industrial security: manufacturing facility learns about ... · pdf fileindustrial security:...
TRANSCRIPT
Unrestricted © Siemens Industry Inc. 2016. All rights reserved. www.usa.siemens.com/services
Industrial Security: Manufacturing Facility Learns about
Vulnerability and Risk aster Assessment (case study)
Ken Keiser
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 2 Ken Kesier
Current Events
Page 2
Pressure SCADA Developers on Security
Dangerous Security Holes in U.S.
Power Plant & Factory Software Hacking the Grid
U.S. at Risk of Hack Attack
Aging industrial control systems increasingly
vulnerable to cyber attack
Feb. 12, 2013: „Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses... Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.“
- U.S. President Barack Obama
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 3 Ken Kesier
External News
Page 3
December 2014
“…the attackers used a spear
phishing campaign aimed at
particular individuals in the
company to trick people into
opening messages that sought
and grabbed login names and
passwords.”
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 4 Ken Kesier
Chrysler Hack
Page 4
Spring 2015
Researchers found
vulnerabilities in
Chrysler automobiles
allowing someone to
take control of a vehicle
remotely.
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 5 Ken Kesier
Why Do this Cyber Security Assessment?
Page 5
Compelling Event!
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 6 Ken Kesier
Industrial Security
Security Integrated is an essential component of a Defense in Depth concept
Plant security
• Access blocked for unauthorized persons
• Physical prevention of access to critical components
Network security
• Controlled interfaces with SCALANCE firewalls
• Further segmentation with Advanced CPs
System integrity
• Know-how protection
• Copy protection
• Protection against manipulation
• Access protection
• Expanded access protection with CP 1543-1
Siemens products with Security Integrated provide security features such as integrated
firewall, VPN communication, access protection, protection against manipulation.
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 7 Ken Kesier
Step 2:
Implement
Planning, development and
implementation of a holistic
cyber security program
Step 3:
Manage
Continuous security through
detection and proactive protection
Risk Management methodology
• Vulnerability analysis
• Gap analysis
• Threat analysis
• Risk analysis
• Continuous operations
• Detection and resolution of
incidents
• Fast adaptation to changing
threats
• Cyber security training
• Development of security
strategies and procedures
• Implementation of security
technology
Step 1:
Assess
Information about the
security status and
development of a security
roadmap
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 8 Ken Kesier
Assessment Process
Setup
• Gather Information
• Online meeting to confirm
Action day
• Meeting to discuss process
• Plant Tour
• Active Network Analysis
Analysis
• Siemens write-up
• Face-to-face meeting to summarize results
Page 8
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 9 Ken Kesier
Plant Tour Found…
• HMIs connected to Internet
• Inconsistent USB policies
• Non-Logical USB policies
• Active malware on plant computers
• Old Operating systems (DOS, NT, 2000, XP)
• Modem connected to PLC (unknown)
• Whitelisting disabled
• Network devices not owned by any group
• Corporate wide flat network (obfuscated by VLANs)
• Inconsistent backup programs (cell by cell)
• No plan B for important applications running on legacy equipment
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 10 Ken Kesier
Deliverables
Page 10
Customer 3
Title Initiative 3
Observation What was found
Blah blah blah
Yada yada yada
Priority Medium
Recommendation Implement program
• Long report with appendices
• List of current issues
• review of each proposed
initiative individually
Customer 2
Title Initiative 3
Observation This is what we found…
Priority High
Recommendation Implement program
Customer 1
Title Initiative 1
Observation This is what we found…
Priority High
Recommendation Implement program
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 11 Ken Kesier
What’s Next
Additional projects, strategy, or thoughts about
the future
• Prioritized list of initiatives for this plant
• Investigate ways to securely monitor
network activity
• (SIEM = Security information and event
management )
Page 11
Example of a SIEM dashboard
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 12 Ken Kesier
Benefits of Assessment
• We were able to review the cyber security footing
• Found some areas that could be improved
• IT in Corporation worked with us
• Better understanding of risks
• Prioritized list of topics (Color coded below)
• Criticality and Cost Review
Page 12
Description of Initiative Relative Cost
XXX $$
YYY $
ZZZ $-$$$
AAA $
BBB $
CCC $-$$
MMM $$
NNN $
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 13 Ken Kesier
State of the Manufacturing environment (IoT)
Enterprise Environment Customer
Environment
Connected
Services
Connected
Products
Enterprise IT
Plants
Supply Chain
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 14 Ken Kesier
State of the Manufacturing environment (IoT)
Enterprise Environment Customer
Environment
Connected
Services
Connected
Products
Enterprise IT
Plants
Supply Chain
IT/OT Integration
Business drivers are forcing the
connectivity of IT and OT. This
establishes new attack avenues to
critical OT.
Information Technology (IT)
Internet-connected networks and devices that
enable a company to do business, are filled with
exposures and face constant attack.
Operational Technology (OT)
Industrial Control Systems (ICS) comprise most
of the OT environment. These systems allow
operators to monitor and control industrial
processes, and are the lifeblood of industrial
companies.
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 15 Ken Kesier
Manufacturing
Flat Network
Mix of Legacy and New, NOT isolated
Process
Hierarchical Net
Legacy System Already isolated
What we found in a Manufacturing Site (Versus a Process Site)
Page 15
IT
Flat Network
Confidentiality Updated Hardware
Availability
Integrity
Confidentiality
Confidentiality
Integrity
Availability
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 16 Ken Kesier
Segmentation (showing real PCS 7 network)
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 17 Ken Kesier
DMZ concept
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 18 Ken Kesier
Conclusion
• Assessment helped plant focus on Cyber Security
• Roadmap to improve our position
• Blueprint for future plants
• Confirmed results of previous assessments
Page 18
Unrestricted © Siemens Industry Inc. 2016. All rights reserved.
2016-23-03 Page 19 Ken Kesier
Questions
Page 19