
The Fusion Centre and the Protection of the Enterprise ICS/SCADA SECURITY AND CRITICAL INFRASTRUCTURE PROTECTION

Dany Gagnon

February 2017

Executive Security Advisor, IBM Security Business Unit, Central and Eastern Europe
[email protected]
+421 911 076 036

@DanyGagnon

linkedin/in/DanyGagnon


Challenges facing many ICS/SCADA (OT) environments today

• Availability is paramount; integrity and confidentiality are secondary

• The native protocols are insecure, and measures to improve them move slowly

• OT environments are slow to upgrade given the critical nature of the systems; once a system is to be updated, it is done in a slow, methodical fashion to ensure that dependent systems remain available

• OT networks run older (sometimes outdated) operating systems

• OT hosts run older antivirus signature ('.dat') files, so that the latency of rolling out a new signature file does not impact availability

• OT networks are often assumed to be secure by virtue of their obscurity and the layered firewalls surrounding them

• OT vendors are slow to implement security in their appliances and devices

• Once a system is deployed, it remains in operation for decades

• Latency is not acceptable: communication between the control system and the PLC is real-time

• Native OT protocols are neither encrypted nor authenticated

• Inline blocking of traffic is not acceptable: a false positive can halt the process


IT / OT convergence creates additional pressures

In the past, OT was ...

• isolated from IT
• run on proprietary control protocols
• run on specialized hardware
• run on proprietary embedded operating systems
• connected by copper and twisted pair

Now OT is ...

• bridged into corporate networks
• riding common internet protocols
• run on general purpose hardware with IT origins
• running mainstream IT operating systems
• increasingly connected via standard wireless technologies

What was air gapped and proprietary is now connected and general purpose


Distinct differences between corporate IT and OT security

| Area | Corporate IT | ICS/SCADA (OT) |
|---|---|---|
| Antivirus / Malware | Widely used | Used with care |
| Lifetime | 3-5 years | 5-20 years |
| Outsourcing | Widely used | Rarely used for operations |
| Patching | Frequent | Slow (requires vendor approval or extensive testing) |
| Change | Frequent | Rare |
| Security Skills and Awareness | Medium to High | Poor IT security, no awareness training |
| Security Testing | Widely used | Must be used with care |
| Physical Security | Usually secure and manned | Good controls but often remote and unmanned |


This convergence of IT and OT makes cybersecurity even more imperative


Threat actors are more sophisticated, with access to tools that make it easy to infiltrate critical infrastructures

Who

• Nation States
• Hacktivists
• Insiders

Why

• Intelligence
• Access
• Sabotage
• Data
• Understand you

How

• Valid Credentials
• Stuxnet variants
• New Exploits
• Shodan: like Google, it searches the internet, but for publicly accessible devices, and it readily exposes SCADA devices. Anyone can use it, basic searching is free, and newly discovered devices are indexed daily.
• BlackEnergy


The rapidly changing threat landscape also comes with increasing requirements for regulatory compliance

Industrial Control Systems (SCADA): IEC 62443, IEC 62351 Parts 1-8 and NIST SP 800-82

Bulk Power System Protection: NERC CIP-001 to CIP-009, NIST SP 800-53 and SP 800-82, ENISA, CPNI

Security for Home Area Networks: OpenHAN and ZigBee

Information Technology standards: ISO/IEC 27001 to 27005, ISO/IEC 15408 (Common Criteria), ISO/IEC TR 27019

Risk Management standard: ISO 31000

Business Continuity Management standard: ISO 22300 series (ISO 22301)

Smart Grid - Advanced Metering Infrastructure: NISTIR 7628 Guidelines for Smart Grid Security; ENISA Smart Grid Security Recommendations

IEC 61850 substation architecture components: Intelligent Electronic Devices (IEDs) and Remote Terminal Units (RTUs) (IEEE 1686-2007)

FERC (2003): Recovery plans

Critical Infrastructure Protection: NIST Cyber Security Framework; ENISA National Cyber Security Strategy Framework

Key:

ANSI: American National Standards Institute
AMI-SEC: Advanced Metering Infrastructure Security
CPNI: Centre for the Protection of National Infrastructure
ENISA: European Network and Information Security Agency
FERC: Federal Energy Regulatory Commission
IEC: International Electrotechnical Commission
ISO: International Organization for Standardization
NERC: North American Electric Reliability Corporation
NIST: National Institute of Standards and Technology


Network and Information Security (NIS) Directive

• The Directive will require businesses to put in place appropriate security measures:

− Enhancement of national cybersecurity capabilities and public and private cooperation

− Adoption of risk management practices in critical sectors such as energy, transport, banking and health

− Reporting of major incidents to the national authorities

• NIS adoption will require specific investments in education, equipment, cybersecurity software and efficient crisis operating processes to cope with critical situations in case of attack, and will impact the following:

− Government

− Economic operators: oil and gas, transport (air, rail, water and road), banking (credit institutions), financial markets (trading venues, central counterparties), healthcare providers, utilities (energy and drinking water supply and distribution)

− Digital infrastructure: internet exchange points (which enable interconnection between the internet's individual networks), domain name system service providers, top level domain name registries

− Digital service providers: these will also be required to take appropriate security measures and to notify incidents to the competent authority. The Directive therefore also covers online marketplaces, cloud computing services and search engines. The NIS Directive also applies to providers based outside the EU that offer services within the EU.


IoT – Increased Interconnection

Source: TU München, Prof. Dr. Alfons Kemper


Industrial IoT requires security from end to end


The traditional method of securing the enterprise is outdated

Defense in Depth alone is not enough

| Area | Old Paradigm | New Paradigm |
|---|---|---|
| Security Model | Based on Defense in Depth (DiD) | Based on DiD + Rapid Detection + Rapid Response |
| Security Operations | Steady State and Reactive | Elastic and Agile |
| Governance, Risk & Compliance | IT and Compliance Focused | Integrated Risk Management |
| Functional Domains | IT, OT, Telecom, Physical Silos | Converged |
| Security Analysis | Manual and Fragmented | Analytics and Intelligence |


The bottom line is that these modern threats and actors are forcing us to rethink how we assess risk and protect our infrastructure

17 Feb 2017

Adapt to the speed and sophistication of attacks

Understand current threat actors ranging from Insider to Nation States

Evolve defensive measures to deal with aging infrastructures

Enhance security posture when compliance is not enough

Monitor OT/IT environment in a common operating picture

Analyze large amounts of data and correlate events rapidly and accurately

Respond to incidents with established protocols based on the situation

Optimize security investments by being properly prepared

Response and preparation are key. Traditional approaches continue to ring fence critical assets with more layers of defense, relying on static defenses, with too much focus on “blocking” and not enough on “rapid response”.


What is required is a Next-Generation SOC or “Fusion Centre”

Common Fusion Centre Attributes

• Creates and nurtures an ecosystem for information sharing & collaborative action

• Integrates historically separate functions; IT Security, OT Security, Physical Security, Business Units, Fraud, Compliance, Criminal Investigation, etc.

• Coordinates collaboration and analysis to predict, prevent, discover, manage, and learn

• Promotes the creation of secure and confidential enterprise security data lake

• Develops and operationalizes analytical techniques to identify and detect unusual patterns of behavior that may be indicative of cyber attacks, crime, fraud, abuse, data loss, data compromise

• Drives transparency to enhance guidance and improve decision making


Fusion Centre is a fluid term that varies by industry and company; however, all share common attributes and structures
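Two of the constraints in this deck fit together in code: slide 2's native protocols are neither authenticated nor tolerant of inline blocking, and slide 13's fusion centre relies on analytical techniques that detect unusual patterns of behaviour. The natural meeting point is passive allow-list monitoring. The following Python is an added example, not code from the original deck or from IBM. It assumes Modbus/TCP as the representative native OT protocol (the slides name none), uses the publicly documented Modbus function codes, and runs on constructed flow records rather than live traffic. Because the protocol carries no authentication, the only usable signal is which source talks to which PLC with which function code, so the code learns a baseline of those triples during a quiet window and then reports, never blocks, anything outside it.

```python
"""Passive allow-list monitoring of an unauthenticated OT protocol.

Added example. Assumes Modbus/TCP (not named on the slides) and works on
constructed flow records: one record per request, 'ts src dst fc', where
ts is seconds since capture start, src is the master/HMI address, dst is
the PLC address and fc is the Modbus function code. Alerts are returned
to the caller; nothing here sits inline or drops traffic.
"""
from dataclasses import dataclass

# Modbus function codes used below (from the public Modbus specification).
FC_READ_HOLDING_REGISTERS = 3
FC_WRITE_SINGLE_REGISTER = 6
FC_DIAGNOSTICS = 8
FC_WRITE_MULTIPLE_REGISTERS = 16
WRITE_CODES = {FC_WRITE_SINGLE_REGISTER, FC_WRITE_MULTIPLE_REGISTERS}


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    fc: int


def parse_flow(line: str) -> Flow:
    """Parse one 'ts src dst fc' record (constructed format for this example)."""
    ts, src, dst, fc = line.split()
    return Flow(int(ts), src, dst, int(fc))


def load_flows(text: str) -> list[Flow]:
    """Parse a block of records, skipping blank lines."""
    return [parse_flow(ln) for ln in text.splitlines() if ln.strip()]


def learn_baseline(flows: list[Flow]) -> set[tuple[str, str, int]]:
    """Baseline = every (src, dst, fc) triple seen during the learning window.

    Operator review of this set is assumed before it is trusted: a compromised
    host that was active during the window would be baselined as legitimate.
    """
    return {(f.src, f.dst, f.fc) for f in flows}


def detect(flows: list[Flow], baseline: set[tuple[str, str, int]]) -> list[tuple[Flow, str]]:
    """Return (flow, reason) for every request outside the baseline.

    Writes and diagnostics from unknown sources are the highest-value alerts
    because Modbus executes them for any client that can reach the PLC.
    """
    known_sources = {src for src, _, _ in baseline}
    alerts = []
    for f in flows:
        if (f.src, f.dst, f.fc) in baseline:
            continue
        if f.fc in WRITE_CODES:
            reason = "write from unbaselined source/target"
        elif f.fc == FC_DIAGNOSTICS:
            reason = "diagnostics from unbaselined source/target"
        elif f.src in known_sources:
            reason = "known source using new target or function code"
        else:
            reason = "new talker"
        alerts.append((f, reason))
    return alerts


# Constructed records. Learning window: the HMI at 10.0.1.10 polls and
# occasionally writes PLC 10.0.2.20; an engineering workstation at
# 10.0.1.11 polls PLC 10.0.2.21.
LEARNING_RECORDS = """
0   10.0.1.10 10.0.2.20 3
5   10.0.1.10 10.0.2.20 3
10  10.0.1.10 10.0.2.20 16
15  10.0.1.11 10.0.2.21 3
"""

# Constructed records. Live window: an unknown host 10.0.1.99 writes to and
# runs diagnostics on the PLC, and the HMI starts polling a PLC it never
# polled before. The remaining requests match the baseline.
LIVE_RECORDS = """
100 10.0.1.10 10.0.2.20 3
105 10.0.1.99 10.0.2.20 16
110 10.0.1.99 10.0.2.20 8
115 10.0.1.10 10.0.2.21 3
120 10.0.1.11 10.0.2.21 3
"""


def run_demo() -> list[tuple[Flow, str]]:
    """Learn from LEARNING_RECORDS, then report deviations in LIVE_RECORDS."""
    baseline = learn_baseline(load_flows(LEARNING_RECORDS))
    return detect(load_flows(LIVE_RECORDS), baseline)


if __name__ == "__main__":
    for flow, reason in run_demo():
        print(f"t={flow.ts:>4} {flow.src} -> {flow.dst} fc={flow.fc:<2} {reason}")
```

The design choice is deliberate: in an environment where availability is paramount, the detector only emits alerts for the SOC to triage, and the baseline is a reviewed artefact rather than a self-updating one. Scheduled maintenance from a new engineering laptop will show up as a "new talker", which is the intended behaviour; the fusion centre, not the sensor, decides whether that is a change ticket or an incident.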


Fusion Centre Core Components

1. Security Intelligence
2. Analytics and Cognitive Intelligence
3. Incident Response
4. Collaborative Threat Intelligence

(Diagram; the remaining labels read: Security Intelligence, Threat Intelligence, Persona Data, Analysis Platform.)


The Fusion Center allows collaboration within a common operating model

(Diagram; only the labels are recoverable.)

SOC Governance: Cyber-Security Command Center (CSCC); Executive Security Intelligence Briefings; Local Regulatory Security Oversight; SOC Governance; Consolidated Security Analytics & Dashboards; Local/Regulatory Intelligence Briefings

SOC Operations: Threat Monitoring; Threat Triage; Threat Response; Security Analytics; Security Intelligence; CSIRT Management; Projects and Admin Support

SOC Technology: SIEM; Ticketing & Workflow; SOC Automation Tools; Cognitive Analytics Tool; Big Data; Digital Use Case Library; Response Procedure Tool; Enterprise Security Tools

SOC Platform Components: integration tools should be used to integrate SOC platform components

SOC Data Sources: Structured Data; Semi-Structured Data; Unstructured Data; Reference Data

SOC Service Delivery: Management; Service Level Management; Operational Efficiency; Service Reporting; Escalation

IT / Corporate stakeholders: Corporate Business Units; Legal, Audit; IT Operations; Business Operations; Security Integration; Emergency Response; OT Operations

Legend: SOC; IT / Corp


Our point of view - establish security as an Immune System

(Diagram; security capabilities arranged around a Security Intelligence core.)

Domains: Threat Research; Endpoint; Advanced Fraud; Data; Mobile; Network; Applications; Identity and Access

Capabilities: Endpoint patching and management; Malware protection; Fraud protection; Criminal detection; Data access control; Data monitoring; Device management; Content security; Network visibility; Application security management; Access management; Identity management; Entitlements and roles; Application scanning; Virtual patching; Transaction protection; Log, flow and big data analysis; Anomaly detection; Vulnerability assessment; Incident and threat management; Sandboxing; Firewalls; Anti-virus

Core and delivery: Security Intelligence; Ecosystem Partners; Consulting Services; Managed Services


Then take the Immune System to OT


Q & A

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

FOLLOW US ON:

THANK YOU

