CYBER SECURITY PROGRAM: Policies to Controls
Safdar Akhtar, Cyber Director
Sema Tutucu, Ops Leader
27 September 2017


Honeywell Proprietary - © 2017 by Honeywell International Inc. All rights reserved.

Can You Answer These Questions?

What’s my company’s exposure to the latest industrial cyber threat?

Are my plants compliant with our corporate cyber security directive?

Are there “non-sanctioned” devices, like USBs, that have been added to plant process control networks?

What happens if I have a malware outbreak in my control network?

– Production impact?
– Operations staff SOP?

>50% of Board of Directors are not satisfied with Leadership’s Cyber Issue Management

Agenda

• Industrial Cybersecurity Overview
• Where to Start
• Honeywell Vision
• Assessment & Remediation
  - Examples
• Brownfield Vs. Greenfield
• Cybersecurity Project Phases
• Q & A

Industrial Cyber Security

• Industrial Cyber Security is the body of practices, processes and technologies designed to defend process control networks, systems, computers, programs and data from attack, damage, disruption, unauthorized access or misuse
  - Protecting against external and internal threats
  - Detecting, Responding and Recovering from cyber attacks and incidents
• Safeguarding availability, safety and reliability and managing risk
  - Keeping plants running smoothly without disruption
  - IT cyber security, in contrast, focuses more on protecting information than physical assets, operations and people
• Requires deep understanding of process control networks, operations, information technology and cyber security

No Silver Bullet

• Process
  - Management System
  - Through policies and procedures
    Patch Management
    Secure Remote Access
    Anti-virus
    Backup and Restore
    Change Management
    Perimeter Security
  - Periodic Audits
• People – Weakest link
  - Training and Awareness
  - Professional Skills & Qualification
  - Motivation
• Technology
  - Installed and maintained
• If any part fails you are at risk

Where to Start

• Cybersecurity Management System (CSMS) in Place (Best)
  - Unacceptable Risks Require Mitigation
• Cybersecurity Assessment Identified the Gaps (Better)
  - Critical & High Priority Gaps Need to be Fixed
• Mandatory Compliance Requirements (Good)
  - Non-Compliance Items Need a Fix
• Facing Technical Issues – Functional or Security (OK)
  - Need a Solution
• Ad hoc Approach (Bad)
  - Likeness, Following the trend etc.
• Wrong Impression of Cybersecurity (Worst)
  - Air-gap, Misconfigured Cybersecurity Solutions etc.
• Don’t know – Start with Cybersecurity Assessment
  - Aim for a roadmap with CSMS as an ultimate goal

Honeywell Industrial Cyber Security Vision

• Assess assets against industry standards, regulatory requirements and best practices
  - Provides roadmap to eliminate exposed risk
• Remediate addresses issues identified in the Assess phase with a custom-designed Industrial Cybersecurity Program
  - Multi-layered secure defense-in-depth network design
  - System hardening
  - Compliance and governance development
  - Security awareness program
• Manage focus is on preserving and enhancing the investment made in security, by applying services and training
  - Workflow Implementation
  - Anti-virus and Patch Management
  - Network Perimeter Management
  - Change Management Program
• Assure focuses on program monitoring to assure its functioning as designed
  - Reporting, Verification, Analytics etc.

Cybersecurity Assessment

• Planning Phase
  - Assessment Team
  - Assessment Scope & Goals
  - List of Attack Vectors
  - Assessment Plan
• Data Collection Phase
  - Vulnerability Scan
  - Configuration Data
  - Document Collection
  - Interview Key Personnel
• Analysis Phase
  - Evaluation of Vulnerabilities, Patches, Malware
  - Attack Surface Analysis
  - Password Auditing
  - Log Management Auditing
  - Network Access Auditing
  - Evaluation of Network Architecture
  - Evaluation of Authorized Software and Network Traffic
  - Configuration Reviews
  - Policy & Procedure Reviews
  - Risk Profiling
  - Risk Mitigation
• Outcome – Execution Gap, Design Gap, Technology Gap
• Reporting Phase
  - Detailed Report
  - Executive Summary Report
  - Audit Report against ISA 99
  - Presentation / Workshop

Risk Summary Example

[Table: Plants (Site, Location, Type; rows A to G) against Security Control Categories SP, PE, SA, NA, AC, SM]

SP  Security Policies and Procedures
PE  Physical and Environmental Security
SA  Security Architecture
NA  Network Architecture
AC  Cyber Access Control
SM  Cyber Security Management

High: The capability of the threat is significant, and compensating controls to reduce the probability of vulnerability exploitation are insufficient.

Medium: The capability of the threat is medium, and implemented compensating controls lessen the probability of vulnerability exploitation.

Low: The capability of the threat is limited, and compensating controls are in place that effectively reduce the probability of vulnerability exploitation.

Risk Summary Example Cont’d

Remediation - Example

No.  Recommended Solution                                         Priority

Phase 1
1    Multi-layered Secure Defense-in-Depth Network Design         High
2    Secure Next-Gen Firewall with IPS / Industrial Firewalls     High
3    Centralized Antivirus & Patch Management System              High
4    Security Hardening                                           High
5    Application White Listing Solution                           High

Phase 2
6    Backup & Restore                                             Medium
7    Centralized Network Monitoring Solution                      Medium
8    USB Protection Solution                                      Medium
9    Cybersecurity Risk Manager                                   Medium

Phase 3
10   Security Information and Event Management (SIEM) Solution    Low
11   Secure Remote Access, Monitoring & Alerting                  Low
12   Policies & Procedures Development                            Low

Phase 0 – Cybersecurity Overlooked

Does not comply with Cybersecurity Standards

Phase 0 – Cont’d

• Cybersecurity was never a priority
• Flat Network - All devices connected on same level
• Missing Network Segregation
  - Zones & Conduits – ISA99/IEC 62443 Recommended Practice
  - Levels as per ISA95 Purdue Model
  - Might have levels but without proper segregation & access control
• Some misconfigured cybersecurity controls
• Gap identification - Assessment

Phase 1 – Complying with Standards

Physical Zones & Segmentation – Comply with Cybersecurity Standards

Phase 1 – Network/System Segregation

Phase 1 – Cont’d

• Segregation as per international standards (ISA99/IEC 62443)
• All Obsolete devices replaced
• All Systems moved to their proper levels
• Level 4 Introduced – Business Connectivity
  - Level 4 Corporate Segregation – Separation of Duties
• Level 3.5 DMZ Introduced – Data to/from Business
• Level 3 Introduced – Operations Management
• Level 2.5 Introduced – If Required
  - In case of multiple FTE communities
  - Virtualization
• Segregation at Level 2

Phase 2 – Cybersecurity Begun

Phase 2 – Cont’d

[Figure: Phase 2 network architecture, Level 1 to Level 4]

Levels: Level 1, Level 2, Level 2.5, Level 3, Level 3.5 DMZ, Level 4

Labelled components: Router, HSRP Router, L2.5 Router Primary, L2.5 Router Secondary, Qualified Cisco Switches, Enterprise Switch, Firewall, Domain Controller, Level 2 Domain Controller, Experion Server, ESC, ESF, EST, ACE, ESVT, EAS, Safety Manager, Terminal Server, PHD Server, PHD Shadow Server, Patch Mgmt Server, AntiVirus Server, Relay Server, 3rd Party App Subsystem Interface, Blade Server, Server Blade, NAS, vCenter Server, VM Client, PLC, Risk Manager/Palo Alto Service Node, TAP, Aggregator

Comm flow:
- L1 to L1
- Limited L2 to L1
- L2 to L2
- L2.5 to L2.5
- Limited L2.5 to L3
- L3 to L3
- Limited L3.5 to L3.5
- Very Limited L3 to L3.5 to L3
- Very Limited L3.5 to L4
- L4 to L4
- Very Limited L2
- No direct communications between L4 & L3 or L2
- No communications between L1 & L3 or L4

Tap placement:
- Tap located between Level 3 & border firewall to capture ingress & egress traffic from Level 3
- Tap located between Level 3 and Level 2.5 to capture ingress & egress traffic from Level 2.5
- Tap located between Level 2 and Level 2.5 to capture ingress & egress traffic from Level 2
- Tap located between 3rd party & Level 2 to capture ingress & egress traffic from Third Party Systems
- Aggregator located at Level 3 to provide filtered traffic to RM, SIEM & other tools
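The level-to-level communication labels on the Phase 2 diagram can be checked against flow records collected at the taps. The following is an added example, not part of the original slides or any Honeywell tooling; the subnet plan, allowlist, ports and flow records are constructed, and each "Limited" / "Very Limited" label is assumed to read as initiator to responder.

```python
import ipaddress

# Constructed addressing plan: one subnet per level (the slides give none).
SUBNETS = {"10.1.0.0/16": "L1", "10.2.0.0/16": "L2", "10.25.0.0/16": "L2.5",
           "10.3.0.0/16": "L3", "10.35.0.0/16": "L3.5", "10.4.0.0/16": "L4"}
NETS = [(ipaddress.ip_network(n), lvl) for n, lvl in SUBNETS.items()]

# Conduits the diagram labels "Limited" or "Very Limited", read as
# initiator -> responder (assumption; "L3 to L3.5 to L3" read as both ways).
RESTRICTED = {("L2", "L1"), ("L2.5", "L3"), ("L3.5", "L3.5"),
              ("L3", "L3.5"), ("L3.5", "L3"), ("L3.5", "L4")}
# Level pairs the diagram prohibits, in either direction.
PROHIBITED = {frozenset(p) for p in
              [("L4", "L3"), ("L4", "L2"), ("L1", "L3"), ("L1", "L4")]}
# Constructed per-conduit allowlist: (src level, dst level, dst port).
ALLOWLIST = {("L3.5", "L4", 443), ("L2", "L1", 502)}

def level_of(ip):
    """Map an address to its level, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    return next((lvl for net, lvl in NETS if addr in net), None)

def verdict(src_ip, dst_ip, dport):
    """Classify one observed flow against the diagram's comm-flow labels."""
    src, dst = level_of(src_ip), level_of(dst_ip)
    if src is None or dst is None:
        return "unknown-asset"          # device not in the asset plan
    if frozenset((src, dst)) in PROHIBITED:
        return "prohibited"
    if (src, dst) in RESTRICTED:
        return "allowed" if (src, dst, dport) in ALLOWLIST else "not-allowlisted"
    if src == dst:
        return "allowed"                # unrestricted same-level traffic
    return "unlabelled"                 # pair has no label on the diagram

# Constructed flow records, as a tap aggregator might export them.
FLOWS = [("10.2.0.10", "10.2.0.11", 55555), ("10.2.0.10", "10.1.0.5", 502),
         ("10.4.0.9", "10.3.0.7", 3389), ("10.35.0.4", "10.4.0.2", 445),
         ("10.1.0.5", "10.3.0.7", 80), ("192.0.2.1", "10.2.0.10", 22)]

def audit(flows):
    """Return (flow, verdict) for every flow that is not plainly allowed."""
    results = ((f, verdict(*f)) for f in flows)
    return [(f, v) for f, v in results if v != "allowed"]

if __name__ == "__main__":
    for flow, v in audit(FLOWS):
        print(v, flow)
```

The "unlabelled" verdict marks level pairs for which the diagram shows no rule, so they are surfaced for review rather than silently passed.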

Phase 2 – Cont’d

• Various Cybersecurity Solutions Introduced
  - Defense In Depth
  - Defense In Breadth
• IPS Introduced on PCN Level 3.5 DMZ Next Generation Firewalls
• Honeywell Secure Media eXchange (SMX) Introduced
• Honeywell Managed Services Introduced (AV, AWL, Patch, Monitoring etc.)
• Honeywell Risk Manager Introduced
• Security Information and Event Management (SIEM) Introduced
• Network Management System (NMS) Introduced
• 2nd Domain Controller Introduced (Domain Redundancy)
• Central Management Station Introduced
• Passive IPS Sensors Introduced
• System & Network Hardening done as per CIS Standards
• Network taps introduced
• Nextnine or Data-Diode between PCN DMZ and IT/Corporate can be introduced

Phase 3 – Procedural Controls

• Policy & Procedures
  - Risk Management
  - Change Management
  - Patch Management
  - Malware Protection
  - Account Management
  - Backup and Restore
  - Asset Management
  - Portable Media
  - Logging & Monitoring
  - Etc.
• Incident Response & Management Plan
• Operational Manuals
• Security Awareness & Training

[Figure: Information Security – Physical Controls, Technical Controls, Procedural Controls]

Cybersecurity Never Sleeps

• Cybersecurity is a Process – Not One Time Solution/Project

Brownfield Vs. Greenfield

• ICS Lifecycle
  - Design, Build, Operation and Decommissioning
• Bolting on Cybersecurity on Live ICS
  - Difficult & Costly
  - Less Effective
• Build-in and maintain Cybersecurity from an early stage
  - More Effective
  - Less Costly
  - Business Enabler

Cybersecurity Project Phases

• Project Award
• Project Initiation/Kickoff (Remote / Head Office / On-Site)
  - Project Organizational Chart
  - Communication Protocol Identification
  - Roles & Responsibilities
  - Scope of Work Discussion
  - Project Schedule
  - Site Survey – Snapshot of Current Situation
    Brief Site Survey Report
• Project Design Phase
  - Project Bill of Material (BOM)
    Preparation – Submission – Approval
  - Cyber Security System Architecture
    Preparation – Submission – Approval
  - Network Cabinet & PD Drawing
    Preparation – Submission – Approval

Cybersecurity Project Phases Cont’d

  - Functional Design Specification (FDS)
    Preparation – Submission – Approval
  - Detailed Design Specification (DDS)
    Preparation – Submission – Approval
  - BOM Procurement
• Factory Acceptance Phase
  - Factory Acceptance Test (FAT) Procedure
    Preparation – Submission – Approval
  - FAT Configuration
  - Pre-FAT and FAT Execution
  - Punch Point Resolution & Signoff
  - Equipment Shipment to Site
• Site Execution Phase
  - Site Acceptance Test (SAT) Procedure
    Preparation – Submission – Approval
  - Devices, Cabinets etc. Installation & Configuration
  - Pre-SAT and SAT Execution
  - Punch Point Resolution & Signoff

Cybersecurity Project Phases Cont’d

• Knowledge Transfer / Training Phase
  - First line maintenance and training manuals
  - Training as per agreed scope
• As-Built Document
  - Updated DDS – Submission – Approval
• Project Monthly Progress Report
• Project Closeout Meeting

Conclusion