The Fusion Centre and the Protection of the Enterprise
ICS/SCADA Security and Critical Infrastructure Protection
Dany Gagnon
February 2017
Executive Security Advisor, IBM Security Business Unit, Central and Eastern Europe
[email protected]
+421 911 076 036
@DanyGagnon
linkedin/in/DanyGagnon
2 IBM Security
Challenges facing many ICS/SCADA (OT) environments today
• Availability is paramount; integrity and confidentiality are secondary
• The native protocols are insecure, and measures to improve them move slowly
• OT environments are slow to upgrade given the critical nature of the systems – once a system is to be updated, it is done in a slow, methodical fashion to ensure dependent systems remain available
• OT networks run older (sometimes outdated) operating systems
• OT networks run older antivirus signature (‘.dat’) files so that the latency of rolling out a new ‘.dat’ file does not impact availability
• OT networks are often viewed as secure by virtue of their ‘obscurity’ and the layered firewalls surrounding them
• OT vendors are slow to implement security in their appliances and devices
• Once a system is deployed, it will remain in operation for decades
• Latency is not acceptable: the control system and the PLC communicate in real time
• Native OT protocols are neither encrypted nor authenticated
• Blocking traffic is not acceptable
IT / OT convergence creates additional pressures
In the past, OT was …
• isolated from IT
• run on proprietary control protocols
• run on specialized hardware
• run on proprietary embedded operating systems
• connected by copper and twisted pair
Now OT is …
• bridged into corporate networks
• riding common internet protocols
• run on general purpose hardware with IT origins
• running mainstream IT operating systems
• increasingly connected via standard wireless technologies
What was air gapped and proprietary is now connected and general purpose
Distinct differences between corporate IT and OT security
Area | Corporate IT | ICS/SCADA (OT)
Antivirus / Malware | Widely used | Used with care
Lifetime | 3-5 years | 5-20 years
Outsourcing | Widely used | Rarely used for operations
Patching | Frequent | Slow (requires vendor approval or extensive testing)
Change | Frequent | Rare
Security Skills and Awareness | Medium to High | Poor IT security, no awareness training
Security Testing | Widely used | Must be used with care
Physical Security | Usually secure and manned | Good controls but often remote and unmanned
Threat actors are more sophisticated, with access to tools that make it easy to infiltrate critical infrastructures
Who
• Nation States
• Intelligence
• Hacktivists
• Insiders
Why
• Valid Credentials
• Access
• Sabotage
• Data
• Understand you
How
• Stuxnet variants
• New Exploits
• Shodan – like Google, it searches the internet for publicly accessible devices, focused primarily on SCADA devices. Anyone can use it, it’s free, and newly discovered devices are mapped daily.
• BlackEnergy
The rapidly changing threat landscape also comes with increasing requirements for regulatory compliance
• Industrial Control System (SCADA): IEC 62443, IEC 62351 Parts 1-8 and NIST 800-82
• Bulk Power System Protection: NERC-CIP 001-009, NIST Special Publication (SP) 800-53 and 800-82, ENISA, CPNI
• Security for Home Area Network: OpenHAN and Zigbee
• Information Technology standards: ISO 27001:27005, ISO 15408, ISO TR 27019
• Risk Management standard: ISO 31000
• Business Continuity Management standard: ISO 22300
• Smart Grid - Advanced Metering Infrastructure: NIST IR 7628 Guidelines for Smart Grid Security; ENISA Smart Grid Security Recommendations
• IEC 61850 substation architecture components: Intelligent Electronic Devices (IEDs) and Remote Terminal Units (RTUs) (IEEE 1686-2007)
• FERC 2003 - Recovery plans
• Critical Infrastructure Protection: NIST Cyber Security Framework; ENISA National Cyber Security Strategy Framework
Key:
ANSI: American National Standards Institute
AMI-SEC: Advanced Metering Infrastructure Security
CPNI: Centre for the Protection of National Infrastructure
ENISA: European Network and Information Security Agency
FERC: Federal Energy Regulatory Commission
IEC: International Electrotechnical Commission
ISO: International Organization for Standardization
NERC: North American Electric Reliability Corporation
NIST: National Institute of Standards and Technology
Network and Information Security (NIS) Directive
• The Directive will require businesses to put in place appropriate security measures:
− Enhancement of national cybersecurity capabilities and public & private cooperation
− Adoption of risk management practices in critical sectors such as energy, transport, banking and health
− Reporting of major incidents to the national authorities
• NIS adoption will require specific investments in education, equipment, cybersecurity software and efficient crisis operating processes to cope with critical situations in case of attacks, and will impact the following:
− Government
− Economic operators: Oil and Gas, Transport (air, rail, water and road), Banking (credit institutions), Financial markets (trading venues, central counterparties), Healthcare providers, Utilities (energy and drinking water supply and distribution)
− Digital infrastructure: internet exchange points (which enable interconnection between the internet's individual networks), domain name system service providers, top level domain name registries
− Digital service providers: will also be required to take appropriate security measures and to notify incidents to the competent authority. The Directive will therefore also cover online marketplaces, cloud computing services and search engines. The NIS Directive also applies to providers that are based outside the EU and offer services within the EU
The traditional method of securing the enterprise is outdated
Defense in Depth alone is not enough
Area | Old Paradigm | New Paradigm
Security Model | Based on Defense in Depth (DiD) | Based on DiD + Rapid Detection + Rapid Response
Security Operations | Steady State and Reactive | Elastic and Agile
Governance, Risk & Compliance | IT and Compliance Focused | Integrated Risk Management
Functional Domains | IT, OT, Telecom, Physical Silos | Converged
Security Analysis | Manual and Fragmented | Analytics and Intelligence
The bottom line is that these modern threats and actors are forcing us to rethink how we assess risk and protect our infrastructure
• Adapt to the speed and sophistication of attacks
• Understand current threat actors ranging from Insider to Nation States
• Evolve defensive measures to deal with aging infrastructures
• Enhance security posture when compliance is not enough
• Monitor the OT/IT environment in a common operating picture
• Analyze large amounts of data and correlate events rapidly and accurately
• Respond to incidents with established protocols based on the situation
• Optimize security investments by being properly prepared
Response and preparation are key. Traditional approaches continue to ring-fence critical assets with more layers of defense, relying on static defenses, with too much focus on “blocking” and not enough on “rapid response”.
What is required is a Next-Generation SOC or “Fusion Centre”
Common Fusion Centre Attributes
• Creates and nurtures an ecosystem for information sharing & collaborative action
• Integrates historically separate functions: IT Security, OT Security, Physical Security, Business Units, Fraud, Compliance, Criminal Investigation, etc.
• Coordinates collaboration and analysis to predict, prevent, discover, manage, and learn
• Promotes the creation of a secure and confidential enterprise security data lake
• Develops and operationalizes analytical techniques to identify and detect unusual patterns of behavior that may be indicative of cyber attacks, crime, fraud, abuse, data loss, data compromise
• Drives transparency to enhance guidance and improve decision making
Fusion Centre is a fluid term that varies by industry and company; however, all share common attributes and structures
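The "common operating picture" of the previous slide and the cross-function analytics this slide asks a Fusion Centre to operationalize are easiest to see in code. The following is an added example, not part of the presentation and not IBM code: a small correlator that joins an IT-side signal (a VPN concentrator assigning an address to a named user) with an OT-side signal (a passive sensor decoding Modbus/TCP frames). Because the Modbus frame carries no credential of any kind, the OT sensor can only say "address X wrote to PLC unit 1"; the IT log supplies the "who". Everything here is constructed: the log lines, the hex frames, the `ENGINEERING_STATIONS` allow-list and the eight-hour attribution window are all assumptions for the demonstration.

```python
"""Cross-domain IT + OT correlation: attribute unauthenticated PLC writes to users.

Added example; sample data below is constructed, not captured from a real plant.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import struct

# Modbus function codes that change controller state (the ones worth watching).
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers"}

# Assumption: the only hosts expected to write to PLCs (engineering station / HMI).
ENGINEERING_STATIONS = {"10.20.7.2"}

# Constructed IT-side events: VPN concentrator log, key=value style.
IT_EVENTS = [
    "2017-02-17T02:03:10Z vpn user=contractor7 src=203.0.113.45 assigned=10.20.5.17 result=success",
    "2017-02-17T09:15:00Z vpn user=ops_engineer src=198.51.100.8 assigned=10.20.5.30 result=success",
]

# Constructed OT-side events: (timestamp, source IP, Modbus/TCP frame as hex)
# as a passive network sensor on the control LAN might emit them.
OT_EVENTS = [
    ("2017-02-17T02:07:42Z", "10.20.5.17", "0001 0000 0006 01 06 0010 0000"),  # write register 16
    ("2017-02-17T10:00:05Z", "10.20.5.30", "0002 0000 0006 01 03 0000 000A"),  # read 10 registers
    ("2017-02-17T11:30:00Z", "10.20.7.2",  "0003 0000 0006 01 05 0001 FF00"),  # write coil 1 = ON
]


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    address: int      # first register/coil the request touches
    payload: bytes


def parse_modbus_tcp(hex_frame: str) -> ModbusFrame:
    """Decode the 7-byte MBAP header plus function code. No authentication field exists."""
    raw = bytes.fromhex(hex_frame.replace(" ", ""))
    if len(raw) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit, func = struct.unpack(">HHHBB", raw[:8])
    # protocol id is always 0 for Modbus; length counts unit id + PDU bytes.
    if proto != 0 or length != len(raw) - 6:
        raise ValueError("malformed MBAP header")
    address = struct.unpack(">H", raw[8:10])[0] if len(raw) >= 10 else 0
    return ModbusFrame(tid, unit, func, address, raw[8:])


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_vpn_assignments(lines):
    """Map assigned inner IP -> (user, login time) for successful VPN logins."""
    assignments = {}
    for line in lines:
        ts, _source, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        if fields.get("result") == "success":
            assignments[fields["assigned"]] = (fields["user"], parse_ts(ts))
    return assignments


def correlate(it_events, ot_events, window=timedelta(hours=8)):
    """Alert on PLC writes from non-engineering hosts; attribute via VPN log when possible."""
    vpn = parse_vpn_assignments(it_events)
    alerts = []
    for ts, src, hex_frame in ot_events:
        try:
            frame = parse_modbus_tcp(hex_frame)
        except ValueError as exc:
            # A frame the decoder rejects is itself worth a look on a control network.
            alerts.append({"time": ts, "src": src, "user": None, "reason": f"malformed: {exc}"})
            continue
        if frame.function not in WRITE_FUNCTIONS or src in ENGINEERING_STATIONS:
            continue
        when = parse_ts(ts)
        user, login_ts = vpn.get(src, (None, None))
        attributed = user if login_ts and timedelta(0) <= when - login_ts <= window else None
        alerts.append({"time": ts, "src": src, "user": attributed, "unit": frame.unit_id,
                       "function": frame.function, "name": WRITE_FUNCTIONS[frame.function],
                       "address": frame.address, "reason": "PLC write from non-engineering host"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(IT_EVENTS, OT_EVENTS):
        print(alert)
```

Run stand-alone, the correlator raises exactly one alert: the write to register 16 on unit 1 at 02:07, attributed to `contractor7` because the VPN concentrator handed that user 10.20.5.17 four minutes earlier. The read at 10:00 is ignored and the coil write from the HMI is allow-listed. Neither log alone supports that conclusion, which is the practical argument for feeding IT identity data and OT protocol telemetry into the same analysis platform.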
Fusion Centre Core Components
(Diagram; the four numbered components and the remaining labels are reproduced here as text)
1. Security Intelligence
2. Analytics and Cognitive Intelligence
3. Incident Response
4. Collaborative Threat Intelligence
Other diagram labels: Security Intelligence, Threat Intelligence, Persona Data, Analysis Platform
The Fusion Center allows collaboration within a common operating model
(Diagram of the SOC operating model; the labels that survived extraction are grouped below, grouping approximate)
Cyber-Security Command Center (CSCC): Executive Security Intelligence Briefings; Local Regulatory Security Oversight; SOC Governance; Consolidated Security Analytics & Dashboards; Local/Regulatory Intelligence Briefings
SOC Governance
SOC Service Delivery: Management; Service Level Management; Operational Efficiency; Service Reporting; Escalation
SOC Data Sources: Structured Data; Semi-Structured Data; Unstructured Data; Reference Data
SOC Technology – SOC Platform Components (integration tools should be used to integrate SOC platform components): Security Intelligence; Projects and Admin Support; CSIRT Management; SIEM; Ticketing & Workflow; SOC Automation Tools; Cognitive Analytics Tool; Big Data; Threat Triage; Digital Use Case Library; Response Procedure Tool; Enterprise Security Tools
SOC Operations: Threat Monitoring; Threat Response; Security Analytics
IT / Corp: Corporate Business Units; Legal, Audit; IT Operations; Business Operations; Security Integration; Emergency Response; OT Operations
Legend: SOC; IT / Corp
Our point of view - establish security as an Immune System
(Diagram of security domains with the capabilities arranged around them; labels reproduced as lists)
Domains: Threat Research; Endpoint; Advanced Fraud; Data; Mobile; Network; Applications; Identity and Access; Security Intelligence; Ecosystem Partners
Capabilities: Endpoint patching and management; Malware protection; Fraud protection; Criminal detection; Data access control; Data monitoring; Device management; Content security; Network visibility; Application security management; Access management; Identity management; Entitlements and roles; Application scanning; Virtual patching; Transaction protection; Log, flow and big data analysis; Anomaly detection; Vulnerability assessment; Incident and threat management; Sandboxing; Firewalls; Anti-virus
Services: Consulting Services; Managed Services
FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU