National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Call....

3,146 views
2,632 views

Published on

Shah Sheikh - Presentation at the National Oil Conference 2014 in Dubai organized by Marsh. Evolving Cyber Security - A Wake Up Call.....

Published in: Technology

National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Call....

  1. 1. NATIONAL OIL COMPANIES CONFERENCE 2014 BEYOND THE HORIZON – MANAGING THE NEXT FRONTIER OF RISK 18-20 MARCH 2014 Evolving Cyber Security - A wake up call… Shah H Sheikh MEng CISSP CISA CISM CRISC CCSK (shah@dts-solution.com) Co-Founder / Sr. Security Consultant @ DTS Solution INTERCONTINENTAL HOTEL FESTIVAL CITY, DUBAI
  2. 2. MARSH 113 May 2014 Agenda Evolving Cyber Security – A wake up call …. • Cyber Security Introduction and History… • Cyber Security for SCADA / Critical Infrastructure and Enterprises • Attacker and Actors Profile and Objectives • Cyber Security Risk Management Framework
  3. 3. MARSH Cyber Security Introduction • What is Cyber Security? – Protection of mission and business critical assets in the form of logical security controls (this is not physical security) to ensure no adverse impact of any kind to the business. • Why is it important? – Globalized Digital Data – Every organization has digital information data, many enterprises trade and carry business transactions online, each and every enterprise is connected to the internet in one form or another – cyber security threats can materialize from external and internal boundaries. Critical Infrastructure needs to be protected…. Many important government level discussions in 2013 cited Cyber Attacks and Digital Spying as a major concern for national security … 213 May 2014
  4. 4. MARSH Cyber Security Introduction • Information Security Investment – From Luxury to Necessity … – The perception needs to change and needs to be driven at top management level with clear governance and steering committee. • The future of Cyber Security and Risk…. – There is little doubt that the race for arms is cyber warfare… – State sponsored cyber attacks are a common place and very evident in Y2013 – Financial reward makes organized Cyber Crime very prevalent – Geo-Political Expression of Opinion – Ease of Attack Tools and Availability – …. The list goes on …… 313 May 2014
  5. 5. MARSH Cyber Security Threat Landscape – (R) evolution….. 413 May 2014
  6. 6. MARSH Cyber Security Threat Landscape – Sophistication of Attacks 513 May 2014
  7. 7. MARSH Cyber Security in the Energy Sector 613 May 2014 • Some Statistics…. – US ICS-CERT is the only organized public forum for Industrial Control Systems Security – Computer Emergency Response Team – 18 x Critical Infrastructure Sectors Identified by DHS • Concerted effort is required amongst organizations and governments alike to increase awareness of cyber security across critical infrastructure…..
  8. 8. MARSH Cyber Security in the Energy Sector 713 May 2014 Source: ICS-CERT (256 reported security incidents) – how many go unreported 
  9. 9. MARSH ….. Industrial Malware Timeline ….. 813 May 2014 Slammer •Davis-Besse Nuclear Plant •Plant monitoring offline for 5-6 hours Night Dragon •Oil and Gas Majors •Sensitive Information Stolen Stuxnet •USB infection •Natanz Facility •Controller Sabotage 2003 2009 2010 Shamoon •Oil and Gas in GCC •30K+ Devices Wiped 20122011 DuQu •Stuxnet Variant •Backdoor Rootkit Flame •Keystroke Logger •Screenshot •Cyber Espionage •Mainly in Middle East Some Malware Self-Replicating and Propagates….. (dropper and replicate, overwrite and wipe) Mahdi •Malicious PDF/PPT •Cyber Espionage •Mainly in Middle East Red October •Malicious PDF/PPT •Cyber Espionage •Swiss Knife of Malware 2013 Operations Aurora •APT •Target Hi-Tech •Defense •Source Code •Originated from CN
  10. 10. MARSH …. Industrial Malware Geo-Infections …. 913 May 2014 STUXNET FLAME Source: Kaspersky Labs
  11. 11. MARSH …. Industrial Malware Geo-Infections …. 1013 May 2014
  12. 12. MARSH Critical Infrastructure / Energy Sector – Security Attacks on SCADA Networks 1113 May 2014
  13. 13. MARSH Critical Infrastructure / Energy Sector – Impact 1213 May 2014 • Can you imagine what can go wrong…. Power Blackout Contamination Loss in Production • http://www.securityincidents.org/ - global repository of industrial control security incidents. • Database of known ICS security incidents …
  14. 14. MARSH Critical Infrastructure / Energy Sector – Ease of Exploitation 1313 May 2014 • SCADA Systems are “in-secure by design” – PLC / RTU non-hardened Operative System – Commercial of the Shelf Hardware – Legacy Industrial Control Protocols without authentication or authorization – No form of confidentiality – encryption – Security is still immature in SCADA / ICS networks unlike IT Enterprise • Control Engineers and Field Operators have little understanding of Cyber Security • Threats are multi-dimensional; – Internet Connectivity (www.shodanhq.com) all kinds of SCADA systems from HVAC to Web Cams – 3rd Party Remote Access – USB Infected Removable Media – Insecure SCADA devices (vulnerabilities) – Enterprise IT Business LAN connected to Control Systems Network – no air gap… – Legacy Windows Based Operating System (XP, NT etc…) – highly vulnerable systems
  15. 15. MARSH DISCLAIMER – What is connected to the @ 1413 May 2014 WEBCAMS H2O FUEL CELL WINDFARMS HVAC / HOME AUTOMATION (SPEAKERS) HEAT PUMP EMERGENCY TELCO GEAR MASSIVE COOLERS STOPLIGHTS / JUNCTIONS
  16. 16. MARSH • Exploits readily available on the Internet – AppStore style availability of vulnerability exploits against SCADA devices….. 1513 May 2014 Critical Infrastructure / Energy Sector – Ease of Exploitation
  17. 17. MARSH Critical Infrastructure – Enterprise and Process Control Network Convergence 1613 May 2014
  18. 18. MARSH 17 External Network Control LAN Plant Network Office LAN Internet  Infected Laptops Infected Remote Support  Mis-Configured Firewalls  Unauthorized Connections  Modems   3rd Party Issues USB Drives  Security Threats on the Plant Floor
  19. 19. MARSH So how are we going to secure the critical infrastructure…. 1813 May 2014
  20. 20. MARSH So how are we going to secure the critical infrastructure…. • Follow Industry Best Practices in the Security Field – Many different Security Standards and Regulations exist for the ICS environment; - ISA-99 / IEC-62443 - NERC-CIP - NIST 800-82 - ISO27001:2013 – Begin by developing a Cyber Security Framework that incorporate Risk Management into this. – Ensure the Cyber Security Framework is going to have top management level backing….. 1913 May 2014
  21. 21. MARSH Establish a Cyber Security Governance Group 2013 May 2014 What is the role of a governance group? • Strategic: setting the process control security policy and initiating the process control security programme. • Tactical: implement the process control security programme, provide process control security awareness and training advice, and policy and standards compliance monitoring. Setting and approving budgets. • Operational: forming and liaising with the ICS Security Run & Maintain Team which monitors, analyses and responds to alerts and incidents. Monitoring risk exposure. Output – Deploy & Manage Policies, Standards, Monitoring Awareness & Training Continuity & Response Capability Definition & Creation - Governance Group Operations Safety/Risk Engineering IT Regulatory Exec Sponsor Inputs - Business Risks Threats Regulations/Standards Technologies Business Impact
  22. 22. MARSH Cyber Security - Policies, Standards and Compliance 2113 May 2014 Policies establishes the boundaries for action and is driven by the business’ appetite for risk Policy statements communicate the following: • Clear commitment to ICS security principals and practices endorsed by senior leadership • Clear statement of policy intent to provide a basis for consistent decision-making and prioritization Typical policy characteristics : • Widespread application • Change infrequently and expressed in broad terms • Are not technical documents • Based on statements of “What” and/or “Why” • Guide and determine present and future decisions Policies should include: • Statement of intent • To what or whom the policy applies to • Who owns the policy • The exception criteria process
  23. 23. MARSH Cyber Security - Policies, Standards and Compliance 2213 May 2014 Internal Standards provide a consistent organizational interpretation to achieve the desired quality of the defined policy. Typical standards characteristics : • Narrow in application • Change more frequently due to implementation feedback or system environment • Described in detail including some technical or vendor specific detail • Include statements of “How” , “When” and possibly “Who” • Describes related processes Standards documents should include: • The policy statements to which the standards applies • Intended audience • To what or whom the standard applies • Who owns the standard and information on the update cycle • The exception criteria process
  24. 24. MARSH Cyber Security – Risk Assessment Methodologies 2313 May 2014
  25. 25. MARSH Asset Lifecycle Challenges specific to ICS Security; 2413 May 2014 • Capital projects • Greenfield • Existing assets • Brownfield • Contractors and suppliers • Workforce Development • Raising Cyber Security Awareness
  26. 26. MARSH Cyber Security – Embedding Security Technical Assurance in Project Lifecycle 2513 May 2014
  27. 27. MARSH Contractors and Suppliers • Develop standards and implementation guidelines for suppliers – especially important for 3rd party vendors • Work with key suppliers to develop standard toolkits for future projects and upgrades • Set high expectations for suppliers and contractually obligate them successfully deliver a secure solution 2613 May 2014
  28. 28. MARSH Cyber Security Project Assurance Levels 2713 May 2014
  29. 29. MARSH Cyber Security Framework Development 2813 May 2014 • Security Policies Development • Security Procedures and Standards Development • Control System Asset Management • Risk Assessment for ICS/SCADA • Gap Analysis for ICS/SCADA • Business Continuity Planning • Incident Response Plan • Security Architecture Blueprint • Workforce Training and Development • Security Controls Mapping to Industry Standards • SCADA Network Traffic Analysis • Security Operations Center (SOC) for SCADA
  30. 30. MARSH Cyber Security Operations Center 2913 May 2014
  31. 31. MARSH Technical Cyber Security Implementation 3013 May 2014 • Security Architecture Review and Re-Engineering • Network Segmentation • Security Zoning and Conduits • One Way Diode Firewall • Overlay Encryption • Patch Management • Endpoint Security • Application Whitelisting • Vulnerability Management for Control System • SIEM for the ICS/SCADA Environment • 3rd Party Remote Access
  32. 32. MARSH 3113 May 2014
  33. 33. Registered in England and Wales Number: 1507274, Registered Office: 1 Tower Place West, Tower Place, London EC3R 5BU. Marsh Ltd is authorised and regulated by the Financial Conduct Authority.

×