
INDUSTRIAL

CYBERSECURITY
FOR A DIGITAL AGE
TIMELINE OF KEY EVENTS IN INDUSTRIAL CYBER
• December 23, 2015: Ukraine experienced a blackout. The country's electricity went out after cyber attacks on the electricity grid. Hackers succeeded in taking control of the information system so that mass blackouts occurred in the community; 230 thousand people were without electricity for up to six hours. The attack was carried out by the hacker group "Sandworm", allegedly from Russia, based on the internet protocol used.
• A few months ago, Venezuela claimed that its power plant had been attacked by a hacker, leaving parts of the country, including Caracas, in a five-day outage.
• On July 25, City Power, an electricity company in Johannesburg, South Africa, was also sent ransomware by hackers. The power grid was cut off. Residents complained on Twitter about the blackout.
Other markers on the timeline figure whose descriptions did not survive extraction: Trisis/Triton, Schneider e., 30k PCs wiped.

CYBER RISK IS EVOLVING, COMPLEX & UNCONTROLLED

Desired Outcomes:
Cost & Risk
• Prevent incidents across OT-IT
• Mitigate cyber risks on grid, wifi
• Lower cybersecurity labor costs
• Avoid non-compliance fines
• BSSN etc. (118 CISSP in ID)
Competitive Advantage
• Best in Class showcase
• Improve productivity
• Safely connect operations
• Upgrade OT cybersecurity skills

Challenges:
• Little/no asset visibility, monitoring & alerting
• Protecting assets, operations & people
• OT complexity: proprietary & legacy devices & systems
• Cybersecurity skills shortage
• Increasing company & regulatory compliance

Status Quo Solutions:
1 Point Solutions: point solutions requiring multiple interfaces & vendors to meet OT cybersecurity needs; lack of integration reduces time to threat detection & increases cost
2 Limited Visibility: limited visibility into OT assets increases cyber vulnerabilities & risk; lack of cyber expertise expands the OT cybersecurity problem
3 Site Specific: existing solutions lack true enterprise OT cybersecurity capabilities; this limits the ability to help ensure more consistent protection across sites

Current Solutions add Complexity to the OT Cybersecurity Challenge


[Diagram: A Typical Step by Step Cyber Kill Chain in Critical Infrastructure - Utilities. Blocks recoverable from the figure: BACK OFFICE (GIS, Email, CRM, Billing, WFM, AMS, MDMS, Central Messaging, ESB); DISTRIBUTED ENERGY RESOURCES (Solar, Battery, Inverter, Embedded Heat & Power, Energy Manager, Battery Manager, Inverter Manager, Consumer Manager, DERMS, Reports); CUSTOMER (Customer Portal, Program Management, Mobile App, Consumer); METER COM (AMI HES, Meter Settlement System); Operations Analytics Management; 3RD PARTY IT (Weather Services, Gateway); DEVICES TRACKING SYSTEMS (Broadband Internet, Smart Thermostat); Command Central; Call Center.]


Honeywell Connected Enterprise – May 14, 2019
SOLVING OT CYBERSECURITY PROBLEMS
• Vulnerability & Risk Assessments
• Network & Wireless Assessments
• Backup and Recovery
• OT/Industrial Penetration Testing
• Incident Response Planning
• Incident Response: On Site & Remote
• Forensics & Analysis
• Continuous Monitoring
• Asset Inventory & Management
• Threat & Vulnerability Identification (SIEM/IDS)
• Compliance & Reporting
• Awareness & Training
• OT Red/Blue Team Training
• Advanced Threat Intelligence
• HON Forge Cybersecurity Platform
• SMX Portable Media/USB Security
• Cybersecurity/Compliance Audits
• Current State Analysis
• Secure Design and Optimization
• Zone & Conduit Separation
• Policy and Procedures
• Secure Network Refresh
• Firewall, Next Gen Firewall
• Intrusion Detection & Prevention
• Access Control
• Industrial Patching & Anti-Virus
• Industrial Application Whitelisting
• End Node Hardening
WHY HONEYWELL IND. CYBERSECURITY

1 Simplify Cybersecurity
• Reduce labor required to manage patching updates
• Unify the most commonly-needed OT security capabilities in one software platform
• Simplify multi-site, multivendor cybersecurity connections
• Reduce number of vendors - similar cybersecurity software requires applications from over 6 different companies
Demonstrated Customer Value: $1.2M per year in savings (cost of manual patching effort required at 40 sites by a European-based oil and gas company)

2 Scale Cybersecurity Investments as Needed
• Start with Secure Remote Access and grow as your cybersecurity needs evolve
• Invest only in the modules needed today to ensure compliance, add new modules as needed
Demonstrated Customer Value: $10M in savings (fine imposed on Duke Energy for non-compliance in 2019)

3 Improve Cybersecurity Performance
• Reduce time and cost to identify cyber vulnerabilities
• Increase efficiency of data aggregation and compliance reporting (customers have experienced increased performance and security by 35% and improved time-to-resolution by 90%)
Demonstrated Customer Value: $200K+ in savings per year (cost of asset/vulnerability discovery at one site – German refinery)

4 Reduce Cybersecurity Risk and Ensure Operational Uptime
• Protect people, processes and assets from cybersecurity threats and reduce cyber risk
• Avoid the cost of a cyber attack - recent cyber attacks in the past few months have cost as much as $75M (Norsk Hydro) and $300M in the past few years (Maersk)
Demonstrated Customer Value: $75M+ in savings (avoidance of a cyber attack)
WHY CUSTOMERS CHOOSE HONEYWELL
Complete Portfolio of Cybersecurity Solutions for Industrials

Industrial Security Consulting
• Industrial security program development
• Assessment services
• Architecture & design
• Implementation & systems integration
• Operational service & support
• Compliance audit & reporting

Managed Security Services
• Managed Security Services
• Secure remote access, patch & AV
• Continuous monitoring & alerting
• Threat & vulnerability identification via SIEM & IDS analytics
• Incident response & recovery/backup
• Security device management
• Hosting & mgmt of HON Forge Cybersecurity Platform
• OT SOC management & operations

Integrated Security Technology
• Whitelisting
• Antivirus
• Next-generation Firewall
• Secure Media Exchange (SMX)
• IDS & IPS
• Advanced Threat Intelligence
• Security Information & Event Management (SIEM)
• Industrial assessment software & tools
• Threat Intelligence

Cybersecurity Software
• Honeywell Forge Cybersecurity Platform for cybersecurity operations and asset management at a single site or across multiple sites
GRASSROOTS-LEVEL OT CYBER SECURITY ISSUES
Remote employees, control system vendors, 3rd party vendors, contractors
Partial coverage of security essentials
• Multiple access points
• Partial data on assets & events
• No proper hardening
• No proper monitoring
• No proper governance
• No proper planning & accountability
FRAMEWORK MAPPING
[Figure: ICS Shield mapped against the frameworks below; each framework is marked "Honeywell Complies".]

NIST Cybersecurity Framework (CSF)
Defines controls to improve information system security and ICS availability, reliability and security. Gaining adoption across many industries.

ISA/IEC 62443 (formerly ISA-99) & ISO/IEC 27000 Standard
Built from the ground up to define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS).

NERC-CIP Regulation
Facilitated by the North American Electric Reliability Corporation, Critical Infrastructure Protection (CIP) provides guidance on zone-based network segmentation as well as system-centric controls.
Industrial Security Consulting | Managed Security Services | Integrated Security Technology | Cybersecurity Software: • SMX • Forge Cybersecurity
HONEYWELL FORGE
CYBERSECURITY PLATFORM

HONEYWELL FORGE CYBERSECURITY PLATFORM

Cybersecurity Operations Management
• Safely connect to OT assets to improve security and performance across multiple sites
• Safely move and use OT-centric data for analytics and more
• Detect threats in files transferred from one location to another

+ Cybersecurity Asset Management
• Safely inventory OT assets to comply and secure
• Safely monitor OT networks for cybersecurity issues
• Safely update OT assets to comply and secure
• Safely uncover security vulnerabilities to manage risks

Improve OT Cybersecurity Performance Across your Enterprise


HONEYWELL FORGE CYBERSECURITY – Security Operations Management

Secure Remote Connectivity: Safely connect to OT assets to improve security and performance
• Simplify access to cross-vendor assets
• Centralize control over all remote access sessions enterprise-wide
• Supervise and audit sessions
• Control via role-based and device-specific access permissions and privileges

Secure Content Transfer: Safely move & use OT-centric data for analytics and more
• Reduce data leaks – securely distribute files within/in/out of OT
• Detect threats in files
• Analyze and act on insights - transfer logs and performance data to SIEM
• Improve recovery time sending large files to/from file backup and restore
HONEYWELL FORGE CYBERSECURITY – Asset Discovery & Inventory, Monitoring & Alerting, Software Patch & AV Management, Risk & Compliance Management

Asset Discovery & Inventory: Safely inventory OT assets to comply & secure
• Accurately identify assets: hardware, software, service configurations
• Visualize security status and asset characteristics
• Enforce security policies

Monitoring & Alerting: Safely monitor OT networks for cyber issues
• Proactively manage OT networks
• Automate data collection of key cybersecurity indicators
• Automate notifications specific to your organization and staff

Software Patch & AV Management: Safely update OT assets to comply & secure
• Reduce vulnerabilities - centrally manage software updates
• Comply with standards - patch Windows systems (WSUS)
• Control update timing, approach, configuration to protect uptime

Risk & Compliance Management: Measure & manage OT cybersecurity risks
• Standardize risk status in one view for operations, IT & leadership
• Easily identify related actions to improve ICS security posture
• Automate and prioritize risk-mitigating work
• Address non-compliance
WINDOWS MACHINE
Gathers machine inventory using WMI. Gathers the following machine information:
Security Parameters
o Event Logs
o Installed Software
o Windows Services
o Network Configuration
o Network Ports
o AV Information
o Local Users
o Guest Accounts
o Backup Files
o QPL
o Group Policies
o USB Devices
Status Parameters
o OS Information
o Asset Information
o Last Boot Up Time
o Local Date and Time
o Pending Reboot
o Availability
o EBR Services Status
o SQL Server
o Video Adapter
o Connected Monitors
o Storage
Performance Parameters
o CPU
o System Memory
o Process Memory
o Storage Benchmarks
o Network Benchmarks
o Connectivity Check
LINUX MACHINE
Gathers machine inventory using SSH. The Linux machine policy gathers the following machine information:
Security Parameters
o Logs
o Installed Software
o Network Configuration
o Network Ports
o USB Devices
o AV Information
o Users
o Users Passwords
o Backup Files
o Boot Folder Permissions
o Firewall Status
o SSH Settings
Status Parameters
o OS Information
o Asset Information
o Last Boot Up Time
o Local Date and Time
o Pending Reboot
o Availability
o Storage
Performance Parameters
o CPU
o System Memory
o Process Memory
o Storage Benchmarks
o Network Benchmarks
o Connectivity Check
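As an added example (not Honeywell code), the following Python script shows what the "gathers machine inventory using SSH" step turns into once command output is back on the collector: it parses constructed samples of a shadow file, an sshd_config and `ss -tlnp` output into the Users, Users Passwords, SSH Settings and Network Ports parameters listed above, and derives findings from them. The commands in `COMMANDS`, the sample hosts, hashes and ports are all assumptions made for the example; the same structured record is what the Windows (WMI) and network-equipment (SNMP) policies would produce for their own parameters.

```python
"""Added example (not Honeywell code): turn the raw text an SSH inventory
session returns into the Linux security parameters listed above. All three
inputs are constructed samples; the password hashes are placeholders."""
import re

# What the collector would run over SSH for each parameter (assumed, not
# Honeywell's command set); the outputs below stand in for the results.
COMMANDS = {
    "users_passwords": "sudo cat /etc/shadow",
    "ssh_settings": "cat /etc/ssh/sshd_config",
    "network_ports": "ss -tlnp",
}

SHADOW_SAMPLE = """root:$6$placeholderhash:19000:0:99999:7:::
operator::19000:0:99999:7:::
hmi:!:19000:0:99999:7:::
svc_backup:$6$anotherplaceholder:19000:0:99999:7:::
"""

SSHD_CONFIG_SAMPLE = """# constructed sshd_config excerpt
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding no
"""

SS_SAMPLE = """State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       5       0.0.0.0:502         0.0.0.0:*          users:(("modbusd",pid=1201,fd=4))
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=640,fd=5))
"""


def parse_shadow(text):
    """Classify each account by its password field: 'empty', 'locked' or 'hashed'."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw = line.split(":", 2)[:2]
        if pw == "":
            users[name] = "empty"
        elif pw.startswith(("!", "*")):
            users[name] = "locked"
        else:
            users[name] = "hashed"
    return users


def parse_sshd_config(text):
    """Return the effective (non-commented) sshd directives with lower-cased keys."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


_PROC_RE = re.compile(r'\("([^"]+)"')


def parse_listening(text):
    """Parse `ss -tlnp` output into (address, port, process) tuples."""
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        m = _PROC_RE.search(line)
        sockets.append((addr, int(port), m.group(1) if m else ""))
    return sockets


def build_inventory(shadow_text, sshd_text, ss_text):
    """Combine the parsed parameters and derive findings a policy would flag."""
    users = parse_shadow(shadow_text)
    ssh = parse_sshd_config(sshd_text)
    ports = parse_listening(ss_text)
    findings = []
    for name, status in users.items():
        if status == "empty":
            findings.append(f"user {name} has an empty password")
    if ssh.get("permitrootlogin", "").lower() == "yes":
        findings.append("sshd permits direct root login")
    if ssh.get("passwordauthentication", "").lower() == "yes":
        findings.append("sshd allows password authentication")
    for addr, port, proc in ports:
        # anything other than the management port bound to all interfaces
        if addr in ("0.0.0.0", "::", "*") and port != 22:
            findings.append(f"{proc or 'unknown'} listens on all interfaces (port {port})")
    return {"users": users, "ssh": ssh, "ports": ports, "findings": findings}


if __name__ == "__main__":
    for f in build_inventory(SHADOW_SAMPLE, SSHD_CONFIG_SAMPLE, SS_SAMPLE)["findings"]:
        print("FINDING:", f)
```

The findings list is deliberately plain strings so it can be pushed to a SIEM or the risk view unchanged; a real collector would also keep the raw command output for forensics.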
NETWORK EQUIPMENT
Gathers machine inventory using SNMP. The network device policy currently gathers the following information:
Security Parameters
o Firmware Revision
o Hardware Revision
o Access Lists
o IP Routes
o Ports Security
o Ports Status
o Users and Roles
o Passwords Policy
o Remote Access
o Storage
o Firewall Mode
o MAC Address Table
o OSPF Settings
Status Parameters
o Running Config
o Startup Config
o Interfaces List
o Availability
o SNMP Configuration
o SSH Configuration
o Last Boot Up Time
o Local Date and Time
Performance Parameters
o Memory Utilization
o CPU Utilization
o Bandwidth Utilization
o Error Counts
o Collisions
o Packets Rates
CONFIGURATION DATA FOR DEVICES
Supported Protocols
• SCADA protocols:
o Modbus TCP
o DNP3
o Ethernet/IP
o S7Comm
o CDA (Experion)
o FTE (Experion)
o OPC-DA
o Profinet
o IEC 60870-5-104 (IEC104)
o BACnet
o MMS
o C37.118 (Synchrophasor)
o MDLC
o GOOSE
o ICCP
• General and application based protocols:
o Ethernet
o ICMP
o ARP
o IPv4
o TCP
o DNS
o NetBIOS
o NBNS
o SMB
o UDP
o SNMP
o DHCP, DHCPv6
o MYSQL
o Browser
o HTTP
o TPKT
o COTP
o TNS
o TDS
• Routing and network discovery protocols:
o CDP
o LLDP
o RIP
o IGRP
o EIGRP
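Added example, not Honeywell's code: the protocol support above is what lets a passive collector inventory OT assets and alert on unexpected traffic. This Python script decodes Modbus TCP, the first protocol in the list, from constructed sample frames (placeholder IP addresses for an HMI, an engineering station, an unexpected host and a PLC; no network access), builds a per-server inventory of the function codes seen, and raises alerts for write requests from hosts outside an approved-writer list, for exception responses, and for malformed frames. The approved-writer list and the sample traffic are assumptions made for the example.

```python
"""Added example (not Honeywell code): passive Modbus/TCP inspection of the
kind a monitoring & alerting collector performs. Frames are constructed
in-line; no network access is needed."""
import struct
from collections import defaultdict

MODBUS_PORT = 502
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Read Device Identification",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Split a Modbus/TCP ADU into MBAP header fields and the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) |
    unit id (1); the PDU starts with the function code. Bit 7 of the
    function code set marks an exception response.
    """
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(payload) - 6} bytes after it")
    fc = payload[7]
    return {"transaction_id": tid, "unit_id": uid, "function": fc & 0x7F,
            "exception": bool(fc & 0x80), "data": payload[8:]}


def build_frame(tid: int, uid: int, fc: int, data: bytes) -> bytes:
    """Assemble an ADU; used here only to construct the sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


# Constructed sample traffic: (src ip, src port, dst ip, dst port, payload).
HMI, ENG, ROGUE, PLC = "10.0.1.10", "10.0.1.50", "10.0.1.77", "10.0.2.20"
SAMPLE_TRAFFIC = [
    (HMI, 49152, PLC, MODBUS_PORT, build_frame(1, 1, 3, struct.pack(">HH", 0, 2))),
    (PLC, MODBUS_PORT, HMI, 49152, build_frame(1, 1, 3, bytes([4, 0, 10, 0, 20]))),
    (ENG, 49200, PLC, MODBUS_PORT,
     build_frame(2, 1, 16, struct.pack(">HHB", 100, 1, 2) + struct.pack(">H", 500))),
    (ROGUE, 40001, PLC, MODBUS_PORT, build_frame(3, 1, 6, struct.pack(">HH", 100, 0))),
    (PLC, MODBUS_PORT, ROGUE, 40001, build_frame(3, 1, 0x86, bytes([2]))),
    # length field says 1 byte follows, but 2 do: a malformed frame
    (ROGUE, 40002, PLC, MODBUS_PORT, b"\x00\x04\x00\x00\x00\x01\x01\x03"),
]


def analyze(traffic, allowed_writers):
    """Return ({(server ip, unit id): [function codes seen]}, [alert strings])."""
    inventory = defaultdict(set)
    alerts = []
    for src, sport, dst, dport, payload in traffic:
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append(f"malformed Modbus/TCP from {src}: {exc}")
            continue
        fc = frame["function"]
        name = FUNCTION_NAMES.get(fc, f"function {fc}")
        if frame["exception"]:
            code = frame["data"][0] if frame["data"] else None
            alerts.append(f"{src} unit {frame['unit_id']} answered {dst} "
                          f"with exception code {code} to {name}")
            continue
        if dport == MODBUS_PORT:            # request: dst is the Modbus server
            inventory[(dst, frame["unit_id"])].add(fc)
            if fc in WRITE_FUNCTIONS and src not in allowed_writers:
                alerts.append(f"{src} issued {name} to {dst} unit "
                              f"{frame['unit_id']} but is not an approved writer")
    return {k: sorted(v) for k, v in inventory.items()}, alerts


if __name__ == "__main__":
    inv, alerts = analyze(SAMPLE_TRAFFIC, allowed_writers={ENG})
    print("inventory:", inv)
    for a in alerts:
        print("ALERT:", a)
```

Only request frames (those addressed to port 502) populate the inventory, so a server is never mis-recorded as a client; the function-code set per unit id is what distinguishes a read-only HMI relationship from one that writes to the process.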
SMX - SECURE MEDIA EXCHANGE
USB and Removable Media Security Solution
Industrial USB Attacks are Increasing

Operation Copperfield:
• December 2017
• Critical infrastructure facility in the Middle East
• Caused by an operator watching a movie loaded from a USB during his shift

Other Industrial Examples:
• Removable Media (e.g. USB) considered the #2 ICS threat

Source: http://www.isssource.com/ics-alert-usb-malware-attack/

• 28 contract workers on site on any given day*
• 259 open USB ports in an oil refinery*
• 90% of employees & service providers rely on removable media*

*All data estimated by Honeywell Security Services Team
SMX PROTECTS AGAINST ADVANCED USB THREATS
(Increasing threat complexity)

BadUSB
• Manipulation of USB firmware.
• USB device will act as a HID - Human Interface Device (e.g. a keyboard), and can execute scripts.

Rubber Ducky
• A keystroke injection tool disguised as a generic USB drive.
• Computer recognizes the USB as a "normal" keyboard and automatically executes the preprogrammed rubber ducky scripts.
• Execution speed around 1000 words per minute!

Bash Bunny
• A fully featured Linux computer with the ability to execute all Rubber ducky scripts, as well as more complex attacks leveraging data connections (e.g. Ethernet over USB or Ethernet control model - ECM)
• Can also impersonate mass storage or serial devices

SMX Provides Protection from Attacks Others in the Industry Cannot
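Added example (not SMX or Honeywell code) showing the host-side check that the three threat classes above call for: a drive that also enumerates a HID interface or a CDC (Ethernet-over-USB/serial) interface is refused before it is mounted, approved media is matched against an allowlist of VID/PID/serial, and a keystroke-rate heuristic separates scripted injection (around 1000 words per minute, as stated above) from human typing. The allowlist values, device records and keystroke timestamps are constructed for the example; the USB class codes are the standard USB-IF ones.

```python
"""Added example (not Honeywell or SMX code): a host-side admission check
for removable media, modelled on the threat classes described above."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# USB interface class codes from the USB-IF class code table
USB_CLASS_CDC = 0x02            # Communications; Ethernet-over-USB (ECM) lives here
USB_CLASS_HID = 0x03            # Human Interface Device (keyboards, mice)
USB_CLASS_MASS_STORAGE = 0x08   # ordinary flash drives
USB_CLASS_CDC_DATA = 0x0A       # data channel paired with a CDC interface


@dataclass
class UsbDevice:
    vid: int
    pid: int
    serial: str
    interface_classes: List[int]


# Constructed allowlist of drives issued by the site; VID/PID/serial values
# are placeholders, not real vendor identifiers.
APPROVED_MEDIA: Set[Tuple[int, int, str]] = {
    (0x1234, 0x5678, "SITE-A-0001"),
    (0x1234, 0x5678, "SITE-A-0002"),
}


def evaluate_device(dev: UsbDevice, approved=APPROVED_MEDIA):
    """Decide whether a device may be mounted as removable media.

    Returns (allowed, reasons). Any interface class other than mass storage
    is refused outright, which is what catches a drive that also enumerates
    a keyboard (BadUSB / Rubber Ducky) or a network adapter (Bash Bunny ECM).
    """
    reasons = []
    classes = set(dev.interface_classes)
    if USB_CLASS_HID in classes:
        reasons.append("presents a HID (keyboard-class) interface")
    if classes & {USB_CLASS_CDC, USB_CLASS_CDC_DATA}:
        reasons.append("presents a CDC network/serial interface")
    if USB_CLASS_MASS_STORAGE not in classes:
        reasons.append("no mass-storage interface")
    if (dev.vid, dev.pid, dev.serial) not in approved:
        reasons.append("not on the approved media list")
    return (not reasons), reasons


def chars_per_second(timestamps_ms: List[int]) -> float:
    """Average keystroke rate from key-down timestamps (milliseconds)."""
    if len(timestamps_ms) < 2:
        return 0.0
    span = timestamps_ms[-1] - timestamps_ms[0]
    return (len(timestamps_ms) - 1) * 1000.0 / span if span > 0 else float("inf")


# Constructed keystroke timelines: a person at roughly 80 words per minute
# (150 ms between keys) versus scripted injection at roughly 1000 words per
# minute (12 ms between keys).
HUMAN_KEYS = [i * 150 for i in range(30)]
INJECTED_KEYS = [i * 12 for i in range(30)]
INJECTION_THRESHOLD_CPS = 20.0   # well above sustained human typing speed


def looks_injected(timestamps_ms: List[int]) -> bool:
    """True when the observed rate is faster than a person can sustain."""
    return chars_per_second(timestamps_ms) > INJECTION_THRESHOLD_CPS


if __name__ == "__main__":
    samples = [
        UsbDevice(0x1234, 0x5678, "SITE-A-0001", [USB_CLASS_MASS_STORAGE]),
        UsbDevice(0x1234, 0x5678, "SITE-A-0001", [USB_CLASS_MASS_STORAGE, USB_CLASS_HID]),
        UsbDevice(0x1111, 0x2222, "unknown",
                  [USB_CLASS_MASS_STORAGE, USB_CLASS_CDC, USB_CLASS_CDC_DATA]),
    ]
    for d in samples:
        print(d.serial, evaluate_device(d))
    print("human injected?", looks_injected(HUMAN_KEYS),
          "scripted injected?", looks_injected(INJECTED_KEYS))
```

The interface-class rule is the important one: a drive's firmware decides what it enumerates as, so a serial on the allowlist is not by itself evidence that the device is only storage.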


SMX – 3 Main Components

1 The SMX Intelligence Gateway

2 Honeywell's Threat Intelligence
• Private connection to Honeywell's Threat Intelligence for constant detection updates, patches, etc.
• No connection required to the customer's network if the cellular option is chosen.

3 SMX USB Driver Protected Computers
SMX WINS INDUSTRY AWARD
2019 BIG FORTRESS CYBERSECURITY AWARD
SMX recognized for world leading "threat detection" capabilities
The Future is What we Make It.
Make it Secure.

MORE INFORMATION:
Kelvin.Chin@honeywell.com