Incorporating Cyber Security into Water Utility Master Planning
Thomas House – Rockwell Automation NJ AWWA Fal Meeting September 2018
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 2 NotPetya brings down operations
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 3 You don’t have to be the target to be a victim
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 4 CHALLENGES FACING INDUSTRIAL INFRASTRUCTURE
IT/OT Convergence Skills Gap Vulnerability Inflexibility
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 5 INDUSTRIAL CYBER RISK EQUATION
Vulnerabilities Threats Consequences
Countermeasures Basic Industrial Cyber Advanced Countermeasures Hygiene
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 6 ICS-Focused Campaigns, Attacks, Frequency
2010 2011 2012 2013 2014 2015 2016 2017
STUXNET NIGHT SHAMOON RED HAVEX BLACKENERGY BLACKENERGY NOTPETYA Worm Targeting DRAGON OCTOBER Industrial Control Virus Targeting Cyber-Espionage Malware Injected into SCADA and Modifying System Remote Malware Injected into Ransomware Malware Advanced Persistent Energy Sector Malware Targeting Ukrainian Power Power Company PLCs Access Trojan & Based Threat Targeting Largest Gov’t & Research Company Network, Network, Attackers Cut On Stolen NSA Global Energy Wipe Attack Organizations Information Stealer Cut Power to the Power to the Affected Exploits that Impacted Affected Region. Region. ICS Systems OPERATION FLAME AURORA DUQU HEARTBLEED Virus use for Security Bug and APT Cyber Attack on Worm Targeting ICS Targeted Cyber Vulnerability 20+ High Tech, Information OP GHOUL INDUSTROYER Espionage in the Exploited Security & Defense Gathering Middle East Spear-phishing Companies and Stealing by Attackers Campaign Malware Targeting Targeting Middle Electric Utility – Used GAUSS in 2016 Ukraine Grid East Industrial Attack Information Stealer Organizations Malware
WANNACRY
General ransomware which impacted ICS ICS CERT INCIDENT COUNT Systems **Only Reported Incidents in U.S. 295 290 257 245 197 140
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 7 ICS THREAT VECTORS
IT Network Direct Attack via IT Network
DMZ Insider Threat OT Network
Direct Attack on Plant Network
VPN Device
ICS Supply Chain USB Indirect Attack External Remote Maintenance On-Site Maintenance Adversaries (Compromised VPN) (Compromised Device)
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 8 OT vs. IT Priority is Priority is availability confidentiality
Architectures are Architectures are proprietary ubiquitous
End-points are End-points are of heterogeneous, task homogenous, multi- specific with long purpose with short lifespans lifespans
Outcomes are physical Outcomes are digital
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 9 PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 10 Attack Continuum
BEFORE DURING AFTER
cybersecurity framework PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 11 Architectures Overview
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 12 Networking Standards
IT Core Switch Enterprise Zone: Levels 4-5 and Firewall
Industrial Zone: Levels 0-3
Level 3 – Site Operations OT Core Switch
Level 2 – Area Supervisory Control
Level 1 - Controller Control System Machine
Level 0 - Process Cell
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 13 Build a Secure Network Infrastructure - IDMZ
Enterprise Zone: Levels 4-5
Industrial Demilitarized Zone (IDMZ)
IDMZ Firewalls Industrial Zone: Levels 0-3
Level 3 – Site Operations
Level 2 – Area Supervisory Control
Level 1 - Controller Control System Machine
Level 0 - Process Cell
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 14 Rockwell Automation and Cisco Segmentation and Best Practices Converged Plant-Wide Ethernet (CPwE)
Enterprise Zone: Levels 4-5
Industrial Demilitarized Zone (IDMZ) Proxy Services
Industrial Zone: Levels 0-3
Industrial Firewall Control System Machine
Cell
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 15 Asset Management
Proxy Services
FT Asset Centre and Claroty
Industrial Firewall
Control System Machine
Cell
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 16 Patch Management
Microsoft Patch Release
RA Azure WSUS
Proxy Services
Plant WSUS FT Asset Centre and Claroty
Industrial Firewall
Control System Machine
Cell
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 17 Authentication and Authorization
Microsoft Patch Release
RA Azure WSUS
Security Services Proxy Services
Plant WSUS FT Asset Centre and Claroty
Active Directory FactoryTalk Security
Secure Remote Access Industrial Firewall
Control System Machine
Cell
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 18 Computer and Endpoint Protection
Microsoft Patch Release
RA Azure WSUS
Security Services Proxy Services
Plant WSUS FT Asset Centre and Claroty
Active Directory FactoryTalk Security Secure Remote Access Industrial Firewall
Control System Machine
Anti-Virus – Anti-Malware Cell Application Whitelisting
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 19 Threat Detection Services
Microsoft Patch Release
Threat Detection Platform RA Azure WSUS
RA Remote Support Services
Security Services Proxy Services
Plant WSUS FT Asset Centre and Claroty
Active Directory FactoryTalk Security Secure Remote Access Industrial Firewall
Threat Detection Platform Control System Machine
Anti-Virus – Anti-Malware Cell Application Whitelisting
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 20 A PROACTIVE APPROACH TO INDUSTRIAL NETWORK & CYBER SECURITY NIST Attack Continuum
BEFORE DURING AFTER
Identify & Protect Detect Respond & Recover
Asset Inventory Real-Time Threat Backup and Recovery Services Detection Services Solutions BUILD A SECURE, ROBUST, FUTURE-READY NETWORK FOR YOUR CONNECTED ENTERPRISE
Qualified Patch Remote Monitoring and Management Administration Services
Vulnerability and Incident Handling Risk Assessments ASSESS DESIGN IMPLEMENTand Response MONITOR
ICS Security Zone and Incident Response and Disaster Countermeasure Recovery Planning Services Deployment
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 21 Questions?
www.rockwellautomation.com
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved.