ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers Covet and WMI Cannot...

Post on 18-Jan-2017


How to Protect the Proprietary Cyber Assets That Hackers Covet and WMI Cannot See

David Zahn
CMO, GM of Cybersecurity Business Unit

dzahn@pas.com

Agenda
• A Simple Test
• Challenges With Taking Stock
• Inventory Done Right

© PAS - Confidential and Proprietary 2015 | 2


A Simple Test

Impact Of This ICS-CERT Vulnerability to the Enterprise?

• HART DTM Vulnerability
• Honeywell Temperature Sending Unit
• Impact
  – Cease operations until restarted


Detect An Inadvertent Engineering Change?

• Safety instrumented system (Triconex) configuration change
• Bypass condition masked from operator


Identify the Next Successful Malicious Attack?


Anatomy of Stuxnet Attack

Siemens S7:
• Memory Block DB890
• AWL File


You Cannot Secure What You Cannot See


Challenges with Taking Stock

Hidden Cyber Assets Create Risk: A Case Study


Network (20%)
• Heterogeneous, but common protocols
• IP addressable
• Agent friendly
• Inventory in plain sight

Proprietary (80%)
• Heterogeneous, proprietary systems
• Complex architecture
• No agents
• “Hidden” inventory
• I/O cards, firmware, installed software, configuration & more

Case Study
PAS inventory engagement to feed vulnerability assessment

Challenge
Inventorying, monitoring, and gaining full compliance on cyber assets


Inventory Done Right

Inventory In Depth (a sample data set)

Information Technology


Windows
• Ports & services
• User accounts
• Anti-virus
• Events
• OS information
• HW information (HD, memory, etc.)

Network
• Global switch settings
• Interface definitions
• VLANs
• Routing tables
• Firewall objects

Operational Technology

DCS
• IO Cards
• Controllers
• Com Modules
• Operator Stations
• Application Stations
• Wireless IO Modules
• Control Level Firewall
• Applications

PLC / Vibration Monitoring
• IO Cards
• Controllers
• Com Modules
• 3rd Party Module
• Applications

SCADA / Historian / APC
• Operator Stations
• Application Stations
• Applications

Instrumentation
• Wireless Devices
• HART Devices
• Foundation Fieldbus Devices
• Profibus Devices

SIS / Turbine Control
• IO Cards
• Controllers
• Com Modules
• Applications

Malicious attack (Stuxnet) | ICS-CERT Vulnerability | Inadvertent Engineering Change

Not All Inventory Is Created Equal

Networked IT | Networked Proprietary | Islanded

Inventory Options

Manual
• Pros
  – Flexible
• Cons
  – Training time
  – Labor cost
  – Error prone
  – Stale data

ICS Vendor Supplied Tool
• Pros
  – Vendor specific
  – Purpose-built
• Cons
  – Multiple formats
  – Varying capabilities
  – Different terminology
  – Data silos

Centralized and Automated
• Pros
  – Accuracy
  – Evergreen inventory
  – Common data format
  – Efficiency
  – New device detection
• Cons
  – Business process changes


Good ICS Inventory = Good Compliance

OT + IT Inventory

CIP-002: Inventory & review…
CIP-007: Ports, services, patching…
CIP-008: Incident response, testing, review…
CIP-009: Disaster recovery, testing, review…
CIP-010: Change & configuration management…
And more....


ICS Cybersecurity Best Practices


Requirements
• Automated OT & IT inventory
• Configuration change monitoring & alerts
• Patch management
• Closed-loop workflows
• Backup & recovery

Benefits
• Increases internal & regulatory compliance
• Reduces compliance effort
• Supports all major control systems
• Hardens control system security
• Speeds recovery from downtime

Automation Systems

Single Repository

Who We Are

Background
• Founded in 1993 with headquarters in Houston, Texas
• Offices in North America, Europe, Middle East, Africa, Asia, and Australia
• Serving Power, Oil & Gas, and Processing industries globally

Industry Leadership
• First-to-market solutions in ICS Cybersecurity, Alarm Management, and HP HMI
• Honeywell, INTECH, Intergraph, Invensys, and NovaTech ecosystem
• AIChE, EEMUA 191, EPRI, ISA, NERC CIP, NIST, NPRA, and OSHA standards
• 20% annual R&D reinvestment

By The Numbers
• 400+ customers
• 1,046 plant sites
• 8,749 licenses
• 20,560 automation assets managed
• 40,000+ users


Thank You

David Zahn
CMO, GM of Cybersecurity Business Unit

dzahn@pas.com