Gettozero stealth industrial
© 2014 Unisys Corporation. All rights reserved.

2.
Industrial Organizations Are in the Cross-Hairs of Cyber-Attacks
Accelerating frequency. Greater sophistication.
When it comes to critical infrastructure there can be no compromise: you must maintain 100% reliability and 24/7 operations.
3. © 2014 Unisys Corporation. All rights reserved. 3
Global government
mandates and
regulations
Risk assessments
show high levels of
vulnerability
Act now…
or it will cost
more later
Regulatory are Fueling the Need for Action
© 2014 Unisys Corporation. All rights reserved. 3
4.
Today’s Security Approach Is Not Good Enough
• Current defenses are vulnerable and reactive
• Legacy technologies must continually be patched and upgraded
• Modernization poses greater risks in the future
• IP theft is on the rise
Bigger fortresses and air-gaps are too weak and too costly. Industrial organizations need stronger protection.
5.
Innovative Security Can Help You ‘Get to Zero’ Incidents
Go invisible. Reduce your attack surface.
• Protect critical industrial automation systems
• Secure data-in-motion across any network
• Prevent multiple threats with one solution
• Safeguard intellectual property
• Protect the enterprise, not just SCADA endpoints
There is a more secure and cost-effective way to protect your data and systems.
6.
Stealth is What Innovative Security Looks Like
You can’t hack what you can’t see…
(Figure: what a hacker sees when Stealth is enabled)
• Layered security for mission-critical protection
• Scalable and incrementally implemented, with no disruption
• Makes endpoints invisible, tightens access control, protects data-in-motion
7.
Stealth is Truly Innovative Security Technology
World-class intellectual property: Unisys Stealth is protected by more than 60 issued or pending U.S. patents and patent applications, including:
• Communicating split portions of a data set across multiple data paths
• Workgroup key wrapping for community-of-interest membership authentication
• Gateway for securing data to/from a private network
• Securing and partitioning data-in-motion using a community-of-interest key
• Integrated multi-level security system
• Securing multicast data
8.
Stealth Has Been Tested by the Best in the World
(Figure: timeline from 2005 to 2013 of exercises, evaluations and certifications; the recoverable entries are listed below)
• CWID 05 (USAF; AF Comm Agency)
• CWID 08 (DISA)
• CWID 09 (DISA)
• JUICE 09 (CECOM)
• Combined Endeavour (EUCOM)
• CWID 10 (SOCOM); network risk assessment
• GTRI; DJC2 PMO; SPAWAR private lab
• SSVT validation: failed to compromise
• A “large integrator” tests and fails to break Stealth
• IV&V: National Center for Counter-terrorism and Cybercrime, SOCOM
• Export license: Dept of Commerce
• FIPS 140-2 certification of the crypto-module: NIST
• EAL4+ certification: NIAP
• DIACAP MAC-1 certification: JFCOM; SOCOM
• JFCOM JIL testbed and IO Range; R&D prototype
• 2012: Emerald Warrior ‘12; SIPRNet IATT
• 2013: independent test by a client-hired 3rd party failed to compromise; and again, a different client with a different tester failed to compromise (commercial and public sector)
Acronyms:
DIACAP – DoD Information Assurance Certification and Accreditation Process
MAC – Mission Assurance Category (Level 1 is highest)
DISA – Defense Information Systems Agency
EUCOM – European Command
SOCOM – Special Operations Command
JFCOM – Joint Forces Command
JIL – Joint Intelligence Laboratory
CWID – Coalition Warrior Interoperability Demonstration
JUICE – Joint User Interoperability Communications Exercise
CECOM – Communications Electronics Command (US Army)
GTRI – Georgia Tech Research Institute
DJC2 – Deployable Joint Command and Control
NIST – National Institute of Standards and Technology
NIAP – National Information Assurance Partnership
9.
How Stealth Protects Industrial Controls
(Figure: cloaked endpoints spanning Mobile, Apps, SCADA, ICS and HMI)
• Cloaked endpoints
• 256-bit encryption
• Communities of Interest
Reduce your attack surface. You can’t hack what you can’t see.
10.
Sample Use Cases: Protect What Matters Most
• Manufacturing: guard ERP and shop-floor integration
• Chemical Processing: improve safety, prevent ICS damage and IP theft
• Oil and Gas Production: keep pipelines, well heads, IP, and remote operations secure
11.
Why Stealth Now?
Business Risk Challenges
• “Good enough” security
• Non-compliant
• Varied security profile
Business Cost Challenges
• Complex hardware deployment
• Financial impact of breach
• Private networks
Operational Challenges
• Afraid to change anything
• Management by location
• Integrating multiple solutions
(Figure: today’s trade-offs of risk, convenience and cost mapped to Stealth’s security, agility and cost reduction)
Stealth Security
• Reduces attack surface
• Facilitates compliance
• Contained compromise
Stealth Cost Reduction Potential
• Leverage cost benefits of cloud
• Prevent rather than remediate
• Significantly reduce IT costs
Stealth Agility
• Software-defined networking
• Incremental, non-disruptive
• No application changes
12.
Clients with Zero Tolerance for Breaches Use Stealth
• A non-US department of defense agency uses Stealth in a secure virtual desktop infrastructure solution
• A US government agency uses Stealth for secure telecommuting
• A large science company is implementing Stealth to protect its process control environment and safeguard its IP
• A healthcare organization is using Stealth to verify secure transmission of data between multiple hospitals
• An industry leader in graphical processors is securing remote access to virtual desktops and segmenting the internal network with COIs to secure sensitive data
• A Brazilian service provider to public-sector social services is using Stealth to securely transmit copies of disk images between multiple sites
• PCI DSS compliance for a point-of-sale environment, where the conventional approach of buying new switches and firewalls was too expensive
• Unisys uses Stealth to secure and protect its own high-value application and database servers, for secure remote telecommuting and regional isolation
13.
Don’t Just Take Our Word For It
“Unisys markets the product with the tag line, ‘you can’t hack what you can’t see,’ and we have to agree with them.”
“Stealth is an interesting product that might just be a great way to hide from hackers.”
– David Strom, editor-in-chief, Network World (May 2014 Stealth product review)
Finalist: announcement Sept 2014
Winner: Cybersecurity Product of the Year 2014
15.
Sub-Vertical Slides
16.
How to use this deck
Replace slide #10 of the main presentation (Sample Use Cases) with the appropriate set of sub-vertical slides.
• Industrial has three sub-verticals to choose from:
– Manufacturing
– Chemical Processing
– Oil and Gas Production
17.
Manufacturing Cyber Threats Section
DELETE the Use Case slide from the Industrial Core PPT Deck and insert the Manufacturing slides from this deck.
18.
Top Three Manufacturing Cyber Targets
1. ICS/SCADA: new controls and all-digital infrastructures create vulnerabilities
2. Command and control software: hackers and malicious code target Human-Machine Interfaces (HMI) and Manufacturing Execution Systems (MES)
3. Intellectual property: backdoor hacks can steal valuable industrial assets
19.
Recent Events
• 600%+ increase in ICS/SCADA vulnerabilities from 2010 to 2013
• Over 25% of ICS/SCADA cyber-attacks in 2013 hit the industrial sector
• In 2013, a major ICS/SCADA supplier was infected with malware
20.
Command and Control Software Vulnerabilities
HMI and MES advantages for manufacturing
• Can help tie shop-floor visibility to ERP systems
• Result is reduced time-to-market and greater operational efficiencies
Vulnerabilities
• Run on off-the-shelf OSs, known hacker targets
• MES-to-enterprise software gaps
• Hackers and viruses have multiple entry points
21.
Industrial Control Attack Surfaces
More than 2,600 exploitable vulnerabilities in 1,330 models of control devices [1]
• Intelligent Control Circuit (ICC)
• Supervisory Control and Data Acquisition (SCADA)
• Remote Terminal Unit (RTU)
• In-field ICS/SCADA: most were never designed for IP connectivity
• Mixture of old (analog) and new devices in the field
• Connectivity to the control center via cell, radio, wireless, Ethernet and fiber
[1] SCADA and Security of Critical Infrastructure. InfoSec Institute.
22.
Go to the MANUFACTURING Core PPT Deck and continue with the Stealth value proposition slides.
23.
Chemical Processing Cyber Threats
DELETE the Use Case slide from the Industrial Core PPT Deck and insert the Chemical Processing slides from this deck.
24.
Top Three Chemical Processing Cyber Targets
1. ICS/SCADA: increased vulnerabilities as more and newer devices enter the market
2. Command and control software: Human-Machine Interface (HMI) and Manufacturing Execution System (MES) software targets
3. Theft of intellectual property: proprietary processes and formulas at risk
25.
Recent Events
• 600%+ increase in ICS/SCADA vulnerabilities from 2010 to 2013
• 277 ICS/SCADA cyber-attacks voluntarily reported in 2013
• 48 chemical and defense companies breached with the Nitro malware (attacks disclosed in 2011)
26.
Command and Control Software Vulnerabilities
Human-Machine Interface (HMI) programs for chemical processing command and control centers
• Proprietary software (supply chain compromise, bugs, questionable security measures)
• Runs on off-the-shelf OSs, known hacker targets
• Must be patched and maintained
27.
Chemical Processing Control Attack Surfaces
More than 2,600 exploitable vulnerabilities in 1,330 models of control devices [1]
• Intelligent Control Circuit (ICC)
• Supervisory Control and Data Acquisition (SCADA)
• Remote Terminal Unit (RTU)
• Mixture of old (analog) and new devices
• Moving from analog to digital systems
[1] SCADA and Security of Critical Infrastructure. InfoSec Institute.
28.
Go to the Industrial Core PPT Deck and continue with the Stealth value proposition slides.
29.
Oil and Gas Cyber Threats
DELETE the Use Case slide from the Industrial Core PPT Deck and insert the Oil and Gas slides from this deck.
30.
Pipeline Cyber Attack
“Cyberspies linked to China’s military targeted nearly two dozen US natural gas pipeline operators over a recent six-month period, stealing information that could be used to sabotage US gas pipelines, according to a restricted US government report and a source familiar with the government investigation.”
– Christian Science Monitor, February 27, 2013
31.
Recent Events
• 600%+ increase in ICS/SCADA vulnerabilities from 2010 to 2013
• Data theft besieges the oil industry
• Compromising industrial facilities from 40 miles away
32.
Command and Control Software Vulnerabilities
Human-Machine Interface (HMI) programs for oil and gas production command and control centers
• Proprietary software (supply chain compromise, bugs, questionable security measures)
• Runs on off-the-shelf OSs, known hacker targets
Mobile Controls
• Remote operation of gas and oil rigs/well-heads at risk from hacks and viruses
33.
Oil and Gas Production Control Attack Surfaces
More than 2,600 exploitable vulnerabilities in 1,330 models of control devices [1]
• Intelligent Control Circuit (ICC)
• Supervisory Control and Data Acquisition (SCADA)
• Remote Terminal Unit (RTU)
• In-field ICS/SCADA: most were never designed for IP connectivity
• Mixture of old (analog) and new devices in the field
• Connectivity to the control center via cell, radio, wireless, Ethernet and fiber
[1] SCADA and Security of Critical Infrastructure. InfoSec Institute.
34.
Go to the Industrial Core PPT Deck and continue with the Stealth value proposition slides.
35.
Appendix: Technical Slides
36.
Stealth: Four Key Elements
You can’t hack what you can’t see…
Protect data-in-motion:
• Info Dispersal Algorithm and Data Reconstitution
• Cryptographic Service Module: AES 256 encryption
Make endpoints invisible:
• Virtual Communities of Interest (COI)
• Stealth shim, which executes low in the protocol stack
(Figure: the OSI stack from 7 Application down through 6 Presentation, 5 Session, 4 Transport and 3 Network to 2 Link, 1 Physical and the NIC, with the Stealth shim inserted below the network layer, between layer 3 and layer 2)
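The slide names an information dispersal algorithm and data reconstitution but, like the patent titles earlier in the deck, does not describe the algorithm itself. The following is an added illustration, not Unisys code and not the Unisys algorithm: it splits data into n pieces for n data paths using Shamir-style threshold splitting over GF(257), so that any k pieces reconstitute the data and any k-1 pieces reveal nothing about it. (Rabin's IDA, which produces pieces of size 1/k, is a different construction and is not attempted here.) The function names, the 3-of-5 parameters and the sample control message are assumptions for the demonstration.

```python
import secrets

P = 257  # smallest prime above 255, so every byte value is an element of GF(257)


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients [a0, a1, ..., a(k-1)] at x, modulo P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(data: bytes, k: int, n: int):
    """Disperse data into n shares, one per data path, such that any k shares
    reconstitute it and any k-1 shares carry no information about it.
    Each share is (x, values) with one value per input byte; values range 0..256,
    so a serialized share needs 9 bits per input byte."""
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n < 257")
    shares = [(x, []) for x in range(1, n + 1)]
    for byte in data:
        # Degree k-1 polynomial whose constant term is the data byte and whose other
        # coefficients are fresh random field elements: k points pin it down, k-1 do not.
        coeffs = [byte] + [secrets.randbelow(P) for _ in range(k - 1)]
        for x, values in shares:
            values.append(_eval_poly(coeffs, x))
    return shares


def reconstitute(shares, k: int) -> bytes:
    """Rebuild the data from any k shares by Lagrange interpolation at x = 0."""
    if len(shares) < k:
        raise ValueError(f"need {k} shares, got {len(shares)}")
    shares = shares[:k]
    xs = [x for x, _ in shares]
    if len(set(xs)) != k:
        raise ValueError("duplicate share indices")
    # The Lagrange basis weights at x = 0 depend only on the x's, so compute them once.
    weights = []
    for j, xj in enumerate(xs):
        num = den = 1
        for m, xm in enumerate(xs):
            if m != j:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        weights.append(num * pow(den, P - 2, P) % P)  # Fermat inverse of den
    length = len(shares[0][1])
    out = bytearray()
    for i in range(length):
        value = sum(w * values[i] for w, (_, values) in zip(weights, shares)) % P
        out.append(value)  # always < 256 because the constant term was a byte
    return bytes(out)


def demo() -> bool:
    """Constructed example: a control message dispersed over 5 paths, any 3 suffice."""
    message = b"OPEN valve 17"  # constructed sample, not from the page
    shares = split(message, k=3, n=5)
    # An attacker tapping any two paths holds two points of a degree-2 polynomial
    # per byte and learns nothing; a receiver seeing paths 1, 4 and 5 recovers everything.
    return reconstitute([shares[0], shares[3], shares[4]], 3) == message
```

The security property is the threshold, not the splitting alone: splitting a message into plain byte ranges over several paths would still leak each range to whoever taps that path. The random polynomial coefficients are what make any k-1 shares uniformly distributed and therefore useless on their own.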
37.
How We Cloak
(Figure: Unisys Stealth endpoint driver. The Stealth driver sits above the MAC at layer 2 and below IP, ARP and DHCP at layer 3, with TCP and UDP at layer 4. Stealth driver credentials are authorized into a COI.)
• Message from a member of the endpoint’s COI: processed
• Message from a member of a different COI: discarded
• Message from a non-Stealth endpoint: discarded
38.
Stealth for Critical Infrastructure (EAL4+, FIPS 140-2)
(Figure: reference plant network with the following labelled elements: Internet, Corporate Firewall, Enterprise Network, Plant Firewall, Plant Bus, Control Firewall, Control Bus, Terminal Bus, ERP, Database, Domain Controller, EPA, Historian, OPC Server, CCTV Server, Alarm Aggregation, HMI, EWS, Application Server, RTU, four PLCs, Field Bus to instrumentation, and hardwired instrumentation)
• Identify the most sensitive endpoints in the critical infrastructure and who should have access
• Create a compartmentalized security model based on need-to-access
• Protect and enforce the security model with strong end-to-end encryption, properly managed keys and CLOAKED endpoints
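Slides 37 and 38 describe the two halves of the mechanism: a driver below IP that processes frames from members of its COI and silently discards everything else, and a need-to-access model that assigns plant endpoints to COIs. The block below is an added simulation of both, not Unisys code; Unisys does not publish its wire format or key protocol on this page. It models membership in a COI as possession of that COI's key and the cloaking check as an HMAC verification over source, destination and payload, performed before anything reaches the IP layer. The endpoint names, COI names, keys and commands are constructed for the demonstration, and the AES-256 payload encryption and key distribution the slides mention are deliberately left out so the membership check stands on its own.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed COI keys for the demo. In a deployment these come from the
# authorization service; they are generated fresh here on every run.
COI_KEYS: Dict[str, bytes] = {
    "ControlOps": secrets.token_bytes(32),   # HMI, PLC, Historian
    "Enterprise": secrets.token_bytes(32),   # ERP, Historian
}


@dataclass
class Frame:
    src: str
    dst: str
    payload: bytes
    tag: Optional[bytes] = None   # None models a plain, non-Stealth frame


class CoiEndpoint:
    """Toy model of a cloaking driver between the NIC (layer 2) and IP (layer 3).
    A frame is handed up to IP only if it carries a valid tag under the key of a
    COI this endpoint has been authorized into; everything else is dropped."""

    def __init__(self, name: str, cois: Dict[str, bytes]):
        self.name = name
        self.cois = cois          # COI name -> key, for the COIs this endpoint joined
        self.delivered = []       # (coi, src, payload) tuples passed to upper layers

    @staticmethod
    def _tag(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
        # Bind source, destination and payload so a frame cannot be replayed to
        # another endpoint or altered in flight without the COI key.
        msg = src.encode() + b"\x00" + dst.encode() + b"\x00" + payload
        return hmac.new(key, msg, hashlib.sha256).digest()

    def send(self, coi: str, dst: str, payload: bytes) -> Frame:
        key = self.cois[coi]      # KeyError: this endpoint cannot speak in that COI
        return Frame(self.name, dst, payload, self._tag(key, self.name, dst, payload))

    def receive(self, frame: Frame) -> Optional[str]:
        """Return the COI a frame was accepted under, or None if it was dropped.
        Dropped frames get no reply of any kind (no RST, no ICMP), so to a sender
        outside the COI the endpoint is indistinguishable from an unused address."""
        if frame.tag is None or frame.dst != self.name:
            return None
        for coi, key in self.cois.items():
            expected = self._tag(key, frame.src, frame.dst, frame.payload)
            if hmac.compare_digest(expected, frame.tag):
                self.delivered.append((coi, frame.src, frame.payload))
                return coi
        return None


def run_scenario() -> dict:
    """Small plant: HMI and PLC in ControlOps, ERP in Enterprise, Historian in both,
    plus an uncloaked scanner on the same segment. Returns what each attempt got."""
    hmi = CoiEndpoint("HMI", {"ControlOps": COI_KEYS["ControlOps"]})
    plc = CoiEndpoint("PLC-1", {"ControlOps": COI_KEYS["ControlOps"]})
    erp = CoiEndpoint("ERP", {"Enterprise": COI_KEYS["Enterprise"]})
    hist = CoiEndpoint("Historian", dict(COI_KEYS))
    results = {}
    # 1. Operator writes a setpoint from the HMI: same COI, processed.
    results["hmi_to_plc"] = plc.receive(hmi.send("ControlOps", "PLC-1", b"WRITE setpoint=42"))
    # 2. ERP addresses the PLC with the only COI it has: different COI, discarded.
    results["erp_to_plc"] = plc.receive(erp.send("Enterprise", "PLC-1", b"READ status"))
    # 3. ERP cannot even construct a ControlOps frame: it was never given the key.
    try:
        erp.send("ControlOps", "PLC-1", b"READ status")
        results["erp_forge"] = "sent"
    except KeyError:
        results["erp_forge"] = "no key"
    # 4. Historian is a member of both COIs and talks to each side under its own key.
    results["hist_to_plc"] = plc.receive(hist.send("ControlOps", "PLC-1", b"READ trend"))
    results["hist_to_erp"] = erp.receive(hist.send("Enterprise", "ERP", b"POST batch"))
    # 5. A non-Stealth scanner probes every address: zero replies, nothing to fingerprint.
    targets = (hmi, plc, erp, hist)
    probes = [Frame("scanner", ep.name, b"SYN") for ep in targets]
    results["scanner_replies"] = sum(ep.receive(f) is not None for ep, f in zip(targets, probes))
    # 6. On-path attacker changes the payload of a legitimate frame: tag no longer matches.
    good = hmi.send("ControlOps", "PLC-1", b"WRITE setpoint=42")
    results["tampered"] = plc.receive(Frame(good.src, good.dst, b"WRITE setpoint=99", good.tag))
    # 7. Same frame replayed to another ControlOps member: destination is bound into the tag.
    results["replayed"] = hist.receive(Frame(good.src, "Historian", good.payload, good.tag))
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Two points the simulation makes concrete. First, the need-to-access model on slide 38 is expressed entirely by which keys each endpoint holds: the ERP never gets a chance to reach the PLC because it cannot form a frame the PLC will look at. Second, "discarded" has to mean silent: a driver that answered unauthorized frames with an error would hand a scanner exactly the liveness signal the slide's tag line says it denies.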
39.
Unisys Stealth for Mobile
Unisys Stealth protects critical application processing environments through cloaking techniques, effectively rendering them invisible and providing protection from internal and external threats.
Unisys Stealth for Mobile extends the protection of these mission-critical assets to mobile environments, providing only the right mobile users access to the right environments.
(Figure: an unprotected Email Server alongside a Protected Server (physical or VM), Protected App Server and Protected Database Server)
Mobile security starts in the data center and extends out to your mobile devices.
40.
Unisys Stealth for Mobile: Three Components
• Application Wrapping Software: wraps individual applications on a device, enabling fine-grained security controls to be applied to individual applications
• Stealth for Mobile Gateway (Broker and vDRs): provides secure passage for mobile data to application processing environments; connects authenticated mobile application users into Stealth Communities of Interest
• Stealth Data Center Segmentation: compartmentalizes the data center using Communities of Interest instead of physical infrastructure
(Figure: an unprotected Email Server, and a Protected Server (physical or VM), Protected App Server and Protected Database Server behind the Stealth for Mobile Gateway, which contains a Broker and vDRs)
41.
Unisys Stealth for Mobile: Architecture
(Figure: Internet, IPsec VPN server, DMZ with audit and IDS, Mobile Stealth Gateway with Broker and vDRs, and a Stealth Network containing Legal and Finance COIs; also a Stealth Authorization Service, a Stealth Appliance and the Enterprise Identity Store)
Stealth-Enabled Mobile App
• Captures user credentials
• Wrapped for security
IPsec Connection Gateway
• Off-the-shelf IPsec VPN gateway
Mobile Stealth Gateway
• Broker: authorizes users; manages the vDRs’ COIs
• Virtual Device Relay (vDR): relays data between the app and the Stealth network
DMZ
• Clear-text network segment
• Allows monitoring, firewalling, etc.