NIL - Siemens d.o.o. Beograd · © 2017 NIL, Security Tag: PUBLIC · nil.com
TRANSCRIPT
"There are two kinds of big companies: those who've been hacked, and those who don't know they've been hacked."
James Comey
• 200+ days: median number of days attackers are present on a victim's network before detection
• 80 days: from detection to full recovery
• $3 trillion: impact of lost productivity and growth
• $3.5 million: average cost of a data breach (15% YoY increase)
[Timeline, 2008-2015, of ICS malware campaigns: Stuxnet deployed / Stuxnet detected; Havex launched / Havex detected*; BlackEnergy launched / BlackEnergy detected. The year each event sits on is not recoverable from the extraction.]
Cyber threats to ICS networks are increasing
More damaging than ever
• Destroyed uranium centrifuges
• Manipulated steel mill equipment
• Ruptured oil pipeline
• Range of cost to company: $1.9M - $65M
Digital Transformation on a Massive Scale
[Figure: three growth axes, Attack Sophistication, Threat Actors and Attack Surface, with the headline numbers: Global Cybercrime Market $450B to $1T; 15B devices today, 500B devices in 2030; a $19T opportunity over the next 10 years.]
Threat-Centric Security Model (Attack Continuum)
  Before:  Discover, Enforce, Harden
  During:  Detect, Block, Defend
  After:   Scope, Contain, Remediate
Applies across Network, Endpoint, Mobile, Virtual and Cloud.
Point-in-time -> Continuous
Security Challenges (across Evolving Threats, Security Operations and Compliance)
• Detect, understand, and block
• Manual process
• Short on resources
• Long provisioning times
• Costly
• Complex validation process
Attackers
Today's hackers are more advanced than ever:
• 60% of data is stolen in hours; detection can take weeks or months
• 95% of data center breaches can be tied to misconfigured security solutions
• 100% of companies connect to domains that host malicious files or services
• Well-funded: they are part of massive operations
• Inventive: they rapidly change their tactics and tools, finding new vulnerabilities to exploit
• Insidious: they blend in with the targeted organization, sometimes taking weeks or months to establish multiple footholds in infrastructure and user databases
Sources: Verizon 2014 Data Breach Investigations Report (DBIR); Gartner; Cisco Annual Security Report 2015
Unique Needs & Differing Security Perspectives (IT vs. OT)
Information Security Triad (in priority order)
  IT: Confidentiality, Integrity, Availability
  OT: Availability, Integrity, Confidentiality
Access Control
  IT: Strict identity management, network authentication and access policies; data and application privileges
  OT: Strict physical access; simple network device access; insecure inside systems (SCADA)
Threat Detection & Mitigation
  IT: Shut down access to the detected threat
  OT: Isolate the threat but keep operating
Upgrades
  IT: Automatically pushed during uptime
  OT: Scheduled during downtime
Implications of a Device Failure
  IT: Work around or wait
  OT: Production is down ($$'s per hour, or worse)
Product Lifecycles
  IT: 3 years or less
  OT: 10-15 years
IT/OT Converged Security Model
[Architecture diagram, Purdue-style levels from bottom to top: Device Level 0; Control & Safety Level 1; Supervisory Level 2; Control Center Level 3; DMZ Level 3.5; Enterprise Levels 4-5 (site, center, core networks, Internet). Two parallel network fabrics: Process Control & Safety Networks (serial/hardwired, process Ethernet) and Multiservice Networks (multiservice Ethernet, WAN, wireless, operational telecoms LAN/field). A SIEM collection point is drawn at every level.
Field and control components shown: sensors, wireless sensors, instrumentation, actuators, motors, valves, drives, pumps, breakers, power monitors, starters, legacy RTU, controllers (process, power, safety), safety systems.
Supervisory and site components shown: HMI, historian, SCADA system head-end, operator & engineer workstations, process automation system server, process historian / distributed historian, application servers, operational business systems, Manufacturing Execution System (MES), Distributed Control System (DCS), PCN domain controller, Safety & Security.
DMZ (Level 3.5) services shown: DMZ domain controller, identity services, centralized log collection, compliance, remote engineering via secure TPA, historian (replica), vendor-qualified anti-virus, vendor-qualified patching, terminal services, asset inventory.
Multiservice users shown: CCTV, access control, voice, mobile worker, fleet, RFID, printer, power room.]
Example - Initial state
[Diagram: IT side: Win 10 and Win 7 workstations, Active Directory, file server. OT side: Win XP and Win 7 hosts, SCADA, PLC, sensor. The two sides share one flat network; links labelled "login", "access" and "data" run between the OT hosts and IT's Active Directory and file server, with no boundary between them.]
Example - After IT/OT separation
[Diagram: the same IT hosts (Win 10, Win 7, Active Directory, file server) and OT hosts (Win XP, Win 7, SCADA, PLC, sensor), now with a firewall inserted between the IT and OT sides; the direct login/access/data links of the initial state no longer cross the boundary.]
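The two example slides only show a firewall being dropped between IT and OT; the converged model a few slides earlier is what that firewall's policy should actually encode: every IT-to-OT path terminates on a service in the Level 3.5 DMZ (jump host, historian replica, patch relay, log collector), and nothing else crosses. The following is an added example, not code from the deck or from NIL/Siemens. It models that policy as a zone-based default-deny allow list, lints it for rules that would let enterprise traffic bypass the DMZ, and evaluates the flat-network flows from the "initial state" slide against it. The zone names, the 10.x address plan, the ports and the specific allowed flows are all assumptions chosen for illustration.

```python
"""Zone-based IT/OT segmentation policy checked against constructed flows.

Added example, not code from the NIL/Siemens deck. The zone names, the
10.x address plan, the ports and the allowed flows are assumptions chosen
to illustrate the slides' Purdue-style levels: Levels 0-1 process, Level 2
supervisory, Level 3 site operations, Level 3.5 DMZ, Levels 4-5 enterprise.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical address plan: one subnet per zone.
ZONES = {
    "enterprise":  ip_network("10.0.0.0/16"),  # Levels 4-5: AD, file server, Win 10/7 clients
    "dmz":         ip_network("10.1.0.0/24"),  # Level 3.5: jump host, historian replica, patch relay, log collector
    "site_ops":    ip_network("10.2.0.0/24"),  # Level 3: MES, process historian, PCN domain controller
    "supervisory": ip_network("10.3.0.0/24"),  # Level 2: SCADA head-end, HMI, engineering workstations
    "process":     ip_network("10.4.0.0/24"),  # Levels 0-1: controllers, PLCs, sensors
}
OT_ZONES = {"site_ops", "supervisory", "process"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    comment: str


# Explicit allow list; anything not listed is dropped (default deny).
# Invariant: no rule joins "enterprise" directly to an OT zone; every IT<->OT
# path terminates on a service in the Level 3.5 DMZ.
ALLOW: List[Rule] = [
    Rule("enterprise",  "dmz",         "tcp", 3389, "admins RDP to the DMZ jump host"),
    Rule("enterprise",  "dmz",         "tcp", 443,  "enterprise reads the historian replica"),
    Rule("dmz",         "supervisory", "tcp", 3389, "jump host to an engineering workstation (remote engineering)"),
    Rule("site_ops",    "dmz",         "tcp", 1433, "process historian pushes data to the DMZ replica"),
    Rule("supervisory", "site_ops",    "tcp", 1433, "SCADA head-end writes to the process historian"),
    Rule("supervisory", "process",     "tcp", 502,  "SCADA head-end polls PLCs over Modbus/TCP"),
    Rule("supervisory", "dmz",         "tcp", 8530, "OT hosts pull vendor-qualified patches from the DMZ relay"),
    Rule("site_ops",    "dmz",         "tcp", 8530, "OT hosts pull vendor-qualified patches from the DMZ relay"),
    Rule("supervisory", "dmz",         "udp", 514,  "syslog to centralized log collection / SIEM"),
    Rule("site_ops",    "dmz",         "udp", 514,  "syslog to centralized log collection / SIEM"),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is outside the plan."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def decide(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow under the ALLOW list."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address outside the known zones"
    if src == dst:
        return "allow", f"intra-zone traffic in {src} is not filtered at the zone boundary"
    for r in ALLOW:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (src, dst, proto, dport):
            return "allow", r.comment
    return "deny", f"no rule for {src}->{dst} {proto}/{dport} (default deny)"


def direct_it_ot_rules(rules: List[Rule]) -> List[Rule]:
    """Lint: rules that would let enterprise traffic bypass the DMZ."""
    return [r for r in rules
            if "enterprise" in (r.src_zone, r.dst_zone)
            and ({r.src_zone, r.dst_zone} & OT_ZONES)]


# Constructed flows: the three flat-network links from the "initial state"
# slide, followed by flows the segmented design is meant to keep working.
FLOWS = [
    ("Win XP HMI logs in to IT Active Directory",      "10.3.0.20", "10.0.0.10", "tcp", 88),
    ("OT Win 7 host reads the IT file server (SMB)",  "10.3.0.21", "10.0.0.11", "tcp", 445),
    ("IT Win 10 client writes directly to a PLC",     "10.0.0.50", "10.4.0.5",  "tcp", 502),
    ("SCADA head-end polls the PLC",                  "10.3.0.10", "10.4.0.5",  "tcp", 502),
    ("admin RDPs to the DMZ jump host",               "10.0.0.50", "10.1.0.10", "tcp", 3389),
    ("jump host RDPs to the engineering workstation", "10.1.0.10", "10.3.0.21", "tcp", 3389),
    ("engineering workstation ships syslog to SIEM",  "10.3.0.21", "10.1.0.20", "udp", 514),
]


def evaluate(flows=FLOWS) -> List[Tuple[str, str, str]]:
    """Return (label, verdict, reason) for every flow."""
    return [(label, *decide(s, d, p, port)) for label, s, d, p, port in flows]


if __name__ == "__main__":
    bad = direct_it_ot_rules(ALLOW)
    print("policy lint:", "OK, no direct IT<->OT rules" if not bad else bad)
    for label, verdict, why in evaluate():
        print(f"{verdict:5s}  {label}: {why}")
```

The lint function is the part worth carrying into a real deployment: a firewall between IT and OT is only as good as its rule base, and the single rule most often added under operational pressure ("just let the engineers reach the PLCs from their desks") is exactly the one that collapses the DMZ back into the flat network of the initial state.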