Emerson’s Adam Boeckmann presented the Power and Water Cybersecurity Suite at the 2017 Ovation Users Group conference. He opened by describing the team, formed over the last several years, that now supports more than 200 sites in the U.S. alone.
He shared the story of the recent Wannacry/WannaCrypt ransomware cyber-attack. In March of 2017, Microsoft released a patch. A month later, the National Security Agency (NSA) toolkit was leaked. Microsoft released a patch for Windows XP and Windows Server 2003 in May. This ransomware encrypted the files on a PC and demanded payment in Bitcoin to decrypt them.
A Ukraine cyber-attack, CrashOverride, was designed so that once inside a system it established a backdoor and downloaded a program for activities to happen the next day. It would modify the control code and ultimately crash the system and render the PCs unable to reboot—basically an inhibit, modify and crash malware program. A solid backup plan with periodic testing to verify that the backup works is one way to recover from these types of attacks.
With NERC CIP, standards exist for low, medium and high risks. Standards organizations help to drive regulations and best practices and processes to help maintain defenses from these types of attacks. The Power and Water Cybersecurity Suite provides technologies and programs to meet the standards and help to apply best practices. Every plant has different requirements based on their expertise and regulatory requirements in the markets in which they operate. The Cybersecurity Suite is modular to be able to provide the modules required.
The suite includes scheduled security services, security assessments, compliance services, network services, incident response services, on-demand consulting and unplanned on-site security services. Technologies in the suite include antivirus protection, patch management, application control, device control, security incident & event management (SIEM), system backup and recovery, vulnerability assessment, network intrusion detection, rogue system detection, and change management.
Adam contrasted blacklisting with whitelisting. Blacklisting is a list that excludes known malware from running; a piece of malware must already be known before it can be added to the list. Whitelisting, on the other hand, puts all the known good applications in a list and prevents anything not on the list from running.
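The difference between the two models is easiest to see side by side. The following is an added example, not code from the presentation or from the Cybersecurity Suite: it represents each program by its bytes, hashes it, and applies a default-allow blocklist and a default-deny allowlist to the same set of images. All program images and list entries are constructed sample data; a real application-control agent would hash the executable on disk and hook process creation instead.

```python
"""Application control: blocklist vs allowlist (added illustration).

Each "program" is represented by its bytes. The binaries, the blocklist and
the allowlist below are constructed sample data, not real malware signatures.
"""
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of a program image as hex text."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample program images standing in for files on a control-system PC.
OPERATOR_HMI = b"sample image: operator HMI application (constructed)"
HISTORIAN_CLIENT = b"sample image: historian client (constructed)"
KNOWN_RANSOMWARE = b"sample image: already-analysed ransomware (constructed)"
NOVEL_MALWARE = b"sample image: never-before-seen dropper (constructed)"

# Blocklist: contains only threats that someone has already analysed and published.
BLOCKLIST = {sha256_hex(KNOWN_RANSOMWARE)}

# Allowlist: built from the commissioned, known-good software baseline of the plant.
ALLOWLIST = {sha256_hex(OPERATOR_HMI), sha256_hex(HISTORIAN_CLIENT)}


def blocklist_decision(image: bytes, blocklist: set) -> Verdict:
    """Default-allow: anything not already known to be bad is permitted to run."""
    return Verdict.BLOCK if sha256_hex(image) in blocklist else Verdict.ALLOW


def allowlist_decision(image: bytes, allowlist: set) -> Verdict:
    """Default-deny: only images on the approved baseline are permitted to run."""
    return Verdict.ALLOW if sha256_hex(image) in allowlist else Verdict.BLOCK


def compare_policies(image: bytes) -> dict:
    """Return both verdicts for one program image, for side-by-side comparison."""
    return {
        "blocklist": blocklist_decision(image, BLOCKLIST),
        "allowlist": allowlist_decision(image, ALLOWLIST),
    }


def approve_update(allowlist: set, new_image: bytes) -> set:
    """Add a patched or newly commissioned binary to the allowlist.

    An allowlist only stays usable if every approved software change (a patch,
    a new version) is registered here, which is why application control and
    change management belong together.
    """
    return allowlist | {sha256_hex(new_image)}


if __name__ == "__main__":
    samples = [
        ("OPERATOR_HMI", OPERATOR_HMI),
        ("KNOWN_RANSOMWARE", KNOWN_RANSOMWARE),
        ("NOVEL_MALWARE", NOVEL_MALWARE),
    ]
    for name, image in samples:
        print(f"{name:17s} {compare_policies(image)}")
```

Running it shows the point of the contrast: the known ransomware is stopped by both lists, but the never-before-seen dropper passes the blocklist and is stopped only by the allowlist, while the commissioned HMI runs under both. The `approve_update` helper is there to show the operational cost of the allowlist model: a patched binary has a new hash and must be re-approved before it can run.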
He described rogue system detection, which sniffs and records all the connected devices and builds an asset inventory of network connections. It looks for changes outside of normal communications and alerts the users of the software, or their service providers. Tripwire monitors the integrity of configuration files, notifies users of file changes and runs autonomously.
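Both detections in this paragraph are baseline-and-compare problems, and the following added example (not code from the presentation, from Tripwire, or from the Cybersecurity Suite) shows the shape of each on constructed data: an asset inventory learned from observed traffic, then re-checked for unknown devices and for conversations outside the learned set, and a Tripwire-style integrity baseline over configuration files. The MAC and IP addresses, ports, file paths and file contents are all constructed sample values.

```python
"""Rogue system detection and file-integrity monitoring (added illustration).

1. Learn an asset inventory and the set of normal conversations from observed
   flows, then flag unknown devices and unexpected conversations.
2. Snapshot configuration files into a hash baseline and report added,
   removed and modified files on the next check.
All addresses, flows, paths and contents below are constructed examples.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed conversation, as a network sensor would record it."""
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int


def build_inventory(flows):
    """Learn the asset inventory (MAC -> IP) and the set of normal conversations."""
    assets = {}
    conversations = set()
    for f in flows:
        assets[f.src_mac] = f.src_ip
        conversations.add((f.src_ip, f.dst_ip, f.dst_port))
    return assets, conversations


def detect_rogue_activity(baseline_assets, baseline_conversations, observed):
    """Return alerts for unknown devices, address changes and new conversations."""
    alerts = []
    for f in observed:
        if f.src_mac not in baseline_assets:
            alerts.append(("rogue-device", f.src_mac, f.src_ip))
        elif baseline_assets[f.src_mac] != f.src_ip:
            alerts.append(("address-change", f.src_mac, f.src_ip))
        if (f.src_ip, f.dst_ip, f.dst_port) not in baseline_conversations:
            alerts.append(("unexpected-conversation", f.src_ip, f"{f.dst_ip}:{f.dst_port}"))
    return alerts


def snapshot(files):
    """Hash every monitored file (path -> bytes) into an integrity baseline."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def integrity_check(baseline, current_files):
    """Compare a fresh snapshot with the baseline: added, removed and modified files."""
    current = snapshot(current_files)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


# Constructed learning period: an HMI talks to a controller, the controller to a historian.
BASELINE_FLOWS = [
    Flow("00:11:22:33:44:01", "10.0.1.10", "10.0.1.20", 502),
    Flow("00:11:22:33:44:02", "10.0.1.20", "10.0.1.30", 1433),
]
# Constructed later observation: an unknown device appears and the HMI opens a new conversation.
OBSERVED_FLOWS = BASELINE_FLOWS + [
    Flow("de:ad:be:ef:00:01", "10.0.1.99", "10.0.1.20", 502),
    Flow("00:11:22:33:44:01", "10.0.1.10", "10.0.1.30", 3389),
]

# Constructed configuration files at baseline time and at check time.
BASELINE_FILES = {
    "/opt/dcs/control.cfg": b"loop_rate=100ms\n",
    "/opt/dcs/hosts.cfg": b"hmi1 10.0.1.10\n",
}
CURRENT_FILES = {
    "/opt/dcs/control.cfg": b"loop_rate=100ms\nsafety_limit=OFF\n",  # edited
    "/opt/dcs/startup.bat": b"@echo off\n",                           # new file
}                                                                      # hosts.cfg gone


def run_demo():
    """Run both detections over the constructed data and return their findings."""
    assets, conversations = build_inventory(BASELINE_FLOWS)
    return {
        "network": detect_rogue_activity(assets, conversations, OBSERVED_FLOWS),
        "files": integrity_check(snapshot(BASELINE_FILES), CURRENT_FILES),
    }


if __name__ == "__main__":
    for section, findings in run_demo().items():
        print(section, findings)
```

The network half raises three alerts on the constructed data: the unknown MAC as a rogue device, its conversation with the controller as unexpected, and the known HMI's new conversation with the historian as unexpected even though the device itself is trusted. That last case is the "changes outside of normal communications" the paragraph refers to, and it is the one a pure inventory check would miss. The file half reports one modified, one added and one removed file; a production monitor would also record who changed them and feed the report into change management so approved edits can be re-baselined.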
Here’s a link to find out more about ICS cybersecurity with the Power and Water Cybersecurity Suite.