How Can I Sign California Banking Presentation

How can i industry sign banking california presentation secure

good morning everyone my name is Kelly cane and I'm the marketing manager for Wonderware NorCal thank you for attending our webinar today cyber security best practices after the webinar this morning we will be doing a short Q&A please have any questions or comments into the Q&A box the chat box or email us at webinar at NorCal Wonderware calm now I'd like to introduce your presenter for today's presenters for today's webinar your first presenter will be Wonderware NorCal product specialist mic lefthand and your second presenter will be tim johnson the global principal cybersecurity consultant from Schneider Electric so now I'm going to go ahead and turn it over to Mike good morning Mike hi good morning Kelly good morning everyone thanks for joining us for our cyber security best practices webinar we've got a great webinar today and really looking forward to introducing you to Tim Johnson who's a great technical resource from the cyber security team at Schneider Electric so I'm going to present for about 10 minutes just doing a brief overview of one we're in the market plus today and some of the cyber seek security solutions that we offer and then I'll turn it over to Tim Johnson and he'll be talking about best practices for securing industrial control systems so one or today is the global market leader for industrial automation software and we are used in 1/3 of the world's plants and facilities been around since 1987 we are now owned by Schneider Electric another global automation company and whatever is the lowest risk data solution with the best track record for preservation of investment and tremendous amount of resources for support and very scalable allowing you to start small and grow over time and add functional capability as the business requires when we're dark has been your local resources 1992 we provide local training technical support and ongoing education as well as system consulting and sales and we have a large system integrator partner community in local to you to help you with projects at that picture of Daniel Nicholas I'm sure some of you folks that work with Daniel and and again we have a great local support team the first line of defense for answering all your Wonderware technical questions to make sure you get your projects moving in the right direction so I wanted to talk briefly that some of the one where product solutions that we have that relates to cybersecurity one of them being in such access anywhere so in touch is our HMI human machine interface software for monitoring and controlling your plant and what in such access anywhere does is provides a secure remote access solution for accessing your SCADA system remotely so for those folks that need to monitor their plant performance and efficiency and security reliability and health of the plant we need to get that information on the go whether that be on an iPad or an Android a mobile phone or even from a laptop or a desktop computer wherever you are if you need access to your data system in such access anywhere provides a secure solution to access in touch through a web browser so that being Safari Chrome Internet Explorer Firefox and it provides a very easy way to access your skin system but what's really neat is the security behind in touch access anywhere it gives you a secure gateway to place in a DMZ which stands for demilitarized zone and it's an IT best practice for really securing the access to your SCADA system by placing the secure gateway off of the stated control network and basically it acts as a gateway so it's the when somebody wants to access in touch they use their windows credentials to do that against a webpage which is the intouch access anywhere secure gateway and I'm going to show you a demo of this but basically the DMZ sits outside of the SCADA control network and when people want to access the SCADA system they go to a webpage which is in the DMZ once they authenticate with their Windows credentials it then actually launches in touch running on a Windows 2 terminal server on the skater control network so let's just take a quick look at what that looks like from an operator standpoint so I'm going to go ahead and go jump to a web page and I go to my in touch access anywhere web page here and this is a public web page you can actually go to it if you'd like and I'm going to enter my username and password and I'm going to specify the in touch application I want to and this is the webpage that's in the DMZ okay so it's off of this gated control network once I authenticate it's actually going to launch in touch which is running on my scanner network so from an operator standpoint they don't have to understand any of the security that's happening behind the scenes and now I've actually got full in touch running and I can see some of my dashboards here and I can drill down into my HMI and I can see what's going on if I want I can even take control of the plant if I want to typically provide a second level of login into my Wonderware application to actually take something out of read-only mode and put it into a manual mode I can actually have control of the plant if I want to or I can just make it a read-only type application we've got an OEE dashboard but I can see my alarms if I wanted to embed my trending I could have trending embedded it this is full in touch okay without compromise so it's full in touch running within a web browser so again I can access this from any device being a mobile device at laptop a desktop client it does not matter we do also have us going to talk about a couple of best practices documents that are available to to you and these are publicly available documents but we just wanted to share that these are some of the current best practices guides for securing industrial control systems that Tim shared with us one of them being the framework for improving critical infrastructure cyber security by the National Institute of Standards and Technology you can see this is a very current document and then there's another one for securing industrial control systems and securing additional control system security so if anybody would like copies of these documents that were happy to send these to you or send you a download link just go ahead and feel free to request them in the chat panel and we'll get those apps you another cyber security solution we have is our enterprise historian solution so people want don't just need access to their HMI that's typically going to be you know operators and supervisors that are responsible for running the plant real time but for those folks who responsible for actually looking at the analytics of the plants making sure that they've got the reporting from a production reporting standpoint from a regulatory compliance standpoint people need access to historical data and the secure way to give people access to that historical data as by replicating the historian data that's on the SCADA control network to a enterprise to your to historian again in a DMV that same concept that we used in the intouch access anywhere secure gateway you can place that his peer to historian in the DMZ again is the best practice it doesn't have to be a DMZ but from a cybersecurity best practice that is something that is recommended and now anybody on the business network can access that historian data typically with historian client which has our Excel add-in and are trending interface for doing historical trending analysis we have our dream report reporting solution which is a very nice solution for helping folks create reports automate reports not just from the one where historian but also from other third-party reporting sources and databases and then of course we support Microsoft sequel reporting services as well being that the one of our historian is a Microsoft sequel server front end so our enterprise tier-2 historian is a great cybersecurity solution for giving anybody in the organization or even outside of your organization secure access to your your historical plant data so again that's just going to be read-only data data that people use for reporting purposes not to actually control the plant so with that I'd like to go and introduce you to Tim Johnson he's the the global system consultant for the cyber security team on from Schneider Electric Jim great thanks Mike Tim I'm passing the presenter role over to you okay thank you very much okay oh we can see your screens just fine thank you thank you my name is Tim Johnson as I mentioned I'm a global principal consultant for the critical infrastructure and security practice for Schneider Electric so with that I'd like to introduce a few things in with that our team in the North America so the practice has been around for a little over ten years now and we've been specializing in what we like to call operation Technology Solutions in operation technology for us is that technology of getting anything basically from your control networks or your process automation SCADA networks all the different names we call them up and interconnected to the business network along with that is also the things that were just discussed as far as some of these new technologies and things that are coming out how do you get those implemented into your SCADA network or your scaley implementation without affecting your overall security with that and those are the things that our groups have been doing for the past ten years we've worked in various industries all the way across from Poland water water waste water oil and gas refining a lot of energy sector up as well and with our experience with this as you can see here the reason we have this picture up is not necessarily to show our pretty faces off to everyone but to show that this is a living breathing team that's out there as I mentioned this teams been in existence for a little over ten years now and so the things that we discussed and technologies and things we implement have been out in the field for that time as well so these aren't new things that we're trying to bring the market just because cyber security is a hot topic right now and so some of you might be asking you know why is security for industrial control systems a hot topic right now and kind of let me back up for a second I'm you know we're kind of using the term industrial control systems as a catch-all that can be anything from a pure skate of play PLC's distributed control systems any of those so it kind of encompasses that whole area with that and so as we go through this I'm going to say when I say industrial control systems kind of let it flow into what this could be because you know there's a lot of mileage will vary with this another thing I will bring up while we're kind of talking about that right now is we've started with the purchase with the integration with Schneider Electric we're starting to do things with their building management systems and some of their products and the things that we've seen are these approaches and methodologies and strategies that we've been using for Wonderware and try conic safety systems and the Foxboro product lines those things strategies move over to those which was a great thing to see that these concepts we've been doing for last ten years actually go across multiple products again that ties back into the industrial control system statement I made a moment ago those I mention why is it becoming important those we've all seen more and more attacks are happening out in the field you know starting about six or seven years ago we started seeing more taxing industrial control system space we're getting a lot more market penetration a lot more visibility into the world of what's going on with that you know what now leading into that what we're seeing are actual news events now relating to what we're doing and what we're in like I've mentioned I've been with the group almost seven years now and the first two to three years I was with the group we really saw no attacks no market anything about cybersecurity and cyber security really was it that big of an issue for the industrial control system market you know we still had island in systems where you're using legacy protocols things like that but all the sudden things started happening we started getting more attacks and now the sudden it seems like all the time we have attacks popping up all over the place with this and we're getting more and more enough announced each month each week so now the control systems are out on the market there are notice by attackers and they're being attacked so what is this led to okay what is leading to and this is one of probably a lot of you're on the call today is to get an idea what's going on or some of the concepts that are out there so what we've actually seen change in the last five to six years is more compliant more compliance requirements so either regulatory compliance is being pushed down talked about especially the state of wastewater you know there's even rumblings about there might be some compliance or regulatory pushed out to that we're getting more pressure from the corporate level to do some type of basic security on the systems the requirements to reduce environment financial risk again as in the past these systems were isolated no one was releasing an attack from so they were kind of off the grid well now that management has started to see attacks and things our corporation financial risk our operation risk parts of the company are saying there's operational risk we got to evaluate and reduce out there so you're seeing you know these things cascade down the other thing is is we're just flat-out fans you know a decrease in plant safety from this so as these attacks can be taken over our systems viruses things introduced they can actually introduce a risk factor to our plans for plant safety that we used to not see enough to past and in fact like I said seven years ago when I started with this role we actually used to get that as one of the reasons not to do cyber security because you know it's like well if I do sniper I have to reboot I have to do this patching and actually can increase or decrease my plant safety by doing that so it's almost like that is totally flipped now and by not looking at some type of cyber security you can you actually risk the safety of your plant the other thing is just frankly as time has gone on we've started doing more type of interconnectivity between the systems and the business network just like you were looking at a moment ago great solution with the Tier one tier two historians but how do we get those connected securely without decreasing or compromising the security to our SCADA system in our plant how do we do remote access you know like I said in the past there really wasn't a lot of thought to this because we're still this mentality of an island proprietary system so these systems just kind of appeared on the corporate network with that and along with those lines and that's something we'll discuss here in a moment is normally when corporate find out found out about these interconnections did it became corporate protecting themselves from the process side of the network not necessarily protecting process from it so again those are all things that we're seeing and then decrease the network performance and increase downtown so you know these are things as you start to do cyber security or evaluate information security these are positive events from those because part of your cyber security methodology is you know disaster recovery which helps you recover systems and a failure aspect a lot of times as we start to put cybersecurity into network we start to identify things that no one realized were there because we now have the tools and things that weren't ever provided to you in the past to be able to find these things because what we've seen a lot in history was ignoring the infrastructure that carried this new technology for us it was all about the process the PLC's the skaters the different user interfaces those things about that it wasn't necessarily about these technologies that were carrying them so you didn't have a lot of the tools and methodologies in place to even troubleshoot some of these foundations things that were carrying a lot of this technology you were user so this has also led to a change in the market as well so we've started seeing it from the vendor side coming from in Vince's now Schneider and seeing it across a whole multiple set of product lines because now we're also revolves responsible for multiple business units within Schneider seeing responsibility that our customers are asking us as vendors so there's we're getting more requests on wanting additional security features such as file integrity checks on updates that's you know kind of another thing that's a recent event is a vendor site as far as updates with compromised and so when customers were going and downloading updates they were actually downloading trojan executables that we're putting viruses on the system so again our customers are saying what are you doing to guarantee the safety of your side why are you doing the guarantee to help provide that we're getting the proper update files what are you putting into your product to allow us to do cyber security because frankly looks look let's look back you know as soon as six years ago seven years ago it really wasn't much in the product as far as user controls at the operating system level we maybe had something at the user interface level but not at the operating system okay so there's a lot more of being requested as you know patching different things antivirus whitelisting there's all these different things coming in that's the market starting to see and asking the vendor so the vendor you know we owe that to you as a customer to give you those tools so that you have a chance to implement on top of security platform for you at your side and so this statement I like it's not so much about the Stuxnet world and for some of you that might not be familiar with the Stuxnet attack that happen it has tax happened about several years back and what it was was in the Iranian nuclear facility they had a virus they was introduced to their centrifuges and what it did was basically caused the HMOs to report back false values so that the operators thought everything was running in with written parameters of the correct parameters but they were actually doing damage to the centrifuges and it wasn't just like all the sudden BAM it was just a steady eye pack on them running them up running them down doing things to them so they would fail sooner overtime and so it actually came out that they had been going on for years and they had just thought they had they had a quality issue with the centrifuges they were buying so they were just getting multiples to that there's a couple things key to that attack that was one of that's now kind of become known as one of the more government-sponsored attacks which is kind of opened the door for other tax so you've even probably heard in the news this week about how we've had a major breach probably they're saying the largest data breach of US government information to date from a foreign government so it's kind of low opened up warfare a different type of warfare cyber warfare as it's known and again what's that going to lead to is going to lead more pressure to you guys that own critical infrastructure that on this top infrastructure to do something to secure it so but this statement is not so much about the Stuxnet attack as the thing that I like about it is is this start it changed the way we look at cybersecurity and it was about that time when this came out is when we started getting calls a request about doing cybersecurity and adding cybersecurity and so that's really the thing our point of this is that's when the mentality of this market started to change they kind of put cybersecurity on the map for industrial control systems and putting some type of security around those and it also led to this statement which i think is a not statement is it's one thing to say that your system has security vulnerabilities but it's something entirely different to say the system is insecure and the reason this is a nice statement is every system out there every OS out there has security vulnerabilities in it the thing about it is is a lot of systems exist behind the doors because they're not a popular system or there's something out there so they're not getting attacked but as soon as there's found value in attacking them then they become attacked all right so that gets into we acknowledge their vulnerabilities and we're going to fix it we're not going to turn a blind eye to it and just leave it as an insecure product let's experiment we really like that that's product press here so all of that being said what we're going to do and kind of get into right now is discussing a few things around industrial control systems and the goal for this particular discussion today is not to specifically talk about technologies are things like that that are used for cyber security the thing that we found in the past that our customers need and to be successful in this is to put a strategy in place our methodology in place for what you want to do to secure your network with that and so what we're going to do is discuss some levels of strategies and things that can be used or things to start thinking about to get you going down the pathway of introducing cyber security into your infrastructure or into your process world with that so you can kind of see from here this is what our typical customer looks like they're frustrated they're getting all these demands of you know if you need to do cyber security you need to do patching you need to do this you need to do that and there's a lot of frustration in that how do I do this how do I go about that what should I protect actually willing to get some part of what should be protected a lot of times it just there's this concept of overwhelming discouragement because there's so much in the infrastructure it needs to be looked at or identified so there's just a starting point with that and as I mentioned what we're going to kind of do is step through some of the methodologies that we've worked with with other customers but kind of help things get started and this will kind of play into as we go through this you'll start to see even like some concepts that were introduced a moment ago by Mike as far as the remote access of the tier two historians once you get a few of these once you get this method methodology or strategy under your belt and you're working with it you can start to plug in additional components to it fairly easily and go forward with this so let's kind of get into it so the first thing is is you know what do we need to protect and so as part of this we got to go back and look at it so the screen a moment it goes you notice we had red screens we had red circles or boxes around a lot of different things alright so the first step is is we got to go through and identify what's important to us what should be protected because a lot of us have financial resources limits we have staffing limits as far as it so we don't have infinite budgets we don't have infinite resources to take care of everything so and then on the flip side of that not everything deserves the same level of protection all right so part of the process is sitting down and evaluating what's in your network in what is risk of basically risk worthy what is critical what if I lose this what's going to keep me from making product producing energy filtering water just pick your thing so what's critical and what is something that isn't as critical if this goes away we can still continue our process and it's not necessarily essential to what we're doing at the moment again this leg gets into identifying what to protect what is critical what's your risk and what your if you have compliance requirements with them or if you have corporate again sit down and identify what's important and then we start to put something around that as far as what's needed so if we kind of go with that and we start to put it in here so let's say we've gone through and we've identified what we just shown there so our is our key areas now we start to implement Network segregation so we've been identified from the moment of from a moment ago where we were talking about let's identify what's critical we've identified these two areas as critical so now the next phase is are these two areas that we need to protect they might not be the same level of criticality but they need to be protected so now the next thing is is we need the proper network segregation so again back to what Mike showed you a little bit earlier if you remember we had the tier one historian in the tier 2 historian he has at tier 2 and the Dean all right that's getting into Network segregation we won't want things to sit on the same networks whereas in the past you may have had a peer to historian sitting directly on the business network a Tier one historian setting straight on the processed network and there's a communication path directly from those in which in today's star conscious control system world is not really the ideal path for our customer to go down so what we're looking at is creating some type of layered approach all right and so that's where we introduced the dmz for your historian in the US here - historian so we've got the idea of segmentation now so from there we want to put in electronic access points all right so now we've got segregated just as we looked at with the tier 1 and tier 2 historian example a moment ago they need to be able to communicate with each other but we don't want them to have open communication and direct communication on every port we want to control the only the things that are needed all right again this is kind of where we're moving away from the traditional white used to happen in the industrial control world process automation skated those type of products is basically we used to just open up all the ports or have a full communication path now we're trying to limit things so that if we have a compromise in one zone it doesn't have a direct control and access path to another zone so that's what we're introducing electronic access control with that so now what we're doing is controlling the entry point or as we like to call it the ingress or egress points into our control system our process automation networks another thing that you're going to start to get into is some technical control so what we've moved into now or what you would refer to as more of your technical controls all right whereas when we are identifying your network what's important the risk analysis things like that those are more of your methodologies and establishing your program and what's important now once you identify that we've got to move into the technical controls how do we put technical controls in so that's going to be some of the things we're looking at in this section here so system hardening system hardening may be a term a lot of you've heard of and some of you may have n't in a short sentence system hardening is just taking the system and removing all the unneeded items from it all right if any of you bought computers from Best Buy even at Dell for a while you know it comes in and has a ton of extra applications on it that they're trying to market and sell to you okay system hardening goes in you would take and remove all of those so even in a even in an industrial control system space these systems come in with some extra programs are things only that aren't needed so again go through and remove those programs they run some services like a lot an example of a service hardening would be most almost all of our environments have static IP addresses in their hard coded on to the system so you really don't need the DHCP client running which is the dynamic host control protocol client which goes out and grabs an IP from a server so if there's no server to get an IP from you don't need that service so let's turn that service off that's one less attack surface that an attacker would have to compromise your system with so again what what hardening is openly goals to do is is lower the attack surface that someone would have to hit a system with and again this can be switches Hardware servers workstations sequel servers any of those type of items we're wanting to remove extra services and even some of your PLC's and things in today's world you know they're running things on them for example a lot of them run web servers now so that you don't have to let easier to configure well maybe your engineering station directly connects to it and you can configure that so you don't need that web service well what we would do is disable that web service with that select I said a lot of what we're talking about our high-level concepts and mileage will vary but what we want you to get kind of wrapped your head around is this concept of it and with this so after a system hardening we've identified what's important to us but let's look at that one segment so that's what's blowing up right now well that's that one control system network that we were looking at so this could have our user interfaces it could have historians on add engineering workstations multiple things that are actually supporting what we're doing as a process level far is this so we've already identified Network segmentation we've identified what's important so now let's start and adding in some additional technical controls so what we're looking at are some of the basics of why the control system in today's secure environment need to have incorporated into them like I've mentioned a moment ago before we can get to this we have to identify what's important what should be protected so we effectively spend our money and use our resources that's upon that point we move into technical controls and almost everything we're seeing in request for proposals different things now and from the corporate level is you probably even heard it is there wanting role based access controls or our backs and the way we achieve that in a common way is using Microsoft Active Directory and so in what that's ultimately Bolling down to you guys that are owning the systems is traditionally in the market all these systems have been treated as a standalone workstation which means each one is operated and managed separately because the operating system was just a means to get the application the user interface running to do the work for the plant that you're needing to do or the process that you're performing it wasn't about the operating system is about the user interface and the software you're using for that to control the process but what's happened is these operating systems when these host machines and host networks are an intrusion are not an intrusion but the pack vector into the actual process that you're doing so now what's happening is we're having to backup and secure those and then move forward again so what we're talking about is using role based access controls and role based access controls means you only give a person enough privilege to do the job that they're required to do and frankly in our market across all vectors of it SCADA dcs building management all of them have been abuse of users for years it's kind of been you know the concept of user control really wants up there because we knew everyone and the different things around it so really wasn't there but now what we're need to do is control who can log into a system not only at the user interface level but also at the operating system level and that's where ad helps us out the other thing that you're seeing is malicious software prevention being pushed back in there and what we're actually doing with that is actually going to the next level and what we like to call enhanced malware protection an advanced malware protection has several different elements in it one of the biggest being is device control and what that introduces is the ability to control removable media such as the biggest threat to our network a thumb drop a USB drop with that which frankly that's how even in a nuclear environment that was isolated in air-gap that's how they got Stuxnet into that was through a USB Drive and then lack of patching all right so if we have a centralized means to control removable media we're already eliminating one of the biggest threats to to our network with this now also as we move into this what you're going to start seeing is the concept of centralized anagement whereas before when I was talk about earlier we usually had standalone systems standalone workstations it was more of a decentralized process so there really wasn't a centralized way to manage users to manage security on the systems to manage antivirus any of those things we had to go to each machine to manage those in some form or fashion whereas now what we need to do is as we go into cyber security we need a way to centrally manage these things a patching server again how can we we're trying to make this process as easy as we can so we've got a patching server that's out there a lot of different technologies to do that again it really depends on your environment and what you're trying to achieve upstream that you know how these how can you get patches in so there's a lot of different ways to achieve this and that also gets back into your strategy then we're talking about a little bit earlier back up back to what I mentioned a moment ago okay instead of having maybe we'd rather back up here there once a while or we do it to a USB Drive we introduced the concept of centralized backups we can send those back to a centralized server where all the backups reside and then from there we can do a backup to removable or off-site top media and take that out for disaster recovery we use the local storage the local centralized storage for immediate recovery for a something that's happening right there we need to recover our system a file something that got corrupted immediately but in the case of a tragic vid or maybe we lose a building a fire something like that and we need to recover we have off-site to recover even more with again these are kind of starting to put things together starting to formula as a plan one of the last things that we usually talk to customers about or near last is a logging server and what the logging server introduces is there's multiple ones there out there you've probably heard of a theme which is basically logging with correlation and intelligence really pretty expensive to implement and maintain with that down to a logging solution that's a little bit simpler which is one the other we have multiple logging things that we work with with customers to identify what they need down to just a basic logging server that tells you basically enough such as failed logins changed usernames passwords just events and they notify you about it with that so again it's kind of working with your environment and the strategy of what you're trying to get to determines what you have and then I had really hit on it too much yet a lot of these strategies we're talking about and again talking about the methodology and strategy that you put together tie back into resourcing and interaction with corporate so there's certain things from the corporate that makes sense to have them monitor and maintain for you and then there's certain things that make sense for the ICS owners or stakeholders to own and maintain for that and so it's identifying that that good mix for for you and what makes sense and I said that varies from Scots aside and with customer interaction another thing and this gets back to what I talked about earlier as far as network performance going up we introduced several different tools that are actually monitoring switch performance hard drive performance memory performance all these different stats that are running on the infrastructure and the technologies that are hosting these critical infrastructures for you and can give you alerts and performance alerts in the case that something's starting to struggle one of the key things that we like for this is you know we want something has historical data on it right so that we can pull up and say okay this switch ports running a hundred percent utilization but what's it historically do well maybe it's been running that utilization for several months now and it's just now that you've got another problem on the network that you're trying to troubleshoot you see it so instead of looking at a switch and it has a hundred percent utilization you're like oh that's a problem and when it's really not this gives you a tool to track to go back and help you solve problems a lot faster does that just mention a moment ago what we're wanting to actually look at here is more of a concept of as we just noticed a moment ago if I go back to slide you know just introduced you know several servers in one two three four five servers right a lot of customers don't have the money nor the space to introduce five new pieces of hardware so what we're talking about on this slide is actually taking those servers and putting a concept in a centralized cyber management all right and what that means is we're going to what we want to do is introduce what we like to call a management server and the management server is just a concept or term that we use to kind of so we all can agree upon a name of something when we're talking about it and it can be any type of server hardware and os and what it's going to do is host multiple multiple functions for you and so again I kind of like to equate it to an engineering workstation and so you can sit down and take care of multiple tasks from this one system are if you tied into the access anywhere product you can remote into it and do tasks from it as well and controlled manner so what we're going to do is basically go through here and take these different services and hardware and move them over to this one server and now we have a centralized place to go manage the different components of our network and it's easier to do just that it's very similar to an engineering station so that's kind of the technical controls for putting things in place to get up and running like I said those are that kind of quick run-through was what the industry is looking for is basically best practice introduction to putting technical controls into your network what we're going to look at here is just a little scenario right quick on remote access so what we're demonstrating here is again a couple of things is if you're looking at it you'll see that we have some access controls in but we necessarily don't have the right amount of network segregation so if we have a remote user they're coming in from this client maybe to a cloud service or the internets they're allowed through the corporate firewall the thing to keep in mind is and what we're demonstrating through this is network segregation and why it's important is all these firewalls are doing what they're supposed to do they're protecting but what we're doing is coming through here hitting this web server this web application server from the corporate land that's going through and pulling from the database server that's on our our process network on the backside and so that's what we're demonstrating here and everything is working the firewall rules are doing exactly what they want to do but what it allows us to do is introduce through this because we don't have a proper amount of network segregation we're able to introduce a virus into this and it's easy to do no but what we're showing is the concept of hacking and how it works because in a half key environment or when you're compromising a network spell them do you get from A to B you know that's if you get that a to b you hit a bonanza and you're really happy usually it is compromising multiple systems along the way to get to where you're headed so in this case we're actually looking at compromising one system and that's the web server all right because everything is performing the way it wants the remote client can hit the web server web servers making sequel calls back to the historian and all the firewalls are seeing the proper calls so again I'm looking at two types of attack to get in there and then once I'm in there I have an open network to bounce around and do different things with off of this so what we're going to show now is if we had network segregation we would introduce some additional electronic access controls we're going to do our system hardening so what we're going to do in almost step through this rather fast is we put in the same technical controls we had before a user access controls patching server and backups go again what we've done is applied those same technical controls into this system so if you kind of look back to earlier when we identify two zones that were important to us these are those two zones expanded upon and so now in the logging server on here so now in order to get to that historian I would now go through the same firewall hit the web server and the web server would go into a tier 2 historian that's in this area that we just created which would then make a call which would serve up the data and so what we would be doing under a tier 1 tier 2 top scenario is our historian from was fit within the process network is pushing data up to the tier 2 historian so there's really not a direct access to that process network like we had before so we're basically putting a system out there that if it becomes compromised doesn't necessarily give a direct threat to our process Network what that kind of does is bring us to about our team and some of the services we offer as I mentioned we've been doing a Scottish security for industrial control systems for over 10 years now we have a lot of different services all the way from planning strategies assessments gap analysis all of those things all the way into remediation forums so we can kind of step into multiple scenarios if you need to do planning or resourcing we can do that if you've gotten a gap analysis you need some help with remediation we have portions of the team that do that as well on there with all of that that kind of brings me to the end of my portion of it and I'll pass it back over or actually I think Kelly will take it back don't have to do any work on this one in right thank you can forces right so if you do have any questions you can type them into the chat box or the Q&A box we do have a few questions that have come in the first one is what is the first step we need to take to get our cyber project started so there can be multiple steps but multiple is kind of a variable question but in general the first thing is is really just to set up a call and we can sit down and discuss what's going on with your network or what your requirements are or the problems you're trying to solve and ultimately where that ends up going is with a gap gap analysis or a gaps assessment for your network so that we can put that plan and strategy in place that I talked about earlier because the key thing for success on these networks that we've identified over the last ten years is having a plan and strategy going in and trying not to do it at ad-hoc okay thank you another one we have firewalls in our network and are running antivirus what else would we need so that's a great great starting point the thing that ended would you be looking at is kind of a gap analysis and see where you're at as we just demonstrated the thing that you would need to look at is expanding on some more technical controls so do you have the right amount of network segregation in are you doing some of these other technical controls such as hardening antivirus patching things like that so those are great steps and you're going down the right Road and the right path now it's just to look at your other technical controls and how you can expand those okay thank you another one what would the difference be between the firewall into the zone to servers and the firewall between zone 2 and the actual historian ok so I think I'm on understanding that one so what we're looking at and basically what the market has adopted as a best practice and a strategy is it's really frowned on or really not optimal to have a direct communication from the business networks to the process network and what that means is in today's cure environments they want to have some type of stop off zone which is that DMZ that we're talking about the whole purpose of that is is another hot force another hop or another point that has to be compromised to get into the process network so we don't have a direct path in so if that corporate machine becomes compromised then it could possibly open a direct pass into the control network by going to a DMZ host what you're offering is a it's going to serve as the buffer between your process network in the business network and so what we're looking for is that buffer our prot you'll hear it called a lot of different things you'll hear it called Bastion host proxy holes there's different things but ultimately what we're looking for is that intermediate device that can serve as the buffer between the untrusted business networking the trusted process and the premise being to is again we have to open up more firewall ports from the business side to get to that device so we have a little bit more open access control from that whereas from that device down to from the from the DMZ down to the process Network we can really define granular rules and apply a lot more controls to it so again what we're doing is walking down our access and we can possibly the other thing is there's a lot of times in the DMZ or those systems we can patch them more aggressively we can put additional cyber controls on them that we can't put on the systems in the process network so again it just gives us more options great thank you a few more have come in is implementation of PLC password security something you recommend but I mean yeah we always recommend as much security that can be supported and maintained or that will kind of see the hesitation in my voice here is I don't recommend that as a as a mitigation to applying one of the other technical controls and and that's where we see a lot of the books where we see some issues is a lot of times we're looking for that silver bullet and when frankly when it comes to cyber security there's there's not any are very few if any out there so again you want it to have a access control so that people performing that task are authenticated and they are applying the right user level access to that device or those uses you know if they're allowed the program that read it read only different things we guess you want that but as a mission it doesn't take away from the technical controls above it because if I compromised that workstation and I compromised the username and password of network stations and that PLC assumes I'm that person and I'm doing what I'm supposed to be doing even though I'm an ill actor so like I said the thing that we usually stress is don't use something especially we kind of look at the plc in that layer the network usually is lowest level and where is like we want controls in it we want a lot more controls above it because if a hacker gets to that part of the plan we've almost lost a lot of the battle like I said that's great yes i've implemented but i wouldn't use it as a mitigation to any of the other controls okay thank you is data radio a concern with plc communications data radio yes that's what it was typed I don't know if maybe we'll come back to that one if you can clarify your question I think I think what we might be talking about okay one thing we see is Wireless I wonder if that's a wireless communication so yeah it can be again this is kind of an area you know everything you kind of have to when we're talking about this kind of have to take it with a grain of salt because I'm making recommendations without knowing environments but I've been in its purest form what you would want would be a firewall between any wireless access in your PLC's so typically the again this is a spirit and we're all happy and we have unlimited budget world we would have a firewall on each side of that wireless access point so that if that if the segment between if someone attaches to it or gets on that segment we still have access controls to where they're able to go with it so yeah as far as and we do see that especially in in the scalar market a lot of wireless being use just because you know it's a low bandwidth requirement for a lot of these applications and things but like I said traditionally at the core if the wireless networks running opti protocol so if I can manage to get on that access point and I don't have an access ontrol on the other side of it I'm on the network because be it may be a low connection speed but I'm there okay thank you and I think this is the last one I have a question about having people view the workspace text files in Visio inside of our Wonderware bas how dangerous is this I want to store the video files on our document viewer to help in troubleshooting with our HVAC crew yeah so you kind of have again it kind of gets on the layout of where that and it's the thing that you run into just off the top of my head you know is the systems are running Visio on so you're installing Visio where they install that and how are you patching them and how I maintain the patching on it and then you might have some intellectual property things to take care of so you know that a major risk it's probably it's kind of like I said a lot of what we do and gets back to this planning portion it's sitting down and applying risk and part of the risk is you know what's the likelihood and what happens if it happens you know what would happen if they did compromises so I mean if I was again in general mileage terms I would probably say mediums that I'd probably want to as far as the likelihood of someone attacking you with that it's a medium I would kind of put more of a higher level of because where the applications being loaded is there something different we can do the VAD is there especially with a lot of things with the market you can do some publish map so as I said there's a lot of things that go around it but to me the things that kind of poke just from not seeing knowing very much about it would be you know what all systems are Vizio getting loaded on what are your intellectual property risk to it in what words the files where these files that they're being stored into it and who gets access to oment and looking at some network paths would be things that I would probably be interested in okay we have a couple more minutes and a couple more questions so the next one is can you go over the picture that showed the use of corporate VPN for the remote access to the local resources I guess it's this one right here but basically what we're introducing here it's on may be missing the heart of the question but really what we're introducing what we're trying to get to is avoiding the situation to where we don't have a DMZ just like I was talking about a moment ago when you start talking about remote access and you know it's kind of one most curlier it's like oh well you know you from your phone you can access the plan as a security person that's when I start kind of cringing inside okay how we going to secure this so again it what we're wanting to in today's world is we don't want to have what's up on the screen now where we don't have a buffer between our remote access and even if you were looking at this even from assets on the inside this is not a good practice because you know I have direct access to this web server and I really don't have a buffer between my control system or my process networks land right here and what's going on in the outside world so you know that's what we refer to a lot of times as a flat deployment which is everybody like I said this is there's going to be most the majority of everyone out here is going to have this type of deployment it just comes with the nature of the beast that we've we've raised over those over the years it just hasn't been there network segregation is probably the biggest offender of things when we go out to work with customers and look at customers cause these networks have just kind of evolved and they're kind of what we like to call a Field of Dreams Network someone built it in they they came so someone put a switch in at some point and people started plugging into it that's usually a lot of these networks gets built off of here so like I said a lot of times they're flat network so segregation is splitting networks up as one of the things we do is actually that's the very first thing we do when we work with customers is splitting up the networks of what we want is internal or from remote access we want this buffer zone to be built out right there that I'm showing and that could be you know I'm showing four servers and I didn't really put names to them but you know examples of this would be your Tier two historians your access anywhere server and you would even put those in different DMZ right so just don't say okay I'm gonna put all these in one do DMZ that's why we're kind of showing things in here so your your mode access server would be in a different DMZ than your tier one because you're using them for different things now let's say you had two or three different types of remote access servers those could possibly live in the same zone because they're the same level or the same application top so again you kind of want to not stack things on top of each other with it but that's really what we are demonstrating with this is you know that this likelihood of this attack from outside world is possible but it would be a targeted attack and as we just demonstrated those are going on in the world but to help cover yourself and protect yourself from that is introducing this extra layer of DMZ isn't stuff and if kind of come out of this talk about two things that we see in the market is flat networks getting segmented out in multiple layers and the DMZ of a proxy host Bastion host being applied those are two of the biggest trends or the biggest things that customers are trying to moving to to secure plants and actually that's who the bigger things that corporate is asking them to do is add in that extra layer of buffer zone between the control the process network in the business network and I think this question is related to what you're discussing now is it on meridian with access control Meridian with access control right that's the question if we need clarification then since we can get back to you on this one we need to clarify that one further yeah so when so there's really two types of access control that we usually talk about one is electronic access control which is which is a fancy word for firewalls and those can be host-based firewalls our hardware based firewalls then we have user based access controls on there and when it comes to user based access controls those usually split out to two tops which would be user interface-based and operating system based on those and like I said it really when you start talking about products and things along those lines it's a balanced act of you know how far can I go and locking things down with that and that kind of gets back to what we've seen as vendors because you know frankly as vendors everybody used to wrap stuff so it's like well we'll just make them a local administrator because that's guaranteed to make everything run so there's really been a push over - you know last ten years to stop that practice and actually put user can you know the big things run with the least amount of privilege with that so those are kind of I may have answered or may not if we didn't let us know and we'll send up a follow-up question but this kind of general guidance we would give them around okay and we'll go ahead make this our last question since I just have a couple minutes remaining since legacy devices weren't really designed with security in mind do you recommend machines like Tofino to protect them how about creating an authentication scheme requiring handshake in between this gate HMI and the PLC's so there's two separate questions I guess yeah and I mean that's kind of a question we hear a lot about in and I wouldn't get wrapped around the axle too much between the PLC and your user interface because like I said there's a lot of things above that that need to be taken care of that could go wrong if you've got all the technical controls around things in under hand then it's like okay let's address how the user interface or an engineering workstation talks to a PLC with that because I said there's there's Network segregation it needs to go in above it with that so like you said the one thing that we're actually doing quite a bit with and McAfee is actually doing this they have a new product again what we try to advocate is centrally managed alright so that you can manage these devices and there's pros and cons with controlled managed as well but what we're looking at for this conversation is the pro of you don't have to hire a bunch of people necessarily to manage your security for a plant because we have resourcing issues when we're consulting with you guys that we got to account for and they have a bump and a wire product and the nice thing about the bump and wire product is they also McAfee has what's called a policy Orchestrator Symantec has it as well but basically it's a centralized interface where you can manage you know your scanning your antivirus update policies exclusion policies but it also with be policy has interface for device control and things like that but where I'm headed with it is off of that one interface they have a bump and a wire product which basically you can set in front of legacy products and it's basically it's a firewall but the trick deal to it is is the firewall positi policy Orchestrator and so you can manage the rules and things from it so from that one a policy Orchestrator you could turn on the firewall rules on your user interfaces on the historians and things like that so you could actually set up a policy to where they only communicate within each other and you'll be able to manage it from that one interface kofi no does basically it does the same thing is just manage a little bit differently but yeah putting a toughy know I said don't necessarily get wrapped around the axle with that because again the when you put a firewall such as a casino or even the bump and a wire in there you're putting a rule in that says let a talk to the PLC be and use these ports okay the ednan so if a becomes compromised it starts talking to be PLC it's using the proper ports its use some proper handshake so as far as the firewall is concerned everything's legit so again you have to back it up a layer and say okay am i protecting this user interface content and with the tickle controls in place on it but it kind of gets back to don't use these other things as a mitigation to not do these other sides of the house because really if you're spending money on some of those things you might be better off spent money on doing technical control for patching antivirus user access controls and things like fats first and then spending your money on that access control between the two so that's general got it you may not have any money you may lose this and that's the best bang for the buck it's but like I said in the general thing don't donate don't ignore your technical controls for things above and just put one between there okay great well thank you Tim and thank you Mike and that was a great webinar very informative so that wraps up our webinar this webinar was recorded and a recording will be available on our web site NorCal Wonderware comm later this afternoon so if you'd like to share it with colleagues you can also if you have any additional questions about the webinar you can email us at webinar at NorCal dot wonder where comm and that wraps us up so thanks everyone for attending this morning and have a great weekend thanks everybody thank you for attending everyone