Industrial cybersecurity in a cloud and mobile first world

With the proliferation of smartphones and tablets in our workspaces, along with the desire of our IT organizations to leverage cloud-based solutions, the need to understand security as it applies to these kinds of applications is critical for manufacturing and industrial customers. How can you safely leverage these important technologies while ensuring the safety and integrity of your systems against security attacks?
Please review the slide deck to learn about the changing landscape of cyber security in the mobile first, cloud first world, how it affects your industrial control systems and what you need to do about it. Saadi Kermani will introduce you to what Wonderware is doing with its latest cloud offerings to stay ahead. Subscribe to our blog at http://blog.wonderware.online to stay informed. Sign up for a free trial of the solution at https://online.wonderware.com. Visit our corporate marketing website at http://www.wonderware.com to learn more.

Published in: Software

Slide 1: Industrial Cybersecurity in a Cloud and Mobile First World
Presented by: Saadi Kermani
Property of Schneider Electric

Slide 2: A little history
• Security was not a priority at the time of introduction for Industrial Control Systems (ICS)
• Originally optimized to help automate simplistic production tasks to produce product and increase yield
• Everything was bounded (fixed) and was physically connected

Slide 3: However, things changed
• The PC revolution hit
• Windows became a standard IT stack used in ICS systems
• The internet happened
• Wireless devices and wireless communication became the norm

Slide 4: However, things changed
• Ethernet connected devices became the norm
• Virtualization became a de-facto standard (leading to software defined resources, a.k.a. “SDx”)
• Mobile devices, including in the broader sense laptops, USB sticks, mobile phones and most recently wearable devices, became the norm

Slide 5: However, things changed
• Cloud services are everywhere, easy to leverage and consume
• IoT is the next big thing – an evolving story

Slide 6: Suddenly …
Assumptions that were held about accessing and potentially controlling ICS systems became outdated
• Isolated, physically bounded systems became a set of interoperable, boundless virtual systems (software defined, logically contained)

Slide 7: Suddenly …
• Security, CyberSecurity and Cyber-Physical security concepts were thrust into the spotlight and became a top (US national) priority following the 2010 Stuxnet attack
• Proprietary systems and protocols became blurred (common protocols based on TCP/IP or Ethernet connected, common IT infrastructure based on Windows/COTS: the IT/OT convergence)

Slide 8: Initial cybersecurity defensive posture
• As ICS systems became (permanently) connected (intentionally or not) we added firewalls to reinforce control
• Between air-gapped networks and firewalls, both of these approaches were based on the assumption that if nothing got in, we were “safe” (from the inside too, right?)
• It also helped, by coincidence, that the ICS world was at first distinctly different from most other IT solutions of the time, in terms of protocols, systems and technology.

Slide 9: Kaspersky Labs Data Sheet – 5 myths
1. Myth: Industrial control systems are not connected to the outside world.
2. Myth: We are safe because we have a firewall.
3. Myth: Hackers don't understand SCADA.
4. Myth: We are not a target.
5. Myth: Our safety systems will protect us.

Slide 10: Kaspersky Labs Data Sheet – 5 myths
1. Fact: Most industrial control systems have eleven connections to the Internet.
2. Fact: Most firewalls allow "any" service on inbound rules.
3. Fact: More and more hackers are specifically investigating this area.
4. Fact: Stuxnet proved ICS are targets. Note: Stuxnet defeated the “air gap”.
5. Fact: Safety and control systems are likely running the same O/S with the same vulnerabilities.

Slide 11: Best Practices
• Network Segregation
• Demilitarized Zone (DMZ), Bastion Host, Proxy Host
• Electronic Access Point Access Controls (port hardening, ingress/egress)
• User Access Controls (Role Based Access Control, RBAC, via MS AD, extendable to Azure AD or a similar IAM)
• With a complex password policy
• Multi-factor Authentication
• Least Privilege
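Slide 10's fact that most firewalls allow "any" service on inbound rules, and slide 11's segregation, DMZ and ingress/egress controls, are things a plant can check mechanically rather than by eyeballing a rule table. The following is an added example and not code from the presentation or from Schneider Electric: a small audit over a zone-based ruleset that flags "any"-service rules into the OT zone, rules that let corporate IT or the internet reach OT without passing through the DMZ, and a missing catch-all deny. The `Rule` model, the zone names and the sample rules are assumptions constructed for this example; a real firewall exports its own format.

```python
"""Audit a zone-based firewall ruleset for the weaknesses the slides call out:
"any"-service rules into the OT zone, IT/OT traffic that bypasses the DMZ,
and a missing catch-all deny.  The Rule model, zone names and SAMPLE_RULES
are constructed for this example; real firewalls export their own formats."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # zone: "internet", "corp", "dmz", "ot", or "any"
    dst: str
    service: str  # "any" or protocol/port such as "tcp/1433"
    action: str   # "allow" or "deny"


# Constructed sample ruleset for a plant with a DMZ between corporate IT and OT,
# evaluated top to bottom, first match wins.
SAMPLE_RULES = [
    Rule("corp-to-ot-any",  "corp", "ot",       "any",      "allow"),  # myth #2 in practice
    Rule("dmz-hist-to-ot",  "dmz",  "ot",       "tcp/1433", "allow"),  # historian replication
    Rule("ot-to-dmz-hist",  "ot",   "dmz",      "tcp/1433", "allow"),
    Rule("ot-to-internet",  "ot",   "internet", "any",      "allow"),  # unrestricted egress
    Rule("corp-to-dmz-web", "corp", "dmz",      "tcp/443",  "allow"),
    Rule("default-deny-ot", "any",  "ot",       "any",      "deny"),
]


def permissive_inbound(rules, protected="ot"):
    """Allow rules that open every service into the protected zone."""
    return [r.name for r in rules
            if r.action == "allow" and r.dst == protected and r.service == "any"]


def dmz_bypass(rules, protected="ot", dmz="dmz"):
    """Allow rules that connect the protected zone, in either direction, to any
    zone other than the DMZ, so the DMZ no longer mediates IT/OT traffic."""
    hits = []
    for r in rules:
        if r.action != "allow" or protected not in (r.src, r.dst):
            continue
        other = r.dst if r.src == protected else r.src
        if other not in (dmz, protected):
            hits.append(r.name)
    return hits


def has_default_deny(rules, protected="ot"):
    """True when the last rule touching the protected zone is a catch-all deny."""
    relevant = [r for r in rules if protected in (r.src, r.dst)]
    if not relevant:
        return False
    last = relevant[-1]
    return last.action == "deny" and last.src == "any" and last.service == "any"


def audit(rules, protected="ot", dmz="dmz"):
    """Collect the findings an ingress/egress review would report."""
    return {
        "permissive_inbound": permissive_inbound(rules, protected),
        "dmz_bypass": dmz_bypass(rules, protected, dmz),
        "default_deny": has_default_deny(rules, protected),
    }


if __name__ == "__main__":
    for finding, value in audit(SAMPLE_RULES).items():
        print(f"{finding}: {value}")
```

On the sample ruleset the audit reports `corp-to-ot-any` as both a permissive inbound rule and a DMZ bypass, and `ot-to-internet` as a second bypass (unrestricted egress from OT is the path a beacon or data exfiltration would take); the catch-all deny is present. Replacing `SAMPLE_RULES` with a parsed firewall export is the only change needed to run it against a real ruleset.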
Slide 12: Best Practices
• Malicious Software Prevention | Anti-Virus
• Device Control / Inventory
• Patching Server, Backups
• Logging Server (SIEM: Security Information and Event Management)
• System Hardening (least required)

Slide 13: Best Practices
• Intrusion Prevention / Detection (IPS/IDS)
• Deep Packet Inspection
• Implement “Next Generation Firewalls” (NGFW)
• Anti-malware
• Performance Monitoring and Alerting
• Switch Performance, HD Performance
• Centralized Cyber Management
• Management Server

Slide 14: Best Practices
• Well documented system/network architecture
• Patching Server / Patching Plan
• Backups / Tested and Documented Recovery Plan
• Standardized Systems
• Knowledge of System Baseline
• Malicious Software Prevention: Anti-Virus / Whitelisting
• Device Control / Inventory
• System Hardening (least required)
• Cyber Security Training and Awareness Program
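"Knowledge of System Baseline" and "Whitelisting" on slide 14 both come down to the same mechanism: record what an ICS node looked like when it was commissioned, then compare. The example below is added here and is not code from the presentation or from Schneider Electric; it hashes a set of files into a baseline, reports added, removed and modified files, and derives the whitelisting view (executables that are new or whose hash changed). The file paths and contents are constructed in memory so the example runs offline; on a real node you would walk the disk instead.

```python
"""Build and compare a file-integrity baseline for an ICS node: the "knowledge
of system baseline" and whitelisting practices from the slides.  The sample
files below are constructed in memory so the example runs offline."""
import hashlib


def snapshot(files):
    """Map each path to the SHA-256 of its contents (files: dict[path, bytes])."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_baseline(baseline, current):
    """Compare two snapshots and report drift as sorted path lists."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def allowlist_check(current, baseline, executable_suffixes=(".exe", ".dll")):
    """Whitelisting view: executables present on the node that are not in the
    approved baseline, either new or with a changed hash, must not run."""
    drift = diff_baseline(baseline, current)
    return sorted(p for p in drift["added"] + drift["modified"]
                  if p.lower().endswith(executable_suffixes))


# Constructed sample: the baseline taken when the HMI node was commissioned ...
GOLDEN_FILES = {
    "C:/Program Files/HMI/runtime.exe": b"hmi runtime v1.0",
    "C:/Program Files/HMI/drivers/modbus.dll": b"modbus driver v1.0",
    "C:/ProgramData/HMI/config.xml": b"<config scan_rate='500'/>",
}

# ... and what is found on the node today: one driver replaced, the
# configuration edited, and an unknown binary in a user's download folder.
CURRENT_FILES = {
    "C:/Program Files/HMI/runtime.exe": b"hmi runtime v1.0",
    "C:/Program Files/HMI/drivers/modbus.dll": b"modbus driver v1.0 (tampered)",
    "C:/ProgramData/HMI/config.xml": b"<config scan_rate='100'/>",
    "C:/Users/operator/Downloads/tool.exe": b"unknown binary",
}


if __name__ == "__main__":
    baseline = snapshot(GOLDEN_FILES)
    current = snapshot(CURRENT_FILES)
    print(diff_baseline(baseline, current))
    print(allowlist_check(current, baseline))
```

The baseline dictionary is what you would store on the management server, signed or at least write-protected, so that a compromised node cannot rewrite its own reference. Configuration drift (here the edited `config.xml`) is reported separately from executable drift because it usually needs a change-control answer rather than a block.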
Slide 15: Best Practices – Awareness of Common Attack Vectors
• External/Removable Media: attack executed from removable media, such as a USB drive, CD or a peripheral device.
• Attrition: attack that employs brute force methods to compromise, degrade or destroy systems, networks, or services.
• Web: attack executed from a website or web-based application.
• Email: attack executed via an email message or attachment; phishing.
• Improper Usage: any incident resulting from violation of an organization’s acceptable usage policies by an authorized user.
• Loss or Theft of Equipment: loss or theft of a computing device or media used by the organization, e.g. a laptop or smartphone.
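The "attrition" vector above is the one a logging server feeding a SIEM (slide 12) catches most easily, because a brute force attempt leaves a burst of failed logons. The following is an added example, not code from the presentation or from Schneider Electric: a parser for a simple key=value logon event format and a sliding-window rule that raises one alert per source and host once a threshold of failures lands inside the window, escalating the alert when a successful logon from the same source follows the burst. The log format, host names, addresses and the sample lines are constructed for this example and are not real data.

```python
"""A SIEM-style detection for the "attrition" (brute force) attack vector,
run over the kind of logon events an ICS logging server would forward.
The log format and SAMPLE_LOG lines are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed key=value logon events from two HMI nodes (not real data).
SAMPLE_LOG = """\
2015-06-01T10:00:01 host=hmi01 event=logon_failed user=operator src=10.1.5.23
2015-06-01T10:00:04 host=hmi01 event=logon_failed user=operator src=10.1.5.23
2015-06-01T10:00:07 host=hmi01 event=logon_failed user=admin src=10.1.5.23
2015-06-01T10:00:09 host=hmi01 event=logon_failed user=admin src=10.1.5.23
2015-06-01T10:00:12 host=hmi01 event=logon_failed user=admin src=10.1.5.23
2015-06-01T10:00:15 host=hmi01 event=logon_ok user=admin src=10.1.5.23
2015-06-01T10:05:00 host=hmi02 event=logon_failed user=operator src=10.1.5.40
2015-06-01T10:05:30 host=hmi02 event=logon_ok user=operator src=10.1.5.40
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn log lines into dicts; lines that do not match the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per (source, host) when `threshold` failed logons land within
    `window`; a later successful logon from the same source escalates the alert,
    because that is the pattern of a guess that finally worked."""
    failures = defaultdict(list)  # (src, host) -> timestamps of recent failures
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["host"])
        if ev["event"] == "logon_failed":
            recent = failures[key]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:  # slide the window
                recent.pop(0)
            if len(recent) >= threshold and key not in alerts:
                alerts[key] = {
                    "src": ev["src"], "host": ev["host"],
                    "failures": len(recent), "first": recent[0], "last": ev["ts"],
                    "success_after": False, "severity": "medium",
                }
        elif ev["event"] == "logon_ok" and key in alerts:
            alerts[key].update(success_after=True, severity="high", user=ev["user"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample data the rule fires once, for `10.1.5.23` against `hmi01`, and escalates to high because the `admin` logon succeeded after five failures in eleven seconds; the two events from `10.1.5.40` stay below threshold. The threshold and window are the knobs to tune against the plant's own operator behaviour (shift changes and mistyped passwords are the usual false-positive sources).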
Slide 16: Where to get guidance – Old Friends
• DHS and NIST ICS
• NERC / CIP
• ISA/IEC 62443
• ISO 27001/2

Slide 17: Where to get guidance – New Friends

Slide 18: Where to get guidance – General Tools
• Shared Assessments: complete organizational risk assessment, https://sharedassessments.org/
• Open Security Architecture SP-023: Industrial Control Systems, http://www.opensecurityarchitecture.org

Slide 19: Where to get guidance – Google for ICS
• Shodan “IoT” public search engine
• RISI database of public ICS attacks

Slide 20: Credit: Alexander Open Systems (AOS)

Slide 21: Source: Check Point Software Technologies – Security Report 2015

Slide 22: Source: Top used cloud apps in enterprise networks

Slide 23: Key cyber-concepts relevant today
• Layered architecture techniques
• Cover all the reasonable bases
• Defense in Depth – a holistic view
• Not just a technology problem
• Need to include people (culture) and process (continuous habits)
• Mobile Device Management (MDM)

Slide 24: Key cyber-concepts relevant today – A holistic approach
• People, Policies and Procedures, Technologies (diagram labels: People: Training; Policies: SOPs and Tools; Technology)

Slide 25: Organizational Commitment
• CyberSecurity Officer (CSO)
• First in our space to achieve SDLA certification
• Dedicated Industrial Control Systems Cybersecurity Incident Response Team (CSIRT)
• Professional Services group for ICS Consulting
• Appointed CyberSecurity Advisors to support R&D Cybersecurity practices

Slide 26: Development Practices Commitment
• Adherence to the Microsoft Security Development Lifecycle (SDL)
• Penetration Testing, OWASP Scoring, Fuzz testing, Application Threat Modeling, Attack Surface / Attack Vector analysis
• Internal audits by Cybersecurity auditors
• Adoption of Agile, DevOps practices with capacity for rapid release

Slide 27: Third-party validation Commitment
• Periodic engagement with third-party professional services companies for external cybersecurity audits with specialization in Industrial Control Systems (ICS) and Critical Infrastructure and Key Resource (CIKR) security.
• Gold Certified Microsoft ISV Partner with regular architectural review and design sessions surrounding cybersecurity principles for managed solutions

Slide 28: Industry Standards Commitment
• RESTful, secured APIs over TCP/IP
• XML data structures where applicable
• OData interface for secure data retrieval
• OpenID Connect, OAuth 2.0 authentication endpoints
• SSL/TLS encryption for all channels on the well-known port 443
• Native support for modern browsers based on HTML5
• Native mobile O/S for our mobile apps
• Transparent Data Privacy, Data Ownership and Data Protection policies
• Support for hybrid deployment models (e.g. on-premises to cloud)

Slide 29: Industry Best Practices Commitment
• Encryption for Data in Motion (SSL/TLS)
• Encryption for Data at Rest
• Defense in Depth architectural layers based on least privilege
• Support for federated Active Directory (Azure Active Directory)
• Embedded Privacy Controls
• Secured APIs
• Status Dashboard for critical and transparent incident reporting (https://status.wonderware.com)
• Planned support for:
  • 2-Factor Authentication (2FA) / Multi-factor Authentication (MFA): something you know; something you have; something you are
  • Audit Logs

Slide 30: Industry Best in Class Commitment
• Enterprise partner with Microsoft as our Cloud Service Provider (CSP), based on the Microsoft Azure platform.
• Microsoft Azure has 24 data centers deployed globally with 20+ compliance certifications available across their cloud services and data centers (including HIPAA, PCI, ISO/IEC 27018:2014)
• Cloud Security Alliance (CSA) STAR Registrant
• Capacity to respond to Data Residency laws in geo-political zones: United States | Canada; Australia; European Union; India | China

Slide 31: Source: Check Point Software – Security Report 2015

Slide 32: Domain Expertise Commitment
• Schneider Electric and its associated power brands, including Wonderware, Foxboro and Avantis, bring over 175 years of Industrial Automation experience.
• Schneider Electric and the Wonderware software portfolio offer customers the industry’s most advanced industrial software platform with available modules covering most industries
• NERC/CIP requirements experience for Power and Energy verticals
• NIST-aligned architecture
• ISA/IEC 62443 voting board member
Slide 33: Wonderware SmartGlance
Monitor asset and production metrics from any source on any mobile device

Slide 34: (screenshot callouts) quick summary view; long-press on any tag to set an alert, view more info

Slide 35: Download Wonderware SmartGlance today!

Slide 36: Wonderware Online
Time-series based storage, trend & analysis informational client as a service

Slide 37: https://online.wonderware.com – Browser Client

Slide 38: https://online.wonderware.com – Mobile & Wearable Clients

Slide 39: (data source diagram) InTouch, InTouch Machine Edition (ME), Historian SDK, Historian Tier-1

Slide 40: (call-to-action buttons) sign up, free demo, live chat

Slide 41: False dichotomies
• Us vs Them (OT vs IT)
• OT is isolated from IT
• Inside vs Outside
• Internal is more secure than external
• On-premises vs Cloud
• In-house is more secure than outsourced

Slide 42: Saadi Kermani, Product Manager, Wonderware SmartGlance, Wonderware Online
https://ca.linkedin.com/in/skermani
http://www.Wonderware.com
@SaadiKermani
http://blog.wonderware.online
https://online.wonderware.com

Slide 43: Thank you.

Slide 44: Overview – Services, Support, Partners & Training: A Truly Global Reach
• 150+ Support Professionals
• 200+ Training Offerings
• 3900+ Ecosystem Partners (SIs)
• 160+ Technology Partners
Partner Ecosystem Stats
• 3900+ Ecosystem Partners (SIs)
• 160+ Product Partners
• 12000+ individual product certifications
• 3800+ Certified Developers
(Regional chart: SI Partners, Distributor, Presales, Training, Support; chart values as extracted: 360, 1500, 1170, 140, 29, 35, 29, 7)

Slide 45: Services, Support, Training, Ecosystem Partners
Services:
• Business Value Consulting
• Supervisory Control Consulting
• Operations and Asset Management
• Asset Performance Consulting
• Enterprise Manufacturing Intelligence
• Manufacturing Execution Systems Implementation
• Mobile Solutions Professional
• Workflow Services
Support:
• SimSci Customer Support
• Wonderware Customer Support
• Global Customer Support (GCS) Site
Training:
• Wonderware Training
• IntelaTrac Training
• Classroom Training
• eLearning
Ecosystem Partners:
• Technology Partners
• Partner Locator
• Authorized Distributors
