ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers Covet and WMI Cannot See


Upload: energysec

Post on 18-Jan-2017


TRANSCRIPT

Page 1: ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers Covet and WMI Cannot See

How to Protect the Proprietary Cyber Assets That Hackers Covet and WMI Cannot See

David Zahn
CMO, GM of Cybersecurity Business Unit

[email protected]

Page 2

Agenda
• A Simple Test
• Challenges With Taking Stock
• Inventory Done Right

© PAS - Confidential and Proprietary 2015 | 2

Page 3

A Simple Test

Page 4

Impact Of This ICS-CERT Vulnerability to the Enterprise?

• HART DTM Vulnerability
• Honeywell Temperature Sending Unit
• Impact
  – Cease operations until restarted

Page 5

Detect An Inadvertent Engineering Change?

• Safety instrumented system (Triconex) configuration change
• Bypass condition masked from operator

Page 6

Identify the Next Successful Malicious Attack?

Anatomy of Stuxnet Attack

Siemens S7:
• Memory Block DB890
• AWL File

Page 7

You Cannot Secure What You Cannot See

Page 8

Challenges with Taking Stock

Page 9

Hidden Cyber Assets Create Risk: A Case Study

20% / 80%

Network
• Heterogeneous, but common protocols
• IP addressable
• Agent friendly
• Inventory in plain sight

Proprietary
• Heterogeneous, proprietary systems
• Complex architecture
• No agents
• “Hidden” inventory
• I/O cards, firmware, installed software, configuration & more

Case Study
PAS inventory engagement to feed vulnerability assessment

Challenge
Inventorying, monitoring, and gaining full compliance on cyber assets

Page 10

Inventory Done Right

Page 11

Inventory In Depth (a sample data set)

Information Technology

Windows
• Ports & services
• User accounts
• Anti-virus
• Events
• OS information
• HW information (HD, memory, etc.)

Network
• Global switch settings
• Interface definitions
• VLANs
• Routing tables
• Firewall objects

Operational Technology

DCS
• IO Cards
• Controllers
• Com Modules
• Operator Stations
• Application Stations
• Wireless IO Modules
• Control Level Firewall
• Applications

PLC / Vibration Monitoring
• IO Cards
• Controllers
• Com Modules
• 3rd Party Module
• Applications

SCADA / Historian / APC
• Operator Stations
• Application Stations
• Applications

Instrumentation
• Wireless Devices
• HART Devices
• Foundation Fieldbus Devices
• Profibus Devices

SIS / Turbine Control
• IO Cards
• Controllers
• Com Modules
• Applications

Malicious attack (Stuxnet) | ICS-CERT Vulnerability | Inadvertent Engineering Change

Page 12

Not All Inventory Is Created Equal

Networked IT | Networked Proprietary | Islanded

Page 13

Inventory Options

Manual
• Pros
  – Flexible
• Cons
  – Training time
  – Labor cost
  – Error prone
  – Stale data

ICS Vendor Supplied Tool
• Pros
  – Vendor specific
  – Purpose-built
• Cons
  – Multiple formats
  – Varying capabilities
  – Different terminology
  – Data silos

Centralized and Automated
• Pros
  – Accuracy
  – Evergreen inventory
  – Common data format
  – Efficiency
  – New device detection
• Cons
  – Business process changes

Page 14

Good ICS Inventory = Good Compliance

OT + IT Inventory
• CIP-002: Inventory & review…
• CIP-007: Ports, services, patching…
• CIP-008: Incident response, testing, review…
• CIP-009: Disaster recovery, testing, review…
• CIP-010: Change & configuration management…
• And more....

Page 15

ICS Cybersecurity Best Practices

Requirements
• Automated OT & IT inventory
• Configuration change monitoring & alerts
• Patch management
• Closed-loop workflows
• Backup & recovery

Benefits
• Increases internal & regulatory compliance
• Reduces compliance effort
• Supports all major control systems
• Hardens control system security
• Speeds recovery from downtime

Automation Systems

Single Repository

Page 16

Who We Are

Background
• Founded in 1993 with headquarters in Houston, Texas
• Offices in North America, Europe, Middle East, Africa, Asia, and Australia
• Serving Power, Oil & Gas, and Processing industries globally

Industry Leadership
• First-to-market solutions in ICS Cybersecurity, Alarm Management, and HP HMI
• Honeywell, INTECH, Intergraph, Invensys, and NovaTech ecosystem
• AICHE, EEMUA 191, EPRI, ISA, NERC CIP, NIST, NPRA, and OSHA standards
• 20% annual R&D reinvestment

By The Numbers
• 400+ customers
• 1,046 plant sites
• 8,749 licenses
• 20,560 automation assets managed
• 40,000+ users

Page 17

Thank You

David Zahn
CMO, GM of Cybersecurity Business Unit

[email protected]