critical infrastructure protection… a layered security solution for gas/oil and power utilities
CRITICAL INFRASTRUCTURE PROTECTION…
A LAYERED SECURITY SOLUTION FOR GAS/OIL AND POWER UTILITIES
CRITICAL INFRASTRUCTURE PROTECTION BACKGROUNDER
CIP Industry Overview – Energy Sector
• Regulated
• Large workforce
• 24x365 service delivery
• Sell across geographies
• Complex operational controls & business systems
• Business demands
• Profitability
• Environmental leadership
• Smart grid
Critical Infrastructure Concerns
• Passwords – can be cracked in minutes
• Frequent password changes lead to help desk calls
• Existing physical access controls broken
• Attacks target critical infrastructure
‒ Loss of revenue from outage
‒ Impact to customers from outage
• Malware attacks target SCADA devices with weak security
• Compliance with NERC CIP, Presidential Executive Order
• Expense of annual compliance audits
CRITICAL INFRASTRUCTURE NETWORKS
Critical Infrastructure Networks
[Network diagram. Labels: External Access; Business Systems (HTTP etc. protocols); Industrial Control Systems (SCADA protocols); Field Systems; Core Network; Internet; Remote Access (VPN); Extended employee access; Other Facilities; Smart Grid; ICS Suppliers]
Critical Infrastructure Cyber Security Vulnerabilities
“The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.”
February 12, 2013
Barack Obama
President of the United States
Increased need for connectivity between business and ICS systems
Desktop malware infection
Spear-phishing attacks
Internet-facing ICS systems
http://proxclone.com/reader_cloner.html
Physical access controls
Malware Is Focused On Stealing Money and IP and Disrupting Infrastructures
• Physical Intrusions
• SQL Injection: Identity stolen through injected fields
• MITB / MITM / DDoS: Integrity attack – appear as the real identity
• Session Riding / Token Stealing: Identity integrity is compromised
• DNS Poisoning: URL identity is compromised
• ZITMO / MITMO: Compromising mobile SMS, photos & contacts
• Key Logging: Identity & actions compromised
Stealing and Compromising Digital Identity Is Their Key to Doing That
Traditional antivirus and perimeter solutions are necessary but ineffective
REGULATORY COMPLIANCE
“Cybersecurity is One of the Top Standing Issues facing the Electric Sector over the Next 10 Years”
Federal Energy Regulatory Commission & North American Electric Reliability Corporation
FERC:
• Oversees the US interstate transmission and pricing of a variety of energy resources, including electricity, natural gas and oil
• FERC named NERC as the government's Electrical Reliability Organization (ERO), thereby granting NERC the power to oversee and regulate the electrical market
• NERC is the organization that audits power companies and levies fines for non-compliance
NERC:
• Oversees and regulates the reliability of the North American electrical grids
• Has the legal authority to enforce reliability standards…in the United States, and make compliance with those standards mandatory and enforceable
NERC CIP and Identity Based Security
CIP-001: Sabotage reporting
CIP-002: Critical Cyber Asset Identification
CIP-003: Security Management Controls
CIP-004: Personnel and Training
CIP-005: Electronic Security Perimeters
CIP-006: Physical Security (of Critical Cyber Assets)
CIP-007: Systems Security Management
CIP-008: Incident Reporting and Response Planning
CIP-009: Recovery Plans (for Critical Cyber Assets)
CIP-010: Config. Change Mgmt. and Vulnerability Assessments
CIP-011: Information Protection
Credential Issuance & Revocation
User and Device Authentication
Physical Access Control
Credential Management
• Workflow & roles
• Audit controls
• Credential strength
Identity Based Security Solution checklist for Critical Infrastructure Protection
Strong authentication for both physical and logical systems
• People; Devices (PC, mobile); Applications; Physical Access
Flexible authenticator support
• Different types of authenticators (use cases are not homogeneous)
• Easily change out authenticators if compromise occurs
Streamlined credential management
• Across all systems
• Supports roles and separation of duties
• Supports report and audit trails
Capabilities to defeat advanced malware-based attacks
Address deployment considerations
• Users: Easy to provision, easy to use, easy to self-recover
• IT: Integrate with current business systems
Modular architecture that will grow / expand as threats and compliance needs evolve
WHAT DOES THIS MEAN FOR CRITICAL INFRASTRUCTURE ORGANIZATIONS
Layered Security for CIP
1. Remote access two-factor
2. Strong authentication for system administrators
3. Strong authentication for employees
4. Secure critical information and communications with encryption
5. SCADA command transaction approval
1. Remote Access
• Utilities must protect network access, as a breach can be severe; require multi-factor authentication
• Passwords
• Usability: many passwords to remember, frequent changes
• Insecure / easily compromised
• Must seamlessly integrate into existing IT environment
• VPN
• Workstation
• Directories
• Physical access
CIP-005-5 R2.3: Require multi-factor authentication for all Interactive Remote Access sessions
2. Administrator Strong Authentication / Dual Identities
• Prevent “pass the hash” attack for Administrators by providing two separate identities (credentials)
• One for corporate access and another for server domain access
• Mitigate the pass-the-hash threat by the Administrator not using corporate credentials for server domain access
[Diagram labels: Hash; Corporate Access; Domain Access]
3. Employee Physical / Logical Security
NIST certified
• Eliminates CIP-007 password complexity requirement
• No password changes
• One-time-password as well
Electronic Perimeter
• Simultaneous - legacy & new systems
• CIP-006 defense in depth* combining card with PIN & biometrics
Physical Perimeter
SAML
* FERC Order No. 706, Paragraph 572
4. Securing critical communications
[Architecture diagram. Labels, in slide order:]
• Deployment Flexibility
• Entrust EMS; Email Server; Optional Content Scanner
• Sending Flexibility
• Internet
• Secure PDF; Web Mail Pull / Push; Ad hoc Web push
• S/MIME Gateway
• S/MIME; OpenPGP
• Delivery Flexibility
• Web Mail Pull; S/MIME
• Mobile Flexibility
• IDG Auth.; Portal Auth.; PKI; SAN / NFS; Archive; AV / AS; Statement Gen.; Alarms / SNMP
5. Critical Transaction Monitoring
1. User initiates online transaction
Web transactions can be:
• Network access
• Application access
• Critical transactions
SCADA controls under investigation
Transaction details retrieved over secure connection
User reviews transaction on phone / tablet
Notification sent “Out of Band”
Transaction is completed and Identity Assured
Transaction is digitally signed and confirmed from mobile (X.509)
Compromised with desktop Malware?
Authentication Platform
5. Critical Transaction Monitoring with Dual Controls
• Dual controls require a second user to approve a transaction
• AKA: Maker / checker; Dual approvers; Dual signatures
• Identity of two distinct approvers is assured
• Both initiator and approver
• Transaction confirmation on mobile dramatically simplifies dual controls
• Real time notification to approver
• Simple approval on mobile device (can be digitally signed)
• Speeds up transaction completion
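A sketch of the server-side check behind the two transaction-approval slides above, added here as an example and not taken from the deck or any vendor product. It assumes HMAC-SHA256 with per-user device keys as a stand-in for the X.509 signatures the slides mention; the user names, keys and command fields are constructed.

```python
import hashlib
import hmac
import json

# Constructed per-user device keys; HMAC stands in for the X.509 signature
# a mobile credential would produce (assumption for a stdlib-only example).
DEVICE_KEYS = {"alice": b"alice-device-key", "bob": b"bob-device-key"}


def canonical(txn: dict) -> bytes:
    """Serialize deterministically so signer and verifier hash the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def sign_on_mobile(user: str, txn_as_displayed: dict) -> str:
    """What the phone does: sign exactly the details shown to the user."""
    return hmac.new(DEVICE_KEYS[user], canonical(txn_as_displayed), hashlib.sha256).hexdigest()


def verify(user: str, txn: dict, signature: str) -> bool:
    """Constant-time check that `user` signed these exact transaction details."""
    return user in DEVICE_KEYS and hmac.compare_digest(sign_on_mobile(user, txn), signature)


def authorize(txn: dict, initiator: tuple, approver: tuple) -> str:
    """Release a command only with valid signatures from two distinct users."""
    (maker, maker_sig), (checker, checker_sig) = initiator, approver
    if maker == checker:
        return "rejected: approver must differ from initiator"
    if not verify(maker, txn, maker_sig):
        return "rejected: initiator signature does not match transaction"
    if not verify(checker, txn, checker_sig):
        return "rejected: approver signature does not match transaction"
    return "approved"


def demo() -> dict:
    requested = {"id": "txn-001", "command": "open_breaker", "target": "feeder-12"}
    # Constructed tampering case: the details change after both users signed.
    tampered = dict(requested, target="feeder-99")
    a = ("alice", sign_on_mobile("alice", requested))
    b = ("bob", sign_on_mobile("bob", requested))
    return {
        "ok": authorize(requested, a, b),
        "same_user": authorize(requested, a, a),
        "tampered": authorize(tampered, a, b),
    }
```

Because each signature covers the transaction details rather than just a session, a change made on a compromised desktop after approval fails verification instead of being executed.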
Look for Identity Based Security Solution that…
Secures digital identities and information across the organization
Provides agility to quickly & easily modify policies OR Authenticators on the fly
Deployment flexibility to tie into your IT systems & business
Future Proof to grow with your business needs
THANK YOU