No compromises for secure SCADA Communications even over 3rd Party Networks

The Gamble of Using ISP Private Networks: How to Stack the Odds in Your Favor
Speaker: David Mattes, CTO & Co-Founder of Tempered Networks
2015 ISA Water / Wastewater and Automatic Controls Symposium, August 4-6, 2015, Orlando, Florida, USA

Presenter
- Co-Founder and CTO, Tempered Networks. Co-founded Tempered Networks in 2012 to create standards-based products that address the challenge of managing connectivity and information security for industrial control systems (ICS).
- Prior to Tempered Networks, Mattes spent 13 years in Boeing's R&D organization working on advanced networking for manufacturing. Co-created and led deployment and implementation of an ICS Security Architecture, and worked to publish this architecture as international standards.
- Mattes has patents pending in distributed network configuration and orchestration.
- M.S. degree in electrical engineering from the University of Washington and a B.S. degree in electrical engineering from the University of New Mexico.

Agenda
- Current Infrastructure
- Issues & Challenges for Water/Wastewater
- Looking to the Future
- Standards & Sharing
- Deployment & Implementation
- How to Secure Your Network

Industry Status (chart: connectivity vs. security posture)
- Security posture today: isolated proprietary solutions, moving to a control panel connected to an intranet using some IP network technologies
- Connectivity today: need secure comms over intranets now; need secure comms over the Internet soon

The Evolving Threat Landscape for ICS
- Two-year study of devices exposed on the Internet via the SHODAN search engine
- Sampled ~2.2 million exposed devices; >25% (587,000) were ICS, SCADA or HVAC systems
- SHODAN reveals a device's IP address, geo coordinates, owner, service port header, firmware details, and more
- Source: Infracritical's Project SHINE Findings Report, October 2014

Attacks Focusing on ICS Systems
- Havex malware: discovered June 2014; targets OPC on Windows; delivered through compromised vendor download sites
- German steel mill: a cyberattack caused confirmed physical damage, for the second time ever

Limitations of Current Technology
Firewalls
- Firewalls inspect data; they do not protect data
- IP and MAC addresses are spoofable
- Prone to misconfiguration: your firewall is only as secure as its configuration
- Perimeter security is no longer adequate
- Requires highly skilled staff to deploy; management is time consuming and costly
VPNs
- Geared towards connecting networks to networks, or people to networks
- Do not scale well
- Once authenticated, there is broad access to a flat trusted network: all your eggs in one basket
VLANs
- High cost per managed port
- Change management is time consuming and expensive
- Granting and revoking remote access is challenging
- Security is embedded in the core of the underlying network

State of ICS Networks

ICS Networks: Ideal

Standards-Based Future
- In the 80s the TCP and IP specs were finished with no security designed into the protocols at all; we have gone from a small trusted networked community to ubiquitous Internet usage with many untrusted users, and the IP address is still used both to identify and to locate a host
- International Society for Automation (ISA): ISA100 TR100.15.01 Overlay Network Architecture Model; ISA99 Zones and Conduits
- Trusted Computing Group (TCG): IF-MAP Metadata for ICS Security
- Internet Engineering Task Force (IETF): RFC 5201 Host Identity Protocol

ISA 100.15.01 Architecture Goals
- Leverage shared network infrastructure to minimize costs
- Isolate SCADA and control networks from the shared network
- Dynamic and flexible network segmentation
- Minimize attack surface: limit connectivity
- Allow automation engineers to manage their own devices
- Create a clear delineation of roles and responsibilities between engineers and IT
- Keep CapEx/OpEx costs LOW and reliability HIGH
- Enabler of additive defensive measures
- Success rests on process, technology and people

ISA 100.15.01 Functional Architecture: The Story Behind the Solution
- Industry-standard overlay network architecture
- Cryptographically bind host identities to keys with the industry-standard HIP protocol, creating a secure, peer-to-peer trust mechanism
- Create many private overlay networks, each with only trusted peers
- Orchestrate and automate, at scale, all overlays, devices and users with the industry-standard IF-MAP protocol
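The trust mechanism above rests on one property that IP and MAC addresses lack: a Host Identity Tag (HIT) is derived from a public key, so a peer cannot claim a HIT unless it presents the matching key. The following is an added example, not code from Tempered Networks, ISA or the HIP implementations; it follows the ORCHID construction from RFC 4843 as used by RFC 5201 (SHA-1 over the HIP Context ID and the encoded Host Identity, middle 100 bits, 2001:10::/28 prefix) and then uses the HIT as the sole admission criterion for per-overlay whitelists. The two Host Identities are constructed byte strings standing in for real encoded public keys, and the overlay names are made up.

```python
"""HIP-style host identity check: added example, not Tempered Networks code.

A Host Identity Tag (HIT) is an IPv6-format ORCHID (RFC 4843) derived from a
public key, so unlike an IP or MAC address it cannot be claimed by a peer
that does not hold the matching key.  The Host Identities below are
constructed byte strings standing in for real encoded public keys.
"""
import hashlib
import ipaddress

# RFC 5201 section 3.2: Context ID that scopes the ORCHID hash to HIP.
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")
# RFC 4843: ORCHID prefix 2001:10::/28 (the top 28 bits, 0x2001001).
ORCHID_PREFIX = 0x2001001
ORCHID_NET = ipaddress.ip_network("2001:10::/28")

# Constructed stand-ins for two devices' encoded Host Identities (HI).
PLC_HI = b"constructed-HI:plc-lift-station-7:" + bytes(range(64))
HMI_HI = b"constructed-HI:hmi-operator-ws-2:" + bytes(range(64, 128))


def derive_hit(host_identity: bytes) -> str:
    """Return the HIT for an encoded HI, as IPv6 text (RFC 4843 ORCHID)."""
    digest = hashlib.sha1(HIP_CONTEXT_ID + host_identity).digest()
    value = int.from_bytes(digest, "big")            # 160-bit hash
    # Encode_100: keep the middle 100 bits (drop 30 low and 30 high bits).
    mid100 = (value >> 30) & ((1 << 100) - 1)
    return str(ipaddress.IPv6Address((ORCHID_PREFIX << 100) | mid100))


def verify_hit(claimed_hit: str, host_identity: bytes) -> bool:
    """True iff the HIT a peer claims is the one its presented HI hashes to.

    A real HIP base exchange additionally makes the peer sign with the
    private key; this function only covers the HIT-to-key binding.
    """
    try:
        addr = ipaddress.IPv6Address(claimed_hit)
    except ValueError:
        return False                                  # not an IPv6 literal
    if addr not in ORCHID_NET:
        return False                                  # outside ORCHID range
    return addr == ipaddress.IPv6Address(derive_hit(host_identity))


class OverlayPolicy:
    """Private overlays as whitelists of HITs.

    A peer is admitted to an overlay only if its HIT is enrolled there AND
    the key it presents actually hashes to that HIT; a spoofed HIT or a
    claim of membership in the wrong overlay fails closed.
    """

    def __init__(self):
        self._members = {}        # overlay name -> set of enrolled HITs

    def enroll(self, overlay: str, host_identity: bytes) -> str:
        hit = derive_hit(host_identity)
        self._members.setdefault(overlay, set()).add(hit)
        return hit

    def admit(self, overlay: str, claimed_hit: str, host_identity: bytes) -> bool:
        try:
            hit = str(ipaddress.IPv6Address(claimed_hit))   # canonical text
        except ValueError:
            return False
        if hit not in self._members.get(overlay, set()):
            return False          # unknown peer for this overlay: deny
        return verify_hit(hit, host_identity)


if __name__ == "__main__":
    policy = OverlayPolicy()
    plc_hit = policy.enroll("scada-lift-stations", PLC_HI)
    print("PLC HIT:", plc_hit)
    print("PLC with its own key  :", policy.admit("scada-lift-stations", plc_hit, PLC_HI))
    print("HMI spoofing PLC's HIT:", policy.admit("scada-lift-stations", plc_hit, HMI_HI))
    print("PLC on the IT overlay :", policy.admit("it-services", plc_hit, PLC_HI))
```

The point of the last two calls is the contrast with a VLAN or firewall rule keyed on addresses: the HMI can put the PLC's HIT on the wire, but it cannot produce a key that hashes to it, and the PLC's valid identity still buys it nothing on an overlay where it was never enrolled. Enrolment per overlay is what turns "many private overlays, each with only trusted peers" into an enforceable check rather than a diagram.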

Securing Remote Access
1. Risks and challenges of ISP lock-in: the ISP as a network utility, and switching costs
2. Benefits of an independent layer of security: patch and obsolescence issues in network components
3. Appropriate levels of visibility, auditing, governance and change control: implementing a governance model appropriate for the organization
4. Standards-based solutions that are open and vetted: standards and open forums

Implementation & Deployment: Florida Water Utility Case
- Public Safety Network (PSN) as a shared network resource, with a VLAN for SCADA
- IT services appearing on the SCADA VLAN
Goals
- Fine-grained control over connectivity policies
- Integrity protection of data over the PSN backhaul
- SCADA-focused visibility and alerting at the network layer
- Flexible and secure remote access

Implementation & Deployment (diagram)

Fine-grained Connectivity Policy Control (diagram)

Summary
- Threat level is rising: duty to protect
- Connectivity is increasing, and it's not going away (tablets and mobile)
- Operations needs to be at the table: networking, security, policy, awareness, resilience
- Standards are maturing, but standards alone are not enough
- Solutions are here today to bridge the gaps