2015 Honeywell Users Group 2015 Honeywell Users Group Europe, Middle East and Africa Breakthrough Cyber Security Strategies: Introducing Honeywell Risk Manager Eric Knapp, Honeywell
2015 Honeywell Users Group2015 Honeywell Users Group Europe, Middle East and Africa
Breakthrough Cyber Security Strategies: Introducing Honeywell Risk Manager
Eric Knapp, Honeywell
About the Presenter
Eric D. Knapp@ericdknapp@ericdknapp
• Global Director of Cyber Security Solutions and Technology for Honeywell Process Solutions
• Over 20 years of experience in Information Technology; Over 10 years dedicated to Industrial Cyber Security
• Specializing in cyber security for ICS, security analytics, risk, and advanced cyber security controls
• Patents pending for risk management metrics and methodologies
Author of Industrial Network Security and Applied Cyber• Author of Industrial Network Security and Applied Cyber Security and the Smart Grid
2 © 2015 Honeywell International All Rights Reserved
What is (cyber security) Risk?
“…the potential that a given threat will exploit vulnerabilities of an t f t d th b h t th i ti ”asset or group of assets and thereby cause harm to the organization.”
(ISO)
“ a function of the likelihood of a given threat-source’s exercising a…a function of the likelihood of a given threat source s exercising a particular potential vulnerability, and the resulting impact of that
adverse event on the organization” (NIST)
3
What is the Cyber Security Risk Manager?
A tool that continuously monitors for indicators of cyber security risk i e Threats & vulnerabilities that could impact the ICS
4
i.e. Threats & vulnerabilities that could impact the ICS
Measurements & Methodologies
Risk is an indication of Threat, Vulnerability and Impact
•Many methodologies: ISA-99 / 62443, ISO27005:2011, etc.Lik lih d I t (R L I)– Likelihood x Impact (R = L x I)
– Threat x Vulnerability x Consequence (R = T x V x C)
•Determining what “V” “I” and “C” are is the hard part– These can be subjective without standards and precise
th d l i !methodologies!
5
Measurements & Methodologies
6
Measurements & Methodologies
How do we quantify “Consequence?”
•C is derived from knowledge of system functionality, dependencies and conditionsdependencies and conditions
Consequence“magnitude of harm that could be caused by a threat’s exercise of a
lnerabilit ”vulnerability”(NIST SP800-30)
7
(in memory of Rube Goldberg)
Practice Quiz
What are the consequences (C) threats (T) and
8
What are the consequences (C), threats (T) and vulnerabilities (V) in this process?
Quiz Time!
Level 4 Business NetworkPC “A” is a print server. It will not impact anything ifnot impact anything if compromised.
PC “B” is an A B
Level 3.5 DMZOperators workstation. If compromised it could directly impact production
Level 3 Advanced Control Q: What option would you choose for PC “A” from the following?
Level 2 Supervisory Control
following?
Level 1
9
Understanding Consequence
•Risk Manager understands impact within an ICS
10
Measurements & Methodologies
If R = L x I … How do we determine “Likelihood?”
•L is a function of both Vulnerability and Threat
Vulnerability Threaty“A vulnerability does not cause harm itself …”(ISO27005:2011)
Threat“A threat has the potential to harm assets … e.g. unauthorized actions,unauthorized actions, physical damage, technical failures” (ISO27005:2011)
11
Measurements & Methodologies
If R = L x I … How do we determine “Likelihood?”
•L is a function of both Vulnerability and Threat
Vulnerability Threat(specific)
Counter-measure
Threat(actor)
12
Assess the Vulnerability of the ICS• “Vulnerability” can be a broad or focused lens:
– Each asset needs to be assessed
– The entire system needs to be assessed
– You need to understand threat to understand vulnerability
• Example: p
– If HMI software is susceptible to a buffer overflow, this is a very specific vulnerability of a specific software asset.
– However, if the HMI can be used to directly impact the entire system, it is also a systemic vulnerability
This is because malicious control of the HMI is equivalent to having a bad– This is because malicious control of the HMI is equivalent to having a bad guy at the console, and you can easily gain control of an HMI over the network (understanding the threat)
13
Assess the Vulnerability of the ICS• Perform Vulnerability Assessments, but do them carefully
– Slow scans
Redundant pairs– Redundant pairs
– Passive methods
– No exploits!!!
• Understand the limits– Aggressive scans tell you a lot
… but they aren’t safe to use
– Less-aggressive scans are safer
but they tell you less… but they tell you less
– No scan can tell you everything
… you can’t scan for zero-days
• Enlist assistance from someone qualified and experienced in assessment ICS systems
14
1
Quiz Time!
Level 4 Business Network
X
Level 3.5 DMZPC “X” and “Z” are both scanned by a VA scanner and 6 critical vulnerabilities are Z
Level 3 Advanced Control
found on each.
PC “Z” is patched fully, but PC “X” is left as is.
Level 2 Supervisory Control
C s e t as s
Q: Which of the machines is vulnerable?
Level 1
machines is vulnerable?
15
Identify Threats Against the ICS
•What are cyber threats?– Malware (viruses trojans RATs APTs etc)Malware (viruses, trojans, RATs, APTs, etc)
– Hackers (script kiddies, semi-professionals, disgruntled employees, professionals, hacker-for-hire, cyber crime, nation-state)
– Accidents (insider / employees, outside / unintentional incidents)
16
Identify Threats Against the ICS
–You need to understand vulnerability to understand threat
…wait? Which came first?…wait? Which came first?
(just don’t hide(just don t hide from the truth)
17
Quiz Time Again!
You have some credible threat statistics here …
Q: What’s the biggest threat?
18
What Does Risk Manager do with all of this?
Risk Manager evaluates indicators of risk using patented
19
Risk Manager evaluates indicators of risk using patented algorithms to generate accurate risk scores in line with
industrial risk management standards
Assess Your Cyber Security PostureHow risky is my system from a security perspective?
Has something happened that I need to act on?
Where do I start?
How can I show that we are improving our security posture?
Is my control system up to date?
Am I following best practices?
When something goes wrong
20
When something goes wrong, what should I do?
At-a-glance Indication of Current Risk Levels
21
Quickly Identifies What’s Causing Risk
22
Finds the Root Cause, to the Node Level
23
Trend Risk over Time
24
Summary Reports on Risk Posture and Progress
25
Introducing the Cyber Security Risk Manager…
See it Live in the
26
Demo Room