Breakthrough Cyber Security Strategies: Introducing Honeywell Risk Manager


© 2015 Honeywell International All Rights Reserved

Eric D. Knapp @ericdknapp

About the Presenter

• Global Director of Cyber Security Solutions and Technology for Honeywell Process Solutions

• Over 20 years of experience in Information Technology; over 10 years dedicated to Industrial Cyber Security

• Specializing in cyber security for ICS, security analytics, risk, and advanced cyber security controls

• Patents pending for risk management metrics and methodologies

• Author of Industrial Network Security and Applied Cyber Security and the Smart Grid


What is (cyber security) Risk?

“…the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.” (ISO)

“…a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization” (NIST)


What is the Cyber Security Risk Manager?

A tool that continuously monitors for indicators of cyber security risk, i.e., threats and vulnerabilities that could impact the ICS


Measurements & Methodologies

Risk is an indication of Threat, Vulnerability and Impact

• Many methodologies: ISA-99 / 62443, ISO27005:2011, etc.

– Likelihood x Impact (R = L x I)

– Threat x Vulnerability x Consequence (R = T x V x C)

• Determining what “V”, “I” and “C” actually are is the hard part: these can be subjective without standards and precise methodologies!


Measurements & Methodologies


Quiz Time!

[Diagram: network levels (Level 4 Business Network, Level 3.5 DMZ, Level 3 Advanced Control, Level 2 Supervisory Control, Level 1) with PC “A” and PC “B” marked on it]

PC “A” is a print server. It will not impact anything if compromised.

PC “B” is an operator’s workstation. If compromised, it could directly impact production.

Q: What option would you choose for PC “A” from the following?


Understanding Consequence

• Risk Manager understands impact within an ICS


Measurements & Methodologies

If R = L x I … How do we determine “Likelihood?”

• L is a function of both Vulnerability and Threat

Vulnerability: “A vulnerability does not cause harm itself …” (ISO27005:2011)

Threat: “A threat has the potential to harm assets … e.g. unauthorized actions, physical damage, technical failures” (ISO27005:2011)


Measurements & Methodologies

[Diagram: Likelihood built from Vulnerability and Threat; a (specific) counter-measure sits against the vulnerability, a threat actor behind the threat]


Assess the Vulnerability of the ICS

• “Vulnerability” can be a broad or focused lens:

– Each asset needs to be assessed

– The entire system needs to be assessed

– You need to understand threat to understand vulnerability

• Example:

– If HMI software is susceptible to a buffer overflow, this is a very specific vulnerability of a specific software asset.

– However, if the HMI can be used to directly impact the entire system, it is also a systemic vulnerability.

– This is because malicious control of the HMI is equivalent to having an attacker at the console, and an HMI can readily be taken over across the network; recognizing that is the “understanding the threat” part.


Assess the Vulnerability of the ICS

• Perform Vulnerability Assessments, but do them carefully

– Slow scans

– Redundant pairs

– Passive methods

– No exploits!!!

• Understand the limits

– Aggressive scans tell you a lot … but they aren’t safe to use

– Less-aggressive scans are safer … but they tell you less

– No scan can tell you everything … you can’t scan for zero-days

• Enlist assistance from someone qualified and experienced in assessing ICS systems
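The “passive methods” and “redundant pairs” bullets above are the two that most often get hand-waved, so here is an added example (not part of the deck, and not the product’s code) of what they look like in practice. It builds an ICS asset and protocol inventory from flow records without sending a single packet to a controller, flags ICS-protocol sessions initiated from outside the control networks, and splits hosts into scan waves so that both members of a redundant pair are never scanned at once. The flow records, address ranges and port-to-protocol table are constructed assumptions (the ports are common defaults, which vendors can and do change); a real run would read a span-port capture, NetFlow/IPFIX export or Zeek conn.log instead.

```python
"""Passive ICS asset inventory and safe scan planning (constructed example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Common default ports of ICS protocols. Assumption: vendors can move these,
# so a passive inventory is a starting point, not proof of what a device is.
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    20000: "DNP3",
    44818: "EtherNet/IP",
    4840: "OPC UA",
}

# Constructed flow records (src_ip, dst_ip, dst_port, proto), as a span port,
# NetFlow/IPFIX export or Zeek conn.log would yield them. Nothing here
# required sending a packet to a controller.
FLOWS = [
    ("10.1.2.10", "10.1.1.20", 502, "tcp"),      # HMI -> PLC, Modbus
    ("10.1.2.10", "10.1.1.21", 502, "tcp"),
    ("10.1.2.11", "10.1.1.21", 502, "tcp"),
    ("10.1.2.10", "10.1.1.30", 102, "tcp"),      # HMI -> Siemens PLC, S7comm
    ("10.1.2.11", "10.1.2.10", 3389, "tcp"),     # RDP between Level 2 hosts
    ("10.1.3.5", "10.1.2.10", 3389, "tcp"),      # Level 3 host -> HMI over RDP
    ("192.168.50.7", "10.1.1.20", 502, "tcp"),   # business-network host speaking Modbus to a PLC
]

# Assumed control-system address ranges (Level 1 and Level 2).
CONTROL_NETS = [ip_network("10.1.1.0/24"), ip_network("10.1.2.0/24")]


def in_control_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CONTROL_NETS)


def build_inventory(flows):
    """Map each host to the ICS protocols it serves (answers on the port,
    so probably a PLC/RTU) and talks (initiates, so probably an HMI/SCADA
    server). Non-ICS traffic is ignored for this view."""
    inv = defaultdict(lambda: {"serves": set(), "talks": set()})
    for src, dst, dport, _proto in flows:
        name = ICS_PORTS.get(dport)
        if name is None:
            continue
        inv[dst]["serves"].add(name)
        inv[src]["talks"].add(name)
    return dict(inv)


def find_external_masters(flows):
    """Hosts outside the control networks that initiate ICS-protocol
    sessions: a systemic exposure, because whoever owns that host can
    drive the process without ever touching the HMI."""
    return sorted({src for src, _dst, dport, _proto in flows
                   if dport in ICS_PORTS and not in_control_network(src)})


def plan_scan_waves(hosts, redundant_pairs):
    """Split hosts into waves so that the two members of a redundant pair
    never sit in the same wave: one side always stays untouched and in
    control while the other is being scanned."""
    partner = {}
    for a, b in redundant_pairs:
        partner[a], partner[b] = b, a
    waves = []
    for host in hosts:
        for wave in waves:
            if partner.get(host) not in wave:
                wave.append(host)
                break
        else:
            waves.append([host])
    return waves


if __name__ == "__main__":
    for host, view in sorted(build_inventory(FLOWS).items()):
        print(f"{host:14s} serves={sorted(view['serves'])} talks={sorted(view['talks'])}")
    print("ICS sessions from outside control nets:", find_external_masters(FLOWS))
    print(plan_scan_waves(["plc-a", "plc-b", "hmi-1", "hmi-2"],
                          [("plc-a", "plc-b"), ("hmi-1", "hmi-2")]))
```

If an active scan is still required, the wave plan is what you hand to the scanner: one wave at a time, with conservative timing (for nmap that means a polite template such as -T2 plus --scan-delay and a fixed port list) and no version probes or scripts against controllers, and the redundant partner checked healthy before the next wave starts.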


Quiz Time!

[Diagram: network levels (Level 4 Business Network, Level 3.5 DMZ, Level 3 Advanced Control, Level 2 Supervisory Control, Level 1)]

PC “X” and “Z” are both scanned by a VA scanner and 6 critical vulnerabilities are found on each. PC “Z” is patched fully, but PC “X” is left as is.

Q: Which of the machines is vulnerable?

Options: Z / X
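To make the two quiz scenarios concrete (the print server PC “A” against the operator station PC “B”, and the fully patched PC “Z” against the unpatched PC “X”), and to show one way likelihood can be built from vulnerability, counter-measures and threat indicators as the slides describe, here is an added example. It is not Honeywell’s patented algorithm and not code from the deck; every weight, the impact-by-role table and the floor that keeps a patched host from scoring zero are illustrative assumptions.

```python
"""Illustrative node risk scoring for an ICS: R = L x I, with likelihood L
derived from vulnerability and threat indicators. Constructed example, not
the product's algorithm; all weights are assumptions chosen for illustration."""
from dataclasses import dataclass, field

# Consequence of compromise by role, 1 (no process impact) .. 5 (direct
# production impact). Assumption: in practice this comes from a consequence
# analysis of what each node can do to the process, not from the node alone.
IMPACT_BY_ROLE = {
    "print server": 1,
    "historian": 3,
    "engineering workstation": 4,
    "operator station": 5,
}

# Contribution of each observed threat indicator to the threat score (assumed).
THREAT_WEIGHTS = {"unauthorized activity": 0.3, "exploit attempt": 0.5, "active intrusion": 0.6}


@dataclass
class Node:
    name: str
    role: str
    findings: list = field(default_factory=list)         # CVSS base scores of OPEN findings
    countermeasures: set = field(default_factory=set)    # e.g. {"whitelisting"}
    threat_indicators: set = field(default_factory=set)  # e.g. {"active intrusion"}


def vulnerability_score(node: Node) -> float:
    """0..1 exposure. A fully patched host keeps a 0.1 floor: you cannot scan
    for zero-days or for misuse, so 'no open findings' is not 'not vulnerable'.
    Each compensating control damps the remaining exposure by 25%."""
    worst = max(node.findings) / 10.0 if node.findings else 0.0
    exposure = 0.1 + 0.9 * worst
    return round(exposure * 0.75 ** len(node.countermeasures), 4)


def threat_score(node: Node) -> float:
    """0..1. A 0.3 baseline reflects that credible threats exist even when
    nothing has been observed; observed indicators push it toward 1."""
    observed = sum(THREAT_WEIGHTS.get(i, 0.0) for i in node.threat_indicators)
    return min(1.0, 0.3 + observed)


def risk_score(node: Node) -> float:
    """R = L x I, with L = V x T; scaled to 0..100 for reporting."""
    likelihood = vulnerability_score(node) * threat_score(node)
    impact = IMPACT_BY_ROLE[node.role]
    return round(likelihood * impact * 20.0, 1)


def rank(nodes):
    """Highest-risk node first: this is the 'where do I start?' list."""
    return [n.name for n in sorted(nodes, key=risk_score, reverse=True)]


# Constructed nodes mirroring the two quizzes in the deck.
PC_A = Node("PC A", "print server", findings=[9.8] * 6)
PC_B = Node("PC B", "operator station", findings=[6.5, 5.3], countermeasures={"whitelisting"})
PC_X = Node("PC X", "engineering workstation", findings=[9.8] * 6)
PC_Z = Node("PC Z", "engineering workstation")  # same six criticals, fully patched
PC_Z_INTRUDED = Node("PC Z (intrusion seen)", "engineering workstation",
                     threat_indicators={"active intrusion"})

if __name__ == "__main__":
    for n in (PC_A, PC_B, PC_X, PC_Z, PC_Z_INTRUDED):
        print(f"{n.name:22s} V={vulnerability_score(n):.3f} "
              f"T={threat_score(n):.2f} R={risk_score(n):5.1f}")
    print("Start with:", rank([PC_A, PC_B, PC_X, PC_Z, PC_Z_INTRUDED]))
```

Two things fall out of running it. The print server with six criticals ranks below the operator station with two medium findings and a compensating control, because consequence dominates the product. And the patched PC “Z” drops far below PC “X” but does not reach zero; once an active-intrusion indicator is seen on it, its score climbs back above the unpatched print server, which is why a risk monitor has to watch threat indicators and not only scan results.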


Understanding Vulnerabilities

• Risk Manager looks for indicators of vulnerability

– Weak system defenses

– Poor access controls

– Susceptibility to misuse


Identify Threats Against the ICS

• What are cyber threats?

– Malware (viruses, trojans, RATs, APTs, etc.)

– Hackers (script kiddies, semi-professionals, disgruntled employees, professionals, hacker-for-hire, cyber crime, nation-state)

– Accidents (insider / employees, outside / unintentional incidents)


Identify Threats Against the ICS

– You need to understand vulnerability to understand threat

…wait? Which came first?

(just don’t hide from the truth)


Quiz Time Again!

You have some credible threat statistics here …

Q: What’s the biggest threat?


Understanding Threats

• Risk Manager looks for various indicators of active threats

– Active intrusions

– Exploits of vulnerabilities

– Unauthorized activity


What Does Risk Manager do with all of this?

Risk Manager evaluates indicators of risk using patented algorithms to generate accurate risk scores in line with industrial risk management standards


Assess Your Cyber Security Posture

How risky is my system from a security perspective?

Has something happened that I need to act on?

Where do I start?

How can I show that we are improving our security posture?

Is my control system up to date?

Am I following best practices?

When something goes wrong, what should I do?


At-a-glance Indication of Current Risk Levels


Quickly Identifies What’s Causing Risk


Finds the Root Cause, to the Node Level


Trend Risk over Time


Summary Reports on Risk Posture and Progress


Introducing the Cyber Security Risk Manager…

See it Live in the Demo Room