ammar alzaher honeywell industrial cyber security

© 2015 by Honeywell International Inc. All rights reserved. www.becybersecure.com HONEYWELL INDUSTRIAL CYBER SECURITY Ammar Alzaher 2017


Post on 08-Nov-2021


Page 1: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

© 2015 by Honeywell International Inc. All rights reserved.

www.becybersecure.com
HONEYWELL INDUSTRIAL CYBER SECURITY
Ammar Alzaher

2017

Page 2: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY


Agenda

• Introductions

• Why Honeywell

• Solutions Overview

• Managed Services

• Cyber Security Lab

• Risk Manager

• Secure Media Exchange (SMX)

• Wrap-up / Q&A


Page 3: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY


Speaker

Ammar Alzaher is Business Development Manager of Industrial Cyber Security for Saudi, Bahrain and North Africa. He carries 10 years of experience in the industrial automation sectors, where he worked closely with end users and corporate accounts. Ammar received his BS of Computer Science and Engineering from King Fahad University of Petroleum and Minerals, Saudi Arabia.


Page 4: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Industrial Cyber Attacks & Incidents Are Rising

Information Stealer Malware
Worm Targeting SCADA and Modifying PLCs
Virus Targeting Energy Sector, Largest Wipe Attack
Virus for Targeted Cyber Espionage in Middle East
Worm Targeting ICS, Information Gathering and Stealing
Large-Scale Advanced Persistent Threat Targeting Global Energy
APT Cyber Attack on 20+ High Tech, Security & Defense Cos.
Cyber-Espionage Malware Targeting Gov’t & Research Organizations
Industrial Control System Remote Access Trojan & Information Stealer
Security Bug and Vulnerability Exploited by Attackers

Threat Perception of Industrial Customers Will Continue to Grow

Page 5: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY


Threat Vectors

• Hackers

• Criminals

• Terrorists

• Employees

• Business Partners

• Sub-Contractors

• Software Components

• Network Components

• Technology Advances

• State Sponsored

• Natural Disasters

• Industry Regulations

Threat Agents

Page 6: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

© 2016 by Honeywell International Inc. All rights reserved.

Overview

• Information Security
• Cyber Security
• Cyber Resilience
• Risk: Avoid, Manage, Accept, Transfer

Page 7: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Overview

• Cyber crimes already cost businesses over $400 Billion/year (BIC)
• Average cost of a large company data breach is $4,800,000
• Juniper Research predicted that by 2019 the annual cost of data breaches will reach $2.1 Trillion globally (4x 2015)
• Why is this happening?
• Years ago: teenagers or hacktivists
• Nowadays: funded (cyber warriors)
• Our security technology is very good, so attacks target our people and processes


Page 9: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Why Honeywell Industrial Cyber Security

Trusted, Proven Solution Provider

First to obtain ICS product security certification with ISASecure

Largest R&D investment in cyber security solutions and technology

Strategic partnerships with best in class security product vendors

Industry Leading People and Experience

Industry Leading Processes and Expertise

Industry Leading Solutions

Global team of certified experts with deep experience across all industries

Over 1000 successful PCN / Industrial cyber security projects

Leaders in security standards ISA99 / IEC62443 / NIST Cybersecurity Framework

Proprietary methodologies specific for process control environment & operations

Best practices developed through 10 years of delivering solutions

Comprehensive understanding of unique process control security requirements

Page 10: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY


Honeywell’s Expertise

Industry Leading Certifications

CISSP Certified Information Systems Security Professional

CRISC Certified in Risk and Information Systems Control

CISM Certified Information Security Manager

CISA Certified Information Systems Auditor

CCIE Cisco Certified Internetwork Expert

CCSP Cisco Certified Security Professional

CCNP Cisco Certified Network Professional

CCDP Cisco Certified Design Professional

CCNAW Cisco Certified Network Associate Wireless

ISO 27001 LI ISO/IEC 27001 Lead Implementer

ITSM Information Technology Infrastructure Library (ITIL) Service Manager

MCITP Microsoft Certified IT Professional

PMP Project Management Professional

VCP VMware Certified Professional


Page 12: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Complete Industrial Cyber Security Solutions

• Continuous Monitoring
• Compliance & Reporting
• Cyber Security Risk Manager
• Industrial Security Information & Event Management (SIEM)
• Cyber Security Awareness & Training
• Backup and Recovery
• Incident Response Planning
• Incident Response: On Site & Remote
• Industrial Cyber Security Vulnerability & Risk Assessments
• Network & Wireless Assessments
• Cyber Security & Compliance Audits
• Policy and Procedures Development
• Firewall, Next Gen FW
• Intrusion Detection & Prevention (IDS/IPS)
• Access Control
• Industrial Patching & Anti-Virus
• Industrial Application Whitelisting
• End Node Hardening
• Portable Media/Device/USB Security
• Secure Media Exchange (SMX)
• Current State Analysis
• Secure Design and Optimization
• Zone & Conduit Separation

[Diagram labels: Assessments & Audits; Architecture & Design; Network Security; Endpoint Protection; Situational Awareness; TECHNOLOGY; Response & Recovery]

Page 13: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

The First Step to Security Is Understanding the Current Environment

• Customer problems solved/needs addressed:
– Identifying and prioritizing the biggest risks
– Meeting industry/government regulations and guidelines
– Finding which systems and devices are the most exposed, and the most vulnerable
– Prioritizing cyber security efforts for the maximum return
• Honeywell Offerings:
– Network Assessment
– Wireless Assessment
– Security Assessment SL2 (coincidental & intentional attacks using simple means)
– Security Assessment SL3 (targeted attacks using sophisticated means)
– Compliance Assessments & Reports


Page 14: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Example of using IEC 62443.03.03 Security Levels

Security level   Skills         Motivation   Means           Resources
SL 1             Casual
SL 2             Generic        Low          Simple          Low
SL 3             ICS specific   Moderate     Sophisticated   Moderate
SL 4             ICS specific   High         Sophisticated   Extended

ISA 99 / IEC 62443
The SL determines the security requirements

Critical infrastructure

Page 15: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Maturity Indicator levels

Maturity level
MIL1: No formal practices exist.
MIL2: Initial formal practices exist but may be performed in an ad hoc manner; however, they must be performed.
MIL3: Practices are no longer performed irregularly or ad hoc; performance of the practices is sustained over time and is well documented. Overall performance is measured and documented.
MIL4: Practices have been further institutionalized and are now being managed. Policies exist, the organization is fully aware, and periodic audits and reviews of all activities are in place to improve and anticipate new threats.

Cobit / C2M2
The MIL determines the Maturity Indicator level

Page 16: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Once You’ve Found a Gap, Fill It

• Customer problems solved/needs addressed:

– How to use network design to promote strong security

– Implementing Zones & Conduits (per IEC 62443) to minimize the impact of an incident

• Honeywell Offerings:

– Network Design & Optimization Services

– Wireless Design & Optimization Services

– Cyber Security Design Services

– Zones & Conduits

– Documentation of current architecture and security


Page 17: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY


Before Assessment (Organic Growth)

Page 18: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY


Assessment Report Examples

Page 19: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY


Industrial Cyber Security Good Practices

[Figure: network architecture diagram spanning Level 1, Level 2, Level 2.5, Level 3, Level 3.5, Level 4 and the Internet. Labelled elements: Honeywell C300 controllers; 3rd party PLC, Modbus TCP and SCADA controllers; 3rd party DCS systems; Honeywell MODBUS/TCP Firewall; Honeywell Control Firewall; Honeywell FTE Network; Experion PKS (EPKS R410.x, EPKS R430.x); L2.5 routers; L3 routers; L3.5 firewalls; Level 3 PCN; Advanced Control Systems; Security Management; PCN Monitoring; Honeywell Virtualization (blade chassis, ESXi hosts, nodes labelled Dell 01, Dell 02, Dell 03, ICS 201S, ICS 202S, ICS 203S, ICS 204S); Process Control DMZ (PCS Historian, E-SVR / Collaboration Station); Remote Access DMZ (PROD) with Proxy / Relay Server; proxy firewall; IPS sensors; passive security monitoring sensors; Business LAN; VPN; remote users; Honeywell Managed Service Center.]

Controls and services listed on the slide:
• Threat Intelligence; Next Generation Firewalls; Intrusion Detection System; Intrusion Prevention System; Data Diode
• Risk Manager; Security Information & Event Management (SIEM); Network Performance and Security Monitoring; Network Access Control
• Backup & Restore; System Hardening; VM Performance Monitoring; Domain High Security Policy; User Access Control; Passive Vulnerability Monitoring
• OS/Application Vulnerability Management; Application Whitelisting; ICS USB Protection; Anti-Virus / Malware Protection; Security Patch Management
• Honeywell Managed Services (Managed Industrial Cyber Security Services): Network Monitoring; Performance Monitoring; Patch & Update Services
• Honeywell Virtualization: Backup & Restore; VM Monitoring; Passive Vulnerability Monitoring

Page 20: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Most Threats Come from the Network

• Customer problems solved/needs addressed:

– How to make it harder for the “bad guys” to get in

– What to do if/when they do get in

• Honeywell Offerings:

– Network Design Services

– Firewall Installation & Configuration

– IPS Installation & Configuration

– Perimeter Security Management

– Policy Development


Page 21: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

“Soft” Systems Are Easy Targets

• Customer problems solved/needs addressed:

– Identify which PCs and Servers are vulnerable to threats

– Determining if the proper access controls are in place (missing critical patches, AV is out-of-date, etc.)

• Honeywell Offerings:

– Endpoint Hardening

– Anti-Virus Installation & Configuration

– Application Whitelisting, Installation & Configuration

– Device Control

– Secure Media Exchange (SMX)


Page 22: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Awareness is Critical

• Customer problems solved/needs addressed:

– Staying diligent with limited security staff & resources

– Understanding what’s happening, what’s at risk, and why

– Identifying the early-warning signs to prevent incidents

– Knowing what to do if/when an incident does occur

• Honeywell Offerings:

– Honeywell Industrial Secure Connection

– Honeywell Industrial Protection Management

– Honeywell Industrial Intrusion Management

– Honeywell Industrial Intelligence Reporting

– Honeywell Industrial Risk Manager


Page 23: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

“We Have a Problem…”

• Customer problems solved/needs addressed:

– What do you do when an incident occurs?

– How do you recover?

– How do you regain safety and reliability?

• Honeywell Offerings:

– Backup & Restore Services

– Incident Response Services



Page 25: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Managed Industrial Cyber Security Services

Secure Connection
– Secure tunnel for services

Perimeter and Intrusion Management
– Firewall: Configuration rules + log file review and reporting
– IPS: Signature update validation + log file review and reporting

Protection Management
– Qualified anti-malware files & operating system patches

Continuous Monitoring and Alerting
– Monitoring of system, network & cyber security performance
– 24/7 alerting against thresholds

Intelligence Reporting
– Weekly compliance and quarterly trend reports


Page 27: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY


Industrial Cyber Security Solutions Lab

World-Class and Industry Leading Innovation Platform

Flexible model of a complete process control network up to the corporate network

• Cyber Security solutions development and testing

• Training Platform for Cyber Security Engineers

• Demonstration lab for customers

- Simulate cyber attacks; demonstrate our cyber security solutions

Page 28: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Cyber Security Controls and Tools: Examples

Security Management
Intrusion Protection & Threat Intelligence
Application & Endpoint Security
Next Generation Firewall
Network Security


Page 30: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Industrial Cyber Security Risk Manager

Page 31: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY


Where do I start?

Assess Your Cyber Security Posture

Has something happened that I need to act on?

How risky is my system from a security perspective?

How can I show that we are improving our security posture?

Is my control system up to date?

Am I following best practices?

When something goes wrong, what should I do?

Page 32: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY


Industrial Cyber Security Risk Manager

Proactively Monitor, Measure, and Manage Industrial Cyber Security Risk.

Developed specifically for industrial environments

Page 33: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY


Industrial Cyber Security Risk Manager

Proactively Monitor, Measure, and Manage Industrial Cyber Security Risk.

Easy-to-use Interface. No need to be a cyber security expert.

Translates complex cyber security indicators into simple measurements

Generates accurate measurements of risk that align with industry standards and operational goals.

Real time assessment and continuous monitoring for improved situational awareness

Vendor neutral

Low impact technology won’t disrupt operations

First of its Kind for Industrial Environments

Page 34: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

At-A-Glance Dashboard Interface

[Dashboard panels: Notifications; Site Trend; Risk Level by Source; Site Risk]

Page 35: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Out-of-the-Box Benefits

Immediate Improvements.

• Translate complex cyber security indicators into simple measurements
• Prioritize and focus efforts on managing risks
• Real-time assessment of information from devices throughout the process control network
• Immediate information for ongoing situational awareness

Page 36: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

No Need To Be Cyber Security Experts

Easy-to-use interface allows users to prioritize and focus on most important risks

Executives
• Map key risk indicators to KPIs
• Demonstrate value of cyber security investments

Plant Management
• Help focus resources on addressing threats
• Provide updates on the site’s security posture

Control Systems Engineers
• Track / monitor assets according to different zones
• Understand how possible attacks might disrupt operations

Page 37: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Why Risk Manager?!

• SIEMs look for evidence of security threats, primarily in logs
• Vulnerability scanners probe PCs for known vulnerabilities in applications
• Network monitors look at network behavior and information flow
• Dedicated staff can measure risk by doing manual data collection, analysis and risk assessment

[Comparison table. Columns: Honeywell Risk Manager; SIEM / Log Manager; Vulnerability Scanner; Network Monitor; People / Staff. Rows: Assesses Risk; Detects Threats; Detects Vulnerabilities; Safe for ICS; Context of ICS; Built for ICS/OT; Proactive; Real-time.]


Page 39: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

© 2017 by Honeywell International Inc. All rights reserved.

Introducing Secure Media Exchange (SMX)
An Industrial Cyber Security Innovation from Honeywell

Page 40: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY


USB Security – A Persistent Challenge for Industrials

Page 41: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

SMX – How It Works in Your Plant

When a contractor checks into the plant, he/she inserts his/her USB into the SMX Intelligence Gateway, which:
• Inventories the drive
• Verifies inventories against Honeywell’s Advanced Threat Intelligence Exchange (ATIX)
• Analyzes unverified files
• Verifies & then checks in the device

The contractor works with the “checked in” removable media, on Windows devices with SMX Client Software Suite. These Windows devices are:
• Protected against malicious USB devices
• Able to log USB device and file activity
• Only able to read “checked in” removable media

The contractor is able to complete work and check out the USB upon leaving the facility. The files are “checked out” and can be used outside the plant.

No connection to the customer’s plant. Private connection to the ATIX for constant detection updates, patches, etc.

[Diagram label: ATIX]
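The check-in, use and check-out flow described above can be modelled with a sealed hash manifest. This is an added illustration, not Honeywell's SMX code: the HMAC-sealed manifest, the hash-only threat lookup standing in for ATIX and file analysis, and every name and sample value below are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Assumptions (constructed for this example, not SMX internals): the gateway
# seals its verdicts with an HMAC key shared with the client hosts, and threat
# intelligence is reduced to a set of known-bad SHA-256 hashes.
GATEWAY_KEY = b"constructed-demo-key"
BAD_SAMPLE = b"constructed known-bad content"
KNOWN_BAD = {hashlib.sha256(BAD_SAMPLE).hexdigest()}
SAMPLE_MEDIA = {  # constructed stand-in for the files on a contractor's drive
    "docs/readme.txt": b"constructed work instructions",
    "firmware/update.bin": b"constructed firmware image",
    "tools/setup.exe": BAD_SAMPLE,
}


def inventory(files):
    """Map every path on the media to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def _seal(record, key):
    """HMAC over a canonical JSON encoding of the gateway's verdicts."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def check_in(files, known_bad, key=GATEWAY_KEY):
    """Gateway: inventory the drive, screen it, seal the result."""
    inv = inventory(files)
    record = {
        "allowed": {p: h for p, h in inv.items() if h not in known_bad},
        "quarantined": {p: h for p, h in inv.items() if h in known_bad},
    }
    return {"record": record, "mac": _seal(record, key)}


def manifest_is_authentic(manifest, key=GATEWAY_KEY):
    """True only for a manifest sealed by the holder of the gateway key."""
    if not isinstance(manifest, dict):
        return False
    expected = _seal(manifest.get("record", {}), key)
    return hmac.compare_digest(str(manifest.get("mac", "")), expected)


def readable_files(files, manifest, key=GATEWAY_KEY):
    """Client host: expose only files that match a sealed 'allowed' entry."""
    if not manifest_is_authentic(manifest, key):
        return []  # media never checked in, or manifest altered
    allowed = manifest["record"]["allowed"]
    return sorted(p for p, h in inventory(files).items() if allowed.get(p) == h)


def check_out(files, manifest, known_bad, key=GATEWAY_KEY):
    """Gateway on exit: report what changed on site and what is now flagged."""
    if not manifest_is_authentic(manifest, key):
        raise ValueError("media was not checked in by this gateway")
    record = manifest["record"]
    seen = {**record["allowed"], **record["quarantined"]}
    inv = inventory(files)
    added = sorted(p for p in inv if p not in seen)
    modified = sorted(p for p in inv if p in seen and inv[p] != seen[p])
    infected = sorted(p for p in added + modified if inv[p] in known_bad)
    return {"added": added, "modified": modified, "infected_on_site": infected}
```

In this model a file edited after check-in stops being readable on other hosts until the media is checked in again; that is a property of the sketch, not a statement about SMX.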

Page 42: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Secure Media Exchange (SMX)
Extend Industrial Plant Protection to Removable Media/USBs

• Built for industrial environments
• Easy to deploy and use
• Logs removable media usage throughout the site and, when used with Industrial Cyber Security Risk Manager, related reporting is available
• Allows administrator to understand potential sources of malware (i.e., who is attempting to bring infected media to site)
• Prohibits malware from being propagated via removable media
• Prevents unverified files from being read on Windows hosts
• Evergreen threat information reduces potential attack window
• Secures open USB ports from non checked devices like smart phones and other removable media
• Modernizes plant security as part of daily site “check in” process

Page 43: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

SMX Benefits

Modernizes plant security
– Allows plant personnel and service providers to verify and use removable media as part of daily site “check in” process, enforcing corporate policies

Evergreen threat information reduces potential attack window
– Removable media is verified against evergreen threat intelligence, not waiting on an individual to update signatures

Prevents unverified files from being read on Windows hosts
– Renders media from “uncontrolled” devices as unreadable to prevent spread of malware

IEC 62443 compliant
– Securely connects to the cloud for threat updates, without exposing the plant to any risk of network threats

Alerts detect outbound threats and log outbound file transfers
– Logs event when removable media contains malware upon check out (i.e., media infected at plant after being verified by SMX at check in)

Prohibits malware from being propagated via removable media
– Verifies files on removable media for malware. Prevents infected and suspect files from being accessed on Windows devices.

Page 44: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

SMX Use Cases: Enforcing Policy

Use Case / Outcome

• Service provider tries to use USB that is not verified & checked in
– Outcome: USB blocked. Media on drive unreadable.

• Bad actor tries to use USB with infected media, that is not verified & checked in
– Outcome: USB blocked. Media on drive is unreadable.

• Logs odd USB behavior, such as repeated attempts to use quarantined files
– Outcome: Anomalous behavior with USB is logged.

• Service provider’s activities with USB, that is verified & checked in, can be viewed by SMX administrator after check out
– Outcome: USB/User activity is logged.

• When a user has infected file that is found during check in
– Outcome: USB file blocked. File on drive unreadable.

[Device & Media Type column graphics: Protected Server shown with Malicious USB device; Unapproved device types; Odd USB behavior; USB file transfer activity; Malicious file quarantined]

Page 45: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY


SMX Use Cases…

Page 46: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Why Honeywell Industrial Cyber Security

Industrial Cyber Security Experts
• Global team of certified industrial cyber security experts
• 100% dedicated to industrial cyber security
• Experts in process control cyber security
• Leaders in security standards ISA99 / IEC62443 / NIST
• Beyond Honeywell control systems, can cover entire operations infrastructure

Proven Experience
• 10+ years of industrial cyber security
• 1,000+ successful industrial cyber projects
• 300+ managed industrial cyber security sites
• Proprietary cyber security methodologies and tools
• Maintain a robust security posture with Managed Services offerings

Investment and Innovation
• Comprehensive portfolio, from services to advanced risk mitigation solutions
• Continued R&D investment in industrial cyber security
• Integrate best in class and vetted security solutions, such as Palo Alto Networks, McAfee, Cisco, Bit9, Tofino
• Industry first Cyber Security Risk Manager
• State-of-the-art Industrial Cyber Security Solutions Lab

Page 47: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Contacts

Mike Spear, Global Operations Manager
Phone: +1 (770) 689-1132
Cell: +1 (678) 447-6422
[email protected]

Safdar Akhtar, Director Business Development, ME, Africa and Asia
Cell: +971 56 418 8706
[email protected]

Ammar Alzaher, Business Development Manager, KSA, Bahrain, North Africa
Cell: +966 50 209 6662
[email protected]

Alex Shvidun, Sr. Technical Manager ME
Cell: +971 50 643 6674
[email protected]

Follow us: www.twitter.com/InSecCulture
Blog: http://insecurity.honeywellprocess.com
Bulletin Board: http://hpsvault.honeywell.com/sites/hpsvault/services/
Website: http://www.becybersecure.com

Page 48: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Thank You
Honeywell Industrial Cyber Security
www.becybersecure.com

[email protected]

Page 49: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

APPENDIX

Page 50: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

What Makes the Secure Connection Secure?

• Architecture: Relay Server L3.5 (“DMZ”) & Secure Service Node L3
- Supports the ISA99 concepts of zones & conduits, authentication, security logging, input validation and system integrity checks
- Work together for hardened PCN communications security

• Two-Factor Authentication
- Validated both ways – verify really Service Center and really customer site
- Utilizes unique “fingerprints”, Honeywell generated security certificates (not 3rd party), proprietary security certificates and security keys for verification

• Secure, Encrypted Tunnel for Communications (VPN)
- Encrypted communication uses licensed SSL
- Tunnel can only connect to Honeywell’s Managed Security Service Center
- Communications not visible on corporate side – encrypted; Wireshark will tell you nothing

• Customer Controlled Connection & Security Policies
- Tunnel can only be initiated by Site’s Secure Service Node
- Permissions can be set per device, person, and/or time, or system wide

• Fully Audited Recording & Reporting of Actions
- Replay will show display and mouse movements of session

Page 51: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Secure Connection Architecture

Connection Initiated by Site Secure Service Node

• SSL Encrypted, Two-Factor Authenticated Communication
• Connects to Managed Security Service Center ONLY
• Encrypted communication through corporate network provides additional security
• Relay Server isolates ICS/PCN ensuring no direct communication between Level 3 & Level 4/Corporate Network
• Restricts unauthorized ICS/PCN nodes from sending or receiving data

[Diagram: Industrial Site and Managed Security Service Center, with the Internet between them. Levels shown: Level 1, Level 2, Level 3, Level 3.5 DMZ, Level 4. Labelled nodes: ACE; Experion Server; Domain Controller; 3rd Party Apps; Terminal Server; eServer; EST; ESF; Anti-Malware Server; Windows Patch Mgmt Server (WSUS); Engineering Controls; Operator Controls; Relay Server; Secure Service Node; CORPORATE; Corporate Router; Corporate Proxy Server; Communication Server; Database Servers; Application Servers; DMZ.]

Page 52: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY


Two-Factor Authentication

Machine to Machine

- 1) Site verifies it is connecting to Honeywell

- 2) Honeywell verifies it is connecting to site

- SSL encrypted tunnel (VPN) created

- Certificate based (encrypted), keys needed to decrypt

- User passwords initiate tunnel

[Diagram: Site Secure Service Node with “Fingerprint”. Labels in both directions: Encrypted Certificate; Key to Read Certificate. Steps marked 1 and 2. Caption: Site Initiates Tunnel (VPN).]

Page 53: Ammar Alzaher HONEYWELL INDUSTRIAL CYBER SECURITY

Utilize the Secure Connection for 3rd Party Control

• Optional service
• Authorized contractors sent a registered dynamic token generator
- Generates single-use passwords used as part of login process
• No modification of corporate firewall is required
• Secure Service Node policies set permissions
• Entire session recorded and stored

[Diagram labels: Site; 3rd Party Contractor. Steps shown: Honeywell requests tunnel; Honeywell provides SafeNet dynamic token; Contractor login with one time password. Callouts: Site policies define 3rd party access & actions; Session actions are recorded and stored.]