ICS S Cyber ber Security curity Br Briefing iefing About t Jo - PowerPoint PPT Presentation

ICS S Cyber ber Security curity Br Briefing iefing

About t Jo John Ba Ballen lenti tine ne Who ho is John hn Ballenti ntine? Over 20 years of experience in the energy industry, including corporate and consulting roles managing cyber security and regulatory compliance at power generation facilities in North America. John n Ballentine ntine CSSA CSSA Dire rector tor of Cyber ber Certified SCADA Security Architect Securi rity ty & Compli plian ance ce CISSP • Assists HPI customers by Certified Information Systems Security reducing their cyber security risk Professional in industrial control system environments. CISA • Develops programs that identify, Certified Information Security Auditor manage and mitigate compliance and regulatory risks. Industry service includes: CCEP Certified Compliance and Ethics • Board of Director of North America Generator Forum Professional (NAGF) • US Department of Homeland Security- Cyber Emergency GLEG Response Team Certified Information Law Specialist • Graduated from US FBI Compliance Academy

Secu curity ty, Secu curity ty, , Secu curity rity HPI LLC Proprietary Information

They ey Stri rike e Agai ain n (Real eally!) ly!) Calif iforn ornia ia Power r Statio ion n At Attac tacke ked d in 2013 is Struck ruck Again in Back k Up Attack By Matthew L. Wald August 28, 2014 MATTHEW L. WALD AUG. 28, 2014 Back Up Attack The Silicon Valley power substation that was attacked by a sniper in April 2013 was hit by thieves early Wednesday morning, according to the Pacific Gas and Electric Company, despite increased security. The substation, near San Jose, Calif., is the source of energy for thousands of customers, and the idea that it was the target of a well-organized attack, and that it might have been disabled for an extended period, raised anxieties about the possible broader vulnerability of the grid. The attack this week did not involve gunfire, and it did not seem intended to disable the facility. Early Wednesday, an unknown number of thieves cut through a fence and made off with power tools, a pipe bender and ground compactors used to smooth out dirt after excavations, said Keith F. Stephens, a spokesman for Pacific Gas and Electric. The substation has an alarm system , but the “fence alarms that went on overnight were not reacted to or addressed in an appropriate manner,” Mr. Stephens said. He added that the problem wa s a result of “human error.” The company has not determined the value of the items taken. The intruders did not appear to try to damage operating equipment, Mr. Stephens said. In the 2013 attack, shots were fired into the radiators of giant transformers, disabling but not destroying them. Two manhole covers were removed, and communications lines were cut. The e utilit ility said id damages es came to $15.4 million llion. Some of the transformers were repaired using components borrowed from other utilities; others had been nearing retirement anyway and were replaced.

THE E ICS SE S SECURI RITY Y LANDS DSCAPE CAPE

Secu curity ty as a Gov overnanc ernance and Practical actical Matter ter Security- whether cyber or physical- impacts how energy companies plan, manage and maintain their business objectives. Executives and managers face increasing challenges managing the threats and potential impacts from security issues. HPI’s customers typically operate facilities that are vulnerable to attack-and can ill afford business interruption. Our customers need effective strategies to properly design, plan, implement and maintain a security program to meet the modern challenges they face.

Industrial trial Control Systems ms Distributed Control System (DCS) and Process Control Systems • A group of computers and/or smart field devices networked together to monitor and control industrial processes with direct feedback control. • Control systems operate in near real-time and are used in critical sectors such as power generation, oil and gas refining, water treatment, chemicals, etc. May consist of HMI, PLC’s, standalone power electronic • controllers, microgrid controllers, and substation automation systems Supervisory Control and Data Acquisition (SCADA) System • Normally applied to systems connected to devices over a larger area including multiple buildings or even many miles away. • Operative word is SUPERVISORY, used in critical sectors such as electrical transmission and distribution, oil and gas pipelines, water/sewer and transportation.

Power Po er Syst ystem em ICS S Footpr tprint int Generator ator Control SmartGri rid Contr trol and Utility ty Monitorin toring and Supervisory Contr trol and Syste tems ms Automa mation tion Syste tems ms Control Syste tems ms Data Acquisiti tion (SCA CADA) A) Systems ms Transmission and distribution • • Fuel Management Systems • Power Quality and UPS Systems Renewable Energy Control • Systems

Informa ormation ion vs. . Opera rati tion ons Tech chno nolog logies es Corpo porate e Offic ice/IT /IT Utili ility/O /OT/ T/ICS ICS Security Focus: Confidentiality, Integrity Security Focus: Availability People/Equipment Ratio: Number of people ~=# equipment People/Equipment Ratio: Few people, many types of equipment Object Under Protection: Information Object Under Protection: Industrial process Risk Impacts: Information disclosure (privacy), economic, legal liability for Risk Impacts: Safety (life), health, environment, loss of production, damages downtime, repairs Availability Requirements: 95-99% year (moderate acceptable downtime) Availability Requirements: 99.9-99.999%/year (no acceptable downtime) System Lifetime: 3-5 year replacement cycles System Lifetime: 15-30 years Main Protected Target : Central servers (CPU, memory) and PCs Main Protected Target: Servers, distributed systems, sensors, PLCs Operating Systems: Windows Operating Systems: Windows and proprietary Software: Consumer software on PCs Software: Specific, customized configurations Protocols: Well known (HTTP over TCP/IP), web-based Protocols: Industrial TCP/IP, vendor specific, polling Main Actors: IBM, SAP, Oracle Main Actors: ABB, Siemens, Honeywell, Emerson

THRE REAT T ASS SSESS SSMEN ENT

Security curity Threat eats s from om Eve very Direct ection on Int nternal rnally, , extern rnall ally, , dom omesti tical ally, , int ntern rnati tional nally, , our r clients nts must t pre repar pare to identi dentify fy and d meet the thre reat ats head ad on: n: Fr Fraud ud and d theft, t, crimina nal activi vity ty Blund nders, rs, erro rors rs and d omissions ssions Disgrun gruntl tled d employees, , inside ders rs Curiosity osity and ignoran orance, , re recre reation ational al Industrial ustrial and d fore reign gn espion onag age and and maliciou ous s hackers rs information ormation warfar fare Maliciou cious s code

Attack At ack Modes des for or ICS Loss of f View Manipulati ation of View Denial al of Control Manipulate ate Contr trol Total tal Loss of Control There are many variations of passages of Lorem Ipsum available but the suffered alteration in

Cyber ber Intru trusion on Sequ quenc ence Inform rmatio tion Exfil iltra tratio tion Surve veil illa lanc nce Syste tem Mapp pping Pen Test Inci cident t Detecti ction/R /Response Initial tial Infecti ction Launch ch At Attack

At Attack ack Sou ources ces 1. External rnal thre reats/ ats/ hackti tivism sm 2. 2. Securi rity ty policy y violations, olations, malwar ware and email phishi shing ng 3. Inside der exploits ploits or other r internal rnal activi vities 4. 4. Industrial ustrial espion pionag age

At Attack ack Vector tors Method of Compr mpromi mise Soci cial al Engineeri ring 62% 62% Weak passwo words Web Managem agement 22% 22% Missing patch ches Console File Upload ad 10% 0% 4% 4% 2% 2%

At Attack ack Vector tors Time to Bre reak ak-In In 12% 12% 18% 18% 29% 29% 41% 41% Less than 1-4 Hours rs 4-8 Hours rs 8-16 16 Hours 1 Hour

At Attack ack Vector tors Level of Compr mpromis mise 38% 38% 28% 28% 16% 16% 7% 7% 11% 11% Exter erna nal Exter erna nal Complet plete Admin in User er Interna nal l Interna nal Interna nal Acces ess Acces ess Compr prom omis ise User er Admin in Acc cces ess Acc cces ess

How w At Attack acker ers s Navi vigat gate e in ICS

SE SECURI RITY Y PLAN AND D APPRO ROACH ACH

Frame amewo work k Core Detect ect Identify the occurrences of a cyber security event Pro rote tect ct Respond Safeguards to ensure delivery Take action (address) a of CI services. detected cyber security event Recover er Iden entif tify Institutional understanding Restore impaired capabilities to manage cyber security risk or CI services from a cyber security event

Keys eys to Secu curing ng Your ur Operatio rations ns Technol hnology ogy Segment nt the control ol Train n person sonnel nel and d Harde rden n syste tem Assess s existi sting ng syste stems, s, network work, and control ol contrac ractors. tors. compon onents. ts. Monitor tor and docum ument nt policies syste stem access. ss. and maint ntai ain n syste tem and pro rocedure ures. secur urity ty.