NIL - Siemens d.o.o. Beograd · © 2017 NIL, Security Tag: PUBLIC · nil.com (16 pages)

Posted on 28-May-2020

TRANSCRIPT


Robert Turnšek

CYBER SECURITY IN THE DIGITAL AGE


“THERE ARE TWO KINDS OF BIG COMPANIES, THOSE WHO’VE BEEN HACKED, AND THOSE WHO DON’T KNOW THEY’VE BEEN HACKED.”

James Comey

Median number of days attackers are present on a victim's network before detection: 200+

Days after detection to full recovery: 80

Impact of lost productivity and growth: $3 TRILLION

Average cost of a data breach (15% YoY increase): $3.5 MILLION


Cyber threats to ICS networks are increasing

[Timeline, 2008 to 2015: Stuxnet deployed, Stuxnet detected, Havex launched, Havex detected*, BlackEnergy launched, BlackEnergy detected]


More damaging than ever

• Destroyed uranium centrifuges
• Manipulated steel mill equipment
• Ruptured oil pipeline

Range of cost to company: $1.9M - $65M


Digital Transformation on a Massive Scale

Attack Sophistication · Threat Actors · Attack Surface

• Global Cybercrime Market: $450B to $1T
• Devices Today: 15B
• Devices In 2030: 500B
• $19T Opportunity in the Next 10 Years


Threat-Centric Security Model

Attack Continuum:
• Before: Discover, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate

Across Network, Endpoint, Mobile, Virtual and Cloud; Point-in-time and Continuous


Security Challenges

• Detect, understand, and block

• Manual process

• Short on resources

• Long provisioning times

• Costly

• Complex validation process

Evolving Threats ► Security Operations ► Compliance ►


Attackers

• 60% of data is stolen in hours; detection can take weeks or months
• 95% of data center breaches can be tied to misconfigured security solutions
• 100% of companies connect to domains that host malicious files or services

Today’s hackers are more advanced than ever

• Well-funded. They are part of massive operations
• Inventive. They rapidly change their tactics and tools, finding new vulnerabilities to exploit
• Insidious. They blend in with the targeted organization, sometimes taking weeks or months to establish multiple footholds in infrastructure and user databases

Sources: Verizon 2014 Data Breach Investigations Report (DBIR); Gartner; Cisco Annual Security Report 2015


Unique Needs & Differing Security Perspectives (IT vs. OT)

Information Security Triad
  IT: Confidentiality • Integrity • Availability
  OT: Availability • Integrity • Confidentiality

Access Control
  IT: Strict Identity Mgmt, Network Authentication, & Access Policies • Data & Application privileges
  OT: Strict Physical Access • Simple Network Device Access • Insecure inside systems (SCADA)

Threat Detection & Mitigation
  IT: Shut Down Access to Detected Threat
  OT: Isolate Threat but Keep Operating

Upgrades
  IT: Automatically Pushed During Uptime
  OT: Scheduled During Downtime

Implications of a Device Failure
  IT: Work-around or Wait
  OT: Production is Down ($$’s/hour …or worse)

Product Lifecycles
  IT: 3 years or less
  OT: 10-15 years


Attack Kill Chain


IT/OT Converged Security Model

[Architecture diagram. Levels: Device Level 0; Control & Safety Level 1; Supervisory Level 2; Control Center Level 3; DMZ Level 3.5; Enterprise Levels 4-5; Internet. Networks shown: Process Control & Safety Networks, Multiservice Networks, Serial/Hardwired, Process Ethernet, Multiservice Ethernet, WAN, Wireless, Operational Telecoms - LAN/Field, Core Networks.]

Labelled components: Sensor, Actuator, Instrumentation, Wireless Sensor, Motor, Valve, Drive, Pump, Breaker, Power Monitor, Starter, Legacy RTU, Controllers, Safety Systems, HMI, Historian, SCADA System Head-end, Operator & Engineer Workstations, Process Automation System Server, Process Historian / Distributed Historian, Application Servers, Operational Business Systems, Manufacturing Execution System (MES), Distributed Control System (DCS), Safety & Security, PCN Domain Controller, DMZ Domain Controller, Identity Services, Centralized Log Collection, Compliance, Remote Engineering via Secure TPA, Vendor Qualified Anti-Virus, Vendor Qualified Patching, Terminal Services, Asset Inventory, CCTV, Access Control, Voice, Mobile Worker, Fleet, RFID, Printer, Power Room. SIEM collection points (Site and Center) are marked throughout.


Example - Initial state

[Diagram: systems shown are Win 10, Win 7, Win XP, Active Directory, File server, SCADA, PLC, Sensor and a second Win 7; flows labelled access, data and login run directly between the IT and OT sides]


Example - After IT/OT separation

[Diagram: the same systems (Win 10, Win 7, Win XP, Active Directory, File server, SCADA, PLC, Sensor) with a Firewall placed between the IT and OT sides]


Example - Additional OT services


ENABLING IT FOR BUSINESS