INDUSTRIAL
CYBERSECURITY
ICS SHIELD INDUSTRIAL CYBER SECURITY
Elewa Ali
18th April 2019
Honeywell Confidential - © 2019 by Honeywell International Inc. All rights reserved.
High-level Challenges of IT-OT Integration
2
ICS/SCADA Complexity
• Multiple sites
• Multiple vendors requiring access to assets
• Multiple protocols on ICS network
• Multiple businesses
• Mix of legacy and proprietary equipment
IT/OT Misalignment
• ICS security ownership is not clear
• OT/IT mindsets are very different
• Transition from plant-by-plant to plant-wide security practices
Skilled Resources Shortfall and Budget Limitation
• Cannot place experts at every site
• Manual processes don’t scale and only provide limited security
• Multiple security solutions partially utilized
Honeywell ICS Shield
Industry Standard Platform for Secure Remote Access – 6000+ Installs
3
Top-down OT security management
• Automates top-down integrated approach for deployment and enforcement of plant-wide security policies
• Delivers unrivaled visibility, reliability and compliance for industrial plant operations
• Enables security of remote field assets from a single operations center
• Based on proven technology with over 6000 installs
Key Features:
• Secure remote access
• Secure file transfer
• Automated patch and AV updates
• Asset discovery
• Performance/health monitoring
• Compliance reporting
Grassroots-level OT Cyber Security Issues
4
Partial coverage of security essentials
• Multiple access points
• Partial data on assets & events
• No proper hardening
• No proper monitoring
• No proper governance
• No proper planning & accountability
Remote employees, control system vendors, 3rd party vendors, contractors
The Selected Approach for ICS OT Security Management
Define, automate and monitor security policies across disparate ICS/SCADA environments, providing increased visibility, reliability and compliance.
OT Security Managed
Secure what matters and do the essential things right, repeatedly
Centrally define plant-wide policies, then automate execution and monitoring
Focus on shielding endpoint industrial assets
5
ICS Shield Deployment
6
Virtual Security Engine
Distributed architecture and secure tunnel from plants to center
• Install SC at the data center
• Install VSEs at each plant
• Establish a secure tunnel, outbound, using port 443, TLS encrypted
• One FW rule to manage all remote connections
ICS Shield System Architecture
7
DISCOVER assets and devices
CONNECT secure remote access
PROTECT monitoring, patching, AV
Discover – The Starting Point For A Secure ICS
8
NIST Cybersecurity Framework
ID.AM-2: Software platforms and applications within the organization are inventoried.
End-to-end visibility into the ICS environment
• Passive and Active options
• Discovery down to L2
• Configuration collection
• Change monitoring
• Asset classification & tagging
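The two discovery features that turn an inventory into a security control are change monitoring and classification. The block below is an added illustration written for this page, not ICS Shield code: it diffs two collected configuration snapshots of one site, flags the changes an operator should review, and tags each asset with simple rules. The snapshot format, the field names, the tagging rules (service names mapped to a Purdue level) and the sample records are all assumptions constructed for the example.

```python
from typing import Any, Dict, List

# Constructed sample: two collections of the same site, a week apart (format assumed).
BASELINE_SNAPSHOT: Dict[str, Dict[str, Any]] = {
    "10.1.1.10": {"hostname": "eng-ws-01", "os": "Windows Server 2016",
                  "services": ["rdp", "smb"], "last_seen": "2019-04-11"},
    "10.1.2.5": {"hostname": "plc-01", "vendor": "Siemens", "firmware": "4.2.1",
                 "services": ["s7comm"], "last_seen": "2019-04-11"},
    "10.1.2.7": {"hostname": "plc-02", "vendor": "Siemens", "firmware": "4.2.1",
                 "services": ["s7comm"], "last_seen": "2019-04-11"},
}
CURRENT_SNAPSHOT: Dict[str, Dict[str, Any]] = {
    "10.1.1.10": {"hostname": "eng-ws-01", "os": "Windows Server 2016",
                  "services": ["rdp", "smb", "telnet"], "last_seen": "2019-04-18"},
    "10.1.2.5": {"hostname": "plc-01", "vendor": "Siemens", "firmware": "4.3.0",
                 "services": ["s7comm"], "last_seen": "2019-04-18"},
    "10.1.2.9": {"hostname": "hmi-02", "os": "Windows 7", "services": ["vnc"],
                 "last_seen": "2019-04-18"},
}

# Fields whose change is security-relevant; other fields (e.g. last_seen) just churn.
REVIEW_FIELDS = {"firmware", "services", "os"}
# Tagging rules are deliberately simple heuristics (assumed), not a vendor's classifier.
CONTROL_PROTOCOLS = {"s7comm", "modbus", "enip", "cip"}
REMOTE_ACCESS_SERVICES = {"rdp", "vnc", "telnet", "ssh"}


def diff_snapshots(baseline: Dict[str, dict], current: Dict[str, dict]) -> List[dict]:
    """Change monitoring: every added, removed or modified asset field between two collections."""
    changes = []
    for ip in sorted(set(baseline) | set(current)):
        if ip not in baseline:
            changes.append({"ip": ip, "change": "added", "field": None,
                            "old": None, "new": current[ip]})
        elif ip not in current:
            changes.append({"ip": ip, "change": "removed", "field": None,
                            "old": baseline[ip], "new": None})
        else:
            old, new = baseline[ip], current[ip]
            for fld in sorted(set(old) | set(new)):
                if old.get(fld) != new.get(fld):
                    changes.append({"ip": ip, "change": "modified", "field": fld,
                                    "old": old.get(fld), "new": new.get(fld)})
    return changes


def needs_review(change: dict) -> bool:
    """New or vanished assets always need a look; modifications only on sensitive fields."""
    return change["change"] != "modified" or change["field"] in REVIEW_FIELDS


def classify(record: dict) -> set:
    """Asset classification & tagging from the collected record."""
    tags = set()
    services = set(record.get("services", []))
    if services & CONTROL_PROTOCOLS:
        tags.add("level-1-controller")
    if str(record.get("os", "")).startswith("Windows"):
        tags.add("level-2-windows-host")
    if services & REMOTE_ACCESS_SERVICES:
        tags.add("remote-access-listener")
    if record.get("vendor"):
        tags.add("vendor:" + record["vendor"].lower())
    return tags


def inventory_tags(snapshot: Dict[str, dict]) -> Dict[str, set]:
    return {ip: classify(rec) for ip, rec in snapshot.items()}


if __name__ == "__main__":
    for c in diff_snapshots(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT):
        flag = "REVIEW" if needs_review(c) else "info  "
        print(f'{flag} {c["ip"]:<10} {c["change"]:<9} {c["field"]}: {c["old"]} -> {c["new"]}')
    for ip, tags in inventory_tags(CURRENT_SNAPSHOT).items():
        print(ip, sorted(tags))
```

Run as a script it lists the six field-level changes between the two constructed snapshots, four of which are marked for review (a new Telnet listener on the engineering workstation, a PLC firmware change, one PLC gone, one HMI appeared), and then prints the tag set per asset.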
Security Center Dashboard (as of Q1 2019)
9
10
Case Study 1 – Discovery And Inventory
Multi-National Conglomerate
• Active & passive discovery
• Down to level 2
• 30 plants a year
• >200 plants in plan
• >1000 field assets/plant
SOLUTION BENEFITS
• Visibility of ICS network
• Inventory control
• Vulnerability snapshot
Connect – Expert To Asset, Fast And Secured
11
Improving remote access security
• Centralized authentication
• Granular privileges
• Accountability with full audit
• Real-time supervision and session termination
• Password Vault
• Files & Data transfer
Authentication, Authorization, and Accounting
Access Control (AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
Control system vendors, 3rd party vendors, contractors
Remote Access Flow: Fast And Secure Access Of Experts To Assets
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
1. A 3rd party wants to access an asset
2. User is authenticated
3. SC asks CS to open a tunnel
4. VSE polls the CS for requests
5. Plant can approve/deny access, and thereafter supervise, record and terminate the remote session
6. Following a certificate-based handshake, a TLS-encrypted outbound tunnel is established
7. Following approval, the session is initiated with granular privilege
Supported protocols:
• RDP
• VNC
• Telnet
• SSH
• HTTP/HTTPS
Vendor-Based:
• Simatic
• RSLinx/Logix
• Centum
• and all TCP & UDP based protocols …
12
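The deployment slide (VSE at each plant, one outbound TLS tunnel on 443, one firewall rule) and the seven-step flow above describe one pattern: the plant side only ever connects outward, the centre queues requests until the plant comes to fetch them, the site operator approves and can terminate, and every step is logged. The following block is an added model of that pattern written for this page; it is not ICS Shield code. The class names, the protocol allow-list, the boolean standing in for the certificate handshake, the audit strings and the credentials are all constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    REQUESTED = "requested"          # steps 1-3: authenticated, tunnel requested
    PENDING_APPROVAL = "pending"     # steps 4 and 6: VSE fetched it, tunnel is up
    ACTIVE = "active"                # step 7: session running with granular privilege
    DENIED = "denied"
    TERMINATED = "terminated"


@dataclass
class SessionRequest:
    request_id: int
    user: str
    plant: str
    asset: str
    protocol: str
    privilege: str                   # e.g. "view-only"; privilege labels are assumed
    state: State = State.REQUESTED
    audit: List[str] = field(default_factory=list)

    def log(self, event: str) -> None:
        self.audit.append(f"[{self.state.value}] {event}")


class SecurityCenter:
    """Central side (SC/CS in the slide's terms): authenticates users and queues
    tunnel requests per plant. It never connects into the plant; the VSE comes to it."""

    def __init__(self, users: Dict[str, str], allowed_protocols=None):
        self._users = users                          # user -> password, constructed sample
        self._allowed = {p.upper() for p in (allowed_protocols or
                         ["RDP", "VNC", "Telnet", "SSH", "HTTP", "HTTPS"])}
        self._queue: Dict[str, List[SessionRequest]] = {}
        self._next_id = 1

    def request_access(self, user, password, plant, asset, protocol, privilege):
        # Step 2: centralised authentication; step 3: queue the tunnel request
        if self._users.get(user) != password or protocol.upper() not in self._allowed:
            return None
        req = SessionRequest(self._next_id, user, plant, asset, protocol.upper(), privilege)
        self._next_id += 1
        req.log(f"user {user} authenticated, tunnel to {asset} requested")
        self._queue.setdefault(plant, []).append(req)
        return req

    def poll(self, plant: str) -> List[SessionRequest]:
        """Step 4: answered only to a VSE that connected outbound from `plant`."""
        return self._queue.pop(plant, [])


class VirtualSecurityEngine:
    """Plant side: polls outward, hands requests to the site operator, owns the session."""

    def __init__(self, plant: str, center: SecurityCenter, handshake_ok: bool = True):
        self.plant, self.center = plant, center
        self.handshake_ok = handshake_ok             # result of the certificate check (assumed)
        self.pending: List[SessionRequest] = []
        self.active: Dict[int, SessionRequest] = {}

    def poll(self) -> List[SessionRequest]:
        for req in self.center.poll(self.plant):
            if not self.handshake_ok:                # step 6 precondition
                req.state = State.DENIED
                req.log("certificate handshake failed, no tunnel established")
                continue
            req.state = State.PENDING_APPROVAL
            req.log("outbound TLS tunnel established on 443, awaiting site approval")
            self.pending.append(req)
        return list(self.pending)

    def operator_decision(self, request_id: int, approve: bool) -> SessionRequest:
        # Step 5: the plant approves or denies; step 7: an approved session starts
        req = next(r for r in self.pending if r.request_id == request_id)
        self.pending.remove(req)
        if approve:
            req.state = State.ACTIVE
            req.log(f"session to {req.asset} started with privilege={req.privilege}")
            self.active[req.request_id] = req
        else:
            req.state = State.DENIED
            req.log("denied by site operator")
        return req

    def terminate(self, request_id: int, reason: str) -> SessionRequest:
        # Supervision: the plant can end a session at any time (step 5)
        req = self.active.pop(request_id)
        req.state = State.TERMINATED
        req.log(f"session terminated: {reason}")
        return req


def run_demo() -> SessionRequest:
    """Walks one request through the seven steps and returns it with its audit trail."""
    sc = SecurityCenter({"vendor.alice": "correct-horse"})      # constructed credential
    vse = VirtualSecurityEngine("plant-a", sc)
    req = sc.request_access("vendor.alice", "correct-horse", "plant-a", "plc-01", "rdp", "view-only")
    vse.poll()
    vse.operator_decision(req.request_id, approve=True)
    return vse.terminate(req.request_id, "maintenance window closed")


if __name__ == "__main__":
    for line in run_demo().audit:
        print(line)
```

The point the model makes explicit is the direction of initiative: `SecurityCenter.poll` is only ever called by the plant's engine, so a single outbound-443 firewall rule is all the perimeter needs, and the request cannot leave `PENDING_APPROVAL` without a decision taken at the site.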
Remote Access – Security Policy
13
Remote Access – Site Operator View
14
15
Case Study 2 – Secure Remote Access
Global Pulp & Paper Enterprise
• 150 plants
• 400-1000 field assets/plant
• 60 vendors
• 1500 routine users
SOLUTION BENEFITS
• 60 → 1 remote access entry point
• Reduced risk to ICS network
• Reduced TTR
16
Case Study 3 – Secure Remote Access
Global Chemical & Plastics Producer
• 130 plants
• 500-1200 field assets/plant
• ~80 vendors and 3rd party
• 25,000 users
SOLUTION BENEFITS
• ~80 → 1 remote access entry point
• 30% operational savings
• Increased compliance
17
Protect – Automate Plant-wide Security Policy
• Minimize manual effort and human mistakes
• Improve security and compliance by standardizing on plant-wide policy
Information Protection Processes and Procedures (PR.IP): Security policies, processes, and procedures are maintained and used to manage protection of information systems and assets.
1. Create a policy
2. Distribute
3. Enforce
4. Send data
5. Analyze and make decision
6. Refine policy
Control system vendors, 3rd party vendors, contractors
Site Compliance Report
18
Report columns:
• IP Address
• Device Custodian
• Device criticality
• AV up to date?
• AV installed?
• AV running?
• Successful backup?
• Data collection complete?
• SIEM integration healthy?
• OS patches current?
• OS supported?
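The policy cycle on the previous slide (create, distribute, enforce, send data, analyze, refine) ends in the report above. The block below is an added example written for this page, not ICS Shield code, showing what the "analyze" step looks like when the policy is data: one centrally defined set of thresholds is evaluated over the records each plant sends back, producing the per-asset yes/no columns of the slide and an ordering that puts non-compliant, high-criticality assets first. The threshold values, the record field names, the report date and the three sample assets are all constructed assumptions; the thresholds are what the "refine policy" step would tune.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Step 1 of the cycle: one plant-wide policy, defined centrally (thresholds assumed).
POLICY = {
    "av_signature_max_age_days": 7,
    "backup_max_age_days": 30,
    "patch_max_age_days": 90,
    "supported_os": {"Windows 10", "Windows Server 2016", "Windows Server 2019"},
}
REPORT_DATE = date(2019, 4, 18)          # constructed "today" for the sample records
CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class AssetRecord:
    """Step 4: what the plant-side collector sends back (field names assumed)."""
    ip: str
    custodian: str
    criticality: str
    os: str
    av_installed: bool
    av_running: bool
    av_signature_date: Optional[date]
    last_backup: Optional[date]
    last_patch: Optional[date]
    collection_complete: bool
    siem_forwarding: bool


def _fresh(d: Optional[date], max_days: int, today: date) -> bool:
    """True when the dated event happened and is no older than max_days."""
    return d is not None and 0 <= (today - d).days <= max_days


def evaluate(a: AssetRecord, policy=POLICY, today=REPORT_DATE) -> Dict[str, bool]:
    """Step 5: one row of the compliance report, keyed by the slide's column names."""
    return {
        "AV installed?": a.av_installed,
        "AV running?": a.av_installed and a.av_running,
        "AV up to date?": a.av_installed
        and _fresh(a.av_signature_date, policy["av_signature_max_age_days"], today),
        "Successful backup?": _fresh(a.last_backup, policy["backup_max_age_days"], today),
        "Data collection complete?": a.collection_complete,
        "SIEM integration healthy?": a.siem_forwarding,
        "OS patches current?": _fresh(a.last_patch, policy["patch_max_age_days"], today),
        "OS supported?": a.os in policy["supported_os"],
    }


def failures(a: AssetRecord, policy=POLICY, today=REPORT_DATE) -> List[str]:
    return [name for name, ok in evaluate(a, policy, today).items() if not ok]


def site_report(assets, policy=POLICY, today=REPORT_DATE) -> List[dict]:
    """Rows sorted so that non-compliant, high-criticality, most-failing assets come first."""
    rows = []
    for a in assets:
        f = failures(a, policy, today)
        rows.append({"ip": a.ip, "custodian": a.custodian,
                     "criticality": a.criticality, "failed": f, "compliant": not f})
    rows.sort(key=lambda r: (r["compliant"], CRITICALITY_RANK[r["criticality"]], -len(r["failed"])))
    return rows


def compliance_percent(rows) -> int:
    return round(100 * sum(r["compliant"] for r in rows) / len(rows)) if rows else 0


# Constructed sample collection for one site.
SAMPLE_ASSETS = [
    AssetRecord("10.1.1.10", "ops-team-a", "high", "Windows Server 2016", True, True,
                date(2019, 4, 16), date(2019, 4, 1), date(2019, 3, 20), True, True),
    AssetRecord("10.1.1.11", "ops-team-a", "high", "Windows 7", True, False,
                date(2019, 3, 1), None, date(2018, 11, 1), True, False),
    AssetRecord("10.1.1.12", "vendor-x", "low", "Windows 10", False, False,
                None, date(2019, 4, 10), date(2019, 4, 1), False, True),
]

if __name__ == "__main__":
    report = site_report(SAMPLE_ASSETS)
    for row in report:
        status = "OK" if row["compliant"] else "FAIL: " + ", ".join(row["failed"])
        print(f'{row["ip"]:<12} {row["criticality"]:<7} {status}')
    print(f"site compliance: {compliance_percent(report)}%")
```

Note that the AV checks are chained: an asset with no AV installed fails "AV running?" and "AV up to date?" as well, so a missing agent is never reported as a merely stale signature.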
19
Case Study 4 – Security Essentials Coverage
Global Tier-1 Oil & Gas Enterprise
• 30 upstream & downstream plants
• More plants are pending
• Outsourcing Operations
• 2500 users
• Shielding 400-1600 field assets/plant
SOLUTION BENEFITS
• Drove annual cost savings
• Reduced risk to ICS network
• Increased compliance
Asset Inventory
• Semi-Automated Collection of PCD Assets and Asset Information
Process Control Domain (PCD) Access
• Standardised Remote Access on a Single Platform
Maturity Reporting
• Centralised, Automated Maturity & Compliance Reporting
Patch Management
• Automate QPL Synchronisation and Standardized, Automated Patching
Anti-Virus Management
• Automated Update of Approved AV Signature Files
Log Collection
• Leverages Group Standard SIEM for Global Awareness
Enjoy The Upside Of Connected Plants & Minimize Risk
Summary
• Assess your level of industrial cyber security maturity
• Manage cyber security as a program
• Solve the immediate challenges with clear ROI
• Ensure value for central IT as well as plant people
• Focus on the essentials
• Choose the right experienced partner
• Consider outsourcing planning, implementation and management
20
Thank You!
21