Chet Namboodri
Typical SCADA Components are Vulnerable
Operational Technology deficiencies: PLCs and RTUs are computers with very limited processing power, built to control physical components such as valves, pumps and motors; they were designed for deterministic, reliable control, with little capacity or design attention left over for defending themselves.
Market Realities
ICS Cybersecurity: Making the Headlines
A Worm in the Centrifuge - Stuxnet (30 Sept. 2010): "An unusually sophisticated cyber-weapon is mysterious but important. A new software “worm” called Stuxnet …"

A Cyberattack Has Caused Confirmed Physical Damage (30 Sept. 2015): "Massive damage by manipulating and disrupting control systems at German steel mill"

U.S. Finds Proof: Cyberattack on Ukraine Power Grid (3 Feb. 2016): "Almost immediately, investigators found indications of a malware called BlackEnergy."

The Ukraine’s Power Outage Was a Cyber Attack (18 Jan. 2017): "A power blackout in Ukraine's capital Kiev last month was caused by a cyber attack and investigators are trying to trace other potentially infected computers."

Industroyer; A Cyberweapon can disrupt Power Grids (12 June 2017): "Hackers allied with the Russian government have devised a cyberweapon that has the potential to be the most disruptive yet against electric systems that Americans depend on for daily life, according to U.S. researchers."

Hackers halt plant operations in watershed cyberattack (15 Dec. 2017): "Schneider confirmed that the incident had occurred and that it had issued a security alert to users of Triconex, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants."
2017 SANS Survey: Threat Vectors of Concern

Survey question (chart not reproduced): What are the top three threat vectors you are most concerned with? Rank the top three, with “First” being the threat of highest concern.
Source: SANS, The 2017 State of Industrial Control System Security, July 2017
2017 SANS Survey: Security Technologies In Use

Survey question (chart not reproduced): What security technologies or solutions do you currently have in use? What new technologies or solutions would you most want to add for control system security in the next 18 months?
Source: SANS, The 2017 State of Industrial Control System Security, July 2017
Capabilities Required of an Integrated Solution
Fabric-Ready ICS Cybersecurity
The Fortinet / Nozomi Networks Integrated Solution
Nozomi Networks’ Solution Architecture
Comprehensive Security for ICS

Diagram (layout not reproduced): Level 4 holds the corporate network with SIEM, SOC and corporate firewall, the DMZ and Internet (www) connection, the production network and remote access; Level 1 (direct control) holds the PLCs and RTUs; Level 0 is the field level. The same structure repeats for Site #1, Site #2 … Site #N.

Selected threats detected:
• Monitoring of remote access connections to networks
• Connection to Internet / corporate network
• Scheduling
• MITM & scanning attacks (port, network)
• Unauthorized cross-level communication
• IP conflicts
• Authentication to PLCs
• PLC actions (Start, Stop, Monitor, Run, Reboot, Program, Test)
• Fieldbus I/O monitoring
SCADAguardian with FortiGate
• Behavioral Analysis (SCADAguardian): automatically learns ICS behavior and detects suspicious activities
• Security Policy Enforcement (FortiGate): flexibility to enforce security policies with different degrees of granularity
Fortinet / Nozomi Networks Integrated Solution
Responding to Threats in Real Time

Diagram (layout not reproduced): SCADAguardian monitors the control network that drives the field devices (valve, fan, pump); FortiGate enforces the response.

1 Monitor: a threat is detected by SCADAguardian and an alert is generated
2 Detect: user-defined policies are examined and the appropriate corresponding action is triggered
3 Protect: FortiGate responds according to the user-configured action (Node Blocking, Link Blocking, or Kill Session) in order to mitigate the issue
Three Use Case Scenarios: Blocking Attack Vectors

1 Blocking Reconnaissance Activity: a new, unknown node joins the trusted control network (or process network). SCADAguardian detects it and triggers an alert to FortiGate. FortiGate enforces policy and blocks the node from all access.

2 Blocking Unauthorized Activity: a node in a trusted network issues a command to reprogram a PLC. SCADAguardian detects the anomaly and triggers an alert to FortiGate. FortiGate enforces policy and blocks the communication.

3 Blocking Advanced Malware or Zero Day Attack: the SCADA Master changes the process in a subtle way towards a critical state. SCADAguardian detects the anomaly and triggers an alert for FortiGate. FortiGate enforces policy and blocks the SCADA Master from all access.
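The monitor / detect / protect flow of the previous slide and the three use cases above, as an added Python example that is not Nozomi Networks' or Fortinet's code: a tiny passive monitor learns a baseline of nodes, (source, destination, command) triples and written value ranges from a constructed learning window, then flags a new node (use case 1), a reprogram command that was never in the baseline (use case 2) and a run of individually small writes that walk a setpoint above its learned range toward an assumed critical limit (use case 3), mapping each to the response action named on the slide. The record format, addresses, tag name, critical limit, drift threshold and policy table are all assumptions made for the illustration.

```python
"""Baseline-then-detect flow for the three use cases, with policy-driven responses.

Constructed illustration, not SCADAguardian or FortiGate code: record format,
addresses, tag names, the critical limit and the policy table are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Response actions named on the slide (step 3). KILL_SESSION is the third option
# offered there; this policy table happens not to use it.
NODE_BLOCK = "Node Blocking"
LINK_BLOCK = "Link Blocking"
KILL_SESSION = "Kill Session"

# User-defined policy (step 2): scenario -> action, following the three use cases.
POLICY = {
    "unknown_node": NODE_BLOCK,          # use case 1: block the new node entirely
    "unauthorized_command": LINK_BLOCK,  # use case 2: block that source->PLC link
    "process_drift": NODE_BLOCK,         # use case 3: block the SCADA master
}

# Assumed upper critical limit of one process setpoint (engineering units).
CRITICAL_HIGH = {"reactor_pressure_sp": 80.0}
DRIFT_STEPS = 3  # consecutive rising writes above the learned range before alerting


@dataclass(frozen=True)
class Record:
    """One observation a passive monitor would extract from a packet (assumed shape)."""
    src: str
    dst: str
    command: str                   # abstract verb: "read", "write" or "program"
    tag: str = ""                  # process variable touched by a write
    value: Optional[float] = None


@dataclass
class Baseline:
    nodes: set = field(default_factory=set)      # every address seen while learning
    commands: set = field(default_factory=set)   # (src, dst, command) triples seen
    ranges: dict = field(default_factory=dict)   # tag -> (low, high) written values
    history: dict = field(default_factory=dict)  # tag -> last DRIFT_STEPS live writes


def learn(records):
    """Learning phase: everything observed in this window is treated as normal."""
    base = Baseline()
    for r in records:
        base.nodes.update((r.src, r.dst))
        base.commands.add((r.src, r.dst, r.command))
        if r.command == "write" and r.value is not None:
            lo, hi = base.ranges.get(r.tag, (r.value, r.value))
            base.ranges[r.tag] = (min(lo, r.value), max(hi, r.value))
    return base


def analyze(base, rec):
    """Detection phase (step 1): return an alert dict for one record, or None."""
    # Use case 1: an address never seen during learning appears on the control network.
    for node in (rec.src, rec.dst):
        if node not in base.nodes:
            return {"scenario": "unknown_node", "action": POLICY["unknown_node"],
                    "target": node, "detail": f"new node {node}"}
    # Use case 2: a known node issues a command it never issued in the baseline,
    # e.g. a "program" (PLC reprogram) command from an HMI that only ever read.
    if (rec.src, rec.dst, rec.command) not in base.commands:
        return {"scenario": "unauthorized_command", "action": POLICY["unauthorized_command"],
                "target": (rec.src, rec.dst),
                "detail": f"{rec.src} -> {rec.dst}: '{rec.command}' not in baseline"}
    # Use case 3: writes that are individually small but keep climbing past the
    # learned range toward the critical limit. One out-of-range write is not enough;
    # DRIFT_STEPS consecutive rising writes are required before the master is blocked.
    if rec.command == "write" and rec.tag in CRITICAL_HIGH and rec.value is not None:
        hist = base.history.setdefault(rec.tag, [])
        hist.append(rec.value)
        del hist[:-DRIFT_STEPS]
        _, hi = base.ranges.get(rec.tag, (rec.value, rec.value))
        rising = len(hist) == DRIFT_STEPS and all(a < b for a, b in zip(hist, hist[1:]))
        if rising and rec.value > hi:
            return {"scenario": "process_drift", "action": POLICY["process_drift"],
                    "target": rec.src,
                    "detail": (f"{rec.src} walked {rec.tag} to {rec.value} "
                               f"(learned max {hi}, critical {CRITICAL_HIGH[rec.tag]})")}
    return None


def run(learn_records, live_records):
    """Full flow: learn, then analyze live traffic and return every alert raised."""
    base = learn(learn_records)
    return [a for a in (analyze(base, r) for r in live_records) if a is not None]


# Constructed traffic (assumed addresses on a small plant network).
SCADA, HMI, PLC1, PLC2, LAPTOP = "10.1.1.10", "10.1.1.11", "10.1.2.20", "10.1.2.21", "10.1.1.99"
LEARN = [
    Record(SCADA, PLC1, "read"), Record(SCADA, PLC2, "read"), Record(HMI, PLC1, "read"),
    Record(SCADA, PLC1, "write", "reactor_pressure_sp", 50.0),
    Record(SCADA, PLC1, "write", "reactor_pressure_sp", 52.0),
    Record(SCADA, PLC1, "write", "reactor_pressure_sp", 51.0),
]
LIVE = [
    Record(SCADA, PLC1, "read"),                                 # normal
    Record(LAPTOP, PLC1, "read"),                                # use case 1
    Record(HMI, PLC1, "program"),                                # use case 2
    Record(SCADA, PLC1, "write", "reactor_pressure_sp", 53.0),   # use case 3: small steps...
    Record(SCADA, PLC1, "write", "reactor_pressure_sp", 54.5),
    Record(SCADA, PLC1, "write", "reactor_pressure_sp", 56.0),   # ...alert fires here
]

if __name__ == "__main__":
    for alert in run(LEARN, LIVE):
        print(alert["scenario"], "->", alert["action"], "on", alert["target"], "|", alert["detail"])
```

Two design points matter in practice. First, the baseline is only as good as the learning window: a node or command that was present (and malicious) while learning becomes "normal", so the window must be reviewed before enforcement is switched on. Second, use case 3 blocks the SCADA master, the most disruptive of the three actions, so the drift rule deliberately demands a run of rising writes rather than a single out-of-range value; lowering DRIFT_STEPS catches drift earlier at the cost of cutting off a legitimate operator adjustment.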
Real-time Visibility - IT/OT Convergence

Diagram elements (layout not reproduced): at the plant sites, HMIs, a local SCADA server, firewall, switch, RTUs, PLCs and a historian; on the IT side, a replicated historian, the Central Management Console (CMC), SIEM, DNS, web, patching server and remote access.
Real-time Visibility - Support Multi-tenant Deployments

Diagram elements (layout not reproduced): the same site components (HMIs, local SCADA, firewall, switch, RTUs, PLCs, historian) in Area 1 and Area 2, each with its own control room and CMC; an onshore control room with the Central Management Console (CMC); a jump box behind the corporate firewall; and on the IT side a replicated historian, SIEM, DNS, web, patching server and remote access.
Nozomi Networks: Fortinet Fabric Ready for ICS
MANAGEMENT-ANALYTICS
Questions?
Nozomi Networks: Leading ICS Cybersecurity
Founded Oct 2013; ~$24m invested
Serving verticals