Expanding Cyber Security Management for Critical Infrastructure
ISSE, Wednesday 15th November 2017, Brussels
Dr Andrew Hutchison, Telekom Security, [email protected]
OVERVIEW
• Attack Surface expands to include IoT/Critical Infrastructure
• Evolving Attacks
• Re-balancing the counter approach
• Broad Scope Security Monitoring
• Approach and tools
• Adding cyber-physical feeds
• Supporting implementation of ISA99/IEC62443 requirements
• Conclusions
EVOLVING NATURE OF THREATS
90% of corporate networks are protected, but only 10% of industrial networks.
[Figure: threat categories around the expanding attack surface]
• Attacks on autonomous vehicles
• Ransomware
• Zero-day exploits
• Attacks on firmware
• Spear phishing & faked identities
• Attacks on cloud services
• Attacks on power/heating systems
• Attacks on production plants (SCADA systems)
ATTACKS ON CRITICAL INFRASTRUCTURE ARE REAL!
Source: http://app.wiwo.de/technologie/digitale-welt/cyberangriffe-it-sicherheit-verkommt-zur-randnotiz/19568942.html?mwl=ok
• SEP 2010 – Stuxnet infects industrial plant: access to Iranian nuclear plant
• MAY 2015 – Attack on the IT of the German Bundestag: complete replacement of the IT
• DEC 2015 – Ukraine: attack on power grid, 80,000 people without power
• FEB 2016 – Ransomware attack on hospital: IT systems shut down
• NOV 2016 – Mirai botnet attack on routers: 900,000 people without internet
EXAMPLE SIEM SERVICE AND DELIVERY MODEL – CLOUD
[Diagram: for each customer, sensors at HQ and branch offices, plus event sources such as web mail and the AV server, forward over the Internet to a customer-specific cyber defense server in the MSSP's SOC; reporting goes to the CSO and the Head of IT.]
• Dedicated, customer-specific virtual cyber defense server operated by an MSSP: storage of security events, threat intelligence, reporting.
• Sensors for data collection and normalization are installed in the customer's infrastructure. The data is forwarded to the customer's cyber defense server for processing.
EXAMPLE SIEM SERVICE AND DELIVERY MODEL – ON-PREMISES
[Diagram: sensors at HQ, Factory 1, Factory 2 and the office in Finland, plus web mail, feed an on-site customer server in Germany; only alarms cross the Internet to the SOC, and reporting goes to the CSO and the Head of IT.]
• Sensors for data collection & normalization are installed in the customer's infrastructure. The data is forwarded to an on-site customer server for processing.
• Only alarm data gets forwarded to the SOC; the data itself remains on-site at the customer.
SUPPORTING THE IMPLEMENTATION OF ISA99/IEC62443 REQUIREMENTS
Foundational requirements (FR) and system requirements (SR) of IEC 62443-3-3 addressed:
• FR 2 – Use Control, including
  SR 2.8 – Auditable events
  SR 2.9 – Audit storage capacity
  SR 2.10 – Response to audit processing failures
  SR 2.11 – Timestamps
• FR 3 – System Integrity, including
  SR 3.2 – Malicious code protection
  SR 3.3 – Security functionality verification
• FR 5 – Restricted data flow, including
  SR 5.2 – Zone boundary protection
• FR 6 – Timely response to events, including
  SR 6.1 – Audit log accessibility
  SR 6.2 – Continuous monitoring

• Firewall protection for industrial networks and switching systems across different locations
• Mobile connection and integration into existing systems (SIEM) possible
• Full control of remote access
• Secure management of all suppliers
• Compliance-conformant documentation via the rendezvous server
• Intelligent, continuous risk management for the whole production network
• "Zero Impact" installation
• Continuous analysis of vulnerabilities and risk assessment
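As an added example (not code from this deck or from any Telekom Security product), the following Python sketches how a collection sensor could honour the audit-related system requirements listed above: it parses constructed syslog-style lines from assumed hosts (plc-line1, fw-ot01, hmi-01), normalizes every timestamp to UTC (SR 2.11), keeps only the message types declared auditable (SR 2.8), enforces a fixed audit storage capacity (SR 2.9) and records each processing failure, including unparseable lines and dropped events, so it can be acted upon instead of silently lost (SR 2.10). The host names, message formats, category table and capacity value are all assumptions.

```python
"""Minimal 'industrial SIEM' sensor: normalize OT syslog-style events and
apply the IEC 62443-3-3 audit requirements SR 2.8 / 2.9 / 2.10 / 2.11.
Example code added for illustration; hosts, formats and capacity are assumed."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample input in an assumed "<ts> <host> <facility>: <msg>" shape.
SAMPLE_LOG = """\
2017-11-15T08:01:03+01:00 plc-line1 ctrl: logic download by user maint from 10.20.30.5
2017-11-15T08:01:09+01:00 fw-ot01 fw: DROP zone=ot src=192.168.10.7 dst=8.8.8.8 proto=udp dport=53
2017-11-15T08:02:44+01:00 hmi-01 auth: login failed user=operator src=10.20.30.9
2017-11-15T08:03:00+01:00 plc-line2 ctrl: firmware version check ok
garbage line without a timestamp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<fac>\w+): (?P<msg>.*)$")

# SR 2.8: assumed table of message fragments that count as auditable events.
AUDITABLE = {
    "logic download": "control_logic_change",
    "login failed": "auth_failure",
    "DROP": "zone_boundary_block",
}


@dataclass
class Event:
    ts_utc: str      # SR 2.11: ISO 8601 in UTC
    host: str
    category: str
    msg: str


@dataclass
class AuditStore:
    capacity: int                                  # SR 2.9: fixed storage budget
    events: list = field(default_factory=list)
    dropped: int = 0
    failures: list = field(default_factory=list)   # SR 2.10: every failure recorded

    def append(self, ev: Event) -> bool:
        """Store an event, or record that it could not be stored."""
        if len(self.events) >= self.capacity:
            self.dropped += 1
            self.failures.append(f"audit storage full, dropped event from {ev.host}")
            return False
        self.events.append(ev)
        return True


def normalize_ts(raw: str) -> str:
    """SR 2.11: convert an offset-bearing ISO timestamp to UTC; reject naive ones."""
    dt = datetime.fromisoformat(raw)
    if dt.tzinfo is None:
        raise ValueError("timestamp has no UTC offset")
    return dt.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")


def classify(msg: str):
    """Return the auditable category for a message, or None if not auditable."""
    for needle, cat in AUDITABLE.items():
        if needle in msg:
            return cat
    return None


def process(log_text: str, store: AuditStore) -> AuditStore:
    """Parse lines, keep auditable events, and log every processing failure."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            store.failures.append(f"unparseable line: {line[:40]}")
            continue
        try:
            ts = normalize_ts(m["ts"])
        except ValueError as exc:
            store.failures.append(f"bad timestamp on {m['host']}: {exc}")
            continue
        cat = classify(m["msg"])
        if cat is None:
            continue   # not an auditable event under the SR 2.8 table
        store.append(Event(ts, m["host"], cat, m["msg"]))
    return store


if __name__ == "__main__":
    result = process(SAMPLE_LOG, AuditStore(capacity=10))
    for ev in result.events:
        print(ev.ts_utc, ev.host, ev.category)
    for failure in result.failures:
        print("FAILURE:", failure)
```

In a real deployment the `failures` list is what gets raised as an alarm to the SOC, since an attacker who fills or breaks the audit pipeline should be as visible as one who trips a rule.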
PROTECTION OF CRITICAL INDUSTRIAL INFRASTRUCTURE
[Figure: three example component families]
• Industrial Threat Protection
• Industrial Network Protection
• Industrial Access Protection
INDUSTRIAL CONTROL SYSTEM SECURITY COMPONENTS
[Diagram: the three component families deployed on the OT network, surrounded by SOC and consulting services]
• Industrial Threat Protection
  – Visibility: monitoring & response; assets, topology, flows, change, vulnerabilities, attacks ("Industrial SIEM")
  – End-point protection: anti-malware, port and device control, memory protection, firmware and control-logic integrity ("Industrial End-Point Protection")
• Industrial Network Protection
  – Network segmentation: control flows ("Industrial Firewall")
• Industrial Access Protection
  – Access control: user & identity management, remote access, privileged access ("Industrial IAM")
CONTINUOUS RISK MANAGEMENT, RELIABILITY, ATTACK DETECTION & COMPLIANCE REPORTING
[Diagram: Industrial Threat Protect Pro deployed on the OT* network, reporting to the ICS control center]
* OT: Operational Technology
** DNA: Device-Network-Application relation
END-TO-END NETWORK SECURITY & DATA FLOW CONTROL & INSPECTION
[Diagram: Industrial Network Protect Pro between the OT* network and the ICS control center]
* OT: Operational Technology
FULL CONTROL FOR REMOTE MAINTENANCE ACCESS
[Diagram: Technician → secure tunnel → management portal → rendezvous server]
ICS EXAMPLE SECURITY USE CASES
Security Measure            | Description
----------------------------|-----------------------------------------------------------------------------
Inventory & Asset Management | Identify all assets connected to the ICS environment, including PCs, laptops, switches, PLCs, servers, thin clients, etc.
Patch Management            | Ensure devices are patched to the latest approved version in order to reduce vulnerabilities.
PLC Update Management       | Ensure PLC firmware is up to date and stays current with all security-related fixes.
Change Management           | Ensure that no changes are made to plant, equipment or process without authorisation.
Perimeter Leakage           | Detect devices connected to external networks.
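As an added example (not code from this deck or from any product it names), the following Python shows the Inventory & Asset Management, Change Management and Perimeter Leakage rows above as checks over constructed flow records: it derives an asset inventory from the addresses and ports observed, diffs that inventory against an earlier baseline to surface unauthorised additions, and flags any plant-zone device exchanging traffic with an address outside every defined zone. The zone prefixes, addresses, ports and flow records are all assumptions.

```python
"""Asset inventory, change detection and perimeter-leakage checks over
constructed OT flow records. Example added for illustration; the zone
layout, addresses and flows are assumed, not taken from any real plant."""
from __future__ import annotations
import ipaddress

# Assumed zone layout: prefixes that belong to the plant (OT) network or its DMZ.
OT_ZONES = {
    "ot-line1": ipaddress.ip_network("192.168.10.0/24"),
    "ot-line2": ipaddress.ip_network("192.168.20.0/24"),
    "dmz": ipaddress.ip_network("10.20.30.0/24"),
}

# Constructed flow records: (src, dst, dst_port, proto).
FLOWS = [
    ("192.168.10.7", "192.168.10.1", 502, "tcp"),      # PLC to gateway, Modbus/TCP
    ("192.168.10.7", "8.8.8.8", 53, "udp"),            # PLC resolving DNS on the Internet
    ("192.168.20.12", "10.20.30.5", 44818, "tcp"),     # EtherNet/IP to a DMZ server
    ("192.168.20.12", "203.0.113.10", 443, "tcp"),     # HMI talking to an external host
    ("10.20.30.5", "192.168.10.7", 502, "tcp"),        # DMZ server polling the PLC
]


def zone_of(ip: str) -> str:
    """Name of the zone containing ip, or 'external' if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in OT_ZONES.items():
        if addr in net:
            return name
    return "external"


def build_inventory(flows):
    """Inventory & Asset Management: every in-zone address seen, its zone,
    the (proto, port) services it answers on and the peers it talks to."""
    inv = {}

    def entry(ip):
        zone = zone_of(ip)
        if zone == "external":
            return None   # external hosts are peers, not plant assets
        return inv.setdefault(ip, {"zone": zone, "listens": set(), "talks_to": set()})

    for src, dst, dport, proto in flows:
        s, d = entry(src), entry(dst)
        if d is not None:
            d["listens"].add((proto, dport))
        if s is not None:
            s["talks_to"].add(dst)
    return inv


def perimeter_leakage(flows):
    """Perimeter Leakage: in-zone devices exchanging traffic with external addresses."""
    return [
        (src, dst, dport, proto)
        for src, dst, dport, proto in flows
        if zone_of(src) != "external" and zone_of(dst) == "external"
    ]


def inventory_changes(baseline, current):
    """Change Management: assets and services that appeared since the baseline."""
    new_assets = sorted(set(current) - set(baseline))
    new_services = {}
    for ip in set(current) & set(baseline):
        added = current[ip]["listens"] - baseline[ip]["listens"]
        if added:
            new_services[ip] = sorted(added)
    return new_assets, new_services


if __name__ == "__main__":
    inventory = build_inventory(FLOWS)
    for ip, info in sorted(inventory.items()):
        print(ip, info["zone"], sorted(info["listens"]))
    for leak in perimeter_leakage(FLOWS):
        print("LEAK:", leak)
    added_assets, added_services = inventory_changes(build_inventory(FLOWS[:1]), inventory)
    print("new assets:", added_assets, "new services:", added_services)
```

The baseline in a real deployment is the approved inventory from the change process; anything `inventory_changes` reports that was not authorised is itself a change-management finding, and each `perimeter_leakage` hit is a candidate zone-boundary violation for the SOC to triage.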
CONCLUSIONS
• While the management of cyber security environments within the Information Technology (IT) area is fairly well defined and understood, the incorporation of Operational Technology (OT) and cyber-physical systems into such management frameworks and systems is less mature.
• For Critical Infrastructure (CI) in particular, it is essential that security management is implemented well, especially since many of the controllers and their connectivity and management models are primitive compared to IT devices.
• Security models are often limited, resting on the assumption that physical isolation or protection of devices will ensure that they are not manipulated in unexpected or unauthorised ways.
• Implementation of cyber-physical systems is typically layered: devices, connectivity, processing (possibly cloud), horizontal services (for example IoT enabling platforms) and vertical services (for example specific to healthcare, connected car, energy, etc.) combine to form an OT solution.
• For enhanced management of cyber-physical systems, security-related events can be collected and inspected, using guidelines such as the International Society for Automation (ISA) standards for Industrial Automation and Control Systems (IACS). In particular the ISA-62443-1
• A requirement for end-to-end security extends across these services, and it is this goal towards which systems need to be developed.