Cyber Security in the Energy & Utilities Industry
Posted on 19-Oct-2014
DESCRIPTION
In September 2011, Prolifics & IBM hosted a speaking session at a Cyber Security Summit in California. The presentation focused on the importance of Identity and Access Management in the Energy & Utilities industry as well as today's critical regulatory requirements.
TRANSCRIPT
Holistic Enterprise Security Solution
Speaker: Alex Ivkin
Agenda
1. The "Blind Slide": the insider threat. Identity controls and data loss protection
2. Application protection
3. New threat vectors: virtualization and distributed assets
4. Experiences from the field
NERC CIP 2011 Violations & Fines
• Since January 2011, a significant increase in CIP fines
• Largest numbers for Security Awareness and Testing
Source: http://www.nerc.com/filez/enforcement
Introduction
• Personal ID (personal accountability): traditional identity management has always focused on these IDs. Well covered and controlled; commoditized.
• Service ID (corporate accountability): shared administrative IDs used by programs, services, databases, scripting, testing, load testing, auditing, troubleshooting, you name it. Usually dismissed as "too hard to deal with" or "will be the next step".
• Other: shared group IDs, IDs in transition, template IDs, Exchange mailboxes.
Service IDs
Service IDs are everywhere. Different systems have different exposure via their service IDs.
Identity & Access Management
The plan:
• Single sign-on and management of web access and passwords
• User provisioning / deprovisioning and full role management
• The 3 Rs: reconciliation, recertification and reporting
• Security log management and reporting
• A holistic way of addressing corporate identities and access controls
• Identity lifecycle support and review
• Access provisioning, deprovisioning, certification
• Policy enforcement: passwords, access patterns, expiration
• RBAC
The reality the plan has to match:
• IdM for FERC/NERC CIP applications: energy management systems, energy network components, physical access control services, customer information systems, work management system, plant maintenance systems, tower gateway base stations for the smart meter infrastructure
• SOX applications (SOX 404): corporate reports, financial systems
• PCI, NIST, HIPAA
Identity and Access Management for Energy Companies
CIP with IAM Step by Step
CIP-003-1: Access enforcement, audit trails, reviews and roles
• Access authorization enforcement is maintained via identity lifecycle workflows with a robust approval framework and multilevel escalation.
• Audit trails are preserved for each request and approval, ensuring access is given, modified and revoked only under proper supervision.
• Automatic enforcement of access privileges is linked to and based on business roles.
• Annual reviews and re-certification of access are required from management and system owners.
CIP-004-1: Training, privilege revocation
• Training program requirements are enforced via proper personnel on-boarding and transfer workflows, tied into the HR and training systems.
• Revocation within 24 hours of termination for cause (and within seven calendar days when access is simply no longer required) is part of the closely enforced identity lifecycle.
• Critical asset access lists are available for review 24/7 by authorized personnel via a web interface.
CIP-006-1: Physical access protection
• Implemented by integrating with card access and badge systems, tied into the identity lifecycle.
CIP-007-1: Access to CCAs, shared accounts, least privilege
• Enforcing the creation and management of user access to Critical Cyber Assets (CCAs) by employing industry-standard role-based access control: certification, provisioning, rights and password management.
• Directly assigning owners and custodians for individual and shared system accounts on a need-to-know basis and subjecting them to periodic reviews.
• Analysis and remediation of orphan accounts.
• Password policies are deployed in the automated identity management system to ensure only compliant passwords are allowed.
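The reconciliation behind the CIP-004 revocation window, the CIP-007 orphan-account analysis and the "Separation of Duties checks (SOX)" mentioned on the Experience slide can be shown in a few lines. The following is an added example written for this page, not code from the deck or from any Tivoli product: it compares an account inventory against an HR feed and flags orphan accounts, ownerless shared IDs, revocations past the CIP-004-1 R4.2 deadline (24 hours for cause, seven days otherwise) and toxic role combinations. The people, systems, role names and conflict pairs are constructed for the demonstration.

```python
"""Identity reconciliation checks for CIP-004 / CIP-007 style controls.

Added illustration; the HR feed, account inventory and SoD matrix below
are constructed so the checks run offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional

# CIP-004-1 R4.2 revocation windows: 24 hours when terminated for cause,
# seven calendar days when access is simply no longer required.
REVOKE_FOR_CAUSE = timedelta(hours=24)
REVOKE_NO_LONGER_NEEDED = timedelta(days=7)

# Hypothetical separation-of-duties matrix: nobody may hold both roles of a pair.
SOD_CONFLICTS = (
    frozenset({"ap_entry", "ap_approve"}),      # enter and approve a payment
    frozenset({"ems_operator", "ems_admin"}),   # operate and administer the EMS
)


@dataclass(frozen=True)
class Person:
    user_id: str
    status: str                                 # "active" or "terminated"
    roles: FrozenSet[str] = frozenset()
    terminated_at: Optional[datetime] = None
    for_cause: bool = False


@dataclass(frozen=True)
class Account:
    name: str
    system: str
    owner: Optional[str]                        # personal ID accountable for it
    shared: bool = False
    enabled: bool = True


def reconcile(people: List[Person], accounts: List[Account], now: datetime) -> Dict[str, list]:
    """Compare the account inventory against the HR feed and return findings."""
    by_id = {p.user_id: p for p in people}
    findings: Dict[str, list] = {
        "orphans": [],              # personal accounts with no HR record behind them
        "ownerless_shared": [],     # shared IDs nobody is accountable for
        "overdue_revocations": [],  # (account, hours past the CIP-004 deadline)
        "sod_violations": [],       # (person, conflicting role pair)
    }
    for acct in accounts:
        label = f"{acct.system}:{acct.name}"
        if acct.owner is None:
            findings["ownerless_shared" if acct.shared else "orphans"].append(label)
            continue
        owner = by_id.get(acct.owner)
        if owner is None:
            findings["orphans"].append(label)
            continue
        if owner.status == "terminated" and acct.enabled and owner.terminated_at:
            window = REVOKE_FOR_CAUSE if owner.for_cause else REVOKE_NO_LONGER_NEEDED
            deadline = owner.terminated_at + window
            if now > deadline:
                late_hours = round((now - deadline).total_seconds() / 3600, 1)
                findings["overdue_revocations"].append((label, late_hours))
    for person in people:
        for pair in SOD_CONFLICTS:
            if pair <= person.roles:
                findings["sod_violations"].append((person.user_id, tuple(sorted(pair))))
    return findings


# Constructed sample data (not from any real utility).
NOW = datetime(2011, 9, 20, 12, 0)
PEOPLE = [
    Person("alice", "active", frozenset({"ems_operator"})),
    Person("bob", "terminated", frozenset(), datetime(2011, 9, 18, 9, 0), for_cause=True),
    Person("carol", "terminated", frozenset(), datetime(2011, 9, 17, 9, 0)),
    Person("dave", "active", frozenset({"ap_entry", "ap_approve"})),
]
ACCOUNTS = [
    Account("alice", "EMS", "alice"),
    Account("bob", "EMS", "bob"),                         # still enabled 51 h after a for-cause exit
    Account("carol", "CIS", "carol"),                     # 3 days after a routine exit: within 7 days
    Account("dave", "SAP", "dave"),
    Account("jsmith", "EMS", "jsmith"),                   # no HR record at all
    Account("svc_historian", "SCADA-HIST", None, shared=True),
]


def reconcile_sample(days_earlier: float = 0.0) -> Dict[str, list]:
    """Run the checks against the sample data as of NOW minus days_earlier."""
    return reconcile(PEOPLE, ACCOUNTS, NOW - timedelta(days=days_earlier))


if __name__ == "__main__":
    for kind, items in reconcile_sample().items():
        print(f"{kind}: {items}")
```

Run against a real estate the inputs would be the HR system's export and the provisioning system's reconciled account list; the point is that each finding category maps to a specific CIP requirement, so the report doubles as evidence for the annual review.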
Service Identity Management is an essential part of IAM Governance
• Expansion of traditional Identity and Access Management to cover identities used by administrators, systems, software and automated processes.
• Assigns responsibility for service accounts, tracks the people who manage the accounts, reports on them and enforces policies.
• Tracks accounts used by various IT assets: databases, enterprise applications, devices, scheduling and monitoring software, automatic maintenance processes and many more.
How PIM works
[Diagram components: AD / LDAP directory, ITIM, TAM E-SSO, TCIM, event logs, enterprise reports, authorization and recertification flows]
1. Tivoli Identity Manager (TIM) with a custom module provisions privileged IDs in the directory and manages pools of shared IDs. Shared IDs are stored in a secured data store.
2. Account authorizations are periodically recertified through a consistent workflow (recertification of privileged users).
3. The admin logs into Tivoli Access Manager for E-SSO (TAM E-SSO), which automatically checks the shared ID out and back in as required, ensuring accountability while simplifying usage.
4. Tivoli Compliance Insight Manager (TCIM) monitors all event logs for end-to-end tracking and produces the enterprise reports.
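Step 3 is the part that turns a shared administrative ID into something an auditor can attribute to a person: the ID is only usable while one named admin holds a lease on it, and the target system's log lines are joined back to that lease. The following is an added illustration of that check-out / check-in loop written for this page; it is not TIM or TAM E-SSO code. The pool names, admin names, change-ticket references and the sample log events are all constructed.

```python
"""Shared (service) ID check-out / check-in with attribution of the target
system's events back to a named administrator.

Added illustration of the workflow on the slide, not vendor code.  Pool
names, admins, ticket numbers and log events are constructed.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Lease:
    shared_id: str
    admin: str
    reason: str                      # change or incident ticket justifying the use
    start: datetime
    end: Optional[datetime] = None   # None while the lease is still open


class SharedIdVault:
    """Holds the passwords of a pool of shared IDs and hands them out one holder at a time."""

    def __init__(self, pool: List[str]):
        self._free: List[str] = list(pool)
        self._secrets: Dict[str, str] = {sid: secrets.token_urlsafe(24) for sid in pool}
        self._active: Dict[str, Lease] = {}
        self.history: List[Lease] = []          # audit trail; append-only, never pruned

    def check_out(self, admin: str, reason: str, now: datetime) -> Tuple[str, str]:
        """Give `admin` exclusive use of one shared ID and return (id, current password)."""
        if not self._free:
            raise RuntimeError("no shared ID available; wait for a check-in")
        sid = self._free.pop(0)
        lease = Lease(sid, admin, reason, now)
        self._active[sid] = lease
        self.history.append(lease)
        return sid, self._secrets[sid]

    def check_in(self, shared_id: str, admin: str, now: datetime) -> None:
        """Close the lease; only the current holder may return the ID."""
        lease = self._active.get(shared_id)
        if lease is None or lease.admin != admin:
            raise PermissionError(f"{admin} does not hold {shared_id}")
        lease.end = now
        del self._active[shared_id]
        # Rotate the password so the previous holder's knowledge is worthless.
        self._secrets[shared_id] = secrets.token_urlsafe(24)
        self._free.append(shared_id)

    def holder_at(self, shared_id: str, when: datetime) -> Optional[str]:
        """Who was accountable for shared_id at `when`, according to the audit trail."""
        for lease in self.history:
            if lease.shared_id == shared_id and lease.start <= when and (lease.end is None or when <= lease.end):
                return lease.admin
        return None

    def attribute(self, events: List[Tuple[datetime, str, str]]) -> List[Tuple[datetime, str, str, Optional[str]]]:
        """Map (time, shared_id, action) events from the target system to a person.
        A None holder means the ID was used outside any lease: an alert, not a report line."""
        return [(t, sid, action, self.holder_at(sid, t)) for t, sid, action in events]


def run_sample() -> List[Tuple[datetime, str, str, Optional[str]]]:
    """Constructed scenario: two admins, two shared IDs, one use outside a lease."""
    vault = SharedIdVault(["svc_ems_admin1", "svc_ems_admin2"])
    sid_a, _pw = vault.check_out("alice", "CHG-1042 patch EMS historian", datetime(2011, 9, 20, 9, 0))
    vault.check_in(sid_a, "alice", datetime(2011, 9, 20, 10, 0))
    vault.check_out("bob", "INC-77 restart telemetry feed", datetime(2011, 9, 20, 10, 30))
    # Events as the EMS host would log them: the user field is the shared ID, not a person.
    events = [
        (datetime(2011, 9, 20, 9, 30), "svc_ems_admin1", "yum update historian"),
        (datetime(2011, 9, 20, 11, 0), "svc_ems_admin2", "service telemetry restart"),
        (datetime(2011, 9, 20, 11, 15), "svc_ems_admin1", "useradd -o -u 0 maint"),
    ]
    return vault.attribute(events)


if __name__ == "__main__":
    for when, sid, action, holder in run_sample():
        print(f"{when:%H:%M} {sid:<15} {action:<28} -> {holder or 'NOT CHECKED OUT'}")
```

The third event is the one the design exists to catch: svc_ems_admin1 was returned at 10:00 and its password rotated, so a login with it at 11:15 either used a password copied before rotation or bypassed the vault entirely, and the log monitor should raise it rather than file it.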
IBM Software Map for NERC CIP Requirements
CIP-001 Sabotage Reporting
• R1. Have procedures for recognition and reporting of sabotage events.
• R2. Have procedures for communication of sabotage to appropriate parties.
• R3. Have guidelines for monitoring and reporting.
• R4. Have established communication contacts as applicable with local authorities.
CIP-002 Critical Cyber Assets
• R1. Critical Asset Identification Method
• R2. Critical Asset Identification
• R3. Critical Cyber Asset Identification
• R4. Annual Approval
CIP-003 Security Mgmt. Controls
• R1. Cyber Security Policy
• R2. Leadership
• R3. Exceptions
• R4. Information Protection
• R5. Access Control
• R6. Change Control and Configuration Mgmt.
CIP-004 Cyber Security – Personnel & Training
• R1. Awareness
• R2. Training
• R3. Personnel Risk Assessment
• R4. Access
CIP-005 Electronic Security Perimeters
• R1. Electronic Security Perimeter
• R2. Electronic Access Controls
• R3. Monitoring Electronic Access
• R4. Cyber Vulnerability Assessment
• R5. Documentation Review and Maintenance
CIP-006 Physical Security of Cyber Assets
• R1. Physical Security Plan
• R2. Physical Access Controls
• R3. Monitoring Physical Access
• R4. Logging Physical Access
• R5. Access Log Retention
• R6. Maintenance and Testing
CIP-007 Cyber Security – Systems Security Mgmt.
• R1. Test Procedures
• R2. Ports and Services
• R3. Security Patch Management
• R4. Malicious Software Prevention
• R5. Account Management
• R6. Security Status Monitoring
• R7. Disposal or Redeployment
• R8. Cyber Vulnerability Assessment
• R9. Documentation Review and Maintenance
CIP-008 Cyber Security – Incident Reporting & Response
• R1. Cyber Security Incident Response Plan
• R2. Cyber Security Incident Documentation
CIP-009 Recovery Plans for Critical Cyber Assets
• R1. Recovery Plans
• R2. Exercises
• R3. Change Control
• R4. Backup and Restore
• R5. Testing Backup Media
IBM products placed on the map (the slide's assignment of products to standards did not survive extraction): Tivoli Identity Manager, Tivoli Access Manager, Tivoli Security Compliance Manager, Tivoli Security Operations Manager, Tivoli Compliance Insight Manager, Tivoli Storage Manager, Tivoli Provisioning Manager, Tivoli Monitoring, Tivoli Enterprise Portal, Tivoli Netcool, Lotus Learning Management System, Enterprise Content and Record Manager, Internet Security Systems, Maximo.
NERC Compliance Portal functions: alerts, notification, auditing, reporting, workflow, team definition, measurement.
Prolifics-IBM Support For NIST Industrial Control Systems Security Objectives
NIST directive      | NIST objective                                                    | IBM technology
NIST SP 800-12      | Security policies and procedures                                  | TSPM, TIM, TAMeb
NIST SP 800-53      | Security controls: configuration management, access management    | TAM ESSO, TAMeb / TAM OS, TFIM
NIST SP 800-94      | Guidance on intrusion detection/prevention systems                | ISS Proventia
NIST SP 800-61      | Guidance on incident handling and reporting                       | TSIEM
NIST SP 800-73/76   | Guidance on Personal Identity Verification                        | TIM, PIM
NIST SP 800-63      | Guidance on remote electronic authentication                      | TFIM
NIST SP 800-64      | Security considerations for the system development lifecycle      | Rational AppScan
NIST SP 800-61      | Guidance on incident handling / audit log retention               | TSIEM
NIST SP 800-56/57   | Guidance on cryptographic key establishment and management        | TKLM
Application Protection (section divider)
Application Vulnerabilities Continue to Dominate
• Web application vulnerabilities represent the largest category in vulnerability disclosures
• In 1H10, 55.95% of all vulnerabilities were web application vulnerabilities
• SQL injection and cross-site scripting are neck and neck in a race for the top spot
Source: IBM Internet Security Systems 2010 X-Force® Mid-Year Trend & Risk Report
Motivation for becoming Secure by Design…
[Chart: impact to the enterprise of a flaw by the phase in which it is found: Development 1x, Test 10x, Deployment 100,000x. A functional flaw (e.g. database crash) is contrasted with a security flaw (e.g. database hacked).]
Unbudgeted costs of a security flaw found in deployment:
• Downtime
• Customer notification/care
• Fines/litigation
• Reputational damage
• Cost to clean up
Application Security Tools Strategy
• Static code analysis (whitebox): scanning source code for security issues
• Dynamic analysis (blackbox): performing security analysis of a compiled, running application
[Diagram: of the total potential security issues, static analysis and dynamic analysis each find an overlapping subset; used together they approach complete coverage.]
Provides for numerous compliance requirements, including NERC CIP: CIP-002 Critical Cyber Assets; CIP-005 Electronic Security Perimeters; CIP-007 Cyber Security – Systems Security Mgmt.
Database Servers Are the Primary Source of Breached Data
• SQL injection played a role in 79% of records compromised during 2010 breaches
• "Although much angst and security funding is given to … mobile devices and end-user systems, these assets are simply not a major point of compromise."
[Chart: source of breached records by asset type; database servers lead, up from 75% in the 2009 report]
Source: 2010 Data Breach Investigations Report, Verizon Business RISK Team, http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
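The SQL injection figure above and the whitebox/blackbox split on the tools-strategy slide come down to one coding mistake and one way of finding it from the outside. The following is an added example written for this page, not code from the deck or from IBM: the vulnerable lookup beside its parameterized fix, run against a constructed customer/meter table in an in-memory SQLite database, plus the single-quote probe a dynamic scanner sends to tell the two apart without seeing the source. The table contents and function names are invented for the demonstration.

```python
"""SQL injection: vulnerable query, parameterized fix, and the blackbox probe.

Added example for this page (not vendor code).  The customers table and its
rows are constructed so the demonstration runs offline.
"""
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[int, str, str]


def build_sample_db() -> sqlite3.Connection:
    """Constructed customer information system: three customers and their meters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, meter_id TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "Acme Foundry", "MTR-0001"),
        (2, "Riverside Clinic", "MTR-0002"),
        (3, "Hill Farm", "MTR-0003"),
    ])
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, name: str) -> List[Row]:
    """String concatenation: the caller's input becomes part of the SQL grammar.
    A static analyzer flags this line; it does not need to run anything."""
    sql = f"SELECT id, name, meter_id FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn: sqlite3.Connection, name: str) -> List[Row]:
    """Bound parameter: the input is only ever a value, never SQL."""
    sql = "SELECT id, name, meter_id FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def probe_for_injection(conn: sqlite3.Connection, lookup: Callable[[sqlite3.Connection, str], List[Row]]) -> bool:
    """Blackbox check a dynamic scanner performs: a lone quote breaks the grammar of
    the concatenated query and surfaces as a database error; the parameterized
    version treats it as data and answers normally."""
    try:
        lookup(conn, "'")
    except sqlite3.DatabaseError:
        return True
    return False


if __name__ == "__main__":
    db = build_sample_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_customer_vulnerable(db, payload))   # every customer and meter
    print("safe:      ", find_customer_safe(db, payload))         # no such customer
    print("probe vulnerable:", probe_for_injection(db, find_customer_vulnerable))
    print("probe safe:      ", probe_for_injection(db, find_customer_safe))
```

The payload `' OR '1'='1` closes the string literal and appends a condition that is always true, so the vulnerable version returns the whole table; the same text handed to the parameterized version is compared literally against the name column and matches nothing. The probe returns True only for the vulnerable function, which is exactly the signal a blackbox scan reports.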
Real-Time Database Monitoring
• No DBMS or application changes
• Does not rely on DBMS-resident logs, which can easily be erased by attackers or rogue insiders
• 100% visibility, including local DBA access
• Minimal performance impact (1-2%)
• Cross-DBMS solution
• Granular, real-time policies and auditing: who, what, when, how
• Automated compliance reporting, sign-offs and escalations (SOX, PCI, NIST, etc.)
[Diagram: host-based probes (S-TAPs) on the database servers forward observed traffic to a collector.]
NERC CIP coverage: CIP-002 Critical Cyber Assets; CIP-003 Security Mgmt. Controls; CIP-005 Electronic Security Perimeters; CIP-007 Cyber Security – Systems Security Mgmt.
New Threat Vectors: Virtualization and Distributed Assets (section divider)
Protocol Analysis Module (PAM) is the Engine Behind Our Products
1. What it does: detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability. Why important: eliminates the need for constant signature updates. Protection includes the proprietary Shellcode Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero-day vulnerabilities.
2. What it does: monitors and identifies unencrypted PII and other confidential information for data awareness. Also provides the capability to explore data flow through the network to help determine whether any potential risks exist. Why important: flexible and scalable customized data search criteria; serves as a complement to the data security strategy.
3. What it does: protects web applications against sophisticated application-level attacks such as SQL injection, XSS (cross-site scripting), PHP file includes and CSRF (cross-site request forgery). Why important: expands security capabilities to meet both compliance requirements and threat evolution.
4. What it does: manages control of unauthorized applications and risks within defined segments of the network, such as ActiveX fingerprinting, peer-to-peer, instant messaging and tunneling. Why important: enforces network application and service access based on corporate policy and governance.
5. What it does: protects end users against attacks targeting applications used every day such as Microsoft Office, Adobe PDF, multimedia files and web browsers. Why important: at the end of 2009, vulnerabilities affecting personal computers were the second-largest category of vulnerability disclosures, about a fifth of all disclosures.
6. What it does: shields vulnerabilities from exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach. Why important: at the end of 2009, 52% of all vulnerabilities disclosed during the year had no vendor-supplied patch available; by mid-2010 the percentage had increased to 55%.
Others: constant thrashing to address today's latest threat. IBM with PAM: "Ahead of the Threat".
NERC CIP coverage: CIP-005 Electronic Security Perimeters; CIP-007 Cyber Security – Systems Security Mgmt.
Preemptive "Ahead of the Threat" Security, backed up by data
Top 61 vulnerabilities of 2009:
• 35 vulnerabilities (57% of the top vulnerabilities) protected ahead of the threat
• 341 average days ahead of the threat; 91 median days
• 17 with same-day coverage
• 9 with protection released after the announcement
2010: average days ahead of the threat increased to 437
© 2011 IBM Corporation
Securing the Virtualized Runtime: IBM Security Virtual Server Protection for VMware vSphere 4
Helps customers to be more secure, compliant and cost-effective by delivering integrated and optimized security for virtual data centers:
• VMsafe integration
• Firewall and intrusion detection & prevention
• Rootkit detection & prevention
• Inter-VM traffic analysis
• Automated protection for mobile VMs (VMotion)
• Virtual network segment protection
• Virtual network-level protection
• Virtual infrastructure auditing (privileged user access)
• Virtual network access control
• Virtual patch
IBM Virtual Server Protection for VMware: http://www-01.ibm.com/software/tivoli/products/virtual-server-protection/
Tivoli Endpoint Manager: Smarter, Faster Endpoint Management
• Network asset discovery
• Endpoint HW and SW inventory
• Patch management
• Software distribution
• OS deployment
• Remote desktop control
• Software use analysis (add-on)
• Power management (add-on)
Whether it's a Mac connecting from hotel wi-fi, a Windows laptop at 30K feet, or a Red Hat Linux server in your data center, Tivoli Endpoint Manager has it covered. In real time, at any scale.
NERC CIP coverage: CIP-002 Critical Cyber Assets; CIP-003 Security Mgmt. Controls; CIP-005 Electronic Security Perimeters; CIP-007 Cyber Security – Systems Security Mgmt.
Experiences from the Field (section divider)
Experience
• Treating identities as an enterprise asset
• Consistent, standards-based method for authentication and authorization
• Provisioning and, more importantly, de-provisioning accounts within a specified period of time (account lifecycle): application accounts, databases, servers, network devices
• Approval process with multi-level escalation and delegation
• Quarterly access certification reports
• FERC M/T code throughout the whole system and in reports
• Standardization helps with FERC reliability regulations
• Energy Management Systems kept on an isolated network
• SSO limits password exposure and simplifies the sign-on process
• Service ID Management to address shared accounts (SOX)
• Separation of Duties checks (SOX)
Other features
• Self-service user interface
• Auditing and reporting enhancements
• Dormant accounts management
• External security audit recommended adding all enterprise applications, not just those covered by SOX and FERC regulations
• Flexible life-cycle and operational workflows
By managing security for customers across the world, IBM has a clear and current picture of threats and attacks.
IBM has the unmatched global and local expertise to deliver complete solutions and manage the cost and complexity of security:
• 9 Security Research Centres
• 9 Security Operations Centres
• 11 Security Solution Development Centres
• 133 monitored countries
• 3 branches of the Institute for Advanced Security ("IAS"): IAS Americas, IAS Europe, IAS Asia Pacific
Our strategy: comprehensive solutions that also leverage partners' products
Delivery models: professional services, products, managed services, cloud delivered
IBM Security Solutions: 1. Assess risks; 2. Mitigate risks; 3. Manage security controls
Security Governance, Risk and Compliance (GRC)
• Security Information and Event Management (SIEM) & log management
Identity & Access Management
• Identity management, access management
Data Security
• Database monitoring & protection
• Encryption & key lifecycle management
• Data loss prevention, data entitlement management
• Data masking
Messaging Security
• E-mail security
Application Security
• Web / URL filtering
• Application vulnerability scanning
• Access & entitlement management
• Web application firewall
• SOA security
Infrastructure Security
• Threat analysis
• Firewall, IDS/IPS, MFS management
• Physical security
• Mainframe security audit, admin & compliance
• Security event management
• Security configuration & patch management
• Intrusion prevention system
• Endpoint protection, virtual system security
• Vulnerability assessment
• Managed mobility services
Our strategy: IBM is investing in Security Solutions
The only security vendor in the market with end-to-end coverage of the security foundation:
• 15,000 researchers, developers and SMEs on security initiatives
• 3,000+ security & risk management patents
• 200+ security customer references and 50+ published case studies
• 40+ years of proven success securing the zSeries environment
• 600+ security certified employees (CISSP, CISM, CISA, …)
IBM Security acquisitions (1999 – 2010): DASCOM
The mission of the IBM X-Force research and development team is to:
• Research and evaluate threat and protection issues
• Deliver security protection for today's security problems
• Develop new technology for tomorrow's security challenges
• Educate the media and user communities
IBM builds technology for tomorrow based on IBM Research
• Identify mission-critical enterprise assets and very sensitive data
• Build fine-grained perimeters
• Monitor fine-grained perimeters and close the loop
• End-to-end security
• Secure by design
Our strategy: research = intelligence = security
• 13B analyzed web pages & images
• 150M intrusion attempts daily
• 40M spam & phishing attacks
• 54K documented vulnerabilities
• Millions of unique malware samples
The Importance of Research to Security: IBM Internet Security Systems X-Force® Research Team
Research: protection technology research, threat landscape forecasting, malware analysis, public vulnerability analysis, original vulnerability research
Technology:
• X-Force Protection Engines: extensions to existing engines, new protection engine creation
• X-Force XPUs: security content update development, security content update QA
• X-Force Intelligence: X-Force database feed monitoring and collection, intelligence sharing
Solutions: the X-Force team delivers reduced operational complexity, helping to build integrated technologies that feature "baked-in" simplification: "protecting people from themselves".
IBM's security portfolio today
IBM Security Offering Reference Model: IT infrastructure operational domains (People, Data, Applications, Infrastructure: Network and Endpoint), with security / compliance analytics and reporting across all of them; in each domain, IBM products and IBM security services (security consulting, implementation services, managed services).
Security / compliance analytics and reporting
• Products: IBM OpenPages; Tivoli Security Information and Event Management
• Services: GRC consulting and implementation services; audit and compliance assessment services (e.g. PCI); privacy and risk assessments; cloud-based vulnerability management portal; security event and log management
People
• Products: Tivoli Identity and Access; Tivoli Federated ID; Tivoli Single Sign-On
• Services: identity assessment, deployment and hosting services
Data
• Products: InfoSphere Guardium; InfoSphere Optim Data Masking; tape / disk encryption; Tivoli Key Manager
• Services: data security assessment; encryption and DLP deployment
Applications
• Products: Rational AppScan Source Edition; Rational AppScan Standard Edition; Tivoli Security Policy Manager
• Services: application assessment services; AppScan On Demand (SaaS)
Infrastructure (network, endpoint)
• Products: Tivoli Network Intrusion Prevention; WebSphere DataPower XML Gateway; Tivoli Endpoint Manager (anti-virus using Trend Micro); Tivoli zSecure mainframe security
• Services: penetration testing; firewall, IPS and vulnerability managed services; managed mobile protection (using Juniper)
DOORS FocalPoint