ICS Cyber Security Briefing

ICS Cyber Security Briefing - HPI, LLC · The Silicon Valley power substation that was attacked by a sniper in April 2013 was hit by thieves early Wednesday morning, according to


Page 1

ICS Cyber Security Briefing

Page 2

About John Ballentine

John Ballentine, Director of Cyber Security & Compliance

• Assists HPI customers by reducing their cyber security risk in industrial control system environments.

• Develops programs that identify, manage and mitigate compliance and regulatory risks.

Who is John Ballentine? Over 20 years of experience in the energy industry, including corporate and consulting roles managing cyber security and regulatory compliance at power generation facilities in North America.

Certifications:

• CISSP: Certified Information Systems Security Professional

• CISA: Certified Information Security Auditor

• CCEP: Certified Compliance and Ethics Professional

• GLEG: Certified Information Law Specialist

• CSSA: Certified SCADA Security Architect

Industry service includes:

• Board of Directors, North American Generator Forum (NAGF)

• US Department of Homeland Security, Cyber Emergency Response Team

• Graduated from US FBI Compliance Academy

Page 3

Security, Security, Security

HPI LLC Proprietary Information

Page 4

They Strike Again (Really!)

California Power Station Attacked in 2013 is Struck Again

By Matthew L. Wald, August 28, 2014

Back Up Attack

The Silicon Valley power substation that was attacked by a sniper in April 2013 was hit by thieves early Wednesday morning, according to the Pacific Gas and Electric Company, despite increased security. The substation, near San Jose, Calif., is the source of energy for thousands of customers, and the idea that it was the target of a well-organized attack, and that it might have been disabled for an extended period, raised anxieties about the possible broader vulnerability of the grid. The attack this week did not involve gunfire, and it did not seem intended to disable the facility.

Early Wednesday, an unknown number of thieves cut through a fence and made off with power tools, a pipe bender and ground compactors used to smooth out dirt after excavations, said Keith F. Stephens, a spokesman for Pacific Gas and Electric. The substation has an alarm system, but the “fence alarms that went on overnight were not reacted to or addressed in an appropriate manner,” Mr. Stephens said. He added that the problem was a result of “human error.” The company has not determined the value of the items taken. The intruders did not appear to try to damage operating equipment, Mr. Stephens said.

In the 2013 attack, shots were fired into the radiators of giant transformers, disabling but not destroying them. Two manhole covers were removed, and communications lines were cut. The utility said damages came to $15.4 million. Some of the transformers were repaired using components borrowed from other utilities; others had been nearing retirement anyway and were replaced.

Page 5

THE ICS SECURITY LANDSCAPE

Page 6

Security as a Governance and Practical Matter

Security, whether cyber or physical, impacts how energy companies plan, manage and maintain their business objectives.

Executives and managers face increasing challenges managing the threats and potential impacts from security issues.

HPI’s customers typically operate facilities that are vulnerable to attack, and can ill afford business interruption.

Our customers need effective strategies to properly design, plan, implement and maintain a security program to meet the modern challenges they face.

Page 7

Industrial Control Systems

Distributed Control System (DCS) and Process Control Systems

• A group of computers and/or smart field devices networked together to monitor and control industrial processes with direct feedback control.

• Control systems operate in near real-time and are used in critical sectors such as power generation, oil and gas refining, water treatment, chemicals, etc.

• May consist of HMIs, PLCs, standalone power electronic controllers, microgrid controllers, and substation automation systems.

Supervisory Control and Data Acquisition (SCADA) System

• Normally applied to systems connected to devices over a larger area, including multiple buildings or devices many miles away.

• The operative word is SUPERVISORY; used in critical sectors such as electrical transmission and distribution, oil and gas pipelines, water/sewer and transportation.

Page 8

Power System ICS Footprint

• Generator Control Systems

• SmartGrid Control and Automation Systems

• Utility Monitoring and Control Systems

• Supervisory Control and Data Acquisition (SCADA) Systems: transmission and distribution

• Fuel Management Systems

• Power Quality and UPS Systems

• Renewable Energy Control Systems

Page 9

Information vs. Operations Technologies

| Attribute | Corporate Office/IT | Utility/OT/ICS |
| --- | --- | --- |
| Security Focus | Confidentiality, Integrity | Availability |
| People/Equipment Ratio | Number of people roughly equals number of equipment items | Few people, many types of equipment |
| Object Under Protection | Information | Industrial process |
| Risk Impacts | Information disclosure (privacy), economic, legal liability for damages | Safety (life), health, environment, loss of production, downtime, repairs |
| Availability Requirements | 95-99%/year (moderate acceptable downtime) | 99.9-99.999%/year (no acceptable downtime) |
| System Lifetime | 3-5 year replacement cycles | 15-30 years |
| Main Protected Target | Central servers (CPU, memory) and PCs | Servers, distributed systems, sensors, PLCs |
| Operating Systems | Windows | Windows and proprietary |
| Software | Consumer software on PCs | Specific, customized configurations |
| Protocols | Well known (HTTP over TCP/IP), web-based | Industrial TCP/IP, vendor specific, polling |
| Main Actors | IBM, SAP, Oracle | ABB, Siemens, Honeywell, Emerson |

Page 10

THREAT ASSESSMENT

Page 11

Security Threats from Every Direction

Internally, externally, domestically, internationally, our clients must prepare to identify and meet the threats head on:

• Blunders, errors and omissions

• Curiosity and ignorance, recreational and malicious hackers

• Disgruntled employees, insiders

• Industrial and foreign espionage and information warfare

• Fraud and theft, criminal activity

• Malicious code

Page 12

Attack Modes for ICS

• Loss of View

• Manipulation of View

• Denial of Control

• Manipulation of Control

• Total Loss of Control

Page 13

Cyber Intrusion Sequence

1. Surveillance

2. System Mapping

3. Initial Infection

4. Information Exfiltration

5. Launch Attack

Pen Test; Incident Detection/Response

Page 14

Attack Sources

1. External threats/hacktivism

2. Insider exploits or other internal activities

3. Security policy violations, malware and email phishing

4. Industrial espionage

Page 15

Attack Vectors: Method of Compromise

Pie chart of compromise methods: Web Management Console, Missing patches, Weak passwords, Social Engineering, File Upload. Shares shown: 62%, 22%, 10%, 4%, 2% (listed without their labels).

Page 16

Attack Vectors: Time to Break-In

• Less than 1 Hour: 12%

• 1-4 Hours: 18%

• 4-8 Hours: 29%

• 8-16 Hours: 41%

Page 17

Attack Vectors: Level of Compromise

Pie chart of compromise levels: External Admin Access, Internal User Access, Internal Admin Access, External User Access, Complete Internal Compromise. Shares shown: 7%, 16%, 11%, 38%, 28% (listed without their labels).

Page 18

How Attackers Navigate in ICS

Page 19

SECURITY PLAN AND APPROACH

Page 20

Framework Core

• Identify: Institutional understanding to manage cyber security risk.

• Protect: Safeguards to ensure delivery of CI services.

• Detect: Identify the occurrences of a cyber security event.

• Respond: Take action to address a detected cyber security event.

• Recover: Restore impaired capabilities or CI services after a cyber security event.

Page 21

Keys to Securing Your Operations Technology

• Assess existing systems, and document policies and procedures.

• Train personnel and contractors.

• Segment the control network, and control system access.

• Harden system components.

• Monitor and maintain system security.

Page 22

Importance of Establishing ICS Security Policies

• Demonstrates Support: Demonstrates management support and direction.

• Company Protection: Protects the company and preserves management options in the event of a security incident.

• Sets Expectations: Provides guidance and communicates expectations to employees and suppliers.

• Technology Independent: Stays as technology independent as possible.

• Structure Analysis: Outlines what to achieve, not how to achieve it.

Page 23

Cyber Security Vulnerability Assessment

Expert analysis of the control system to identify actual and potential security vulnerabilities, covering:

• Network architecture diagrams

• Network component and host device configurations

• Access control strategies

• Software and firmware versions

• Policies and procedures

Page 24

Implementation Phase

Page 25

Security Network Design Goals

Restrict physical access to the ICS network and devices

• Unauthorized physical access to components could cause serious disruption of the ICS’s functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.

Restrict logical access to the ICS network and network activity

• This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
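One way to check a zone-based firewall policy against the logical-access goals above (no direct corporate-to-ICS path, every allow names a service, explicit default deny), as an added example that is not HPI's code or any vendor's tool. The zone names, the rule format and both sample policies are constructed for illustration.

```python
"""Check an ordered, zone-based firewall policy against the logical-access
design goals: corporate and ICS zones must never exchange traffic directly
(only through the DMZ), allow rules must name a service, and the policy must
end with an explicit default deny.

Added example, not HPI's code. Zone names ("corp", "dmz", "ics"), the rule
format and both sample policies are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str     # source zone: "corp", "dmz", "ics" or "any"
    dst: str     # destination zone
    proto: str   # "tcp", "udp" or "any"
    port: str    # destination port as a string, or "any"
    action: str  # "allow" or "deny"


def check_policy(rules):
    """Return a list of violations (empty when the policy meets the goals)."""
    violations = []
    for i, r in enumerate(rules, start=1):
        if r.action != "allow":
            continue
        # Goal: no direct path between corporate and ICS in either direction;
        # allowed traffic must terminate in the DMZ (historian, jump host...).
        if {r.src, r.dst} == {"corp", "ics"} or "any" in (r.src, r.dst):
            violations.append(
                f"rule {i}: {r.src}->{r.dst} allows traffic that bypasses the DMZ")
        # Goal: allows name a protocol and port; 'any' exposes a whole zone.
        if r.proto == "any" or r.port == "any":
            violations.append(
                f"rule {i}: {r.src}->{r.dst} allows any service; name the port")
    last = rules[-1] if rules else None
    if last is None or (last.action, last.src, last.dst) != ("deny", "any", "any"):
        violations.append("policy does not end with an explicit any->any deny")
    return violations


# Weak policy: a flat allow between the corporate and ICS networks, no
# service restriction and no closing deny.
WEAK_POLICY = [
    Rule("corp", "ics", "any", "any", "allow"),
    Rule("corp", "dmz", "tcp", "443", "allow"),
]

# Corrected policy: corporate users reach only the DMZ historian's web
# front end; the ICS pushes data to the DMZ historian (port assumed for the
# example); everything else is denied.
CORRECTED_POLICY = [
    Rule("corp", "dmz", "tcp", "443", "allow"),
    Rule("ics", "dmz", "tcp", "5432", "allow"),
    Rule("any", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, check_policy(policy) or ["ok"])
```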

Page 26

Security Network Design and Installation

Page 27

Maintain Phase

Security countermeasures must be monitored and maintained:

• Evaluate, test and deploy patches prudently.

• Monitor system logs.

• Plan and prepare incident response plans and drills.

Page 28

Steps to Improve Cyber Security of SCADA Networks

• Identify all connections to SCADA networks. Disconnect unnecessary connections.

• Evaluate/strengthen security of any remaining connections to the SCADA network.

• Harden SCADA networks by removing unnecessary services.

• Don’t rely on proprietary protocols to protect the system.

• Implement security features provided by device and system vendors.

• Establish strong controls over any medium used as a backdoor into the SCADA network.

• Implement internal and external intrusion detection systems and establish 24-hour incident monitoring.

• Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns.

• Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security.

Page 29

• Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios.

• Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators and users.

• Document network architecture and identify systems that serve critical functions or contain sensitive information requiring additional protection.

• Establish a rigorous, ongoing risk management process.

• Establish a network protection strategy based on the principle of defense-in-depth.

• Clearly identify cyber security requirements.

• Establish effective configuration management processes.

• Conduct routine self-assessments.

• Establish system backups and disaster recovery plans.

• Senior leadership should establish expectations for cyber security performance and hold individuals accountable for their performance.

• Establish policies and train to minimize the likelihood that personnel will disclose information regarding the SCADA system, operations or security controls.
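The first steps in the list above (identify every connection to the SCADA network, disconnect the unnecessary ones, control any medium used as a backdoor) start with an inventory; here is one built from flow records, as an added example that is not HPI's code or part of the original step list. The SCADA address range, the sanctioned-connection register and the flow records are constructed for illustration.

```python
"""Inventory of connections crossing the SCADA network boundary, built from
flow records, to support the steps: identify every connection into the SCADA
network and single out the ones that are not sanctioned.

Added example, not HPI's code. The SCADA address range, the sanctioned
connection register and the flow records are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

SCADA_NET = ipaddress.ip_network("10.50.0.0/16")   # constructed control-network range

# Register of approved connections: (src host, dst host, proto, dst port).
SANCTIONED = {
    ("10.20.1.15", "10.50.1.10", "tcp", 502),   # engineering workstation -> PLC, Modbus/TCP
    ("10.50.1.10", "10.20.1.40", "tcp", 5432),  # historian feed out of the SCADA net
}

# Constructed flow records (src, dst, proto, dst port), as a NetFlow export
# or firewall connection log would provide them.
FLOWS = [
    ("10.20.1.15", "10.50.1.10", "tcp", 502),
    ("10.50.1.10", "10.20.1.40", "tcp", 5432),
    ("10.20.7.9", "10.50.1.10", "tcp", 502),    # unregistered host speaking Modbus
    ("203.0.113.7", "10.50.2.3", "tcp", 3389),  # remote desktop from outside: review as a backdoor
    ("10.50.1.11", "10.50.1.12", "tcp", 20000), # SCADA-internal: not a boundary crossing
]


def crosses_boundary(src, dst):
    """True when exactly one endpoint lies inside the SCADA network."""
    return (ipaddress.ip_address(src) in SCADA_NET) != (ipaddress.ip_address(dst) in SCADA_NET)


def inventory(flows, sanctioned=SANCTIONED):
    """Split boundary-crossing flows into sanctioned and unsanctioned.

    Unsanctioned flows are grouped by the non-SCADA peer, which is the list
    the team works through to evaluate, strengthen or disconnect each one.
    """
    sanctioned_seen, unsanctioned = [], defaultdict(list)
    for src, dst, proto, port in flows:
        if not crosses_boundary(src, dst):
            continue
        if (src, dst, proto, port) in sanctioned:
            sanctioned_seen.append((src, dst, proto, port))
            continue
        peer = dst if ipaddress.ip_address(src) in SCADA_NET else src
        unsanctioned[peer].append((src, dst, proto, port))
    return sanctioned_seen, dict(unsanctioned)


if __name__ == "__main__":
    ok, bad = inventory(FLOWS)
    print(f"{len(ok)} sanctioned boundary connections")
    for peer, conns in bad.items():
        print(f"unsanctioned peer {peer}: {conns}")
```

Re-running the inventory after each disconnection, and feeding the register to the intrusion detection systems the later step calls for, turns a one-time cleanup into the 24-hour monitoring the list asks for.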

Page 30

THE HPI ADVANTAGE

Page 31

HPI Security Approach: Prevent, Detect & Recover

Whether you need a full compliance or security solution, or are preparing for an audit or internal control review, HPI’s experience as operators will maximize your return on investment.

Prevention

• People: trained and alert

• Technology: managing systems

• Processes: mitigating risks

Detection & Notification

• Network access monitoring

• Anomaly detection

• Active intrusion monitoring

Recovery & Restoration

• Back-up restoration management

• Annual compliance testing

Page 32

HPI Cyber Security & Compliance Service Offerings

There IS a starting and end point to get your company optimized to face the threats and reduce the likelihood of interrupting your business:

| | Assessment and Risk Benchmarking | Mitigation and Design Services | Implementation and Monitoring |
| --- | --- | --- | --- |
| Cyber Security | Systems and Network Risk Assessment; Cyber Vulnerability Assessment (NERC CVA); Standards-based Audits | Security Architecture; Operations Network Security Upgrade; Remediation and Recovery Plans | Security System Conversion; Hardware and Software Monitoring; System Restoration |
| Compliance | Applicability Assessments; Controls and Policies Reviews; Mock Audits | Compliance Mitigation Plans; Compliance Filings with Govt Agencies; Overall Compliance Program Design | Corp Compliance Program Implementation; Install GRC Software and Configure for Monitoring; Compliance-as-a-Service |

Page 33

Defense in Depth Focus Areas

HPI subscribes to the “Defense in Depth” approach of the cyber security professional community.

Defend the computing environment

• End-user environment

• Application security

Defend the network and infrastructure

• Backbone network availability

• Wireless network security

• System interconnections

Defend the enclave boundary

• Network access protection

• Remote access

• Multi-level security

Page 34

Bridging the ICS Security Specialization Skill Gap

Many organizations substitute Information Technology/Network Specialists for Information Security Specialists.

Most IT/Network personnel possess few of the security skills needed to harden a network. Even fewer have the capability to secure an ICS network.

HPI has cyber security skills in the energy industry ICS, the rarest and most sought-after skill set in the industry.

IT Professionals

Cyber security professionals

Control system professionals

Control System Cyber Security Professionals

Page 35

Independent Architect and Audit Services

Need temporary personnel to fill a missing internal link? We can deploy on short notice to help out. Already have an ICS cyber security team, and just need to “fill the gaps”? HPI has you covered:

• Security designs (physical and cyber)

• Program implementation assessments

• Compliance gap analysis; mock audits and gap closures

• Self-reports and mitigation planning

• System recovery on short notice

Page 36

Training and Compliance Monitoring Services

TRAINING SOLUTIONS: Most clients have broad compliance and security programs with prescribed goals that often require training to achieve objectives. HPI has teamed with online training delivery systems, and can have your course up and running in weeks.

COMPLIANCE SERVICES: Whether you’re in need of frequent determinations or updates on your compliance status or regulatory due diligence on potential acquisitions, HPI has you covered.

Page 37

The HPI Differentiator: Why work with us?

HPI designs, builds, operates, controls, maintains and repairs power generation facilities; it’s in our DNA.

Generic security consultants cannot match our comprehensive understanding of how those areas link together and form an aligned approach.

Unlike vendors that sell newfangled technology solutions or pre-packaged systems, HPI customizes security solutions that significantly reduce risk.

Every area of HPI is completely aligned to the cyber security challenge as the key to protecting our clients’ assets.

“HPI customers must be secure so that they can focus on their core business of efficiently producing power to the grid.”

- Hal Pontez, HPI President & CEO

Page 38

Contact Us

OFFICE: 713.457.7500 CELL: 512.705.7242 EMAIL: [email protected]

https://www.facebook.com/hpillc @hpienergy https://www.linkedin.com/company/hpi-llc/

www.hpienergy.com