Schneider Electric provides a comprehensive approach to cyber security for critical infrastructure. They recognize cyber attacks have expanded from disrupting IT systems to endangering physical assets and human life. The document outlines Schneider's investments in security technologies and services to protect customers across industries. It describes their defense-in-depth strategy including secure product design, testing, compliance with standards, and security services to monitor, detect, and respond to threats. The goal is to help customers comply with regulations and mitigate risks through an integrated portfolio.
2. 2
Why Pay Attention to Cybersecurity
● Protecting assets against computer or network threats (CIA triad)
● Confidentiality: protect against unauthorised data disclosure
● Integrity: Ensure data and routines have not been modified or tampered with
● Availability: Promote system uptime and operational capability
● Cyber attacks have “jumped the gap” from the virtual to the physical world, resulting in real physical damage to critical assets
● Cyber attacks can now put people at risk, cause production downtime, create financial loss and exfiltrate sensitive data
3. 3
Why Schneider Electric cares
The focus of attacks has shifted from the IT world towards critical
infrastructure. Schneider Electric’s customers may be in the cross hairs of
many groups looking to harm infrastructure:
● Cyber warfare
● Criminal activities
● Revenge
● Maliciousness
● Send a political message or build street cred in the hacker community
IT Security
Confidentiality &
Integrity first
Availability important
Thousands of
devices
Cross industry
regulations
Transaction model
OT Security
Human Safety &
Reliability first
Integrity important
Millions of devices
Industry-specific
regulations
Real-time model
4. 4
Key benefits
Key Trends & Drivers
650% increase in cyber threats
during the last year
Successfully attacking best guarded
organizations
Terrorism
Extortion
Espionage
IT – Information Technology
OT – Operations Technology
Regulatory compliance is in a constant state of flux
Increasing budgetary pressures & fewer resources
Rapid pace of technology evolution – IT/OT convergence
5. 5
Damage
Method
Source: TrendMicro – 12 Security Predictions for 2012
To: Control Room Operators
From: Help Desk
Please apply the latest
patches to ensure safety of
computer systems, click here
for the updates.
Shamoon
Stuxnet
Duqu
Scan the Internet
Spear phishing
Inject Malware
Motive
Rapid Evolution of Threat
Threat Landscape
6. 6
Case in Point – The Shamoon Virus
Goal: Cyber Espionage and Damage.
Initially targeted oil and gas operations
in the Middle East
● Currently considered the most destructive
attack in the business sector
● More than 30,000 computers at an oil
company replaced
● Used to attack a natural gas firm a few
days later
● Included a routine coded to self-execute,
replacing crucial system files with an
image of a burning U.S. flag
● Overwrote all real data on the machines
with garbage data
7. 7
- Restrict access
- Comply with
regulations
- Assess Threat systems
- Protect equipment
- Secure local
and hosted sites
- Harden products
and architectures
- Comply with
regulations & standards
- Define regulations
- Mandate security
- Drive collaboration
Industry Suppliers
ICT, energy, transportation &
service providers
Planners & Developers
Real estate developers &
urban planners
Governments
National, regional and local
city officials
Utilities
City and private electric,
water & gas utilities
NGOs & Associations
Local organizations:
citizens, businesses & NGOs
Other Infrastructure
Internet & MAN
providers, banks and
transportation
Smart Cities Require Comprehensive Security
People & Communities
Responsible stakeholder action & collaboration is a must
8. 8
Compliance & Reporting Architecture
Information sharing Monitoring
Increasing Resiliency - Key Focus Areas
Connectivity
Third Party/Agnostic
• Compliant with current
standards
• Assessing upcoming
regulations
• Follow internal policies & best
practices
• Uniform security across
products
• Reinforce weakest link
• Tackle security at core of
product
• Secure communications
among products
• Use strong authentication to
access critical systems
• Vendors to disclose security
vulnerabilities to utilities
• Utilities to disclose critical
breaches to US Government
• Prevent, detect and react to
breaches in real-time
• Automatic monitoring tools &
human-driven solutions
• Vendors cannot create all
technology layers
• Fully test third party modules
to be safe from breaches
9. 9
Value Proposition
• Threats surged 17x in 2 years due to device interconnectivity, IT network convergence &
heterogeneous architectures
• Operational networks contain many unpatched legacy systems, making them only as resilient as their weakest link
• High levels of awareness and scrutiny by regulators and general public
Problem - Cyber Security & Change Management
• Schneider Electric to provide a secure & reliable core offering with additional security products & services
• Allow customers to have control over security and compliance, while enhancing operational
effectiveness, through an extended set of integrated solutions
Positioning
Schneider Electric – Our Differentiation
Best of Breed Certified Solutions
IT/OT Expertise & Domain Knowledge
10. 10
Key Benefits
• Protect human life
• Avoid loss of service
• Avoid loss of productivity
• Avoid brand damage
• Mitigate and reduce impact on assets
• Limit damage on image and society
11. 11
Listen to customer expectations,
analyze regulatory mandates and
translate into documented security
requirements and implement within
our offers
Develop using proper
security principles:
• Secure by design
• Threat model and risk
analysis
• Security features are
implemented properly
• Secure coding principles
applied
• Mature SDL program with
metrics
Secure Product Testing
• Robustness & Fuzz testing
• Vulnerability Scanning
• Penetration Testing
• Security feature validation
Document how to securely
install, commission, maintain,
decommission products to
manage a secure system
Security: Built in, not Bolted on
Building secure products and solutions
12. 12
Most Resilient SCADA Solution in the Market
• Last 15 years, invested ~$20M on security on OASyS
• Currently, investing around $1M yearly on security activities
• Dedicated security team
● Throughout the years, Schneider Electric has committed to security by investing over
$20 million to provide safe, resilient and compliant products
● We are recognized within the industry as a real-time and secure solutions company
• Only firm providing solutions with secure & rapid escalation
• Best in class 3rd party integration model (SCADA)
• Ability to access external data in a secure manner
• World class security technology throughout all our products
• Anti-virus support
• Separation of Duties support
• Multi-factor authentication
• We meet and exceed main security standards in the market
• NERC Critical Infrastructure Protection (CIP)
• NIST Industrial Control Systems Security (SP 800-82)
Commitment
Capabilities
Key Technologies
Standards
Partnerships
13. 13
Incident Response Plan is Crucial
● Objectives:
● Respond to events & customer’s concerns
● Rapidly & effectively address disclosures
● Types of Incidents:
● Intentional - deliberate attack on a customer’s
system
● Steal customer’s sensitive information
● Disrupt customer’s operations
● Unintentional - misuse of a customer
operation using the system
● Vulnerability disclosure; only reported as a
vulnerability; no evidence of disruption of a
customer operation
IRP Simplified Conceptual Flow
Vulnerability/ Incident
Reported
Analyze & Report
Action Plan &
Contain
Communicate &
Publish
Mitigate & Resolve
Communicate
Resolution & Close
14. 14
DIACAP Lifecycle
DIACAP: DoD Information Assurance Certification & Accreditation Process
Required for all DoD projects
Meeting Customer Requirements
15. 15
Comprehensive Approach to Security
Consulting, Integration and Managed Security Services
Monitoring, Compliance, Change Management, Whitelisting, Big Data Security, Firewalls
Oil & Gas Electric WWW Transportation MMM
Schneider Electric’s Core Offering
Secure coding, Encryption, Access, Authorization & Authentication, etc.
Security
Services
Security
Products
Schneider Electric stands by a safe, reliable and secure core offering
Cyber security products & services, increasing prevention, detection & response
Providing portfolio of services through recognized Schneider Electric’s consulting arm & local players
A Defense in-Depth approach offering a combination of physical controls, monitoring and analytics
Built-in
Security
16. 16
Industrial DMZ
Boundaries Control Room
Operation
Business Systems
Control Network
Operation Network
Enterprise Network
Device Network
MES, WMS, DMS, LMS…
SCADA, DCS, Controllers, Local & Remote
Communications Network Devices…
Instruments and Controls, Distributed IO, …
Enterprise
Performance
Systems
Field Devices
Core Offering
Cyber Security Products & Services
Security Products – Partnership Ecosystem
Monitoring
Compliance
Management
Change
Management
Application
Whitelisting
Intrusion
Detection
System
Firewalls
Outsourcing: Managed Services, Maintenance & Cloud
Cyber Security Services
Integration
Consulting: Assessment & Design
20. Schneider Electric 20- Infrastructure Business – Rodrigo Kaschny – March 2012
Key Terms
DIACAP:
DoD Information
Assurance Certification &
Accreditation Process
CoN:
Certificate of
Networthiness
DISA:
Defense Information
Systems Agency
ICS-CERT:
Industrial Control System
Cyber Emergency
Response Team; a part of
the U.S. Dept. of
Homeland Security US-CERT
Organization
IA:
Information Assurance
DAA:
Designated Approval
Authority
STIGs:
Security Technical
Implementation Guides
IRP:
Incident Response Plan
Editor's notes
What is Cybersecurity:
Threats attack vulnerabilities and can include:
● Internal threats
● External threats
Potential risks:
● Safety of personnel (injury, fatality)
● Production and financial loss
● Loss of sensitive data
Key Security Principles:
● Confidentiality – Prevent disclosure of private information.
● Integrity – Data cannot be modified without authorization.
● Availability – The information must be available when it is needed.
Hackers are not sitting still: as new mitigations are put in place, hackers find a new pathway in.
People/employees can be a vulnerability soft spot – a trained and aware person is a less vulnerable person.
Effective Cybersecurity cannot be addressed as an afterthought
Schneider Electric’s IRP is defined as a Corporate Directive and Procedure.
IRP Tools:
● 8 Disciplines (8D) used to determine root cause
● Common Vulnerability Scoring System (CVSS) is used to prioritize the vulnerabilities
IRP Tracking of activities:
● Issue to Prevention (I2P)
● Incorporates the 8D process