ICS Cyber Security Briefing



About John Ballentine

John Ballentine, Director of Cyber Security & Compliance

• Assists HPI customers by reducing their cyber security risk in industrial control system environments.

• Develops programs that identify, manage and mitigate compliance and regulatory risks.

Who is John Ballentine?

Over 20 years of experience in the energy industry, including corporate and consulting roles managing cyber security and regulatory compliance at power generation facilities in North America.

Certifications:

• CISSP: Certified Information Systems Security Professional
• CISA: Certified Information Security Auditor
• CCEP: Certified Compliance and Ethics Professional
• GLEG: Certified Information Law Specialist
• CSSA: Certified SCADA Security Architect

Industry service includes:

• Board of Directors, North American Generator Forum (NAGF)
• US Department of Homeland Security, Cyber Emergency Response Team


Security, Security, Security


They Strike Again (Really!)

Back Up Attack

California Power Station Attacked in 2013 is Struck Again

By Matthew L. Wald, August 28, 2014

The Silicon Valley power substation that was attacked by a sniper in April 2013 was hit by thieves early Wednesday morning, according to the Pacific Gas and Electric Company, despite increased security.

The substation, near San Jose, Calif., is the source of energy for thousands of customers, and the idea that it was the target of a well-organized attack, and that it might have been disabled for an extended period, raised anxieties about the possible broader vulnerability of the grid. The attack this week did not involve gunfire, and it did not seem intended to disable the facility.

Early Wednesday, an unknown number of thieves cut through a fence and made off with power tools, a pipe bender and ground compactors used to smooth out dirt after excavations, said Keith F. Stephens, a spokesman for Pacific Gas and Electric. The substation has an alarm system, but the “fence alarms that went on overnight were not reacted to or addressed in an appropriate manner,” Mr. Stephens said. He added that the problem was a result of “human error.” The company has not determined the value of the items taken. The intruders did not appear to try to damage operating equipment, Mr. Stephens said.

In the 2013 attack, shots were fired into the radiators of giant transformers, disabling but not destroying them. Two manhole covers were removed, and communications lines were cut. The utility said damages came to $15.4 million. Some of the transformers were repaired using components borrowed from other utilities; others had been nearing retirement anyway and were replaced.


Security as a Governance and Practical Matter

Security, whether cyber or physical, impacts how energy companies plan, manage and maintain their business objectives.

Executives and managers face increasing challenges managing the threats and potential impacts from security issues.

HPI’s customers typically operate facilities that are vulnerable to attack and can ill afford business interruption.

Our customers need effective strategies to properly design, plan, implement and maintain a security program to meet the modern challenges they face.


Distributed Control System (DCS) and Process Control Systems

• A group of computers and/or smart field devices networked together to monitor and control industrial processes with direct feedback control.

• Control systems operate in near real-time and are used in critical sectors such as power generation, oil and gas refining, water treatment, chemicals, etc.

• May consist of HMIs, PLCs, standalone power electronic controllers, microgrid controllers, and substation automation systems.

Supervisory Control and Data Acquisition (SCADA) System

• Normally applied to systems connected to devices over a larger area including multiple buildings or even many miles away.

• Operative word is SUPERVISORY; used in critical sectors such as electrical transmission and distribution, oil and gas pipelines, water/sewer and transportation.


Power System ICS Footprint

• Generator Control Systems
• SmartGrid Control and Automation Systems
• Utility Monitoring and Control Systems
• Supervisory Control and Data Acquisition (SCADA) Systems
• Transmission and distribution
• Fuel Management Systems
• Power Quality and UPS Systems
• Renewable Energy Control Systems


Information vs. Operations Technologies

| | Information Technology (IT) | Operations Technology (OT) |
|---|---|---|
| Security Focus | Confidentiality, Integrity | Availability |
| People/Equipment Ratio | Number of people ≈ number of equipment | Few people, many types of equipment |
| Object Under Protection | Information | Industrial process |
| Risk Impacts | Information disclosure (privacy), economic, legal liability for damages | Safety (life), health, environment, loss of production, downtime, repairs |
| Availability Requirements | 95-99%/year (moderate acceptable downtime) | 99.9-99.999%/year (no acceptable downtime) |
| System Lifetime | 3-5 year replacement cycles | 15-30 years |
| Main Protected Target | Central servers (CPU, memory) and PCs | Servers, distributed systems, sensors, PLCs |
| Operating Systems | Windows | Windows and proprietary |
| Software | Consumer software on PCs | Specific, customized configurations |
| Protocols | Well known (HTTP over TCP/IP), web-based | Industrial TCP/IP, vendor specific, polling |
| Main Actors | IBM, SAP, Oracle | ABB, Siemens, Honeywell, Emerson |


Security Threats from Every Direction

• Blunders, errors and omissions
• Curiosity and ignorance, recreational and malicious hackers
• Disgruntled employees, insiders
• Industrial and foreign espionage and information warfare
• Fraud and theft, criminal activity
• Malicious code


Attack Modes for ICS

• Loss of View
• Manipulation of View
• Denial of Control
• Manipulate Control
• Total Loss of Control



Cyber Intrusion Sequence

• Surveillance
• System Mapping
• Initial Infection
• Information Exfiltration

Countermeasures shown against the sequence: Pen Test; Incident Detection/Response


Attack Sources

• External threats/hacktivism
• Insider exploits or other internal activities
• Security policy violations, malware and email phishing
• Industrial espionage


Attack Vectors: Method of Compromise

[Chart. Categories: Web Management Console, Missing patches, Weak passwords, Social Engineering, File Upload. Shares shown: 62%, 22%, 10%, 4%, 2%.]


Attack Vectors: Time to Break-In

• Less than 1 Hour: 12%
• 1-4 Hours: 18%
• 4-8 Hours: 29%
• 8-16 Hours: 41%


Attack Vectors: Level of Compromise

[Chart. Categories: External Admin Access, Internal User Access, Internal Admin Access, External User Access, Complete Internal Compromise. Shares shown: 7%, 16%, 11%, 38%, 28%.]


SECURITY PLAN AND APPROACH


Framework Core

• Identify: Institutional understanding to manage cyber security risk.
• Protect: Safeguards to ensure delivery of CI services.
• Detect: Identify the occurrences of a cyber security event.
• Respond: Take action to address a detected cyber security event.
• Recover: Restore impaired capabilities or CI services from a cyber security event.


Keys to Securing Your Operations Technology

• Assess existing systems, and document policies and procedures.
• Train personnel and contractors.
• Segment the control network, and control system access.
• Harden system components.
• Monitor and maintain system security.


Importance of Establishing ICS Security Policies

• Demonstrates Support: Demonstrates management support and direction.
• Company Protection: Protects the company and preserves management options in the event of a security incident.
• Sets Expectations: Provides guidance/communicates expectations to employees and suppliers.
• Technology Independent: Stays as technology independent as possible.
• Structure Analysis: Outlines what to achieve, not how to achieve it.


Cyber Security Vulnerability Assessment

Expert analysis of the control system to identify actual and potential security vulnerabilities, covering:

• Network architecture diagrams
• Network component and host device configurations
• Access control strategies
• Software and firmware versions
• Policies and procedures


Security Network Design Goals

Restrict physical access to the ICS network and devices

Unauthorized physical access to components could cause serious disruption of the ICS’s functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.

Restrict logical access to the ICS network and network activity

This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.


Maintain Phase

Security countermeasures must be monitored and maintained:

• Evaluate, test and deploy patches prudently.
• Monitor system logs.
• Plan and prepare incident response.


Steps to Improve Cyber Security of SCADA Networks

• Identify all connections to SCADA networks. Disconnect unnecessary connections.

• Evaluate/strengthen security of any remaining connections to the SCADA network. Harden SCADA networks by removing unnecessary services.

• Don’t rely on proprietary protocols to protect the system. Implement security features provided by device and system vendors.

• Establish strong controls over any medium used as a backdoor into the SCADA network. Implement internal and external intrusion detection systems and establish 24-hour incident monitoring.

• Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security.


• Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators and users.

• Document network architecture and identify systems that serve critical functions or contain sensitive information requiring additional protection.

• Establish a rigorous, ongoing risk management process. Establish a network protection strategy based on the principle of defense-in-depth. Clearly identify cyber security requirements.

• Establish effective configuration management processes. Conduct routine self-assessments.

• Establish system backups and disaster recovery plans.

• Senior leadership should establish expectations for cyber security performance and hold individuals accountable for their performance. Establish policies and train to minimize the likelihood that personnel will disclose information regarding the SCADA system, operations or security controls.
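Two of the items above can be turned into a repeatable check: the DMZ design goal from the Security Network Design Goals slide (no traffic passes directly between the corporate and ICS networks) and the first SCADA step (identify every connection, then disconnect or justify the unnecessary ones). The script below is an added example, not code from the briefing or from HPI; it assumes a simplified zone-based rule format of its own (the `Rule` dataclass, the zone names `corporate`/`dmz`/`ics`, the sample rules and the approved-service list are all constructed) and audits such a rule set for paths that bypass the DMZ, services not on the approved list, and connections nobody has documented.

```python
"""Audit a zone-based firewall policy against the corporate / DMZ / ICS design goal.

Added example (not from the briefing). The rule format, zone names and
sample data are constructed for illustration; a real deployment would
export rules from its firewall and map them into this shape.
"""
from dataclasses import dataclass

# Zones of the reference architecture: office LAN, a DMZ that holds the shared
# servers (historian, patch relay, jump host), and the control-system network.
CORPORATE, DMZ, ICS = "corporate", "dmz", "ics"


@dataclass(frozen=True)
class Rule:
    """One policy entry between two zones (constructed format, not a vendor's)."""
    src_zone: str
    dst_zone: str
    proto: str          # "tcp", "udp" or "any"
    port: int           # 0 means "any port"
    action: str         # "allow" or "deny"
    justification: str = ""   # business reason; empty means undocumented


def audit_rules(rules, approved_ics_services):
    """Return (severity, message) findings for every allow rule that violates
    the design goal. approved_ics_services is the set of (proto, port) pairs
    permitted to cross from the DMZ into the ICS zone. Empty list = clean."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules cannot open a path; nothing to check
        # Goal 1: corporate and ICS never talk directly, in either direction.
        if {r.src_zone, r.dst_zone} == {CORPORATE, ICS}:
            findings.append(("high", f"direct corporate/ICS path bypasses the DMZ: {r}"))
            continue
        if r.dst_zone == ICS:
            # Goal 2: everything entering ICS originates in the DMZ.
            if r.src_zone != DMZ:
                findings.append(("high", f"traffic into ICS must originate in the DMZ: {r}"))
            # Goal 3: only named, approved services cross into ICS.
            if r.proto == "any" or r.port == 0:
                findings.append(("high", f"overly broad rule into ICS (any protocol/port): {r}"))
            elif (r.proto, r.port) not in approved_ics_services:
                findings.append(("high", f"service not on the approved ICS list: "
                                         f"{r.proto}/{r.port} from {r.src_zone}"))
            # Step 1 of the SCADA list: every remaining connection is documented,
            # otherwise it is a candidate for disconnection.
            if not r.justification:
                findings.append(("medium", f"undocumented connection into ICS (justify or disconnect): {r}"))
    return findings


def severity_counts(findings):
    """Tally findings by severity, e.g. {'high': 2, 'medium': 1}."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample policy: two good rules, two that violate the goals, one deny.
SAMPLE_RULES = [
    Rule(CORPORATE, DMZ, "tcp", 443, "allow", "engineers read historian dashboards"),
    Rule(DMZ, ICS, "tcp", 502, "allow", "historian polls PLCs over Modbus/TCP"),
    Rule(CORPORATE, ICS, "tcp", 3389, "allow", ""),   # direct remote desktop from the office LAN
    Rule(DMZ, ICS, "tcp", 22, "allow", ""),           # SSH into ICS that nobody can explain
    Rule(ICS, CORPORATE, "any", 0, "deny", "default deny"),
]
# Constructed approved list: only the historian's Modbus/TCP polling may enter ICS.
APPROVED_ICS_SERVICES = {("tcp", 502)}

if __name__ == "__main__":
    for sev, msg in audit_rules(SAMPLE_RULES, APPROVED_ICS_SERVICES):
        print(f"[{sev.upper()}] {msg}")
```

On the sample policy the audit reports the direct corporate-to-ICS rule and the unexplained SSH rule (the latter twice: once because the service is not approved, once because it is undocumented), while the historian's documented, approved Modbus/TCP poll passes. The approved-service set is the place to record the output of the "identify all connections" exercise; anything that later appears in the rule base without an entry there shows up as a finding.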


HPI Security Approach: Prevent, Detect & Recover

Whether you need a full compliance or security solution, or are preparing for an audit or internal control review, HPI’s experience as operators will maximize your return on investment.

Prevention
• People: trained and alert
• Technology: managing systems
• Processes: mitigating risks

Detection & Notification
• Network access monitoring
• Anomaly detection
• Active intrusion monitoring

Recovery & Restoration
• Back-up restoration management
• Annual compliance testing


There IS a starting and end point to get your company optimized to face the threats and reduce the likelihood of interrupting your business:

Assessment and Risk Benchmarking
• Cyber Security: Systems and Network Risk Assessment; Cyber Vulnerability Assessment (NERC CVA); Standards-based Audits
• Compliance: Applicability Assessments; Controls and Policies Reviews; Mock Audits

Mitigation and Design Services
• Cyber Security: Security Architecture; Operations Network Security Upgrade; Remediation and Recovery Plans
• Compliance: Compliance Mitigation Plans; Compliance Filings with Govt Agencies; Overall Compliance Program Design

Implementation and Monitoring
• Cyber Security: Security System Conversion; Hardware and Software Monitoring; System Restoration
• Compliance: Corp Compliance Program Implementation; Install GRC Software and Configure for Monitoring; Compliance-as-a-Service


Defense in Depth Focus Areas

HPI subscribes to the “Defense in Depth” approach of the cyber security professional community.

Defend the computing environment
• End-user environment
• Application security

Defend the network and infrastructure
• Backbone network availability
• Wireless network security
• System interconnections

Defend the enclave boundary
• Network access protection
• Remote access


Bridging the ICS Security Specialization Skill Gap

Many organizations substitute Information Technology/Network Specialists for Information Security Specialists.

Most IT/Network personnel possess few of the security skills needed to harden a network. Even fewer have the capability to secure an ICS network.

HPI has cyber security skills in the energy industry ICS, the rarest and most sought-after skill set in the industry.

[Diagram: IT Professionals, Cyber security professionals and Control system professionals overlap in Control System Cyber Security.]


Independent Architect and Audit Services

Need temporary personnel to fill a missing internal link? We can deploy on short notice to help out. Already have an ICS cyber security team, and just need to “fill the gaps”? HPI has you covered:

• Security designs (physical and cyber)
• Program implementation assessments
• Compliance gap analysis; Mock audits
• Self-reports and gap closures


Training and Compliance Monitoring Services

TRAINING SOLUTIONS

Most clients have broad compliance and security programs with prescribed goals that often require training to achieve objectives. HPI has teamed with online training delivery systems, and can have your course up and running in weeks.

COMPLIANCE SERVICES

Whether you’re in need of frequent determinations or updates on your compliance status or regulatory due diligence on potential acquisitions, HPI has you covered.


The HPI Differentiator

Why work with us?

“HPI customers must be secure so that they can focus on their core business of efficiently producing power to the grid.”
- Hal Pontez, HPI President & CEO

HPI designs, builds, operates, controls, maintains and repairs power generation facilities; it’s in our DNA.

Generic security consultants cannot match our comprehensive understanding of how those areas link together and form an aligned approach.

Unlike vendors that sell newfangled technology solutions or pre-packaged systems, HPI customizes security solutions that significantly reduce risk.

Every area of HPI is completely aligned to the cyber security challenge as the key to protecting our clients’ assets.


Contact Us

OFFICE: 713.457.7500 CELL: 512.705.7242

EMAIL: [email protected]

https://www.facebook.com/hpillc

@hpienergy

https://www.linkedin.com/company/hpi-llc/
