Monitoring Your OT Systems for Cybersecurity Threats… · 100 GBPS DDoS attacks increased in...


Transcript of Monitoring Your OT Systems for Cybersecurity Threats… · 100 GBPS DDoS attacks increased in...

Page 1: Monitoring Your OT Systems for Cybersecurity Threats… · 100 GBPS DDoS attacks increased in frequency by 140% 2017 DDoS target were repeatedly hit 32 times within three months

Monitoring Your OT Systems for Cybersecurity Threats

usa.siemens.com Unrestricted © Siemens Industry, Inc. 2019

Page 2

Agenda

• Global industrial cybersecurity threat picture and situational awareness

• Why the Board should be concerned

• Balancing IT and OT cybersecurity demands

• The impact of functional safety on OT cybersecurity

• Establishing an OT monitoring approach

• Next steps

Page 3

Agenda (repeated from Page 2)

Page 4

Global Cyber Threat Trends

A growing trend of using cyberattacks to target critical infrastructure and strategic industrial sectors is raising fears that, in a worst-case scenario, attackers could trigger a breakdown in the systems that keep societies functioning.

2016: 357 million new malware variants

Cybercriminals have an exponentially increasing number of potential targets, because the use of cloud services continues to accelerate.

2016: 4+ billion data records breached

2017: Cost of responding to a cyber-attack: $15 million per company (27.4% year-on-year increase)

2016: 100 Gbps DDoS attacks increased in frequency by 140%

2017: DDoS targets were repeatedly hit, 32 times within three months (avg.)

Government regulator: Transportation sector systems are subject to an average of 1,000 attacks each month

Threat intelligence: Increase in spear-phishing emails (stealing data or installing malware) against companies operating nuclear plants

2017: Ransomware affected 300,000+ computers

Source: The Global Risk Report 2018, 13th Edition

Page 5

A Brief History of Attacks on OT Systems: attack frequency and impact is increasing

• 2005, Daimler-Chrysler: production outage, 50k employees affected

• 2010, Stuxnet: damage to Iran's nuclear program

• 2015, Ukraine power grid: power outage, 230k people affected

• 2016, Thyssen Krupp: industrial espionage, attack on steel plant

• 2017, Maersk: ransomware attack, huge outage, €300M damage

• 2018, Baltimore: ransomware attack, dispatch system outage, manual dispatching of emergency services

• 2019, Norsk Hydro: ransomware attack, outage forced manual operations, USD 50M cost?

Page 6

Types of Cyber Attacks on Control Systems

Industrial control systems and operational technology systems experience traditional IT attacks and sophisticated advanced persistent threats which alter the mission of the control system.

IT SYSTEMS

• Typical IT systems experience cyber attacks that compromise confidentiality.

• The primary objective of most attackers is to gain unauthorized access to infrastructure and data; the secondary objective is to render a service unusable (DDoS).

• Attacks on IT systems usually deploy a simpler kill chain.

• Little to no threat of inflicting a cyber-physical impact.

INDUSTRIAL CONTROL SYSTEMS

• Typical ICS systems experience cyber attacks that compromise availability or safety.

• The primary objective of most attackers is to gain unauthorized access to steal information (intellectual property or engineering information); the secondary objective is to have a physical impact.

• Attackers utilize information about an industrial system (hacked, public domain or research) to understand the process and conduct complex attacks.

• There is a higher risk of causing cyber-physical damage, with increased threat to human life and environmental contamination.

• Loss of control includes unauthorized changes in control system logic that deviate from the intended outcome.

Page 7

Agenda (repeated from Page 2)

Page 8

Impact of an Industrial Cybersecurity Breach/Incident

Recent reports from both government and private communities have highlighted the risk that cyber hacking may now cause serious physical injury or damage. Because of the intensely interconnected state of critical sectors, a cyber-physical disruption is more likely to trigger a domino effect with a higher magnitude of impact.

• Financial loss

• Intellectual property theft

• Public image

• Shareholder confidence

• Injury or fatal accident

• Destruction of property

Page 9

In the news…

Page 10

Agenda (repeated from Page 2)

Page 11

Information Technology Security vs Operational Technology Cybersecurity

Industrial control systems utilizing operational technology are different in architecture, design and ways of working from the traditional information technology used in an enterprise environment. This creates

Comparison of Information Technology (IT) and Operational Technology (OT):

Purpose
IT: Transaction processing; systems analysis and applications; technical and business analytics; human decision support
OT: Asset monitoring and control; process control, metering and protection; device-to-device communication; server-to-device communication

Operating environment
IT: Corporate data centers; offices and server rooms; control centers
OT: Substations; field equipment; control centers

Input data
IT: Manual data entry; other IT systems; data from OT systems
OT: Transducers and sensors via RTUs and PLCs; IEDs, relays and meters; operator inputs and other OT systems

Output data
IT: Summaries; results of analysis and calculations; commands issued to other OT systems
OT: Device control actions; displays of status and alarms; operating logs

Owners
IT: CIO and IT departments; finance; operations
OT: Operations and engineering managers; line of business managers; maintenance departments

Connectivity
IT: Corporate network, IP-based
OT: Process control networks, IP-based, serial, hardwired analog and digital

Suppliers
IT: Many options for products and services; skill set and competence available
OT: Few options for products and services; fewer industry-specific resources with specialized skills

Consider these while planning for OT security:

• What are the security objectives?

• What assets (man, machine, methods) need to be secured?

• How can you mitigate cybersecurity risk in widely distributed and often harsh terrain?

• Does the existing operating process, technology and environment consider security (built with security in mind)?

• Can existing systems and data be used effectively (without any alteration) to address security objectives?

• Am I monitoring alarms, logs and systems for signs of cyber intrusion or attack?

• Who is responsible for OT security?

• Do IT staff have ICS/OT skills, or do engineering staff have security skills?

• Is my facility and critical infrastructure really air-gapped?

• Does the security vendor or consulting firm have the knowledge and credentials to support my industry's unique security requirements?

• Do the security tools and products understand OT protocols without much customization?

Page 12

The myth about air gaps

IN THEORY | IN PRACTICE (image slide)

Sources:
https://www.pinterest.com/pin/378443174911816347/
https://www.apartmenttherapy.com/hide-your-usb-drive-next-to-yo-74552

Page 13

Agenda (repeated from Page 2)

Page 14

Functional Safety and Cybersecurity

Cybersecurity

Defence against negligent and wilful actions to protect devices and facilities

Functional Safety

Defence against random and systematic technical failure to protect life and environment

Page 15

Relationship between Functional Safety & Cybersecurity

Generic standard for functional safety: IEC 61508:2010.

IEC 61508, clause 7.4.2.3: "If the hazard analysis identifies that malevolent or unauthorised action, constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried out. NOTE 3 For guidance on security risks analysis, see IEC 62443 series."

IEC 61508, clause 7.5.2.2: "If security threats have been identified, then a vulnerability analysis should be undertaken in order to specify security requirements. NOTE Guidance is given in IEC 62443 series."

(Figure: IEC 61508 referring to IEC 62443 for security.)

Page 16

Requirements for Cybersecurity

Foundational requirements for product development according to IEC 62443:

FR 1 – Identification and authentication control

FR 2 – Use control

FR 3 – System integrity

FR 4 – Data confidentiality

FR 5 – Restricted data flow

FR 6 – Timely response to events

FR 7 – Resource availability

(Figure: the seven foundational requirements arranged around an IACS with PLC, operator, administrator and patch icons.)

Page 17

Lifecycle for Functional Safety and Cybersecurity

Functional Safety (IEC 61508): Safety Integrity Level (SIL) 1 – 4. Probability of a dangerous failure in:

SIL 1 ≈ 10 years

SIL 2 ≈ 100 years

SIL 3 ≈ 1,000 years

SIL 4 ≈ 10,000 years

Cyber Security (IEC 62443): Security Level (SL) 1 – 4

SL 1 Protection against casual or coincidental violation

SL 2 Protection against intentional violation using simple means

SL 3 Protection against intentional violation using sophisticated means

SL 4 Protection against intentional violation using sophisticated means with extended resources

Combined lifecycle phases (numbered as in the IEC 61508 overall safety lifecycle):

1 Concept

2 Overall scope definition

3 Hazard and risk analysis / Risk and threat analysis

4 Overall safety & security requirements

5 Overall safety & security requirements allocation

9 Specification of E/E/PE system

10 Realization of E/E/PES systems

12 Overall installation and commissioning

13 Overall validation

14 Overall operation, maintenance and repair

16 Decommissioning

Page 18

Triton – a seminal moment – reported December 2017

Sources:
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html
https://www.eenews.net/stories/1060123327

Triton acts as a "payload" after hackers have already gained deep access to a facility's network. When Triton is installed in an industrial control system, the code looks for Schneider's Triconex equipment, confirms that it can connect to it, and then begins injecting new commands into its operations. If those commands aren't accepted by the Triconex components, it can crash the safety system.

• SIS controllers entered a failed-safe state

• Target: Petro Rabigh plant, Saudi Arabia

• Attribution: Russian government-owned lab

Page 19

Agenda (repeated from Page 2)

Page 20

Industrial and OT Asset Management and Monitoring – Increasingly a Regulatory and Statutory Requirement

Up-to-date asset information is essential for maintaining critical operations and to optimize security investments.

Prescribed by industry regulations and international standards: ISA 99 / IEC 62443; ISO 27001 & ISO 27005; ISO 31000; ISO 22301; NIST SP 800-82 r2; NIST SP 800-53.

Security prerequisite:

• Security policy and compliance

• End point protection and information privacy

• Incident identification and management

• Risk assessment and mitigation

Operational requirement:

• Spare management

• Asset consolidation

• Change management

• Capacity management

Page 21

OT Monitoring and Threat Detection is Paramount

OT environments require passive monitoring techniques.

(Figure: reference architecture with a monitoring sensor attached to the network switch at each level. Level 4 Corporate Network: SIEM, Active Directory/LDAP, CMDB. Level 3 Operations and Control: workstations, domain controller, historian. Level 2 Supervisory Network: engineering workstation, DCS/SCADA server, HMI. Level 1 Control Network: PLC/RTUs. ICS Network 1.)

Threat management capabilities:

• Asset discovery and inventory

• Communication profile

• Vulnerability assessment

• Threat detection & response

• Efficient compliance

• Threat modelling

Service delivery models:

1. Pilot and proof of value engagement (one time)

2. OT cybersecurity risk assessment (one time or regular)

3. Managed service for OT security monitoring (continuous protection)

Page 22

OT Monitoring and Threat Detection

It goes beyond cybersecurity and provides value for daily OT operations.

Enhance network visibility:

• Provide a full list of assets inside networks

• Identify the role of each component

• Identify new and inactive nodes

Enhance industrial visibility:

• Provide a full list of PLCs in the network

• Identify process variables and changes to their values

• Analyze PLC traffic bandwidth usage

Asset management:

• Automated and up-to-date asset inventory

• Software and firmware versions

• Serial numbers

Enhance operations (track actions and trigger events based on operational issues):

• Reconnections

• Idle links

• Bandwidth limits exceeded

OPERATIONAL ICS VISIBILITY: Asset Management; Network Visualization & Modelling; Real-time Network Monitoring; Dynamic OT Behavioural Learning
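The passive "communication profile" on Page 21 and the "new and inactive nodes" and "dynamic OT behavioural learning" points above can be shown in a few dozen lines. This is an added example, not code from the presentation or from any Siemens or TÜV Rheinland product: it learns a baseline from constructed flow metadata (as a sensor on a switch SPAN port would see it; host names and protocol labels are hypothetical) and then alerts on a new node, a never-seen relationship such as an HMI's first write, and a node that has gone silent.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One observed request, as a passive sensor on a switch SPAN port records it."""
    ts: int      # seconds since capture start
    src: str     # requesting host
    dst: str     # responding device
    proto: str   # industrial protocol label (constructed names)
    op: str      # high-level operation: "read" or "write"

# Constructed learning window: normal traffic in a small cell (hypothetical hosts)
LEARN = [
    Flow(0, "hmi-01", "plc-01", "modbus", "read"),
    Flow(5, "hmi-01", "plc-02", "modbus", "read"),
    Flow(10, "ews-01", "plc-01", "s7comm", "read"),
    Flow(12, "ews-01", "plc-01", "s7comm", "write"),
    Flow(20, "hist-01", "plc-02", "modbus", "read"),
]

# Constructed monitoring window: the same cell some time later
MONITOR = [
    Flow(100, "hmi-01", "plc-01", "modbus", "read"),
    Flow(105, "hmi-01", "plc-01", "modbus", "write"),   # HMI never wrote during learning
    Flow(110, "laptop-77", "plc-02", "s7comm", "read"),  # node never seen before
    Flow(115, "ews-01", "plc-01", "s7comm", "read"),
    Flow(130, "hmi-01", "plc-02", "modbus", "read"),     # hist-01 is silent all window
]

def learn_baseline(flows):
    """Communication profile: set of (src, dst, proto, op) plus the set of known nodes."""
    profile = {(f.src, f.dst, f.proto, f.op) for f in flows}
    nodes = {n for f in flows for n in (f.src, f.dst)}
    return profile, nodes

def detect(profile, nodes, flows, idle_after):
    """Return (kind, detail) alerts for a window compared with the baseline:
    new_node (host absent during learning), new_relationship (an unseen
    src/dst/proto/op, e.g. a known host's first write) and idle_node (a
    baseline node silent for more than idle_after seconds at window end)."""
    alerts, reported, last_seen = [], set(), {}
    for f in flows:
        for n in (f.src, f.dst):
            last_seen[n] = f.ts
            if n not in nodes and ("new_node", n) not in reported:
                reported.add(("new_node", n))
                alerts.append(("new_node", n))
        rel = (f.src, f.dst, f.proto, f.op)
        if rel not in profile and rel not in reported:
            reported.add(rel)
            alerts.append(("new_relationship", f"{f.src}->{f.dst} {f.proto} {f.op}"))
    end = max(f.ts for f in flows)
    for n in sorted(nodes):
        seen = last_seen.get(n)
        if seen is None or end - seen > idle_after:
            alerts.append(("idle_node", n))
    return alerts

if __name__ == "__main__":
    print(*detect(*learn_baseline(LEARN), MONITOR, idle_after=60), sep="\n")
```

A real sensor would key the profile on decoded protocol fields (function codes, addresses, value ranges) rather than a read/write label, but the baseline-then-deviation logic is the same.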

Page 23

Achieving a complete picture across OT and the entire enterprise

Attackers will use IT systems to access OT systems (and vice-versa!)

Threat Management: Detection and Response in OT/IT environments

(Figure: Level 4/5 Business & Enterprise: Enterprise Network with Internet, ERP, MIS, Apps/Server, Endpoints, AD/LDAP, ITSM/CMDB and Extranet. A DMZ separates it from the ICS Network. Level 3 Operations and Control: network switch with monitoring sensor, workstations, domain controller, historian. Level 2 Supervisory Network: network switch with monitoring sensor, engineering workstation, DCS/SCADA server, HMI. Level 1 Control Network: network switch with monitoring sensor, PLC/RTUs.)

DEFENCE CENTRE (connected via "Extranet"):

• Data from security infrastructure: IT endpoint, server, DB, apps; business apps / transactions

• Data from passive OT monitoring and security infrastructure: IT endpoint, server, apps

• Data from passive OT monitoring and security infrastructure: OT-IT endpoints (limited)

• Integrated platform: log & data management; security analytics; API; content library; threat feeds; social-media feeds

Page 24

Asset Information Discovery: Sample Output

An asset information discovery report can include device subparts such as:

• The inner components of a modular PLC

• Physical device state and information, as well as logical device state and information

• Logical node subsystems

Page 25

OT Incident Response

Event or incident

• Actor: innocent employee; malicious employee; organized criminals; competitor espionage; hacker; hacktivists; state espionage; …

• Motive: none (innocent employee); re-sale of assets; publicity; …

Is discovered → Internal response

• Incident Response Team. Primary services: legal and forensics; primary response services

• Incident Management Team. Secondary services: crisis PR; notification communication; call centre

Indicative timeline (not to scale): 1 hour, 1 day, 2 days, 1 week, 1 month, 6 months, 12 months

• Incident triage

• Communication to customers / partners

• Communication to regulators

• Communication to law enforcement

• Post incident review and workshop

Q. Would your control room staff recognise a cybersecurity event/incident?

Page 26

Next steps

Understand your risk by conducting an assessment of your plants, factories, products or sites

Consider implementing OT systems monitoring as soon as possible

Regularly monitor new and emerging cyber risks on your OT network

Understand how new connected systems can enhance productivity and safety if properly implemented

Review and watch for new and emerging legislation and regulations that may impact cybersecurity in your industry

Page 27

Questions?

LEGAL DISCLAIMER

This document remains the property of TÜV Rheinland. It is supplied in confidence solely for information purposes for the recipient. Neither this document nor any information or data contained therein may be used for any other purposes, or duplicated or disclosed in whole or in part, to any third party, without the prior written authorization by TÜV Rheinland. This document is not complete without a verbal explanation (presentation) of the content.

TÜV Rheinland AG

Contact details:

[email protected]

Industrial Security in 2019: A TÜV Rheinland Perspective: www.tuv.com/ot-security19

Cybersecurity Trends 2019: www.tuv.com/cybersecuritytrends2019