
- Secure Next-Gen Firewall with IPS / Industrial Firewalls
- Centralized Antivirus & Patch Management
- System Security Hardening
- Application White Listing Solution
Phase 2 (Medium risk) - understand trends
- Backup & Restore
- Centralized Network Monitoring Solution
- USB Protection Solution
- Cybersecurity Risk Manager
Phase 3 (Low risk) - understand threats
- Security Information and Event Management (SIEM) Solution
- Secure Remote Access, Monitoring & Alerting
- Policies & Procedures Development
Where Do You Want to Be?
Incident Response
Organize and formalize a plan to address incident response, then cycle through:
- Planning
- Training
- Conduct Regular Tests of Cross-Functional Teams
- Find Gaps and Make Improvements
- Lessons Learned Exercises
- Repeat
Secure Supply Chain
Determine which security requirements to convey to suppliers and service providers. Consider tying requirements back to known industry standards for greater cost efficiencies. Lastly, consider holding workshops for your suppliers to clarify requirements, minimizing costs and non-value-added activities.
There is no Silver Bullet