
Getting Physical with Security, Risk and Compliance

Mark L. Feldman, Ph.D., AlertEnterprise, Inc.

2011 ISACA. All rights reserved.

Daffy Duck Syndrome


Pop Quiz
What is the difference between Risk & Uncertainty? So what?
- Too many locations, targets, points of entry and threats
- Too much data
- Too fast
- Too many sources
- Too many distributed assets
- Too many data silos
- Too little context, all of the time

Hazards: Safety, Security, Revenue, Cost, Reputation, Operator Confidence



No Gorillas!


The Mad Hatter Response


What's Missing?
The Big Picture
- Context: not only what happened, but what else happened
- Real-time interaction across systems: physical, IT, industrial control, safety and environmental
- Automated, rules-based prevention of access and authorization violations


Why It's Important
Blended Threats at the Simplest Level
- Logged in remotely & physically at the same time
- Active online after badging out
- After-hours physical access
- Violation of segregation of physical / logical access
- Account sharing
- Disgruntled employees/contractors


Why It's Important
Blended Threats: A Path to...
- Sensitive Asset Diversion: dangerous chemicals, pathogens, nuclear material
- Cyber Attacks: utilities (water, power, gas), smart grid, transportation
- Terrorism: chemicals stolen to make explosives
- Bio Terrorism: food & beverage, consumer products


Threats & Responses are Increasingly Complex
- Up against organized and state-sponsored crime and zealots, often invisible and distant
- Geographically distributed assets/locations: guards with guns?
- Technology challenges: weather, mobile assets
- Remote monitoring and response challenges
- Is it natural, mechanical or man-made? Weather, equipment failure, deliberate acts
- Fast AND informed response: interoperable systems, correlated data and rules

Top Targets


Why Critical Infrastructure?
- Large Targets: highly visible targets
- Control Systems: not designed with security in mind
- Linkage to Corporate Networks: integration with business creates more vulnerability
- Dispersed Assets: gates, guns and guards not effective over thousands of miles


Why Critical Infrastructure?
Creating a catastrophic incident is possible:
- Impact large populations
- Gain attention
- Loss of public confidence in government
- Instill fear

Bio Terror: Systems Disabled, Material Altered and Contaminated

CREDIBLE THREAT

Highlights
- Adjusted production cycle via inventory system
- After-hours physical intrusion
- Control system production settings changed

Food Processing Plant Contaminated

Late-night intruders entered the plant, accessed the inventory system and adjusted the food production control system to remove preservatives. Result: economic loss and health risks to consumers.

Why it happened
- No correlated event monitoring
- Physical security teams received no signal of systems tampering
- Control systems do not have access security


Bhopal Tragedy: Deliberate Disabling of Safety System

CREDIBLE THREAT

Highlights
- Deliberate disabling of safety system

Poisonous gas flooded Bhopal, India the night a refinery water tank ruptured. Citizens woke to a burning sensation in their lungs. Thousands died immediately and many were trampled in the panic. Result: loss of life, high economic and reputational cost.

A large amount of water entered a tank containing 42 metric tons of methyl isocyanate. The exothermic reaction raised pressure to a level the tank was not designed to withstand.

Why it happened
- Primary safety system turned off by a staffer to save cost
- Poor maintenance and compliance status not visible
- Changes to SCADA configurations and privileged user actions not visible to security

Texas City, TX Explosion: Unauthorized Override, Slow Response

CREDIBLE THREAT

Highlights
- Explosive vapor causes refinery explosion

Major explosion in the isomerization unit at Texas City Refinery, 3rd largest in the US. The explosion killed 15 and injured over 170. Result: loss of life, high economic, legal and reputational cost.

An unauthorized action leads to tank overfill, exceeding pressure limits. The tank ruptures at the top, creating a pool of combustible liquid. A running truck ignites the vapor cloud above the liquid.

Why it happened
- Operator actions not monitored
- No adequate authorization or process controls
- No audit trail to determine who, what, when, so no determination of malicious or unintentional


Government Regulators Pressing Physical/Cyber Security

Government Agency: Critical Infrastructure
- Homeland Security: information technology; telecommunications; chemicals; transportation systems (mass transit, aviation, maritime, ground/surface, and rail and pipeline systems); emergency services; postal and shipping services
- Agriculture: agriculture, food (meat, poultry, egg products)
- Health and Human Services: public health, healthcare, and food (other than meat, poultry, egg products)
- EPA: drinking water and waste water treatment systems

Government Regulators Pressing Physical/Cyber Security

Government Agency: Critical Infrastructure
- Energy: energy, including the production, refining, storage, and distribution of oil and gas, and electric power
- Treasury: banking and finance
- Interior: national monuments and icons
- Defense: defense industrial base
- Nuclear Regulatory Commission: commercial nuclear power facilities and storage & transport of nuclear materials (in coordination with DOE & DHS)


Regulatory Rorschach


Situational Intelligence
Sorting out simultaneous events to understand relationships between objects, functions and events in real time:
- Operating status
- Out-of-band performance
- Unscheduled physical access
- Weather conditions and other natural events
- Online chatter, activism
- Unauthorized use of resources
- Performance history
- Port scans
- Unauthorized systems access
- Configuration changes
- Policy changes
- User access to assets
- Incident alerts
- Error conditions
- Non-privileged access
- KPIs
- Maintenance history


Two Big Challenges
Reduce risk & uncertainty by:
- accelerating INFORMED action-taking and event resolution;
- AUTOMATING compliance documentation of adherence to policies, procedures and regulations.


Solution
Accelerate informed decision-making, action-taking and compliance:
- Integrate real-time data on access, authorization and changes to physical, logical and control systems
- Execute rules-based correlation
- Add information on external context (what else? natural? man-made?)
- Automate online action scripts
- Automated audit trail for documentation for regulatory compliance and audit

Benefits: Security, Safety, Revenue protection, Cost reduction, Regulatory compliance



Integrate Threat Signals Across IT Systems, Physical Security and Control Systems
- Detect: risk analysis across all three domains
- Prevent: identify and eliminate risks before they manifest, from threats, sabotage and terrorism
- Respond: incident management with built-in programmed remediation
- Comply: policy based (compliance to various regulations / policies)


Terminated Employee has Physical Access to Substation

Terminated user has physical access to Critical Cyber Assets
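The blended-threat indicators listed earlier (logged in remotely and physically at once, active online after badging out, after-hours physical access), the rules-based correlation and audit trail described under Solution, and the terminated-user scenario on this slide all reduce to the same mechanism: merge badge-reader, VPN and workstation logon events into one time-ordered stream, keep a small per-user state, and fire a rule when a logical event contradicts the physical state or the HR record. The following is an added example written for this page; it is not AlertEnterprise's code, and the event feed, HR directory, rule names, business hours and response actions are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

# Constructed sample feed (not real data): badge reader, VPN concentrator and
# workstation logon events for one site, as (timestamp, user, source, event).
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("2011-05-03T06:10:00", "bob",   "badge", "badge_in"),     # before business hours
    ("2011-05-03T08:00:00", "alice", "badge", "badge_in"),
    ("2011-05-03T08:05:00", "alice", "vpn",   "vpn_login"),    # remote while on site
    ("2011-05-03T17:30:00", "alice", "badge", "badge_out"),
    ("2011-05-03T18:00:00", "alice", "host",  "local_logon"),  # console logon after badge-out
    ("2011-05-03T22:15:00", "carol", "badge", "badge_in"),     # terminated user, after hours
    ("2011-05-03T09:00:00", "dave",  "host",  "local_logon"),  # console logon, never badged in
]

# Constructed HR directory: termination date as ISO string, None = active employee.
HR_STATUS: Dict[str, Optional[str]] = {
    "alice": None, "bob": None, "carol": "2011-04-29", "dave": None,
}

# Assumed site business hours; anything outside this window is "after hours".
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Assumed scripted response per rule (defensive actions only), for the audit trail.
RESPONSE_ACTIONS = {
    "terminated_user_physical_access": "revoke badge, notify physical security",
    "after_hours_physical_access": "flag for security operations review",
    "remote_and_physical_login": "terminate VPN session, open incident",
    "online_without_badge_in": "lock workstation session, open incident",
}


@dataclass
class Alert:
    rule: str
    user: str
    ts: datetime
    detail: str


def parse(events):
    """Convert raw tuples to (datetime, user, source, event) and sort by time."""
    parsed = [(datetime.fromisoformat(ts), u, s, e) for ts, u, s, e in events]
    return sorted(parsed)


def is_after_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def is_terminated(user: str, ts: datetime, hr=HR_STATUS) -> bool:
    term = hr.get(user)
    return term is not None and ts.date() >= datetime.fromisoformat(term).date()


def correlate(events, hr=HR_STATUS) -> List[Alert]:
    """Walk the merged stream, track who is physically on site, fire rules."""
    onsite: Dict[str, bool] = {}  # user -> True while badged in
    alerts: List[Alert] = []
    for ts, user, source, event in parse(events):
        if event == "badge_in":
            onsite[user] = True
            if is_terminated(user, ts, hr):
                alerts.append(Alert("terminated_user_physical_access", user, ts,
                                    f"badge accepted after termination date {hr[user]}"))
            if is_after_hours(ts):
                alerts.append(Alert("after_hours_physical_access", user, ts,
                                    f"badge-in at {ts.time()} outside business hours"))
        elif event == "badge_out":
            onsite[user] = False
        elif event == "vpn_login" and onsite.get(user):
            alerts.append(Alert("remote_and_physical_login", user, ts,
                                "VPN login while badged in on site"))
        elif event == "local_logon" and not onsite.get(user):
            alerts.append(Alert("online_without_badge_in", user, ts,
                                "console logon with no matching badge-in"))
    return alerts


def audit_trail(alerts: List[Alert]) -> List[str]:
    """One log line per alert recording rule, who, when and the scripted action taken."""
    return [f"{a.ts.isoformat()} {a.rule} user={a.user} detail='{a.detail}' "
            f"action='{RESPONSE_ACTIONS[a.rule]}'" for a in alerts]


if __name__ == "__main__":
    for line in audit_trail(correlate(SAMPLE_EVENTS)):
        print(line)
```

The state kept per user is deliberately tiny (badged in or not), which is what makes the rules cheap enough to run on a live stream; the badge system is treated as the authority for physical presence and the HR feed as the authority for employment status, so the quality of both feeds bounds the quality of the alerts.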


Predictive Analytics can Identify Risks


Automated Remediation and Prevention


Dashboard with Real-Time Monitoring and Active Policy Enforcement


Situational Awareness: Converged Dashboard for Oil & Gas Industry
- User-based risk analysis
- Well trend


Airport Security: Integrating Identity Data with Physical Security Information


Detect Unauthorized Access Attempt


Automating Incident Management and Response
- Identify & confirm
- Initiate notification workflow
- Initiate lockdown
- Notify first responders for dispatch


Geospatial View of Substation


High-severity drill-down for detail


Substation Sabotage Risk!


Access Live Video and Initiate Physical Lockdown


Recommendation to Protect Critical Infrastructure
Create an Integrated View of Incidents
- Physical, logical, industrial controls, external factors

Correlate data in real time & log action taken
- Rules based
- Automated audit trail for documented compliance

Monitor Insiders with Privileged Access
- Monitor risks by status/severity level
- Segregation of access
- Establish mitigating controls for special access

About AlertEnterprise: True Prevention of Theft, Sabotage and Acts of Terrorism

Flagship Customers
- Florida Power & Light, Oklahoma Gas & Energy, Coca-Cola, Cisco, TSA

Most Innovative Company Awards
- RSA Security Conference '09
- Security Summit '09
- Demo Jam at SAP TechEd '08
- ASIS Top 10 Award '09
- Gartner Cool Vendor 2010

Special Projects
- NERC monitoring of unmanned critical assets
- Smart Grid cyber security pilot with top utilities
- Nuclear cyber security

Key Partners
- SAP, Cisco, HP, IBM
- PwC, Deloitte, SAIC
- Physical Security: GE, JCI, Lenel
- Plant Security: OSIsoft, Matrikon

Experienced Team with Unparalleled Track Record
- Founded application security company Virsa (now SAP GRC)

Unique Differentiators
- Security convergence
- Active policy enforcement
- True prevention of theft, sabotage, terrorism
- Eliminating silos (IT, physical, operational systems)


AlertEnterprise Confidential Information

No Gorillas!

Thank You!
Mark L. Feldman, Ph.D., AlertEnterprise, mark@alertenterprise.com

