ICS Cyber Security Briefing: About John Ballentine - PowerPoint PPT Presentation



SLIDE 1

ICS Cyber Security Briefing

SLIDE 2

About John Ballentine

John Ballentine, Director of Cyber Security & Compliance

  • Assists HPI customers by reducing their cyber security risk in industrial control system environments.
  • Develops programs that identify, manage and mitigate compliance and regulatory risks.

Who is John Ballentine?

Over 20 years of experience in the energy industry, including corporate and consulting roles managing cyber security and regulatory compliance at power generation facilities in North America.

CISSP: Certified Information Systems Security Professional
CISA: Certified Information Security Auditor
CCEP: Certified Compliance and Ethics Professional
GLEG: Certified Information Law Specialist
CSSA: Certified SCADA Security Architect

Industry service includes:

  • Board of Directors, North American Generator Forum (NAGF)
  • US Department of Homeland Security - Cyber Emergency Response Team
  • Graduated from US FBI Compliance Academy
SLIDE 3

Security, Security, Security

HPI LLC Proprietary Information

SLIDE 4

They Strike Again (Really!)

California Power Station Attacked in 2013 Is Struck Again

Back Up Attack
By Matthew L. Wald, August 28, 2014

The Silicon Valley power substation that was attacked by a sniper in April 2013 was hit by thieves early Wednesday morning, according to the Pacific Gas and Electric Company, despite increased security. The substation, near San Jose, Calif., is the source of energy for thousands of customers, and the idea that it was the target of a well-organized attack, and that it might have been disabled for an extended period, raised anxieties about the possible broader vulnerability of the grid. The attack this week did not involve gunfire, and it did not seem intended to disable the facility. Early Wednesday, an unknown number of thieves cut through a fence and made off with power tools, a pipe bender and ground compactors used to smooth out dirt after excavations, said Keith F. Stephens, a spokesman for Pacific Gas and Electric. The substation has an alarm system, but the “fence alarms that went on overnight were not reacted to or addressed in an appropriate manner,” Mr. Stephens said. He added that the problem was a result of “human error.” The company has not determined the value of the items taken. The intruders did not appear to try to damage operating equipment, Mr. Stephens said. In the 2013 attack, shots were fired into the radiators of giant transformers, disabling but not destroying them. Two manhole covers were removed, and communications lines were cut. The utility said damages came to $15.4 million. Some of the transformers were repaired using components borrowed from other utilities; others had been nearing retirement anyway and were replaced.
SLIDE 5

THE ICS SECURITY LANDSCAPE

SLIDE 6

Security as a Governance and Practical Matter

Security, whether cyber or physical, impacts how energy companies plan, manage and maintain their business objectives. Executives and managers face increasing challenges managing the threats and potential impacts from security issues. HPI’s customers typically operate facilities that are vulnerable to attack and can ill afford business interruption. Our customers need effective strategies to properly design, plan, implement and maintain a security program to meet the modern challenges they face.

SLIDE 7

Industrial Control Systems

Distributed Control System (DCS) and Process Control Systems

  • A group of computers and/or smart field devices networked together to monitor and control industrial processes with direct feedback control.
  • Control systems operate in near real-time and are used in critical sectors such as power generation, oil and gas refining, water treatment, chemicals, etc.
  • May consist of HMIs, PLCs, standalone power electronic controllers, microgrid controllers, and substation automation systems.

Supervisory Control and Data Acquisition (SCADA) System

  • Normally applied to systems connected to devices over a larger area, including multiple buildings or sites many miles away.
  • The operative word is SUPERVISORY; used in critical sectors such as electrical transmission and distribution, oil and gas pipelines, water/sewer and transportation.

SLIDE 8

Power System ICS Footprint

Generator Control Systems
SmartGrid Control and Automation Systems
Utility Monitoring and Control Systems
Supervisory Control and Data Acquisition (SCADA) Systems

  • Transmission and distribution
  • Fuel Management Systems
  • Power Quality and UPS Systems
  • Renewable Energy Control Systems

SLIDE 9

Information vs. Operations Technologies

Attribute                 | Corporate Office / IT                                                   | Utility / OT / ICS
Security Focus            | Confidentiality, Integrity                                              | Availability
People/Equipment Ratio    | Number of people ~= number of equipment                                 | Few people, many types of equipment
Object Under Protection   | Information                                                             | Industrial process
Risk Impacts              | Information disclosure (privacy), economic, legal liability for damages | Safety (life), health, environment, loss of production, downtime, repairs
Availability Requirements | 95-99%/year (moderate acceptable downtime)                              | 99.9-99.999%/year (no acceptable downtime)
System Lifetime           | 3-5 year replacement cycles                                             | 15-30 years
Main Protected Target     | Central servers (CPU, memory) and PCs                                   | Servers, distributed systems, sensors, PLCs
Operating Systems         | Windows                                                                 | Windows and proprietary
Software                  | Consumer software on PCs                                                | Specific, customized configurations
Protocols                 | Well known (HTTP over TCP/IP), web-based                                | Industrial TCP/IP, vendor specific, polling
Main Actors               | IBM, SAP, Oracle                                                        | ABB, Siemens, Honeywell, Emerson

SLIDE 10

THREAT ASSESSMENT

SLIDE 11

Security Threats from Every Direction

Internally, externally, domestically, internationally, our clients must prepare to identify and meet the threats head on:

  • Blunders, errors and omissions
  • Curiosity and ignorance, recreational and malicious hackers
  • Disgruntled employees, insiders
  • Industrial and foreign espionage and information warfare
  • Fraud and theft, criminal activity
  • Malicious code

SLIDE 12

Attack Modes for ICS

  • Loss of View
  • Manipulation of View
  • Denial of Control
  • Manipulate Control
  • Total Loss of Control

SLIDE 13

Cyber Intrusion Sequence

  • Surveillance
  • System Mapping
  • Initial Infection
  • Information Exfiltration
  • Pen Test
  • Incident Detection/Response
  • Launch Attack

SLIDE 14

Attack Sources

  • External threats / hacktivism
  • Insider exploits or other internal activities
  • Security policy violations, malware and email phishing
  • Industrial espionage

SLIDE 15

Attack Vectors

Method of Compromise (chart): Web Management Console, Missing patches, Weak passwords, Social Engineering, File Upload. Shares shown on the chart: 62%, 22%, 10%, 4%, 2%.

SLIDE 16

Attack Vectors

Time to Break-In (chart):

  • Less than 1 hour: 12%
  • 1-4 hours: 18%
  • 4-8 hours: 29%
  • 8-16 hours: 41%

SLIDE 17

Attack Vectors

Level of Compromise (chart): External Admin Access, Internal User Access, Internal Admin Access, External User Access, Complete Internal Compromise. Shares shown on the chart: 7%, 16%, 11%, 38%, 28%.

SLIDE 18

How Attackers Navigate in ICS

SLIDE 19

SECURITY PLAN AND APPROACH

SLIDE 20

Framework Core

  • Identify: Institutional understanding to manage cyber security risk.
  • Protect: Safeguards to ensure delivery of CI services.
  • Detect: Identify the occurrences of a cyber security event.
  • Respond: Take action to address a detected cyber security event.
  • Recover: Restore impaired capabilities or CI services from a cyber security event.

SLIDE 21

Keys to Securing Your Operations Technology

  • Assess existing systems, and document policies and procedures.
  • Train personnel and contractors.
  • Segment the control network, and control system access.
  • Harden system components.
  • Monitor and maintain system security.

SLIDE 22

Importance of Establishing ICS Security Policies

  • Demonstrates Support: Demonstrates management support and direction.
  • Company Protection: Protects the company and preserves management options in the event of a security incident.
  • Sets Expectations: Provides guidance and communicates expectations to employees and suppliers.
  • Technology Independent: Stays as technology independent as possible.
  • Structure / Analysis: Outlines what to achieve, not how to achieve it.

SLIDE 23

Cyber Security Vulnerability Assessment

Expert analysis of the control system to identify actual and potential security vulnerabilities:

  • Network architecture diagrams
  • Network component and host device configurations
  • Access control strategies
  • Software and firmware versions
  • Policies and procedures

SLIDE 24

Implementation Phase

SLIDE 25

Security Network Design Goals

Restrict physical access to the ICS network and devices

  • Unauthorized physical access to components could cause serious disruption of the ICS’s functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.

Restrict logical access to the ICS network and network activity

  • This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
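As an added example (not code from the slides or from HPI), the following Python script reviews a zone-to-zone firewall allow list against the logical-access goals above: the DMZ must sit between the corporate and ICS networks, so any rule that lets traffic pass directly between the ICS zone and any zone other than the DMZ is flagged, as is any rule that opens the ICS zone to every service. The zone names, the layer ordering, the rule names and the services are all constructed for the example.

```python
"""Segmentation review of an IT / DMZ / ICS firewall policy.

Added example, not HPI's tool. Checks a zone-to-zone allow list against
the design goals on the slide: no direct corporate-to-ICS traffic, the
DMZ brokers everything, and the most critical layer carries only the
traffic it needs. Zone names, rule names and services are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed layered topology: lower layer = more critical. The ICS layer may
# only exchange traffic with the DMZ; every other path must be brokered.
ZONE_LAYER = {"ICS": 0, "DMZ": 1, "CORPORATE": 2, "INTERNET": 3}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source zone
    dst: str        # destination zone
    service: str    # "proto/port" or "any"


def review_rule(rule: Rule) -> list[str]:
    """Return the design-goal violations for one allow rule (empty = clean)."""
    findings = []
    for zone in (rule.src, rule.dst):
        if zone not in ZONE_LAYER:
            findings.append(f"unknown zone '{zone}'")
    if findings:
        return findings
    touches_ics = "ICS" in (rule.src, rule.dst)
    peer = rule.dst if rule.src == "ICS" else rule.src
    # Goal: traffic must not pass directly between corporate (or anything
    # less trusted) and the ICS network; the DMZ is the only permitted peer.
    if touches_ics and peer not in ("ICS", "DMZ"):
        findings.append(f"{rule.src}->{rule.dst} bypasses the DMZ")
    # Goal: the most critical layer is the most restricted one.
    if rule.dst == "ICS" and rule.service == "any":
        findings.append("unrestricted service into the ICS zone")
    if rule.src == "ICS" and rule.dst == "DMZ" and rule.service == "any":
        findings.append("unrestricted egress from the ICS zone")
    return findings


def review_policy(rules: list[Rule]) -> dict[str, list[str]]:
    """Map each offending rule name to its findings; clean rules are omitted."""
    report = {}
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample policy for the example (not from any real site).
SAMPLE_POLICY = [
    Rule("historian-replication", "ICS", "DMZ", "tcp/1433"),
    Rule("corp-reads-historian", "CORPORATE", "DMZ", "tcp/443"),
    Rule("ntp-from-dmz", "DMZ", "ICS", "udp/123"),
    Rule("legacy-engineering-rdp", "CORPORATE", "ICS", "tcp/3389"),
    Rule("vendor-direct", "INTERNET", "ICS", "any"),
]

if __name__ == "__main__":
    for name, findings in review_policy(SAMPLE_POLICY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the script lists only the two offending rules, which is the shape a reviewer wants during the design phase: every allowed path into or out of the control layer is enumerated once, and anything that skips the DMZ or opens the ICS zone wholesale is called out by name.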

SLIDE 26

Security Network Design and Installation

SLIDE 27

Maintain Phase

Security countermeasures must be monitored and maintained:

  • Evaluate, test and deploy patches prudently
  • Monitor system logs
  • Plan and prepare incident response plans and drills

SLIDE 28

Steps to Improve Cyber Security of SCADA Networks

  • Identify all connections to SCADA networks.
  • Disconnect unnecessary connections.
  • Evaluate/strengthen security of any remaining connections to the SCADA network.
  • Harden SCADA networks by removing unnecessary services.
  • Don’t rely on proprietary protocols to protect the system.
  • Implement security features provided by device and system vendors.
  • Establish strong controls over any medium used as a backdoor into the SCADA network.
  • Implement internal and external intrusion detection systems and establish 24-hour incident monitoring.
  • Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns.
  • Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security.
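The “monitor system logs” item of the Maintain Phase and the “intrusion detection ... 24-hour incident monitoring” step above, as an added example that is not part of the slides or of HPI’s tooling: a small Python monitor run over constructed OpenSSH-style auth log lines from an assumed ICS jump host. It raises an incident when one source address fails login three times within a minute, and when a successful login originates from outside an assumed DMZ allowlist (the separate-credentials design goal only helps if someone watches for logins that should not be possible). Host names, addresses, thresholds and log lines are all constructed.

```python
"""Auth-log monitor for an ICS jump host (added example, not HPI's tool).

Two detections over syslog-style sshd lines:
  (a) repeated failed logins from one source inside a short window;
  (b) a successful login from outside the DMZ jump-host range.
All hosts, addresses, thresholds and log lines are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed: only the DMZ subnet may open interactive sessions into the ICS.
DMZ_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]
FAIL_THRESHOLD = 3        # this many failures from one source ...
FAIL_WINDOW_SECONDS = 60  # ... within this window raises an alert

# OpenSSH auth messages with a syslog prefix (syslog omits the year).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line: str, year: int = 2014) -> dict | None:
    """Parse one sshd auth line; return None for lines we do not handle."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse syslog's padded day field
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def in_dmz(ip: str) -> bool:
    """True when the address falls inside the DMZ allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DMZ_ALLOWLIST)


def monitor(lines) -> list[str]:
    """Run both detections over log lines; return alert strings in order."""
    alerts = []
    recent_failures = defaultdict(deque)  # source ip -> failure timestamps
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not an auth event this monitor understands
        when = f"{ev['ts']:%b %d %H:%M:%S}"
        if ev["result"] == "Failed":
            window = recent_failures[ev["ip"]]
            window.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while (ev["ts"] - window[0]).total_seconds() > FAIL_WINDOW_SECONDS:
                window.popleft()
            if len(window) == FAIL_THRESHOLD:  # alert once per crossing
                alerts.append(f"{when} repeated failed logins on {ev['host']} "
                              f"from {ev['ip']} ({FAIL_THRESHOLD} in "
                              f"{FAIL_WINDOW_SECONDS}s)")
        elif not in_dmz(ev["ip"]):
            alerts.append(f"{when} login to {ev['host']} as {ev['user']} "
                          f"from {ev['ip']} outside the DMZ allowlist")
    return alerts


# Constructed sample log: one DMZ login, three failures from a corporate
# address, then a success from that same corporate address.
SAMPLE_LOG = [
    "Aug 28 02:14:01 hmi01 sshd[2211]: Accepted password for operator from 10.20.0.15 port 51522 ssh2",
    "Aug 28 02:14:20 hmi01 sshd[2214]: Failed password for operator from 192.168.50.9 port 40011 ssh2",
    "Aug 28 02:14:25 hmi01 sshd[2215]: Failed password for invalid user admin from 192.168.50.9 port 40012 ssh2",
    "Aug 28 02:14:31 hmi01 sshd[2216]: Failed password for operator from 192.168.50.9 port 40013 ssh2",
    "Aug 28 02:16:02 hmi01 sshd[2220]: Accepted password for engineer from 192.168.50.9 port 40022 ssh2",
    "Aug 28 02:17:44 hmi01 systemd[1]: Started Session 12 of user operator.",
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_LOG):
        print(alert)
```

The second alert is the one that matters most for the segmentation goals: a login that succeeded from a corporate address means either the firewall policy or the credential separation between the two networks has a hole, and the 24-hour monitoring step exists so that this is noticed the same night rather than at the next audit.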

SLIDE 29

  • Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios.
  • Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators and users.
  • Document network architecture and identify systems that serve critical functions or contain sensitive information requiring additional protection.
  • Establish a rigorous, ongoing risk management process.
  • Establish a network protection strategy based on the principle of defense-in-depth.
  • Clearly identify cyber security requirements.
  • Establish effective configuration management processes.
  • Conduct routine self-assessments.
  • Establish system backups and disaster recovery plans.
  • Senior leadership should establish expectations for cyber security performance and hold individuals accountable for their performance.
  • Establish policies and train to minimize the likelihood that personnel will disclose information regarding the SCADA system, operations or security controls.

SLIDE 30

THE HPI ADVANTAGE

SLIDE 31

HPI Security Approach: Prevent, Detect & Recover

Whether you need a full compliance or security solution, or are preparing for an audit or internal control review, HPI’s experience as operators will maximize your return on investment.

Prevention

  • People: trained and alert
  • Technology: managing systems
  • Processes: mitigating risks

Detection & Notification

  • Network access monitoring
  • Anomaly detection
  • Active intrusion monitoring

Recovery & Restoration

  • Back-up restoration management
  • Annual compliance testing

SLIDE 32

HPI Cyber Security & Compliance Service Offerings

There IS a starting and end point to get your company optimized to face the threats and reduce the likelihood of interrupting your business:

Assessment and Risk Benchmarking

Systems and Network Risk Assessment; Cyber Vulnerability Assessment (NERC CVA); Standards-based Audits; Applicability Assessments; Controls and Policies Reviews; Mock Audits

Mitigation and Design Services

Security Architecture; Operations Network Security Upgrade; Remediation and Recovery Plans; Compliance Mitigation Plans; Compliance Filings with Govt Agencies; Overall Compliance Program Design

Implementation and Monitoring

Security System Conversion; Hardware and Software Monitoring; System Restoration; Corp Compliance Program Implementation; Install GRC Software and Configure for Monitoring; Compliance-as-a-Service

SLIDE 33

Defense in Depth Focus Areas

HPI subscribes to the “Defense in Depth” approach of the cyber security professional community.

Defend the computing environment

  • End-user environment
  • Application security

Defend the network and infrastructure

  • Backbone network availability
  • Wireless network security
  • System interconnections

Defend the enclave boundary

  • Network access protection
  • Remote access
  • Multi-level security
SLIDE 34

Bridging the ICS Security Specialization Skill Gap

Many organizations substitute Information Technology/Network Specialists for Information Security Specialists. Most IT/Network personnel possess few of the security skills needed to harden a network. Even fewer have the capability to secure an ICS network. HPI has cyber security skills in the energy industry ICS: the rarest and most sought-after skill set in the industry.

Skill sets (diagram): IT Professionals; Cyber security professionals; Control system professionals; Control System Cyber Security Professionals

SLIDE 35

Independent Architect and Audit Services

Need temporary personnel to fill a missing internal link? We can deploy on short notice to help out. Already have an ICS cyber security team, and just need to “fill the gaps”? HPI has you covered:

  • Security designs (physical and cyber)
  • Program implementation assessments
  • Compliance gap analysis; Mock audits and gap closures
  • Self-reports and mitigation planning
  • System recovery on short notice

SLIDE 36

Training and Compliance Monitoring Services

TRAINING SOLUTIONS

Most clients have broad compliance and security programs with prescribed goals that often require training to achieve objectives. HPI has teamed with online training delivery systems, and can have your course up and running in weeks.

COMPLIANCE SERVICES

Whether you’re in need of frequent determinations or updates on your compliance status or regulatory due diligence on potential acquisitions, HPI has you covered.

SLIDE 37

The HPI Differentiator

Why work with us?

HPI designs, builds, operates, controls, maintains and repairs power generation facilities; it’s in our DNA. Generic security consultants cannot match our comprehensive understanding of how those areas link together and form an aligned approach. Unlike vendors that sell newfangled technology solutions or pre-packaged systems, HPI customizes security solutions that significantly reduce risk. Every area of HPI is completely aligned to the cyber security challenge as the key to protecting our clients’ assets.

“HPI customers must be secure so that they can focus on their core business of efficiently producing power to the grid.”

  • Hal Pontez, HPI President & CEO

SLIDE 38

Contact Us

OFFICE: 713.457.7500
CELL: 512.705.7242
EMAIL: JBALLENTINE@HPI-LLC.COM

https://www.facebook.com/hpillc
@hpienergy
https://www.linkedin.com/company/hpi-llc/
www.hpienergy.com