National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Call....
1. NATIONAL OIL COMPANIES CONFERENCE 2014
BEYOND THE HORIZON – MANAGING THE NEXT FRONTIER OF RISK
18-20 MARCH 2014
Evolving Cyber Security - A wake up call…
Shah H Sheikh
MEng CISSP CISA CISM CRISC CCSK
(shah@dts-solution.com)
Co-Founder / Sr. Security Consultant @ DTS Solution
INTERCONTINENTAL HOTEL FESTIVAL CITY, DUBAI
2. MARSH, 13 May 2014
Agenda
Evolving Cyber Security – A wake up call…
• Cyber Security Introduction and History…
• Cyber Security for SCADA / Critical Infrastructure and Enterprises
• Attacker and Actors Profile and Objectives
• Cyber Security Risk Management Framework
3. Cyber Security Introduction
• What is Cyber Security?
– Protection of mission and business critical assets in the form of logical security
controls (this is not physical security) to ensure no adverse impact of any kind to
the business.
• Why is it important?
– Globalized digital data – every organization holds digital information, many enterprises trade and carry out business transactions online, and each and every enterprise is connected to the internet in one form or another, so cyber security threats can materialize from external and internal boundaries. Critical infrastructure needs to be protected…
Many important government-level discussions in 2013 cited cyber attacks and digital spying as a major concern for national security…
4. Cyber Security Introduction
• Information Security Investment
– From luxury to necessity…
– The perception needs to change and must be driven at top management level, with clear governance and a steering committee.
• The future of Cyber Security and Risk…
– There is little doubt that the next arms race is cyber warfare…
– State-sponsored cyber attacks are commonplace and were very evident in 2013
– Financial reward makes organized cyber crime very prevalent
– Geo-political expression of opinion
– Ease of use and availability of attack tools
– … the list goes on …
7. Cyber Security in the Energy Sector
• Some Statistics….
– US ICS-CERT is the only organized public forum for Industrial Control Systems security (Computer Emergency Response Team)
– 18 critical infrastructure sectors identified by DHS
• A concerted effort is required amongst organizations and governments alike to increase awareness of cyber security across critical infrastructure…
8. Cyber Security in the Energy Sector
Source: ICS-CERT (256 reported security incidents) – how many go unreported?
9. Industrial Malware Timeline (2003 to 2013)
Slammer (2003)
– Davis-Besse Nuclear Plant
– Plant monitoring offline for 5-6 hours
Night Dragon (2009)
– Oil and gas majors
– Sensitive information stolen
Operation Aurora (2009-2010)
– APT
– Targets: hi-tech, defense, source code
– Originated from CN
Stuxnet (2010)
– USB infection
– Natanz facility
– Controller sabotage
DuQu (2011)
– Stuxnet variant
– Backdoor rootkit
Flame (2012)
– Keystroke logger
– Screenshots
– Cyber espionage
– Mainly in the Middle East
Mahdi (2012)
– Malicious PDF/PPT
– Cyber espionage
– Mainly in the Middle East
Shamoon (2012)
– Oil and gas in the GCC
– 30K+ devices wiped
Red October (2013)
– Malicious PDF/PPT
– Cyber espionage
– Swiss army knife of malware
Some of this malware is self-replicating and propagates (dropper and replicate, overwrite and wipe).
13. Critical Infrastructure / Energy Sector – Impact
• Can you imagine what can go wrong…
– Power blackout, contamination, loss in production
• http://www.securityincidents.org/ – global repository of industrial control security incidents
• Database of known ICS security incidents…
14. Critical Infrastructure / Energy Sector – Ease of Exploitation
• SCADA systems are “insecure by design”
– PLC / RTU with a non-hardened operating system
– Commercial off-the-shelf hardware
– Legacy industrial control protocols without authentication or authorization
– No form of confidentiality (no encryption)
– Security is still immature in SCADA / ICS networks, unlike the IT enterprise
• Control engineers and field operators have little understanding of cyber security
• Threats are multi-dimensional:
– Internet connectivity (www.shodanhq.com) – all kinds of SCADA systems, from HVAC to web cams
– 3rd party remote access
– Infected USB removable media
– Insecure SCADA devices (vulnerabilities)
– Enterprise IT business LAN connected to the control systems network – no air gap…
– Legacy Windows-based operating systems (XP, NT etc.) – highly vulnerable systems
15. DISCLAIMER – What is connected to the @ (Internet)?
Figure: device types shown as reachable from the Internet – webcams, H2O fuel cell, windfarms, HVAC / home automation (speakers), heat pump, emergency telco gear, massive coolers, stoplights / junctions.
16. Critical Infrastructure / Energy Sector – Ease of Exploitation
• Exploits readily available on the Internet – AppStore-style availability of vulnerability exploits against SCADA devices…
18. Security Threats on the Plant Floor
Figure: network zones from the Internet through the External Network, Office LAN and Plant Network down to the Control LAN, with the threat vectors that cross those boundaries:
– Infected laptops
– Infected remote support
– Mis-configured firewalls
– Unauthorized connections
– Modems
– 3rd party issues
– USB drives
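The two points above, legacy control protocols with no authentication or authorization and an Office LAN that reaches the control network through mis-configured firewalls or unauthorized connections, are what a passive monitor on the control network has to compensate for. The following Python script is an added example, not code from the presentation, DTS Solution or Marsh: it decodes Modbus/TCP requests (Modbus/TCP is assumed here as the concrete legacy protocol), maps each source address to one of the slide's zones, and raises an alert when a state-changing write command arrives from outside the Control LAN or from a host that is not an approved engineering workstation. The zone subnets, the allowlist and the captured frames are all constructed for the example.

```python
"""Passive monitor for an unauthenticated legacy control protocol (assumed: Modbus/TCP).

Constructed example: the zone subnets, the allowlist and the captured frames are
made up for illustration and are not taken from the presentation.
"""
import ipaddress
import struct
from dataclasses import dataclass

# Constructed zone addressing using the slide's zone names (assumption).
ZONES = {
    "Control LAN": ipaddress.ip_network("10.10.0.0/24"),
    "Plant Network": ipaddress.ip_network("10.20.0.0/24"),
    "Office LAN": ipaddress.ip_network("10.30.0.0/24"),
}

# Engineering workstations permitted to change PLC state (constructed allowlist).
WRITE_ALLOWLIST = {"10.10.0.5"}

# Function codes that alter process state. A legacy PLC executes them for any
# sender, so the authorization check has to live in the network monitor.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}
READ_FUNCTIONS = {
    0x01: "Read Coils",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_mbap(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header (transaction id, protocol id, length,
    unit id) plus the function code; raise ValueError on a malformed frame."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError(f"length field {length} disagrees with frame size")
    return ModbusRequest(tid, uid, frame[7], frame[8:])


def build_request(tid: int, uid: int, fc: int, data: bytes) -> bytes:
    """Encode a request frame (used here only to construct the sample capture)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def zone_of(ip: str) -> str:
    """Map a source address to a zone name; anything unmatched is 'External'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "External"


def assess(src_ip: str, frame: bytes) -> dict:
    """Classify one request as 'allow', 'alert' or 'malformed'."""
    try:
        req = parse_mbap(frame)
    except ValueError as exc:
        return {"src": src_ip, "verdict": "malformed", "reason": str(exc)}
    zone = zone_of(src_ip)
    fc = req.function_code
    name = WRITE_FUNCTIONS.get(fc) or READ_FUNCTIONS.get(fc, f"function 0x{fc:02x}")
    result = {"src": src_ip, "zone": zone, "function": name, "verdict": "allow"}
    if zone == "External":
        result.update(verdict="alert", reason="control protocol traffic from outside all plant zones")
    elif fc in WRITE_FUNCTIONS and zone != "Control LAN":
        result.update(verdict="alert", reason=f"{name} from {zone}; writes must originate in Control LAN")
    elif fc in WRITE_FUNCTIONS and src_ip not in WRITE_ALLOWLIST:
        result.update(verdict="alert", reason=f"{name} from non-allowlisted host {src_ip}")
    return result


# Constructed capture: (source IP, raw Modbus/TCP request) pairs.
CAPTURE = [
    ("10.10.0.5", build_request(1, 1, 0x03, struct.pack(">HH", 0, 10))),          # engineering read
    ("10.10.0.5", build_request(2, 1, 0x06, struct.pack(">HH", 0, 1))),           # engineering write
    ("10.30.0.77", build_request(3, 1, 0x05, struct.pack(">HH", 3, 0xFF00))),     # write from Office LAN
    ("10.10.0.9", build_request(4, 1, 0x10, struct.pack(">HHBH", 0, 1, 2, 500))), # write, host not allowlisted
    ("10.20.0.3", build_request(5, 1, 0x04, struct.pack(">HH", 0, 4))),           # historian read
    ("10.30.0.77", b"\x00\x06\x00\x01\x00\x06\x01\x03"),                          # wrong protocol id
]


def run(capture=CAPTURE) -> list:
    """Assess every captured request and return the verdicts in order."""
    return [assess(src, frame) for src, frame in capture]


if __name__ == "__main__":
    for result in run():
        print(result)
```

Reads are allowed from any plant zone so that historians and HMIs keep working, while writes are held to the stricter rule; in practice the verdicts would feed the SCADA SOC mentioned later in the deck rather than be printed.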
19. So how are we going to secure the critical infrastructure…
20. So how are we going to secure the critical infrastructure… (continued)
• Follow industry best practices in the security field
– Many different security standards and regulations exist for the ICS environment:
- ISA-99 / IEC-62443
- NERC-CIP
- NIST 800-82
- ISO27001:2013
– Begin by developing a Cyber Security Framework that incorporates risk management.
– Ensure the Cyber Security Framework is going to have top management level backing…
21. Establish a Cyber Security Governance Group
What is the role of a governance group?
• Strategic: setting the process control security policy and initiating the process control security programme.
• Tactical: implementing the process control security programme, providing process control security awareness and training advice, and monitoring policy and standards compliance. Setting and approving budgets.
• Operational: forming and liaising with the ICS Security Run & Maintain Team, which monitors, analyses and responds to alerts and incidents. Monitoring risk exposure.
Figure: governance model
– Inputs (business risks): threats, regulations/standards, technologies, business impact
– Definition & creation (governance group): operations, safety/risk, engineering, IT, regulatory, executive sponsor
– Output (deploy & manage): policies, standards, monitoring, awareness & training, continuity & response capability
22. Cyber Security - Policies, Standards and Compliance
Policies establish the boundaries for action and are driven by the business’ appetite for risk.
Policy statements communicate the following:
• Clear commitment to ICS security principles and practices, endorsed by senior leadership
• Clear statement of policy intent, to provide a basis for consistent decision-making and prioritization
Typical policy characteristics:
• Widespread application
• Change infrequently and are expressed in broad terms
• Are not technical documents
• Based on statements of “What” and/or “Why”
• Guide and determine present and future decisions
Policies should include:
• Statement of intent
• To what or whom the policy applies
• Who owns the policy
• The exception criteria process
23. Cyber Security - Policies, Standards and Compliance
Internal standards provide a consistent organizational interpretation to achieve the desired quality of the defined policy.
Typical standards characteristics:
• Narrow in application
• Change more frequently, due to implementation feedback or the system environment
• Described in detail, including some technical or vendor-specific detail
• Include statements of “How”, “When” and possibly “Who”
• Describe related processes
Standards documents should include:
• The policy statements to which the standard applies
• Intended audience
• To what or whom the standard applies
• Who owns the standard and information on the update cycle
• The exception criteria process
25. Asset Lifecycle Challenges specific to ICS Security:
• Capital projects
– Greenfield
• Existing assets
– Brownfield
• Contractors and suppliers
• Workforce development
• Raising cyber security awareness
26. Cyber Security – Embedding Security Technical Assurance in the Project Lifecycle
27. Contractors and Suppliers
• Develop standards and implementation guidelines for suppliers – especially important for 3rd party vendors
• Work with key suppliers to develop standard toolkits for future projects and upgrades
• Set high expectations for suppliers and contractually obligate them to successfully deliver a secure solution
29. Cyber Security Framework Development
• Security Policies Development
• Security Procedures and Standards Development
• Control System Asset Management
• Risk Assessment for ICS/SCADA
• Gap Analysis for ICS/SCADA
• Business Continuity Planning
• Incident Response Plan
• Security Architecture Blueprint
• Workforce Training and Development
• Security Controls Mapping to Industry Standards
• SCADA Network Traffic Analysis
• Security Operations Center (SOC) for SCADA