National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Call....

Shah Sheikh - Presentation at the National Oil Conference 2014 in Dubai organized by Marsh. Evolving Cyber Security - A Wake Up Call.....


    Presentation Transcript

    • NATIONAL OIL COMPANIES CONFERENCE 2014: BEYOND THE HORIZON – MANAGING THE NEXT FRONTIER OF RISK, 18-20 MARCH 2014, INTERCONTINENTAL HOTEL FESTIVAL CITY, DUBAI
      Evolving Cyber Security - A wake up call…
      Shah H Sheikh MEng CISSP CISA CISM CRISC CCSK (shah@dts-solution.com), Co-Founder / Sr. Security Consultant @ DTS Solution
    • MARSH, 13 May 2014. Agenda: Evolving Cyber Security – A wake up call…
      • Cyber Security Introduction and History
      • Cyber Security for SCADA / Critical Infrastructure and Enterprises
      • Attacker and Actors Profile and Objectives
      • Cyber Security Risk Management Framework
    • Cyber Security Introduction
      • What is Cyber Security?
        – Protection of mission- and business-critical assets through logical security controls (this is not physical security) to ensure no adverse impact of any kind to the business.
      • Why is it important?
        – Globalized digital data: every organization holds digital information, many enterprises trade and carry out business transactions online, and every enterprise is connected to the Internet in one form or another. Cyber security threats can materialize from both external and internal boundaries.
      • Critical infrastructure needs to be protected.
      • Many important government-level discussions in 2013 cited cyber attacks and digital spying as a major concern for national security.
    • Cyber Security Introduction
      • Information Security Investment: From Luxury to Necessity
        – The perception needs to change, driven at top management level with clear governance and a steering committee.
      • The future of Cyber Security and Risk
        – There is little doubt that the race for arms is cyber warfare
        – State-sponsored cyber attacks are commonplace and were very evident in 2013
        – Financial reward makes organized cyber crime very prevalent
        – Geo-political expression of opinion
        – Ease of attack tools and availability
        – … the list goes on …
    • Cyber Security Threat Landscape – (R)evolution (figure)
    • Cyber Security Threat Landscape – Sophistication of Attacks (figure)
    • Cyber Security in the Energy Sector
      • Some statistics:
        – US ICS-CERT is the only organized public forum for Industrial Control Systems Security – Computer Emergency Response Team
        – 18 x Critical Infrastructure Sectors identified by DHS
      • A concerted effort is required among organizations and governments alike to increase awareness of cyber security across critical infrastructure.
    • Cyber Security in the Energy Sector (chart)
      Source: ICS-CERT (256 reported security incidents) – how many go unreported?
    • Industrial Malware Timeline (figure; timeline axis: 2003, 2009, 2010, 2011, 2012, 2013)
      • Slammer: Davis-Besse Nuclear Plant; plant monitoring offline for 5-6 hours
      • Night Dragon: Oil and Gas majors; sensitive information stolen
      • Stuxnet: USB infection; Natanz facility; controller sabotage
      • Shamoon: Oil and Gas in GCC; 30K+ devices wiped
      • DuQu: Stuxnet variant; backdoor rootkit
      • Flame: keystroke logger; screenshot; cyber espionage; mainly in Middle East
      • Mahdi: malicious PDF/PPT; cyber espionage; mainly in Middle East
      • Red October: malicious PDF/PPT; cyber espionage; Swiss knife of malware
      • Operation Aurora: APT; targeted hi-tech and defense; source code; originated from CN
      Some malware is self-replicating and propagates (dropper and replicate, overwrite and wipe).
    • Industrial Malware Geo-Infections: STUXNET, FLAME (maps). Source: Kaspersky Labs
    • Industrial Malware Geo-Infections (figure)
    • Critical Infrastructure / Energy Sector – Security Attacks on SCADA Networks (figure)
    • Critical Infrastructure / Energy Sector – Impact
      • Can you imagine what can go wrong? Power Blackout, Contamination, Loss in Production
      • http://www.securityincidents.org/ – global repository of industrial control security incidents
      • Database of known ICS security incidents
    • Critical Infrastructure / Energy Sector – Ease of Exploitation
      • SCADA systems are “insecure by design”
        – PLC / RTU run non-hardened operating systems
        – Commercial off-the-shelf hardware
        – Legacy industrial control protocols without authentication or authorization
        – No form of confidentiality (encryption)
        – Security is still immature in SCADA / ICS networks, unlike enterprise IT
      • Control engineers and field operators have little understanding of cyber security
      • Threats are multi-dimensional:
        – Internet connectivity (www.shodanhq.com): all kinds of SCADA systems, from HVAC to web cams
        – 3rd party remote access
        – Infected USB removable media
        – Insecure SCADA devices (vulnerabilities)
        – Enterprise IT business LAN connected to the control systems network, with no air gap
        – Legacy Windows-based operating systems (XP, NT etc.), which are highly vulnerable
    • Critical Infrastructure / Energy Sector – Ease of Exploitation
      • Exploits readily available on the Internet
        – AppStore-style availability of vulnerability exploits against SCADA devices
    • Critical Infrastructure – Enterprise and Process Control Network Convergence (figure)
    • Security Threats on the Plant Floor (network diagram)
      • Network zones: Internet, External Network, Office LAN, Plant Network, Control LAN
      • Threats: Infected Laptops, Infected Remote Support, Mis-Configured Firewalls, Unauthorized Connections, Modems, 3rd Party Issues, USB Drives
    • So how are we going to secure the critical infrastructure?
    • So how are we going to secure the critical infrastructure?
      • Follow industry best practices in the security field
        – Many different security standards and regulations exist for the ICS environment:
          - ISA-99 / IEC-62443
          - NERC-CIP
          - NIST 800-82
          - ISO27001:2013
        – Begin by developing a Cyber Security Framework that incorporates Risk Management.
        – Ensure the Cyber Security Framework has top management level backing.
    • Establish a Cyber Security Governance Group
      What is the role of a governance group?
      • Strategic: setting the process control security policy and initiating the process control security programme.
      • Tactical: implementing the process control security programme; providing process control security awareness and training advice; policy and standards compliance monitoring; setting and approving budgets.
      • Operational: forming and liaising with the ICS Security Run & Maintain Team, which monitors, analyses and responds to alerts and incidents; monitoring risk exposure.
      Governance model (diagram):
      • Inputs: Business Risks, Threats, Regulations/Standards, Technologies, Business Impact
      • Definition & Creation (Governance Group): Operations, Safety/Risk, Engineering, IT, Regulatory, Exec Sponsor
      • Output (Deploy & Manage): Policies, Standards, Monitoring; Awareness & Training; Continuity & Response Capability
    • Cyber Security - Policies, Standards and Compliance
      Policies establish the boundaries for action and are driven by the business’ appetite for risk.
      • Policy statements communicate the following:
        – Clear commitment to ICS security principles and practices endorsed by senior leadership
        – Clear statement of policy intent to provide a basis for consistent decision-making and prioritization
      • Typical policy characteristics:
        – Widespread application
        – Change infrequently and are expressed in broad terms
        – Are not technical documents
        – Based on statements of “What” and/or “Why”
        – Guide and determine present and future decisions
      • Policies should include:
        – Statement of intent
        – To what or whom the policy applies
        – Who owns the policy
        – The exception criteria process
    • Cyber Security - Policies, Standards and Compliance
      Internal standards provide a consistent organizational interpretation to achieve the desired quality of the defined policy.
      • Typical standards characteristics:
        – Narrow in application
        – Change more frequently due to implementation feedback or system environment
        – Described in detail, including some technical or vendor-specific detail
        – Include statements of “How”, “When” and possibly “Who”
        – Describe related processes
      • Standards documents should include:
        – The policy statements to which the standards apply
        – Intended audience
        – To what or whom the standard applies
        – Who owns the standard and information on the update cycle
        – The exception criteria process
    • Cyber Security – Risk Assessment Methodologies (figure)
    • Asset Lifecycle Challenges specific to ICS Security:
      • Capital projects
      • Greenfield
      • Existing assets
      • Brownfield
      • Contractors and suppliers
      • Workforce Development
      • Raising Cyber Security Awareness
    • Cyber Security – Embedding Security Technical Assurance in Project Lifecycle (figure)
    • Contractors and Suppliers
      • Develop standards and implementation guidelines for suppliers – especially important for 3rd party vendors
      • Work with key suppliers to develop standard toolkits for future projects and upgrades
      • Set high expectations for suppliers and contractually obligate them to successfully deliver a secure solution
    • Cyber Security Project Assurance Levels (figure)
    • Cyber Security Framework Development
      • Security Policies Development
      • Security Procedures and Standards Development
      • Control System Asset Management
      • Risk Assessment for ICS/SCADA
      • Gap Analysis for ICS/SCADA
      • Business Continuity Planning
      • Incident Response Plan
      • Security Architecture Blueprint
      • Workforce Training and Development
      • Security Controls Mapping to Industry Standards
      • SCADA Network Traffic Analysis
      • Security Operations Center (SOC) for SCADA
    • Cyber Security Operations Center (figure)
    • Technical Cyber Security Implementation
      • Security Architecture Review and Re-Engineering
      • Network Segmentation
      • Security Zoning and Conduits
      • One Way Diode Firewall
      • Overlay Encryption
      • Patch Management
      • Endpoint Security
      • Application Whitelisting
      • Vulnerability Management for Control System
      • SIEM for the ICS/SCADA Environment
      • 3rd Party Remote Access
    • Registered in England and Wales Number: 1507274, Registered Office: 1 Tower Place West, Tower Place, London EC3R 5BU. Marsh Ltd is authorised and regulated by the Financial Conduct Authority.