Developing a Cybersecurity Defense...Security implementation is a solution, not a product •...
Transcript of Developing a Cybersecurity Defense...Security implementation is a solution, not a product •...
Developing a Cybersecurity Defense
Brad Bonfiglio, CEMDirector – Consultant Solution Architect TeamSchneider Electric
Agenda• What is Cybersecurity• Customer Examples• Risk-based Approach• 6-step Defense in Depth• Best Practices• Conclusion
CybersecurityCybersecurity is securing against risks, threats and possible crime
The objective of cybersecurity is to help provide increased levels of protection for information and physical assets from theft, corruption, misuse, or accidents while maintaining access for intended users
Real Time Cyber Attackshttps://cybermap.kaspersky.comhttps://www.fireeye.com/cyber-map/threat-map.html
Cybersecurity Landscape
Common Cybersecurity Deficiencies
• Lacking situation awareness• Lacking appropriate network
segmentation and security • Lacking appropriate endpoint security• Failure to follow Best Practice
guidance• Deficient Disaster Recovery Validation
0
50
100
150
200
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
New Malware Potential Avenues of Compromise
Cybersecurity Incident Types
There is a hacker attack every 39 seconds
Average cost of data breach in 2020 will exceed $150m
Current Business Trends
Where the story begins…Industrial PLCs 2010
June 2010: discovery of Stuxnet,1st worm developed to target automation system (Win PC & PLC). 1/3 of the centrifuges were destroyed. The Iranian nuclear program delayed by >2 years.
Network Security 2013
December 2013 Target Pays $18.5M to 47 states!
May 2014 Profit Fall 46% or $520M
Firewalls between BMS and corporate information is vital
Network Security 2016
3B user accounts compromised
Verizon-knocks $350m off Yahoo sale with data-breaches
Network Security 2017
May to July 2017 44% of US effected (145.5M)
Triggers class-action lawsuit
Ransomware
Network Security April 2018
Effected 5 of the cities 13 government departments
SamSammalware infection
The attacked stopped revenue collection
Network Security Nov. 2018
Marriott data breach of 500M guests at Starwood properties since 2014
Names, email address, DOB, Passport #, address and phone #
Key Requirements for A Risk Based Approach• Asset Identification• Threat Identification
• Vulnerability Identification• Existing Security Controls
Identification• Consequence Analysis
• Risk Ranking• Security Controls
Recommendations
Commercial Cybersecurity is More Than Just IT Security
Do you think Re-Shuffling IT priorities willallow OT needs to be met?
The “Defense in Depth” (DID) Approach 1. Security Plan
2. NetworkSeparation
3. PerimeterProtection
4. NetworkSegmentation
5. DeviceHardening
6. Monitoring &Update
6 Key Steps
Defense in Depth –Step 1: Security Plan
Assessment and Design Service
Product Alerts
Password Policy
Patch Updates
• Define• Roles and responsibilities• Allowed activities, actions and
processes• Consequences of non-compliance
• Full network assessment• Communication paths• Audit of all device• Security settings• Network drawings
• Vulnerability assessment• Potential threats• Consequences, risk assessment and
mitigation
Example Policy: Password Management
Policies and procedures on
password management
are often lacking or missing entirely
• Change all default passwords • Grant passwords only to people who need
access; Prohibit sharing• Do not display passwords during password
entry• Passwords should be strong• Require users/applications to change
passwords on a scheduled interval• Remove employee access account when
employment has terminated• Require use of different passwords for
different accounts, systems, and applications (i.e. roles)
• Passwords should not be transmitted electronically over the insecure Internet, such as via e-mail
Defense in Depth –Step 2: Network SeparationSeparate the Automation & Control System from the outside world• Create a ‘buffer’ network
(DMZ or demilitarized zone) between the BAS network and the rest of the world, using routers and firewalls
• Block inbound traffic to the BAS except through the DMZ firewall
• Limit outbound traffic to essential and authorized traffic only
• DMZ host for servers• Web Servers• Cloud • SQL Servers• Mail Servers
Defense in Depth –Step 3: Perimeter ProtectionProtect the Automation & Control System perimeter using a firewall• Validate packets and protocols• Manage authorization of
certain data packets• Restrict IP address or user
access via authorization and authentication
Secure remote accesses• Use the VPN technology of
routers and firewalls• Use the latest authentication
and authorization technologies; they’re evolving fast
Network Security – VLANSBACnet/SC to
BACnet/SC Router
Hub
Node
Node
Node
Node
Node
Node
Node
Node
Node
Defense in Depth –Step 3: Perimeter ProtectionFirewall: A device for filtering packets based on source/destination IP address and protocolIngress and Egress filtering• Source IP addresses should
be very fewRule Placement• Rules that address the
expected traffic• Permit Rules should have
specific IP addresses and TCP/UDP port numbers
Only Pre-defined traffic should be allowed from the IT network to control network
Defense in Depth –Step 4: Network Segmentation & Zones• Apply normal firewall
rules• Deep packet inspection
• Filter data requests to read/write
• Limit access to specific registers/ports
• Allow or disallow programming
• MAC address filtering• Use special rules to
mitigate vulnerabilities by blocking before they reach the device
Defense in Depth –Step 5: Device HandlingOn All Devices
• Replace default passwords with ‘strong’ passwords
• Shut off unused ports, communication services and hardware interfaces
• Set up broadcast limiter functions
• Use multicast message filteringOn Computers
• Forbid or seriously control the use of any external memory
On Software• Set up all security features:
passwords, user profiles, operator action logging
On Network Switches• Restrict access on ports to
assigned addresses only
Defense in Depth –Step 6: Monitor & Update• Monitor, Manage and
Protect service• 24/7 remote security
monitoring• Configuration monitoring• Reporting for Audit
Compliance• Network and Host Intrusion
Detection systems
Monitor• Authentication traps• Windows Event Viewer• Unauthorized login
attempts• Unusual activity• Network load• Device log files
Network Security Best Practices• Most BAS and Security System
design do not cover network security in enough detail.
• Anti-virus is rarely included or defined
• No mention of Security aspects on Network Switches (Client/IT specified):• Port Security, Firewall• VLAN or VPN Separated entities,
DMZ• No 3rd party plugins (JAVA,
Silverlight, etc.)
• DIARMF* compliant related projects
*Department of Defense Information Assurance Risk Management Framework
Designing for a Secure Solution• Collaboration with the
customer’s IT department during the early part of the design process
• Consult with manufacturers to understand the product/software security features
• Specify latest versions of all software
• Develop specifications in combination with the customer’s IT department
• Coordinate remote and local access as well as permanent or temporary network installation
Enhanced BMS Cybersecurity Features Today
Advanced Encryption and Authentication• Secure communications
throughout server / client system
IT System Integration• Enable IT management of user
and password policies• Enable IT monitoring of system
events
Full System Backup, Recovery and Reconstitution• Minimize downtime
At or Above Market Level
Technology highlights available:
• TLS 1.2 support
• CA Certificates
• Secure email via SSL
• Custom Login Banner
• Password policies
• Two Factor Authentication
• Change password on first use
• Auto logoff timers
• Role-Based Access Control (RBAC)
• Object Level Security
• Active Directory integration
• Application Whitelisting / IP Filtering
• Audit logs / Syslog
• Security Information and Event Monitoring (SIEM) integration
ConclusionCybersecurity addresses attacks on or by computer systems through computer networks that can result in accidental or intentional disruptions
The goal of cybersecurity is to provide increased levels of protection for information and physical assets from theft, corruption, misuse, or accidents while maintaining access for their intended users
Cyber security is an ongoing process that encompasses procedures, policies, software, and hardware
SummarySecurity implementation is a solution, not a product • People, policies, architectures, &
products
Security requires a multilayer or Defense in Depth (DiD) approach• Security plan, network separation,
perimeter protection, networksegmentation, device hardening, monitoring, & updating
• A Defense-in-Depth approach is the best approach: Mitigates risk and improves system reliability
Published ResourcesFive Best Practices to Improve BMS Cybersecurity
TVDA - Reducing Vulnerability to Cyber Attacks
Cyber Security Portal - Schneider Electric
Ensure your vital data and systems are secure
Information Technology System Planning Guide
QUESTIONS?