Breakthrough Cyber Security Strategies

2015 Honeywell Users Group
Europe, Middle East and Africa
Breakthrough Cyber Security Strategies: Introducing Honeywell Risk Manager
Eric Knapp, Honeywell
About the Presenter
Eric D. Knapp
@ericdknapp
• Global Director of Cyber Security Solutions and Technology for Honeywell Process Solutions
• Over 20 years of experience in Information Technology; over 10 years dedicated to Industrial Cyber Security
• Specializing in cyber security for ICS, security analytics, risk, and advanced cyber security controls
• Patents pending for risk management metrics and methodologies
• Author of Industrial Network Security and Applied Cyber Security and the Smart Grid
© 2015 Honeywell International All Rights Reserved
What is (cyber security) Risk?
“…the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.” (ISO)
“…a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization” (NIST)
What is the Cyber Security Risk Manager?
A tool that continuously monitors for indicators of cyber security risk, i.e. threats and vulnerabilities that could impact the ICS.
Measurements & Methodologies
Risk is an indication of Threat, Vulnerability and Impact
• Many methodologies: ISA-99 / 62443, ISO27005:2011, etc.
– Likelihood x Impact (R = L x I)
– Threat x Vulnerability x Consequence (R = T x V x C)
• Determining what “V”, “I” and “C” are is the hard part
– These can be subjective without standards and precise methodologies!
Measurements & Methodologies
How do we quantify “Consequence?”
• C is derived from knowledge of system functionality, dependencies and conditions
Consequence: “magnitude of harm that could be caused by a threat’s exercise of a vulnerability” (NIST SP800-30)
(figure, in memory of Rube Goldberg)
Practice Quiz
What are the consequences (C), threats (T) and vulnerabilities (V) in this process?
Quiz Time!
(Diagram) Level 4: Business Network, PC “A”; Level 3.5: DMZ; Level 3: Advanced Control; Level 2: Supervisory Control, PC “B”; Level 1
PC “A” is a print server. It will not impact anything if compromised.
PC “B” is an Operator’s workstation. If compromised it could directly impact production.
Q: What option would you choose for PC “A” from the following?
Understanding Consequence
• Risk Manager understands impact within an ICS
Measurements & Methodologies
If R = L x I … How do we determine “Likelihood?”
• L is a function of both Vulnerability and Threat
Vulnerability: “A vulnerability does not cause harm itself …” (ISO27005:2011)
Threat: “A threat has the potential to harm assets … e.g. unauthorized actions, physical damage, technical failures” (ISO27005:2011)
Measurements & Methodologies
If R = L x I … How do we determine “Likelihood?”
• L is a function of both Vulnerability and Threat
(Diagram) Vulnerability; Countermeasure; Threat (specific); Threat (actor)
Assess the Vulnerability of the ICS
• “Vulnerability” can be a broad or focused lens:
– Each asset needs to be assessed
– The entire system needs to be assessed
– You need to understand threat to understand vulnerability
• Example:
– If HMI software is susceptible to a buffer overflow, this is a very specific vulnerability of a specific software asset.
– However, if the HMI can be used to directly impact the entire system, it is also a systemic vulnerability.
– This is because malicious control of the HMI is equivalent to having a bad guy at the console, and you can easily gain control of an HMI over the network (understanding the threat).
Assess the Vulnerability of the ICS
• Perform Vulnerability Assessments, but do them carefully
– Slow scans
– Redundant pairs
– Passive methods
– No exploits!!!
• Understand the limits
– Aggressive scans tell you a lot … but they aren’t safe to use
– Less-aggressive scans are safer … but they tell you less
– No scan can tell you everything … you can’t scan for zero-days
• Enlist assistance from someone qualified and experienced in assessing ICS systems
Quiz Time!
(Diagram) Level 4: Business Network, PC “X”; Level 3.5: DMZ, PC “Z”; Level 3: Advanced Control; Level 2: Supervisory Control; Level 1
PC “X” and “Z” are both scanned by a VA scanner and 6 critical vulnerabilities are found on each.
PC “Z” is patched fully, but PC “X” is left as is.
Q: Which of the machines is vulnerable?
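As an added worked example (not Honeywell’s code or the patented Risk Manager scoring), the R = T x V x C model from the Measurements & Methodologies slide applied to the two quiz scenarios above: PC “A” and “B” differ only in consequence, PC “X” and “Z” differ only in whether the scan findings were patched. The 0..3 ordinal scale, the threat level, the vulnerability counts for A and B and the consequence values for X and Z are assumptions made to complete the example.

```python
from dataclasses import dataclass

# Constructed ordinal scale for T, V and C. The slides note that these values are
# subjective without a standard, so this 0..3 scale is an illustration only.
NONE, LOW, MEDIUM, HIGH = 0, 1, 2, 3


@dataclass
class Asset:
    name: str
    level: str                # Purdue level the node sits in
    consequence: int          # C: magnitude of harm if the node is compromised
    critical_vulns: int       # critical findings reported by the VA scanner
    patched: bool = False     # countermeasure applied to those findings?
    threat: int = MEDIUM      # T: credible threat against the node (assumed)

    def vulnerability(self) -> int:
        """V: scan findings only count while they remain unpatched."""
        if self.critical_vulns == 0 or self.patched:
            return NONE
        return HIGH if self.critical_vulns >= 5 else MEDIUM

    def likelihood(self) -> int:
        """L = f(T, V): no threat or no vulnerability means no likelihood."""
        return self.threat * self.vulnerability()

    def risk(self) -> int:
        """R = L x I with I = C, i.e. R = T x V x C."""
        return self.likelihood() * self.consequence


def vulnerable_nodes(assets):
    """Answer to 'which machine is vulnerable?': every node with V > 0."""
    return [a.name for a in assets if a.vulnerability() > NONE]


def ranked_by_risk(assets):
    """Risk-ordered worklist: consequence separates equally vulnerable nodes."""
    return sorted(assets, key=lambda a: a.risk(), reverse=True)


# The two quiz scenarios from the slides (values not on the slides are constructed).
QUIZ = [
    Asset("PC A (print server)", "Level 4", consequence=NONE, critical_vulns=6),
    Asset("PC B (operator workstation)", "Level 2", consequence=HIGH, critical_vulns=6),
    Asset("PC X", "Level 4", consequence=LOW, critical_vulns=6),
    Asset("PC Z", "Level 3.5", consequence=LOW, critical_vulns=6, patched=True),
]

if __name__ == "__main__":
    for a in ranked_by_risk(QUIZ):
        print(f"{a.name:30} V={a.vulnerability()} C={a.consequence} R={a.risk()}")
    print("vulnerable:", vulnerable_nodes(QUIZ))
```

PC “A” shows the distinction the slides draw between the two terms: it is still vulnerable (V > 0) but carries zero risk because C = 0, whereas patched PC “Z” has zero risk because V = 0.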
Identify Threats Against the ICS
• What are cyber threats?
– Malware (viruses, trojans, RATs, APTs, etc.)
– Hackers (script kiddies, semi-professionals, disgruntled employees, professionals, hacker-for-hire, cyber crime, nation-state)
– Accidents (insider / employees, outside / unintentional incidents)
Identify Threats Against the ICS
– You need to understand vulnerability to understand threat
…wait? Which came first?
(just don’t hide from the truth)
Quiz Time Again!
You have some credible threat statistics here …
Q: What’s the biggest threat?
What Does Risk Manager do with all of this?
Risk Manager evaluates indicators of risk using patented algorithms to generate accurate risk scores in line with industrial risk management standards.
Assess Your Cyber Security Posture
How risky is my system from a security perspective?
Has something happened that I need to act on?
Where do I start?
How can I show that we are improving our security posture?
Is my control system up to date?
Am I following best practices?
When something goes wrong, what should I do?
At-a-glance Indication of Current Risk Levels
Quickly Identifies What’s Causing Risk
Finds the Root Cause, to the Node Level
Trend Risk over Time
Summary Reports on Risk Posture and Progress
Introducing the Cyber Security Risk Manager…
See it Live in the Demo Room