Security Issues and Best Practices for Water...

Security Issues and Best Practices for Water Facilities

2013 ISA Water / Wastewater and Automatic Controls Symposium
August 6-8, 2013 – Orlando, Florida, USA

Jeff Hayes
Business Development Manager
Beijer Electronics


Jeff Hayes

• 15 years in product management for computer networking and security companies
• CISSP since March 2002
• President of ISSA – Utah Chapter
• Business Development Manager - Beijer Electronics
  – Beijer is a 31-year-old industrial automation firm from Sweden with Americas HQ in Salt Lake City
  – Manufacturer of HMIs, touch-panel PCs, programming software and networking equipment for industrial applications, including extreme environmental conditions


Outline

• Premises
• Targets
• Closed Loop Corrective Action for Plants
  – Security Policies
  – Risk Analysis
  – Countermeasures
  – Monitor & Manage


Premises

• Security for infrastructure facilities is minimized, un-funded, and not part of “best practices” thinking.

• Security is not a core competency of most engineering, system integration, and construction companies, nor of the operators and IT personnel.

• Serious security incidents have not created ample awareness or panic to create action/funding.

• Cross-contamination risks of the corporate network domain vs. the process control domain.

• Safety and availability are jobs #1 and #2.


Target

• Is a water/wastewater facility a target?
• Who would target one? How difficult would it be to conduct surveillance…to infiltrate a facility?
• Are we more secure today than a year ago?
  – Yes, but the “bad guys are better equipped” and the attack surface is expanding

• Security is more of a people issue than a technology issue


Closed Loop Corrective Action for Plant Security

[Diagram: a closed loop of four stages: Security Policies, Risk Analysis, Countermeasures, Monitor & Measure]


Security Policies

• Policies are the basis for security design, architecture, implementation, and practices
• Consider some computer, Internet, physical security and emergency management policies
  – Computer, email, anti-virus
  – Internet
  – Passwords
  – Social media and blogging
  – Privacy
  – Pandemic
  – Clean desk
  – Cell phones
  – Concealed weapons
  – Industrial accidents
  – Bomb threats


Security Policies

• Most water/wastewater facilities have weak policies
  – Documented?
  – Understood?
  – Enforced?
• If they do exist, do they…
  – describe who owns, controls, may access what information and in what manner?
  – delineate sharing vs. least privilege?
  – define separation of duties?
  – include a vulnerability / risk / gap / cost-benefit analysis?


Risk Analysis

• Risk management components
  – Evaluation and Assessment – identify assets and evaluate their properties, characteristics and loss impact
  – Risk Assessment – discover threats and vulnerabilities that pose risk to assets
  – Risk Mitigation – transferring, eliminating or accepting
• Internal risks
  – People (employees, contractors, visitors, ex-associates)
  – Processes and procedures
  – Computer systems
• External risks
  – Geography, weather events, neighbors
  – Terror, war, criminal, social & economic


Risk Analysis

• Data Breach
  – Frequency and costs continue to rise
    – Detection
    – Response
    – Notification
    – Ex-post
  – Root Causes
    – Malicious/Criminal
    – Negligence
    – System Glitch


Risk Analysis

• Network Vulnerabilities
  – Cloud Computing
  – Remote access
• Protocol Vulnerabilities
  – Ethernet & TCP/IP (no longer security by obscurity)
• Bottom-line…
  – “Every security program is a risk program … the only value proposition security policies, processes and technologies have is their effect on an organization's loss exposure — the frequency and magnitude of loss.”
    Jack Jones, Co-Founder of CXOWARE


Security Architecture

• Properly aligned people, processes, & tools working to protect organizational assets, goals & strategic direction

• Potential components
  – Account & identity management
  – Access and border control
  – Vulnerabilities & base configurations
  – Privacy & integrity
  – Security monitoring
  – Incident response
  – Disaster recovery
  – User training
• Classification – trusted, untrusted and DMZ


Vulnerability Assessments

• Identifying, quantifying, and prioritizing the vulnerabilities in a “system”

• Scanning
  – Audit running processes, open ports, system OS details, user accounts, executable & DLL files
  – Security, configuration and compliance audit
• Patch management
  – Zero-day exploits and responses
• Mobile device management
• Monitoring and correlating logs and events
• Analysis and communication


Penetration Testing

• A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers
  – Determining the feasibility of a particular set of attack vectors
  – Identifying vulnerabilities that may be difficult or impossible to detect with automated tools
  – Assessing the impact of successful attacks
  – Assess existing defenses, notification and responses
  – Helps quantify what further investments are required
• Should include
  – Internal
  – External
  – Social engineering
  – “Ethical hacking”


Authentication Services

• Identity and access management (IAM)
  – Identification, authentication and authorization
  – Single- vs. multi-factor authentication
  – Identity consolidation and single sign-on
• Passwords
  – Characters, length, change frequency, re-use
  – Initial, lost, re-assigned and forced change
  – One-time passwords
• Switches and routers
  – VLANs, Access Control Lists
• Wireless
• Remote access


Firewalls

• A system or combination of systems that enforces a boundary between networks – typically a private and a public network; e.g., Internet
  – Trusted, un-trusted and semi-trusted (DMZ)
• Implementations
  – IP and TCP/UDP port-level rules
  – Stateful / deep-packet inspection
• Deployments
  – Network-based – appliances, server/software, routers, switches, access points
  – Host- & server-based


Encryption & VPN

• Encryption
  – Process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext)
• Data at rest ensuring integrity and privacy
• Data in motion
  – Secure Virtual Private Network - private communication over a public network
  – IPSec, HTTPS, SSL, SecureShell, etc. protocols
  – Remote access – client-to-machine and machine-to-machine


Mobile Devices & Applications

• Bring your own device (BYOD)
  – Smartphones & tablets
• Remote access and management
• Mobile security controls
  – Authentication & authorization
  – VPN
  – Lost
  – Malware
  – Personal vs. business functions


Intrusion Detection

• Act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource
  – A “burglar” alarm for computer networks
• Types
  – Network-based (NIDS)
  – Host-based (HIDS)
  – Physical IDS
  – Intrusion Prevention
• Honey Pot Systems
  – Decoy servers or systems set up to gather information regarding an attacker or intruder into your system


Web Application & Content Control

• Secure Web applications (PHP, C++, Java, .NET)
  – Authentication & authorization
  – Data validation & handling
  – User and session management
  – Points, time and state issues
  – Error handling
  – Encryption
• Content Filtering
  – Limitations and enforcement points
  – Legal issues
  – Productivity issues
  – Bandwidth/network issues


Operating System Hardening

• To configure a computer or other network device to resist attacks

• Secure or insecure by default?
• OS dependent
• Typical steps
  – Perform initial system install
  – Remove unnecessary software
  – Disable or remove unnecessary usernames, passwords and accounts
  – Disable or remove unnecessary services
  – Apply patches
  – Run Nessus or similar scan


Physical Security

• Part of a holistic security posture
  – Based on layered defense design
• Physical security includes
  – Asset protection
  – Video surveillance and monitoring
  – Employee protection and workplace violence prevention
  – Fraud prevention
  – Loss prevention
  – Investigations & forensics


User Awareness & Training

• Knowing and understanding an individual’s role in organizational and informational security and acting accordingly

• Constantly reinforce messaging to change behavior
• Some success elements
  – Management support
  – Partnering with other departments
  – Creativity & multiple modes
  – Use metrics
  – Scope and timing
  – Role-playing or exercises


Monitor & Measure

• Physical security monitoring
• Information vulnerability monitoring & action plans
  – Security devices and software
  – End systems and servers
  – Network equipment
• Business Continuity Planning / Disaster Recovery Planning
  – Threat & risk analysis
  – Business impact analysis


Monitor & Measure

• Security Incident Response
  – The complete response set of an organization to a disaster or other abnormal event
  – Security information and event management
  – Incident & data breach responses
    – Secure critical evidence to support investigation/litigation
    – Defend against internal and external exposure
    – Determine the source, scope, and sensitivity of a data loss
    – Identify your legal and regulatory obligations
    – Retain customers and opportunities
    – Apply processes for future prevention


Conclusions

• Infrastructure facilities are targets
• Cybersecurity is essential
• Create a reasonable security posture
  – Policies
  – Risk Analysis
  – Countermeasures
  – Monitor & Manage


Questions?

Jeff Hayes