2015 Honeywell Users Group Europe, Middle East and Africa

Page 1: Continuous Industrial Cyber Risk Mitigation with Managed Services Monitoring and Alerting

Konstantin Rogalas, Honeywell

Page 2: About the Presenter

© 2015 Honeywell International All Rights Reserved

Konstantin Rogalas MSc, MBA

• Business Lead for Honeywell Industrial Cyber Security - Europe
• 1989 – 1998 in Discrete Automation & Process Control
• 1999 – 2012 in Telecommunications: Broadband-M2M/IoT
• 2013 – Oil & Gas, Energy, Pharmaceuticals & Chemicals industry; Certification study for ENISA in Industrial Cyber Security
• 2014 – 2015 ICS Council with policy makers, asset owners and service providers
• Member of the European ICS Stakeholders Group

[email protected]

Page 3: Agenda

Continuous Monitoring in the Security Profile
Obstacles & Managed Security Pros-Cons
Monitoring & Alerting with Managed Services
Conclusions – Open Discussion
About: Honeywell Industrial Cyber Security

Page 4: ICS Continuous Monitoring: Making the Case

• Continuous Monitoring ensures Industrial Control System (ICS) reliability
  ‒ Detection of availability & performance issues to prevent serious degradation
• In the context of Cybersecurity:
  ‒ Which ICS Cyber Security controls (technical and non-technical) need to be in place for ICS Continuous Monitoring?
  ‒ Where does ICS Continuous Monitoring belong in the Cyber Security Profile?
• This section:
  ‒ Introduces the Cyber Security Profile and its underlying principles
  ‒ Places “Continuous Industrial Cyber Risk Readiness” in the overall Cyber Security Profile context
  ‒ Proves why Continuous Monitoring is at the heart of detecting Cyber Security anomalies & events, which is vital to respond and recover
  ‒ Explains why Continuous Monitoring is an essential performance evaluation principle which increases Cyber Security maturity

Page 5: Typical Security Level (figure only)

Page 6: Security Levels and Security Capabilities (figure only)

Page 7: C2M2 Maturity Indicator Levels (figure only)

Page 8: Cyber Security Profile

Facility types (the figure marks a target Security Level SL1–SL4 for each; the markings are not recoverable from the text):

1001 Refining process facilities | 1401 Fertilizers
1102 O&G LNG terminals | 1403 Petrochemicals
1103 O&G processing | 1404 Plastics and fibers
1104 O&G production - on-shore | 1405 Specialty chemicals
1105 O&G production - off-shore | 1406 Biofuels
1108 O&G Marine - LNG IAS | 1501 Alumina
1110 Gas To Liquid | 1502 Aluminium
1112 Production - Coal bed M | 1503 Base materials
1114 Pipeline - Liquid | 1504 Cement
1115 Pipeline - Gas | 1505 Coal & coal gasification
1201 Pulp | 1506 Iron
1203 Paper | 1509 Precious metals
1204 CWS | 1510 Steel making
1303 Utility power | 1508 Other

The target Protection Level is determined by the security design effectiveness (Security Level) and security operations effectiveness (Maturity Level).

IEC 62443 standard provides the Security Level; Cobit or C2M2 toolkit provides the Maturity Level.

The Security Profile defines for each facility how to protect and how to organize.

Security Profile grid (Security Level vs. Maturity Indicator Level, cells numbered 1–16):

      MIL0  MIL1  MIL2  MIL3
SL4     13    14    15    16
SL3      9    10    11    12
SL2      5     6     7     8
SL1      1     2     3     4

Defines the Security Profile

Page 9: Sustainable security requires a Program

Roadmap chart (figure): Security Profile cells (SP 1, SP 2, SP 5, SP 6, SP 7, SP 10, SP 11, SP 12, SP 15, SP 16) plotted on a quarterly timeline (Q1–Q4 over several years). The annotations on the chart read:

• Increase security level with Monitoring/Alerting (in addition to Anti-Virus, Patching)
• Increase maturity level with Activity/Trend reporting (associated Policies)
• Increase security level with SIEM, NGFW, AWL, Risk Manager
• Increase maturity level with an organized Security Operations Center (SOC)

If you run too fast or jump too high, you might trip

Page 10: Agenda

Page 11: Obstacles to initial self-Monitoring

• Compatibility with DCS
  - Logging agents stress the control system
• Budget for required utilities
  - Developing Logging Agents
  - Servers, Databases, Proxy, etc.
• Personnel required for administration
  - Initial implementation & testing of components above
  - Analysis of events to determine what is critical
  - Investigation of alerts to determine next steps
• Other concerns
  - Training on new technology
  - Different expertise per location

Page 12: Continuous Monitoring Best Practice

Hire a company to monitor your control systems with minimal setup time and for a fraction of the cost, while fulfilling the following:

• Expertise in Control System Cybersecurity
• Methodology that complies with IEC 62443
• Existing set of Passive Agents
• Responding to monitored problems
• Concurrently serving 100s of sites
• Follow-the-sun support model

Page 13: Voice of Customer

1. For control system performance/availability monitoring, do you have a process and, if yes, which kind?
   No monitoring process ____
   Manual monitoring process ____
   Automated monitoring process ____

2. How satisfied are you with how you currently monitor the security of your control system?
   Dissatisfied ____
   Needs improvement ____
   Satisfied ____

3. Which disadvantages do you see in using Managed Security Services?
   Capex/Opex Investment ____
   New Internal Processes ____
   Corporate IT policy issues ____

Page 14: Where would your Security Profile be? (figure only)

Page 15: Agenda

Page 16: Key Events to Monitor

• Network Activity Logs: ACL Rules, Utilization Spikes, Passwords/Strings
• System Audit Logs: Unauthorized Access, Disabling Controls, Configuration Changes
• System Availability/Performance: Application Health, CPU Utilization, Hardware Errors, Overruns
• Administrative Changes: GPO Modifications, Group Additions, Enabling USB Devices
• Software Update Compliance: Aging for Virus Signatures, Security Patches, Software Updates
• Virus Infections

Page 17: What is Monitored

Performance Analyzers for 550+ Critical Parameters (figure)

Page 18: Performance Monitoring - 1

Network diagram (figure), labelled from top to bottom: Corporate Network (Level 4), Relay server, Firewall, DMZ with Service Node (Level 3.5), Level 3, Level 2, Level 1. Node labels on the diagram: L3 Switch; Redundant Servers; PHD; Stations (N nos.): ESVT, EST, US, GUS; C300; APM, HPM, CLM; LCN A, LCN B; AM, PM, NG, CG, HG.

Monitored parameters per component:

C300
Performance
- CPU load
- Cycle overruns
- I/O Link bandwidth
- Parameter Rate
- Peer to peer traffic
Availability
- Controller goes offline
- Failover of redundant controllers

TPS Controllers
Performance
- CPU load
- TPS Interface Average Data Rate
- TPS Interface Average Notification Rate
- Data Request Rate
- Parameter requests
Availability
- Controller goes offline
- Failover of redundant controllers

Experion Servers
Performance
- Data and Notifications Rate for CDA, TPS and DSA
- State of Critical Experion Patches
- FTE Driver Warnings
- Current Experion Patch Status
Availability
- Synchronization & Redundancy Queue state
- Failure Events Alerts
- Backup Server Failed

Experion Stations
Performance
- State of critical Experion services
- FTE driver warnings
- Report of current Experion patches installed
Availability
- Synchronization & Redundancy Queue state
- Failure Events Alerts

ESVT
Performance
- Data and Notifications Rate for CDA, TPS and DSA
- State of Critical Experion Patches
- FTE Driver Warnings
- Current Experion Patch Status
Availability
- Synchronization & Redundancy Queue state
- Failure Events Alerts
- Backup Server Failed

EST
Performance
- Data and Notifications Rate
- TPS Event Rate
- State of Critical Experion Patches
- FTE Driver Warnings
- Current Experion Patch Status
Availability
- Failure Events Alerts
- Backup Server Failed

US
Performance
- Parameters per Second
- HEAPFRAG
Availability
- US availability

GUS
Performance
- Data and Notifications Rate for CDA, TPS and DSA
- State of Critical Experion Patches
- FTE Driver Warnings
- Current Experion Patch Status
Availability
- Synchronization & Redundancy Queue state
- Failure Events Alerts
- Backup Server Failed

PHD
Performance
- Data storage
- Real Time Data Interface (RDI)
Availability
- Process/System State
- RDI State
- Services

Page 19: Performance Monitoring - 2

Network diagram (figure), same layout as Page 18: Corporate Network (Level 4), Relay server, Firewall, DMZ with Service Node (Level 3.5), Level 3, Level 2, Level 1; node labels: L3 Switch, Firewall, Redundant Servers, PHD, Stations (N nos.): ESVT, EST, US, GUS; APM, HPM, CLM; LCN A, LCN B; AM, PM, NG, CG, HG.

Monitored parameters per component:

PC Hardware Monitoring
Performance
- Hard Disk failures
- Predictive Warnings - HDD Failures
- RAID Degradation
- Chassis intrusion
Availability
- Loss of Redundancy
- Power Supply failure
- Fans, Chassis Intrusion
- Temperature High inside Chassis

Windows Applications
Performance
- Windows performance monitoring
- Load Percentage
- Free physical memory
- Used Space (%)

Switches (L2 and L3)
Performance
- Memory Usage
- Input / Output Rates
- Bandwidth Usage
- Input / Output Errors
- Status and configuration of each Interface
Availability
- Device Availability
- Ping Status
- Response Time

Firewall
Performance
- Memory Usage
- Input / Output Rates
- Bandwidth Usage
- Input / Output Errors
- Status and configuration of each Interface
Availability
- Device Availability
- Ping Status
- Response Time

Page 20: Security Monitoring

Network diagram (figure), same layout as Page 18: Corporate Network (Level 4), Relay server, Firewall, DMZ with Service Node (Level 3.5), Level 3, Level 2, Level 1; node labels: L3 Switch, Redundant Servers, PHD, Stations (N nos.): ESVT, EST, US, GUS; APM, HPM, CLM; LCN A, LCN B; AM, PM, NG, CG, HG.

Monitored security parameters per area:

Windows Security
Performance
- Invalid login attempts
- Authentication failure
- Account Locked out
- Password expired
- User account expired
- Unauthorized elevated Privileges
- Password policy
- Password complexity/strength policy
- Guest account status

Intrusion Detection
Performance
- Unauthorized login attempts
- Suspicious packet/traffic
- Ability to recognize patterns typical of attacks
- Analysis of abnormal activity patterns
- Tracking user policy violations

Anti-virus
Performance
- Anti-virus warning
- Anti-virus error
- Engine policies
Availability
- Virus scan failure
- Virus signature database update failure

Patch & Update Management
Performance
- Windows Update Information
- Patch Information

Audit Trail
- Audit policy status

Page 21: Honeywell Security Service Center (HSSC)

Map (figure) with service center locations: Amsterdam, Bucharest, Houston

Page 22: Managed Industrial Cyber Security Services

Monitoring, Reporting and Honeywell Expert Support

• Patch and Anti-Virus Automation
  - Tested and qualified patches for operating systems & DCS software
  - Tested and qualified anti-malware signature file updates
• Security and Performance Monitoring
  - Comprehensive system health & cybersecurity monitoring
  - 24x7 alerting against predefined thresholds
• Activity and Trend Reporting
  - Monthly or quarterly compliance & performance reports
  - Identifying critical issues and chronic problem areas
• Advanced Monitoring and Co-Management
  - Honeywell Industrial Cyber Security Risk Manager
  - Firewalls, Intrusion Prevention Systems, etc.
• Secure Access
  - Highly secure remote access solution
  - Encrypted, two factor authentication
  - Complete auditing: reporting & video playback

Page 23: Security and Performance Monitoring

• Continuous Monitoring
  - Agentless monitoring solution for system, network and security performance and health
  - Tested to ensure no impact on systems
  - Automated monitoring of critical ICS, network, Windows™ and security parameters
  - Intelligent analysis based on Honeywell engineering & expertise
• Alerts / Situational Awareness
  - 24/7 automated, proactive alerting for all monitored devices
  - Equipment and device specific thresholds
  - Managed Security Service Center automatically generates an alert email or SMS text to site specified contact
  - Alert messages may include attached troubleshooting techniques

Page 24: Activity and Trend Reporting

• Trend Analysis Complements Alerts
  - Ability to catch degrading conditions
  - Captures & reports frequency of intermittent issues
• Critical Parameter Reports
  - Actionable reports of critical system & network information plus security issues
  - Out-of-date installation status for Anti-Malware signatures & Windows™ patches
  - Inventory of all detected networked equipment
  - Key source of data for compliance documentation
• Bi-Annual and/or Quarterly Reports
  - Comprehensive, detailed reports including long term trends, plus expert analysis
• Audit
  - Audit capability including access to session recordings
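As an added example (not Honeywell's code and not the tooling these slides describe), the device-specific threshold alerting of the "Security and Performance Monitoring" slide combined with the intermittent-issue frequency count of the "Activity and Trend Reporting" slide, in Python over constructed readings. The device classes, limit values, node names and timestamps are all assumptions made for illustration; the parameter names follow the "Performance Monitoring" and "Security Monitoring" slides.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Per-device-class limits. Constructed illustration values: the slides only say
# thresholds are predefined and equipment specific, they do not publish numbers.
THRESHOLDS = {
    "C300":            {"cpu_load_pct": 70, "cycle_overruns": 0},
    "TPS_CONTROLLER":  {"cpu_load_pct": 60},
    "EXPERION_SERVER": {"cpu_load_pct": 80, "patch_age_days": 90,
                        "av_signature_age_days": 14},
    "STATION":         {"failed_logins": 5, "av_signature_age_days": 14},
}

@dataclass(frozen=True)
class Sample:
    device: str        # node name as it appears in the inventory
    device_class: str  # key into THRESHOLDS
    metric: str        # monitored parameter
    value: float       # reading: count, percent or age in days
    ts: datetime       # collection time

@dataclass(frozen=True)
class Alert:
    device: str
    metric: str
    value: float
    limit: float
    ts: datetime

def age_days(last_update: datetime, now: datetime) -> float:
    """Turn a 'last updated' timestamp (patch, signature file) into an age in days."""
    return (now - last_update).total_seconds() / 86400.0

def evaluate(samples, thresholds=THRESHOLDS):
    """One Alert per sample that exceeds the limit for its device class. A metric
    with no limit for that class is ignored: nothing pages until a threshold is set."""
    alerts = []
    for s in samples:
        limit = thresholds.get(s.device_class, {}).get(s.metric)
        if limit is not None and s.value > limit:
            alerts.append(Alert(s.device, s.metric, s.value, limit, s.ts))
    return alerts

def intermittent_report(alerts):
    """Trend view: how often each (device, metric) pair alerted in the period, so
    short breaches that clear before anyone looks at a console still show up."""
    return Counter((a.device, a.metric) for a in alerts)

def format_alert(a: Alert) -> str:
    """Text body for the e-mail/SMS notification to the site contact."""
    return f"{a.ts:%Y-%m-%d %H:%M} {a.device}: {a.metric}={a.value:g} exceeds limit {a.limit:g}"

# Constructed sample readings for one collection window (not real site data).
NOW = datetime(2015, 6, 1, 12, 0)
PATCH_INSTALLED = datetime(2015, 2, 1)   # 120.5 days before NOW: out of compliance
AV_UPDATED = datetime(2015, 5, 25)       # 7.5 days before NOW: still within limit
SAMPLES = [
    Sample("C300-01", "C300", "cpu_load_pct", 45, datetime(2015, 6, 1, 11, 0)),
    Sample("C300-01", "C300", "cycle_overruns", 2, datetime(2015, 6, 1, 11, 5)),
    Sample("C300-01", "C300", "cycle_overruns", 1, datetime(2015, 6, 1, 11, 35)),
    Sample("TPS-A", "TPS_CONTROLLER", "cpu_load_pct", 65, datetime(2015, 6, 1, 11, 10)),
    Sample("EXP-SRV-A", "EXPERION_SERVER", "patch_age_days", age_days(PATCH_INSTALLED, NOW), NOW),
    Sample("EXP-SRV-A", "EXPERION_SERVER", "av_signature_age_days", age_days(AV_UPDATED, NOW), NOW),
    Sample("STN-03", "STATION", "failed_logins", 8, datetime(2015, 6, 1, 11, 50)),
    Sample("STN-03", "STATION", "hardware_errors", 1, NOW),  # no limit defined: ignored
]

if __name__ == "__main__":
    found = evaluate(SAMPLES)
    for a in found:
        print(format_alert(a))
    print(dict(intermittent_report(found)))
```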

Page 25: Managed Industrial Cyber Security Services

Architecture diagram (figure) spanning Industrial Site, Internet and Security Service Center. Node labels on the site side (Levels 4, 3.5, 3, 2 and 1): Corporate Proxy Server; Relay Node; Service Node; Domain Controller; eServer/Terminal Server; EST/ESF; 3rd Party Historian; Experion Servers; ACE; Database Servers; Application Servers; Communication Server. Service legend: Anti malware, Patch Management, Monitoring, Secure access. Arrow labels: Get updates; Send data; Collect monitoring data.

Properties of the connection:

• SSL Encrypted communication
• Connects to Honeywell Security Service Center ONLY!
• Isolates ICS/PCN
• Restricts unauthorized ICS/PCN nodes from sending or receiving data
• Ensures no direct communication between L3 and L4

Page 26: EMEA Managed Security Service Center

Map (figure) of served countries and regions: Portugal, Germany, Norway, Zambia, South Africa, North Sea, France, Sweden, Belgium, Italy, Romania, Cameroon, Tunisia, Kuwait, Slovakia, Namibia, Abu Dhabi, Saudi Arabia, Egypt, Finland, Poland, Estonia, Spain, Austria, United Kingdom, Switzerland, Oman

Sites: 203
Protection Management: 147
Monitoring: 112

SSC EMEA support locations:
• Amsterdam – The Netherlands (SSC and support team)
• Bucharest – Romania (SSC support team)

Page 27: Agenda

Page 28: Cyber Security Profile

Security Profile grid (Security Level vs. Maturity Indicator Level, cells numbered 1–16):

      MIL0  MIL1  MIL2  MIL3
SL4     13    14    15    16
SL3      9    10    11    12
SL2      5     6     7     8
SL1      1     2     3     4

Manageability Requires a S.M.A.R.T. and Holistic Approach

Page 29: Security Solutions

Same Security Profile grid (SL1–SL4 vs. MIL0–MIL3, cells 1–16) with security solutions placed on it (figure); the SOC is marked in the high-maturity region.

      MIL0  MIL1  MIL2  MIL3
SL4     13    14    15    16
SL3      9    10    11    12
SL2      5     6     7     8
SL1      1     2     3     4

Manageability Requires a S.M.A.R.T. and Holistic Approach

Page 30: Industry-Leading Industrial Cyber Security

Proven Industrial Cyber Security Solution Provider

Industrial Cyber Security Experts
• Global team of certified Industrial Cyber Security experts
• 100% dedicated to Industrial Cyber Security
• Experts in process control cyber security
• Leaders in security standards ISA99 / IEC62443 / NIST

Proven Experience
• 10+ years industrial cyber security
• 1,000+ successful industrial cyber projects
• 300+ managed industrial cyber security sites
• Proprietary cyber security methodologies and tools

Investment and Innovation
• Largest R&D investment in industrial cyber security
• Partnerships with leading cyber security vendors
• Industry first Risk Manager
• First to obtain ISASecure security for ICS product
• State of art Industrial Cyber Security Solutions Lab

Industries: Minerals, Metals & Mining; Refining & Petrochemical; Chemicals; Power Generation; Pulp & Paper; Oil & Gas

Page 31: This is what we do: Open Discussion

Page 32: Agenda

Page 33: Leading Cyber Security Organization for ICS (figure only)

Page 34: Honeywell ICS

Industries served:
• Oil & gas
• Gas distribution
• Power
• Refineries
• Chemical
• Water treatment
• Pulp & paper
• Maritime

World map (figure) with locations: Amsterdam, Atlanta, Houston, Edmonton, Santiago, Perth, Kuala Lumpur, Dubai, Vancouver, Montreal, Bracknell, Aberdeen, Bucharest, Offenbach. Legend: SSC + HICS; HICS Office; Private LSS; SSC; HICS Resource(s).

Global setup to serve global organizations as well as local asset owners

Page 35: Honeywell’s Industrial Cyber Security Lab

Flexible model of a complete process control network up to the corporate network

• Honeywell Cyber Security solutions development and test bed
• Demonstration lab for customers
  ‒ Cyber security related academic programs
  ‒ Hands-on training
  ‒ Simulate cyber attacks
  ‒ Demonstrate Honeywell cyber security solutions

Page 36: Typical systems H-ICS have secured

• Distributed Control Systems
  ‒ E.g. Chemical, Petrochemical, Refining, Offshore platforms
• Leak Detection Systems, Machine Monitoring Systems, Metering Systems, Compressor Control Systems
• Supervisory Control and Data Acquisition (SCADA) systems
  ‒ E.g. Gas Distribution, Power utilities, Pipelines, oil fields
• Distributed Energy Systems
  ‒ E.g. Wind turbines, hydropower
• Maritime systems
  ‒ E.g. Harbor systems, shipping

Page 37: Driven by Standards and Regulations

• IEC 62443 (Formerly ISA 99)
  - Industrial Automation Control Systems (IACS) Security
  - Global standard for wide range of industry
  - Honeywell ICS is active contributor to the development of the standard through ISA
• NERC CIP
  - North American Power
• ANSSI, BSI, CPNI, MSB, etc.
  - European guidelines, best practices and country-specific measures
• JRC & ENISA recommendations
  - European Union
• NIST
  - US technology standards (SP 800-82)
• And others: ISO, API, OLF
  - E.g. ISO 27000, API 1164, OLF 104
• Local regulations

Page 38: Honeywell ICS Specialists Background

• Unique combination of long time experience in process control, networks and cyber security
• Gain knowledge, demonstrate knowledge, and maintain knowledge
  - Security: CISSP, CISM, CEH, CRISC
  - Networking: CCNA, CCNP, CCIE, CCSP
  - Systems: MCSE, MCSA, VCP
• Specialists with many backgrounds
  - Vendors: Honeywell, Yokogawa, Emerson, Schneider, ABB
  - Penetration testing, IT departments, Telecom providers
  - 14+ Languages

Page 39: WWW.BECYBERSECURE.COM