TRANSCRIPT
Cybersecurity Best Practices
Cybersecurity
© 2019 AVEVA Group plc and its subsidiaries. All rights reserved.
Presented By:
Tom Gallagher, Head of Quality and Cybersecurity
Tom Gallagher
• Head of Quality and Cybersecurity at AVEVA
• Works with DHS, ICS-CERT, and other government agencies
• B.S. in Computer Information Systems
• Advanced CEH training
Speaker’s Introduction
Agenda
Cybersecurity Overview
Risk Analysis and Management
Improving Operational Technology Security
Recommended Actions
Conclusions
Resources
Cybersecurity Overview
AVEVA’s Cybersecurity Program
2019 Threat Landscape
• 90% of OT Organizations represented in study have experienced at least one damaging cyberattack over past two years.
• Large companies suffering annual losses of nearly $500K
• Majority reported between 2 and 4 incidents in the past year
• 67% wish to keep up with sophistication and stealth of attackers
• 60% worry about an attack against OT infrastructure
• The Global Average cost of a breach has increased by 6.4% over the previous year to $3.86M
• The average cost for each lost or stolen record containing sensitive or confidential information is up 4.8% year over year to $148
OT/ICS Security & Cost of a Data Breach Study by Ponemon
References: 2017 Kaspersky Report on OT/ICS Security & 2018 Cost of a Data Breach Study by Ponemon & 2019 Cybersecurity in Operational Technology by Ponemon
AVEVA’s Security Goals and Objectives
• Keep our Customers Secure
  • Improve the Security Posture of our products.
  • Increase Security knowledge of R&D Engineers.
  • Enable rapid response to issues (CERT).
• Security Process Compliance
  • ISASecure SDLA certified processes.
  • Define KPIs to measure results.
  • Quality Management System (QMS) provides Governance.
• Increase Security Awareness
  • Across organizational functions in all Business Units.
  • Ensure Security Requirements are defined.
  • Build Security into Architectures.
Security Development Lifecycle
• All Software R&D teams follow our ISASecure® SDLA Certified Process.
• We have aligned our Security Development Lifecycle with the IEC 62443 standard and our Agile/Lean development practices.
• The Quality Management System (QMS) and Security Development Lifecycle (SDL) provide for governance across the software business.
• All product teams have assigned Security Advisors.
Security Training
• Security Training is mandatory and provided to:
  • Dev Engineers
  • Test Engineers
  • Architects
  • Dev/QA Managers
• Team Members have annual security training goals aligned with product technologies.
• Any new teams and/or team members are trained in Security.
• We use Microsoft, Team Professor, and Pluralsight trainings.
Security Tools
• Automated, Secure Build Systems
  • Modern compiler versions with security options enabled
  • Digital Signing of all Binaries and Installs
• Static Code Analysis
  • Checkmarx
  • Visual Studio Code Analysis (FxCop)
  • BinScope
  • WhiteSource (Open Source scans)
• Security Rules
  • CWE/SANS Top 25
  • OWASP Top 10
• Other Tools
  • MS Threat Modeling, Attack Surface Analyzer, Nessus Scanner, Cylance Protect, Wurldtech Achilles, beSTORM, Burp Suite, Arachni, CSET
Threat Models
Example Product Threat Model
• Threat Modeling is a structured approach to analyze the security architecture of the product and identify potential threats that may impact the system.
• We use Threat Models to develop specific product security tests (e.g. fuzz and penetration tests).
• Reviewed and updated as needed every product release.
• We have regular Threat Modeling Workshops with Microsoft.
Incident Response and Management
• We have a defined response process that is aligned with ISO/IEC 30111 Standards.
• Response process includes:
  • Investigation, Validation, and Triage of issue.
  • We use Common Vulnerability Scoring System (CVSS) to rank issues as Low, Medium or High based on their CVSS base scores.
  • Communication with ICS-CERT.
  • If necessary, a software patch plan is developed.
  • Security Bulletins, Distributor and Customer alerts, and public announcements as warranted.
• The working procedures are documented within our Quality Management System (QMS).
• Our Vulnerability Management Policy is available for review online at: http://www.schneider-electric.com/en/download/document/Vuln_Mgmt_Policy/
Cloud Product Security
• Physical Security
• Azure regional datacenters are protected by layers of defense-in-depth security
• Information Security
• Azure provides in-transit and at-rest data encryption
• Azure Key Vault protects keys, secrets and certificates
• Azure Virtual Networks and Network Security Groups
• Threat management and intrusion detection
Azure and AWS Hosting
© 2018 AVEVA Solutions Limited and its subsidiaries. All rights reserved.
• Azure Certifications
• ISO/IEC 27001, 22301, 27017 and 27018
• CSA Star Gold
• SOC 1, SOC 2 and SOC 3.
• And many others…
AVEVA Security Highlights and Certifications
Capabilities that Differentiate Our Products
• Azure DevOps
• Global R&D AD Federation
• CI/CD Pipelines
• DevSecOps
• Azure Security Center
• AWS CloudTrail
• SAST/DAST/IAST
• Cloud Security
• Cloud Security Alliance
• SOC 2 Audit Reports
• Pursuing ISO 27001
Risk Analysis and Management
How to Identify, Analyze, and Describe Risks
NIST Cybersecurity Framework
The Framework guides you to correct outcomes through the five basic functions.
Framework for Improving Critical Infrastructure Cybersecurity
Framework Core: Identify, Protect, Detect, Respond, Recover
Identify Risks to Assets
• Identify the risks to the OT environment
• Consider vulnerabilities of what you have and how they may be exploited, by whom, and what would be the impact of a successful attack
• Asset Discovery and Identification
• Physical assets are inventoried through both technology and manual processes to locate and identify all assets aligned with OT, including RTUs, PLCs, IEDs, users, applications, switches, routers, firewalls and security devices
• Identify the protocols in use across the field infrastructure
• Logical aspects include organizational structure
Review Network and Computer Security
Vulnerability Assessment
• Focus
• Through internal or external resources and tools, investigate the system for vulnerabilities:
• Open ports, unneeded services, weak or default passwords, USB access, clear text communication or tool usage, weak access control definitions
• Consider not just technology, but also environmental vulnerabilities
• Hurricanes, flooding, terrorist attacks, severe thunderstorms, etc.
• Consider physical access at facilities across your infrastructure
How Vulnerable are the Systems?
• Tools
• Nessus, OpenVAS, Nmap, Cisco, etc.
• Active versus Passive system interaction within a production environment
Threat Assessment
• Identify the Threat Actors
• External: Script Kiddies, Darknet Criminals, Nation States
• Internal: Disgruntled Worker, Careless Worker, Dedicated Worker
• Identify the Attack Vectors that could be used
• Phishing, Ransomware, Advanced Persistent Threat, Process Attacks
• Physical Security, Rogue Network Devices, Severe Weather
Risk Assessment
• Take the information created in prior steps and combine to perform a risk analysis
• Components of Risk
Quantifying Risk in order to Prioritize Improvements
• Situation: Specifies how a vulnerability could be exploited, for example a fire in the control room or a password being compromised
• Threat/Vulnerability: Designates the source of the threat and combines it with the vulnerability; for example, the same vulnerability could exist as both an internal and an external threat
• Area: Specifies the security control area to which the risk pertains, for example Policy, Process, or Technical
• Remediation: Corrective actions that would remediate the identified risk
• FAIR by the Open Group is an example of a recognized Value at Risk Framework
Quantitative Risk Assessment
Quantifying your Risk

Situation | Threat/Vulnerability | Asset (Value) | Vulnerability (Likelihood) | Threat (Impact) | Risk (Valuation) | Area | Remediation
Users accessing data that is not within their role and responsibility | Internal / Access Control | $1,000,000 | 20% | 50% | $100,000 | Technical | Implement a robust role based access control paradigm that leverages Active Directory and is used to control data access universally
Passwords easily compromised | External + Internal / Weak Passwords | $500,000 | 30% | 50% | $75,000 | Policy | Establish a password policy aligned to NIST’s best practices for critical sites
• Quantitative
  • Risk = Asset * Vulnerability * Threat, where:
    • Asset is the dollar value of the asset at risk
    • Vulnerability is the likelihood of it happening (0-100%)
    • Threat is the impact of the threat: High (100%), Medium (50%), Low (10%)
Risk Assessment
• Qualitative
• Leverage experience to quantify the probability of a risk occurring
• Valuation: Very High, High, Moderate, Low, Very Low
Describing the Risk

Situation | Threat/Vulnerability | Asset (Value) | Vulnerability (Likelihood) | Threat (Impact) | Risk (Valuation) | Area | Remediation
Users accessing data that is not within their role and responsibility | Internal / Access Control | Very High | Low | Moderate | High | Technical | Implement a robust role based access control paradigm that leverages Active Directory and is used to control data access universally
Passwords easily compromised | External + Internal / Weak Passwords | High | Moderate | High | High | Policy | Establish a password policy aligned to NIST’s best practices for critical sites
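The quantitative model above (Risk = Asset * Vulnerability * Threat, with the impact weights High 100%, Medium 50%, Low 10%) carried through in code, as an added example that is not part of the AVEVA deck. The two register entries reproduce the slide's table rows; the `RiskEntry` class, the field names, and the prioritisation order (highest dollar risk first) are this example's own choices, not the deck's.

```python
"""Quantitative risk register for the deck's formula Risk = Asset * Vulnerability * Threat.
Added example, not code from the AVEVA presentation. Register rows are the two
constructed/slide values; class and function names are this example's own."""
from dataclasses import dataclass

# Impact weights exactly as stated on the slide: High 100%, Medium 50%, Low 10%.
THREAT_IMPACT = {"High": 1.00, "Medium": 0.50, "Low": 0.10}


@dataclass(frozen=True)
class RiskEntry:
    situation: str             # how the vulnerability could be exploited
    threat_vulnerability: str  # source of the threat / the vulnerability
    area: str                  # Policy, Process, or Technical
    remediation: str           # corrective action that would remediate the risk
    asset_value: float         # dollar value of the asset at risk
    likelihood: float          # vulnerability likelihood, 0.0 - 1.0 (0-100%)
    impact: str                # key into THREAT_IMPACT

    def risk(self) -> float:
        """Dollar valuation of the risk; rejects likelihoods outside 0-100%."""
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError("likelihood must be between 0 and 1")
        if self.impact not in THREAT_IMPACT:
            raise ValueError(f"impact must be one of {sorted(THREAT_IMPACT)}")
        return self.asset_value * self.likelihood * THREAT_IMPACT[self.impact]


def prioritize(register):
    """Order entries by dollar risk, highest first, so remediation budget and
    effort are argued from the largest exposures (the deck's 'prioritize improvements')."""
    return sorted(register, key=lambda e: e.risk(), reverse=True)


def risk_table(register):
    """Render the register as (situation, risk in dollars, area) rows, prioritized."""
    return [(e.situation, round(e.risk(), 2), e.area) for e in prioritize(register)]


# The two rows of the slide's quantitative table.
REGISTER = [
    RiskEntry("Users accessing data that is not within their role and responsibility",
              "Internal / Access Control", "Technical",
              "Implement a robust role based access control paradigm that leverages Active Directory",
              asset_value=1_000_000, likelihood=0.20, impact="Medium"),
    RiskEntry("Passwords easily compromised",
              "External + Internal / Weak Passwords", "Policy",
              "Establish a password policy aligned to NIST's best practices for critical sites",
              asset_value=500_000, likelihood=0.30, impact="Medium"),
]


if __name__ == "__main__":
    for situation, dollars, area in risk_table(REGISTER):
        print(f"${dollars:>12,.0f}  {area:<10} {situation}")
```

Running the block prints the access-control risk ($100,000) ahead of the weak-password risk ($75,000), matching the slide's Risk (Valuation) column; swapping in a qualitative scale is a matter of replacing `THREAT_IMPACT` and the likelihood with the Very High to Very Low buckets the next slide uses.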
Risk Assessment
• Qualitative Versus Quantitative
• Begin Simple and build your risk models over time
• Strive for incremental improvements
• Results will help to justify the changes you need to implement
• Clearly document budget impacts
• Consider Dollars, Resources, and Technology
• Clearly State ROI
Using this information to drive Change
Improving Operational Technology Security
Vulnerability Management Program
A continuous process to identify, assess, and correct system vulnerabilities.
Execute on a monthly basis, reducing vulnerabilities based on prioritized risk.
Framework for Managing Vulnerability
VMP cycle:
• Preparation
• Scan Assets for Vulnerabilities
• Assess and Rank the Identified Risk
• Remediation
• Validate Corrective Actions
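The "Assess and Rank" and "Validate Corrective Actions" steps of the monthly cycle, as an added example that is not part of the AVEVA deck. The deck says issues are ranked Low/Medium/High from their CVSS base scores but gives no thresholds; the bands used here (Low below 4.0, Medium below 7.0, High 7.0 and above) are the CVSS v2 qualitative scale and are an assumption, as are the asset criticality score, the `Finding` fields, and the constructed finding identifiers and scan results.

```python
"""Monthly vulnerability management cycle: rank scan findings, then confirm that
last cycle's remediations actually closed them. Added example, not from the deck.
Findings, hostnames and identifiers are constructed sample data; the CVSS bands
are assumed (CVSS v2 qualitative scale), since the deck states none."""
from dataclasses import dataclass

SEVERITY_ORDER = {"High": 3, "Medium": 2, "Low": 1}


def cvss_severity(base_score: float) -> str:
    """Map a CVSS base score (0.0-10.0) onto the deck's three tiers (assumed bands)."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    if base_score >= 7.0:
        return "High"
    if base_score >= 4.0:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Finding:
    finding_id: str   # scanner's identifier (constructed, e.g. "FND-0001")
    asset: str        # hostname from the asset inventory
    title: str
    cvss: float       # CVSS base score reported by the scanner
    criticality: int  # asset criticality from the inventory, 1 (low) to 5 (safety-critical); assumed scale

    @property
    def severity(self) -> str:
        return cvss_severity(self.cvss)


def rank_findings(findings):
    """'Assess and Rank': highest severity first; within a tier, the most critical
    asset first, then the higher base score."""
    return sorted(findings,
                  key=lambda f: (SEVERITY_ORDER[f.severity], f.criticality, f.cvss),
                  reverse=True)


def validate_corrective_actions(previous, remediated_ids, rescan):
    """'Validate Corrective Actions': a remediation counts as closed only when the
    finding no longer appears in the next scan. Returns sorted id lists
    (closed, still_open, new)."""
    before = {f.finding_id for f in previous}
    after = {f.finding_id for f in rescan}
    claimed = set(remediated_ids)
    closed = sorted(claimed - after)
    still_open = sorted(claimed & after)  # fix did not take, or the change regressed
    new = sorted(after - before)          # surfaced since the last cycle
    return closed, still_open, new


# Constructed scan results for two consecutive monthly cycles.
LAST_MONTH = [
    Finding("FND-0001", "hmi-01", "Outdated remote access service", 9.8, 3),
    Finding("FND-0002", "plc-gw-01", "Default credentials on web console", 7.5, 5),
    Finding("FND-0003", "eng-ws-02", "Unneeded file sharing service enabled", 5.3, 2),
    Finding("FND-0004", "hist-01", "Information disclosure in service banner", 3.1, 3),
]
REMEDIATED = ["FND-0001", "FND-0002", "FND-0003"]  # work orders the OT team reported done
THIS_MONTH = [
    Finding("FND-0002", "plc-gw-01", "Default credentials on web console", 7.5, 5),  # still present
    Finding("FND-0004", "hist-01", "Information disclosure in service banner", 3.1, 3),
    Finding("FND-0005", "eng-ws-02", "Missing OS security update", 8.8, 2),
]


if __name__ == "__main__":
    for f in rank_findings(THIS_MONTH):
        print(f"{f.severity:<6} crit={f.criticality} {f.asset:<10} {f.finding_id} {f.title}")
    closed, still_open, new = validate_corrective_actions(LAST_MONTH, REMEDIATED, THIS_MONTH)
    print("closed:", closed, "still open:", still_open, "new:", new)
```

With the constructed data, the gateway PLC finding outranks the workstation finding despite its lower base score because the asset is more critical, and the validation step shows one claimed remediation (FND-0002) that did not hold, which is exactly the case the "Validate Corrective Actions" step exists to catch.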
Vulnerability Management Program
• IT and OT are increasingly becoming more aligned with technology and processes.
• A focused means to collaborate
• The OT group responsible for the safe operation of the assets
• The IT/Security groups responsible for managing, patching, and ensuring the secure operation of IT assets
• Objective: Maintain the security of the infrastructure while respecting the unique needs and demands of the OT space
• Provides a practical framework to create and maintain a secure operating environment
• Iterative Progress and Continuous Improvement is Key to Success
Shared Program between IT/OT/Security
Security Controls
• Security Controls are the safeguards/countermeasures prescribed for information systems or organizations and are designed to:
• Protect the confidentiality, integrity, and availability of information that is processed, stored, and transmitted by those systems/organizations
• Satisfy a set of defined security requirements.
• Questions to Ask:
• What Controls are needed to satisfy the security requirements to mitigate risk?
• Have the security controls been implemented or is there a plan in place?
• What is the desired or required level of assurance that the selected security controls, as implemented, are effective in their application?
NIST 800-53 r4 – Security Controls and Assessment Procedures for Federal Information Systems (FIS) and Organizations (control family examples below)
MP – Media Protection
IR – Incident Response
AT – Awareness and Training
AC – Access Control
IA – Identification and Authentication
Recommended Actions
Guidance for Customers
Architectural Concepts
• Implement the system in layers
• Protect segments with NG Firewalls
• Data flows from more secure to less secure
• When using VLANs, do not use default LAN 0
• Model dataflows to identify flow risks between system components
• Secure Data in Motion and At Rest
• Consider Certificate Management
• IT and OT Convergence, IIoT, Digital Transformation Impacting Traditional Model
Defense in Depth and a Secure Infrastructure
Purdue ICS Model
System Management
• User Management
• Inter- and Intra-Domain User Management
• Align as part of a comprehensive Role Based Access Control (RBAC) model
• Least Privilege as the guiding principle
• Group Policy Configuration
• DO NOT expect to use a typical IT GPO configuration within an OT system
• Review and apply Microsoft’s recommended Baseline GPOs
• https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines
• Review and apply the Center for Internet Security (CIS) recommended GPOs
• https://www.cisecurity.org/benchmark/microsoft_windows_server/
• Change default passwords, disable unneeded services, block/remove ports, remove unneeded software
Baseline Recommendations
Asset Management
• A fundamental requirement for a VMP is knowing the details of what is on your network
• Includes Versions of software, what is supported, along with valid configurations
• A formal tool is recommended to perform this function
• Document all components that comprise the OT environment, including field devices, routers, firewalls, switches, VPNs, wireless devices, IDS/IPS, servers, workstations, BYOD, phones
• Include Production, Test and Development, Engineering, Training, IDMZ/DMZ/DSS
• Include all sites, LAN Configuration, WAN configuration, Web Interactions
• Regularly scan and review the network to ensure no unexpected additions/removals/changes
Knowing what is on your network
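The last bullet of the Asset Management slide (regularly scan and review the network for unexpected additions, removals and changes) as a reconciliation routine, added here as an example that is not part of the AVEVA deck. It diffs a documented baseline against the latest discovery scan and also surfaces two of the weaknesses the Vulnerability Assessment slide lists: unsupported software versions and clear-text protocols appearing on a device. The `Asset` fields, the addresses, hostnames, versions, and the set of protocols treated as clear text are all constructed assumptions for the example.

```python
"""Asset inventory reconciliation for an OT network. Added example, not code from
the AVEVA deck; the baseline records and the 'scan' results are constructed sample
data (10.1.1.0/24 addresses and hostnames are placeholders)."""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    asset_type: str   # PLC, RTU, IED, HMI, server, switch, firewall ...
    version: str      # firmware or software version
    supported: bool   # still supported by the vendor?
    protocols: tuple  # protocols observed on the device
    zone: str         # Production, Test, Engineering, IDMZ ...


# Protocols treated as 'clear text communication' for this example (assumed list,
# not from the deck): their appearance on a device is a change worth a review.
CLEARTEXT = {"telnet", "ftp", "http"}


def by_ip(assets):
    return {a.ip: a for a in assets}


def diff_inventory(baseline, current):
    """Compare the documented baseline against the latest discovery scan.
    Returns (added, removed, changed); changed maps ip -> {field: (old, new)}."""
    base, cur = by_ip(baseline), by_ip(current)
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = {}
    for ip in sorted(set(base) & set(cur)):
        old, new = asdict(base[ip]), asdict(cur[ip])
        delta = {k: (old[k], new[k]) for k in old if old[k] != new[k]}
        if delta:
            changed[ip] = delta
    return added, removed, changed


def review_items(baseline, current):
    """Turn the diff into review lines: unexpected devices, devices that went
    silent, version/config drift, newly exposed clear-text protocols, and
    assets running unsupported software."""
    added, removed, changed = diff_inventory(baseline, current)
    cur = by_ip(current)
    items = [f"ADDED {ip} {cur[ip].hostname} ({cur[ip].asset_type}) in {cur[ip].zone}" for ip in added]
    items += [f"REMOVED {ip}" for ip in removed]
    for ip, delta in changed.items():
        for field, (old, new) in delta.items():
            items.append(f"CHANGED {ip} {field}: {old!r} -> {new!r}")
        if "protocols" in delta:
            before, after = (set(p) for p in delta["protocols"])
            for proto in sorted(CLEARTEXT & (after - before)):
                items.append(f"CLEARTEXT {ip} now exposes {proto}")
    items += [f"UNSUPPORTED {a.ip} {a.hostname} version {a.version}" for a in current if not a.supported]
    return items


# Constructed baseline (what the asset register says) and latest scan result.
BASELINE = [
    Asset("10.1.1.10", "plc-01", "PLC", "v2.4.1", True, ("modbus/tcp",), "Production"),
    Asset("10.1.1.11", "hmi-01", "HMI", "2019.1", True, ("https", "rdp"), "Production"),
    Asset("10.1.1.12", "rtu-03", "RTU", "1.8", True, ("dnp3",), "Production"),
    Asset("10.1.1.20", "eng-ws-01", "workstation", "10.0.17763", True, ("smb",), "Engineering"),
]
SCAN = [
    Asset("10.1.1.10", "plc-01", "PLC", "v2.5.0", True, ("modbus/tcp", "http"), "Production"),
    Asset("10.1.1.11", "hmi-01", "HMI", "2019.1", True, ("https", "rdp"), "Production"),
    Asset("10.1.1.20", "eng-ws-01", "workstation", "10.0.17763", False, ("smb",), "Engineering"),
    Asset("10.1.1.50", "unknown-laptop", "laptop", "?", True, ("smb", "http"), "Production"),
]


if __name__ == "__main__":
    for line in review_items(BASELINE, SCAN):
        print(line)
```

Run monthly alongside the vulnerability scan, the output is the list the OT and IT/Security groups review together: the unknown laptop on the production segment, the RTU that stopped answering, the PLC whose firmware changed and now exposes HTTP, and the engineering workstation whose OS build has fallen out of support.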
Patch Program
• Use a Test Environment to validate all patches, updates, and upgrades prior to deployment
• Consider risk
• Implement the program in Phases
• Start with common/baseline systems
• Move to more complex systems, one-offs, and legacy
• Coordinate the monitoring and update process across those responsible
• Minimize the amount of software to be monitored and managed
• Consider how updates are installed and managed along with who may do it
• Align with Asset Management
Updates of Software and Firmware
System Protections
• Antivirus, Antimalware
• Traditional Signature Based
• Algorithmic, Machine Learning, AI
• Process Monitoring for Branching and Behavior
• Intrusion Detection System / Intrusion Prevention System
• Use of an IPS is not recommended for control networks
• Consider effect of monitoring to ensure that performance is not negatively impacted
• Firewalls
• Host-Based, Network-Based, NextGen
• Whitelisting
Means of Protecting Against and Detecting Exploitation
Policy, Monitoring and Reporting
• Policy
• Formal definition of rules and procedures for all people accessing and using the computing environment
• Include topics such as Passwords, User Exit, Data Disposal, Equipment Disposal, Reporting, etc.
• Monitoring and Reporting
• Consider centrally monitoring the security state of the OT system through a Security Information and Event Management (SIEM) system
• Establish policies for regular reporting and auditing of the security environment
Guiding Principles and Demonstrably Showing Compliance
Incident Response (IR)
Response Process
Roles & Responsibilities
• Incident Response Manager: Oversees the team and directs their response actions
• Security Analyst (Triage & Forensic): Performs the work associated with the cyber incident
  • Triage – analyzes intrusion warnings, removes false positives
  • Forensic – captures and analyzes data related to the incident
• Threat Researchers: Provide threat analysis, threat research, and incident context
• Cross-Functional Support: Works with other organizations (e.g. IT, HR, Exec) to handle optics, etc.
IR Phases
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned
Business Continuity / Disaster Recovery
• Strategic - Business Continuity Planning
• The process to create a plan that defines how the business will continue to provide its services in case of a disaster.
• Tactical - Disaster Recovery
• Process to Recover the business activities after a disaster occurs.
• Validation - Test the Plans
• Teams should meet and exercise these plans
Two Sides of the Same Coin
BSP/SM/DR (Investor’s Business Daily, 2018)
Business Continuity / Disaster Recovery
Roadmaps for Planning, Recovery, Validation
Business Continuity Planning
• Determine Scope of the Plan
• Document Key Business Areas
• Identify Dependencies
• Determine Acceptable Downtime
• Recovery Plan for each Area or Function
Disaster Recovery
• Roles and Responsibilities
• Communications
• Equipment
• Preventative or Preparatory Activities
• Document Budget
Plan Validation
• Table Top Exercises
• Structured Walkthrough
• Disaster Simulation Testing
Training and User Education
• Establish an organization-wide training program
• Leverage online delivery to make it as practical as possible
• Roll out in phases
• Require annual refresher courses
• Require new employees to take as part of on-boarding process
• Training topics include
• Relevant Policies
• Awareness of malware tactics, e.g. Phishing emails
• Clearly define how to respond to suspicious activities
Educate and Motivate
Conclusions
Takeaways
• Security is NOT a destination but a journey
• Improving your Security Posture will be challenging and will require investment in time, dollars, and resources
• Do NOT attempt to boil the ocean, you will be overwhelmed and fail
• Look for continuous and incremental improvements
• Monitor, Audit, Measure, and Report on progress
• Cooperation is critical
• IT
• Vendors
Key Messages and Parting Thoughts
Takeaways
• Plan, Plan, Plan – Do not leave to chance
• It is critical to have a Business Continuity / Disaster Recovery Plan in place
• Use the provided strategic concepts to help you frame the discussion with your executives
• Need to bring budget implications along with the cost of keeping the status quo
• Educate and Motivate
• You are not alone and there are numerous standards and resources available to help!
Key Messages and Parting Thoughts
Moving Forward
• AVEVA is committed to keeping our customers secure.
• We will continue our focus on product Cybersecurity SDL, Tools, and Practices.
• We will continue to evolve our products with the latest technology to enable customers a secure experience with our product offerings.
Resources
Resources
• NIST Framework for Improving Critical Infrastructure Cybersecurity
• https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
• NIST 800-53 r4, Security Controls
• https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
• https://nvd.nist.gov/800-53/Rev4 (Online Version of Control Families, Very Helpful)
• NIST 800-61 r2, Computer Security Incident Handling Guide
• https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
• NIST 800-82 r2: Guide to Industrial Control Systems (ICS) Security
• https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
Resources
• NIST 800-184, Guide for Cybersecurity Event Recovery
• https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf
• NIST 800-30 r1, Guide for Conducting Risk Assessments
• https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
• GPO Resources
• https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines
• https://www.cisecurity.org/benchmark/microsoft_windows_server/
• Microsoft’s Threat Modeling Tool
• https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling
Resources
• CISCO-AVEVA-SE Oil and Gas Pipeline Security Reference Document
• https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/Oil_and_Gas/Pipeline/SecurityReference/Security-IRD/Security-IRD.html
• National Vulnerability Database (NVD) by NIST
• https://nvd.nist.gov/
• Common Vulnerabilities and Exposures (CVE)
• https://cve.mitre.org/
Resources
• SANS (Information Security Training and Resources)
• https://www.sans.org/
• Center for Internet Security (CIS)
• https://www.cisecurity.org/
• ICS-CERT
• https://ics-cert.us-cert.gov/
• OWASP (Open Web Application Security Project)
• https://owasp.org/
Resources
• NIS Directive
• https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive
• Standards
• IEC 62443, ISO 2700x, NERC, NIST
• From ICS-CERT: https://ics-cert.us-cert.gov/Standards-and-References
• FAIR (Factor Analysis of Information Risk)
• Value at Risk (VaR) Framework for cybersecurity and operational risk
• https://www.fairinstitute.org/
linkedin.com/company/aveva
@avevagroup
ABOUT AVEVA
AVEVA is a global leader in engineering and industrial software driving digital transformation across the entire asset and operational life cycle of capital-intensive industries.
The company’s engineering, planning and operations, asset performance, and monitoring and control solutions deliver proven results to over 16,000 customers across the globe. Its customers are supported by the largest industrial software ecosystem, including 4,200 partners and 5,700 certified developers. AVEVA is headquartered in Cambridge, UK, with over 4,400 employees at 80 locations in over 40 countries.
aveva.com
Presented By: Tom Gallagher, Head of Quality and Cybersecurity