Industrial Control System Cyber Security
Disaster Recovery Information Exchange
Bruce Tyson, June 28, 2017, Lunch and Learn
Introduction
Bruce Tyson is a certified engineering technologist (CET, Telecommunications) and a professional project manager (PMP) with over 30 years' experience in the energy sector. Bruce is the President and CEO of KZenEdge Strategic Program Execution. He and his partner Tim Ewasiuk (VP and COO) operate a management consulting firm delivering solutions that span operations, engineering, maintenance and IT processes. Disaster recovery, cybersecurity and industrial controls have all been components of successful program and project delivery.
For more information, visit: www.kzenedge.com
Agenda
Cybersecurity Risk for Industrial Control Systems Impacting Disaster Recovery
- Review the baseline ICS environment and key business drivers
- Review the cybersecurity threat landscape and a few real-world case studies
- Review some frameworks and key resources/stakeholders for addressing ICS cybersecurity risk
- Evaluate the question: Does your current DRP incorporate the threats, priorities, standards and regulations for ICS cyber scenarios?
Logistics
- 40-45 minutes of presentation
- 10 minutes of Q&A
Safety Moment
- In the event of an evacuation: exits
- Washroom facilities
- Lunch: allergy; choking
Definitions
Cybersecurity
- The body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. (WhatIs)
- Encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. (Gartner)
Industrial Control System (ICS)
- Term encompassing several types of control system technology and associated instrumentation, including SCADA, DCS and PLCs, often found in the industrial sector and critical infrastructures. (Wikipedia)
The Issue
Business Driver - Safe and Secure Operations
- Cybersecurity is a component of Safe and Secure Operations; it needs fit-for-purpose solutions that match their expectations for ICS integrity
- Clarity on organizational responsibilities
- Visibility to board level: What is the cybersecurity posture? What is the plan?
Cybersecurity Priorities
Information Technology (IT/IS)
- Confidential personal information
- Business continuity
- Data integrity
- Confidential company information
- Reputation
- Regulatory compliance
IT Note - Very dependent on the type of business
Operational Technology (OT/Ops)
- Safety and environment
- Production (continuity)
- Data integrity
- Confidential company data
- Reputation
- Regulatory compliance
OT Note - Typical for many types of ICS environments
ICS Cybersecurity Context
Examples of Access Points and the Resultant Security Challenges
Real World Threat Examples
- June 24, 2017 - UK Parliament e-mails
- November 2016 - PoisonTap physical access compromise
- October 2016 - 400+ million user accounts (confidentiality/blackmail)
- October 21, 2016 - Distributed denial of service (access/performance)
- October 11, 2016 - Multiple pipeline valve closures (safety, production, reputation)
- March 2016 - Georgia Pacific disgruntled employee cyber attack (production, reputation)
- January 2016 - Critical infrastructure incidents increased in 2015: ICS-CERT
- December 23, 2015 - Ukraine power grid, ICS-CERT alerts (safety, production, reputation)
- Top 10 security breaches of 2015 (all)
- 2014 - Dragonfly attacks on energy companies (all)
Real World Threat Case Study
October 21, 2016 - Distributed Denial of Service (access/performance)
Scientific American publication (abridged):
"Last week's distributed denial of service (DDoS) attacks in which tens of millions of hacked devices were exploited to jam and take down internet computer servers is an ominous sign for the Internet of Things."
Dyn statement (abridged):
"Dyn's operations and security teams initiated our mitigation and customer communications process through our incident management system. We practice and prepare for scenarios like this on a regular basis, and we run constantly evolving playbooks and work with mitigation partners to address scenarios like these."
Real World Threat Case Study
December 23, 2015 - Ukraine Power Grid
Impact (excerpt):
"Power substations taken offline leaving more than 230,000 residents in the dark. Backup power at two of the three distribution centers was also taken offline, leaving operators in the dark. The power wasn't out long in Ukraine: just one to six hours for all the areas hit. But more than two months after the attack, the control centers are still not fully operational."
Details from extensive investigation (excerpt):
"...they were skilled and stealthy strategists who carefully planned their assault over many months, first doing reconnaissance to study the networks and siphon operator credentials, then launching a synchronized assault..."
Threat Tree Identification
External
  Malicious
    Targeted
      Individual or small org: vandalism/headlines
      Criminal: for gain
      Government or sophisticated org: terrorism
    Automatic / opportunistic / random: high volume
  Accidental
    Vendor
    Service provider
Internal
  Accidental
    Operations staff
    IT staff
    Ongoing operational or project: normal activities
  Malicious
    Individual or small org
    Single event activity (example: termination/exit)
Risk Management
Risk Management - Mitigation
DR/ER does not influence probability; it reduces impact.
Incident Response Plan
- Have cybersecurity event scenarios been evaluated (risk-assessed)?
- When does it become an explicit part of the DRP?
An incident is an event that could lead to loss of, or disruption to, an organization's operations, services or functions. If not managed, an incident can escalate into an emergency, crisis or a disaster. Incident management is therefore the process of limiting the potential disruption caused by such an event, followed by a return to business as usual. Without effective incident management, an incident can rapidly disrupt business operations, information security, IT systems, employees or customers and other vital business functions.
ICS Cybersecurity Framework
DRP Source: National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cybersecurity V1.0, February 12, 2014
ICS Cybersecurity Framework - Cyber Security Frameworks
DRP Source: Department of Energy Sector-Specific Plan, May 2007
- SSP: Sector-Specific Plan
- NIPP: National Infrastructure Protection Plan
- CI/KR: Critical Infrastructure/Key Resources
Incident Management
- Establish an incident response and disaster recovery capability.
- Produce and test incident management plans.
- Provide specialist training to the incident management team.
ICS Cyber Training/Certification
- SANS/GIAC: training and certifications
- ISO 27001: Information Security Management Systems
- ICS-CERT: multiple courses
- ISA/IEC 62443: cybersecurity certificate programs
- NIST: standards training support
- Product vendors: ICS, network, applications training
- Vendors and institutions: diploma, certificate, courses
Note: SAIT is developing a new program for ICS security
DRP, ERP, BCP
Is your current DRP structured to address the threats, priorities, standards and regulations associated with ICS cybersecurity?
A Proven Delivery Methodology to Execute Your Vision
www.kzenedge.com