CRITICAL INFRASTRUCTURE PROTECTION… A LAYERED SECURITY SOLUTION FOR GAS/OIL AND POWER UTILITIES.

1 CRITICAL INFRASTRUCTURE PROTECTION… A LAYERED SECURITY SOLUTION FOR GAS/OIL AND POWER UTILITIES

2 CRITICAL INFRASTRUCTURE PROTECTION BACKGROUNDER

3 CIP Industry Overview – Energy Sector
- Regulated
- Large workforce
- 24x365 service delivery
- Sell across geographies
- Complex operational controls & business systems
Business demands:
- Profitability
- Environmental leadership
- Smart grid

4 Critical Infrastructure Concerns
- Passwords can be cracked in minutes
- Frequent password changes lead to help desk calls
- Existing physical access controls are broken
- Attacks target critical infrastructure
- Loss of revenue from an outage
- Impact to customers from an outage
- Malware attacks target SCADA devices with weak security
- Compliance with NERC CIP and the Presidential Executive Order
- Expense of annual compliance audits

5 CRITICAL INFRASTRUCTURE NETWORKS

6 Critical Infrastructure Networks (network diagram labels)
- Core Network
- Business Systems (HTTP etc. protocols)
- Industrial Control Systems (SCADA protocols)
- Field Systems
- External Access: Internet, Remote Access (VPN), Extended employee access, Other facilities, Smart Grid, ICS suppliers

7 Critical Infrastructure Cyber Security Vulnerabilities
"The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront."
February 12, 2013, Barack Obama, President of the United States

8 Increased need for connectivity between business and ICS systems

9 Desktop malware infection

10 Spear-phishing attacks

11 Internet-facing ICS systems

12 Physical access controls

13 Malware Is Focused On Stealing Money and IP and Disrupting Infrastructures
- Physical Intrusions
- SQL Injection: identity stolen through injected fields
- MITB / MITM / DDoS: integrity attack, appears as the real identity
- Session Riding / Token Stealing: identity integrity is compromised
- DNS Poisoning: URL identity is compromised
- ZITMO / MITMO: compromising mobile SMS, photos & contacts
- Key Logging: identity & actions compromised
Stealing and compromising DIGITAL IDENTITY is their key to doing that.
Traditional antivirus and perimeter solutions are necessary but ineffective.

14 REGULATORY COMPLIANCE

15 Cybersecurity is One of the Top Standing Issues facing the Electric Sector over the Next 10 Years

16 Federal Energy Regulatory Commission (FERC) & North American Electric Reliability Corporation (NERC)
FERC:
- Oversees the US interstate transmission and pricing of a variety of energy resources, including electricity, natural gas and oil
- Named NERC as the government's Electric Reliability Organization (ERO), thereby granting NERC the power to oversee and regulate the electrical market
NERC:
- Is the organization that audits power companies and levies fines for non-compliance
- Oversees and regulates the reliability of the North American electrical grids
- "Has the legal authority to enforce reliability standards…in the United States, and make compliance with those standards mandatory and enforceable."

17 NERC CIP and Identity Based Security
- CIP-001: Sabotage Reporting
- CIP-002: Critical Cyber Asset Identification
- CIP-003: Security Management Controls
- CIP-004: Personnel and Training
- CIP-005: Electronic Security Perimeters
- CIP-006: Physical Security (of Critical Cyber Assets)
- CIP-007: Systems Security Management
- CIP-008: Incident Reporting and Response Planning
- CIP-009: Recovery Plans (for Critical Cyber Assets)
- CIP-010: Configuration Change Management and Vulnerability Assessments
- CIP-011: Information Protection
Identity-based security capabilities mapped to these standards:
- Credential issuance & revocation
- User and device authentication
- Physical access control
- Credential management workflow & roles
- Audit controls
- Credential strength

18 Identity Based Security Solution checklist for Critical Infrastructure Protection
- Strong authentication for both physical and logical systems: people; devices (PC, mobile); applications; physical access
- Flexible authenticator support: different types of authenticators (use cases are not homogeneous); easily change out authenticators if a compromise occurs
- Streamlined credential management: across all systems; supports roles and separation of duties; supports reports and audit trails
- Capabilities to defeat advanced malware-based attacks
- Address deployment considerations: users need easy provisioning, easy use and easy self-recovery; IT needs integration with current business systems
- Modular architecture that will grow and expand as threats and compliance needs evolve

19 WHAT DOES THIS MEAN FOR CRITICAL INFRASTRUCTURE ORGANIZATIONS

20 Layered Security for CIP
1. Remote access two-factor
2. Strong authentication for System Administrators
3. Strong authentication for Employees
4. Secure critical information and communications with encryption
5. SCADA command transaction approval

21 1. Remote Access
Utilities must protect network access, as a breach can be severe; require multi-factor authentication.
Passwords:
- Usability: many passwords to remember, frequent changes
- Insecure / easily compromised
Must seamlessly integrate into the existing IT environment: VPN, workstation, directories, physical access.
CIP R2.3: Require multi-factor authentication for all Interactive Remote Access sessions

22 2. Administrator Strong Authentication / Dual Identities
- Prevent pass-the-hash attacks against Administrators by providing two separate identities (credentials): one for corporate access and another for server domain access
- Mitigate the pass-the-hash threat by the Administrator not using corporate credentials for server domain access
(Diagram labels: Hash, Corporate Access, Domain Access)

23 3. Employee Physical / Logical Security
Electronic Perimeter:
- NIST certified
- Eliminates CIP-007 password complexity requirement
- No password changes
- One-time password as well
- Simultaneous support for legacy & new systems
- SAML
Physical Perimeter:
- CIP-006 defense in depth* combining card with PIN & biometrics
* FERC Order No. 706, Paragraph 572

24 4. Securing critical communications (architecture diagram labels)
- Deployment flexibility: Entrust EMS Server, optional content scanner
- Sending flexibility: Internet, Secure PDF, Web Mail pull / push, ad hoc Web push, S/MIME Gateway, S/MIME, OpenPGP
- Delivery flexibility: Web Mail pull, S/MIME
- Mobile flexibility
- Other components: IDG, Auth. Portal, Auth. PKI, SAN / NFS, Archive, AV / AS, Statement Gen., Alarms / SNMP

25 5. Critical Transaction Monitoring
1. User initiates an online transaction (from a desktop that may be compromised with malware). Web transactions can be: network access, application access, critical transactions, SCADA controls under investigation.
2. Notification is sent out of band by the Authentication Platform.
3. Transaction details are retrieved over a secure connection; the user reviews the transaction on phone / tablet.
4. Transaction is digitally signed and confirmed from mobile (X.509).
5. Transaction is completed and identity assured.

26 5. Critical Transaction Monitoring with Dual Controls
- Dual controls require a second user to approve a transaction (AKA: maker / checker; dual approvers; dual signatures)
- Identity of two distinct approvers is assured: both initiator and approver
- Transaction confirmation on mobile dramatically simplifies dual controls: real-time notification to the approver; simple approval on the mobile device (can be digitally signed); speeds up transaction completion
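The out-of-band confirmation flow of slide 25 and the dual-control rule of slide 26, as an added example that is not part of this deck or of any Entrust product. It assumes constructed per-device HMAC keys in place of the X.509 credentials the deck describes, so it runs with the Python standard library alone; the class and function names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-user device keys (assumption). The deck signs confirmations with X.509
# credentials on the mobile device; this stdlib-only example substitutes per-device HMAC
# keys shared with the authentication platform, so a "signature" here is an HMAC tag.
DEVICE_KEYS = {name: secrets.token_bytes(32) for name in ("maker", "checker")}


def canonical(details):
    """Canonical encoding: the signed bytes must be exactly what the approver reviewed."""
    return json.dumps(details, sort_keys=True, separators=(",", ":")).encode()


def mobile_confirm(user, details):
    """Out-of-band confirmation produced on the user's mobile over the reviewed details."""
    return hmac.new(DEVICE_KEYS[user], canonical(details), hashlib.sha256).hexdigest()


class CriticalTransaction:
    """A SCADA command awaiting identity-assured, dual-control approval."""

    def __init__(self, tx_id, initiator, command):
        # What the platform actually received (possibly altered by desktop malware).
        self.details = {"tx_id": tx_id, "initiator": initiator, "command": command}
        self.confirmations = {}  # user -> verified confirmation tag

    def submit_confirmation(self, user, tag):
        """Accept a mobile confirmation only if it verifies over the stored details."""
        if user not in DEVICE_KEYS:
            return False  # unknown device / identity
        expected = mobile_confirm(user, self.details)
        if not hmac.compare_digest(expected, tag):
            return False  # details differ from what the user reviewed, or wrong key
        self.confirmations[user] = tag
        return True

    def is_authorized(self):
        """Dual control: the initiator confirmed AND a distinct second identity approved."""
        initiator = self.details["initiator"]
        if initiator not in self.confirmations:
            return False
        return any(user != initiator for user in self.confirmations)
```

A command altered after the user reviewed it on the phone fails verification, and a single identity confirming twice never satisfies the dual-control check.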

27 Look for an Identity Based Security Solution that…
- Secures digital identities and information across the organization
- Provides the agility to quickly and easily modify policies or authenticators on the fly
- Offers deployment flexibility to tie into your IT systems and business
- Is future-proof, growing with your business needs

28 THANK YOU