A Strategic Approach to Industrial CyberSecurity KASPERSKY INDUSTRIAL CYBERSECURITY 2015

Do industrial control networks need protection from cyberattacks? It’s a question that, just a few years ago, was unlikely to feature in boardroom discussions at industrial enterprises. In a context where process continuity and availability come first, security was an afterthought. But everything has changed in the last few years. Multiple cyberattacks against industrial facilities around the world have demonstrated just how vulnerable industrial systems are to modern cyber weapons – and how important the cybersecurity of critical infrastructure is. It became obvious that physical isolation alone is no longer enough and more serious action must be taken.

For many years, Kaspersky Lab has worked on developing a suite of solutions that deliver cybersecurity at all tiers of the industrial network. We realise that protecting these systems isn’t easy, but it must be done – and done at the highest possible quality. It’s no exaggeration to say that industrial cybersecurity can be a matter of life and death. That’s why securing industrial and critical infrastructure is a key priority for our company.

Eugene Kaspersky

Malicious attacks on industrial systems – including industrial control systems (ICS) and supervisory control and data acquisition systems (SCADA) – have increased significantly in recent years. While physical isolation of industrial systems from external networks used to be “good enough” security, this is no longer the case. As the Stuxnet and Gauss attacks have shown, one infected USB drive is all it takes for malware to bridge the air gap and penetrate an isolated network.

There may be some overlap in the threats, but there are significant differences between the cybersecurity requirements of ICS systems and those of general business. Corporate environments focus on safeguarding confidential data; when it comes to ICS/SCADA systems, where every minute of downtime or error counts, uninterrupted operations are the ultimate priority. This is what distinguishes industrial cybersecurity from other businesses: its priorities of availability, integrity and confidentiality are often the opposite of standard business priorities.

In addition, cybersecurity solutions designed specifically to protect industrial infrastructure have to comply with various government and industry regulations, including engineering organizations and integrators.

A new approach to protecting industrial and critical infrastructure

Kaspersky Lab’s approach to protecting industrial systems is based on more than a decade’s expertise in discovering and analysing some of the world’s most sophisticated threats. Our deep knowledge and understanding of the nature of system vulnerabilities, coupled with our close collaboration with the world’s leading law enforcement, government and industrial agencies, including Interpol, various CERTs, regulators and ISA, have enabled us to take a leadership role in addressing the unique requirements of industrial cybersecurity. A practical implementation of this approach is an integrated solution that increases the availability of industrial processes by detecting and preventing actions (intentional or accidental) that result in disruption or halting of vital industrial processes.

In line with this vision, Kaspersky Lab has developed Kaspersky Industrial CyberSecurity, a solution designed specifically with the unique needs of industrial cybersecurity in mind, including a particular focus on preserving the continuity of industrial processes. The solution is intended for Ethernet-based industrial networks. Flexible, versatile settings mean the solution can be configured to meet the unique needs and requirements of individual industrial facilities.

KASPERSKY INDUSTRIAL CYBERSECURITY:

• Protects industrial enterprises from cyberthreats

• Secures industrial networks and the continuity of technological processes

• Minimizes downtime and delays in technological processes

• Includes a range of services to maximise the effectiveness of cybersecurity

The Kaspersky Lab approach

Kaspersky Industrial CyberSecurity is an integrated solution that combines functional components and protection technologies with a range of expert services. Working within service offering frameworks, complete analysis by Kaspersky experts of existing cybersecurity systems ensures optimal configuration of our protection technologies and services. In addition to providing effective implementation and support for Kaspersky Industrial CyberSecurity at all stages of the ICS lifecycle, this also enables bespoke consultations with the organization’s in-house specialists on any aspect of combating cyberthreats. This service is particularly beneficial to:

• Companies that require assistance with analysing the current state of their cybersecurity systems and identifying areas in need of upgrade;

• Companies that are already implementing a cyberthreat mitigation strategy and are evaluating different vendor offerings;

• Companies that have experienced unauthorized interference with technological processes and need emergency analysis of the source of the threat, along with incident investigation.

Flexible selection and configuration of protection components enables the provision of protection for ICS components, including PLCs, SCADA servers, HMI panels and engineer/operator workstations. This means enterprises can realise the benefits even from the earliest stages of project implementation.

Kaspersky Industrial CyberSecurity: solution structure

[Figure: Kaspersky Industrial CyberSecurity solution structure. Technologies: centralized management, anti-malware, intrusion prevention system, vulnerability management, incident investigation, integrity control, integration with other systems. Services: education and intelligence (cybersecurity training, intelligence reporting, simulation) and expert services (cybersecurity assessment, solution integration, maintenance, incident investigation).]

All Kaspersky Lab solutions are built on a common code base, helping to maximise tool efficiency and effectiveness through tight integration. The functional components of Kaspersky Industrial CyberSecurity are based on unique, proven technologies, many of them patented.

CENTRALIZED MANAGEMENT

All operations related to managing the cybersecurity system are carried out from a single console, enabling the following tasks to be performed centrally:

• system and application deployment

• security policy management

• anti-malware database updates

• control of security administrator access rights

• configuration and generation of detailed reports

ANTI-MALWARE PROTECTION

An effective combination of signature-based detection, heuristic analysis and proactive defense provides multi-tier anti-malware protection for Windows®-based nodes. A local Kaspersky Lab reputation database and tools for rolling back malicious actions further strengthen the security system, providing protection from known, unknown and complex threats.

VULNERABILITY MANAGEMENT

Kaspersky Lab technologies analyze applications and operating systems running on industrial nodes to find any vulnerabilities and any updates or patches that have not been installed. The order in which patches are installed can be prioritized both manually and automatically.

Kaspersky Industrial CyberSecurity: technologies

INTEGRITY CONTROL

On an industrial network, integrity control is achieved through integrated interaction between the following components and technologies.

Passive traffic analysis

Traffic on an industrial network is processed in passive mode without affecting the industrial network in any way. This means the solution can be easily integrated into an industrial network via a SPAN port or TAP device without the need for any additional configuration changes. This also makes Kaspersky Industrial CyberSecurity invisible to cybercriminals.

Network integrity control

This component provides industrial network integrity monitoring, including detection of devices newly connected to the network and communication between devices.

Technological process integrity control

Detects any attempts to send unauthorized commands to programmable logic controllers (PLCs), as well as attempts to set inadmissible technological process parameter values.

Application startup control

Application control, with support for dynamic whitelisting in Default Deny mode, blocks attempts to execute programs or load modules that are not whitelisted. To make configuring and debugging policies more convenient, a test mode is supported, in which a policy can be configured and tested before applying or updating Default Deny mode in a real-world environment.

Device control

This component defines which devices are allowed to connect to the industrial network’s nodes. When creating Device Control rules, administrators can apply masks to add several devices to the list.

PLC project integrity control

By continually monitoring the system, this component detects any changes to PLC projects and can notify an IT security expert.

INTRUSION PREVENTION SYSTEM

Protection from network attacks and firewall

Network activity monitoring components operating on an industrial network restrict connections to the network’s nodes and block suspicious activity.

Automatic Exploit Prevention

This technology neutralizes malware that takes advantage of software vulnerabilities in order to gain control of a computer. This technology is designed to detect specific patterns in the behavior of such malware and block it before it can execute. This is achieved by controlling the startup of vulnerable programs’ executable files and monitoring their activity.

INCIDENT INVESTIGATION SYSTEM

The event logging and data analysis systems included in Kaspersky Industrial CyberSecurity provide an effective tool for assessing cybersecurity of industrial facilities, making incident investigation possible.

INTEGRATION WITH OTHER SOLUTIONS

The technologies and components included in Kaspersky Industrial CyberSecurity provide support for transferring events to SIEM systems, SCADA systems, network management systems, or to the Syslog server via dedicated interfaces, as well as sending event information by email. This means that Kaspersky Industrial CyberSecurity can be integrated effectively into the organization’s existing work processes.

EDUCATION AND INTELLIGENCE

CyberSecurity Training

Cybersecurity provision for industrial facilities involves not only implementing automated software-based protection tools but also employee training – insufficient employee awareness of cybersecurity is a leading cause of accidental infection. Kaspersky Lab offers training courses designed for both IT security experts and ICS operators and engineers. During training, attendees receive information on relevant cyberthreats, trends in their development and effective methods for protecting against them.

Intelligence reporting

The threat landscape, including the number and type of threats, changes every day. Up-to-date information about existing threats is an essential part of improving cybersecurity levels, effective incident response and successful cyberattack blocking. Kaspersky Lab offers a regular intelligence reports service, prepared by leading cybersecurity experts and tailored to the customer’s needs, based on industry, equipment and software used etc.

Simulation

Kaspersky Lab has developed a training game for managers and technical experts. Its purpose is to increase awareness of relevant ICS cybersecurity issues, along with developing the skills needed to address and resolve them. The game simulates real-world cyberattacks on industrial automation systems, demonstrating the main issues associated with providing security for ICS. Players are provided with a broad range of tools and methods to apply to the simulated situation. An economic model is also built into the game, teaching participants how to select the optimal IT security strategy to minimize financial losses caused by cyberattacks. Different versions of the game have been developed for different industries, including water treatment, power generation and transmission, etc.

Our suite of expert services forms an important part of Kaspersky Industrial CyberSecurity and includes employee training, industrial network analysis, cybersecurity system design, solution integration, configuration proposals and security incident investigation.

Kaspersky Industrial CyberSecurity: services

EXPERT SERVICES: CYBERSECURITY ASSESSMENT

Cybersecurity assessment

The ability to identify and assess relevant cyberthreats and risks is an essential aspect of effective cybersecurity implementations. To help with this, Kaspersky Lab offers a cybersecurity assessment service for industrial facilities. Within the framework of this service, Kaspersky Lab experts, in co-operation with the company’s partners, will review existing documentation defining IT security requirements, analyze the enterprise’s industrial network and interview employees. Based on the information gathered, our experts will develop an up-to-date threat model for the customer’s industrial facility, perform an assessment of risks and provide recommendations for mitigating them.

Penetration Testing

Kaspersky Lab offers a penetration testing service. Within the framework of this service, certified Kaspersky Lab experts carry out penetration tests on the industrial control system in accordance with existing availability, integrity and confidentiality requirements for ICS – all based on international standards, including PTES, NIST 800-115 and OSSTMM. Following these tests, a report is prepared, detailing a list of 0-day vulnerabilities specific to the customer’s systems, an assessment of the test attacks carried out and recommendations for patching any vulnerabilities identified.

Architecture analysis

Cybersecurity requirements should be integrated at the system design stage when developing industrial control systems (ICS) and their components (SCADA, PLC, communication devices). Kaspersky Lab offers a service for analyzing the architecture of the customer’s industrial control systems. Within the framework of the service, cybersecurity experts will analyze the architecture of the customer’s industrial control system at the design and development stage, develop IT security requirements, create a cyberthreat model, assess risks related to vulnerabilities identified, and provide recommendations on making improvements to the architecture and system implementation.

EXPERT SERVICES: SOLUTION INTEGRATION

Policy and procedure development

Kaspersky Lab, in cooperation with its partners, offers a service for developing cybersecurity policies and procedures for customer industrial control systems. Within the framework of the service, the customer will receive a documentation package setting out the process of implementing and operating a cybersecurity system based on the customer’s specific industrial and business processes.

Solution tailoring

If a customer’s industrial control systems have a unique architecture or are based on custom hardware and software components that are not widely used in the industry, Kaspersky Lab offers a service to adapt recommended cybersecurity tools for these systems. Specifically, the service includes support for unique software and hardware systems (including SCADA, PLC) with their industrial network communication protocols. Support will also be provided for customer-specific algorithms used to control key industrial process parameters.

EXPERT SERVICES: MAINTENANCE

Technical support

Within the framework of the technical support service, Kaspersky Lab experts will help to quickly resolve any technical issues related to the operation of the industrial cybersecurity system.

Update testing

Kaspersky Lab offers a service for testing cybersecurity system component updates for compatibility with customer-specific computer-based systems prior to applying these updates to the industrial control system. This helps to maintain minimal new threat response times without the risk of technological processes being interrupted.

Regular maintenance

Some changes made to industrial IT systems (e.g. ones linked to expanding production, upgrading existing/installing new automation systems) may require additional configuration or adaptation of existing cybersecurity systems. Kaspersky Lab offers a regular maintenance service for its solutions. Within the framework of this service, Kaspersky Lab provides customers with regular assessments of how well the product is meeting their infrastructural requirements; where necessary, functional components of Kaspersky Industrial CyberSecurity will be reconfigured or updated.

EXPERT SERVICES – INCIDENT INVESTIGATION

Malware analysis

Kaspersky Lab offers a malware analysis service designed for organizations that have specialists with the skills to detect malware that has penetrated the industrial network. Within the framework of the service, Kaspersky Lab experts will categorize the malware sample received from the customer, analyze its functions and behavior and develop recommendations and a plan to remove that malware and roll back any malicious actions. All the information obtained during analysis is provided to the customer in a detailed report.

Incident remediation

As part of cybersecurity incident investigation, Kaspersky Lab experts will collect and analyze data, reconstruct the timeline of an incident, determine possible sources and reasons and develop a plan to provide remediation.

About Kaspersky Lab

Kaspersky Lab is one of the world’s fastest-growing cybersecurity companies and the largest that is privately owned. The company is ranked among the world’s top four vendors of security solutions for endpoint users (IDC, 2014). Since 1997 Kaspersky Lab has been an innovator in cybersecurity and provides effective digital security solutions and threat intelligence for large enterprises, SMBs and consumers. Kaspersky Lab is an international company, operating in almost 200 countries and territories across the globe, providing protection for over 400 million users worldwide. Learn more at www.kaspersky.com

© 2015 Kaspersky Lab AO. All rights reserved. Registered trademarks and service marks are the property of their respective owners.