Joe Howland, VC3
Network/Cyber Security
SCAMPS Annual Meeting 2015
Source: http://www.information-age.com/technology/security/123458891/how-7-year-old-girl-hacked-public-wi-fi-network-10-minutes
Security Breaches
Several small, mostly rural, police and sheriff offices targeted by a company they had investigated. Computer systems hacked, websites defaced, sensitive information exposed (emails, tips on suspected crimes and profiles of gang members)
$200,000 theft of electronic fund transfers for schools and cities in a county
Wastewater management system hacked by a computer expert rejected for a city job
SCDOR: SS numbers of 3.6 million SC residents
40 million customers' credit and debit card data stolen
The Security Challenge
Topic can be overwhelming
Concepts are confusing
Seen as purely an IT issue
Ignored until an event occurs
Rapidly changing technology and tactics
Large time investment to remain current
Areas of Focus
Perimeter Security
Device Security
Monitoring
Change Control
Testing
User Training
Incident Response
SCADA/ICS Specific
Perimeter Security
Physical security
Firewalls
Network segmentation - VLANs
Implement DMZs to contain any Internet-facing services
Wireless networks
Intrusion Detection Systems (IDS) - identify malicious traffic and notify
Intrusion Prevention Systems (IPS) - identify malicious traffic and act
Protecting your networks from directed attacks
Device Security
Patch management (servers, workstations)
Code management (firewalls, switches, appliances)
Lifecycle management - ensure security from deployment to decommission
Anti-virus
Anti-spam
Mobile Device Management
  Data encryption
  Remote wipe capabilities
Network Access Control
Preventative Maintenance
Monitoring
IDS/IPS - need to know an event has happened
Log and Event Management Systems (LEMS)
Managed Security Services
3rd party monitoring
Do you know what's leaving your network?
  Malicious traffic
  Confidential documents and information
Tracking your security state
Change Control
IT environments change constantly
Change introduces new risk
  New systems brought online without current security patches
  Removal of legacy equipment leaves vulnerabilities - make sure your decommission process is complete!
Does your change control process account for security?
Testing
Vulnerability scans - external & internal
Periodic review of access rights
  Terminated employees
Process audits
Third party reviews
Scans & Audits
End Users
Consider using a password management tool (forces regular change, authentication)
Grant access rights on an as-needed basis
Don't click on links in emails/texts
Don't open attachments unless you are expecting them
Don't click on email or pop-up messages that ask for personal or financial information
Don't download and install software
Don't email personal or financial information
Your #1 Security Risk
End Users
Implement encryption on laptops and mobile devices
Exercise caution when accessing public hotspots
Avoid risky sites (gambling, foreign, etc.)
Install a comprehensive security suite
Limit use of the Administrator account
Don't ever share your password!!!!
Implement dual factor authentication
Your #1 Security Risk
End User Training
"Education is the first line of defense"
Explain the ramifications of a breach
Start with basics as simple as password policies
Document rules for various situations
Expose your employees to real world scenarios
Employee Termination
Change password and disable user's account
  Remote access
  Vendor sites
  Partner sites
  Mobile devices
  Hosted services
Take the necessary steps
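The "periodic review of access rights" on the Testing slide and the termination checklist above are the same control seen from two sides. The script below is an added example (not from the presentation or VC3) of that review: it cross-checks an HR list of terminated employees against account exports from each access point the slide names and reports every account still enabled. All usernames, systems and dates are constructed sample data.

```python
"""Access-rights review: flag terminated employees who still have an
enabled account on any system the offboarding checklist must cover."""
from datetime import date

# Constructed sample data (not from the slides): HR roster of terminated
# employees, keyed by username, with termination date.
TERMINATED = {"jdoe": date(2015, 3, 2), "asmith": date(2015, 4, 15)}
AS_OF = date(2015, 5, 1)  # date the review is run

# Constructed account inventories, one per access point named on the slide:
# directory account, remote access, vendor/partner sites, mobile devices,
# hosted services. In practice each list is an export from that system.
INVENTORY = {
    "directory":     [{"user": "jdoe", "enabled": False},
                      {"user": "asmith", "enabled": True},
                      {"user": "bjones", "enabled": True}],
    "vpn":           [{"user": "jdoe", "enabled": True},
                      {"user": "bjones", "enabled": True}],
    "vendor_portal": [{"user": "asmith", "enabled": True}],
    "mdm":           [{"user": "jdoe", "enabled": True}],
    "hosted_mail":   [{"user": "asmith", "enabled": True}],
}


def review_access(terminated, inventory, as_of):
    """Return one finding per still-enabled account of a terminated user,
    longest-open gap first so the oldest exposures are closed first."""
    findings = []
    for system, accounts in inventory.items():
        for acct in accounts:
            user = acct["user"]
            if user in terminated and acct.get("enabled", False):
                findings.append({
                    "user": user,
                    "system": system,
                    "days_open": (as_of - terminated[user]).days,
                })
    return sorted(findings, key=lambda f: (-f["days_open"], f["system"]))


def offboarding_gaps(findings):
    """Group findings per user: the remaining checklist of systems to disable."""
    gaps = {}
    for f in findings:
        gaps.setdefault(f["user"], []).append(f["system"])
    return {user: sorted(systems) for user, systems in gaps.items()}


if __name__ == "__main__":
    found = review_access(TERMINATED, INVENTORY, AS_OF)
    for f in found:
        print(f"{f['user']:8} {f['system']:14} open {f['days_open']} days")
    print(offboarding_gaps(found))
```

Note that jdoe's directory account was disabled but VPN and MDM access were not, which is exactly the gap the slide's list of secondary systems is meant to catch.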
Incident Response Plan
Assess and categorize impact
Engage your Incident Response team
  Roles should be pre-defined
  Nature of incident dictates which roles are required
Containment - stop the spread
Eradicate - remove the cause of the incident
Recovery - return to normal operation
Lessons learned - how did it happen?
Complete Incident Report
How will you react when the inevitable occurs?
Security and SCADA
Blocked or delayed information flow
Unauthorized changes - instruction sets, controls, alarm thresholds
Inaccurate information
ICS systems infected with malware
Impact to safety systems
ICS / SCADA Specific Risks
Homeland Security Policy
Security policies, procedures, training and educational
Addressing security throughout the lifecycle of the ICS
Implementing a network topology for the ICS that has multiple layers
Employing a DMZ network architecture
Ensuring that critical components are redundant and are on redundant networks
Disabling unused ports and services on ICS devices
Restricting physical access to the ICS network and devices
Restricting ICS user privileges to only those that are required to perform each person's job
Homeland Security Policy
Separate authentication mechanisms and credentials for users of the ICS network and the corporate network
Using modern technology, such as smart cards for Personal Identity Verification (PIV)
Implementing security controls such as intrusion detection software, antivirus software and file integrity checking
Applying security techniques such as encryption and/or cryptographic hashes to ICS data storage
Expeditiously deploying security patches after testing all patches under field conditions on a test system if possible
Tracking and monitoring audit trails on critical areas of the ICS
Source: http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
Practical Steps
Isolate your SCADA networks
Encrypt network traffic if possible
Grant access to only those that need it
Do not mix administrative and SCADA systems
Implement dual factor authentication
Define strict policies and procedures
Leverage independent audits
Joe Howland, VCIO
joe.howland@vc3.com (803) 978.2714
Larry Mattox, Account Executive
larry.mattox@vc3.com (803) 978.2725