TRANSCRIPT
Slide 1
GEN-14: Cyber Security Solutions for Less Regulated Industries
Douglas Clifton, Tim Johnson, Michael Martinez
http://twitter.com/cybercompliant | #SoftwareRevolution
http://www.youtube.com/watch?v=SYzKhmWUDrM
http://invensyscybersecurity.blogspot.com/
© 2013 Invensys. All Rights Reserved. The names, logos, and taglines identifying the products and services of Invensys are proprietary marks of Invensys or its subsidiaries.All third party trademarks and service marks are the proprietary marks of their respective owners.
Agenda
1. Cyber Security Compliance
2. Technology
3. Invensys Critical Infrastructure & Security Practice (CISP)
Slide 3
Cyber Security Compliance
Michael Martinez
What is Cyber Security?
Slide 5
Cyber Security Compliance
Why do it?
• Increase safety
• Protect intellectual property
• Reduce down time
• Industry or internal policy
• It could be the law
How to do it?
• Leverage product security features
• Augment with cyber security knowledge and solutions
• Repeat
Slide 6
It’s all about compliance…
Regulatory requirements
Customer requirements built on customer expectations
Customer compliance
Slide 7
Development
Product security standards
Cyber security solutions
Regulatory requirements
Product v. Client Compliance
Invensys Product Development Concerns
• ISASecure™
• Achilles™
• WIB
• MS SDL
• Etc.
Customer Concerns
• NERC CIP
• NEI 08-09
• ISA 99
• NIST SP 800-82
• ISO/IEC 15408
• 6 CFR 27 (CFATS)
• ANSI/AWWA G430
• 49 CFR 195
• API 1164
Invensys fills the GAP between product offering and client compliance needs.
Slide 8
February 12, 2013 Executive Order: Improving Critical Infrastructure Cyber Security
Sec. 6. Consultative Process – calls for DHS to work with existing Sector Coordinating Councils (SCC) or the transportation sector in the case of pipelines
Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure – calls for NIST to establish a “Cybersecurity Framework” within approximately 1 year of the order (Feb 12, 2013)
Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program – temporary
Sec. 9. Identification of Critical Infrastructure at Greatest Risk – within 150 days of the order these assets shall be identified
Sec. 10. Adoption of Framework – within 90 days of the final framework, the existing sectors must report on their ability to comply with the framework, with special attention to Sec. 9 assets
If they do not/cannot comply, then other agencies must step in to define mitigating actions.
Slide 9
U.S. Critical Infrastructure
Chemical Sector
Commercial Facilities Sector
Communications Sector
Emergency Services Sector
Energy Sector
Financial Services Sector
Information Technology Sector
Nuclear Reactors, Materials, and Waste Sector
Transportation Systems Sector
Slide 10
Critical Manufacturing Sector
Dams Sector
Defense Industrial Base Sector
Food and Agriculture Sector
Government Facilities Sector
Healthcare and Public Health Sector
Water and Wastewater Systems Sector
NIST Framework Update
February 12, 2013 Executive Order
Executive Order 13636 – Improving Critical Infrastructure Cyber Security
September 11-13, 2013 Fourth Cyber Security Framework Workshop
Draft Compendium of Informative References
Review of over 320 National and International Standards, Guidelines, Directives, Best Practices, Models, Specifications, Policies, and Regulations, including input from:
Slide 11
• ANSI
• ISA
• NERC
• API
• ISO
• IEC
• NEI
• NIST
• NFPA
• OIG
• OLF
• OPC
• SANS
• TIA
Discussion Draft of the Preliminary Cybersecurity Framework, August 28, 2013
The framework complements, and does not replace, an organization’s existing business or cyber security risk management process and cyber security program. Rather, the organization can use its current processes and leverage the framework to identify opportunities to improve an organization’s cyber security risk management. Alternatively, an organization without an existing cyber security program can use the framework as a reference when establishing one.
Key Concepts
• Framework Core
• Framework Implementation Tiers
• Framework Profile
NIST Framework Concepts
Slide 12
Core Tier Profile
Slide 13
Core
Functions
Categories
Subcategories
Informative Reference
Tier
0 - Partial
1 - Risk Informed
2 - Repeatable
3 - Adaptive
Profile
Establish a Roadmap
Discussion Draft of the Preliminary Cybersecurity Framework, August 28, 2013
Framework Core: Function, Category, Subcategory, Informative Reference(s)
IDENTIFY
PROTECT
DETECT
RESPOND
Slide 14
RECOVER
Discussion Draft of the Preliminary Cybersecurity Framework, August 28, 2013
Invensys provides a full lifecycle Cyber Security Methodology, NOT a product-centric point solution like many IT-based security companies do.
Point solutions such as anti-virus software or firewalls on their own fall short and miss the security target.
The integration of sound cyber security best practices that encompass best-in-class COTS products provides and enables a complete and holistic cyber security compliance solution that hits the target.
Products + Consulting = Compliance
Slide 15
Technology
Tim Johnson
Impact of Cyber Security to Business
• ICS-CERT responded to and investigated 198 cyber incidents (compared to 130 in 2011)
• The Energy sector was the most targeted industry in 2012, accounting for 41% of events
• The Water sector was the second most targeted industry in 2012, accounting for 15% of events
• The cyber security response team helped with incident responses for 23 oil/natural gas sector events
• Chemical organizations reported 7 incidents to ICS-CERT
• The Nuclear sector reported 6 incidents to ICS-CERT
Slide 17
• 90% of companies suffered a cyber attack in the past 12 months
• Some suffered multiple
• Of all the attacks reported, 41% claimed at least half a million U.S. dollars ($500,000) in damages
• Others reported they were unable to determine their immediate losses.
ePolicy Orchestrator (ePO)
Anti Malware
Host Intrusion Detection (HIDS)
Data Loss Prevention (DLP)
Active Directory (A/D)
Hardened OS
Whitelisting
Backup Exec System Recovery (BESR)
Invensys Recommended Industrial Control System Security Features
Slide 18
Standards organizations like those in the image below help companies develop effective cyber security strategies. While these organizations have different approaches, they all have a common element—to establish a “best practice” approach to cyber security.
Cyber Security Best Practices
Slide 19
Control System Enhancements
Sample Control Systems
• MS Active Directory
• McAfee Suite ePO, AV, DLP, Whitelisting
• Symantec BESR
• Product level patching
• No Fixed Root User
• Hardened OS
• Etc.
Consulting Services
All Process Systems
• Security Best Practices
• Access Control / AD Workshop
• Technology Workshop
• Disaster Recovery Planning
• System Security Management Controls
• Patch Management (entire site)
AND
Cyber Security in Industry
Slide 20
Invensys Industrial Control System Security Features
ePolicy Orchestrator (ePO)
ePolicy Orchestrator (ePO) is a unifying security management open platform by McAfee. ePO makes risk and compliance management simpler, enabling clients to connect security solutions to their enterprise infrastructure to increase visibility, gain efficiencies, and strengthen protection.
Anti-Malware
Virus scans prevent, detect, and remove malware, including but not limited to system viruses, computer viruses, computer worms, Trojan horses, spyware, and adware.
Host Intrusion Detection System (HIDS)
Host Intrusion Detection System (HIDS) monitors and analyzes the internals of a computing system. A host-based IDS monitors all or parts of the dynamic behavior and the state of a computer system.
Slide 21
Invensys Industrial Control System Security Features
Data Loss Prevention (DLP)
Data Loss Prevention (DLP) systems enable organizations to reduce the corporate risk of the unintentional disclosure of confidential information.
Active Directory (A/D)
Active Directory (A/D) provides a central location for network administration and security. It authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software.
Hardened OS
Factory hardening is a procedure that updates patches and anti-virus software and disables unused ports and services. System hardening is necessary because default operating system installations focus more on ease of use rather than security.
Slide 22
Invensys Industrial Control System Security Features
Whitelisting
Whitelisting is the opposite of Blacklisting. Whitelists contain only those programs you wish to grant access to, as opposed to those you do not. This makes Whitelisting a lot less labor intensive, since you only have to keep up with the applications you know about.
Backup Exec System Recovery (BESR)
Centrally manage backup and recovery tasks for multiple desktops across the network. Schedule backups to run automatically, including event-triggered backups, without disrupting network usage.
Slide 23
The CTM Module is a unique offering from the Invensys Cyber Security team.
• Combination of “Best-in-Class” firewall plus Invensys’ in-depth industry and cyber security knowledge
• Focuses on the Water, Power, Oil/Gas Pipeline, and Manufacturing industries
• Comes with Invensys’ pre-configured rule sets for each focus industry
• Each CTM is pre-bundled to ensure fast turnaround
Cyber Threat Management (CTM) Module
Slide 24
Cyber Threat Management Module
All pre-bundled as part of the Invensys CTM
FortiWifi 60CM: Wireless or non-wireless operation
FortiGuard: Anti-virus, Intrusion Prevention, Web filtering, Anti-spam, Application Control, Vulnerability scan, IPSec and SSL VPN, Data Loss Prevention, Device Awareness
FortiClient: End Point Management
Wifi: 802.11a/b/g/n (multi SSID)
FortiWifi 60CM Features
Slide 25
Why SQL Server Hardening?
Slide 26
…SQL Injection is the #1 server attack!
SQL Server Hardening Service
Server hardening is one of the most important tasks to be done on your servers. Most server “out of the box” configurations are not designed with security in mind. SQL servers should be seen as critical assets, and any compromise to them could result in significant loss to business and production.
Some of the threats to a SQL server are:
• Indirect attack—SQL injection
• Direct—exploit attack
• Cracking SA Password
• Google hacks
SQL server hardening is critical to any cyber security initiative and is part of many regulatory compliance programs.
Slide 27
IIS servers are a favorite target of hackers. Research shows that 75% of cyber attacks occur at the application level.
Business and Industry pay a heavy cost for these security failures:
• Cost of server clean-up
• Cost of data loss
• Cost of lost business opportunities
• Cost of reduced productivity
Server hardening not only provides security but also establishes a baseline for all server platforms, assisting with maintenance, patching, and planning.
IIS Server Hardening
Slide 28
Do I Need an Assessment?
Slide 29
…64% of companies expect to be hacked!
Source: Bit9, Verizon Threat Report
Most organizations think of anti-virus software, firewalls, and hardening when they think of security. However, few think of a Security Assessment as part of their overall comprehensive security program.
They are often faced with a number of challenges:
• Knowing their current security position
• Determining their vulnerability level, exposure, and possible impact
• Experiencing inability to monitor who has access to their network and critical assets
• Enhancing their existing security strategy
Security Assessment
Slide 30
Invensys Enhanced Solutions
Active Directory
Centralized Back Up & Restoration
Patch Management
Network Management/ePO
Relay Server
Firewall ‘Secure Zone’
Slide 31
OTS
Network Management/ePO
Log Management
Secure File Server
TriStation ‘Compliance’
Network Infrastructure
• Active Directory (A/D) Workshop
• Technology Roadmap
• Procedures/SOPs
• Secure Zones
• Centralized Backups
• Event Logging
• Patch Management
• Network Management
• Remote Access Relay Server
• Managed Secure Services
The Invensys cyber security team offers a comprehensive list of cyber security solutions to help address any internal needs, regulatory requirements, or program mandates. All of these elements are synergistic, providing not only a broad scope of security but also the defense-in-depth necessary for true cyber security compliance. Our most common solutions include:
Invensys cyber security team provides security solutions
Cyber Security Solutions
Slide 32
Invensys Critical Infrastructure and Security Practice
Doug Clifton
Cyber Security Consulting
• Providing cyber security services in Industrial Automation since 2001
• Largest vendor-based Industrial Control Security Group in the market
• Delivering cyber solutions to a global customer base
• Experienced with IT technologies but with a Process Automation mindset
Why Invensys?
Slide 34
CISP Certifications
• CISSP
• CCNA
• CCDA
• CEH
• ECS
• NNCDA
• CCNP
• CCS1
• CCSA
• CWNA
• CCFE
• MCSE
• CISM
• CISA
• CCSE
• OSCP
• CCIE
• plus others
Invensys Critical Infrastructure & Security Practice (CISP)
Slide 35
We are a very active business within Invensys. Currently active projects (August 2013):
• 31 embedded projects
• 21 CISP-only projects
Platform Independent
The CISP solution portfolio will work on ANY control system platform, expanding the market beyond the traditional Invensys customer base.
Network Agnostic
The CISP solution portfolio can be deployed on any network topology or technology, independent of network lifecycle, due to the lifecycle methodology of the solution portfolio.
Industry Relevant
The CISP solution portfolio is applicable to any industrial manufacturing industry, whether the focus is on cyber security compliance or network systems optimization.
Solution Ecosystem
CISP is greater than the sum of its parts: cyber security consulting, network compliance, regulatory experts, auditors, network systems design and implementation, system integrators, and trusted advisors.
What Makes CISP Unique?
Slide 36
• We can support our clients’ roadmap by assisting with their compliance requirements.
• Our customers have requirements. We don’t want them to go it alone.
• Critical time in the market; we have the skills to grow business.
• It’s a market differentiator.
Cyber Security Consulting
Slide 37
• Program definition
• Assessment
• Remediation
• Program deployment
• Audit preparation
• Audit support
The Invensys cyber security team partners with clients throughout the compliance lifecycle.
Partnering for Compliance
Slide 38
Implement a cyber security program.
Align cyber security programs with implementation of upgrades.
Maintain compliance to current and future cyber security regulations.
Plan for Cyber Security
Slide 39
1. Our clients have compliance requirements larger in scope than secure products alone can provide.
2. We have a comprehensive solution that includes:
• Compliance with industry standards
• Products designed with security
• Cyber security experts and delivery/support personnel
• Enhanced solutions to meet clients’ cyber security program needs
3. We are vigilant. Our cyber security solutions will meet the challenging industrial landscape.
Summary
Slide 40
“Safety and cyber security are job one at Invensys.”
- Mike Caliel, President & CEO, Invensys
Slide 41
Slide 42
INDUSTRY
• High-cost prevention
• High skills
• Static networks
• Cyber security is not what they do
The Cyber Security Problem…this is why we do what we do
Slide 43
HACKERS
• Low-cost tools
• Low skills
• Dynamic landscape
• Hacking is all they do
Cyber Threat Management Module
Slide 44
Source: Hackmageddon
Motivations Behind Attacks
47% Cyber Crime
46% Hacktivism
4% Cyber Warfare
3% Cyber Espionage
100% Targeted!