Expanding Cyber Security Management for Critical Infrastructure
ISSE, Wednesday 15th November '17, Brussels

Dr Andrew Hutchison, Telekom Security

[email protected]

OVERVIEW

• Attack Surface expands to include IoT/Critical Infrastructure

• Evolving Attacks

• Re-balancing the counter approach

• Broad Scope Security Monitoring

• Approach and tools

• Adding cyber-physical feeds

• Supporting implementation of ISA99/IEC62443 requirements

• Conclusions


EVOLVING NATURE OF THREATS


90% of corporate networks are protected, but only 10% of industrial networks.

• Attacks on autonomous vehicles

• Ransomware

• Zero Day Exploits

• Attacks on firmware

• Spear Phishing & faked identities

• Attacks on cloud services

• Attacks on power / heating systems

• Attacks on production plants (SCADA systems)

ATTACKS ON CRITICAL INFRASTRUCTURE ARE REAL!


Source: http://app.wiwo.de/technologie/digitale-welt/cyberangriffe-it-sicherheit-verkommt-zur-randnotiz/19568942.html?mwl=ok

SEP 2010: Stuxnet infects industrial plant; access to Iranian nuclear plant

MAY 2015: Attack on IT of German Bundestag; complete exchange of IT

DEC 2015: Ukraine: attack on power grid; 80,000 people without power

FEB 2016: Ransomware attack on hospital; IT systems shut down

NOV 2016: Mirai botnet attack on routers; 900,000 people without internet

FROM PREVENTION TO “PREVENTION. DETECTION. REACTION.”


Responding to Targeted Cyberattacks, ISACA

BROAD SCOPE SECURITY MONITORING: SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)

EXAMPLE SIEM SERVICE AND DELIVERY MODEL – CLOUD.

[Diagram: Customer 1 and Customer 2 sites, each with sensors (Sensor HQ, Sensor Office 1, Sensor Office 2), WebMail and AV servers, connected over the Internet to the MSSP's SOC; stakeholders shown are the CSO and the Head of IT]

Dedicated, customer-specific virtual cyber defense server operated by an MSSP: storage of security events, threat intelligence, reporting.

Sensors for data collection and normalization are installed in the customer's infrastructure. The data is forwarded to the customer's cyber defense server for processing.

EXAMPLE SIEM SERVICE AND DELIVERY MODEL – ON-PREMISES.

[Diagram: HQ, Factory 1, Factory 2 and Office Finland (Germany/Finland), each with a sensor, WebMail and an on-site server, connected over the Internet to the SOC; stakeholders shown are the CSO and the Head of IT]

Only alarm data gets forwarded to the SOC; the data remains on-site at the customer.

Sensors for data collection & normalization are installed in the customer's infrastructure. The data is forwarded to an on-site customer server for processing.
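As an added illustration of the sensor-to-SOC split described on these two slides (this is not code from the presentation or from any Telekom Security product), the Python sketch below normalizes constructed raw records from a hypothetical firewall syslog and a hypothetical ICS-gateway JSON feed into one event schema and forwards only the events that cross an alarm threshold; the schema, field names, severity scale and threshold are all assumptions.

```python
import json
import re

# Constructed sample input: a hypothetical firewall syslog line and a hypothetical
# ICS-gateway JSON event; neither format belongs to a real product.
RAW_EVENTS = [
    "Nov 15 10:02:11 fw-factory1 kernel: DROP IN=ot0 SRC=10.20.1.15 DST=203.0.113.9 PROTO=TCP DPT=443",
    '{"ts": "2017-11-15T10:03:40Z", "host": "plc-gw-2", "type": "firmware_change",'
    ' "asset": "PLC-07", "old": "2.1.0", "new": "2.2.0", "user": "svc-maint"}',
    "Nov 15 10:04:02 fw-factory1 kernel: ACCEPT IN=ot0 SRC=10.20.1.15 DST=10.20.2.3 PROTO=TCP DPT=502",
]

# Assumed severity scale (1 = informational, 5 = critical) and the threshold at
# which an event becomes an alarm that leaves the site; the rest stays local.
SEVERITY = {"firewall_accept": 1, "firewall_drop": 3, "firmware_change": 5}
ALARM_THRESHOLD = 3

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: (?P<action>DROP|ACCEPT) "
    r".*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dport>\d+)"
)

def normalize(raw: str) -> dict:
    """Map one raw sensor record onto the common (assumed) event schema."""
    if raw.lstrip().startswith("{"):
        rec = json.loads(raw)
        return {"ts": rec["ts"], "host": rec["host"], "type": rec["type"],
                "src": rec.get("asset"), "dst": None,
                "detail": {k: rec[k] for k in ("old", "new", "user") if k in rec},
                "severity": SEVERITY.get(rec["type"], 2)}
    m = SYSLOG_RE.match(raw)
    if m is None:
        # Unparsed input is not dropped silently: it becomes an event of its own.
        return {"ts": None, "host": None, "type": "parse_error", "src": None,
                "dst": None, "detail": {"raw": raw}, "severity": 2}
    etype = "firewall_" + m["action"].lower()
    return {"ts": m["ts"], "host": m["host"], "type": etype,  # syslog ts lacks a year
            "src": m["src"], "dst": m["dst"],
            "detail": {"dport": int(m["dport"])}, "severity": SEVERITY[etype]}

def sensor_pipeline(raw_events):
    """Normalize everything, keep it on-site, and return only alarms for the SOC."""
    events = [normalize(r) for r in raw_events]
    alarms = [e for e in events if e["severity"] >= ALARM_THRESHOLD]
    return events, alarms
```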

MONITORING IT + OT ENVIRONMENTS WITH IoT SOURCES

SUPPORTING THE IMPLEMENTATION OF ISA99/IEC62443 REQUIREMENTS

FR 2 – Use Control, including

SR 2.8 – Auditable events

SR 2.9 – Audit storage capacity

SR 2.10 – Response to audit processing failures

SR 2.11 – Timestamps

FR 3 – System Integrity, including

SR 3.2 – Malicious code protection

SR 3.3 – Security functionality verification

FR 5 – Restricted data flow, including

SR 5.2 – Zone boundary protection

FR 6 – Timely response to events, including

SR 6.1 – Audit log accessibility

SR 6.2 – Continuous monitoring

• Firewall protection for industrial networks and switching systems across different locations

• Mobile connection and integration into existing systems (SIEM) possible

• Full control of remote access

• Secure management of all suppliers

• Compliance-conformant documentation via the Rendezvous Server

• Intelligent, continuous risk management for the whole production network

• "Zero Impact" installation

• Continuous analysis of vulnerabilities and risk assessment

PROTECTION OF CRITICAL INDUSTRIAL INFRASTRUCTURE


[Diagram: three example component groups]

• Industrial Threat Protection

• Industrial Network Protection

• Industrial Access Protection

INDUSTRIAL CONTROL SYSTEM SECURITY COMPONENTS


SOC Consulting

• Industrial Threat Protection ("Industrial SIEM") – Visibility: Monitoring & Response; assets, topology, flows, change, vulnerabilities, attacks

• Industrial End-Point Protection ("Industrial End-Point Protection") – anti-malware, port and device control, memory protection, firmware & control-logic integrity

• Industrial Network Protection ("Industrial Firewall") – Network Segmentation; control flows

• Industrial Access Protection ("Industrial IAM") – Access Control; user & identity management, remote access, privileged access

[Diagram: the components sit between the OT-Net and the OT*-Net]

CONTINUOUS RISK MANAGEMENT, RELIABILITY, ATTACK DETECTION & COMPLIANCE REPORTING


[Diagram: ICS Control Center with Industrial Threat Protect Pro]

* OT: Operational Network

** DNA: Device-Network-Application relation

Magenta Security

EXAMPLE ICS NETWORK CONTROL


END-TO-END NETWORK SECURITY & DATA FLOW CONTROL & INSPECTION


[Diagram: ICS Control Center with Industrial Network Protect Pro]

* OT: Operational Network

FULL CONTROL FOR REMOTE MAINTENANCE ACCESS


[Diagram: Technician, Secure Tunnel, Management Portal, Rendezvous Server]

TYPICAL NETWORK ARCHITECTURE & INTEGRATION


SIEM / SOC Integration and Monitoring

LOCAL AND CENTRALISED INFRASTRUCTURE VIEWS


ICS ATTACK VECTOR PATHS AND PREDICTION


ICS EXAMPLE SECURITY USE CASES

Security Measure: Description

Inventory & Asset Management: Identify all assets connected to the ICS environment, including PCs, laptops, switches, PLCs, servers, thin clients etc.

Patch Management: Ensure devices are patched to the latest approved version in order to reduce vulnerabilities.

PLC Update Management: Ensure PLC firmware is up to date and stays current with all security-related fixes.

Change Management: Ensure that no changes are made to plant, equipment or process without authorisation.

Perimeter Leakage: Detect devices connected to external networks.
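To show how the use cases in this table become detection logic, the following is an added example (not from the presentation): a constructed address plan, asset inventory, approved-change list and event batch, all with hypothetical names, addresses and versions, evaluated by rules for the inventory, PLC update, change management and perimeter leakage measures.

```python
from ipaddress import ip_address, ip_network

# Constructed plant data: address plan, asset inventory, approved PLC firmware
# and approved change tickets. Names, addresses and versions are hypothetical.
OT_NETWORKS = [ip_network("10.20.0.0/16")]
APPROVED_PLC_FIRMWARE = "2.1.0"
APPROVED_CHANGES = {("PLC-07", "2.1.0", "2.1.1")}  # (asset, from, to)
INVENTORY = {
    "10.20.1.15": {"name": "PLC-07", "kind": "PLC", "firmware": "2.1.0"},
    "10.20.1.16": {"name": "PLC-08", "kind": "PLC", "firmware": "2.0.3"},
    "10.20.2.3": {"name": "HMI-01", "kind": "HMI", "firmware": "5.4"},
}

# Constructed normalized events as a sensor would deliver them to the SIEM.
EVENTS = [
    {"type": "flow", "src": "10.20.1.16", "dst": "10.20.2.3", "dport": 502},
    {"type": "flow", "src": "10.20.1.15", "dst": "203.0.113.9", "dport": 443},
    {"type": "flow", "src": "10.20.1.99", "dst": "10.20.2.3", "dport": 502},
    {"type": "firmware_change", "asset": "PLC-07", "old": "2.1.0", "new": "2.2.0"},
]

def is_external(ip: str) -> bool:
    """True when the address lies outside the plant's own address plan."""
    addr = ip_address(ip)
    return not any(addr in net for net in OT_NETWORKS)

def evaluate(events, inventory, approved_changes, approved_fw):
    """Apply the use cases to an event batch; returns (use_case, message) findings."""
    findings = []
    for e in events:
        if e["type"] == "flow":
            if e["src"] not in inventory:   # Inventory & Asset Management
                findings.append(("inventory", f"unknown device {e['src']} on the ICS network"))
            if is_external(e["dst"]):       # Perimeter Leakage
                findings.append(("perimeter_leakage",
                                 f"{e['src']} reaches external {e['dst']}:{e['dport']}"))
        elif e["type"] == "firmware_change":  # Change Management
            if (e["asset"], e["old"], e["new"]) not in approved_changes:
                findings.append(("change_management",
                                 f"unapproved firmware change on {e['asset']}: {e['old']} -> {e['new']}"))
    for asset in inventory.values():      # PLC Update / Patch Management
        if asset["kind"] == "PLC" and asset["firmware"] != approved_fw:
            findings.append(("plc_update",
                             f"{asset['name']} runs {asset['firmware']}, approved is {approved_fw}"))
    return findings
```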


THREAT INTELLIGENCE

www.sicherheitstacho.eu

CONCLUSIONS

• While the management of Cyber Security environments within the Information Technology (IT) area is fairly well defined and understood, the incorporation of Operational Technology (OT) and cyber physical systems into such management frameworks and systems is less mature.

• For Critical Infrastructure (CI) in particular, it is essential that security management is conducted in a well implemented manner – especially since many of the controllers and connectivity / management models are primitive compared to IT type devices.

• Security models are often limited, with the assumption that physical isolation or protection of devices will ensure that they are not manipulated in unexpected or unauthorised ways.

• Implementation of cyber physical systems is typically layered with devices, connectivity, processing (possibly cloud), horizontal services (for example IoT enabling platforms) and vertical services (for example specific to healthcare, connected car, energy, etc.) combining to form an OT solution.

• For enhanced management of cyber physical systems, security related events can be collected and inspected – using guidelines such as the International Society for Automation (ISA) standards for Industrial Automation and Control Systems (IACS). In particular the ISA-62443-1

• A requirement for end-to-end security extends across all of these services, and it is towards this goal that such systems need to develop.


Questions?