Belden 1-2-3 Approach to Cybersecurity
Industrial Cyber Security: What You Don't Know MIGHT Hurt You
September 21, 2016
David Meltzer, Chief Research Officer, Belden-Tripwire
Tony Gore, Chief Executive Officer, Red Trident Inc.
John Powell, Critical Infrastructure Engineer
(and others)
2015 Belden Inc. | belden.com | @BeldenInc
Agenda and Objectives
- Understand what cyber security risks may apply to your environment
- Industrial standards that may apply to your ICS Operations environment
- Learn how to automate and simplify the inventory process and secure your assets
- Hear real-world tips on how to prioritize and work across functional silos within your company
- Suggestions and resources for future progress
- Receive an industrial cyber security self-assessment checklist as a starting point
You can't protect or secure what you don't know you have
(Therefore, at-risk industrial assets can put employee or public safety at risk)
ICS Risks - SANS 2016 State of ICS Survey Report
Top Attack Concern: External/Outsiders
Top Target Concern: Commercial OS (Windows, Linux), and key assets: HMI, historians, operations engineering workstations, control systems, asset management systems, etc.
Risks - ICS Vulnerabilities from 2000 - Q1 2016
ICS Vulnerability Disclosures by Year: 90% of 1,552 disclosed in 2011 - April 2016
123 vendors have ICS vulnerabilities
33% = no fixes or patches available at public disclosure
- FireEye iSight Intelligence 2016 ICS Vulnerability Trend Report
It's Not All About Hackers & Terrorists: Consider the Financial Implications of Disruptions
- Oil pipeline shut down for 6 hours after software is accidentally uploaded to a PLC on the plant network instead of the test network
- 13 auto assembly plants were shut down by a simple Internet worm; 50,000 workers stop work for 1 hour while malware removed
- Operators at a major USA nuclear power plant forced to scram the reactor after cooling drive controllers crashed due to excessive network traffic
NET Impact: $250K / NET Impact: $14M / NET Impact: $2M
Tofino Industrial Security Solution, Byres Security Inc.
What is an ICS Cyber Threat?
Cyber threat is an important category of industrial risk, typically targeting plant and operations networks, endpoints and control systems.
Who Does This?
- Outsiders: control system level breaches grew more than 33% during the 2014 and 2015 fiscal years.
- Malicious Insiders: 49% believe insider threat is their top concern.
- Human Error (Employees, Contractors): 25% of ICS incidents were due to current employees or insiders.
- Sources: SANS Institute, ICS-CERT, PWC, FireEye
Survey - Cyber Security Skills Self-Assessment
- Skilled: Have been working with industrial cyber security topics for some time, possibly have industry certifications for same, and/or have designed industrial operations networks and system architectures, policies and procedures for security.
- Knowledgeable: Familiar with perhaps one or two technologies and some customer issues (typically some details of anti-virus, ID/authentication systems, and sometimes encryption).
- Conversant: Knows terms and generally what they mean, often can ask good questions, but doesn't necessarily have the big picture.
- Newbie: "I've heard the term cyber security."
Standards and Best Practices
- National Institute of Standards and Technology
- International Society of Automation
- International Electrotechnical Commission
- International Organization for Standardization
NIST Framework
NIST CSF Mapping to ISA/IEC 62443
http://isa99.isa.org
NIST Risk Assessment
Function: IDENTIFY (ID)
Category: Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Subcategories and Informative References:
ID.RA-1: Asset vulnerabilities are identified and documented
  - CCS CSC 4
  - COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
  - ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12
  - ISO/IEC 27001:2013 A.12.6.1, A.18.2.3
  - NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5
ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
  - ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
  - ISO/IEC 27001:2013 A.6.1.4
  - NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5
ID.RA-3: Threats, both internal and external, are identified and documented
  - COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
  - ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
  - NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16
ID.RA-4: Potential business impacts and likelihoods are identified
  - COBIT 5 DSS04.02
  - ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
  - NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
  - COBIT 5 APO12.02
  - ISO/IEC 27001:2013 A.12.6.1
  - NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16
ID.RA-6: Risk responses are identified and prioritized
  - COBIT 5 APO12.05, APO13.02
  - NIST SP 800-53 Rev. 4 PM-4, PM-9
ISA/IEC 62443-2-1 Requirements
A.2.3.3.6.2 Characterize key IACS
Identifying and prioritizing IACS risks requires that an organization locate and identify key industrial automation and control systems and devices, and the characteristics of these systems that drive risk. Without an inventory of the IACS devices and networks, it is difficult to assess and prioritize where security measures are required and where they will have the most impact.

Asset Number | Equipment ID | Functionality | IP Address | Zone | Location | Operating System
EWS101 | EWS_101 | Engineering Workstation | 192.168.1.20 | BPCS | Control Room | Windows 7, Pro SP1
NIST SP 800-82 Requirements
4.5.1 Categorize ICS Systems and Networks Assets
The information security team should define, inventory, and categorize the applications and computer systems within the ICS, as well as the networks within and interfacing to the ICS. The focus should be on systems rather than just devices, and should include PLCs, DCS, SCADA, and instrument-based systems that use a monitoring device such as an HMI. Assets that use a routable protocol or are dial-up accessible should be documented. The team should review and update the ICS asset list annually and after each asset addition or removal.
Document Assets and Identify Improper Network Design
Example System Architecture Diagram
Partition the System into Zones and Conduits
- Zones
- Conduits
A DPI firewall is one way to segment the SIS (safety instrumented system)
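Zones and conduits written down as a checkable policy, as an added example (not Belden, Tripwire or Tofino code): the inventory rows follow the asset table above, while the extra assets, the conduit rules, the ports and the flow records are constructed for illustration.

```python
"""Zone/conduit policy check over an ICS asset inventory. Added example, not
Belden or Tripwire code; the extra inventory rows, the conduit rules and the
flow records are constructed. Columns: Asset Number, Equipment ID,
Functionality, IP Address, Zone, Location, Operating System."""
from dataclasses import dataclass

INVENTORY = [
    ("EWS101", "EWS_101", "Engineering Workstation", "192.168.1.20", "BPCS", "Control Room", "Windows 7, Pro SP1"),
    ("PLC201", "PLC_201", "Process Controller", "192.168.1.50", "BPCS", "Field", "vendor firmware (constructed)"),
    ("SIS301", "SIS_301", "Safety Controller", "192.168.2.10", "SIS", "Field", "vendor firmware (constructed)"),
    ("HIS401", "HIS_401", "Historian", "10.0.3.15", "DMZ", "Server Room", "Windows Server (constructed)"),
]
ZONE_BY_IP = {row[3]: row[4] for row in INVENTORY}

# Conduits: the only permitted source-zone -> destination-zone paths and the
# TCP ports (industrial protocols) each may carry. Everything else is denied.
CONDUITS = {
    ("BPCS", "SIS"): {502},    # Modbus/TCP: BPCS may poll the safety controller
    ("BPCS", "DMZ"): {44818},  # EtherNet/IP: process data up to the historian
}

@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    dport: int  # destination TCP port

def classify_flow(flow: Flow) -> str:
    """Return 'intra-zone', 'conduit', 'unknown-asset' or 'violation'."""
    src_zone = ZONE_BY_IP.get(flow.src)
    dst_zone = ZONE_BY_IP.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown-asset"   # not in the inventory: identify it before anything else
    if src_zone == dst_zone:
        return "intra-zone"      # inside one zone; conduit policy does not apply
    allowed = CONDUITS.get((src_zone, dst_zone), set())
    return "conduit" if flow.dport in allowed else "violation"

def audit(flows):
    """Group flows by classification; 'violation' and 'unknown-asset' need follow-up."""
    report = {}
    for f in flows:
        report.setdefault(classify_flow(f), []).append(f)
    return report

SAMPLE_FLOWS = [  # constructed flow records, e.g. exported from a switch SPAN port
    Flow("192.168.1.20", "192.168.1.50", 502),   # EWS -> PLC, same zone
    Flow("192.168.1.20", "192.168.2.10", 502),   # EWS -> SIS over the Modbus/TCP conduit
    Flow("192.168.1.20", "192.168.2.10", 3389),  # RDP into the SIS zone: not a conduit
    Flow("10.0.3.15", "192.168.2.10", 502),      # DMZ -> SIS: no conduit defined at all
    Flow("192.168.1.99", "192.168.1.50", 502),   # source address not in the inventory
]
if __name__ == "__main__":
    for kind, flows in audit(SAMPLE_FLOWS).items():
        print(kind, [(f.src, f.dst, f.dport) for f in flows])
```

The same check is what a DPI firewall enforces on the wire; run offline over the inventory and captured flows, it shows which conduits the drawings are missing before rules are written.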
Starting Point - Assessing Current State, Gaps, and What to Do First
- Common starting point is with a risk assessment
- Foundation - inventory of hardware and software assets
- Approaches: Manual, Hire it Out, Automation
- How to mitigate the organizational silos
What is an Asset within Industrial Environments?
Hardware, Software, Firmware, Communications, Physical (Facilities), Cyber-Physical
Known - above the waterline: 20% are network assets (able to get configuration and topology location fairly easily)
Unknown - below the waterline: 80% are proprietary assets (not easily known configurations and components such as I/O servers, firmware, etc.)
ICS Cyber Security Risk Model
- ARC Research
The Process
Cyber Security Life Cycle
Assess Phase:
- High-Level Risk Assessment (Inventory)
- Allocation of IACS Assets to Security Zones or Conduits
- Detailed Cyber Risk Assessment
Develop & Implement Phase:
- Cybersecurity Countermeasures
- Installation, Commissioning & Validation of Countermeasures
- Other Means of Risk Reduction
Maintain Phase:
- Maintenance, Monitoring & Management of Change
- Periodic Cybersecurity Audits
- Cyber Incident Response & Recovery
Continuous Processes:
- Management System: Policies, Procedures, Training & Awareness
Belden's 1-2-3 Approach to Industrial Cybersecurity
Common Industrial Attack Vectors Tripwire Can Detect
- Configurations: misconfigurations, weak configurations
- Exploitable vulnerabilities previously unknown
- Unpatched / unpatchable / no patch exists
- Insecure access: wireless, modems, inappropriate internet-facing industrial protocols
- Unauthorized access: weak or stolen credentials
- Infected files: infected USB, infected ICS logic
- Insecure serial links
- Complex and proprietary multi-vendor environments
No-Touch Visibility into ICS Cyber Security
Monitoring Full Operations Environments for Unauthorized Change and Cyber Threats
- Standards-based
- Integration with FactoryTalk AssetCentre

Part of the Belden Industrial Cyber Security Portfolio
- Vendor-neutral
- Standards-based
- Industrial Network Infrastructure
- ICS/SCADA Cyber Security Expertise is Our Core
- Monitoring for change and threat detection
- Alert notification
- Vulnerability checking
- Log intelligence/SIEM automation and integrations
- Support for heterogeneous industrial environment cyber security
Tofino Xenon Industrial Security Appliance
Field-Level Layer 2 Firewall with Security Enforcers
The Tofino Xenon Industrial Security Appliance delivers advanced cyber security protection for industrial networks, securing critical assets at Layer 2, making it easier to deploy and transparent to the network.
- No IP or network architecture changes needed
- Protects endpoint systems and devices (PLCs, RTUs, IEDs, DCS, HMIs, Historians, Controller Consoles, etc.)
- Easy to deploy with Plug and Protect - no downtime
- Secure Zones and Conduits (IEC-62443)
- Deep Packet Inspection for industrial protocols to enforce security policy: DNP3 and IEC 104, Modbus/TCP, OPC, EtherNet/IP, others coming
- Auto-generates firewall rules, and controls access and ingress and egress

Belden Industrial Cybersecurity Portfolio
Summary - Benefits of Having an Asset Inventory
Benefits of a current and automated asset inventory:
- Mitigate cyber security risks from outsiders, insiders, and human error
- Reduce / avoid unplanned downtime
- Improve productivity
- Automate to speed resolution, save time and reduce human error
- Process improvement and efficiency
Action? - Consider a cybersecurity risk assessment
Join Us - Industrial Ethernet Infrastructure Design Seminar
October 10-13, 2016, Orlando, Florida
- Learn good infrastructure design for cyber security, all industry sectors
- Oriented toward technical and hands-on learning labs
Learn More - http://info.belden.com/designseminar

Q&A
THANK YOU!
Questions and Answers
Q: Are Zones accomplished using VLANs?
A: I'm not sure the point of the question here. There are always multiple VLANs employed when there are differing environments or items consolidated on a common manageable switch. Special configurations to harden the switch and prohibit VLAN jumping are established, documented and tested. When we label zones VLANs, I'm not sure what that actually is that you're thinking of, but if you contact [email protected] with a question we can work to answer that question thoroughly.
Q: Zones?
A: Zones are essential for the establishment of environments in which similar devices can coexist and operate. It also helps with monitoring, troubleshooting, and adding additional layers of security to an ICS architecture. NIST 800-82 as well as ANSI/IEC/ISA 62443 establish zones. It is also a very common practice within ICS environments that have a greater maturity and adoption of ICS Cyber Security. There are common practices found in other standards and advanced cyber security architectures.
Q: This is all well and good, but our industrial environment is set - at present we can't change anything. What do we do in that case?
A: For many circumstances where physical changes in architecture cannot be immediately made, there are technology solutions that can sometimes be applied to mitigate the risks - even process changes can often solve for an interim period. Another consideration is to do the planning for the bigger needed changes, whether architecture or equipment, while addressing the smaller things that can be altered such as password hygiene, not sharing logins, or simply knowing where the biggest concerns are.
Q: He just mentioned LANs - I think that Zones are accomplished by VLANs, but also can be accomplished via other technologies.
A: Yes, this is an absolute truth because there are a multitude of technologies that can establish zones. The best option for the most robust architecture is zones that can be monitored and be dynamic in defense of the Industrial Control System environment. There's also some device hardening that occurs to further ensure the zones are areas of security.
Q: Walkdown?
A: Per information on the NERC site and echoed in various other ICS standards: Include a physical walk-down of sites to verify Cyber Asset lists. A good method of ensuring that all Cyber Assets are documented and accounted for is to perform a physical walk-down of the computer rooms and control rooms that contain the Cyber Assets. A typical walk-down starts with an initial list of Cyber Assets and a network topology diagram showing connectivity. The walk-down involves ensuring that all the Cyber Assets on the drawing or Cyber Asset list are accounted for, all network and other connections are deployed as indicated on the network topology drawing, and no extra Cyber Assets or network connections are discovered that cannot be identified on the network topology diagrams. Any discrepancies between the Cyber Asset lists, the network topology diagrams, and the actual physical systems must be resolved, either by updating the documentation or removing the improperly installed or configured assets. This discovery validation method can normally be incorporated into the annual Cyber Vulnerability Assessment (CVA) process required under CIP-007 Requirement R8.
Q: So your approach is a walkdown to get the 80% Proprietary ICS asset inventory?
A: No, Tripwire's suite of tools can aid in the identification of many assets, but through a combination of tools specifically configured for the ICS environment. We perform additional discovery activity outside the physical walkdown.
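The walk-down reconciliation described in the answer above, as an added example (not NERC, Belden or Tripwire material): the three inputs are the documented Cyber Asset list, the network topology diagram and what the walk-down team physically found, and every data value here is constructed.

```python
"""Walk-down reconciliation of the Cyber Asset list, the network topology
diagram and what the walk-down team physically observed. Added example, not
NERC or Belden material; all three data sets below are constructed."""

# Documented Cyber Asset list: asset number -> documented location.
ASSET_LIST = {"EWS101": "Control Room", "PLC201": "Field", "HIS401": "Server Room"}

# Network topology diagram: undirected connections between documented assets.
TOPOLOGY = {frozenset(p) for p in [("EWS101", "PLC201"), ("EWS101", "HIS401")]}

# Walk-down findings: assets seen (and where) plus the cables actually traced.
OBSERVED_ASSETS = {"EWS101": "Control Room", "PLC201": "Skid 3", "LAP999": "Control Room"}
OBSERVED_LINKS = {frozenset(p) for p in [("EWS101", "PLC201"), ("LAP999", "PLC201")]}

def _pairs(links):
    """Render a set of frozenset links as a sorted list of (a, b) tuples."""
    return sorted(tuple(sorted(link)) for link in links)

def reconcile(asset_list, topology, observed_assets, observed_links):
    """Return every discrepancy the walk-down must resolve, by category.

    Each non-empty category is closed either by updating the documentation or
    by removing the improperly installed or configured asset or connection.
    """
    documented = set(asset_list)
    seen = set(observed_assets)
    drawn = {node for link in topology for node in link}
    return {
        # on the list but not found: retired, relocated, or the list is stale
        "missing_assets": sorted(documented - seen),
        # found but not on the list: unauthorized or undocumented equipment
        "undocumented_assets": sorted(seen - documented),
        # list and drawing disagree about which assets exist
        "not_on_diagram": sorted(documented - drawn),
        "diagram_only": sorted(drawn - documented),
        # drawn connections that are not deployed, and cables nobody drew
        "links_not_deployed": _pairs(topology - observed_links),
        "undrawn_links": _pairs(observed_links - topology),
        # asset exists but is not where the list says it is
        "moved_assets": sorted(a for a in documented & seen
                               if asset_list[a] != observed_assets[a]),
    }

def walkdown_clean(report) -> bool:
    """True only when every category is empty, i.e. the documents match the plant."""
    return not any(report.values())

if __name__ == "__main__":
    result = reconcile(ASSET_LIST, TOPOLOGY, OBSERVED_ASSETS, OBSERVED_LINKS)
    for category, items in result.items():
        print(f"{category}: {items}")
```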
Questions and Answers
Q: How long does an industrial cyber security risk assessment take?
A: Scope and complexity of an environment can dramatically affect the length of time that a holistic risk assessment takes. Oftentimes, we see risk assessments prematurely halted because there are common vulnerabilities or exposures that can be remediated or planned for. Some identified risks may also need immediate attention, because of the threat they pose to the revenue-generating or ICS process. We do offer accelerated risk assessments rather than full risk assessments to immediately triage vulnerable environments. It's not as supporting as a holistic risk assessment, but it does assist with getting an immediate look at what could potentially be a threat to the environment.
Q: For risk assessment, how do you acquire the data for the likelihood of a particular vulnerability occurring and the likelihood that a particular security threat will be exploited? Does this data exist in a database somewhere?
A: Likelihood is a very qualitative aspect to the overall vulnerability. If we take a workstation for example, then we would look at the vulnerabilities present on the system, how those vulnerabilities score for that system, and determine if that system is a high consideration to the viability of the overall process. Then from the gap we will explore if there are compensating controls to reduce, mitigate, or eliminate the overall threat. We do have several databases that contain vulnerability data and leverage specially crafted tools that digest the vulnerability data for additional ranking.
Q: But that is just one vendor...ABB...what about Emerson, Honeywell, Yokogawa, Schneider and dozens of other ICS Automation System vendors? How do you gather ICS inventory beyond ABB endpoints?
A: We are working with most - you'll continue to hear more as we finish with each one.
Q: The solution appears to be primarily for IT-oriented assets at level 3, with the exception of ABB PLCs via Rockwell AssetCentre.
A: If we are basing this strictly on one architecture that some ICS environments are based upon, then there are multiple levels of integration that Tripwire can integrate into, from level 1 to 5. This is an example of one type of integration, and the capabilities are more broad-reaching than only one vendor. In a future architectural webinar, we can display how that integrates through those environments as well as contribute to a more mature adoption of cyber security that promotes continuous monitoring. Today's conversation was based on, as well as focused on, the risk assessment enabling asset inventory rather than a deep dive of architectural adoption.
Q: There are no cyber personnel available in utilities teams - how do you see this gap closing? MSSP? Contractors? There is no motivation to hire personnel except with Energy where NERC CIP applies fines - otherwise no motivation to hire staff? Insight?
A: It's definitely a problem. There is "zero" unemployment for those with cyber security skills and it's often tough to make the case to hire. MSSPs are a way around this, but not every infrastructure is suited for outsourcing despite getting cyber security skills. Also, some of the biggest trends we're seeing are in the areas of training and certifications where we're basically trying to grow our own. It will take time.
Q: What are you doing nationally to expand the talent pool?
A: We are looking for enabling partners to construct a methodical and repeatable approach as well as networking with state officials. Please reach out to [email protected] to learn more and explore partnerships that are enabling the construction of such talent pools.