ПАРТНЕРСКИЙ ФОРУМ WONDERWARE 2017

Видение ЛК индустриальной безопасности, а также портрет и актуальные проблемы заказчиков в области защиты индустриального

интернета вещейДмитрий Фешин

Руководитель глобальных проектов

АО «Лаборатория Касперского»Page 1

ВОПРОСЫКибер-риски - видение ЛК

О чем говорят руководители стран и корпораций, говоря об этой теме

АСУ ТП – мифы и реальность в эру 4-ой промышленной революции

Концепции 4.0RU (Практический пример «Цифровой безопасной экономики

Портрет пользователей и актуальные проблемы

ЛИДЕРЫ СТРАН И ОСНОВАТЕЛИ КОРПОРАЦИЙ

Source: Marsh Global Risk Report

ИХ ОБЩЕЕ МНЕНИЕ

Source: Marsh Global Risk Report

НОВАЯ ТЕМА ДЛЯ ОБСУЖДЕНИЯ

ТОП 10 РИСКОВ ДЛЯ БИЗНЕСА - 2017

Источник: Allianz Risk Barometer 2017

2016 – 3 2015 – 5 2014 - 82013 - 13

Непрерывность бизнеса

Кибер угрозы

Source: Allianz Risk Barometer 2016

CxOИТ, ИБ ИНЖЕНЕР

CIA - ДАННЫЕ AIC - НЕПРЕРЫВНОСТЬ

ИТ, ИБ

ФОКУС

ПРИНЯТИЕ РЕШЕНИЙ

ОБЪЕКТЫ ДЛЯ ЗАЩИТЫ

PC, SERVER, MOBILE PLC, HMI, IND. PROTOCOLS, ETC

CxO

IT и ОТ домены: найдите 3 отличия

0,5-48 часов 2-4 часа 2-6 часов 8-24 часа 0.5-2 часа ИНЦИДЕНТ

Нарушитель предпринимает последовательность действий в попытке завладеть управлением элементами АСУ ТП .

Получение доступа к сети

Сбор информации об

АСУ ТП

Подбор пароля ПЛК

Выгрузка и анализ деталей проекта из ПЛК

модификация логики

управления

Физический ущерб

С «МЫШКОЙ» НА НПЗ...

НЕФТЕГАЗОВАЯ ОТРАСЛЬ. ИСТОРИЯ ВОПРОСА.

ФИНАНСОВЫЕ ПОТЕРИ: $5M/ДЕНЬ , ~$1B – ОБЩИЕ ПОТЕРИ STATE OIL EXPORT COMPANY

Baku-Tbilisi-Ceyhan (BTC) pipeline near the eastern Turkish city of Erzincanon Aug. 7, 2008

ФИНАНСОВЫЕ ПОТЕРИ: 17 ДНЕЙ ВНЕПЛАНОВАЯ ОСТАНОВКА ОТГРУЗКИ,

Saudi Aramco suffered the worst hack in world history in 2012.

SHAMOON 2.0 вернулся в декабре 2016 !!!

ИСТОЧНИК : https://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar

ИСТОЧНИК : http://www.reuters.com/article/us-saudi-cyber/saudi-arabia-warns-on-cyber-defense-as-shamoon-resurfaces-idUSKBN1571ZR

НОВЫЕ ТРЕНДЫ И ВЛИЯНИЕ НА БИЗНЕС

RANSOMEWARE

Блокировка работы оператора

АСУ ТП

РИСК ОСТАНОВКИ

УДАЛЕННЫЙ ДОСТУП

Изменение штатного режима работы РСУ и ПАЗ

ПОТЕРЯ ИНВЕСТИЦИЙ

КОМПРОМЕНТАЦИЯ ЦЕПОЧКИ ПОСТАВОК

Незапланированный останов контура первичной очистки

УХОД КЛЮЧЕВЫХ КЛИЕНТОВ

ПЕРЕДАЧА РИСКА

Оговорка CL380 - исключает покрытие вреда, нанесенного использованием ИТ-систем. То есть исключаются любые кибератаки, оставляя компанию без покрытия.

Исключение 9 по Терроризму T3 LMA3030 исключает кибератаки, имеющие террористическую мотивацию (по аналогии с CL 380).

Исключение Electronic Data Exclusion NMA2914 is как правило применяется в большинстве видов страхования имущества и перерыва в производстве

ПОЛИС КИБЕРСТРАХОВАНИЯ НЕ ВКЛЮЧАЕТ ДАННЫЕ РИСКИ

Люди – главный фактор

ЛЮДИ

ЛК . Инициатива ICS CERT.

Источник : ics-cert.kaspersky.ru

ПРОЦЕССЫ

ЗАЩИТА МОЖЕТ ИМЕТЬ РАЗЛИЧНЫЙ УРОВЕНЬ ЗРЕЛОСТИ

ТРЕНИНГИ

РАССЛЕДОВАНИЕ ИНЦИДЕНТА

РЕШЕНИЕ ЕСТЬ(KICS)

АНАЛИЗ ЗАЩИЩЕННОСТИ

МОДЕЛИРОВАНИЕ

“НУЖНО БОЛЬШЕ ИНФОРМАЦИИ О РИСКЕ”

“ХОЧУ ПОНИМАТЬ МОДЕЛЬ УГРОЗДЛЯ МОЕЙ АСУ ТП”

“Я ЗНАЮ, ЧТО НАДО ЗАЩИЩАТЬ”

“Oops!! I МЕНЯ КАЖЕТСЯ…”

Кибер риски – важная часть Цифровой Экономики

Защита финансовых систем

Экспертные сервсы

Защита центров обработки данных

Защита изолированных сетей

Кибербезопасность компаний любого размера и любой

отрасли

# ЦИФРОВОЙ # IIoT \ 4.0 - ПОЛНЫЙ ВПЕРЕД !!!

Мировое исследование –покупатель безопасности – кто он и

что ему нужно?

Methodology

11 in depth interviews with:

- 8 ICS cybersecurity Practitioners - 3 ICS cybersecurity Consultants (such as system

integrators or IT security consultancy firms)

359 interviews with ICS cybersecurity

practitioners

Phase 1: Qualitative Phase 2: Quantitative

In-depth qualitative interviews conducted by telephone with ICS cybersecurity practitioners and consultants across:

• UK• Germany• Spain• Australia• India

Online survey with ICS cybersecurity practitioners across the following regions:North America - USA

• Europe • North America• Latin America• Middle East• APAC

Fieldwork was conducted in February – April 2017

Note: in the quant phase, both ICS and OT terminology was used in all questions –in reporting we have used only ICS for ease of reading

22

Quantitative Phase – Sample Profile

21Interviews across countries 359

Wide Geographical Coverage

North AmericaEurope APAC

USAFrance

Germany

Italy

Russia

Spain

UK

Argentina

Brazil

Mexico

China

India

Indonesia

Japan

Malaysia

Philippines

South Korea

Singapore

Middle East

Oman

Saudi Arabia

UAELatin America

Mixture of Industry Sectors

1%

2%

4%

4%

6%

8%

3%

4%

6%

19%

3%

5%

6%

6%

8%

8%

8%

20%

Defence

Hospitality/leisure/restaurants

Real estate / property / building…

Government/public sector

Utilities & energy

Transportation and logistics

Oil & Gas: Refining & Processing

Oil & Gas: Transportation,…

Oil & Gas: Extraction

Construction and engineering

Manufacturing: food & beverage

Manufacturing: Primary products

Manufacturing: Pharmaceuticals

Manufacturing: High-tech…

Manufacturing: Chemicals

Manufacturing: Automotive

Manufacturing: Consumer…

Manufacturing: Industrial products

S1. In which country are you based?S2. Which industry sector does your organization operate in?Base: Total sample=359

North America -

USA7%

Europe (UK, France,

Germany, Spain, Italy)

30%

Russia6%Middle East

10%Japan

8%

APAC (excluding

Japan)30%

LATAM (Mexico, …

Ma

nu

factu

rin

g -

56

%O

il&G

as –

11

%

of the sample are Manufacturing companies56%

*Total greater than 100% as multiple answers possible

23

Range of business priorities seen across companies: risk management considered a priority by half

• Product and service quality and risk management were the two key priorities for the next 12 months for half of the organizations interviewed

33%

36%

37%

38%

39%

39%

41%

47%

50%

51%

Complying with our customer requirements

Better complying with regulations and requirements

Accelerating digital business

Acquiring new customers

Improving our customer experience

Reducing costs

Improving our products / services differentiation

Improving our ability to innovate

Managing risks

Improving our products / services quality

24

• A quarter of the respondents report such an attack is very likely to happen to their organizations: this likelihood increases with the size of the organization to almost half in companies of 5000+ employees

Three quarters of companies believe an ICS cybersecurity attack to be likely to happen: particularly true in larger companies

Very likely25%

Quite likely49%

Not very likely22%

Not at all likely4%

Q4. How likely is it that your organization could become the target for a cybersecurity attack on OT/ICS or industrial control network?Base: Total sample=359

Rises to 38% in Middle East, lower in Europe (18%) –overall likelihood similar

across regions

25

• No one challenge stands out as a key priority: finding skilled employees and partners to meet ICS cybersecurity needs are most important overall

• Budget is of particular concern in the Middle East, whilst lack of available resources is the biggest key priority in South America

Challenges of managing ICS cybersecurity focus on skilled personnel

Q3. What are the top 3 challenges related to managing organization’s OT/ICS cybersecurity?Base: Total sample=359*Total greater than 100% as multiple answers possible

15%

14%

14%

14%

13%

11%

9%

9%

50%

43%

39%

35%

48%

32%

31%

22%

Hiring ICS cybersecurityemployees with the right skills

Increasing interconnectednesswith corporate/enterprise IT

Lack of security awarenessamong asset owners and…

Complexity of ICSenvironment/industrial network

Finding reliable partners whocould implement ICS…

Unavailability ofproducts/services that fit our…

Priority of ICS Cybersecurity islow for senior management

Lack of budget

Main priorityEmerging knowledge / understanding of this field, and a need for a business strategy to guide company process, emerge qualitatively as key issues, reflecting the need for skilled personnel:

“I think we are at the strategic discussion stage, what we are doing is we are looking at the bigger picture and see how we can apply this kind of technology to our business and how it can help. I think the main challenge at the moment is to come up with the strategy for the company. I am sure, once we got through that

stage, we will start to look at the implementation stage.”(Machine Tool Manufacturer – UK)

“Training of the manpower and getting right people are the biggest challenges and also updating their knowledge as this is a very dynamic field so a lot of training is

required.”(Oil & Gas: Extraction & Processing – India)

• Slightly higher levels of incidence are seen in larger companies

• Just under half have not experienced any such issues

Half of companies have experienced between 1 and 5 cybersecurity incidents with their ICS and/or control system network in the past 12

months

Q18.How many times did your organisation experience any cybersecurity incidents with OT/ICS and/or control system network in the past 12 months?Base: Total sample=359

1%

3%

12%

21%

17%

46%

11 to 25 times

6 to 10 times

3 to 5 times

Twice

Once

We have not experienced anyincidents/breaches in the past 12

months

50%

27

• 8 in 10 organizations are not required to report industrial security breaches to any regulatory bodies – this is significantly lower in North America, where more reporting is required

• Two thirds, however, feel that this reporting should be mandated

Generally, the majority of companies are not required to report ICS security incidents to regulatory bodies

38%

3%

3%

7%

9%

10%

13%

16%

Other

Don't Know

Ministry of Industry and…

ISAC

CERT

ISO – Various

Government Agency

Federal/State AgencyRequired19%

Not required

81%

Q15. Is your organization required to report industrial security breaches and incidents to any regulatory bodies (government or industry such as CERT/ISAC) Base: Total sample=359. If so, What regulatory body? Base: Those required to report=68Q16. Do you agree that the governments should mandate the reporting of OT/ICS breaches or security incidents? Base: Total sample=359

reported to…

• When asked for the costs of dealing with incidents, both overall and specifically broken down by cost type, costs are generally lower in the Middle East, and higher in North America and Europe

Average financial loss caused by consequences of ICS cybersecurity incidents is over $92,000

Q22. Could you please estimate the overall financial cost of those consequences caused by all the OT/ICS cybersecurity incident to your organization in the past 12 months?Q23. In response to a breach experienced, businesses will often invest in additional staff, training or technology in order to avoid further incidents. Did your organization make any such efforts in response to the breaches you experienced in the last 12 months? If so, could you estimate how much has been spent to date on the measures? Base: Those who experienced incidents=195

$65 114

$82 269

$107 966

$92 254

Average additional training cost

Average additional staffing cost

Average additionalsoftware/infrastructure cost

Average cost of consequences

$255,349 Total average additional costs

(Excluding Consequences)

“The cost of an attack can be enormous.Loss of human life, loss of natural

resources are just some aspects, the actual cost can be very, very high.

There will be fines and penalties as well imposed on the company as per the

guidelines of the government. ”(Oil & Gas: Extraction + Processing

– India)

All Companies experiencing an incident in the last 12 months

• The majority of these larger companies (71%) have experienced between 2 and 5 cybersecurity incidents in the last 12 months

Average financial loss caused by consequences of ICS cybersecurity incidents in companies with 500+ employees is $147,053

Q22. Could you please estimate the overall financial cost of those consequences caused by all the OT/ICS cybersecurity incident to your organization in the past 12 months? Base: Companies with 500+ employees = 94Q23. In response to a breach experienced, businesses will often invest in additional staff, training or technology in order to avoid further incidents. Did your organization make any such efforts in response to the breaches you experienced in the last 12 months? If so, could you estimate how much has been spent to date on the measures? Base: Companies with 500+ employees who experienced incidents=94

$89 444

$104 212

$156 388

$147 053

Average additional training cost

Average additional staffing cost

Average additionalsoftware/infrastructure cost

Average cost of consequences

$350,044 Total average additional costs

(Excluding Consequences)

Companies with 500+ employees experiencing an incident in the last 12 months

• Traditional antivirus vendors such as Symantec and McAfee are also associated with ICS cybersecurity solutions, although to a lesser extent

• There is some association with consulting companies such as NextNine

7%

2%

2%

2%

3%

3%

3%

3%

4%

4%

10%

11%

12%

19%

24%

None

Avast

NextNine

SANS

Dell

FireEye

Oracle

SAP

HP

McAfee

Norton/Symantec

Kaspersky Lab

Microsoft

Cisco

IBM

Accenture

BMC

Bull

Dr Web

Eset

Factory Systems

Fujitsu

Honeywell

Huawei

ICL-KPO VS (Russia)

Intel

Range of single mentions:

Kaspersky Lab is among the most frequently mentioned providers associated with ICS cybersecurity solutions, behind IBM, Cisco and Microsoft

Leet Security

OCN

OTICS

Palo Alto

RSA

Samsung

SCADA

Tata Communications

Trend Micro

Waterfall

Q10. What OT/ICS cybersecurity solution providers, if any, are you aware of?Base: Total sample=359*Total greater than 100% as multiple answers possible

Significantly higher awareness of Kaspersky Lab in the Middle East

Благодарим за внимание!

www.wonderware.ru