Honeywell.

com

Cyber Security & Remote Services

December 2011

Frans van der Scheer

Page: 1
Honeywell Proprietary
Year: 2011

Honeywell.com

Agenda
Cyber Security
Multiple aspects / considerations, Standards & certificates
Remote Services
Service Node
Private Remote Service Center
Virtual Patching (if time allows)

Safety and Security >> We need both

Safety is protection against accidental events
Security is protection against intentional damage / theft
Example: A path can be safe because there is no risk of falling however
the same path in Afghanistan will be safe if also secured by military troops

We cant work safe without security controls to protect people and organizations against
hazards and e.g. intellectual property theft. (access control, authentication, etc.)
Despite security systems, people create (unintended) unsafe conditions (like sharing
information, later used in some form of physical / cyber attack)
Page: 2
Honeywell Proprietary
Year: 2011

Honeywell.com

Organizing security to create safety

Organizing Security means considering:
Process aspects (designing policies / procedures,
security management system and ready for 4)
People aspect (awareness, training, check / Control &
Safety
corrections of employees, etc.) System
Technology aspects (Various security systems) Cyber

Electronic

Physical
Security is built by a Defense in Depth Strategy
Multiple layers, each containing multiple security
solutions
Total defense to be in line with acceptable risk profile
Detect security incidents timely and handle before
harmed >>> Be Prepared

Page: 3
Honeywell Proprietary
Year: 2011

Honeywell.com

Process aspects in security

Example: Lockerbie

When processes not

properly working,
our safety is at stake

Just before Christmas 1988, Pan Am Flight 103 was blown up over Scotland, killing the
259 passengers and crew members on their way from London to New York and 11
people on the ground

From the evidence it has been proved that the primary suitcase containing the
explosive device was dispatched from Malta, passed through Frankfurt and was loaded
at Heathrow.

The absence of an explanation as to how the suitcase was taken into the system is a
major difficulty
Page: 4
Honeywell Proprietary
Year: 2011

Honeywell.com

People / behavioral aspects in security

How people use security
systems / behave is essential

General security precautions Examples Cyber related

It is unwise to leave door keys under a Password written down on the

flowerpot, mat, in a letterbox or similar back of the keyboard, too simple,
hiding place. Burglars find them. everywhere identical
Items left lying around such as ladders,
tools, gardening implements, Sloppy with documentation /
lawnmowers and bicycles, can attract a network drawings of the system,
criminal onto the property, and some of back-ups easily accessible,
the items may be used to gain entry. tooling PCs left unguarded.
Open garage doors and open windows
can also be attractive to criminals.
Some passwords always working
Windows should have security fittings,
in each system (backdoors)
particularly if left open.
Page: 5
Honeywell Proprietary
Year: 2011

Honeywell.com

Honeywells Security Solutions

REMOTE ASSETS PERIMETER PERIMETER LIGHTING ACCESS CONTROL
Pipeline/Land/Marine Deterrent/Visual Intruder Detection Deterrent/Visual Smart Cards &
Extended Boundaries Boundaries Monitoring Biometrics
Surveillance
Accountability

CYBER SECURITY LAN/WAN

CCTV / DVM VISITOR

Surveillance & MANAGEMENT
Assessment Contractors-Visitors
Visual Security Contractor Management

Safety
Control Systems
Systems

Page: 6
Honeywell Proprietary
Year: 2011
 >300 open (unknown to

Honeywell.com
public) vulnerabilities
requiring patches
Cyber security in the news daily Security Institutes paying
NIGHT DRAGON >1500 people to find new
vulnerabilities
Steal information (financial
documents related to field
exploration and bidding and
even data from SCADA
systems)
Target: Global oil, energy,
and petrochemical
companies

STUXNET
Sophisticated
virus
Specifically
targets industrial
control systems Students will walk out of this class knowing how to find
and exploit bugs in software. This is useful to both
4 zero-day developers and hackers.
attacks The exploit component will teach each common bug type
including: stack overflows, function pointer overwrites,
Spreads by USB heap overflows, off-by-ones, FSEs, integer errors,
uninitialized variable attacks, heap spraying, and more.
keys
Page: 7
Honeywell Proprietary
Year: 2011

Honeywell.com

The 5D security model

A comprehensive approach to security follows the 5D model
Deter Banners, awareness campaigns (legal)
Deny Take care of access control filters, both ingress
and egress. (Stop it at the front door)
Delay Create a defense in depth protection (Multiple layers)
Physical, Cyber, Control & Safety systems
D
Detect Guarantee a timely detection of a successful breach
Destroy Guarantee an adequate response to stop the attack
(security incident handling)

Remote versus non-remote dilemma

Not connected systems are vulnerable as well as so far 99% of incidents in
DCS systems today are started from the inside
Connected systems can be updated immediately against new cyber threats to
protect against outside + inside attacks
Page: 8
Year: 2011 Remote to protect against threats from Remote Honeywell Proprietary

Honeywell.com

Cyber Security ; Best Practices for Open Systems

Protect perimeter of the PCN against intrusion Avoid unwanted entrance
Firewalls, proxy servers, IDS/IPS, etc.
Harden PCs / Servers Reduce attack surface
Remove services not required
Do not install unneeded software applications
Close all communication ports if not required
Design / Implement secure networks (architecture) Reduce risks by design
Multiple layers / zones (If problems occur, contain it)
Interfaces / OPC / sub-networks (restrict data flow)
Site Policies / Procedures / what if scenarios documented Reduce Operational risks
Login / Password access / usage
USB drives / laptops avoid incidents
Back-ups confidentiality / availability
Patch systems frequently for known vulnerabilities Cope with known problems
Balance effort against risk (consider virtual patching)
Protect against viruses by up to date signature files
Protect against threats from outside of PCN +
Protect for unwanted effects from USB drives / laptops
Manage PCN security (who, what, why, when recording) Prove still compliant
Proper change management implemented
Page: 9
Year: 2011 We have the knowledge, skills and experience to support you ! Honeywell Proprietary

Honeywell.com

What can Honeywell do to help ?

Audit / Assessments
Network, Security, Domain, Back-up & Restore
Consultancy Services
Support development of Security Management System, Incident
responds
Training / workshops
Design / redesign networks / domains
Defense in depth, Virtualization, BCC, NAS/SAN concepts
On-site Implementation / commissioning
(Remote) Services
Virus Protection
Patch Delivery
System Monitoring
Page: 10
Honeywell Proprietary
Year: 2011

Honeywell.com

Cyber Security Standards & Certificates

Page: 11
Honeywell Proprietary
Year: 2011

Honeywell.com

ISA Standards - ISA99 is the standard for cyber security

The International Society of Automation (ISA) is a non-profit technical society for
engineers, technicians, businesspeople, educators and students. ISA members are able to
gain input from professionals around the world. ISA professionals work in numerous fields
and provide expertise in diverse areas.

ISA Standards helps automation professionals streamline processes and improve industry
safety, efficiency, and profitability. Honeywell is strong proponent of standards and as such
actively participates in standards groups such as providing leadership to ISA99 / IEC62443
through co-chairmanship of WG4.

Honeywell is a founding member of the ISA Security Compliance Institute (ISCI). The ISA
Security Compliance Institute developed the ISASecure certification within the framework of
the ISA99 security standards ;
ISASecure certification is an international standard
ISASecure certification provides asset owners security assurances INDEPENDANT
ISASecure certification intended as requirement in procurement documents

Companies like Exida can execute audits based on this, like audits for ISO 9000 are done by
Veritas, Lloyds

Page: 12
Honeywell Proprietary
Year: 2011

Honeywell.com

ISASecure certificate SM

Page: 13
Honeywell Proprietary
Year: 2011

Honeywell.com

Achilles certificate

ISA-99, ITIL, WIB org.

companies and
Achilles certification
Require processes
in place to deliver
secure systems
Shell not ordering
after 2011 if DCS
vendors not certified
by Wurldtech
Achilles bronze level
for starters
Page: 14
Honeywell Proprietary
Year: 2011

Honeywell.com

How to get started to improve cyber security ?

Honeywell is chairing the ISA99 / IEC
62443 WG4 international committee
where vendors jointly with customers and
industry experts define the guidelines for
cyber secure systems in our industries
ISA 99 Framework for DCS
Not all chapters are published yet

Security Audit
Check policies, procedures against requirements ISA99
Perform GAP analyses between desired and actual Security Assurance Level (SAL 1-4)
levels by comparing 7 essential security principals for each security layer / zone

Security Assessments
Verify actual situation conform company policies / procedures
Site interviews & verification,
Testing and ethical hacking (under strict regulations can be part )
Report and Recommendations
Page: 15
Year: 2011 Start: Understand the gaps to fix the problems Honeywell Proprietary

Honeywell.com

Remote Services

Page: 16
Honeywell Proprietary
Year: 2011

Honeywell.com

Business Benefits when using Remote Services

Service level increase as PCN support can
be remotely provided 24/7 (instead of only
when an engineer is at site)
Saves waiting time (e.g. visa) + cost to
travel to sites
Allows highly specialized engineers like
TAC, OSS, APC to provide support when
required
Less in-depth IT skills required in customer
organization as more complex IT-part can
be handled remotely by Honeywell
specialists
Allows remote engineering of small add-ons
/ changes, etc. (quicker / cheaper to
implement)
Page: 17
Honeywell Proprietary
Year: 2011

Honeywell.com

Remote Connectivity ; What do you get ?

Provides remote access to mission critical systems

For the delivery of

Reactive services (i.e. manual diagnostics, troubleshooting)
Pro-active services (i.e. automatic monitoring & alerting)
Remote engineering (i.e. Projects, APC, 3rd party)

Secure network access available

Honeywell customers
Customer approved 3rd parties
Authenticated Honeywell engineers

Connection is secured by
Firewalls, proxy / relay servers, VPN tunnels, encryption
two factor authentication (what you know + what you have)
Recordable & auditable
in full control of the site (kind of built-in permit system)

Page: 18
Honeywell Proprietary
Year: 2011

Honeywell.com

Service Node
Enterprise Switch
Proxy
Pair of DELL Server Class devices
Level 4
Server residing within the PCN
Firewall Full PCN view of all connected
Terminal Patch Anti
eServer
Relay devices
Srvr Mgmt Virus Server
Level 3.5 DMZ
Domain ESF PHD Service
Srvr Srvr
Experion EAS 3RD Party App Subsystem
Facilitates secure connectivity
Srvr Node
Srvr
Control Interface
Access completely controlled by
Customer
Level 3
Router Optional HSRP Router Receives and manages patches, AV
ESC ESF ACE Experion EST ESVT Safety Terminal Domain
files and updated scripts
Srvr Manager Srvr Controller
Transfers data, files and alerts
Facilitates all Honeywell remote
Level 2
offerings
Qualified Cisco Switches

Level 1
Captures predictive system
health/performance parameters
Analyzes and alerts, requests more
data or performs actions
Captures standard IT parameters
from 3rd party PCN devices
Page: 19
Honeywell Proprietary
Year: 2011

Honeywell.com

Request Access !

Terminal
Server
Allow?

Page: 20
STOP
Honeywell Proprietary
Year: 2011

Honeywell.com

Honeywell
qualified AV
signature files
(daily updates) Automated
Multi-stage
Deployment

Page: 21
STOP
Honeywell Proprietary
Year: 2011

Honeywell.com

BeCyberSecure Honeywells Cyber Security website

McAfee signature file testing /
qualifying
Daily new updates
Multiple systems tested like TPS,
Experion, PHD
Multiple Releases (actual release -
2)
Preferred AV solution
Paid Service

Symantec signature file testing /

qualifying
Not yet

Whitelisting coming in future

releases (pilot end of 2011)

Page: 22
Honeywell Proprietary
Year: 2011

Honeywell.com

Automated
Delivery
Honeywell
Qualified patches
(per system & Manual
per release) Deployment

Honeywell
Service
Engineer

Page: 23
STOP
Honeywell Proprietary
Year: 2011

Honeywell.com

Patch Info for Honeywell systems

Page: 24
Honeywell Proprietary
Year: 2011

Honeywell.com

Analyze, check
trends, create
reports &
recommendations

Supervisory system
collects performance
info from Controllers

Page: 25
STOP
Honeywell Proprietary
Year: 2011

Honeywell.com

Private Remote Service Center

(Alternative for large/multi site customers)

Page: 26
Honeywell Proprietary
Year: 2011

Honeywell.com

Private Remote Service Center

Page: 27
Honeywell Proprietary
Year: 2011

Honeywell.com

Private Remote Service Center - Conceptual

All in-
in-company connections between
customers sites globally
Remote Access to all sites
Technical support during incidents
Systems performance monitoring

+ other collaboration opportunities

Page: 28
Honeywell Proprietary
Year: 2011

Honeywell.com

Private RSC Technology allowing collaboration

* for Illustration only

* for Illustration only

* for Illustration only

Training / OTS
Monitoring ; Support
Test Lab & * for Illustration only
Remote Operations

APC Optimization &

new developments

Private
Remote
Service
Center * for Illustration only

Central Infrastructure
Private clouds
Off--site Back
Off Back--up / BCC
Page: 29
Honeywell Proprietary
Year: 2011

Honeywell.com

Thank you

Q&A
Page: 30
Honeywell Proprietary
Year: 2011

Honeywell.com

Malware contamination

No Malware contamination

Malware communication
is stopped while other
communication continues

Page: 31 STOP
Honeywell Proprietary
Year: 2011