Developing a Cybersecurity Defense

Brad Bonfiglio, CEMDirector – Consultant Solution Architect TeamSchneider Electric

Agenda• What is Cybersecurity• Customer Examples• Risk-based Approach• 6-step Defense in Depth• Best Practices• Conclusion

CybersecurityCybersecurity is securing against risks, threats and possible crime

The objective of cybersecurity is to help provide increased levels of protection for information and physical assets from theft, corruption, misuse, or accidents while maintaining access for intended users

Real Time Cyber Attackshttps://cybermap.kaspersky.comhttps://www.fireeye.com/cyber-map/threat-map.html

Cybersecurity Landscape

Common Cybersecurity Deficiencies

• Lacking situation awareness• Lacking appropriate network

segmentation and security • Lacking appropriate endpoint security• Failure to follow Best Practice

guidance• Deficient Disaster Recovery Validation

0

50

100

150

200

2006

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

2017

2018

New Malware Potential Avenues of Compromise

Cybersecurity Incident Types

There is a hacker attack every 39 seconds

Average cost of data breach in 2020 will exceed $150m

Current Business Trends

Where the story begins…Industrial PLCs 2010

June 2010: discovery of Stuxnet,1st worm developed to target automation system (Win PC & PLC). 1/3 of the centrifuges were destroyed. The Iranian nuclear program delayed by >2 years.

Network Security 2013

December 2013 Target Pays $18.5M to 47 states!

May 2014 Profit Fall 46% or $520M

Firewalls between BMS and corporate information is vital

Network Security 2016

3B user accounts compromised

Verizon-knocks $350m off Yahoo sale with data-breaches

Network Security 2017

May to July 2017 44% of US effected (145.5M)

Triggers class-action lawsuit

Ransomware

Network Security April 2018

Effected 5 of the cities 13 government departments

SamSammalware infection

The attacked stopped revenue collection

Network Security Nov. 2018

Marriott data breach of 500M guests at Starwood properties since 2014

Names, email address, DOB, Passport #, address and phone #

Key Requirements for A Risk Based Approach• Asset Identification• Threat Identification

• Vulnerability Identification• Existing Security Controls

Identification• Consequence Analysis

• Risk Ranking• Security Controls

Recommendations

Commercial Cybersecurity is More Than Just IT Security

Do you think Re-Shuffling IT priorities willallow OT needs to be met?

The “Defense in Depth” (DID) Approach 1. Security Plan

2. NetworkSeparation

3. PerimeterProtection

4. NetworkSegmentation

5. DeviceHardening

6. Monitoring &Update

6 Key Steps

Defense in Depth –Step 1: Security Plan

Assessment and Design Service

Product Alerts

Password Policy

Patch Updates

• Define• Roles and responsibilities• Allowed activities, actions and

processes• Consequences of non-compliance

• Full network assessment• Communication paths• Audit of all device• Security settings• Network drawings

• Vulnerability assessment• Potential threats• Consequences, risk assessment and

mitigation

Example Policy: Password Management

Policies and procedures on

password management

are often lacking or missing entirely

• Change all default passwords • Grant passwords only to people who need

access; Prohibit sharing• Do not display passwords during password

entry• Passwords should be strong• Require users/applications to change

passwords on a scheduled interval• Remove employee access account when

employment has terminated• Require use of different passwords for

different accounts, systems, and applications (i.e. roles)

• Passwords should not be transmitted electronically over the insecure Internet, such as via e-mail

Defense in Depth –Step 2: Network SeparationSeparate the Automation & Control System from the outside world• Create a ‘buffer’ network

(DMZ or demilitarized zone) between the BAS network and the rest of the world, using routers and firewalls

• Block inbound traffic to the BAS except through the DMZ firewall

• Limit outbound traffic to essential and authorized traffic only

• DMZ host for servers• Web Servers• Cloud • SQL Servers• Mail Servers

Defense in Depth –Step 3: Perimeter ProtectionProtect the Automation & Control System perimeter using a firewall• Validate packets and protocols• Manage authorization of

certain data packets• Restrict IP address or user

access via authorization and authentication

Secure remote accesses• Use the VPN technology of

routers and firewalls• Use the latest authentication

and authorization technologies; they’re evolving fast

Network Security – VLANSBACnet/SC to

BACnet/SC Router

Hub

Node

Node

Node

Node

Node

Node

Node

Node

Node

Defense in Depth –Step 3: Perimeter ProtectionFirewall: A device for filtering packets based on source/destination IP address and protocolIngress and Egress filtering• Source IP addresses should

be very fewRule Placement• Rules that address the

expected traffic• Permit Rules should have

specific IP addresses and TCP/UDP port numbers

Only Pre-defined traffic should be allowed from the IT network to control network

Defense in Depth –Step 4: Network Segmentation & Zones• Apply normal firewall

rules• Deep packet inspection

• Filter data requests to read/write

• Limit access to specific registers/ports

• Allow or disallow programming

• MAC address filtering• Use special rules to

mitigate vulnerabilities by blocking before they reach the device

Defense in Depth –Step 5: Device HandlingOn All Devices

• Replace default passwords with ‘strong’ passwords

• Shut off unused ports, communication services and hardware interfaces

• Set up broadcast limiter functions

• Use multicast message filteringOn Computers

• Forbid or seriously control the use of any external memory

On Software• Set up all security features:

passwords, user profiles, operator action logging

On Network Switches• Restrict access on ports to

assigned addresses only

Defense in Depth –Step 6: Monitor & Update• Monitor, Manage and

Protect service• 24/7 remote security

monitoring• Configuration monitoring• Reporting for Audit

Compliance• Network and Host Intrusion

Detection systems

Monitor• Authentication traps• Windows Event Viewer• Unauthorized login

attempts• Unusual activity• Network load• Device log files

Network Security Best Practices• Most BAS and Security System

design do not cover network security in enough detail.

• Anti-virus is rarely included or defined

• No mention of Security aspects on Network Switches (Client/IT specified):• Port Security, Firewall• VLAN or VPN Separated entities,

DMZ• No 3rd party plugins (JAVA,

Silverlight, etc.)

• DIARMF* compliant related projects

*Department of Defense Information Assurance Risk Management Framework

Designing for a Secure Solution• Collaboration with the

customer’s IT department during the early part of the design process

• Consult with manufacturers to understand the product/software security features

• Specify latest versions of all software

• Develop specifications in combination with the customer’s IT department

• Coordinate remote and local access as well as permanent or temporary network installation

Enhanced BMS Cybersecurity Features Today

Advanced Encryption and Authentication• Secure communications

throughout server / client system

IT System Integration• Enable IT management of user

and password policies• Enable IT monitoring of system

events

Full System Backup, Recovery and Reconstitution• Minimize downtime

At or Above Market Level

Technology highlights available:

• TLS 1.2 support

• CA Certificates

• Secure email via SSL

• Custom Login Banner

• Password policies

• Two Factor Authentication

• Change password on first use

• Auto logoff timers

• Role-Based Access Control (RBAC)

• Object Level Security

• Active Directory integration

• Application Whitelisting / IP Filtering

• Audit logs / Syslog

• Security Information and Event Monitoring (SIEM) integration

ConclusionCybersecurity addresses attacks on or by computer systems through computer networks that can result in accidental or intentional disruptions

The goal of cybersecurity is to provide increased levels of protection for information and physical assets from theft, corruption, misuse, or accidents while maintaining access for their intended users

Cyber security is an ongoing process that encompasses procedures, policies, software, and hardware

SummarySecurity implementation is a solution, not a product • People, policies, architectures, &

products

Security requires a multilayer or Defense in Depth (DiD) approach• Security plan, network separation,

perimeter protection, networksegmentation, device hardening, monitoring, & updating

• A Defense-in-Depth approach is the best approach: Mitigates risk and improves system reliability

Published ResourcesFive Best Practices to Improve BMS Cybersecurity

TVDA - Reducing Vulnerability to Cyber Attacks

Cyber Security Portal - Schneider Electric

Ensure your vital data and systems are secure

Information Technology System Planning Guide

QUESTIONS?