Cybersecurity in an Interconnected World
Dhrupad Trivedi
November 2015
© 2015 Belden Inc. | belden.com | @BeldenInc
Introduction
Dhrupad Trivedi has been with Belden since January 2010 and is currently the President of the Industrial IT and Network Security platforms. Prior to that, he was responsible for the Corporate Development and Strategy function at Belden. Earlier, he was President of Trapeze Networks. Before joining Belden, he held General Management and Corporate Development roles at JDS Uniphase. He has 20 years of experience in the Networking and Communications industry. Dhrupad has an MBA from Duke University and a Ph.D. in Electrical Engineering from the University of Massachusetts, Amherst.
Key Takeaways
• Cybersecurity has moved from an IT issue to an Enterprise risk issue.
• The notion of “critical” assets has changed with mobile devices and the promise of integrated networks.
• Industrial infrastructure requires unique solutions that address its risk profile and its needs for uptime and productivity.
• As threats become more sophisticated and pervasive, companies need to evolve their tools and techniques to manage this risk.
• Regulation and Compliance are drivers for some industries – but the real driver is Business Impact.
• Understand your situation, choose the next steps based on business need, have an emergency response plan and adopt best practices. The right next step may be a small one.
A Rich Heritage
• Founded by Joseph Belden in 1902 in Chicago
• A long history of innovation for communications technologies
• Early customers included Thomas Edison
Belden Today
• John Stroup, CEO
• Headquartered in St. Louis, MO
• 6,900 employees
• NYSE: BDC
• Operations in North and South America, Europe, Middle East, Africa and Asia Pacific
• Revenue $1.84B
• 20+ Sales Offices; 25+ Manufacturing Facilities
Delivering highly engineered signal transmission solutions for mission-critical applications in a diverse set of global markets
Timeline graphic: Joseph Belden and Thomas Edison; Radio in the 1920s; TV in the 1950s; Computer Networking in the 1980s and 1990s
Business Platforms / Applications / Vertical Markets: Data, Industrial, Sound, Enterprise, Video, Broadcast
Belden’s Business Transformation and Profile
Timeline graphic: 2005 – Strategy, Culture and Values; 2008 – Belden Business System; 2012 – BUILD the Foundation; 2015 – POSITION for Accelerated Value Creation; Belden TODAY – SCALE THE BUSINESS PLATFORMS AROUND THE CUSTOMER
Pillars: Portfolio Expansion; Market and Geographic Footprint; Talent/Leadership; Consistent Financial Performance
Belden’s transformation has resulted in a… Global Signal Transmission Solutions Company
Five Business Platforms Delivering Innovative Connectivity Solutions
Platforms: Broadcast; Industrial Connectivity; Enterprise; Industrial IT Solutions; Network Security
Product lines shown across the first four platforms:
• Routers and Interfaces
• Industrial and I/O Connectors
• Ethernet Switches
• Broadcast Connectors
• Copper and Fiber Connectivity
• Broadband Connectivity
• Racks and Enclosures
• Industrial Cable
• Routers and Gateways
• Multi-Viewers and Monitoring and Control Systems
• Ethernet, Fiber Optic and Coaxial Cabling
• Distribution Boxes
• Security Devices
• Customized Connectivity Solutions
• Network Management Software
• Playout Systems
• Custom Infrastructure Solutions
• Wireless Systems
Network Security:
• Vulnerability Assessment
• Security Configuration Management
• Log Intelligence
• Analytics and Reporting
As Internet of Things Proliferates… Cybersecurity Becomes Crucial
Billions of Sensors, Smart Machines and Intelligent Systems
Connecting to Create High Value IP-based Networks of Mission-Critical Applications
All Potentially Vulnerable to Cyberthreats
SECURITY around these highly valuable, mission critical networks is essential to make the promise of the Internet of Things a secure reality
Security Is Now A Boardroom Topic
This is a Business issue, not an IT issue
Connecting the Infrastructure to the Boardroom and Using Metrics
CONNECT: Make security results visible, measurable and accountable
PROTECT: Dynamically protect the systems your business depends upon and defend your objectives
DETECT: Detect leading indicators of security problems across the dynamic enterprise – before they cause damage
Industrial Security is Big News
But Industrial Cybersecurity Is Much More than Hackers
• <10% of issues are related to hackers
• Top risk is software or device flaws bringing down the system (closely followed by human error)
➢ A more secure system is a more reliable system
➢ A more secure system is a more resilient system
➢ A more secure system is a safer system
The traditional model for IT-oriented Security is not enough
I.T. Security priorities, in order: Confidentiality, Integrity, Availability (C-I-A)
I.C.S. Security priorities, in order: Availability, Integrity, Confidentiality (A-I-C) + Safety
Industrial Internet of Things (IoT) – biggest growth inhibitors are cybersecurity, ease of use and “ROI”
As more devices and machines get connected, it creates a complex network with potential for economic gains.
The Promise:
Improved information and analytics
- Tracking capabilities
- Situational awareness
- Sensor-based analytics
- Big data, cloud
Automation and Control
- Process optimization
- Resource management
- Complexity management
Mobility – Wireless
Challenges:
Security
- Information
- Infrastructure
Complexity – Embedded
- Number of connections
- Scalability
- Cost tradeoffs (e.g. sensors)
Ease of Use
Best Practices for Critical Infrastructure:
- Think infrastructure vs. devices
- Take steps to improve security from the current situation
- Use existing frameworks and recommendations (e.g. SANS 20, NIST)
- Crisis response preparedness
Cyberthreats Moving to Critical Infrastructure and Creating Physical Damage
Headlines shown:
• DHS Warns U.S. Utility Was Hacked
• Hackers Target German Steel Mill As Cyber Warfare Gets Physical
• Cyber Attackers Caused Pipeline Explosion in Turkey
Industrial Control Systems are Being Increasingly Connected and Also Becoming More Vulnerable
• 800 – ICS security advisories
• Unable to Determine – Most common attack vector used in ICS breaches
• 245 – Reported ICS security incidents in the last year
• 55% – % of ICS attacks involving APTs
Source: ICS-CERT
Major Categories of Critical Infrastructure
Critical Infrastructure Sectors:
• Agriculture and Food
• Dams
• Information Technology
• Banking and Financial Services
• Defense Industrial Base
• Nuclear Reactors, Materials and Waste
• Chemical
• Emergency Services
• Transportation Systems
• Commercial Facilities
• Energy
• Water and Wastewater Systems
• Communications
• Government Facilities
• Critical Manufacturing
• Healthcare and Public Health
Increasing Sophistication of Attacks Makes them Harder to Detect and Resolve Without New Techniques
Detection and resolution can be complex:
• 229 days to detect a significant threat on a corporate network
• >123 days to resolve a malicious data breach
• >350 days to detect and resolve cybersecurity breaches
Creating complexity to effectively manage the risk:
• Advanced attacks are harder to detect
• Traditional network and endpoint security fail to detect and respond in real time
• Too many alerts that are uncoordinated and do not provide business risk prioritization
Source: Mandiant, Ponemon
Security Issues in Control Networks
§ “Soft” targets
  § PCs run 24x7 without security updates or even antivirus
  § Controllers are optimized for real-time I/O, not for robust networking connections
§ Multiple network entry points
  § The majority of cyber security incidents originate from secondary points of entry to the network
  § USB keys, maintenance connections, laptops, etc.
§ Poor network segmentation
  § Many control networks are “wide-open” with no isolation between different sub-systems
  § As a result, problems spread rapidly through the network
CSX Train Signaling System
Event: Aug 2003, the Sobig computer virus was blamed for shutting down train signaling systems
Impact: The virus infected the computer system at CSX Corporation’s Jacksonville, Florida, headquarters, shutting down signaling, dispatching, and other systems
Specifics: Ten Amtrak trains were affected
Recovery time:
§ Train service was shut down or delayed for six hours
Lessons learned:
§ Critical patches and anti-virus need to be applied and updated regularly
§ Defense-in-depth strategies, firewalls
§ Isolate control networks from corporate networks
DaimlerChrysler
Event: Aug 2005, Internet worms infect DaimlerChrysler’s systems
Impact: Workers were idle as infected Microsoft Windows systems were patched
Specifics: A round of Internet worms knocked 13 of DaimlerChrysler’s U.S. automobile manufacturing plants offline
Recovery time:
§ Took manufacturing plants offline for one hour
Lessons learned:
§ Critical patches need to be applied
§ Provide adequate network segmentation between control and business networks
§ Place controls between segments to limit congestion and cascading effects
Power Plant and Water Treatment Facility
Power plant:
Event: Two circulation pumps at Unit 3 of the nuclear power plant failed
Impact: The unit had to be shut down manually
Specifics: The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device
Recovery time:
§ SPDS – 4 hours 50 minutes
§ PPC – 6 hours 9 minutes
Lessons learned:
§ Provide adequate network segmentation
§ Place controls on multiple segments to limit congestion and cascading effects
§ Provide active network monitoring tools
Water treatment facility:
Event: More than 750,000 gallons of untreated sewage intentionally released into parks, rivers, and hotel grounds
Impact: Loss of marine life, public health jeopardized, $200,000 in cleanup and monitoring costs
Specifics: SCADA system had 300 nodes (142 pumping stations) governing sewage and drinking water
§ Used packet radio communications to RTUs
§ Used commercially available radios and stolen SCADA software to make laptop appear as a pumping station
§ Caused as many as 46 different incidents over a 3-month period (Feb 9 to April 23)
Lessons learned:
§ Suspend all access after terminations
§ Investigate anomalous system behavior
§ Secure radio and wireless transmissions
Source: DHS
Cybersecurity is Critical and Specialized as We Manage the Intersection of IT and OT
Level 4: Business Planning & Logistics – Plant Production Scheduling, Operational Management, etc.
Level 3: Manufacturing Operations & Control – Dispatching Production, Detailed Production Scheduling, Reliability Assurance, ...
Levels 2, 1, 0: Batch Control; Continuous Control; Discrete Control
ICS Security Has Unique Needs and Priorities
Recommended Best Practices from ICS-CERT
1. Develop policies and review them periodically
2. Block access to resources and services (Firewall)
3. Detect malicious activity (Change Management)
4. Mitigate possible attacks for known risks
5. Fix the core problem – Architecture approach: know what you have and then protect it
A Perimeter Defense is Not Enough
• We can’t just install a firewall at the edge of the network and forget about security
• The bad guys will eventually get in
• Many problems originate inside the plant network
• We must harden the plant floor
• We need Defense in Depth
• Identify the ISA99 ‘Zones’ and ‘Conduits’ in the network (now ANSI/ISA-62443)
• Allow only minimum required network traffic to pass between zones
• Generate alarms when traffic is blocked
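As an added example (not Belden’s code and not text from ISA-62443), the Python below applies the zone-and-conduit idea as a default-deny policy over constructed flow records: the zone names, address ranges, the two conduits and the sample flows are all assumed, and every blocked cross-zone flow produces an alarm line, as the slide recommends.

```python
import ipaddress
from collections import namedtuple

# Assumed zones (ISA-62443 style): zone name -> networks that belong to it.
ZONES = {
    "enterprise": [ipaddress.ip_network("10.0.0.0/16")],
    "dmz": [ipaddress.ip_network("10.1.0.0/24")],
    "control": [ipaddress.ip_network("192.168.10.0/24")],
}
# Conduits: the only cross-zone traffic permitted; anything else is denied.
# Entries are (src_zone, dst_zone, protocol, dst_port), all assumed here.
CONDUITS = {
    ("enterprise", "dmz", "tcp", 443),  # browsers reach the DMZ historian web UI
    ("dmz", "control", "tcp", 502),     # only the DMZ historian polls PLCs via Modbus/TCP
}
Flow = namedtuple("Flow", "src dst proto dport")

def zone_of(addr):
    """Return the zone that contains addr, or None for an unzoned address."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return None

def evaluate(flow):
    """Decide one flow: ('allow'|'block', reason). Cross-zone is default deny."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "block", "unzoned address"
    if src_zone == dst_zone:
        return "allow", "intra-zone"
    if (src_zone, dst_zone, flow.proto, flow.dport) in CONDUITS:
        return "allow", "conduit"
    return "block", "no conduit %s->%s" % (src_zone, dst_zone)

def run_policy(flows):
    """Evaluate flows; return (decisions, alarms). Every block raises an alarm."""
    decisions, alarms = [], []
    for f in flows:
        verdict, reason = evaluate(f)
        decisions.append((f, verdict, reason))
        if verdict == "block":
            alarms.append("ALARM blocked %s -> %s:%d/%s (%s)" % (f.src, f.dst, f.dport, f.proto, reason))
    return decisions, alarms

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "10.1.0.10", "tcp", 443),        # enterprise -> DMZ web: allow
    Flow("10.1.0.10", "192.168.10.5", "tcp", 502),     # DMZ -> PLC Modbus: allow
    Flow("10.0.5.20", "192.168.10.5", "tcp", 502),     # enterprise -> PLC direct: block
    Flow("192.168.10.5", "192.168.10.6", "tcp", 502),  # PLC -> PLC: intra-zone allow
    Flow("172.16.0.9", "192.168.10.5", "udp", 161),    # unzoned laptop -> PLC: block
]
```

Running `run_policy(SAMPLE_FLOWS)` yields two alarms: the enterprise host bypassing the DMZ to reach a PLC, and the unzoned laptop.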
Belden Solution is to Maximize Network Availability At All Layers Where Failures Can Occur
Share of network failures by OSI layer:
• Application – 3%
• Presentation – 7%
• Session – 8%
• Transport – 10%
• Network – 12%
• Data Link – 25%
• Physical – 35%
Belden products positioned across the stack, top to bottom: Deep Packet Inspection; Zone & Endpoint Firewalls; Routers & Perimeter Firewalls; Switches; Cable
Source: Datacom, Network Management Special
Belden’s 1-2-3 Approach
Industrial Network
• Segmentation
• Zoning
• Monitoring
• Secure wireless access
• Intrusion radiation protection
Industrial PCs
• Inventory connected assets
• Identify unauthorized & malicious change
• Identify vulnerable & exploitable systems
• Ensure proper configurations
Industrial Controls
• Detect and respond to attacks
• Identify unauthorized & malicious change
• Identify vulnerable & exploitable controls
A Closer Look at Energy Industry
• Energy grid is a potential target for cyber threats from local and foreign sources as well as unintentional disruptions
• Shows impact of cybersecurity in digital and physical assets within a single Enterprise
• One of the early industries to mandate compliance requirements with fines and economic impact – Companies required to show compliance with prescribed requirements
• Pressing Compliance Deadlines
  • April 1, 2016 – NERC CIPv5 Audit Compliance for High & Medium Impact Cyber Assets
  • April 1, 2017 – NERC CIPv5 Audit Compliance for Low Impact Cyber Assets
• Two new Compliance Requirements in CIPv5
  • CIP-010 – Configuration Change Management & Vulnerability Assessments
  • CIP-011 – Information Protection
• Fines in 2013 in excess of $150M
Interesting Case Study: Windows XP End of Service
Windows XP is an operating system that runs a large number of mission-critical, ruggedized industrial applications.
When Microsoft announced end of service, companies were faced with a difficult choice… especially as it relates to the security of their installed base.
Making Cybersecurity a Business Need and Simplifying it with Expertise
Enterprises Have to Think in Terms of Prevention, Detection and Response
Detection Gap – Time between actual breach and discovery (“Have we been breached?”)
Response Gap – Time between discovery and remediation to limit damage (“How bad is it?”)
Prevention Gap – Time to put preventative measures in place to avoid future attacks (“Can we avoid this from happening again?”)
Belden’s Tripwire Adaptive Threat Protection™ – An Example of Integrating All the Pieces
Adaptive Threat Protection sits at the hub, surrounded by: Threat Intelligence; Vulnerability Intelligence; Threat Analytics; Zero-Day Detection; Endpoint Intelligence; Forensics; Threat Response; Log & Event Intelligence
Cybersecurity Reference Framework
CCS – Council on CyberSecurity
Evolving Industrial Standards and Best Practices
Sample Security Metrics
• Configuration Quality:
  − % of configurations compliant with target security standards (risk-aligned)
    § e.g. >95% in Critical; >75% in Medium
  − % of unauthorized or undocumented changes
  − patch compliance by target area based on risk level
    § e.g. % of systems patched within 72 hours for Critical;
    § …within 1 week for Medium, etc.
• Control effectiveness:
  − % of incidents detected by an automated control
  − % of incidents resulting in loss
  − mean time to discover security incidents
  − % of changes that followed change process
  − % of incidents detected by each control or process
• Security program progress:
  − % of staff (by business area) completing security training
  − average scores (by business area) for security recall test
  − % of employees (by business area) who responded to “phishing tests”
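To show how the configuration-quality, patch-compliance and control-effectiveness metrics above are computed from raw records, here is an added Python example (not from the deck): the asset inventory, the incident records and the reading of the >95%/>75% targets as “at least” are assumed, while the 72-hour and 1-week patch windows follow the slide.

```python
from datetime import datetime

# Per-tier targets: minimum % of compliant configurations and patch window in hours (assumed from the slide).
TARGETS = {
    "critical": {"min_compliant_pct": 95.0, "patch_window_h": 72},
    "medium": {"min_compliant_pct": 75.0, "patch_window_h": 168},
}

# Constructed asset inventory: (hostname, tier, config_compliant, hours_to_patch); None = still unpatched.
ASSETS = [
    ("plc-hmi-01", "critical", True, 20),
    ("plc-hmi-02", "critical", True, 60),
    ("historian", "critical", True, 96),
    ("eng-ws-01", "critical", False, None),
    ("scada-srv", "critical", True, 12),
    ("badge-srv", "medium", True, 150),
    ("print-srv", "medium", False, 200),
    ("file-srv", "medium", True, 40),
    ("kiosk-01", "medium", True, None),
]

# Constructed incidents: (id, breached_at, discovered_at, detected_by_automated_control).
INCIDENTS = [
    ("INC-1", datetime(2015, 3, 1), datetime(2015, 3, 11), True),
    ("INC-2", datetime(2015, 5, 2), datetime(2015, 5, 4), False),
    ("INC-3", datetime(2015, 7, 10), datetime(2015, 8, 9), True),
]

def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 for an empty population."""
    return round(100.0 * part / whole, 1) if whole else 0.0

def configuration_quality(assets, tier):
    """Return (% of tier assets with compliant configs, whether the tier target is met)."""
    tiered = [a for a in assets if a[1] == tier]
    value = pct(sum(1 for a in tiered if a[2]), len(tiered))
    return value, value >= TARGETS[tier]["min_compliant_pct"]

def patch_compliance(assets, tier):
    """% of tier assets patched inside the tier's window; unpatched assets count as late."""
    tiered = [a for a in assets if a[1] == tier]
    window = TARGETS[tier]["patch_window_h"]
    on_time = sum(1 for a in tiered if a[3] is not None and a[3] <= window)
    return pct(on_time, len(tiered))

def mean_time_to_discover_days(incidents):
    """Average gap between breach and discovery, in days (the detection gap)."""
    gaps = [(discovered - breached).days for _, breached, discovered, _ in incidents]
    return round(sum(gaps) / len(gaps), 1) if gaps else 0.0

def automated_detection_rate(incidents):
    """% of incidents first detected by an automated control."""
    return pct(sum(1 for i in incidents if i[3]), len(incidents))
```

On the constructed data the Critical tier misses its configuration target (80.0% against 95%) and only 60.0% of Critical assets were patched within 72 hours, which is the kind of risk-aligned shortfall the slide suggests reporting to the board.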