National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Call....

Shah Sheikh - Presentation at the National Oil Conference 2014 in Dubai organized by Marsh. Evolving Cyber Security - A Wake Up Call.....
Published on: Mar 3, 2016
Published in: Technology      
Source: www.slideshare.net


Transcripts - National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Call....

  • 1. NATIONAL OIL COMPANIES CONFERENCE 2014: BEYOND THE HORIZON – MANAGING THE NEXT FRONTIER OF RISK
       18-20 MARCH 2014, INTERCONTINENTAL HOTEL FESTIVAL CITY, DUBAI
       Evolving Cyber Security - A wake up call…
       Shah H Sheikh MEng CISSP CISA CISM CRISC CCSK (shah@dts-solution.com), Co-Founder / Sr. Security Consultant @ DTS Solution
  • 2. MARSH, 13 May 2014. Agenda: Evolving Cyber Security – A wake up call…
       • Cyber Security Introduction and History
       • Cyber Security for SCADA / Critical Infrastructure and Enterprises
       • Attacker and Actors Profile and Objectives
       • Cyber Security Risk Management Framework
  • 3. Cyber Security Introduction
       • What is Cyber Security?
         – Protection of mission and business critical assets in the form of logical security controls (this is not physical security) to ensure no adverse impact of any kind to the business.
       • Why is it important?
         – Globalized Digital Data – every organization has digital information, many enterprises trade and carry out business transactions online, and every enterprise is connected to the internet in one form or another. Cyber security threats can materialize from external and internal boundaries.
       Critical Infrastructure needs to be protected… Many important government level discussions in 2013 cited Cyber Attacks and Digital Spying as a major concern for national security…
  • 4. Cyber Security Introduction
       • Information Security Investment
         – From Luxury to Necessity…
         – The perception needs to change and needs to be driven at top management level with clear governance and a steering committee.
       • The future of Cyber Security and Risk…
         – There is little doubt that the race for arms is cyber warfare…
         – State sponsored cyber attacks are commonplace and very evident in 2013
         – Financial reward makes organized Cyber Crime very prevalent
         – Geo-Political Expression of Opinion
         – Ease of Attack Tools and Availability
         – … The list goes on…
  • 5. Cyber Security Threat Landscape – (R)evolution…
  • 6. Cyber Security Threat Landscape – Sophistication of Attacks
  • 7. Cyber Security in the Energy Sector
       • Some Statistics…
         – US ICS-CERT is the only organized public forum for Industrial Control Systems Security – Computer Emergency Response Team
         – 18 Critical Infrastructure Sectors identified by DHS
       • Concerted effort is required amongst organizations and governments alike to increase awareness of cyber security across critical infrastructure…
  • 8. Cyber Security in the Energy Sector. Source: ICS-CERT (256 reported security incidents) – how many go unreported?
  • 9. Industrial Malware Timeline (years marked on the timeline: 2003, 2009, 2010, 2011, 2012, 2013)
       • Slammer: Davis-Besse Nuclear Plant; plant monitoring offline for 5-6 hours
       • Night Dragon: Oil and Gas Majors; sensitive information stolen
       • Stuxnet: USB infection; Natanz Facility; controller sabotage
       • Shamoon: Oil and Gas in GCC; 30K+ devices wiped
       • DuQu: Stuxnet variant; backdoor rootkit
       • Flame: keystroke logger; screenshot; cyber espionage; mainly in Middle East
       • Mahdi: malicious PDF/PPT; cyber espionage; mainly in Middle East
       • Red October: malicious PDF/PPT; cyber espionage; Swiss Knife of Malware
       • Operation Aurora: APT; target Hi-Tech; Defense; Source Code; originated from CN
       Some malware is self-replicating and propagates… (dropper and replicate, overwrite and wipe)
  • 10. Industrial Malware Geo-Infections: STUXNET, FLAME. Source: Kaspersky Labs
  • 11. Industrial Malware Geo-Infections
  • 12. Critical Infrastructure / Energy Sector – Security Attacks on SCADA Networks
  • 13. Critical Infrastructure / Energy Sector – Impact
       • Can you imagine what can go wrong…
         Power Blackout, Contamination, Loss in Production
       • http://www.securityincidents.org/ - global repository of industrial control security incidents.
       • Database of known ICS security incidents…
  • 14. Critical Infrastructure / Energy Sector – Ease of Exploitation
       • SCADA Systems are “insecure by design”
         – PLC / RTU non-hardened Operating System
         – Commercial Off-the-Shelf Hardware
         – Legacy Industrial Control Protocols without authentication or authorization
         – No form of confidentiality – encryption
         – Security is still immature in SCADA / ICS networks, unlike IT Enterprise
       • Control Engineers and Field Operators have little understanding of Cyber Security
       • Threats are multi-dimensional:
         – Internet Connectivity (www.shodanhq.com): all kinds of SCADA systems from HVAC to Web Cams
         – 3rd Party Remote Access
         – USB Infected Removable Media
         – Insecure SCADA devices (vulnerabilities)
         – Enterprise IT Business LAN connected to Control Systems Network – no air gap…
         – Legacy Windows Based Operating System (XP, NT etc…) – highly vulnerable systems
  • 15. DISCLAIMER – What is connected to the @
       WEBCAMS, H2O FUEL CELL, WINDFARMS, HVAC / HOME AUTOMATION (SPEAKERS), HEAT PUMP, EMERGENCY TELCO GEAR, MASSIVE COOLERS, STOPLIGHTS / JUNCTIONS
  • 16. Critical Infrastructure / Energy Sector – Ease of Exploitation
       • Exploits readily available on the Internet – AppStore style availability of vulnerability exploits against SCADA devices…
  • 17. Critical Infrastructure – Enterprise and Process Control Network Convergence
  • 18. Security Threats on the Plant Floor
       Network zones shown: External Network, Control LAN, Plant Network, Office LAN, Internet
       Threats shown: Infected Laptops, Infected Remote Support, Mis-Configured Firewalls, Unauthorized Connections, Modems, 3rd Party Issues, USB Drives
  • 19. So how are we going to secure the critical infrastructure…
  • 20. So how are we going to secure the critical infrastructure…
       • Follow Industry Best Practices in the Security Field
         – Many different Security Standards and Regulations exist for the ICS environment:
           - ISA-99 / IEC-62443
           - NERC-CIP
           - NIST 800-82
           - ISO27001:2013
         – Begin by developing a Cyber Security Framework that incorporates Risk Management.
         – Ensure the Cyber Security Framework has top management level backing…
  • 21. Establish a Cyber Security Governance Group
       What is the role of a governance group?
       • Strategic: setting the process control security policy and initiating the process control security programme.
       • Tactical: implement the process control security programme, provide process control security awareness and training advice, and policy and standards compliance monitoring. Setting and approving budgets.
       • Operational: forming and liaising with the ICS Security Run & Maintain Team which monitors, analyses and responds to alerts and incidents. Monitoring risk exposure.
       Diagram labels:
       Inputs - Business Risks Threats Regulations/Standards Technologies Business Impact
       Definition & Creation - Governance Group Operations Safety/Risk Engineering IT Regulatory Exec Sponsor
       Output – Deploy & Manage Policies, Standards, Monitoring Awareness & Training Continuity & Response Capability
  • 22. Cyber Security - Policies, Standards and Compliance
       Policies establish the boundaries for action and are driven by the business’ appetite for risk.
       Policy statements communicate the following:
       • Clear commitment to ICS security principles and practices endorsed by senior leadership
       • Clear statement of policy intent to provide a basis for consistent decision-making and prioritization
       Typical policy characteristics:
       • Widespread application
       • Change infrequently and expressed in broad terms
       • Are not technical documents
       • Based on statements of “What” and/or “Why”
       • Guide and determine present and future decisions
       Policies should include:
       • Statement of intent
       • To what or whom the policy applies
       • Who owns the policy
       • The exception criteria process
  • 23. Cyber Security - Policies, Standards and Compliance
       Internal Standards provide a consistent organizational interpretation to achieve the desired quality of the defined policy.
       Typical standards characteristics:
       • Narrow in application
       • Change more frequently due to implementation feedback or system environment
       • Described in detail including some technical or vendor specific detail
       • Include statements of “How”, “When” and possibly “Who”
       • Describe related processes
       Standards documents should include:
       • The policy statements to which the standard applies
       • Intended audience
       • To what or whom the standard applies
       • Who owns the standard and information on the update cycle
       • The exception criteria process
  • 24. Cyber Security – Risk Assessment Methodologies
  • 25. Asset Lifecycle Challenges specific to ICS Security:
       • Capital projects
       • Greenfield
       • Existing assets
       • Brownfield
       • Contractors and suppliers
       • Workforce Development
       • Raising Cyber Security Awareness
  • 26. Cyber Security – Embedding Security Technical Assurance in Project Lifecycle
  • 27. Contractors and Suppliers
       • Develop standards and implementation guidelines for suppliers – especially important for 3rd party vendors
       • Work with key suppliers to develop standard toolkits for future projects and upgrades
       • Set high expectations for suppliers and contractually obligate them to successfully deliver a secure solution
  • 28. Cyber Security Project Assurance Levels
  • 29. Cyber Security Framework Development
       • Security Policies Development
       • Security Procedures and Standards Development
       • Control System Asset Management
       • Risk Assessment for ICS/SCADA
       • Gap Analysis for ICS/SCADA
       • Business Continuity Planning
       • Incident Response Plan
       • Security Architecture Blueprint
       • Workforce Training and Development
       • Security Controls Mapping to Industry Standards
       • SCADA Network Traffic Analysis
       • Security Operations Center (SOC) for SCADA
  • 30. Cyber Security Operations Center
  • 31. Technical Cyber Security Implementation
       • Security Architecture Review and Re-Engineering
       • Network Segmentation
       • Security Zoning and Conduits
       • One Way Diode Firewall
       • Overlay Encryption
       • Patch Management
       • Endpoint Security
       • Application Whitelisting
       • Vulnerability Management for Control System
       • SIEM for the ICS/SCADA Environment
       • 3rd Party Remote Access
  • 33. Registered in England and Wales Number: 1507274, Registered Office: 1 Tower Place West, Tower Place, London EC3R 5BU. Marsh Ltd is authorised and regulated by the Financial Conduct Authority.
