2015 Honeywell Users Group
Europe, Middle East and Africa
Continuous Industrial Cyber Risk Mitigation with Managed
Services Monitoring and Alerting
Konstantin Rogalas, Honeywell
3 © 2015 Honeywell International All Rights Reserved
About the Presenter
Konstantin Rogalas MSc, MBA
• Business Lead for Honeywell Industrial Cyber Security - Europe
• 1989 – 1998 in Discrete Automation & Process Control
• 1999 – 2012 in Telecommunications: Broadband, M2M/IoT
• 2013 – Oil & Gas, Energy, Pharmaceuticals & Chemicals industry; certification study for ENISA in Industrial Cyber Security
• 2014 – 2015 ICS Council with policy makers, asset owners and service providers
• Member of the European ICS Stakeholders Group
Agenda
Continuous Monitoring in the Security Profile
Obstacles & Managed Security Pros-Cons
Monitoring & Alerting with Managed Services
Conclusions – Open Discussion
About: Honeywell Industrial Cyber Security
ICS Continuous Monitoring: Making the Case
• Continuous Monitoring ensures Industrial Control System (ICS) reliability
‒ Detection of availability & performance issues to prevent serious degradation
• In the context of Cybersecurity:
‒ Which ICS Cyber Security controls (technical and non-technical) need to be in place for ICS Continuous Monitoring?
‒ Where does ICS Continuous Monitoring belong in the Cyber Security Profile?
• This section:
‒ Introduces the Cyber Security Profile and its underlying principles
‒ Places “Continuous Industrial Cyber Risk Readiness” in the overall Cyber Security Profile context
‒ Proves why Continuous Monitoring is at the heart of detecting Cyber Security anomalies & events, which is vital for response and recovery
‒ Explains why Continuous Monitoring is an essential performance evaluation principle which increases Cyber Security maturity
Typical Security Level
Security Levels and Security Capabilities
C2M2 Maturity Indicator Levels
Cyber Security Profile
Facility types covered by the profile (each assessed against Security Levels SL1–SL4):
1001 Refining process facilities
1102 O&G LNG terminals
1103 O&G processing
1104 O&G production - on-shore
1105 O&G production - off-shore
1108 O&G Marine - LNG IAS
1110 Gas To Liquid
1112 Production - Coal bed M
1114 Pipeline - Liquid
1115 Pipeline - Gas
1201 Pulp
1203 Paper
1204 CWS
1303 Utility power
1401 Fertilizers
1403 Petrochemicals
1404 Plastics and fibers
1405 Specialty chemicals
1406 Biofuels
1501 Alumina
1502 Aluminium
1503 Base materials
1504 Cement
1505 Coal & coal gasification
1506 Iron
1509 Precious metals
1510 Steel making
1508 Other

The target Protection Level is determined by the security design effectiveness (Security Level) and security operations effectiveness (Maturity Level).
The IEC 62443 standard provides the Security Level; the COBIT or C2M2 toolkit provides the Maturity Level.
The Security Profile defines for each facility how to protect and how to organize.

[Figure: Security Profile matrix – Security Level (SL1–SL4) plotted against Maturity Indicator Level (MIL0–MIL3); the 16 cells are numbered 1–16]
Defines the Security Profile
Sustainable security requires a Program
[Figure: roadmap of Security Profile steps (SP 1 to SP 16) laid out quarter by quarter (Q1–Q4) over several years, in four phases:]
1. Increase security level with Monitoring/Alerting (in addition to Anti-Virus, Patching)
2. Increase maturity level with Activity/Trend reporting (associated Policies)
3. Increase security level with SIEM, NGFW, AWL, Risk Manager
4. Increase maturity level with an organized Security Operations Center (SOC)
If you run too fast or jump too high, you might trip
Obstacles to initial self-Monitoring
• Compatibility with DCS
‒ Logging agents stress the control system
• Budget for required utilities
‒ Developing Logging Agents
‒ Servers, Databases, Proxy, etc.
• Personnel required for administration
‒ Initial implementation & testing of components above
‒ Analysis of events to determine what is critical
‒ Investigation of alerts to determine next steps
• Other concerns
‒ Training on new technology
‒ Different expertise per location
Continuous Monitoring Best Practice
Hire a company to monitor your control systems with minimal setup time and for a fraction of the cost, while fulfilling the following:
• Expertise in Control System Cybersecurity
• Methodology that complies with IEC 62443
• Existing set of Passive Agents
• Responding to monitored problems
• Concurrently serving 100s of sites
• Follow-the-sun support model
Voice of Customer
1. For control system performance/availability monitoring, do you have a process and, if yes, which kind?
‒ No monitoring process ____
‒ Manual monitoring process ____
‒ Automated monitoring process ____
2. How satisfied are you with how you currently monitor the security of your control system?
‒ Dissatisfied ____
‒ Needs improvement ____
‒ Satisfied ____
3. Which disadvantages do you see in using Managed Security Services?
‒ Capex/Opex Investment ____
‒ New Internal Processes ____
‒ Corporate IT policy issues ____
Where would your Security Profile be?
Key Events to Monitor
• Network Activity Logs: ACL Rules, Utilization Spikes, Passwords/Strings
• System Audit Logs: Unauthorized Access, Disabling Controls, Configuration Changes
• System Availability/Performance: Application Health, CPU Utilization, Hardware Errors, Overruns
• Administrative Changes: GPO Modifications, Group Additions, Enabling USB Devices
• Software Update Compliance: Aging for Virus Signatures, Security Patches, Software Updates
• Virus Infections
What is Monitored
Performance Analyzers for 550+ Critical Parameters
Performance Monitoring - 1
[Figure: reference architecture – Level 4 Corporate Network with Relay server; Firewall; Level 3.5 DMZ with Service Node; Level 3 with Redundant Servers, PHD, Stations (N nos.: ESVT, EST, US, GUS) and L3 Switch; Level 2 / Level 1 controllers (APM, HPM, CLM on LCN A / LCN B; AM, PM, NG, CG, HG; C300)]

C300
Performance:
- CPU load
- Cycle overruns
- I/O Link bandwidth
- Parameter Rate
- Peer to peer traffic
Availability:
- Controller goes offline
- Failover of redundant controllers

TPS Controllers
Performance:
- CPU load
- TPS Interface Average Data Rate
- TPS Interface Average Notification Rate
- Data Request Rate
- Parameter requests
Availability:
- Controller goes offline
- Failover of redundant controllers

Experion Servers
Performance:
- Data and Notifications Rate for CDA, TPS and DSA
- State of Critical Experion Patches
- FTE Driver Warnings
- Current Experion Patch Status
Availability:
- Synchronization & Redundancy Queue state
- Failure Events Alerts
- Backup Server Failed

Experion Stations
Performance:
- State of critical Experion services
- FTE driver warnings
- Report of current Experion patches installed
Availability:
- Synchronization & Redundancy Queue state
- Failure Events Alerts

ESVT
Performance:
- Data and Notifications Rate for CDA, TPS and DSA
- State of Critical Experion Patches
- FTE Driver Warnings
- Current Experion Patch Status
Availability:
- Synchronization & Redundancy Queue state
- Failure Events Alerts
- Backup Server Failed

EST
Performance:
- Data and Notifications Rate TPS
- Event Rate
- State of Critical Experion Patches
- FTE Driver Warnings
- Current Experion Patch Status
Availability:
- Failure Events Alerts
- Backup Server Failed

US
Performance:
- Parameters per Second
- HEAPFRAG
Availability:
- US availability

GUS
Performance:
- Data and Notifications Rate for CDA, TPS and DSA
- State of Critical Experion Patches
- FTE Driver Warnings
- Current Experion Patch Status
Availability:
- Synchronization & Redundancy Queue state
- Failure Events Alerts
- Backup Server Failed

PHD
Performance:
- Data storage
- Real Time Data (RDI) Interface
Availability:
- Process/System State
- RDI State
- Services
Performance Monitoring - 2
[Figure: same reference architecture as Performance Monitoring - 1 – Level 4 Corporate Network and Relay server; Firewall; Level 3.5 DMZ Service Node; Level 3 Redundant Servers, PHD, Stations (ESVT, EST, US, GUS) and L3 Switches; Level 2 / Level 1 controllers (APM, HPM, CLM on LCN A / LCN B; AM, PM, NG, CG, HG)]

PC Hardware Monitoring
Performance:
- Hard Disk failures
- Predictive Warnings - HDD Failures
- RAID Degradation
- Chassis intrusion
Availability:
- Loss of Redundancy
- Power Supply failure
- Fans, Chassis Intrusion
- Temperature High inside Chassis

Windows Applications
Performance:
- Windows performance monitoring
- Load Percentage
- Free physical memory
- Used Space (%)

Switches (L2 and L3)
Performance:
- Memory Usage
- Input / Output Rates
- Bandwidth Usage
- Input / Output Errors
- Status and configuration of each Interface
Availability:
- Device Availability
- Ping Status
- Response Time

Firewall
Performance:
- Memory Usage
- Input / Output Rates
- Bandwidth Usage
- Input / Output Errors
- Status and configuration of each Interface
Availability:
- Device Availability
- Ping Status
- Response Time
Security Monitoring
[Figure: same reference architecture – Level 4 Corporate Network and Relay server; Firewall; Level 3.5 DMZ Service Node; Level 3 Redundant Servers, PHD, Stations (ESVT, EST, US, GUS) and L3 Switch; Level 2 / Level 1 controllers (APM, HPM, CLM on LCN A / LCN B; AM, PM, NG, CG, HG)]

Windows Security
Performance:
- Invalid login attempts
- Authentication failure
- Account Locked out
- Password expired
- User account expired
- Unauthorized elevated Privileges
- Password policy
- Password complexity/strength policy
- Guest account status

Intrusion Detection
Performance:
- Unauthorized login attempts
- Suspicious packet/traffic
- Ability to recognize patterns typical of attacks
- Analysis of abnormal activity patterns
- Tracking user policy violations

Anti-virus
Performance:
- Anti-virus warning
- Anti-virus error
- Engine policies
Availability:
- Virus scan failure
- Virus signature database update failure

Patch & Update Management
Performance:
- Windows Update Information
- Patch Information
- Audit policy status
- Audit Trail
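The Windows Security items above (invalid login attempts, account lockouts, unauthorized elevated privileges, administrative changes) and the signature-aging item from "Key Events to Monitor" are the kind of conditions a monitoring service turns into alerts. The following is an added example, not code from the presentation or from Honeywell's service: it classifies constructed Windows Security log records by their standard Windows event IDs, fires on a burst of failed logons within a sliding window, flags privilege assignments to accounts outside an assumed authorized-admin list, and reports hosts whose anti-malware signature file is older than an assumed maximum age. Host names, user names, thresholds and timestamps are all constructed.

```python
"""Added example: classify constructed Windows Security log records into the
alert categories the deck lists (invalid logins, lockouts, unauthorized
elevated privileges, administrative changes) and flag stale anti-malware
signatures. Hosts, users, thresholds and timestamps are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard Windows Security log event IDs for the categories of interest.
WINDOWS_EVENTS = {
    4625: "An account failed to log on",
    4740: "A user account was locked out",
    4672: "Special privileges assigned to new logon",
    4728: "A member was added to a security-enabled global group",
    4719: "System audit policy was changed",
}

def parse_time(ts):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def classify_events(records, authorized_admins, failed_threshold=5,
                    window=timedelta(minutes=10)):
    """Return one alert per detected condition, in time order.

    * 4625 is counted per (host, user) in a sliding window; an alert fires
      when failed_threshold failures fall inside the window.
    * 4672 alerts only for accounts outside the authorized admin set.
    * 4740, 4728 and 4719 always alert (lockout / administrative change).
    """
    alerts = []
    failures = defaultdict(deque)          # (host, user) -> failure timestamps
    admins = {a.lower() for a in authorized_admins}
    for rec in sorted(records, key=lambda r: r["time"]):
        eid = rec["event_id"]
        if eid not in WINDOWS_EVENTS:
            continue                        # not a category we alert on
        t = parse_time(rec["time"])
        base = {"time": rec["time"], "host": rec["host"], "user": rec["user"]}
        if eid == 4625:
            q = failures[(rec["host"], rec["user"])]
            q.append(t)
            while q and t - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= failed_threshold:
                alerts.append({**base, "severity": "high",
                               "category": "Invalid login attempts",
                               "detail": f"{len(q)} failed logons within {window}"})
                q.clear()                   # one alert per burst
        elif eid == 4672:
            if rec["user"].lower() not in admins:
                alerts.append({**base, "severity": "high",
                               "category": "Unauthorized elevated privileges",
                               "detail": WINDOWS_EVENTS[eid]})
        elif eid == 4740:
            alerts.append({**base, "severity": "medium",
                           "category": "Account locked out",
                           "detail": WINDOWS_EVENTS[eid]})
        else:                               # 4728, 4719
            alerts.append({**base, "severity": "medium",
                           "category": "Administrative change",
                           "detail": WINDOWS_EVENTS[eid]})
    return alerts

def signature_age_alerts(last_updates, now, max_age_days=7):
    """Flag hosts whose anti-malware signature file is older than max_age_days."""
    stale = []
    for host, ts in last_updates.items():
        age = (now - parse_time(ts)).days
        if age > max_age_days:
            stale.append({"host": host, "age_days": age,
                          "category": "Anti-malware signatures out of date"})
    return sorted(stale, key=lambda a: a["age_days"], reverse=True)

# Constructed sample data (not from any real site).
AUTHORIZED_ADMINS = {"dcsadmin"}
SAMPLE_EVENTS = [
    {"time": "2015-09-01T08:00:05", "host": "ESVT01", "event_id": 4625, "user": "operator1"},
    {"time": "2015-09-01T08:00:40", "host": "ESVT01", "event_id": 4625, "user": "operator1"},
    {"time": "2015-09-01T08:01:15", "host": "ESVT01", "event_id": 4625, "user": "operator1"},
    {"time": "2015-09-01T08:02:00", "host": "ESVT01", "event_id": 4625, "user": "operator1"},
    {"time": "2015-09-01T08:03:30", "host": "ESVT01", "event_id": 4625, "user": "operator1"},
    {"time": "2015-09-01T08:04:10", "host": "ESVT01", "event_id": 4740, "user": "operator1"},
    {"time": "2015-09-01T08:10:00", "host": "EST02", "event_id": 4672, "user": "svc_backup"},
    {"time": "2015-09-01T08:11:00", "host": "EST02", "event_id": 4672, "user": "dcsadmin"},
    {"time": "2015-09-01T08:15:00", "host": "DC01", "event_id": 4728, "user": "dcsadmin"},
    {"time": "2015-09-01T08:16:00", "host": "DC01", "event_id": 4719, "user": "dcsadmin"},
    {"time": "2015-09-01T09:00:00", "host": "GUS03", "event_id": 4625, "user": "operator2"},
]
SAMPLE_SIGNATURE_UPDATES = {
    "ESVT01": "2015-08-31T22:00:00",
    "EST02": "2015-08-20T03:00:00",
    "GUS03": "2015-08-24T03:00:00",
}

if __name__ == "__main__":
    for a in classify_events(SAMPLE_EVENTS, AUTHORIZED_ADMINS):
        print(f'{a["time"]} {a["severity"]:6} {a["host"]:7} {a["category"]}: {a["detail"]}')
    now = parse_time("2015-09-01T09:00:00")
    for s in signature_age_alerts(SAMPLE_SIGNATURE_UPDATES, now):
        print(f'{s["host"]:7} {s["category"]} ({s["age_days"]} days)')
```

The single failed logon on GUS03 produces no alert and the privilege assignment to the authorized dcsadmin account is suppressed, which is the point of device- and site-specific thresholds: the service should page on the burst and the unknown privileged account, not on every event.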
Honeywell Security Service Center (HSSC)
[Figure: map of HSSC locations – Houston, Amsterdam, Bucharest]
Managed Industrial Cyber Security Services
Monitoring, Reporting and Honeywell Expert Support
• Patch and Anti-Virus Automation
‒ Tested and qualified patches for operating systems & DCS software
‒ Tested and qualified anti-malware signature file updates
• Security and Performance Monitoring
‒ Comprehensive system health & cybersecurity monitoring
‒ 24x7 alerting against predefined thresholds
• Activity and Trend Reporting
‒ Monthly or quarterly compliance & performance reports
‒ Identifying critical issues and chronic problem areas
• Advanced Monitoring and Co-Management
‒ Honeywell Industrial Cyber Security Risk Manager
‒ Firewalls, Intrusion Prevention Systems, etc.
• Secure Access
‒ Highly secure remote access solution
‒ Encrypted, two factor authentication
‒ Complete auditing: reporting & video playback
Security and Performance Monitoring
• Continuous Monitoring
‒ Agentless monitoring solution for system, network and security performance and health
‒ Tested to ensure no impact on systems
‒ Automated monitoring of critical ICS, network, Windows™ and security parameters
‒ Intelligent analysis based on Honeywell engineering & expertise
• Alerts / Situational Awareness
‒ 24/7 automated, proactive alerting for all monitored devices
‒ Equipment and device specific thresholds
‒ Managed Security Service Center automatically generates an alert email or SMS text to site specified contact
‒ Alert messages may include attached troubleshooting techniques
Activity and Trend Reporting
• Trend Analysis Complements Alerts
‒ Ability to catch degrading conditions
‒ Captures & reports frequency of intermittent issues
• Critical Parameter Reports
‒ Actionable reports of critical system & network information plus security issues
‒ Out-of-date installation status for Anti-Malware signatures & Windows™ patches
‒ Inventory of all detected networked equipment
‒ Key source of data for compliance documentation
• Bi-Annual and/or Quarterly Reports
‒ Comprehensive, detailed reports including long term trends, plus expert analysis
• Audit
‒ Audit capability including access to session recordings
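The two slides above describe the two halves of the service: threshold alerting with equipment-specific limits, and trend reporting that catches degrading conditions and counts intermittent issues that a single alert would not reveal. The following is an added example, not code from the presentation or from Honeywell's Managed Security Service Center: it evaluates constructed hourly samples against assumed per-device-type limits, then builds a period report that counts threshold excursions per device/metric and fits a least-squares slope to flag a metric that is drifting toward its limit. Device names (CTRL01, ESVT01), metric names, limits and values are constructed and not Honeywell's.

```python
"""Added example: threshold alerting with device-type-specific limits plus a
trend report that counts threshold excursions (intermittent issues) and fits
a least-squares slope to catch degrading conditions. Device names, metric
names, limits and sample values are constructed, not Honeywell's."""
from collections import defaultdict
from datetime import datetime

# Constructed per-device-type limits; a sample alerts when value > limit.
THRESHOLDS = {
    "C300": {"cpu_load_pct": 80.0, "cycle_overruns": 0},
    "ESVT": {"cpu_load_pct": 90.0, "redundancy_queue": 100},
    "L3SW": {"interface_errors": 0},
}

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def threshold_alerts(samples, thresholds):
    """One alert per sample that exceeds the limit for its device type/metric."""
    alerts = []
    for s in samples:
        limit = thresholds.get(s["type"], {}).get(s["metric"])
        if limit is not None and s["value"] > limit:
            alerts.append({"time": s["time"], "device": s["device"],
                           "metric": s["metric"], "value": s["value"], "limit": limit})
    return alerts

def linear_slope(points):
    """Least-squares slope of y over x for [(x, y), ...]; 0.0 if undefined."""
    n = len(points)
    if n < 2:
        return 0.0
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points)
    if sxx == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in points) / sxx

def trend_report(samples, thresholds, min_excursions=3, degrading_per_hour=2.0):
    """Summarise each device/metric series over the whole reporting period.

    'intermittent': at least min_excursions samples crossed the limit.
    'degrading'   : the fitted slope rises by >= degrading_per_hour units/hour,
                    which catches a drift toward the limit before it is crossed.
    """
    series = defaultdict(list)
    t0 = min(parse_time(s["time"]) for s in samples)
    for s in samples:
        hours = (parse_time(s["time"]) - t0).total_seconds() / 3600.0
        series[(s["device"], s["type"], s["metric"])].append((hours, s["value"]))
    report = []
    for (device, dtype, metric), pts in sorted(series.items()):
        pts.sort()
        limit = thresholds.get(dtype, {}).get(metric)
        excursions = sum(1 for _, v in pts if limit is not None and v > limit)
        slope = linear_slope(pts)
        flags = []
        if excursions >= min_excursions:
            flags.append("intermittent")
        if slope >= degrading_per_hour:
            flags.append("degrading")
        report.append({"device": device, "metric": metric, "samples": len(pts),
                       "excursions": excursions, "slope_per_hour": round(slope, 3),
                       "flags": flags})
    return report

# Constructed hourly samples over one shift (not real plant data).
_HOURS = [f"2015-09-01T{h:02d}:00:00" for h in range(8)]
SAMPLES = (
    # Controller CPU climbing steadily: crosses 80 % only in the last two hours.
    [{"time": t, "device": "CTRL01", "type": "C300", "metric": "cpu_load_pct", "value": v}
     for t, v in zip(_HOURS, [60, 63, 67, 70, 74, 77, 81, 85])]
    # Server redundancy queue spiking intermittently above 100.
    + [{"time": t, "device": "ESVT01", "type": "ESVT", "metric": "redundancy_queue", "value": v}
       for t, v in zip(_HOURS, [20, 150, 30, 25, 160, 22, 140, 18])]
)

if __name__ == "__main__":
    for a in threshold_alerts(SAMPLES, THRESHOLDS):
        print(f'{a["time"]} {a["device"]} {a["metric"]}={a["value"]} > {a["limit"]}')
    for r in trend_report(SAMPLES, THRESHOLDS):
        print(f'{r["device"]} {r["metric"]}: {r["excursions"]} excursions, '
              f'slope {r["slope_per_hour"]}/h {r["flags"]}')
```

The controller CPU series produces only two alerts, both late in the shift, but its slope marks it as degrading hours earlier; the redundancy queue has no trend but three excursions, so it is reported as intermittent. Neither finding is visible from the individual alerts alone, which is why the deck pairs alerting with periodic trend reports.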
Managed Industrial Cyber Security Services
[Figure: site architecture across Level 4, Level 3.5, Level 3, Level 2 and Level 1, showing Corporate Proxy Server, Relay Node, Service Node, Domain Controllers, eServer, Terminal Server, EST/ESF, 3rd Party Historian, Database Servers, Application Servers, Communication Server, Experion Servers and ACE; arrows between Industrial Site, Internet and Security Service Center labelled "Get updates", "Send data" and "Collect monitoring data"]
• Services delivered over the link: Anti malware, Patch Management, Monitoring, Secure access
• SSL Encrypted communication
• Connects to Honeywell Security Service Center ONLY!
• Isolates ICS/PCN
• Restricts unauthorized ICS/PCN nodes from sending or receiving data
• Ensures no direct communication between L3 and L4
EMEA Managed Security Service Center
[Figure: map of EMEA sites served – Portugal, Germany, Norway, Zambia, South Africa, North Sea, France, Sweden, Belgium, Italy, Romania, Cameroun, Tunisia, Kuwait, Slovakia, Namibia, Abu Dhabi, Saudi Arabia, Egypt, Finland, Poland, Estonia, Spain, Austria, United Kingdom, Switzerland, Oman]
Sites: 203
Protection Management: 147
Monitoring: 112
SSC EMEA support Locations (SSC and support teams):
• Amsterdam – The Netherlands
• Bucharest – Romania
Cyber Security Profile
[Figure: Security Profile matrix – Security Level (SL1–SL4) plotted against Maturity Indicator Level (MIL0–MIL3); cells numbered 1–16]
Manageability Requires a S.M.A.R.T. and Holistic Approach
Security Solutions
[Figure: the same Security Profile matrix (SL1–SL4 against MIL0–MIL3, cells 1–16) with the security solutions, including the SOC, placed on it]
Manageability Requires a S.M.A.R.T. and Holistic Approach
Industry-Leading Industrial Cyber Security
Proven Industrial Cyber Security Solution Provider
Industrial Cyber Security Experts
• Global team of certified Industrial Cyber Security experts
• 100% dedicated to Industrial Cyber Security
• Experts in process control cyber security
• Leaders in security standards ISA99 / IEC62443 / NIST
Proven Experience
• 10+ years industrial cyber security
• 1,000+ successful industrial cyber projects
• 300+ managed industrial cyber security sites
• Proprietary cyber security methodologies and tools
Investment and Innovation
• Largest R&D investment in industrial cyber security
• Partnerships with leading cyber security vendors
• Industry first Risk Manager
• First to obtain ISASecure security for ICS product
• State of art Industrial Cyber Security Solutions Lab
Industries: Minerals, Metals & Mining; Refining & Petrochemical; Chemicals; Power Generation; Pulp & Paper; Oil & Gas
This is what we do:
Open Discussion
Leading Cyber Security Organization for ICS
Honeywell ICS
Industries served:
• Oil & gas
• Gas distribution
• Power
• Refineries
• Chemical
• Water treatment
• Pulp & paper
• Maritime
[Figure: world map of Honeywell Industrial Cyber Security locations – Amsterdam, Atlanta, Houston, Edmonton, Santiago, Perth, Kuala Lumpur, Dubai, Vancouver, Montreal, Bracknell, Aberdeen, Bucharest, Offenbach; legend: SSC + HICS, HICS Office, Private LSS, SSC, HICS Resource(s)]
Global setup to serve global organizations as well as local asset owners
Honeywell’s Industrial Cyber Security Lab
Flexible model of a complete process control network up to the corporate network
• Honeywell Cyber Security solutions development and test bed
• Demonstration lab for customers
‒ Cyber security related academic programs
‒ Hands-on training
‒ Simulate cyber attacks
‒ Demonstrate Honeywell cyber security solutions
Typical systems H-ICS have secured
• Distributed Control Systems
‒ E.g. Chemical, Petrochemical, Refining, Offshore platforms
• Leak Detection Systems, Machine Monitoring Systems, Metering Systems, Compressor Control Systems
• Supervisory Control and Data Acquisition (SCADA) systems
‒ E.g. Gas Distribution, Power utilities, Pipelines, oil fields
• Distributed Energy Systems
‒ E.g. Wind turbines, hydropower
• Maritime systems
‒ E.g. Harbor systems, shipping
Driven by Standards and Regulations
• IEC 62443 (Formerly ISA 99)
‒ Industrial Automation Control Systems (IACS) Security
‒ Global standard for wide range of industry
‒ Honeywell ICS is active contributor to the development of the standard through ISA
• NERC CIP
‒ North American Power
• ANSSI, BSI, CPNI, MSB, etc.
‒ European guidelines, best practices and country-specific measures
• JRC & ENISA recommendations
‒ European Union
• NIST
‒ US technology standards (SP 800-82)
• And others: ISO, API, OLF
‒ E.g. ISO 27000, API 1164, OLF 104
• Local regulations
Honeywell ICS Specialists Background
• Unique combination of long time experience in process control, networks and cyber security
• Gain knowledge, demonstrate knowledge, and maintain knowledge
‒ CISSP, CISM, CEH, CRISC
‒ CCNA, CCNP, CCIE, CCSP
‒ MCSE, MCSA, VCP
• Specialists with many backgrounds
‒ Honeywell, Yokogawa, Emerson, Schneider, ABB
‒ Penetration testing, IT departments, Telecom providers
‒ 14+ Languages
WWW.BECYBERSECURE.COM