About NitroSecurity
Born from the INL
Highly Optimized Core Architecture, Using Patented Technology
- 8 unique mechanisms to improve performance (collection & analysis)
- Unique mechanisms to improve the diversity of supported devices
- Unique mechanisms to improve storage efficiency and archiving
- Additional open technology to further optimize performance
Products built on the core: NitroEDB, IDS / IPS, SIEM, Log Mgmt, Database Monitor, Application Data Monitor
All Assets Need Security
– “The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.” ~ CIP-007-3 (R6)
What does this mean?
1. The assets themselves need security baked in
– Hardened (ports & services)
– Cleaned (protected against malware and patched)
– Restricted (account / access control)
– Monitored (audit trail of security event activity)
2. All Assets need to be monitored as a system
– Analyzed (trends, anomalies)
– Correlated (threats, risk)
– Organized (reports, compliance)
Alternate Security Monitoring
• What if an Asset doesn’t produce sufficient security events?
– CIP compliant “drop in” security appliances can passively monitor the control system
– Events are generated passively (no impact to asset)
• Example
– Network-based IDS with advanced SCADA preprocessors
– Advanced detection signatures for exploit threats against control systems (e.g., OPC)
What’s a SIEM?
• A Security Information & Event Management System (SIEM) collects all relevant information from the enterprise network, to:
– Understand systems & protocols of the ENTERPRISE
– Detect patterns indicative of THREATS
– Analyze VULNERABILITY and RISK
– Provide forensic detail required to INVESTIGATE
– Provide actionable data for INCIDENT RESPONSE
– Produce a clear audit trail for COMPLIANCE
But this isn’t “The Enterprise” … it’s a Control System
Diagram courtesy of US CERT
So, what does the Control System need?
• A Security Information & Event Management System (SIEM) that collects all relevant information from the control system, to:
– Provide CONTEXT to threats within the Control System
– Monitor Control System SYSTEMS & PROTOCOLS to detect anomalies/patterns that threaten RELIABILITY
– Analyze EVENTS in accordance with CIP-007
– Provide actionable data for INCIDENT RESPONSE
– Produce auditable reports for SUSTAINED NERC-CIP COMPLIANCE
The Secure Enclave
Diagram: Critical Assets and all systems that access them inside the enclave, with Other Cyber Assets and outside systems & services (e.g., Internet) beyond it
… is it this easy?
The Evolution of Threats
• They’re moving “up the stack”
– Targeting the application layer
• They’re getting more complex
– Multiple vectors
– Tiered reconnaissance
– Low & slow profiles
Threats are “Moving up the Stack”
① Physical
② Data Link
③ Network
④ Transport
⑤ Session
⑥ Presentation
⑦ Application
Physical Security = Who enters the control room
Routable Access Control = Who connects to cyber assets
Database Security = Who / what accesses Historian
Application Security = Who logs in to sensitive applications
Authorized Applications Break the ESP
① Physical
② Data Link
③ Network
④ Transport
⑤ Session
⑥ Presentation
⑦ Application
Physical Access = Personal Identity (name, badge #)
Network Access = Logical Identity (IP, MAC, hostname)
Backend Access = Session Identity (port ID, session ID)
Application Access = User Identity (login, domain name, etc)
Re-examining the Enclave
Diagram: Critical Assets together with Business Apps & Services, CS Apps & Services and Remote Apps & Services, with Other Cyber Assets and outside systems & services (e.g., Internet) beyond them
… the ESP is blurred
– Monitor activity from outside of the enclave
– Monitor Business Apps & Services
– Monitor Control Systems Apps & Services
Monitoring all Layers of the ESP
① Physical
② Data Link
③ Network
④ Transport
⑤ Session
⑥ Presentation
⑦ Application
Physical Security = Who enters the control room
– Physical Access Control / Endpoint Security: entry scanner logs, biometrics, etc.
Routable Access Control = Who connects to cyber assets
– Separation of Networks: IPS, firewalls, access control lists, etc.
Database Security = Who / what accesses Historian
– Database Access Control: database monitoring, DB log analysis, IAM, etc.
Application Security = Who logs in to sensitive applications
– Application / Use Policies: application monitoring, application whitelisting, etc.
Enhancing SIEM for the Control System
• Behavior Monitoring
– Establish baseline network and asset behavior
• Advanced Vulnerability Assessment
– Understand vulnerabilities specific to control systems
• Advanced Correlation
– Identify threats within the context of the control system
• Identity Management
– Map logical ID (usernames) to Personnel (CIP-003)
• Change Management
– Monitor configuration changes
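As an added example (not NitroSecurity’s code), the cross-layer correlation the slides describe: a logical identity (username, source IP) is mapped to a person (the CIP-003 style mapping), then each application login is checked against a behaviour baseline of hosts that account normally uses and against the physical entry logs. All personnel, badge numbers, hosts and log lines below are constructed.

```python
from datetime import datetime, timedelta

# Constructed identity map: logical ID -> personnel record (all values invented)
PERSONNEL = {"jdoe": {"badge": "B1001", "name": "J. Doe"},
             "ops2": {"badge": "B1002", "name": "Ops Shift 2"}}
# Constructed behaviour baseline: hosts each account is normally seen from
BASELINE_HOSTS = {"jdoe": {"10.0.5.21"}, "ops2": {"10.0.5.22", "10.0.5.23"}}

BADGE_LOG = [  # constructed physical entry events: (time, badge, door)
    ("2024-03-01 07:55:00", "B1001", "control_room"),
]
APP_LOG = [  # constructed application logins: (time, user, src_ip, app)
    ("2024-03-01 08:02:00", "jdoe", "10.0.5.21", "hmi"),
    ("2024-03-01 08:10:00", "ops2", "10.0.5.22", "historian"),
    ("2024-03-01 08:30:00", "jdoe", "10.0.9.77", "hmi"),
    ("2024-03-01 09:00:00", "svc_backup", "10.0.5.30", "historian"),
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def badge_present(badge, when, window=timedelta(hours=2)):
    """True if this badge passed a door within `window` before `when`."""
    return any(b == badge and when - window <= ts(t) <= when
               for t, b, _ in BADGE_LOG)


def correlate(app_log=APP_LOG):
    """Return (time, user, finding) for logins that break the identity
    mapping, the host baseline, or the physical-presence check."""
    findings = []
    for t, user, ip, app in app_log:
        when = ts(t)
        person = PERSONNEL.get(user)
        if person is None:  # logical ID with no owner: cannot be attributed
            findings.append((t, user, "no personnel mapping for logical ID"))
            continue
        if ip not in BASELINE_HOSTS.get(user, set()):
            findings.append((t, user, f"login to {app} from non-baseline host {ip}"))
        if not badge_present(person["badge"], when):
            findings.append((t, user, f"login to {app} with no badge entry in last 2h"))
    return findings


if __name__ == "__main__":
    for t, user, finding in correlate():
        print(t, user, finding)
```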
Turning Data into Intelligence
Diagram: data sources feeding the SIEM: events from SCADA HIDS, NIDS, firewalls and other security devices; Historian transactions; OS events; contents of Business Apps & Services; user identity; VA scan data; asset event logs; authentication & IAM; location; physical entry logs
Thank You!