Mark L. Feldman, Ph.D., AlertEnterprise, Inc.
Daffy Duck Syndrome
Pop Quiz
What is the difference between Risk & Uncertainty? So what?
- Too many locations, targets, points of entry and threats
- Too much data
- Too fast
- Too many sources
- Too many distributed assets
- Too many data silos
- Too little context
... all of the time
No Gorillas!
The Mad Hatter Response
What's Missing?
The Big Picture
- Context: not only what, but what else
- Real-time interaction across systems: physical, IT, industrial control, safety and environmental
- Automated, rules-based prevention of access and authorization violations
Why It's Important
Blended Threats At the Simplest Level
- Logged in remotely and physically at the same time
- Active online after badging out
- After-hours physical access
- Violation of segregation of physical / logical access
- Account sharing
- Disgruntled employees / contractors
Why It's Important
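The indicators in this list only become visible when badge (physical access control) events and logon events are read together. As an added example, not part of the slides and not AlertEnterprise's product code, the block below expresses them as correlation rules over two constructed log feeds. The log line format, the user names, door and console names, the 10-minute account-sharing window and the 06:00-20:00 business hours are all assumptions made for the illustration.

```python
"""Rules-based correlation of physical badge (PACS) events with logical
logon events, flagging the blended-threat indicators listed on the slide.

Added example, not AlertEnterprise code. Log format, users, locations,
business hours and the account-sharing window are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed events: "<ISO timestamp> <source> <user> <action> <door|console|peer>"
BADGE_LOG = [
    "2011-03-01T07:55:00 PACS alice BADGE_IN plant-gate-1",
    "2011-03-01T09:10:00 PACS bob BADGE_IN control-room",
    "2011-03-01T17:05:00 PACS alice BADGE_OUT plant-gate-1",
    "2011-03-01T23:40:00 PACS carol BADGE_IN substation-7",
]
LOGON_LOG = [
    "2011-03-01T08:15:00 HMI alice LOGON console-1",
    "2011-03-01T08:17:00 HMI alice LOGON console-2",
    "2011-03-01T10:02:00 VPN bob LOGON 198.51.100.23",
    "2011-03-01T14:00:00 HMI dave LOGON console-4",
    "2011-03-01T17:30:00 HMI alice LOGON console-3",
]
WORK_HOURS = (6, 20)  # assumed: a BADGE_IN outside 06:00-20:00 is after-hours


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # PACS, VPN or HMI
    user: str
    action: str   # BADGE_IN, BADGE_OUT or LOGON
    detail: str   # door, console or remote address


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    ts: datetime
    detail: str


def parse(line):
    ts, source, user, action, detail = line.split()
    return Event(datetime.fromisoformat(ts), source, user, action, detail)


def presence(badge_events, user, when):
    """'onsite' or 'offsite' from the user's latest badge event at or before
    `when`; None when the badge system has never seen this user."""
    seen = [e for e in badge_events if e.user == user and e.ts <= when]
    if not seen:
        return None
    latest = max(seen, key=lambda e: e.ts)
    return "onsite" if latest.action == "BADGE_IN" else "offsite"


def correlate(badge_lines, logon_lines, share_window=timedelta(minutes=10)):
    """Run the rules over both feeds and return alerts ordered by time."""
    badge = sorted(map(parse, badge_lines), key=lambda e: e.ts)
    logon = sorted(map(parse, logon_lines), key=lambda e: e.ts)
    start, end = WORK_HOURS
    alerts = []
    for e in badge:
        if e.action == "BADGE_IN" and not start <= e.ts.hour < end:
            alerts.append(Alert("AFTER_HOURS_PHYSICAL_ACCESS", e.user, e.ts, e.detail))
    for e in logon:
        where = presence(badge, e.user, e.ts)
        if e.source == "VPN" and where == "onsite":
            # Remote session while the badge system says the person is inside
            alerts.append(Alert("REMOTE_LOGON_WHILE_ONSITE", e.user, e.ts, e.detail))
        elif e.source != "VPN" and where == "offsite":
            # Local console activity after the person badged out
            alerts.append(Alert("ACTIVE_AFTER_BADGE_OUT", e.user, e.ts, e.detail))
        elif e.source != "VPN" and where is None:
            # Local console used by someone with no badge record: tailgating or shared credentials
            alerts.append(Alert("LOCAL_LOGON_WITHOUT_BADGE", e.user, e.ts, e.detail))
    # Account sharing: one account, two different consoles/peers within the window
    for i, a in enumerate(logon):
        for b in logon[i + 1:]:
            if b.ts - a.ts > share_window:
                break
            if b.user == a.user and b.detail != a.detail:
                alerts.append(Alert("ACCOUNT_SHARING", a.user, b.ts, f"{a.detail},{b.detail}"))
    return sorted(alerts, key=lambda al: al.ts)


if __name__ == "__main__":
    for al in correlate(BADGE_LOG, LOGON_LOG):
        print(al.ts.isoformat(), al.rule, al.user, al.detail)
```

The presence rule is only as good as the badge data: a door without anti-passback, or a missed badge-out, leaves a stale "onsite" state and produces false REMOTE_LOGON_WHILE_ONSITE alerts, so in practice the window between a badge event and a logon is bounded and the rules are tuned per site.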
Blended Threats: A Path to ...
- Sensitive asset diversion: dangerous chemicals, pathogens, nuclear material
- Cyber attacks: utilities (water, power, gas), smart grid, transportation
- Terrorism: chemicals stolen to make explosives
- Bio-terrorism: food & beverage, consumer products
Threats & Responses are Increasingly Complex
- Up against organized and state-sponsored crime, often invisible and distant, and zealots
- Geographically distributed assets / locations: guards with guns?
- Technology challenges: weather, mobile assets
- Remote monitoring and response challenges
- Is it natural, mechanical or man-made? Weather, equipment failure, deliberate acts
- Fast AND informed response: interoperable systems, correlated data and rules
2011 ISACA. All rights reserved.
Top Targets
Why Critical Infrastructure?
- Large targets: highly visible targets
- Control systems: not designed with security in mind
- Dispersed assets: gates, guns and guards not effective over thousands of miles
Why Critical Infrastructure?
- Creating a catastrophic incident is possible
- Gain attention
- Instill fear
Food Processing Plant Contaminated
Highlights:
- After-hours physical intrusion
- Production cycle adjusted via the inventory system
- Control system production settings changed
Late-night intruders entered the plant, accessed the inventory system and adjusted the food production control system to remove preservatives. Result: economic loss and health risks to consumers.
Why it happened:
- No correlated event monitoring
- Physical security teams received no signal of systems tampering
- Control systems have no access security
Bhopal Tragedy: Deliberate Disabling of Safety System
CREDIBLE THREAT
Highlights:
A large amount of water entered a tank containing 42 metric tons of methyl isocyanate. The exothermic reaction raised the pressure to a level the tank was not designed to withstand.
Why it happened:
- Primary safety system turned off by a staffer to save cost
- Poor maintenance and compliance status not visible
- Changes to SCADA configurations and privileged user actions not visible to security
Texas City, TX Explosion: Unauthorized Override, Slow Response
CREDIBLE THREAT
Highlights:
Major explosion in the isomerization unit at the Texas City refinery, 3rd largest in the US. The explosion killed 15 and injured over 170. Result: loss of life; high economic, legal and reputational cost.
Sequence:
- Unauthorized action leads to tank overfill, exceeding pressure limits
- Liquid escapes from the top of the vessel, creating a pool of combustible liquid
- A running truck ignites the vapor cloud above the liquid
Why it happened:
- Operator actions not monitored
- No adequate authorization or process controls
- No audit trail to determine who, what and when, so no way to determine whether the action was malicious or unintentional
Government Regulators Pressing Physical/Cyber Security
Government agency: Homeland Security
Critical infrastructure:
- Information technology
- Telecommunications
- Chemicals
- Transportation systems (mass transit, aviation, maritime, ground/surface, rail and pipeline systems)
- Emergency services
- Postal and shipping services
- Agriculture, food (meat, poultry, egg products)
- Public health, healthcare, and food (other than meat, poultry, egg products)
- Drinking water and wastewater treatment systems
Government Regulators Pressing Physical/Cyber Security
Government agency: Energy
Critical infrastructure:
- Energy, including the production, refining, storage and distribution of oil and gas, and electric power
- Banking and finance
- National monuments and icons
- Defense industrial base
- Commercial nuclear power facilities and storage & transport of nuclear materials (in coordination with DOE & DHS)
Regulatory Rorschach
Situational Intelligence
Sorting out simultaneous events to understand relationships between objects, functions and events in real time:
- Operating status
- Out-of-band performance
- Unscheduled physical access
- Weather conditions, other natural events
- Online chatter, activism
- Unauthorized use of resources
- Performance history
- Port scans
- Unauthorized systems access
- Configuration changes
- Policy changes
- User access to assets
- Incident alerts
- Error conditions
- Non-privileged access
- KPIs
- Maintenance history
Two Big Challenges
Reduce risk & uncertainty by:
- accelerating INFORMED action-taking and event resolution;
- AUTOMATING compliance documentation of adherence to policies, procedures and regulations.
Solution
Accelerate informed decision-making, action-taking and compliance:
- Integrate real-time data on access, authorization and changes to physical, logical and control systems
- Execute rules-based correlation
- Add information on external context (what else? natural? man-made?)
- Automate online action scripts
- Automated audit trail as documentation for regulatory compliance, audit, ...
Integrate Threat Signals Across IT Systems, Physical Security and Control Systems
- Detect: risk analysis across all three domains
- Prevent: identify and eliminate risks before they manifest, from threats, sabotage and terrorism
- Respond: incident management with built-in programmed remediation
- Comply: policy based (compliance to various regulations / policies)
Terminated Employee has Physical Access to Substation
Predictive Analytics can Identify Risks
Automated Remediation and Prevention
Dashboard with Real-Time Monitoring and Active Policy Enforcement
Situational Awareness: Converged Dashboard for Oil & Gas Industry (dashboard panel shown: Well Trend)
Detect Unauthorized Access Attempt
Automating Incident Management and Response
Geospatial View of Substation
- High-severity drill-down for detail
- Substation sabotage risk!
- Access live video and initiate physical lockdown
Recommendation to Protect Critical Infrastructure
- Create an integrated view of incidents: physical, logical, industrial controls, external factors
- Correlate data in real time and log the action taken: rules based; automated audit trail for documented compliance
- Monitor insiders with privileged access
- Monitor risks by status / severity level; segregation of access; establish mitigating controls for special access
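The terminated-employee substation case, the automated remediation and audit-trail points, and the segregation-of-access recommendation above all reduce to one reconciliation: every physical badge and every control-system account must be backed by an active employee, and a privileged user must not hold a combination of physical and logical access that lets them bypass a control. As an added example, not part of the slides and not AlertEnterprise code, the block below runs that reconciliation over constructed HR, PACS and account exports, disables what no active employee backs, queues the segregation conflict for review as a mitigating control, and writes one audit record per finding. The rosters, area and role names, the segregation rule (a PACS administrator must not also hold a badge into a critical area) and the JSON audit-record layout are assumptions.

```python
"""Entitlement reconciliation across HR, physical access control (PACS) and
control-system accounts, with automated remediation and an audit trail.

Added example, not AlertEnterprise code. Rosters, role and area names, the
segregation rule and the audit-record format are constructed assumptions.
"""
import copy
import json
from datetime import datetime, timezone

# Constructed HR roster: employee id -> status
HR_ROSTER = {"e1001": "active", "e1002": "terminated", "e1003": "active"}

# Constructed PACS cardholder export: each badge and the areas it opens
PACS_CARDS = [
    {"card": "C-77", "employee": "e1001", "areas": ["plant-gate-1"], "enabled": True},
    {"card": "C-81", "employee": "e1002", "areas": ["substation-7", "control-room"], "enabled": True},
    {"card": "C-85", "employee": "e1003", "areas": ["substation-7"], "enabled": True},
    {"card": "C-90", "employee": "e1009", "areas": ["control-room"], "enabled": True},  # no HR record
]

# Constructed control-system and PACS-admin account export
ACCOUNTS = [
    {"account": "alice", "employee": "e1001", "roles": ["hmi-operator"], "enabled": True},
    {"account": "bob", "employee": "e1002", "roles": ["scada-engineer"], "enabled": True},
    {"account": "carol", "employee": "e1003", "roles": ["pacs-admin"], "enabled": True},
]

CRITICAL_AREAS = {"substation-7", "control-room"}     # assumed
PRIVILEGED_ROLES = {"scada-engineer", "pacs-admin"}   # assumed
# Assumed segregation rule: whoever administers the badge system must not
# also hold a badge into a critical area (they could grant themselves access).
SEGREGATED = {"pacs-admin": CRITICAL_AREAS}


def reconcile(hr, cards, accounts):
    """Return policy findings; each carries the automated action to take."""
    findings = []
    for c in cards:
        if not c["enabled"]:
            continue
        status = hr.get(c["employee"], "unknown")
        if status != "active":
            findings.append({
                "rule": "PHYSICAL_ACCESS_WITHOUT_ACTIVE_EMPLOYEE",
                "subject": c["card"], "employee": c["employee"], "status": status,
                "severity": "high" if CRITICAL_AREAS & set(c["areas"]) else "medium",
                "action": "disable"})
    for a in accounts:
        if not a["enabled"]:
            continue
        status = hr.get(a["employee"], "unknown")
        if status != "active":
            findings.append({
                "rule": "LOGICAL_ACCESS_WITHOUT_ACTIVE_EMPLOYEE",
                "subject": a["account"], "employee": a["employee"], "status": status,
                "severity": "high" if PRIVILEGED_ROLES & set(a["roles"]) else "medium",
                "action": "disable"})
            continue
        # Segregation of physical / logical access for active privileged users
        held = {area for c in cards if c["enabled"] and c["employee"] == a["employee"]
                for area in c["areas"]}
        for role, forbidden in SEGREGATED.items():
            if role in a["roles"] and held & forbidden:
                findings.append({
                    "rule": "SEGREGATION_OF_ACCESS",
                    "subject": a["account"], "employee": a["employee"], "status": status,
                    "severity": "high", "action": "review",
                    "detail": sorted(held & forbidden)})
    return findings


def remediate(findings, cards, accounts, now=None):
    """Apply 'disable' actions in place; 'review' findings are only logged.
    Returns the audit trail as JSON lines (constructed record format)."""
    now = now or datetime.now(timezone.utc)
    by_card = {c["card"]: c for c in cards}
    by_account = {a["account"]: a for a in accounts}
    trail = []
    for f in findings:
        if f["action"] == "disable":
            physical = f["rule"].startswith("PHYSICAL")
            (by_card if physical else by_account)[f["subject"]]["enabled"] = False
            result = "disabled"
        else:
            result = "queued for review; mitigating control required"
        trail.append(json.dumps({"ts": now.isoformat(), **f, "result": result}, sort_keys=True))
    return trail


def run_demo():
    """Full cycle on copies of the constructed exports: findings, remediation, re-check."""
    cards, accounts = copy.deepcopy(PACS_CARDS), copy.deepcopy(ACCOUNTS)
    before = reconcile(HR_ROSTER, cards, accounts)
    trail = remediate(before, cards, accounts, now=datetime(2011, 3, 1, tzinfo=timezone.utc))
    after = reconcile(HR_ROSTER, cards, accounts)
    return before, trail, after


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

After remediation the terminated engineer's badge and account and the orphan badge are disabled, and a second pass leaves only the segregation conflict, which stays open until a person records the compensating control; that residual finding, not a silent auto-fix, is what an auditor expects to see for privileged access.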
About AlertEnterprise: True Prevention of Theft, Sabotage and Acts of Terrorism
Flagship customers: Florida Power & Light, Oklahoma Gas & Energy, Coca-Cola, Cisco, TSA
Special projects: NERC monitoring of unmanned critical assets; Smart Grid cyber security pilot with top utilities; nuclear cyber security
Key partners: SAP, Cisco, HP, IBM; PwC, Deloitte, SAIC; physical security: GE, JCI, Lenel; plant security: OSIsoft, Matrikon
Unique differentiators: security convergence; active policy enforcement; true prevention of theft, sabotage, terrorism; eliminating silos (IT, physical, operational systems)
No Gorillas!
Thank You!
Mark L. Feldman, Ph.D., AlertEnterprise, mark@alertenterprise.com