Technologies 1 CyberSecurity. Proprietary Information Of Energy 2013 Facilities System Integration for Optimized Energy, Safety, and Comfort It’s Not.


1 Technologies 1 CyberSecurity

2 Proprietary Information Of Energy 2013
Facilities System Integration for Optimized Energy, Safety, and Comfort: It’s Not Just Temperature Controls Anymore!
CyberSecurity 101: Basics on securing your data
Gary Seifert, PE, Business Development, OSIsoft
Mark McCoy, Federal Solutions Architect, OSIsoft, LLC

3 Overview
– Industrial Control Systems (ICS): essential for control and mission, but susceptible.
– Cyber threats: how power generation systems (prime, standby, and alternate generation plants) can be compromised by cyber-attacks
– COTS (Commercial off the Shelf) products that are available to protect the generation systems
– Potential opportunities, even in the shadow of federal budget limits and sequestration

4 Power Systems
– Energy Surety and Sustainability: key drivers
– DSB 2008 Summer Study identified the linkage between generation and energy surety
– Presidential Executive Order – “Improving Critical Infrastructure Cybersecurity”
– Conventional and renewable energy important
– All power systems have Industrial Control Systems (ICS)
– But, are power system ICS secure?

5 Federal Requirements
– Federal Information Security Management Act (FISMA)
– Connectivity IAW DoD Information Assurance Certification and Acceptance Program (DIACAP)
– Network Worthiness of Information Technology
– And ……
– Every facility will have specific requirements and specific certification processes to comply with
– But: do not fall into the trap of allowing the certification to become the goal, rather than the true goal – “Secure usable ICS critical infrastructure”.

6 Industrial Control Systems – ICS
Distributed Control System (DCS) and Process Control Systems (PCS):
– A group of computers and/or smart field devices networked together to monitor and control industrial processes with direct feedback control.
– Control systems operate in near real time and are used in critical sectors such as Power Generation, Oil & Gas Refining, Water Treatment, Chemical, etc.
– May consist of BMI, PLCs, stand-alone power electronics controllers, microgrid controllers, Substation Automation systems
Supervisory Control and Data Acquisition (SCADA) system:
– Normally applied to systems connected to devices over a larger area, including multiple buildings or even many miles away.
– Operative word is Supervisory; used in critical sectors such as Electrical Transmission & Distribution, Oil & Gas Pipelines, Water/Sewer, and Transportation.

7 Critical Industrial Mission Infrastructure

8 Power System ICS Footprint
– Generator Control Systems
– SmartGrid Control and Automation Systems
– Utility Monitoring and Control Systems
– Supervisory Control and Data Acquisition (SCADA) Systems
– Transmission and Distribution
– Fuel Management Systems
– Power Quality and UPS Systems
– Renewable Energy Control Systems
– And More…….

9 Cyber Threat Sources
– National Governments
– Terrorists
– Industrial Spies and Organized Crime Groups
– Hacktivists
– Hackers
Note: We no longer have days after infection to respond; current trends are minutes after infection to propagate!

10 Why Me?
“in a recent presentation (October 2012), Panetta noted that the simple Shamoon worm was the most sophisticated attack seen in the business sector, and that on the same day it also struck Rasgas, Qatar’s natural gas firm” report-panetta-warns-of-threat-of-cyberattack-on-u-s/
Most people believe it will happen to others
Classic threats:
– Insiders
– Disgruntled employees
– Disgruntled contractor
– Active agencies
– Competitors
– Organized crime
– Others

11 It’s Real
“We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.” Tom Donahue, the CIA's top cybersecurity analyst. Quote taken from SANS NewsBites, January 18, 2008.
– Stuxnet Worm Targets PCS PLC system 2010, Duqu, Flame, Shamoon, and Gauss follow
– The first worm specifically targeting control systems. %20USB%20Malware%20Targeting%20Siemens%20Control%20Software%20-%20Update%20B.pdf

12 What Can We Do?
– System Assessment (Know your ICS Perimeter)
– Restrict Logical Access to the ICS network
  o Develop Defense in Depth methodology
– Restrict Physical Access to ICS Networks and Devices
– Protect ICS Devices from Exploitation
– Address Functionality During Adverse Conditions
– Address Restoration after the Incident is Over
– NIST is a good starting point
Because many legacy ICS systems are not secure, your systems will end up with a crunchy tough exterior containing your chewy ICS systems.

13 Resources
– Australia Department of Defense has issued specific guidelines for ICS Protection
  o Their top 4 Mitigations that prevent 85+% of all intrusions.
  o Their summary report
– NIST Guidelines (Future Cyber Framework and Risk Framework guidelines to follow)
– DHS ICS recommended Guidelines: cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf
– TBD – NIST ICS Cyber Framework

14 Commercial off the Shelf Solutions
– Network security: firewalls, DMZ implementations, whitelisted connections, whitelisting applications, etc.
– Secure Internet services
– Using systems that have gone through third-party audits, such as the INL process
– Upgrading legacy ICS systems
– Upgrading operating systems and developing systems that can be patched
– Packet inspection (where possible)
– Secure ICS planning and design services
– Third-party audits

15 Potential opportunities, even in the shadow of federal budget limits and sequestration

16 Summary
– Control Systems permeate our environment.
– All control systems are at risk.
– Awareness is KEY!
– Know your risk, manage your risk!
– It is ok to take baby steps!
– It is not ok to wait to take the first step, small or large!
– There are solutions, seek them out and apply them!

17 So, are SCADAs Vulnerable?
At first review, maybe this looks OK!

18 After a little more review…..

19 And a little deeper review…
Direct connection of SCADA to business system is a concern

20 After more review
Even with another Firewall, Back Doors are Still Open
Vulnerable? Yes!

21 Operator Workstation Compromised: Full SCADA Control

22 Man-in-the-Middle Attack

23 Utility Control System Network Internet Attack – Remote Workstation Remote Workstation Compromised – DMZ Attack WEB Server Compromised – SCADA LAN Attack FEP Compromised, RTU Control

24 Best Practices: DMZ with Two Firewalls
[Diagram labels: Corporate Domain; DMZ; Control Network; Protected Domain; Control/PLC Devices; OS; Applications; Data Collector; TCP; Web Apps]

25 Best Practices: Data Diode
[Diagram labels: Corporate Domain; Enforcement Zone; Control Network; Protected Domain; Control/PLC Devices; OS; Applications; Data Collector; Web Apps]
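The zone separation on slides 24 and 25, as an added example that is not part of the original presentation: a Python check over a firewall rule list that flags flows crossing directly between the Corporate Domain and the Control Network, and, in data-diode mode, any flow into the Control Network. Zone names follow the slides; the rule format, ports and notes are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Zone names follow slides 24-25; the rule model is an assumption.
CORPORATE, DMZ, CONTROL = "corporate", "dmz", "control"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int
    note: str = ""

def audit(rules, data_diode=False):
    """Return (rule, reason) pairs for flows that break the zone model.

    Two-firewall DMZ: corporate and control may each talk to the DMZ,
    never directly to each other.
    Data diode: additionally, nothing may flow into the control zone.
    """
    findings = []
    for r in rules:
        if {r.src_zone, r.dst_zone} == {CORPORATE, CONTROL}:
            findings.append((r, "direct corporate<->control flow bypasses DMZ"))
        elif data_diode and r.dst_zone == CONTROL and r.src_zone != CONTROL:
            findings.append((r, "inbound flow to control zone violates diode"))
    return findings

# Constructed sample rule set (not taken from any real site).
SAMPLE_RULES = [
    Rule(CONTROL, DMZ, 5450, "data collector pushes to DMZ server"),
    Rule(CORPORATE, DMZ, 443, "business users read web apps in DMZ"),
    Rule(CORPORATE, CONTROL, 3389, "remote desktop to operator workstation"),
    Rule(DMZ, CONTROL, 502, "DMZ server polls PLC directly"),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("data diode" if mode else "two-firewall DMZ")
        for rule, reason in audit(SAMPLE_RULES, data_diode=mode):
            print(f"  {rule.src_zone}->{rule.dst_zone}:{rule.port}  {reason}")
```

The DMZ-to-control polling rule passes the two-firewall check but fails the diode check, which is the practical difference between the two slides: a diode removes every inbound path, not only the direct corporate one.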

26 Questions? (208) (540)

27 Backup Slides

28 COTS (Commercial off the Shelf) Products that are available to protect power generation and distribution systems

29 Smart Distribution
– Network Protectors
– Protective Relays
– Power Distribution
– Substation Automation
Solutions for both above-ground and vault applications to help utilities provide a more reliable, and safer, power distribution network
– Market Leadership in NA Power Distribution markets
– Extensive Utility offering at Generation facilities
– Turnkey substation automation capabilities via EESS

30 Smart Buildings
– Metering and Communications
– Lighting Control Systems
– Variable Speed Drives
– Power Quality Solutions
Not only energy-saving products, but also products that aid in localized power control and monitoring, situational awareness
– Broad metering, lighting control, VFD and PQ offerings
– Complete facility energy offering including demand response, RCx, audits, turnkey installations

31 Smart Factories
– Metering, Relays, Communications
– Variable Speed Drives
– Power Distribution
– Control and Automation
– Energy Services
Control, automation and power distribution products and services designed to help factories optimize operations and energy use
– Market leading Power Distribution, Power Quality and Control offerings.
– Complete facility energy offering including demand response, RCx, audits, turnkey installations

32 Recommended Practice Network Design
Reference: US-CERT “Recommended Best Practice: Defense in Depth”

33 Agenda
– Stuxnet
– BGP attack (2010): 15% of internet traffic routed to China. “Among traffic rerouted via China was that destined for... the US Senate, the Office of the Secretary of Defence, Nasa and the Commerce Department.”
– Project Aurora

34 Architectures
– Whitelisting
– Upgrade software
– Upgrade OS
– Least Privileges

35 Anti-virus used to help 10 years ago, but hackers write code faster than antivirus companies can protect.
– Essentially blacklisting.
– Still good.
– Didn’t help Stuxnet.
– Operation Red October

36 What can you do?
– Does your software provider use a Security Development Lifecycle (SDL)?
– 64-bit OS is more secure than 32-bit (in general). More address space
– Windows Core

