8/2/2019 Getting Physical With Security Risk & Compliance ISACA 9-20-11 PDF
1/37
2011 ISACA. All rights reserved.
Getting Physical with Security, Risk and Compliance
Mark L. Feldman, Ph.D.
AlertEnterprise, Inc.

Daffy Duck Syndrome

Pop Quiz
What is the difference between Risk & Uncertainty?
So what?
Too many locations, targets, points of entry and threats
Too much data
Too fast
Too many sources
Too many distributed assets
Too many data silos
Too little context, all of the time
Hazards: Safety, Security, Revenue, Cost, Reputation, Operator Confidence

No Gorillas!

The Mad Hatter Response

What's Missing?
The Big Picture
Context: not only what, but what else
Real-time interaction across systems:
Physical
IT
Industrial control
Safety and environmental
Automated, rules-based prevention of access and authorization violations

Why It's Important
Blended Threats at the Simplest Level
Logged in remotely & physically
Active online after badging out
After-hours physical access
Violation of segregation of physical / logical access
Account sharing
Disgruntled employees/contractors

Why It's Important
Blended Threats: A Path to...
Sensitive asset diversion: dangerous chemicals, pathogens, nuclear material
Cyber attacks: utilities (water, power, gas), smart grid, transportation
Terrorism: chemicals stolen to make explosives
Bio-terrorism: food & beverage, consumer products

Threats & Responses are Increasingly Complex
Up against organized and state-sponsored crime
Often invisible and distant, and zealots
Geographically distributed assets/locations
Guards with guns?
Technology challenges: weather, mobile assets
Remote monitoring and response challenges
Is it natural, mechanical or man-made?
Weather, equipment failure, deliberate acts
Fast AND informed response
Interoperable systems
Correlated data and rules

Top Targets

Why Critical Infrastructure?
Large Targets
Control Systems
Linkage to Corporate Networks
Dispersed Assets
Highly visible targets
Not designed with security in mind
Integration with business creates more vulnerability
Gates, guns and guards not effective over thousands of miles

Why Critical Infrastructure?
Creating a catastrophic incident is possible
Impact large populations
Gain attention
Loss of public confidence in government
Instill fear

Bio-Terror: Systems Disabled, Material Altered and Contaminated
A CREDIBLE THREAT: Food Processing Plant Contaminated
Late night intruders entered plant, accessed inventory system and adjusted the food production control system to remove preservatives.
Result: Economic loss and health risks to consumers
Highlights
After-hours physical intrusion
Adjusted production cycle via inventory system
Control system production settings changed
Why it happened
No correlated event monitoring
Physical security teams received no signal of systems tampering
Control systems do not have access security

Bhopal Tragedy: Deliberate Disabling of Safety System
CREDIBLE THREAT: Deliberate Disabling of Safety System
Poisonous gas flooded Bhopal, India the night a refinery water tank ruptured. Citizens woke to burning sensation in lungs. Thousands died immediately and many trampled in the panic.
Result: Loss of life, high economic and reputational cost
Highlights
Large amount of water entered tank containing 42 metric tons of methyl isocyanate.
Exothermic reaction raised pressure to level tank was not designed to withstand.
Why it happened
Primary safety system turned off by staffer to save cost
Poor maintenance and compliance status not visible
Changes to SCADA configurations and privileged user actions not visible to security.

Texas City, TX Explosion: Unauthorized Override, Slow Response
CREDIBLE THREAT: Explosive vapor causes Refinery Explosion
Major explosion in isomerization unit at Texas City Refinery, 3rd largest in US. Explosion killed 15, injured over 170.
Result: Loss of life, high economic, legal and reputational cost.
Highlights
Unauthorized action leads to tank overfill, exceeding pressure limits
Tank ruptures at top, creating pool of combustible liquid
A running truck ignites vapor cloud above the liquid.
Why it happened
Operator actions not monitored
No adequate authorization or process controls
No audit trail to determine who, what, when, so no determination of malicious or unintentional

Government Regulators Pressing Physical/Cyber Security
Government Agency: Critical Infrastructure
Homeland Security: Information technology; Telecommunications; Chemicals; Transportation systems (mass transit, aviation, maritime, ground/surface, and rail and pipeline systems); Emergency services; Postal and shipping services
Agriculture: Agriculture, food (meat, poultry, egg products)
Health and Human Services: Public health, healthcare, and food (other than meat, poultry, egg products)
EPA: Drinking water and waste water treatment systems

Government Regulators Pressing Physical/Cyber Security
Government Agency: Critical Infrastructure
Energy: Energy, including the production, refining, storage, and distribution of oil and gas, and electric power
Treasury: Banking and finance
Interior: National monuments and icons
Defense: Defense industrial base
Nuclear Regulatory Commission: Commercial nuclear power facilities and storage & transport of nuclear materials (in coordination with DOE & DHS)

Regulatory Rorschach

Situational Intelligence
Sorting out simultaneous events to understand relationships between objects, functions and events in real-time
Inputs to correlate:
Operating status
Out-of-band performance
Unscheduled physical access
Weather conditions, other natural events
Online chatter - activism
Unauthorized use of resources
Performance history
Port scans
Unauthorized systems access
Configuration changes
Policy changes
User access to assets
Incident alerts
Error conditions
Non-privileged access
KPIs
Maintenance history

Two Big Challenges
Reduce risk & uncertainty by:
Accelerating INFORMED action-taking and event resolution;
AUTOMATING compliance documentation of adherence to policies, procedures and regulations

Solution
Accelerate informed decision-making, action-taking and compliance:
Integrate real-time data on access, authorization and changes to physical, logical and control systems
Execute rules-based correlation
Add information on external context (what else? natural? man-made?)
Automate online action scripts
Automated audit trail as documentation for regulatory compliance and audit
Benefits:
Security, Safety, Revenue protection, Cost reduction, Regulatory compliance

Integrate Threat Signals Across IT Systems, Physical Security and Control Systems
Detect: Risk analysis across all three domains
Prevent: Identify and eliminate risks before they manifest, from threats, sabotage and terrorism
Respond: Incident management with built-in programmed remediation
Comply: Policy based (compliance to various regulations / policies)

Terminated user has Physical access to Critical Cyber Assets
Terminated Employee has Physical Access to Substation

Predictive Analytics can Identify Risks

Automated Remediation and Prevention

Dashboard with Real-Time Monitoring and Active Policy Enforcement

Situational Awareness: Converged Dashboard for Oil & Gas Industry
Dashboard panels: Well Trend; User Based Risk Analysis

Airport Security: Integrating Identity Data with Physical Security Information

Detect Unauthorized Access Attempt

Automating Incident Management and Response
Identify & Confirm
Initiate Notification Workflow
Initiate Lockdown
Notify First Responders for Dispatch

Geospatial view of Substation

High severity drill-down for detail

Substation Sabotage risk!

Access Live Video and Initiate Physical Lockdown

Recommendation to Protect Critical Infrastructure
Create an Integrated View of Incidents: Physical; Logical; Industrial Controls; External Factors
Correlate data in real time & log action taken
Rules based
Automated audit trail for documented compliance
Monitor Insiders with Privileged Access
Monitor Risks by Status/Severity Level
Segregation of Access
Establish mitigating controls with special access

About AlertEnterprise: True Prevention of Theft, Sabotage and Acts of Terrorism
Most Innovative Company Awards: RSA Security Conference 09; Security Summit 09; Demo Jam at SAP TechEd 08; ASIS Top 10 Award 09; Gartner Cool Vendor 2010
Key Partners: SAP, Cisco, HP, IBM, PwC, Deloitte, SAIC
Physical Security: GE, JCI, Lenel
Plant Security: OSIsoft, Matrikon
Unique Differentiators: Security Convergence; Active Policy Enforcement; True prevention of theft, sabotage, terrorism; Eliminating Silos (IT, Physical, Operational Systems)
Flagship Customers: Florida Power & Light, Oklahoma Gas & Energy, Coca-Cola, Cisco, TSA
Special Projects: NERC Monitoring of unmanned critical assets; Smart Grid Cyber Security pilot with top utilities; Nuclear Cyber Security
Experienced Team with Unparalleled Track Record: Founded Application Security Company Virsa (now SAP GRC)
AlertEnterprise Confidential Information

No Gorillas!
Thank You!
Mark L. Feldman, Ph.D.
AlertEnterprise