Cyber Risk Mitigation via Security Monitoring Enhanced by Managed Services

© 2015 Honeywell International All Rights Reserved

Focus: Up to But Not Including Corporate and 3rd Party Networks

[Reference architecture diagram, Level 1 through Level 4 with a Level 3.5 DMZ. Components shown: Router, ESC, ESF, EST, ACE, Experion Server, ESVT, Safety Manager, Terminal Server, Qualified Cisco Switches, Optional HSRP Router, Domain Controller, EAS, PHD Server, Firewall, 3rd Party App Subsystem Interface, Patch Mgmt Server, Anti Virus Server, eServer, PHD Shadow Server, and Corporate and 3rd Party/Vendor/Contractor/Maintenance Connections. The diagram is labelled "Industrial Cyber Security" on the control-system side and "IT Cyber Security" on the corporate side.]


ICS Continuous Monitoring: Making the Case


Critical Infrastructure Cybersecurity Framework (http://www.nist.gov/cyberframework/)

Functions:

• IDENTIFY
• PROTECT
• DETECT
• RESPOND
• RECOVER

Maps controls to:

• ISO 27001
• ISA 99/IEC 62443
• NIST SP 800-53
• COBIT 5
• CCS CSC


Function Elements (Critical Infrastructure Cybersecurity Framework, http://www.nist.gov/cyberframework/)

• IDENTIFY: Hardware & Software Inventory, Policy & Procedures, Network Topology, Security Risk Assessments
• PROTECT: Firewalls, Passwords, Antivirus, Patching, USB Control, Physical Security, Change Control, Backup & Recovery
• DETECT: ?
• RESPOND: ?
• RECOVER: ?


Industrial Cyber Attacks & Incidents Are Rising

Information Stealer Malware

Worm Targeting SCADA and Modifying PLCs

Virus Targeting Energy Sector Largest Wipe Attack

Virus for Targeted Cyber Espionage in Middle East

Worm Targeting ICS Information Gathering and Stealing

Large-Scale Advanced Persistent Threat Targeting Global Energy

APT Cyber Attack on 20+ High Tech, Security & Defense Cos.

Cyber-Espionage Malware Targeting Gov’t & Research Organizations

Industrial Control System Remote Access Trojan & Information Stealer

Security Bug and Vulnerability Exploited by Attackers


What do these 3 Plants have in common?

German Steel Plant

Turkish Pipeline

Iranian Nuclear Facility


Increased Activity & Success

Nov 20, 2014: NSA Chief FINALLY states:

“It’s already happened!”

Jan 23, 2015: Cisco CEO states:

“Cyber Attacks will double this year”


Common Thread

• Most of these attacks could have been stopped using good protection and detection capabilities
• The results/effects of ALL of these attacks could have been reduced via continuous monitoring

Is your ICS currently infected or under attack?


ICS Continuous Monitoring: Key Elements


Key Events to Monitor

• Network Activity Logs: ACL Rules, Utilization Spikes, Passwords/Strings
• System Audit Logs: Unauthorized Access, Disabling Controls, Configuration Changes
• System Availability/Performance: Application Health, CPU Utilization, Hardware Errors, Overruns
• Administrative Changes: GPO Modifications, Group Additions, Enabling USB Devices
• Software Update Compliance: Aging for Virus Signatures, Security Patches, Software Updates
• Virus Infections


Key Devices to Monitor

• Control Systems Servers
• Controllers
• Safety Managers
• Historians
• Network Devices (firewall, switch, wireless)
• Windows Servers
• Workstations (operator & engineering)
• System Backups
• Virtual Hosts
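As an added example that is not part of the deck, the following Python turns two of the event categories above (software update compliance aging; administrative changes and disabling of controls) into alert checks over constructed inventory records and Windows Security log events for the kinds of devices just listed. The age thresholds, the set of watched event IDs and the change-ticket correlation are this example's assumptions, not Honeywell's method.

```python
"""Added example (not from the Honeywell deck): alert checks for two of the
"Key Events to Monitor" categories, run over constructed sample data."""
from datetime import date

# "Software Update Compliance": max age in days; thresholds are this example's assumption.
MAX_AGE_DAYS = {"av_signature": 7, "security_patch": 90}

# "Administrative Changes" / "Disabling Controls": standard Windows Security log IDs (watched set is an assumption).
WATCHED_EVENTS = {
    4728: "member added to a global security group",
    5136: "directory object modified (how GPO edits surface)",
    1102: "security audit log cleared",
}

def check_update_compliance(assets, today):
    """Return (host, item, age_days) for every signature/patch older than its limit."""
    stale = []
    for asset in assets:
        for item, limit in MAX_AGE_DAYS.items():
            age = (today - asset[item]).days
            if age > limit:
                stale.append((asset["host"], item, age))
    return stale

def check_admin_changes(events, approved_changes):
    """Flag watched events that do not reference an approved change-control ticket."""
    alerts = []
    for ev in events:
        desc = WATCHED_EVENTS.get(ev["event_id"])
        if desc and ev.get("change_id") not in approved_changes:
            alerts.append((ev["host"], ev["event_id"], desc))
    return alerts

# Constructed sample inventory and events (hostnames echo the deck's device names).
TODAY = date(2015, 8, 15)
SAMPLE_ASSETS = [
    {"host": "ESF-01", "av_signature": date(2015, 8, 14), "security_patch": date(2015, 7, 1)},
    {"host": "PHD-SRV", "av_signature": date(2015, 7, 20), "security_patch": date(2015, 3, 1)},
]
SAMPLE_EVENTS = [
    {"host": "DC-01", "event_id": 4728, "change_id": "CHG-1001"},  # approved group change
    {"host": "DC-01", "event_id": 5136, "change_id": None},        # GPO edit with no ticket
    {"host": "ESVT-01", "event_id": 1102},                         # audit log cleared
]
APPROVED_CHANGES = {"CHG-1001"}

if __name__ == "__main__":
    print(check_update_compliance(SAMPLE_ASSETS, TODAY), check_admin_changes(SAMPLE_EVENTS, APPROVED_CHANGES))
```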


Obstacles to Effective Monitoring

• Budget for required utilities: Intrusion Detection Systems; Security Information & Event Management; Logging Agents, Relay Servers, Databases, etc.
• Personnel required for administration: initial installation of the components above; analysis of events to determine what is critical; investigation of alerts to determine next steps
• Other concerns: competing DCS priorities; training on new technology; different expertise per location


Continuous Monitoring Best Practice

Hire a company to monitor your systems for ¼ the price, but only if they have the following:

• Expertise in Control System security
• Methodology that complies with IEC 62443
• Passive, Comprehensive, Secure
• 100s of current ICS customers
• Follow-the-sun support model
• Geographically separate operating facilities
• Vendor Agnostic


Questions


Voice of Customer

1. For patching updates, are you using manual or automated processes? Manual ____ Automated ____

2. For antivirus updates, are you using manual or automated processes? Manual ____ Automated ____

3. On a scale of 1-10 (10 being very satisfied), how satisfied are you with how you currently monitor the security of your control system?

4. If you are not currently using Whitelisting, how soon do you intend to add Whitelisting to your cyber security program? Within 6 months / 1 year / 2 years or beyond / Never


Thank You