A Modern Approach to Safeguarding Your
Industrial Control Systems and Assets
INSTANTLY CONNECT, CLOAK, SEGMENT, PROTECT AND REVOKE ANY IP RESOURCE
Marc Kaplan
VP Solution Architecture
Cisco mid-year review takeaways, working backwards
Complexity Makes Us All Less Secure
This landscape of increasing regulatory complexity is challenging for commercial enterprises to navigate. Ultimately, complexity makes us all less secure, and attackers can and will exploit division.
“Many organizations have reached a tipping point with their Internet infrastructure.... This is their moment to harden security, and enable visibility, throughout their network—and help to reduce the unconstrained time to operate that adversaries currently enjoy.”
Cisco Annual Alerts
A FALSE SENSE OF SECURITY ABOUT SECURE CONNECTIONS
Secure connections, such as those created by HTTPS connections and SSL certificates, are supposed to give users a sense of security about their online activities. However, a recent increase in vulnerability alerts involving encryption and authentication raises concerns that adversaries can more easily compromise secure connections. The result: connections of questionable security.
As shown in the Common Weakness Enumeration (CWE) chart below (Figure 2), authentication issues and cryptographic issues have been on the rise since 2014 and 2015.
Chart: Years that Cisco equipment is vulnerable; percentage of devices running known vulnerabilities, by age.
How dangerous are the tools?
Most recently came the online dump of tools and files of the Equation Group, aka the National Security Agency, by a group calling itself the ShadowBrokers.
Experts say the auction of the files by ShadowBrokers is a fake, but the files and tools are real, including tools from the NSA that hacked Cisco, Fortinet, and Juniper firewalls.
Security experts say it’s no coincidence the data dump came in the wake of the attacks on the DNC, DCCC, and others by Russia.
HOW BAD COULD IT BE?
A plethora of API-enabled attack tools
Router implants, from any vendor in the enterprise space, have long been believed to be in use. Recent vendor advisories indicate that these have been seen in the wild. Mandiant can confirm the existence of at least 14 such router implants spread across four different countries: Ukraine, Philippines, Mexico, and India.
Easy to find, easy to hack
Cisco IOS Software Reverse SSH Denial of Service Vulnerability
An unauthenticated, remote attacker could exploit this vulnerability by attempting a reverse SSH login with a crafted username. Successful exploitation of this vulnerability could allow an attacker to create a DoS condition by causing the device to reload. Repeated exploits could create a sustained DoS condition.
OR… no security
ICS: really easy to find… did we mention the API?
BEFORE TEMPERED
• Week 1: Ticket submitted to Network IT for new resource addition to corporate network.
• Week 2: Design for routing, firewall, VPN, and switching policies
• Week 3: Design submitted to InfoSec for review and approval
• Week 4: Approval of design by InfoSec
• Week 5: Implementation of design by Network Ops
• Week 6: Implementation review and sign-off by InfoSec
• Week 7: GO LIVE!
AFTER TEMPERED
• Day 1: Ticket submitted to Network team for new resource. Resource added with explicit trust relationships, segmentation and encryption. Verified by InfoSec. GO LIVE!
Secure networking time reduced by 97%
Reduce customers’ time to provision
IDN Value proposition
Simple. Fast. Effective. Secure.
• Improve time to mitigation, revocation, and quarantine up to: 25%
• Reduce attack surface up to: 90%
• Decrease failover and disaster recovery times to as little as: 1 sec
Flawed identity, only complexity. Unsustainable.
… per networked “thing”:
• Complex firewall and networking rule sets
• Routing policies, VLANs and ACLs overhead
• VPN access controls for each network
• DNS and routing updates for failover
*Inspired by “An Attack Surface Metric,” Dr. Pratyusa K. Manadhata, Member, IEEE, and Dr. Jeannette M. Wing, Fellow, IEEE, IEEE Transactions on Software Engineering, 2010
Network and Security Policies USE IP ADDRESSES as IDENTITY
Using IP addresses as identity for policy is the root cause of complexity, network security vulnerabilities, poor segmentation, and lack of mobility.
(clients × resources) × (net & sec policy) × updates = complexity
(c × r) × p = y*
RAPIDLY CONNECT, DISCONNECT & REVOKE
MOVE ANY GLOBAL IP RESOURCE WITHOUT DISRUPTION
SEGMENT EFFORTLESSLY (MICRO, MACRO, AND CROSS-BOUNDARY)
CLOAKED AND ENCRYPTED FABRIC MAKING RESOURCES AND DATA INVISIBLE
INSTANT AND VERIFIABLE FAILOVER
What you get with Tempered Networks
Identity-Defined Networking: Unified platform for secure networking
IDN Fabric – The cure to IT complexity
• Automated orchestration reduces errors
• Rapid: 3-click network design
• Centralized governance; delegated control
• GlobalIPAnywhere – Move any IP address to any network
IDENTITY – Legacy and HIP-enabled IDN
Legacy Identifier & Locator
• Identifier = who the client is: MAC address (00:1C:B3:09:85:15)
• Locator = where the client is attached to the network: IP address (192.168.16.1)
Host Identity Protocol (HIP) is an identity exchange mechanism that enables secure communications with tunneling protocols such as ESP. HIP provides a method of separating the end-point identifier and locator roles of IP addresses. It introduces a new Host Identity (HI) name space, based on public keys, from which end-point identifiers are taken. HIP uses existing IP addressing and forwarding for locators and packet delivery.
HIP Identifier & Locator
• Identifier = 128-bit host identity tag (HIT): 2001:15:e156:8a78:3226:dbaa:f2ff:ed06, derived from the host’s public key (modulus c6d90a4e31a12b297b00162e7ce87d4eac71f53e032a7088……... bb7af53ff1a61b2186c468e1680d46084af340ee252cb4ce..........., signature)
• Locator = where the client is attached to the network: IP address (192.168.16.1)
Identity-Defined Networking (IDN) – the way forward. Securely network and orchestrate any thing, anywhere, anytime – instantly.
Diagram: HIPservers, HIPswitch, HIPchip and HIPclients joined through Tempered Networks’ IDN Conductor.
Control based on unique crypto-identity for every networked thing. Seamless deployment, simple policy orchestration and enforcement based on identity. Securely connect, cloak, segment, revoke, move, failover and revoke instantly within the IDN’s encrypted fabric.
Public / Corporate Network (No Identity. Untrusted. Unmanageable.)
IDN Fabric – Trusted. Cloaked. Segmented. Encrypted.
Protected resources: Applications, Databases, PoS / ATMs, IP cameras, Medical devices, Cloud workloads, Containers.
Unique Identity-Defined Overlays (IDO) and Virtual Trust Segments (VTS):
Macro- and micro-segmentation is based on unique host identity and every IDO is cloaked and hardened. Allowed VTS connectivity and communication is explicit, non-traversal, encrypted and verifiable.
Diagram: example IDN fabric over a Corporate Network, an Unmanaged Network and Public Cloud regions (US, KR, DE).
• ID Overlays: Application-Database ID Overlay, Vendor / 3rd Party ID Overlay, Employee ID Overlay, Remote Employee ID Overlay, Cloud ID Overlay, IoT ID Overlay
• Virtual Trust Segments: Building Automation Vendor VTS, DBA Admin VTS, Managed Device VTS, Telemetry/Analytics VTS, Web Services VTS, U.S. DevOps VTS, EU DevOps VTS, Korea DevOps VTS, IoT Virtual Trust Segments, IoT Admins VTS
• Participants: Building Automation System applications, Databases, DBAs, Managed Devices, Remote Employees
Trusted Identity-Defined Network Fabric Goes Anywhere
Flexible, resilient connectivity options with automated fail-over
Trusted identity-based hardware
Serial-over-IP
• Secure management of routers and switches
• No need to expose SSH / Telnet over the internet
• Enable IP on serial-based devices such as SCADA or ATM
Cellular
• Remove the constraints of Ethernet connectivity
• Fallback functionality: flip from Ethernet to Cellular automatically
Wireless
• Move seamlessly between Ethernet and Wi-Fi without reduction of security
• HIP over Wi-Fi: incredibly secure Wi-Fi that cannot be brute-forced
Secure by Default
• No local management
• Symmetric policy validation engine
• Hardened
Management
• Secure highly available central management
• Software defined – RESTful API
• Identity-based HIP networks
• Global IP namespace
• Flexible IP transformation
The Singular Root Defect
That affects all IP security and networking
IP Addresses are used as Network and Device Identity
• Hacker reconnaissance & fingerprinting via TCP/IP stack
• Listening TCP/UDP service ports
• All networking and security products use IP addresses for policy
Large Attack Surface
• IP, TCP/UDP attacks: every connected thing is an entry point
• East / West lateral movement
• ACLs and VLANs ≆ segmentation
Lack of Mobility and Instant Failover
• Policies tied to IP create inflexible mobility
• IP conflicts
• DNS TTL and routing convergence delays
Networking and Security Costs
• Many distributed, complex VLAN, ACL, VPN, firewall policies
• Controlling network routing
• IPsec VPN cert management, connection limitations, failover issues
• Expense of “next-gen” firewalls deployed on interior WAN / LAN
Diagram (legacy network): Remote Unmanaged Network, Remote Site Managed Network and Corporate Network & Resources. Device 10, 11, 12 at 192.168.10.10, .11, .12 (192.168.10.1); Device 20, 21 at 192.168.20.20, .21 (192.168.20.1); Device 30, 31, 32 at 192.168.30.30, .31, .32 (192.168.30.1); Field Technicians and Remote Employees connecting in.
How we do what we do
IDENTITY-DEFINED OVERLAYS
HOST-BASED CRYPTOGRAPHIC IDENTITIES
SIMPLE POLICY-BASED ORCHESTRATION ENGINE
HOST IDENTITY NAMESPACE
SOFTWARE-DEFINED SEGMENTATION
FAST, FLEXIBLE DEPLOYMENT OF IDN ENDPOINTS (HIP SERVICES) EVERYWHERE
VIRTUAL TRUST SEGMENTS
A New Identity Networking Paradigm Made Simple
Diagram (same network with IDN): Remote Site Networks & Resources and Corporate Network & Resources over WAN / LAN, now CLOAKED, SEGMENTED & MOBILE and PROTECTED, SEGMENTED, ENCRYPTED, & MOBILE. Device 10, 11, 12 at 192.168.10.10, .11, .12 (192.168.10.1); Device 20, 21 at 192.168.20.20, .21 (192.168.20.1); Device 30, 31, 32 at 192.168.30.30, .31, .32 (192.168.30.1); HIPswitch at 192.168.10.100 and 192.168.30.100; Field Technicians and Remote Employees via HIPclient (10.0.9.2); Conductor orchestrating.
Unique Host Identity Approach
• Host Identity Protocol (HIP): IETF ratified April 2015
• True SDN overlay – little to no changes to network, security, or applications
• Unshackles IP from serving as identity – frees IT from complexity
• In production since 2006
Rapid Provisioning, Revocation, IP Mobility and Failover
• Effortless segmentation & cloaking
• One-click orchestration to connect, disconnect, move or failover any “thing”
• Less than 1 second failover between any IDN endpoints
• Build ID overlays (IDOs) on demand based on situation
Significantly Reduced Attack Surface
• No trust? No connectivity. No communication. No data.
• VLAN “segmentation” traversal is now impossible.
• Based on explicit device trust – all systems are invisible
• 2048-bit identity-based connectivity, AES-256 encryption by default
Lower Costs, Simpler Environment
• CapEx and OpEx decrease
• Eliminate or reduce interior “next-gen” firewalls, VPNs, complex policies, ACLs, VLAN complexity, cert management
Conductor’s “Visual Trust Map” – Instant Verification
Visualize trust relationships between HIP Services and whitelisted endpoints.
Availability, Status, Configurations, Versioning – Know the State
HIP Services:
• Activity
• Models
• Versions
• Static or dynamic config
• Current IP address
• Gateway
• DNS server
• Custom routes
• Link status
• Port configuration [if available]
Users may now check which HIP associations (secure tunnels) exist on a HIPswitch and check available bandwidth as well, for availability and sizing understanding.
Reduce the Attack Surface
Up to: 90%
BEFORE TEMPERED / AFTER TEMPERED
Because of cloaking, identity-based segmentation, non-traversal, automatic encryption, and instant revocation.
Attack surface reduction allows greater security focus and depth on the other areas Tempered Networks doesn’t address, like endpoint or code-level security.
Improve Time to Mitigate, Revoke, and Quarantine
By: 50%
Time to mitigation, revocation, and quarantine is improved with greater confidence.
• Revocation of any resource within the IDN fabric is one click or an automated API call from a security analytics system. It can happen instantly, is verifiable, and permanent – until you say otherwise.
• Even if a user’s credentials were stolen and still valid, if they’re not on an authorized device – no access.
• The alternative? Complexity. Check all VPNs, firewall rules, ACLs, and directory services. Analyze other policies to ensure that system is in fact quarantined or revoked.
Decrease Failover and Disaster Recovery Time
To as little as: 1 second
Failover and disaster recovery times reduced to as little as one second.
• Every IDN endpoint or HIP Service is based on unique host identities, not an IP address or host, making IP-based failover ‘mobile.’
• Failover can be applied from an entire datacenter (represented as a unique host identity), down to a container (represented as a unique host identity).
• If one goes down in the IDN fabric, a simple automated API call or one-click manual update to the fabric will reconnect instantly to the designated IDN failover endpoint.
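Added example (not Tempered Networks’ code or any HIP implementation): a toy Python model of the identifier/locator split described on the HIP slide and of the move, non-traversal, revocation and failover operations the last three slides claim. It assumes a simplified HIT derivation (SHA-256 of sample key bytes under a 28-bit prefix, not the RFC-exact ORCHID construction) and uses constructed keys and addresses.

```python
# Added illustration of identity-keyed (HIP-style) policy vs IP-keyed policy.
# Assumption: the HIT derivation is a simplified stand-in (SHA-256 of the key
# bytes under a 28-bit prefix), not the RFC-exact ORCHID construction; every
# key and address below is a constructed sample value.
import hashlib
import ipaddress
from dataclasses import dataclass, field


def host_identity_tag(public_key: bytes) -> str:
    """Derive a 128-bit HIT-like identifier from a host's public key.

    Layout loosely follows HIP: fixed 28-bit prefix (2001:10::/28), then 100
    bits of a hash of the key. Policy is keyed on this tag, which does not
    change when the host's IP address (its locator) changes.
    """
    digest = int.from_bytes(hashlib.sha256(public_key).digest(), "big")
    tag = (0x2001001 << 100) | (digest & ((1 << 100) - 1))
    return str(ipaddress.IPv6Address(tag))


@dataclass
class IdentityFabric:
    """Policy keyed on host identity; locators live in a separate mutable map."""
    locators: dict = field(default_factory=dict)  # HIT -> current IP, None if down
    trust: set = field(default_factory=set)       # explicit pairwise allow-list
    revoked: set = field(default_factory=set)
    standby: dict = field(default_factory=dict)   # HIT -> failover HIT

    def enroll(self, hit: str, ip: str) -> None:
        self.locators[hit] = ip

    def allow(self, a: str, b: str) -> None:
        # Trust is explicit and symmetric; nothing is reachable by default.
        self.trust.add(frozenset((a, b)))

    def move(self, hit: str, new_ip: str) -> None:
        # Mobility: only the locator changes; no policy is rewritten.
        self.locators[hit] = new_ip

    def mark_down(self, hit: str) -> None:
        self.locators[hit] = None

    def revoke(self, hit: str) -> None:
        # One operation cuts the identity off everywhere, whatever IP it holds.
        self.revoked.add(hit)

    def resolve(self, src: str, dst: str):
        """Locator src may send to for dst, or None when the fabric forbids it
        (a side revoked, no explicit trust pair, or dst and standby both down)."""
        if src in self.revoked or dst in self.revoked:
            return None
        if frozenset((src, dst)) not in self.trust:  # non-traversal
            return None
        if self.locators.get(dst) is not None:
            return self.locators[dst]
        backup = self.standby.get(dst)
        if backup is not None and backup not in self.revoked:
            return self.locators.get(backup)
        return None


def ip_acl_allows(rules: set, src_ip: str, dst_ip: str) -> bool:
    """Legacy model for contrast: the allow-list is keyed on IP addresses."""
    return (src_ip, dst_ip) in rules


# Constructed sample "public keys" (stand-ins for real RSA/ECDSA key bytes).
HIT_TECH = host_identity_tag(b"sample-public-key:field-technician")
HIT_PLC = host_identity_tag(b"sample-public-key:plc-site-a")
HIT_PLC_STANDBY = host_identity_tag(b"sample-public-key:plc-site-b")
HIT_CAMERA = host_identity_tag(b"sample-public-key:ip-camera")


def demo() -> dict:
    """Walk through move, non-traversal, failover and revocation; return results."""
    fabric = IdentityFabric()
    fabric.enroll(HIT_TECH, "10.0.9.2")
    fabric.enroll(HIT_PLC, "192.168.10.10")
    fabric.enroll(HIT_PLC_STANDBY, "192.168.30.30")
    fabric.enroll(HIT_CAMERA, "192.168.10.11")
    fabric.allow(HIT_TECH, HIT_PLC)  # the only permitted relationship
    fabric.standby[HIT_PLC] = HIT_PLC_STANDBY

    out = {"before_move": fabric.resolve(HIT_TECH, HIT_PLC)}  # 192.168.10.10
    fabric.move(HIT_PLC, "192.168.20.20")  # PLC re-addressed onto another subnet
    out["after_move"] = fabric.resolve(HIT_TECH, HIT_PLC)  # 192.168.20.20
    out["lateral"] = fabric.resolve(HIT_TECH, HIT_CAMERA)  # None: no trust pair
    fabric.mark_down(HIT_PLC)
    out["failover"] = fabric.resolve(HIT_TECH, HIT_PLC)  # 192.168.30.30
    fabric.revoke(HIT_TECH)
    out["revoked"] = fabric.resolve(HIT_TECH, HIT_PLC)  # None
    # The same move under an IP-keyed ACL silently leaves the rule stale.
    acl = {("10.0.9.2", "192.168.10.10")}
    out["acl_before_move"] = ip_acl_allows(acl, "10.0.9.2", "192.168.10.10")
    out["acl_after_move"] = ip_acl_allows(acl, "10.0.9.2", "192.168.20.20")
    return out
```

The contrast at the end is the slide’s mobility argument in miniature: the identity-keyed policy survives the re-addressing untouched, while the IP-keyed rule has to be found and rewritten.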
Visit us at booth #310 for a demo
THANK YOU
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
Advantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your BusinessAdvantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your Business
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 

A modern approach to safeguarding your ICS and SCADA systems

  • 1. A Modern Approach to Safeguarding Your Industrial Control Systems and Assets INSTANTLY CONNECT, CLOAK, SEGMENT, PROTECT AND REVOKE ANY IP RESOURCE Marc Kaplan VP Solution Architecture
  • 2. Cisco mid-year review take away, working it backwards Complexity Makes Us All Less Secure This landscape of increasing regulatory complexity is challenging for commercial enterprises to navigate. Ultimately, complexity makes us all less secure, and attackers can and will exploit division. “Many organizations have reached a tipping point with their Internet infrastructure.... This is their moment to harden security, and enable visibility, throughout their network—and help to reduce the unconstrained time to operate that adversaries currently enjoy.”
  • 3.
  • 4. Cisco Annual Alerts A FALSE SENSE OF SECURITY ABOUT SECURE CONNECTIONS Secure connections, such as those created by HTTPS connections and SSL certificates, are supposed to give users a sense of security about their online activities. However, a recent increase in vulnerability alerts involving encryption and authentication raises concerns that adversaries can more easily compromise secure connections. The result: connections of questionable security. As shown in the Common Weakness Enumeration (CWE) chart below (Figure 2), authentication issues and cryptographic issues have been on the rise since 2014 and 2015.
  • 5. Years that Cisco equipment is Vulnerable
  • 6. Percentage of Devices Running Known Vulnerabilities by Age
  • 7. How dangerous are the Tools
    Most recently came the online dump of tools and files of the Equation Group—aka the National Security Agency—by a group calling itself the ShadowBrokers. Experts say the auction of the files by ShadowBrokers is a fake, but the files and tools are real, including tools from the NSA that hacked Cisco, Fortinet, and Juniper firewalls. Security experts say it’s no coincidence the data dump came in the wake of the attacks on DNC, DCCC, and others, by Russia.
    HOW BAD COULD IT BE
  • 8. A plethora of API enabled attack tools Router implants, from any vendor in the enterprise space, have been largely believed to be in use. Recent vendor advisories indicate that these have been seen in the wild. Mandiant can confirm the existence of at least 14 such router implants spread across four different countries: Ukraine, Philippines, Mexico, and India.
  • 9. Easy to find, easy to hack Cisco IOS Software Reverse SSH Denial of Service Vulnerability An unauthenticated, remote attacker could exploit this vulnerability by attempting a reverse SSH login with a crafted username. Successful exploitation of this vulnerability could allow an attacker to create a DoS condition by causing the device to reload. Repeated exploits could create a sustained DoS condition. OR… no security
  • 10. ICS.. Really easy to find…did we mention the API
  • 11. Reduce customers' time to provision
    BEFORE TEMPERED (Week 1 through Week 7):
    • Ticket submitted to Network IT for new resources addition to corporate network.
    • Design for Routing, Firewall, VPN, and Switching Policies
    • Design Submitted to InfoSec for review and approval
    • Approval of Design by InfoSec
    • Implementation of Design by Network Ops
    • Implementation Review and Sign-Off by InfoSec
    • GO LIVE!
    AFTER TEMPERED (Day 1):
    • Ticket submitted to Network team for new resource.
    • Resource added with explicit trust relationships, segmentation and encryption. Verified by InfoSec.
    • GO LIVE!
    Secure networking time reduced by 97%
  • 12. IDN Value proposition: Simple. Fast. Effective. Secure.
    • Improve time to mitigation, revocation, and quarantine up to: 25%
    • Reduce attack surface up to: 90%
    • Decrease failover and disaster recovery times to as little as: 1 sec
  • 13. Flawed identity, only complexity. Unsustainable.
    100% of Network and Security Policies USE IP ADDRESSES as IDENTITY. Using IP addresses as identity for policy is the root cause of complexity, network security vulnerabilities, poor segmentation, and lack of mobility.
    • Complex firewall and networking rule sets
    • Routing policies, VLANs and ACLs overhead … per networked “thing”
    • VPN access controls for each network
    • DNS and routing updates for failover
    (clients × resources) × (net & sec policy) × updates = complexity, i.e. (c × r) × p = y*
    *Inspired by “An Attack Surface Metric,” Dr. Pratyusa K. Manadhata, Member, IEEE, and Dr. Jeannette M. Wing, Fellow, IEEE, IEEE Transactions on Software Engineering, 2010
  • 14. What you get with Tempered Networks Identity-Defined Networking: Unified platform for secure networking
    • RAPIDLY CONNECT, DISCONNECT & REVOKE
    • MOVE ANY GLOBAL IP RESOURCE WITHOUT DISRUPTION
    • SEGMENT EFFORTLESSLY (MICRO, MACRO, AND CROSS-BOUNDARY)
    • CLOAKED AND ENCRYPTED FABRIC MAKING RESOURCES AND DATA INVISIBLE
    • INSTANT AND VERIFIABLE FAILOVER
  • 15. IDN Fabric – The cure to IT complexity
    • Automated orchestration reduces errors
    • Rapid: 3-click network design
    • Centralized governance; delegated control
    • GlobalIPAnywhere™ – Move any IP address to any network
  • 16. IDENTITY – Legacy and HIP enabled IDN
    Legacy Identifier & Locator:
    • Identifier = who the client is: MAC address (00:1C:B3:09:85:15)
    • Locator = where the client is attached to the network: IP address (192.168.16.1)
    HIP-enabled IDN:
    • Host Identity Protocol (HIP) is an Identity Exchange mechanism that enables secure communications with tunneling protocols such as ESP. HIP provides a method of separating the end-point identifier and locator roles of IP addresses. It introduces a new Host Identity (HI) name space, based on public keys, from which end-point identifiers are taken. HIP uses existing IP addressing and forwarding for locators and packet delivery.
    • Identifier = 128-bit host identity tag (HIT), e.g. 2001:15:e156:8a78:3226:dbaa:f2ff:ed06, taken from the public-key Host Identity (modulus, signature: c6d90a4e31a12b297b00162e7ce87d4eac71f53e032a7088……... bb7af53ff1a61b2186c468e1680d46084af340ee252cb4ce...........)
    • Locator = where the client is attached to the network: IP address (192.168.16.1)
  • 17. Identity-Defined Networking (IDN) – the way forward
    Securely network and orchestrate any thing, anywhere, anytime - instantly.
    • Tempered Networks’ IDN Conductor: control based on unique crypto-identity for every networked thing. Seamless deployment, simple policy orchestration and enforcement based on identity.
    • Securely connect, cloak, segment, move, failover and revoke instantly within the IDN’s encrypted fabric.
    • Public / Corporate Network (No Identity. Untrusted. Unmanageable.) versus IDN Fabric – Trusted. Cloaked. Segmented. Encrypted.
    • Diagram labels: HIPservers, HIPswitch, HIPchip, HIPclients; Applications, Databases, PoS / ATMs, IP cameras, Medical devices, Cloud workloads, Containers
  • 18. Unique Identity-Defined Overlays (IDO) and Virtual Trust Segments (VTS)
    Macro and micro-segmentation is based on unique host identity and every IDO is cloaked and hardened. Allowed VTS connectivity and communication is explicit, non-traversal, encrypted and verifiable.
    Diagram labels: Building Automation System, Building Automation Vendor VTS, Vendor / 3rd Party ID Overlay; Applications, Databases, DBAs, DBA Admin VTS, Application-Database ID Overlay; Managed Devices, Managed Device VTS, Employee ID Overlay, Remote Employee ID Overlay, Unmanaged Network; Telemetry/Analytics VTS, Web Services VTS, Cloud ID Overlay, Public Cloud-US, Public Cloud–KR, Public Cloud–DE, U.S. DevOps VTS, EU DevOps VTS, Korea DevOps VTS; IoT Virtual Trust Segments, IoT Admins VTS, IoT ID Overlay; Corporate Network
  • 19. Trusted Identity-Defined Network Fabric Goes Anywhere Flexible, resilient, connectivity options with automated fail-over
  • 20. Trusted identity-based hardware
    Serial-over-IP
    • Secure Management of Routers and Switches
    • No need to expose SSH / Telnet over the internet
    • Enable IP on serial based devices such as SCADA or ATM
    Cellular
    • Remove the constraints of Ethernet connectivity
    • Fallback functionality, flip from Ethernet to Cellular automatically
    Wireless
    • Move seamlessly between Ethernet and Wifi without reduction of security
    • HIP over Wifi, incredibly secure Wifi that cannot be brute-forced
    Secure by Default
    • No local management
    • Symmetric policy validation engine
    • Hardened
    Management
    • Secure High-Available Central Management
    • Software Defined – RESTful API
    • Identity Based HIP Networks
    • Global IP Namespace
    • Flexible IP transformation
  • 21. The Singular Root Defect that affects all IP security and networking
    IP Addresses are used as Network and Device Identity
    • Hacker reconnaissance & fingerprinting via TCP/IP stack
    • Listening TCP/UDP service ports
    • All networking and security products use IP addresses for policy
    Large Attack Surface
    • IP, TCP/UDP Attacks: every connected thing is an entry point
    • East / West lateral movement
    • ACLs and VLANs ≆ segmentation
    Lack of Mobility and Instant Failover
    • Policies tied to IP - creates inflexible mobility
    • IP conflicts
    • DNS TTL and Routing Convergence Delays
    Networking and Security Costs
    • Many distributed, complex VLAN, ACL, VPN, firewall policies
    • Controlling network routing
    • IPsec VPN cert management, connection limitations, failover issues
    • Expense of “next-gen” firewalls deployed on interior WAN / LAN
    Diagram labels: Remote Unmanaged Network (Field Technicians, Remote Employees); Remote Site Managed Network; Corporate Network & Resources; Device 10, 11, 12 (192.168.10.10, 192.168.10.11, 192.168.10.12); Device 20, 21 (192.168.20.20, 192.168.20.21); Device 30, 31, 32 (192.168.30.30, 192.168.30.31, 192.168.30.32); 192.168.10.1, 192.168.20.1, 192.168.30.1
  • 22. How we do what we do
    • IDENTITY-DEFINED OVERLAYS
    • HOST-BASED CRYPTOGRAPHIC IDENTITIES
    • SIMPLE POLICY-BASED ORCHESTRATION ENGINE
    • HOST IDENTITY NAMESPACE
    • SOFTWARE-DEFINED SEGMENTATION
    • FAST, FLEXIBLE DEPLOYMENT OF IDN ENDPOINTS (HIP SERVICES) EVERYWHERE
    • VIRTUAL TRUST SEGMENTS
  • 23. A New Identity Networking Paradigm Made Simple
    Diagram labels: WAN / LAN; Remote Site Networks & Resources; Corporate Network & Resources; Device 10, 11, 12 (192.168.10.10, 192.168.10.11, 192.168.10.12); Device 20, 21 (192.168.20.20, 192.168.20.21); Device 30, 31, 32 (192.168.30.30, 192.168.30.31, 192.168.30.32); 192.168.10.1, 192.168.20.1, 192.168.30.1; HIPswitch (192.168.10.100, 192.168.30.100); Field Technicians and Remote Employees with HIPclient (10.0.9.2); Conductor; CLOAKED, SEGMENTED & MOBILE; PROTECTED, SEGMENTED, ENCRYPTED, & MOBILE; CLOAKED, SEGMENTED, & MOBILE
    Unique Host Identity Approach
    • Host Identity Protocol (HIP): IETF ratified April 2015
    • True SDN overlay – little to no changes to network, security, or applications
    • Unshackles IP from serving as identity - frees IT from complexity
    • In production since 2006
    Rapid Provisioning, Revocation, IP Mobility and Failover
    • Effortless segmentation & cloaking
    • One-click orchestration to connect, disconnect, move or failover any “thing”
    • Less than 1 second failover between any IDN endpoint
    • Build ID overlays (IDOs) on-demand based on situation
    Significantly Reduced Attack Surface
    • No trust? No connectivity. No communication. No data.
    • VLAN “segmentation” traversal is now impossible.
    • Based on explicit device trust - all systems are invisible
    • 2048 bit Identity-Based connectivity, AES 256 encryption by default
    Lower Costs, Simpler Environment
    • CapEx and OpEx decrease
    • Eliminate or reduce interior “next-gen” firewalls, VPNs, complex policies, ACLs, VLAN complexity, cert management
  • 24. Conductor’s “Visual Trust Map” – Instant Verification Visualize trust relationships between HIP Services and whitelisted endpoints
  • 25. Availability, Status, Configurations, Versioning – Know the State
    HIP Services:
    • Activity
    • Models
    • Versions
    • Static or dynamic config
    • Current IP address
    • Gateway
    • DNS server
    • Custom routes
    • Link status
    • Port configuration [if available]
    Users may now check which HIP associations (secure tunnels) exist on a HIPswitch and check available bandwidth as well, for availability and sizing understanding.
  • 26. Reduce the Attack Surface – up to 90% (BEFORE TEMPERED vs. AFTER TEMPERED)
    Because of cloaking, identity-based segmentation, non-traversal, automatic encryption, and instant revocation. Attack surface reduction allows greater security focus and depth on the other areas Tempered Networks doesn’t address, like endpoint or code-level security.
  • 27. Improve Time to Mitigate, Revoke, and Quarantine – by 50%
    Time to mitigation, revocation, and quarantine is improved with greater confidence.
    • Revocation of any resource within the IDN fabric is one click or an automated API call from a security analytics system. It can happen instantly, is verifiable, and permanent - until you say otherwise.
    • Even if a user’s credentials were stolen and still valid, if they’re not on an authorized device – no access.
    • The alternative? Complexity. Check all VPNs, Firewall rules, ACLs, and directory services. Analyze other policies to ensure that system is in fact quarantined or revoked.
  • 28. Decrease Failover and Disaster Recovery Time – to as little as 1 second
    Failover and Disaster Recovery times reduced to as little as one second.
    • Every IDN endpoint or HIP Service is based on unique host identities, not an IP address or host, making IP-based failover ‘mobile.’
    • Failover can be applied from an entire datacenter (represented as a unique host identity), down to a container (represented as a unique host identity).
    • If one goes down in the IDN fabric, a simple automated API call or one-click manual update to the fabric will reconnect instantly to the designated IDN failover endpoint.
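    The identifier/locator split of slide 16 and the move, revoke and failover behaviour claimed on slides 23, 27 and 28, as an added Python example; it is not Tempered Networks' code and not a HIP implementation. The tag layout (28-bit ORCHIDv2 prefix, 4-bit OGA id, 96 bits of SHA-256 over a HIP context id and the key) follows my reading of RFC 7343 and RFC 7401 and the three constants should be treated as assumptions; the "public keys" are constructed random byte strings, and the IdentityPolicy class, its verdict strings and the run_demo walkthrough are mine. The addresses reused from the slides (192.168.10.10, 192.168.10.100, 192.168.30.30, 10.0.9.2) are locators only.

```python
import hashlib
import ipaddress
import secrets
from typing import Optional

# ORCHIDv2 tag layout assumed from RFC 7343 / RFC 7401 (treat these constants as
# assumptions, not as values taken from the slides).
ORCHID_PREFIX = 0x2001002   # 28-bit prefix 2001:20::/28
HIT_SUITE_SHA256 = 0x1      # 4-bit OGA id selecting the SHA-256 HIT suite
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")


def host_identity_tag(public_key: bytes) -> ipaddress.IPv6Address:
    """Derive the 128-bit HIT from a public key: prefix | OGA id | 96-bit hash."""
    digest = hashlib.sha256(HIP_CONTEXT_ID + public_key).digest()
    hash96 = int.from_bytes(digest[:12], "big")           # leftmost 96 bits
    value = (ORCHID_PREFIX << 100) | (HIT_SUITE_SHA256 << 96) | hash96
    return ipaddress.IPv6Address(value)


class IdentityPolicy:
    """Trust relationships keyed by HIT; locators (IP addresses) only say where a host is."""

    def __init__(self):
        self.keys = {}      # HIT -> public key bytes (enrolled identities)
        self.locators = {}  # HIT -> [primary locator, failover locator, ...]
        self.trust = set()  # explicit HIT pairs allowed to talk (non-traversal)

    def enroll(self, public_key: bytes, locators) -> ipaddress.IPv6Address:
        hit = host_identity_tag(public_key)
        self.keys[hit] = public_key
        self.locators[hit] = list(locators)
        return hit

    def allow(self, a, b) -> None:
        self.trust.add(frozenset((a, b)))

    def move(self, hit, locators) -> None:
        """Re-attach a host elsewhere; trust is untouched because it is not keyed by IP."""
        self.locators[hit] = list(locators)

    def revoke(self, hit) -> None:
        """One call removes the identity and every trust pair that referenced it."""
        self.keys.pop(hit, None)
        self.locators.pop(hit, None)
        self.trust = {pair for pair in self.trust if hit not in pair}

    def decide(self, src_hit, src_public_key: bytes, dst_hit) -> str:
        """Verdict for traffic claiming to come from src_hit and bound for dst_hit."""
        if src_hit not in self.keys or dst_hit not in self.keys:
            return "DROP: unknown identity (cloaked, no response)"
        if host_identity_tag(src_public_key) != src_hit:
            return "DROP: claimed HIT does not match presented key"
        if frozenset((src_hit, dst_hit)) not in self.trust:
            return "DROP: no explicit trust relationship"
        return "ALLOW"

    def reachable_locator(self, hit, down) -> Optional[str]:
        """First locator not marked down; the identity stays constant across failover."""
        return next((loc for loc in self.locators.get(hit, []) if loc not in down), None)


def run_demo() -> dict:
    """Walk through enroll, cloak, spoof, failover, move and revoke; returns the verdicts."""
    # Constructed stand-in public keys: random bytes, not real RSA/ECDSA keys.
    plc_key, hmi_key, stranger_key = (secrets.token_bytes(256) for _ in range(3))
    policy = IdentityPolicy()
    plc = policy.enroll(plc_key, ["192.168.10.10", "192.168.10.100"])
    hmi = policy.enroll(hmi_key, ["192.168.30.30"])
    stranger = host_identity_tag(stranger_key)   # never enrolled
    policy.allow(hmi, plc)                        # the only explicit trust relationship

    results = {
        "hit_prefix_ok": all(str(h).startswith("2001:21:") for h in (plc, hmi)),
        "hmi_to_plc": policy.decide(hmi, hmi_key, plc),
        "stranger_to_plc": policy.decide(stranger, stranger_key, plc),
        "spoofed_hit": policy.decide(hmi, stranger_key, plc),
        "failover": policy.reachable_locator(plc, down={"192.168.10.10"}),
    }
    policy.move(hmi, ["10.0.9.2"])                # HMI re-attaches from a remote site
    results["after_move"] = policy.decide(hmi, hmi_key, plc)
    policy.revoke(hmi)
    results["after_revoke"] = policy.decide(hmi, hmi_key, plc)
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16} {verdict}")
```

    Note that decide() never consults a locator: moving the HMI to 10.0.9.2 changes nothing about what it may reach, a stranger or a forged HIT gets no response rather than a rejection, and revoking the HMI's HIT deletes every pair that referenced it in one step, which is the property slide 27 contrasts with chasing VPN, firewall, ACL and directory rules.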
  • 29. Visit us at booth #310 for a demo THANK YOU