
INDUSTRIAL CYBERSECURITY

ICS SHIELD INDUSTRIAL CYBER SECURITY

Elewa Ali

18th April 2019


Honeywell Confidential - © 2019 by Honeywell International Inc. All rights reserved.

High-level Challenges of IT-OT Integration


ICS/SCADA Complexity

• Multiple sites

• Multiple vendors requiring access to assets

• Multiple protocols on ICS network

• Multiple businesses

• Mix of legacy and proprietary equipment

• ICS security ownership is not clear

• OT/IT mindsets are very different

• Transition from plant-by-plant to plant-wide security practices

IT/OT Misalignment

• Cannot place experts at every site

• Manual processes don’t scale and only provide limited security

• Multiple security solutions partially utilized

Skilled Resources Shortfall and Budget Limitation


Honeywell ICS Shield

Industry Standard Platform for Secure Remote Access – 6000+ Installs


Top-down OT security management

• Automates top-down integrated approach for deployment and enforcement of plant-wide security policies

• Delivers unrivaled visibility, reliability and compliance for industrial plant operations

• Enables security of remote field assets from a single operations center

• Based on proven technology with over 6000 installs

Key Features:

• Secure remote access

• Secure file transfer

• Automated patch and AV updates

• Asset discovery

• Performance/health monitoring

• Compliance reporting


Grassroots-level OT Cyber Security Issues


Partial coverage of security essentials

• Multiple access points

• Partial data on assets & events

• No proper hardening

• No proper monitoring

• No proper governance

• No proper planning & accountability

Remote employees, control system vendors, 3rd party vendors, contractors


The Selected Approach for ICS OT Security Management

Define, automate and monitor security policies across disparate ICS/SCADA environments, providing increased visibility, reliability and compliance.

OT Security Managed

Secure what matters and do the essential things right, repeatedly

Centrally define plant-wide policies, then automate execution and monitoring

Focus on shielding endpoint industrial assets


ICS Shield Deployment


Virtual Security Engine

Distributed architecture and secure tunnel from plants to center

• Install SC at the data center

• Install VSEs at each plant

• Establish a secure tunnel, outbound, using port 443, TLS encrypted

• One FW rule to manage all remote connections


ICS Shield System Architecture


DISCOVER assets and devices

CONNECT secure remote access

PROTECT monitoring, patching, AV


Discover – The Starting Point For A Secure ICS


NIST Cybersecurity Framework

ID.AM-2: Software platforms and applications within the organization are inventoried.

End-to-end visibility into the ICS environment

• Passive and Active options

• Discovery down to L2

• Configuration collection

• Change monitoring

• Asset classification & tagging


Security Center Dashboard (as of Q1 2019)


Case Study 1 – Discovery And Inventory

Multi-National Conglomerate

• Active & passive discovery

• Down to level 2

• 30 plants a year

• >200 plants in plan

• >1000 field assets/plant

SOLUTION BENEFITS

Visibility of ICS network

Inventory control

Vulnerability snapshot


Connect – Expert To Asset, Fast And Secured


Improving remote access security

• Centralized authentication

• Granular privileges

• Accountability with full audit

• Real-time supervision and session termination

• Password Vault

• Files & Data transfer

Authentication, Authorization, and Accounting

Access Control (AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

Control system vendors, 3rd party vendors, contractors


Remote Access Flow: Fast And Secure Access Of Experts To Assets

PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access

1. 3rd party wants to access an asset

2. User is authenticated

3. SC asks CS to open a tunnel

4. VSE polls the CS for requests

5. Plant can approve/deny access, and thereafter supervise, record and terminate the remote session

6. Following a certificate-based handshake, a TLS-encrypted outbound tunnel is established

7. Following approval, the session is initiated with granular privilege

Supported protocols:

• RDP

• VNC

• Telnet

• SSH

• HTTP/HTTPS

Vendor-Based:

• Simatic

• RSLinx/Logix

• Centum

• and all TCP & UDP based protocols …
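
An added example, not part of the original slides and not ICS Shield code: a small Python check that replays a remote-access audit trail against the seven-step flow above and flags sessions that started without plant approval, or over a tunnel that was not outbound on port 443. The event names, record layout and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Steps 1-6 of the flow, which must all precede step 7 (session start), in order.
# Event names are hypothetical labels for this example, not a product log schema.
REQUIRED = ["access_requested", "user_authenticated", "tunnel_requested",
            "vse_polled", "plant_approved", "tunnel_established"]

def audit(events):
    """events: iterable of (time, session_id, event, detail).
    Returns {session_id: [problems]} for sessions that violate the flow."""
    sessions = defaultdict(list)
    for ev in sorted(events):              # order by time, then group per session
        sessions[ev[1]].append(ev)
    findings = {}
    for sid, evs in sessions.items():
        names = [e[2] for e in evs]
        problems = []
        if "session_started" in names:
            before = names[:names.index("session_started")]
            pos = 0
            for step in REQUIRED:          # each step must appear after the previous one
                if step in before[pos:]:
                    pos = before.index(step, pos) + 1
                else:
                    problems.append(f"{step} missing or out of order")
            if "plant_denied" in before:
                problems.append("session started after plant denial")
        for _, _, name, detail in evs:     # the tunnel must be plant-initiated on 443
            if name == "tunnel_established" and detail != "outbound:443":
                problems.append(f"tunnel not outbound on 443 ({detail})")
        if problems:
            findings[sid] = problems
    return findings

def _flow(sid, names, tunnel="outbound:443"):
    # Build constructed sample events with increasing timestamps.
    return [(i, sid, n, tunnel if n == "tunnel_established" else "")
            for i, n in enumerate(names)]

# Constructed sample audit trail (not real log data).
SAMPLE = (
    _flow("A", REQUIRED + ["session_started", "session_terminated"])   # compliant
    + _flow("B", [n for n in REQUIRED if n != "plant_approved"] + ["session_started"])
    + _flow("C", REQUIRED[:4] + ["plant_denied"])                      # denied, no session
    + _flow("D", REQUIRED + ["session_started"], tunnel="inbound:3389")
)

if __name__ == "__main__":
    for sid, problems in audit(SAMPLE).items():
        print(sid, problems)
```
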


Remote Access – Security Policy


Remote Access – Site Operator View


Case Study 2 – Secure Remote Access

Global Pulp & Paper Enterprise

• 150 plants

• 400-1000 field assets/plant

• 60 vendors

• 1500 routine users

SOLUTION BENEFITS

60 → 1 remote access entry

Reduced risk to ICS network

Reduce TTR


Case Study 3 – Secure Remote Access

Global Chemical & Plastics Producer

• 130 plants

• 500-1200 field assets/plant

• ~80 vendors and 3rd party

• 25,000 users

SOLUTION BENEFITS

~80 → 1 remote access entry point

30% operational savings

Increased compliance


Protect – Automate Plant-wide Security Policy

• Minimize manual effort and human mistakes

• Improve security and compliance by standardizing on plant-wide policy

Information Protection Processes and Procedures (PR.IP): Security policies, processes, and procedures are maintained and used to manage protection of information systems and assets.

1. Create a policy

2. Distribute

3. Enforce

4. Send data

5. Analyze and make decision

6. Refine policy

Control system vendors, 3rd party vendors, contractors


Site Compliance Report

IP Address

Device Custodian

Device criticality

AV up to date?

AV installed?

AV running?

Successful backup?

Data collection complete?

SIEM integration healthy?

OS patches current?

OS supported?


Case Study 4 – Security Essentials Coverage

Global Tier-1 Oil & Gas Enterprise

• 30 upstream & downstream plants

• More plants are pending

• Outsourcing Operations

• 2500 users

• Shielding 400-1600 field assets/plant

SOLUTION BENEFITS

Drove annual cost savings

Reduced risk to ICS network

Increased compliance

Asset Inventory

• Semi-Automated Collection of PCD Assets and Asset Information

Process Control Domain (PCD) Access

• Standardised Remote Access on a Single Platform

Maturity Reporting

• Centralised, Automated Maturity & Compliance Reporting

Patch Management

• Automate QPL Synchronisation and Standardized, Automated Patching

Anti-Virus Management

• Automated Update of Approved AV Signature Files

Log Collection

• Leverages Group Standard SIEM for Global Awareness


Enjoy The Upside Of Connected Plants & Minimize Risk

Summary

• Assess your level of industrial cyber security maturity

• Manage cyber security as a program

• Solve the immediate challenges with clear ROI

• Ensure value for central IT as well as plant people

• Focus on the essentials

• Choose the right experienced partner

• Consider outsourcing planning, implementation and management


Thank You!
