Post on 07-Jun-2020
Monitoring Your OT Systems for Cybersecurity Threats
usa.siemens.com | Unrestricted © Siemens Industry, Inc. 2019
Agenda
• Global industrial cybersecurity threat picture and situational awareness
• Why the Board should be concerned
• Balancing IT and OT cybersecurity demands
• The impact of functional safety on OT cybersecurity
• Establishing an OT monitoring approach
• Next steps
Global Cyber Threat Trends
A growing trend of using cyberattacks to target critical infrastructure and strategic industrial sectors is raising fears that, in a worst-case scenario, attackers could trigger a breakdown in the systems that keep societies functioning.
• 2016: 357 million new malware variants
• Cybercriminals have an exponentially increasing number of potential targets, because the use of cloud services continues to accelerate.
• 2016: 4+ billion data records breached
• 2017: Cost of responding to a cyber-attack $15 million per company (27.4% year-on-year increase)
• 2016: 100 Gbps DDoS attacks increased in frequency by 140%
• 2017: DDoS targets were repeatedly hit, 32 times within three months (avg.)
• Government regulator: Transportation sector systems are subject to an average of 1,000 attacks each month
• Threat intelligence: Increase in spear-phishing emails (stealing data or installing malware) against companies operating nuclear plants
• 2017: Ransomware affected 300,000+ computers
Source: The Global Risk Report 2018, 13th Edition
A Brief History of Attacks on OT Systems
Attack frequency and impact are increasing.
Timeline (2005 to 2019):
• 2005, Daimler-Chrysler: production outage, 50k employees affected
• 2010, Stuxnet: damage to Iran's nuclear program
• 2015, Ukraine Power Grid: power outage, 230k people affected
• 2016, Thyssen Krupp: industrial espionage, attack on steel plant
• 2017, Maersk: ransomware attack, huge outage, €300M damage
• 2019, Baltimore: ransomware attack, dispatch system outage, manual dispatching of emergency services
• 2019, Norsk Hydro: ransomware attack, outage forced manual operations, USD 50M cost?
Types of Cyber Attacks on Control Systems
Industrial control systems and operational technology systems experience both traditional IT attacks and sophisticated advanced persistent threats that alter the mission of the control system.
IT SYSTEMS
• Typical IT systems experience cyber attacks that compromise confidentiality.
• The primary objective of most attackers is to gain unauthorized access to infrastructure and data; the secondary objective is to render a service unusable (DDoS).
• Attacks on IT systems usually deploy a simpler kill chain.
• Little to no threat of inflicting a cyber-physical impact.
INDUSTRIAL CONTROL SYSTEMS
• Typical ICS systems experience cyber attacks that compromise availability or safety.
• The primary objective of most attackers is to gain unauthorized access to steal information (intellectual property or engineering information); the secondary objective is to have a physical impact.
• Attackers use information about an industrial system (hacked, public domain or research) to understand the process and conduct complex attacks.
• There is a higher risk of causing cyber-physical damage, with an increased threat to human life and environmental contamination.
• Loss of control includes unauthorized changes in control system logic to deviate from the intended outcome.
Impact of an Industrial Cybersecurity Breach / Incident
Recent reports from both government and private communities have highlighted the risk that cyber hacking may now cause serious physical injury or damage. Because of the intensely interconnected state of critical sectors, a cyber-physical disruption is more likely to trigger a domino effect with a higher magnitude of impact.
• Financial Loss
• Intellectual Property Theft
• Public Image
• Shareholder Confidence
• Injury or Fatal Accident
• Destruction of Property
In the news…
Information Technology Security vs. Operational Technology Cybersecurity
Industrial control systems built on operational technology differ in architecture, design and ways of working from the traditional information technology used in an enterprise environment. This creates
Purpose
  IT: Transaction processing; systems analysis and applications; technical and business analytics; human decision support
  OT: Asset monitoring and control; process control, metering and protection; device-to-device communication; server-to-device communication
Operating environment
  IT: Corporate data centers; offices and server rooms; control centers
  OT: Substations; field equipment; control centers
Input
  IT: Manual data entry; other IT systems; data from OT systems
  OT: Transducers and sensors via RTUs and PLCs; IEDs, relays and meters; operator inputs and other OT systems
Output
  IT: Data summaries; results of analysis and calculations; commands issued to other OT systems
  OT: Device control actions; displays of status and alarms; operating logs
Owners
  IT: CIO and IT departments; finance; operations
  OT: Operations and engineering managers; line of business managers; maintenance departments
Connectivity
  IT: Corporate network, IP-based
  OT: Process control networks: IP-based, serial, hardwired analog and digital
Suppliers
  IT: Many options for products and services; skill set and competence available
  OT: Few options for products and services; fewer industry-specific resources with specialized skills
Consider these while Planning for OT Security
• What are the security objectives?
• What assets (man, machine, methods) need to be secured?
• How can you mitigate cybersecurity risk in widely distributed and often harsh terrain?
• Does the existing operating process, technology and environment consider security (built with security in mind)?
• Can existing systems and data be used effectively (without any alteration) to address security objectives?
• Am I monitoring alarms, logs and systems for signs of cyber intrusion or attack?
• Who is responsible for OT security?
• Do IT staff have ICS/OT skills, or do engineering staff have security skills?
• Is my facility and critical infrastructure really air-gapped?
• Does the security vendor or consulting firm have the knowledge and credentials to support my industry's unique security requirements?
• Do the security tools and products understand OT protocols without much customization?
The myth about air gaps
In theory vs. in practice (image slide)
Sources: https://www.pinterest.com/pin/378443174911816347/ ; https://www.apartmenttherapy.com/hide-your-usb-drive-next-to-yo-74552
Functional Safety and Cybersecurity
• Cybersecurity: defence against negligent and wilful actions to protect devices and facilities
• Functional Safety: defence against random and systematic technical failure to protect life and environment
Relationship between Functional Safety & Cybersecurity
Generic standard for functional safety: IEC 61508:2010. The clauses below refer to the IEC 62443 series for security:
• 7.4.2.3: If the hazard analysis identifies that malevolent or unauthorised action, constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried out. NOTE 3: For guidance on security risks analysis, see IEC 62443 series.
• 7.5.2.2: If security threats have been identified, then a vulnerability analysis should be undertaken in order to specify security requirements. NOTE: Guidance is given in IEC 62443 series.
Requirements for Cybersecurity
Foundational requirements for product development according to IEC 62443 (applied to the IACS as a whole: PLCs, operators, administrators and patching):
• FR 1 – Identification and authentication control
• FR 2 – User control
• FR 3 – System integrity
• FR 4 – Data confidentiality
• FR 5 – Restricted data flow
• FR 6 – Timely response to events
• FR 7 – Resource availability
Lifecycle for Functional Safety and Cybersecurity
Functional Safety (IEC 61508): Safety Integrity Level (SIL) 1 – 4. Probability of a dangerous failure in:
• SIL 1 ≈ 10 years
• SIL 2 ≈ 100 years
• SIL 3 ≈ 1,000 years
• SIL 4 ≈ 10,000 years
Cyber Security (IEC 62443): Security Level (SL) 1 – 4
• SL 1: Protection against casual or coincidental violation
• SL 2: Protection against intentional violation using simple means
• SL 3: Protection against intentional violation using sophisticated means
• SL 4: Protection against intentional violation using sophisticated means with extended resources
Combined lifecycle phases (IEC 61508 overall safety lifecycle with security added):
• Concept
• Overall scope definition
• Hazard and risk analysis (safety) / Risk and threat analysis (security)
• Overall safety & security requirements
• Overall safety & security requirements allocation
• Specification of E/E/PE system
• Realization of E/E/PE systems
• Overall installation and commissioning
• Overall validation
• Overall operation, maintenance and repair
• Decommissioning
Triton – a seminal moment (reported December 2017)
Sources: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html ; https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html ; https://www.eenews.net/stories/1060123327
• Triton acts as a "payload" after hackers have already gained deep access to a facility's network. When Triton is installed in an industrial control system, the code looks for Schneider's Triconex equipment, confirms that it can connect to it, and then begins injecting new commands into its operations.
• If those commands aren't accepted by the Triconex components, it can crash the safety system. The SIS controllers entered a failed-safe state.
• Target: Petro Rabigh plant, Saudi Arabia
• Attribution: Russian government-owned lab
Industrial and OT Asset Management and Monitoring – Increasingly a Regulatory and Statutory Requirement
Up-to-date asset information is essential for maintaining critical operations and for optimizing security investments.
Prescribed by industry regulations and international standards: ISA 99 / IEC 62443; ISO 27001 & ISO 27005; ISO 31000; ISO 22301; NIST SP 800-82 r2; NIST SP 800-53.
Security prerequisites and operational requirements covered:
• Security Policy and Compliance
• End Point Protection and Information Privacy
• Incident Identification and Management
• Risk Assessment and Mitigation
• Spare Management
• Asset Consolidation
• Change Management
• Capacity Management
OT Monitoring and Threat Detection is Paramount
OT environments require passive monitoring techniques.
Reference architecture (figure): Purdue Level 4 (Corporate Network), Level 3 (Operations and Control), Level 2 (Supervisory Network) and Level 1 (Control Network). A monitoring sensor is attached to the network switch at each layer and feeds the SIEM. Assets shown: workstations, domain controller, historian, Active Directory/LDAP, CMDB and SIEM on the corporate side; engineering workstation, DCS/SCADA server and HMI at the operations and supervisory levels; PLC/RTU devices on the control network (ICS Network 1).
Capabilities:
• Asset Discovery and Inventory
• Communication Profile
• Vulnerability Assessment
• Threat Management Capabilities
• Threat Detection & Response
• Efficient Compliance
• Threat Modelling
Service Delivery Models
1. Pilot and proof of value engagement (one time)
2. OT Cybersecurity Risk Assessment (one time or regular)
3. Managed Service for OT Security Monitoring (continuous protection)
OT Monitoring and Threat Detection
It goes beyond cybersecurity and provides value for daily OT operations.
Enhance Network Visibility
• Provide a full list of assets inside networks
• Identify the role of each component
• Identify new and inactive nodes
Enhance Industrial Visibility
• Provide a full list of PLCs in the network
• Identify process variables and changes to their values
• Analyze PLC traffic bandwidth usage
Asset Management
• Automated and up-to-date asset inventory
• Software and firmware versions
• Serial numbers
Enhance Operations – track actions and trigger events based on operational issues
• Reconnections
• Idle links
• Bandwidth limits exceeded
OPERATIONAL ICS VISIBILITY: Asset Management; Network Visualization & Modelling; Real-time Network Monitoring; Dynamic OT Behavioural Learning
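As an added illustration of the passive behavioural learning and new/inactive-node detection described above (example code written for this page, not code from the deck or from any Siemens or TÜV Rheinland product), the Python sketch below learns a baseline of device-to-device conversations from constructed flow records and then reports deviations in an observation window. All addresses, protocol names and operation labels are constructed.

```python
"""Passive OT monitoring baseline: learn normal conversations during a learning
window, then flag new nodes, new conversations, first-seen write/download
operations and baseline nodes that have gone idle. Added example; values are constructed."""

# Constructed flow records, as a passive sensor on a switch SPAN port might
# summarise them: (timestamp_s, src, dst, protocol, operation). All made up.
LEARNING_FLOWS = [
    (0,  "10.1.0.10", "10.1.0.21", "modbus", "read_holding"),  # HMI -> PLC1
    (5,  "10.1.0.10", "10.1.0.22", "modbus", "read_holding"),  # HMI -> PLC2
    (10, "10.1.0.11", "10.1.0.21", "s7comm", "read_var"),      # historian -> PLC1
]
OBSERVED_FLOWS = [
    (1000, "10.1.0.10", "10.1.0.21", "modbus", "read_holding"),
    (1005, "10.1.0.10", "10.1.0.22", "modbus", "read_holding"),
    (1010, "10.1.0.99", "10.1.0.21", "s7comm", "download_block"),  # unknown host pushing logic
    (1300, "10.1.0.10", "10.1.0.21", "modbus", "read_holding"),
]
# Constructed operation labels that change controller state rather than read it.
WRITE_OPS = {"write_single", "write_multiple", "write_var", "download_block"}


def learn_baseline(flows):
    """Return (known nodes, allowed (src, dst, proto, op) conversations)."""
    nodes, convs = set(), set()
    for _, src, dst, proto, op in flows:
        nodes.update((src, dst))
        convs.add((src, dst, proto, op))
    return nodes, convs


def detect(flows, baseline, idle_after_s=120):
    """Compare an observation window against the baseline; return alert strings."""
    known_nodes, known_convs = set(baseline[0]), set(baseline[1])  # copies
    alerts, last_seen = [], {}
    for ts, src, dst, proto, op in flows:
        for node in (src, dst):
            if node not in known_nodes:          # asset never seen in learning window
                alerts.append(f"NEW_NODE {node} at t={ts}")
                known_nodes.add(node)            # report each new node once
            last_seen[node] = ts
        key = (src, dst, proto, op)
        if key not in known_convs:               # new pair/protocol/operation
            tag = "NEW_WRITE" if op in WRITE_OPS else "NEW_CONVERSATION"
            alerts.append(f"{tag} {src}->{dst} {proto}/{op} at t={ts}")
            known_convs.add(key)
    window_end = max((f[0] for f in flows), default=0)
    for node in sorted(baseline[0]):             # baseline assets gone quiet = idle link
        if window_end - last_seen.get(node, float("-inf")) > idle_after_s:
            alerts.append(f"INACTIVE_NODE {node} (idle > {idle_after_s}s)")
    return alerts
```

A real deployment would feed the learner from the sensor's parsed protocol metadata and tune the idle threshold per asset class, since a historian polling every hour is not an idle link.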
Achieving a complete picture across OT and the entire enterprise
Attackers will use IT systems to access OT systems (and vice-versa!).
Threat Management: Detection and Response in OT/IT environments (figure):
• Enterprise Network, Level 4/5 – Business & Enterprise: Internet, ERP, MIS, apps/servers, endpoints, AD/LDAP, ITSM, CMDB, extranets
• DMZ between the enterprise network and the ICS network
• ICS Network, Level 3 – Operations and Control, Level 2 – Supervisory Network, Level 1 – Control Network: workstations, domain controller, historian, engineering workstation, DCS/SCADA server, HMI and PLC/RTU devices, with a monitoring sensor on each network switch
Defence Centre ("Extranet") data sources:
• Data from security infrastructure: IT endpoints, servers, databases, apps, business apps / transactions
• Data from passive OT monitoring and security infrastructure: IT endpoints, servers, apps
• Data from passive OT monitoring and security infrastructure: OT-IT endpoints (limited)
Integrated platform: log & data management; security analytics; API; content library; threat feeds; social-media feeds
Asset Information Discovery – Sample Output
An asset information discovery report can include device subparts such as:
• The inner components of a modular PLC
• Physical device state and information, as well as logical device state and information
• Logical node subsystems
OT Incident Response
Actor: innocent employee; malicious employee; organized criminals; competitor espionage; hacker; hacktivists; state espionage; …
Motive: none (innocent employee); re-sale of assets; publicity; …
Flow: event or incident, is discovered, internal response
• Incident Response Team, primary services: legal and forensics (primary response services)
• Incident Management Team, secondary services: crisis PR; notification communication; call centre
Indicative time line (not to scale): 1 hour, 1 day, 2 days, 1 week, 1 month, 6 months, 12 months
• Incident triage
• Communication to customers / partners
• Communication to regulators
• Communication to law enforcement
• Post incident review and workshop
Q. Would your control room staff recognise a cybersecurity event/incident?
Next steps
• Understand your risk by conducting an assessment of your plants, factories, products or sites
• Consider implementing OT systems monitoring as soon as possible
• Regularly monitor new and emerging cyber risks on your OT network
• Understand how new connected systems can enhance productivity and safety if properly implemented
• Review and watch for new and emerging legislation and regulations that may impact cybersecurity in your industry
Questions?
LEGAL DISCLAIMER
This document remains the property of TÜV Rheinland. It is supplied in confidence solely for information purposes for the recipient. Neither this document nor any information or data contained therein may be used for any other purposes, or duplicated or disclosed in whole or in part, to any third party, without the prior written authorization by TÜV Rheinland. This document is not complete without a verbal explanation (presentation) of the content. TÜV Rheinland AG
Contact details: nigel.stanley@us.tuv.com
Industrial Security in 2019: A TÜV Rheinland Perspective: www.tuv.com/ot-security19
Cybersecurity Trends 2019: www.tuv.com/cybersecuritytrends2019