Reduce Vulnerability to Cyber Attacks? - Schneider Electric CZ, s.r.o.

More documents

Recommendations

Info

1 – Introduction slowed to the point where the system is unusable. Another type of DoS attack floods the network with traffic such as TCP SYN, affecting network response times to the point where legitimate use is severely impacted. 1.7. Accidental Events Experts attribute more than 75% of network-related system outages to accidental events. Causes of these accidents can include poor network design, programming errors, improperly functioning network devices, non-compliance with procedures, or human error such as accidentally connecting network cables in wrong ports. Many of the security features and processes discussed in this document can also mitigate accidental events. In many cases, contractors contribute directly to system design, commissioning, or maintenance. Operational procedures should be refined so that contractors cannot introduce malware or vulnerabilities into the control network. For instance, automatically scan contractor equipment for malware infection before allowing access to any control network equipment. USB keys are another common source of malware infection and should be carefully screened before permitting their use. Individuals who inadvertently connect a network cable into the wrong port on a multi-port switch can create outages or broadcast storms that could disable the network or severely affect its performance. In general, the cause might be accidental, but the features, practices, and procedures used for cyber security work equally well against accidental system outages. Whether an incident is an accident or deliberate attack, preparation is essential. Incident recovery methods should be developed and tested so that recovery from an outage or other events can be quickly and reliably managed. High availability and redundant architectures play a role in this area when even short system outages cannot be tolerated. © 2012 Schneider Electric All Rights Reserved 24
1 – Introduction 1.8. NERC Top Ten Control System Vulnerabilities The Control System Security Working Group of the North American Electric Reliability Corporation (NERC) publishes a report identifying the top 10 vulnerabilities of control systems. The list is published as follows: 1. Inadequate policies, procedures, and culture that govern control system security: • Clash between operational culture with modern IT security methods. • IT often does not have an understanding of operational requirements of a control system. • Lack of overall awareness and appreciation of the risk associated with enabling the networking of these customized control systems. • Absence of control system information security policy. • Lack of auditing, enforcing, or adhering to control system information security policy not adhered to, enforced, or audited. • Lack of adequate risk assessment. 2. Inadequately designed control system networks that lack sufficient defense-in-depth mechanisms: • Network security of control system devices were not adequately considered when originally designed. These systems were designed with availability and reliability in mind. • Control systems may not be capable of secure operation in an Internet or intranet working environment without significant investment to reengineer the technology so it is in accordance with appropriate risk assessment criteria. 3. Remote access to the control system without appropriate access control: • Inappropriate use of dial-up modems. • Use of commonly known passwords or no use of passwords. • Implementation of non-secure control system connectivity to the corporate Local Area Network (LAN). • Practice of un-auditable and non-secured access by vendors for support. 4. System administration mechanisms and software used in control systems are not adequately scrutinized or maintained: • Inadequate patch management • Lack of appropriately applied real time virus protection. • Inadequate account management. • Inadequate change control. • Inadequate software inventory. 5. Use of inadequately secured wireless communication for control: • Use of commercial off-the-shelf (COTS) consumer-grade wireless devices for control network data. • Use of outdated or deprecated security or encryption methods. 6. Use of a non-dedicated communications channel for command and control and/or inappropriate use of control system network bandwidth for non-control purposes: • Internet-based Supervisory Control and Data Acquisition (SCADA). • Internet or Intranet connectivity initiated from control system networks: • File Sharing • Instant Messaging 7. Insufficient application of tools to detect and report on anomalous or inappropriate activity: • Underused intrusion detection systems. • Under-managed network system. 25 © 2012 Schneider Electric All Rights Reserved
Page 1 and 2: How can I … Reduce Vulnerability
Page 3 and 4: WARNING WARNING indicates a potenti
Page 5 and 6: OPERATION AND ADJUSTMENTS The follo
Page 7 and 8: This document discusses cyber secur
Page 9 and 10: Table of Contents 1. Introduction 1
Page 11 and 12: 12. Appendix 98 12.1. Glossary 98 1
Page 13 and 14: 1 - Introduction 1. Introduction 1
Page 15 and 16: 1 - Introduction • Script kiddies
Page 17 and 18: 1 - Introduction 1.5.2. Supplier Ac
Page 19 and 20: 1 - Introduction 1.5.5. Database Li
Page 21 and 22: 1 - Introduction 1.6.1. Control of
Page 23: 1 - Introduction 1.6.4. Man-in-the-
Page 27 and 28: 2. Schneider Electric Defense-in-De
Page 29 and 30: 3 - Assess, Plan, and Train 3. Risk
Page 31 and 32: 3 - Assess, Plan, and Train The sec
Page 33 and 34: 4 - Network Separation/DMZ Servers
Page 35 and 36: 5 - Network Segmentation 5.1. Virtu
Page 37 and 38: 5 - Network Segmentation • Host F
Page 39 and 40: 5 - Network Segmentation Ports that
Page 41 and 42: 6 - Firewalls and Services 6. Firew
Page 43 and 44: 6 - Firewalls and Services Figure 1
Page 45 and 46: 6 - Firewalls and Services 6.4.2. F
Page 47 and 48: 6 - Firewalls and Services Figure 2
Page 49 and 50: 6 - Firewalls and Services NAT maps
Page 51 and 52: 7 - System Access Control 7. System
Page 53 and 54: 7 - System Access Control 7.1.2. RA
Page 55 and 56: 7 - System Access Control Commonly
Page 57 and 58: 7 - System Access Control • Attac
Page 59 and 60: 7 - System Access Control 7.3.2. NI
Page 61 and 62: 7 - System Access Control After ena
Page 63 and 64: 7 - System Access Control NAC syste
Page 65 and 66: 8 - Device Hardening The following
Page 67 and 68: 8 - Device Hardening 8.3. Hardening
Page 69 and 70: 8 - Device Hardening Hardening of s
Page 71 and 72: 8 - Device Hardening 8.6. Hardening
Page 73 and 74: 8 - Device Hardening • Methods of
Page 75 and 76:
Maintenance 9 - Monitoring & 9. Mon
Page 77 and 78:
Architecture 10 - PSx Security 10.
Page 79 and 80:
Architecture 10 - PSx Security Figu
Page 81 and 82:
Architecture 10 - PSx Security For
Page 83 and 84:
Architecture 10 - PSx Security 10.6
Page 85 and 86:
Architecture 10 - PSx Security •
Page 87 and 88:
11 - Methods of Attack 11. Methods
Page 89 and 90:
11 - Methods of Attack Figure 37: I
Page 91 and 92:
11 - Methods of Attack Figure 38: T
Page 93 and 94:
11 - Methods of Attack Figure 40: L
Page 95 and 96:
11 - Methods of Attack replies. Leg
Page 97 and 98:
11 - Methods of Attack Figure 46: U
Page 99 and 100:
12 - Appendix Term field network ga
Page 101 and 102:
12 - Appendix Term Description Devi
Page 103:
Altivar, ConneXium, Unity, Vijeo ar
show all

Reduce Vulnerability to Cyber Attacks? - Schneider Electric CZ, s.r.o.

Create successful ePaper yourself

Delete template?

Save as template?