ICS Cyber Security Briefing
About John Ballentine
John Ballentine, Director of Cyber Security & Compliance
• Assists HPI customers by reducing their cyber security risk in industrial control system environments.
• Develops programs that identify, manage and mitigate compliance and regulatory risks.
Who is John Ballentine? Over 20 years of experience in the energy industry, including corporate and consulting roles managing cyber security and regulatory compliance at power generation facilities in North America.
Certifications:
• CISSP: Certified Information Systems Security Professional
• CISA: Certified Information Security Auditor
• CCEP: Certified Compliance and Ethics Professional
• GLEG: Certified Information Law Specialist
• CSSA: Certified SCADA Security Architect
Industry service includes:
• Board of Directors of the North America Generator Forum (NAGF)
• US Department of Homeland Security Cyber Emergency Response Team
• Graduated from US FBI Compliance Academy
Security, Security, Security
HPI LLC Proprietary Information
They Strike Again (Really!)
California Power Station Attacked in 2013 is Struck Again
By Matthew L. Wald, August 28, 2014
Back Up Attack
The Silicon Valley power substation that was attacked by a sniper in April 2013 was hit by thieves early Wednesday morning, according to the Pacific Gas and Electric Company, despite increased security. The substation, near San Jose, Calif., is the source of energy for thousands of customers, and the idea that it was the target of a well-organized attack, and that it might have been disabled for an extended period, raised anxieties about the possible broader vulnerability of the grid. The attack this week did not involve gunfire, and it did not seem intended to disable the facility.
Early Wednesday, an unknown number of thieves cut through a fence and made off with power tools, a pipe bender and ground compactors used to smooth out dirt after excavations, said Keith F. Stephens, a spokesman for Pacific Gas and Electric. The substation has an alarm system, but the “fence alarms that went on overnight were not reacted to or addressed in an appropriate manner,” Mr. Stephens said. He added that the problem was a result of “human error.” The company has not determined the value of the items taken. The intruders did not appear to try to damage operating equipment, Mr. Stephens said.
In the 2013 attack, shots were fired into the radiators of giant transformers, disabling but not destroying them. Two manhole covers were removed, and communications lines were cut. The utility said damages came to $15.4 million. Some of the transformers were repaired using components borrowed from other utilities; others had been nearing retirement anyway and were replaced.
THE ICS SECURITY LANDSCAPE
Security as a Governance and Practical Matter
Security, whether cyber or physical, impacts how energy companies plan, manage and maintain their business objectives.
Executives and managers face increasing challenges managing the threats and potential impacts from security issues.
HPI’s customers typically operate facilities that are vulnerable to attack and can ill afford business interruption.
Our customers need effective strategies to properly design, plan, implement and maintain a security program to meet the modern challenges they face.
Distributed Control System (DCS) and Process Control Systems
• A group of computers and/or smart field devices networked together to monitor and control industrial processes with direct feedback control.
• Control systems operate in near real-time and are used in critical sectors such as power generation, oil and gas refining, water treatment, chemicals, etc.
• May consist of HMI, PLCs, standalone power electronic controllers, microgrid controllers, and substation automation systems.
Supervisory Control and Data Acquisition (SCADA) System
• Normally applied to systems connected to devices over a larger area, including multiple buildings or sites many miles away.
• The operative word is SUPERVISORY; used in critical sectors such as electrical transmission and distribution, oil and gas pipelines, water/sewer and transportation.
Industrial Control Systems
Power System ICS Footprint
• Generator Control Systems
• SmartGrid Control and Automation Systems
• Utility Monitoring and Control Systems
• Supervisory Control and Data Acquisition (SCADA) Systems: transmission and distribution
• Fuel Management Systems
• Power Quality and UPS Systems
• Renewable Energy Control Systems
Information vs. Operations Technologies

| | Corporate Office / IT | Utility / OT / ICS |
|---|---|---|
| Security Focus | Confidentiality, Integrity | Availability |
| People/Equipment Ratio | Number of people roughly equals number of equipment | Few people, many types of equipment |
| Object Under Protection | Information | Industrial process |
| Risk Impacts | Information disclosure (privacy), economic, legal liability for damages | Safety (life), health, environment, loss of production, downtime, repairs |
| Availability Requirements | 95-99%/year (moderate acceptable downtime) | 99.9-99.999%/year (no acceptable downtime) |
| System Lifetime | 3-5 year replacement cycles | 15-30 years |
| Main Protected Target | Central servers (CPU, memory) and PCs | Servers, distributed systems, sensors, PLCs |
| Operating Systems | Windows | Windows and proprietary |
| Software | Consumer software on PCs | Specific, customized configurations |
| Protocols | Well known (HTTP over TCP/IP), web-based | Industrial TCP/IP, vendor specific, polling |
| Main Actors | IBM, SAP, Oracle | ABB, Siemens, Honeywell, Emerson |
THREAT ASSESSMENT
Security Threats from Every Direction
• Blunders, errors and omissions
• Curiosity and ignorance, recreational and malicious hackers
• Disgruntled employees, insiders
• Industrial and foreign espionage and information warfare
• Fraud and theft, criminal activity
• Malicious code
Internally, externally, domestically, internationally, our clients must prepare to identify and meet the threats head on.
Attack Modes for ICS
• Loss of View
• Manipulation of View
• Denial of Control
• Manipulate Control
• Total Loss of Control
Cyber Intrusion Sequence
1. Surveillance
2. System Mapping
3. Initial Infection
4. Information Exfiltration
5. Launch Attack
Defensive activities mapped against the sequence on the slide: Pen Test; Incident Detection/Response
Attack Sources
• External threats/hacktivism
• Insider exploits or other internal activities
• Security policy violations, malware and email phishing
• Industrial espionage
Attack Vectors: Method of Compromise (chart)
Categories: Web Management Console, Missing patches, Weak passwords, Social Engineering, File Upload
Values shown: 2%, 4%, 10%, 22%, 62%
Attack Vectors: Time to Break-In (chart)
• Less than 1 Hour: 12%
• 1-4 Hours: 18%
• 4-8 Hours: 29%
• 8-16 Hours: 41%
Attack Vectors: Level of Compromise (chart)
Categories: External Admin Access, Internal User Access, Internal Admin Access, External User Access, Complete Internal Compromise
Values shown: 7%, 16%, 11%, 38%, 28%
How Attackers Navigate in ICS
SECURITY PLAN AND APPROACH
Framework Core
• Identify: Institutional understanding to manage cyber security risk
• Protect: Safeguards to ensure delivery of CI services
• Detect: Identify the occurrences of a cyber security event
• Respond: Take action to address a detected cyber security event
• Recover: Restore impaired capabilities or CI services after a cyber security event
Keys to Securing Your Operations Technology
• Assess existing systems, and document policies and procedures.
• Train personnel and contractors.
• Segment the control network, and control system access.
• Harden system components.
• Monitor and maintain system security.
Importance of Establishing ICS Security Policies
• Demonstrates Support: Demonstrates management support and direction.
• Company Protection: Protects the company and preserves management options in the event of a security incident.
• Sets Expectations: Provides guidance and communicates expectations to employees and suppliers.
• Technology Independent: Stays as technology independent as possible.
• Structure Analysis: Outlines what to achieve, not how to achieve it.
Cyber Security Vulnerability Assessment
Expert analysis of the control system to identify actual and potential security vulnerabilities, covering:
• Network architecture diagrams
• Network component and host device configurations
• Access control strategies
• Software and firmware versions
• Policies and procedures
Implementation Phase
Security Network Design Goals
Restrict physical access to the ICS network and drives
• Unauthorized physical access to components could cause serious disruption of the ICS’s functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.
Restrict logical access to the ICS network and network activity
• This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
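The logical-access goal above (no traffic passing directly between the corporate and ICS networks, a DMZ in between, and only needed services reaching the most critical layer) can be checked mechanically against a firewall rule set. The following Python script is an added example, not part of the HPI briefing: the three-zone address plan, the rule names and the approved ICS service list (Modbus/TCP on port 502) are assumptions constructed for illustration.

```python
"""Audit firewall rules against a three-zone ICS network design.

Added example, not part of the HPI briefing. The zone address plan, the
rule set and the approved-service list are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network

# Constructed address plan: one range per zone (assumption of this example).
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "ics": ip_network("192.168.100.0/24"),
}

# Services the ICS zone may accept. Only DMZ hosts should reach these, so a
# corporate source is flagged regardless of port. Port 502 (Modbus/TCP) is an
# assumed example of a polling protocol, not something the briefing names.
APPROVED_ICS_SERVICES = {502: "Modbus/TCP polling from the DMZ data collector"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # source CIDR
    dst: str     # destination CIDR
    dport: int   # destination port; 0 means any port
    action: str  # "allow" or "deny"


def zone_of(cidr: str) -> str:
    """Map a CIDR to the zone that contains it, or "other" if none does."""
    net = ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "other"  # 0.0.0.0/0 or an undefined range lands here


def audit(rules: list[Rule]) -> list[str]:
    """Return one finding per design-goal violation in the allow rules."""
    findings: list[str] = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules cannot open a path
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        # Goal: no traffic passes directly between corporate and ICS networks.
        if {src_zone, dst_zone} == {"corporate", "ics"}:
            findings.append(f"{r.name}: direct {src_zone}->{dst_zone} path bypasses the DMZ")
        if dst_zone == "ics":
            # Goal: the most critical layer only talks to known, defined peers.
            if src_zone == "other":
                findings.append(f"{r.name}: source {r.src} is outside every defined zone")
            # Goal: remove unnecessary services from the control network.
            if r.dport == 0:
                findings.append(f"{r.name}: any-port access into the ICS zone")
            elif r.dport not in APPROVED_ICS_SERVICES:
                findings.append(f"{r.name}: port {r.dport} is not an approved ICS service")
    return findings


# Constructed rule set with two rules that violate the design goals.
SAMPLE_RULES = [
    Rule("corp-to-dmz-historian", "10.10.0.0/16", "10.20.0.0/24", 443, "allow"),
    Rule("dmz-collector-to-plcs", "10.20.0.10/32", "192.168.100.0/24", 502, "allow"),
    Rule("legacy-vendor-rdp", "10.10.5.0/24", "192.168.100.0/24", 3389, "allow"),
    Rule("any-to-ics-mgmt", "0.0.0.0/0", "192.168.100.1/32", 0, "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", 0, "deny"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("FINDING:", finding)
```

Run against the constructed rule set, the two clean rules (corporate to DMZ on 443, DMZ collector to PLCs on 502) produce nothing, while the legacy corporate-to-ICS rule and the any-source management rule produce four findings between them. The same check can be fed with exported rules from a real firewall by building `Rule` objects from the export.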
Security Network Design and Installation
Maintain Phase
Security countermeasures must be monitored and maintained:
• Evaluate, test and deploy patches prudently
• Monitor system logs
• Plan and prepare incident response plans and drills
Steps to Improve Cyber Security of SCADA Networks
• Identify all connections to SCADA networks.
• Disconnect unnecessary connections.
• Evaluate and strengthen the security of any remaining connections to the SCADA network.
• Harden SCADA networks by removing unnecessary services.
• Don’t rely on proprietary protocols to protect the system.
• Implement security features provided by device and system vendors.
• Establish strong controls over any medium used as a backdoor into the SCADA network.
• Implement internal and external intrusion detection systems and establish 24-hour incident monitoring.
• Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns.
• Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security.
• Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios.
• Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators and users.
• Document network architecture and identify systems that serve critical functions or contain sensitive information requiring additional protection.
• Establish a rigorous, ongoing risk management process.
• Establish a network protection strategy based on the principle of defense-in-depth.
• Clearly identify cyber security requirements.
• Establish effective configuration management processes.
• Conduct routine self-assessments.
• Establish system backups and disaster recovery plans.
• Senior leadership should establish expectations for cyber security performance and hold individuals accountable for their performance.
• Establish policies and train to minimize the likelihood that personnel will disclose information regarding the SCADA system, operations or security controls.
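Two of the steps above, identifying all connections to the SCADA network and running internal intrusion detection with 24-hour monitoring, fit together naturally because SCADA traffic is polled and repetitive (the OT column of the IT/OT comparison lists "polling" as the protocol style). A capture taken during a known-good window yields the inventory of conversations; anything outside that inventory is a new connection to investigate. The following Python monitor is an added example, not part of the HPI briefing: the log format, the addresses, and the ports (502 for Modbus/TCP, 44818 for EtherNet/IP) are constructed assumptions.

```python
"""Baseline-and-alert monitor for connections into a SCADA network.

Added example, not part of the HPI briefing. The log format, addresses and
ports are constructed. Conversations seen during a known-good window form
the connection inventory; any (src, dst, dport) outside it is alerted, with
a higher severity when the source host was never seen talking to the
control network at all.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed log format: "<timestamp> <src> -> <dst>:<dport> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed known-good capture: a DMZ collector (10.20.0.10) and an HMI
# (192.168.100.5) poll two PLCs on 502; an engineering workstation
# (192.168.100.8) reaches one PLC on 44818. Ports are assumed examples.
BASELINE_LOG = """\
2024-03-01T02:00:00 10.20.0.10 -> 192.168.100.21:502 tcp
2024-03-01T02:00:01 10.20.0.10 -> 192.168.100.22:502 tcp
2024-03-01T02:00:02 192.168.100.5 -> 192.168.100.21:502 tcp
2024-03-01T02:00:03 192.168.100.5 -> 192.168.100.22:502 tcp
2024-03-01T02:00:04 192.168.100.8 -> 192.168.100.21:44818 tcp
2024-03-01T02:00:05 10.20.0.10 -> 192.168.100.21:502 tcp
"""

# Constructed live capture: normal polling, plus a corporate host (10.10.5.40)
# reaching a PLC on 3389 twice, and the engineering workstation polling a PLC
# it never talked to during the baseline. One malformed line is included.
LIVE_LOG = """\
2024-03-02T14:10:00 10.20.0.10 -> 192.168.100.21:502 tcp
2024-03-02T14:10:01 192.168.100.5 -> 192.168.100.22:502 tcp
2024-03-02T14:10:02 10.10.5.40 -> 192.168.100.21:3389 tcp
2024-03-02T14:10:03 10.10.5.40 -> 192.168.100.21:3389 tcp
2024-03-02T14:10:04 192.168.100.8 -> 192.168.100.22:502 tcp
sensor restarted: line without a connection record
"""

Conversation = tuple[str, str, int]


def parse(text: str) -> list[Conversation]:
    """Extract (src, dst, dport) tuples; malformed lines are skipped, not fatal."""
    records: list[Conversation] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append((m["src"], m["dst"], int(m["dport"])))
    return records


def build_baseline(records: list[Conversation]) -> set[Conversation]:
    """The connection inventory: every distinct conversation in the good window."""
    return set(records)


def detect(records: list[Conversation], baseline: set[Conversation]) -> list[dict]:
    """Alert once per new conversation, counting repeats; high severity for new hosts."""
    known_sources = {src for src, _, _ in baseline}
    new = Counter(r for r in records if r not in baseline)
    alerts = []
    for (src, dst, dport), count in new.items():
        severity = "high" if src not in known_sources else "medium"
        alerts.append({"src": src, "dst": dst, "dport": dport,
                       "count": count, "severity": severity})
    # High-severity alerts first so the 24-hour desk sees new hosts at the top.
    alerts.sort(key=lambda a: (a["severity"] != "high", a["src"]))
    return alerts


if __name__ == "__main__":
    inventory = build_baseline(parse(BASELINE_LOG))
    print(f"{len(inventory)} known conversations in the baseline")
    for alert in detect(parse(LIVE_LOG), inventory):
        print(f"[{alert['severity'].upper()}] {alert['src']} -> "
              f"{alert['dst']}:{alert['dport']} x{alert['count']}")
```

On the constructed data the baseline holds five distinct conversations, and the live window raises two alerts: a high-severity one for the corporate host that has never touched the control network, and a medium-severity one for the engineering workstation reaching a PLC outside its usual pattern. A real deployment would refresh the baseline through change control rather than by re-capturing, so that an intruder's traffic cannot quietly become "normal".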
THE HPI ADVANTAGE
HPI Security Approach: Prevent, Detect & Recover
Whether you need a full compliance or security solution, or are preparing for an audit or internal control review, HPI’s experience as operators will maximize your return on investment.
Prevention
• People: trained and alert
• Technology: managing systems
• Processes: mitigating risks
Detection & Notification
• Network access monitoring
• Anomaly detection
• Active intrusion monitoring
Recovery & Restoration
• Back-up restoration management
• Annual compliance testing
There IS a starting and end point to get your company optimized to face the threats and reduce the likelihood of interrupting your business:
HPI Cyber Security & Compliance Service Offerings
Assessment and Risk Benchmarking
• Cyber Security: Systems and Network Risk Assessment; Cyber Vulnerability Assessment (NERC CVA); Standards-based Audits
• Compliance: Applicability Assessments; Controls and Policies Reviews; Mock Audits
Mitigation and Design Services
• Cyber Security: Security Architecture; Operations Network Security Upgrade; Remediation and Recovery Plans
• Compliance: Compliance Mitigation Plans; Compliance Filings with Govt Agencies; Overall Compliance Program Design
Implementation and Monitoring
• Cyber Security: Security System Conversion; Hardware and Software Monitoring; System Restoration
• Compliance: Corp Compliance Program Implementation; Install GRC Software and Configure for Monitoring; Compliance-as-a-Service
Defense in Depth Focus Areas
HPI subscribes to the “Defense in Depth” approach of the cyber security professional community.
Defend the computing environment
• End-user environment
• Application security
Defend the network and infrastructure
• Backbone network availability
• Wireless network security
• System interconnections
Defend the enclave boundary
• Network access protection
• Remote access
• Multi-level security
Bridging the ICS Security Specialization Skill Gap
Many organizations substitute Information Technology/Network Specialists for Information Security Specialists.
Most IT/Network personnel possess few of the security skills needed to harden a network. Even fewer have the capability to secure an ICS network.
HPI has cyber security skills in energy industry ICS, the rarest and most sought-after skill set in the industry.
IT Professionals
Cyber security professionals
Control system professionals
Control System Cyber Security Professionals
Independent Architect and Audit Services
Need temporary personnel to fill a missing internal link? We can deploy on short notice to help out. Already have an ICS cyber security team, and just need to “fill the gaps”? HPI has you covered:
• Security designs (physical and cyber)
• Program implementation assessments
• Compliance gap analysis; mock audits and gap closures
• Self-reports and mitigation planning
• System recovery on short notice
Training and Compliance Monitoring Services
TRAINING SOLUTIONS
Most clients have broad compliance and security programs with prescribed goals that often require training to achieve objectives. HPI has teamed with online training delivery systems, and can have your course up and running in weeks.
COMPLIANCE SERVICES
Whether you’re in need of frequent determinations or updates on your compliance status or regulatory due diligence on potential acquisitions, HPI has you covered.
The HPI Differentiator: Why work with us?
HPI designs, builds, operates, controls, maintains and repairs power generation facilities; it’s in our DNA.
Generic security consultants cannot match our comprehensive understanding of how those areas link together and form an aligned approach.
Unlike vendors that sell newfangled technology solutions or pre-packaged systems, HPI customizes security solutions that significantly reduce risk.
Every area of HPI is completely aligned to the cyber security challenge as the key to protecting our clients’ assets.
“HPI customers must be secure so that they can focus on their core business of efficiently producing power to the grid.”
- Hal Pontez, HPI President & CEO
Contact Us
OFFICE: 713.457.7500 CELL: 512.705.7242 EMAIL: [email protected]
https://www.facebook.com/hpillc @hpienergy https://www.linkedin.com/company/hpi-llc/
www.hpienergy.com