Practical SCADA Cyber Security Lifecycle Steps

Jim McGlone, CMO, Kenexis
ISA (Standards, Certification, Education & Training, Publishing, Conferences & Exhibits)

Bio
- Jim McGlone, CMO, Kenexis
- GICSP
- ISA Safety & Security Division Director
- Tridium (Honeywell)
- Rockwell Automation
- US Navy Submarine Nuclear Reactor Operator

Introduction
- Slight changes to the process lifecycle to incorporate cybersecurity
- Improve the ICS's ability to withstand a cyber security problem
- Improve overall network performance and reliability
- Specific attention is paid to the Factory Acceptance Testing (FAT) portion of the lifecycle, recognizing the challenges of connecting new equipment into an existing process

Hackers: Who Owns the Problem?
"On average, our cybersecurity screening programs block more than 70 million emails, 140 million Internet access attempts and 150,000 other potentially malicious actions each month." (ExxonMobil 2014 Corporate Citizenship Report)
- Few publicized ICS incidents; the news is about money
- "We process at my facility, it is not critical infrastructure, and the IT department is protecting the perimeter anyway."
- Meanwhile, an HMI station in your facility cannot get the data to refresh for one of the processes in the plant. You are not sure why, but you cannot let IT just scan your network to look for the problem.

Embedded Microprocessors: Built to Run a Very Long Time
- ICS were built to run a process in an isolated environment
- Built to run for many years, very reliably
- Often running from commissioning until decommissioning without a code change or reboot
- Now we have connected them, even directly to the Internet (see Shodan, https://www.shodan.io)

Embedded Microprocessors Everywhere
- An embedded microprocessor can be found on virtually every asset
- Even simple auxiliary systems have a PLC, because it is easier than using relays
- The vendor wants to monitor it as a service to keep it running well
- The HVAC industry is monitoring units over the Internet for efficiency, maintenance, and energy programs
- These programs add great value, but they also expand the attack surface available to the bad guys
[Figure: Purdue Reference Model for Control Hierarchy]
Who has access to your ICS systems?

ICS Protocols
- Industrial protocols are different from IT-focused protocols
- Originally developed to run over serial connections, directly from a 9-pin D-shell on the programming terminal, and later from a computer connected directly to the device
- Developed long before you had a web browser
- ICS protocols are proprietary by design, built for interprocess communication between the controller and its peers
- Now they are layered on Ethernet
- The communication standards are published on the Internet
- They commonly lack authentication or integrity checking: any host that can reach the device can read from it and write to it, so they are vulnerable

The Problem
- A skid-based process arrives from a trusted vendor
- It was checked out and connected into the network
- The skid checked out clean, but the vendor's laptop had malware on it
- The laptop was connected to the controller for final setup
- Ransomware spread to most of the machines in manufacturing and on the business network before IT caught it
- Unfortunately, this is a common problem
- Similar, in that trusted third-party access was the way in, to the Target breach, the Stuxnet attack on Iranian centrifuges, and at least one nuclear power plant
- It is easy to accidentally let bad stuff in
- The fastest way inside your company is by dropping an expensive, new-looking USB memory stick in the employee parking lot
- It is easy to overlook connecting a piece of industrial equipment to the network on the factory floor

ICS Cybersecurity Lifecycle
- The cyber lifecycle should line up logically with the process lifecycle and support the organization until the process is shut down and decommissioned
- These are all projects with finite budgets and start and stop time limits

ICS Cybersecurity Lifecycle: Policy (Step One)
- Establishes requirements, responsibility, and governance
- Dictates that the vendor's laptop and the incoming equipment are scanned prior to connecting
- Executive sponsorship
- Facilitates budgeting
- Drives training and awareness
- Solid behaviors, so mistakes are infrequent
- Response to incidents is planned and appropriate

ICS Cybersecurity Lifecycle: Cyber Design (Before and During Design)
- Cybersecurity design phase
- Ensure policy is met
- Reduce the risk to the process from cyber threats with a properly designed network
- Design the cyber SAT and FAT

ICS Cybersecurity Lifecycle: Acceptance Testing (Don't Plug It In)
- A SAT should be run on new equipment, processes, systems, or the facility to ensure you do not introduce a problem
- An improper connection to your business network, an engineering computer, or remote access could cause a network performance problem right from the beginning

ICS Cybersecurity Lifecycle: Compliance Audit (Are We Good?)
- Verify periodically that staff are aware of policy and compliant
- Determine shortcomings and needed training
- Audits based on regulation are very different, and I am going to skip them in this discussion because most of us do not need to do them yet

ICS Cybersecurity Lifecycle: Vulnerability Assessment
- Required periodically by standards or policy, or some impetus has inspired you to get budget and have an expert evaluate your status
- Documents the security posture of control systems
- Identifies vulnerabilities that might result in security incidents
- Evaluates operational and change management processes
- Provides an actionable list of recommendations for improving security

ICS Cybersecurity Lifecycle: Vulnerability Assessment
- A vulnerability assessment includes: design review, data flow analysis, traffic analysis, procedure and policy review
- Focuses on the devices and connections that would allow an attacker to access the ICS
- ICS knowledge is critical
- Running IT tools to evaluate the ICS network can be hazardous: an active scan can stall or crash embedded controllers, so collect traffic passively and review configurations instead

ICS Cybersecurity Lifecycle: Vulnerability Assessment (During the Walk Down)
- Observations are noted
- Ethernet packet traffic is collected at key switch locations
- Packet traffic is analyzed extensively for patterns, signatures, and traffic problems
- Configuration of devices and systems is evaluated against industry best practices and each equipment manufacturer's recommendations, covering: patch levels and patch management; common misconfigurations; default or common usernames / passwords; remote access controls
- Segmentation of business and control system networks is also evaluated
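The protocol slide above (industrial protocols carry no authentication or integrity checking) and the walk-down step (packet traffic collected at switch locations and analyzed for patterns) can be shown together on one concrete protocol. The following is an added example, not code from the presentation or from Kenexis: it parses Modbus/TCP request frames, one of the widely published ICS protocols now layered on Ethernet, from a constructed capture and flags any talker or write operation that falls outside an agreed baseline of who may poll the PLCs and who may write to them. The IP addresses, the baseline, and the sample frames are assumptions made for the example.

```python
"""Added example: parse Modbus/TCP requests from a constructed switch-port
capture and audit them against a traffic baseline (allowed masters, who may write)."""
import struct
from dataclasses import dataclass

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Public function codes from the Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

    @property
    def name(self) -> str:
        return FUNCTION_NAMES.get(self.function_code, f"function {self.function_code}")


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP request. Note what is absent from the wire format:
    no credential, no signature, no MAC. Anything that reaches TCP/502 may write."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("payload shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts the unit id plus the PDU that follows it.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} does not match payload {len(payload) - 6}")
    return ModbusFrame(tid, uid, payload[MBAP_LEN], payload[MBAP_LEN + 1:])


def describe_write(frame: ModbusFrame) -> str:
    """Human-readable detail for single-coil/register writes; other codes by name."""
    if frame.function_code in (5, 6) and len(frame.data) >= 4:
        addr, value = struct.unpack(">HH", frame.data[:4])
        return f"{frame.name} addr={addr} value=0x{value:04x}"
    return frame.name


def audit_traffic(records, allowed_masters, engineering_stations):
    """records: iterable of (src_ip, dst_ip, tcp_payload) captured at the control
    network switch. Returns a list of (src, dst, category, detail) findings."""
    findings = []
    for src, dst, payload in records:
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError as err:
            findings.append((src, dst, "malformed", str(err)))
            continue
        if src not in allowed_masters:
            findings.append((src, dst, "unknown-master", f"{src} issued {frame.name}"))
        if frame.function_code in WRITE_FUNCTIONS and src not in engineering_stations:
            findings.append((src, dst, "unauthorized-write", describe_write(frame)))
    return findings


# Constructed sample capture (not real plant traffic). Addresses are assumptions.
HMI, ENG, PLC, VENDOR_LAPTOP = "10.10.1.5", "10.10.1.50", "10.10.2.20", "10.10.1.99"
SAMPLE_CAPTURE = [
    # HMI polls 10 holding registers starting at 0: routine, read-only.
    (HMI, PLC, bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Engineering station writes register 16 := 1 during commissioning: allowed.
    (ENG, PLC, bytes.fromhex("0002 0000 0006 01 06 0010 0001")),
    # Unapproved laptop writes the same register back to 0: two findings.
    (VENDOR_LAPTOP, PLC, bytes.fromhex("0003 0000 0006 01 06 0010 0000")),
    # Something on port 502 with a wrong protocol id: malformed.
    (VENDOR_LAPTOP, PLC, bytes.fromhex("0004 0001 0006 01 03 0000 0001")),
]
ALLOWED_MASTERS = {HMI, ENG}
ENGINEERING_STATIONS = {ENG}


def run_sample_audit():
    return audit_traffic(SAMPLE_CAPTURE, ALLOWED_MASTERS, ENGINEERING_STATIONS)


if __name__ == "__main__":
    for src, dst, category, detail in run_sample_audit():
        print(f"{src} -> {dst}: {category}: {detail}")
```

The baseline is deliberately simple (a set of approved masters and a set of stations allowed to write) because that is what a walk down produces: a list of who is supposed to be talking. Anything else on the capture is a question for the site, not necessarily an attack, and the same logic applies to any other published protocol once its header layout is known.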

ICS Cybersecurity Lifecycle: Vulnerability Assessment vs. Penetration Testing
- Vulnerability assessment teams document what is found; in a penetration test we pursue what we find to see how far we can get and what your ultimate vulnerability exposure looks like
- Scope and rules of engagement are agreed to prior to performance
- Non-destructive

ICS Cybersecurity Lifecycle: Incident Response
- You want someone who knows the path to your door so that they can get to work as soon as possible, ideally the people who designed the system and kept it safe all along
- Otherwise, you are starting from zero and probably do not have time to properly evaluate all options
- You need to know whether the expert incident response team is going to build a forensic case for you, or whether you are hiring them just to kill the bad stuff and remove it from your networks

The Solution
- Earlier, a skid-based process arrived from a trusted vendor
- It was checked out according to policy and the agreed acceptance test, including an anti-virus / anti-malware scan and a cybersecurity check of versions, default passwords, and all configurations, prior to connecting it into the network
- When the vendor arrived with a laptop, the IT team assigned the vendor a remote access connection into the corporate VPN and a remote desktop session on one of their verified computer stations; the laptop never touched the control network directly, which prevented the malware from propagating onto your networks while allowing the vendor to finish (the VPN profile should permit only that remote desktop connection, so the untrusted laptop can reach nothing else)
- It might seem like a little extra work and thought, but it will be far less expensive and stressful than dealing with what can happen if you don't make the effort
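The acceptance test described above (versions, default passwords, configuration checked before anything is connected) is easier to repeat consistently when the policy is written down as data and the equipment's configuration export is checked against it. The following is an added example, not code from the presentation or from Kenexis: a "don't plug it in" gate that evaluates each device on an arriving skid against a site policy and refuses the whole skid if any device has a finding. The model names, firmware versions, factory default logins, and account names are hypothetical.

```python
"""Added example: a cyber acceptance-test gate run against the configuration
export of arriving equipment before it is connected to the plant network."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Device:
    name: str
    model: str
    firmware: str
    accounts: Dict[str, str]            # username -> password as configured
    services: Set[str]                  # network services enabled on the device
    vendor_remote_access: bool = False  # cellular modem / cloud agent / call-home


@dataclass
class Policy:
    min_firmware: Dict[str, str]                       # model -> minimum version
    factory_defaults: Dict[str, Set[Tuple[str, str]]]  # model -> known default logins
    prohibited_services: Set[str]
    allow_vendor_remote_access: bool = False


def parse_version(text: str) -> Tuple[int, ...]:
    """'v3.2.1' -> (3, 2, 1); non-numeric suffixes such as '1-rc2' reduce to digits."""
    parts = []
    for piece in text.strip().lstrip("vV").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(have: str, need: str) -> bool:
    """Pad before comparing so '3.2' and '3.2.0' compare equal rather than ordered."""
    a, b = parse_version(have), parse_version(need)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def assess_device(device: Device, policy: Policy) -> List[Tuple[str, str]]:
    """Return (category, detail) findings; an empty list means the device passes."""
    findings = []
    need = policy.min_firmware.get(device.model)
    if need is None:
        findings.append(("unknown-model", f"no approved baseline for {device.model}"))
    elif not version_at_least(device.firmware, need):
        findings.append(("firmware-below-baseline", f"{device.firmware} < {need}"))
    defaults = policy.factory_defaults.get(device.model, set())
    for user, password in device.accounts.items():
        if (user.lower(), password) in defaults:
            findings.append(("default-credential", user))
        elif not password:
            findings.append(("empty-password", user))
    for service in sorted(device.services & policy.prohibited_services):
        findings.append(("prohibited-service", service))
    if device.vendor_remote_access and not policy.allow_vendor_remote_access:
        findings.append(("vendor-remote-access", "disable before connecting"))
    return findings


def accept_skid(devices: List[Device], policy: Policy):
    """Gate for the whole skid: connect only if every device has zero findings."""
    report = {d.name: assess_device(d, policy) for d in devices}
    return all(not f for f in report.values()), report


# Constructed sample. Model names, versions and default logins are hypothetical.
SITE_POLICY = Policy(
    min_firmware={"PLC-X": "21.0", "HMI-Y": "3.2"},
    factory_defaults={"PLC-X": {("admin", "admin")}, "HMI-Y": {("operator", "operator")}},
    prohibited_services={"telnet", "ftp", "vnc"},
)
ARRIVING_SKID = [
    Device("skid-plc", "PLC-X", "20.11", {"admin": "admin", "eng": "K3n-eng-2018!"},
           {"modbus-tcp", "http"}, vendor_remote_access=True),
    Device("skid-hmi", "HMI-Y", "v3.2.1", {"operator": "Pl4nt-0per!"},
           {"https", "vnc"}),
]


def run_sample_gate():
    return accept_skid(ARRIVING_SKID, SITE_POLICY)


if __name__ == "__main__":
    ok, report = run_sample_gate()
    print("CONNECT" if ok else "DO NOT CONNECT")
    for name, findings in report.items():
        for category, detail in findings:
            print(f"  {name}: {category}: {detail}")
```

The gate deliberately fails closed on an unknown model: a device with no approved baseline has not been through the design step, so it is not ready for the acceptance test either. The findings list doubles as the punch list handed back to the vendor before the skid is allowed onto the network.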

Conclusion
- The process lifecycle is ongoing, and cybersecurity is too
- Projects kick off based on an impetus
- The impetus varies with the lifecycle and events: stale or missing data in an HMI screen or historian; an incident, such as IT catching message traffic to an unknown external site; a policy violation, such as incorrect remote access; new or refurbished process equipment

Thank you
Jim McGlone, Columbus, Ohio USA
james.mcglone@kenexis.com
www.kenexis.com
+1-614-975-6783

Recommended reading:
- Industrial Automation and Control System Security Principles, Ronald L. Krutz, Ph.D., P.E.
- Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS, 1st Edition, Tyson Macaulay and Bryan L. Singer