Cascade Natural Presentation


Cyber Security
Douglas DiJulio
Director – Enterprise Operations Application Support
Cascade Natural Gas
• MDU Resources – Parent Company
  ◦ 8,689 employees / Operating in 48 states
  ◦ Regulated electric and natural gas utilities
  ◦ Electric and Natural Gas Utilities:
    • Cascade Natural Gas Corporation
    • Great Plains Natural Gas Co
    • Intermountain Gas Company
    • Montana-Dakota Utilities Co
  ◦ Natural gas pipelines and related services
  ◦ Diesel refining
  ◦ Construction materials and services
Cyber Security
1. Perimeter Controls (card key access, fences and locks)
2. People, Policies, Procedures (CyROC, User Education, Sensitive Data Policy)
3. Network Architecture (Firewalls, Routers, Switches, VPNs)
4. Strong Access Control – Cyber Access Control (Active Directory, Domain Security, alerting)
5. Host Security (Operating Systems of Servers/Workstations)
6. Application Security (SCADA, CIS, Database, Web, and others)
7. Unique Security Requirements for what is being protected (PLCs, RTUs, Plant Equip)
Adopted Cyber Security Framework
• 20 Critical Security Controls (CSCs) – Center for Internet Security
  ◦ Lists 20 controls that organizations can use to improve their security posture and reduce the risk of cyber threats
• Prioritized, Specific and Actionable
• Critical Security Controls 1-5 have been known to stop 85-90% of attacks against organizations today
CIS Critical Security Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capability
11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
Security Assessment
• Network Traffic Analysis
• External Penetration Test
• Internal Penetration Test
• Social Engineering
Corporate Policies
• CORP 211 - Cloud, Third Party, and Outsourcing Policy
• CORP 212 - Database Security Policy
• CORP 213 - Mobile Device Security and Acceptable Use Policy
• CORP 214 - Server Security Policy
• CORP 216 - Workstation Security Policy
• CORP 226 - Network Security Policy
• CORP 227 - Remote Access Policy
• CORP 228 - Wireless Security Policy
• CORP 236 - Business Applications Security Policy
• CORP 237 - Software Development Policy
• CORP 241 - Business Continuity and Disaster Recovery Policy
• CORP 242 - Certification and Accreditation Policy
• CORP 243 - Change Management Policy
• CORP 244 - Control Exception Policy
• CORP 247 - Software Update and License Policy
• CORP 248 - Training, Education, and Awareness Policy
• CORP 256 - Access Control and Authorization Policy
• CORP 257 - Account and Identity Management Policy
• CORP 258 - Anti-Malware Policy
• CORP 259 - Authentication Policy
• CORP 260 - Data Backup and Archiving Policy
• CORP 261 - Encryption Policy
• CORP 262 - Logging and Monitoring Policy
• CORP 263 - Removable Media Policy
• CORP 264 - System Decommissioning and Data Destruction Policy
• CORP 271 - Email Security and Acceptable Use Policy
• CORP 272 - Internet Security and Acceptable Use Policy
• CORP 281 - Penetration Testing Policy
• CORP 282 - Vulnerability Management Policy
• CORP 283 - Cyber Risk Management Policy
Cyber Security Posture
• Corporate firewall
• Internet website blocker – Websense
• Anti-virus protection (auto update daily)
• Online "Learn the Law" IT security training
• EMS & SCADA isolation
• Leadership Conference IT lunch and learn
• Password protected corporate network and applications
• Corporate based security team
• Password protected mobile devices
• Quarterly Nessus perimeter scan
• Screensaver password locks
• DDoS protection with AT&T
• Firewall log monitoring
• Domain admins – least privilege
• Email spam blocking – Postini
• Cisco managed wireless standards
• CyROC team
• LANDesk – vulnerability scans & patching
• GFI LanGuard – server scans & patching
• Two-factor authentication required for:
  ◦ System admins
  ◦ VPN access
• Internal auditing involvement / lead
• Homeland Security Portal
• Homeland Security Alerts
• Security subscription services
Gas SCADA
• The Gas SCADA Network
  ◦ Separate private network, isolated from all other corporate networks
  ◦ Security & high availability
• Compliance
  ◦ NIST Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security – Revision 2 (May 2015)
• Equipment and Service Providers
  ◦ CenturyLink – Transport
  ◦ Cisco Systems – Routers and Switches
  ◦ Check Point Software Technologies Inc. – Firewalls
Enclave Cyber Security Assessment
• Contracted with "Enclave Security" to perform Cyber Security Assessments
  ◦ 2014
  ◦ 2015 (79% increase)
  ◦ 2016 – June 20th
  ◦ Interviews
  ◦ Reviewing technical systems
  ◦ Results of the scores are directly communicated to the Audit Committee during their Board of Directors meeting
RSA Security Analytics Test
• Contracted with RSA Security Analytics to capture & analyze network traffic at the primary network ingress/egress point (2-week capture engagement)
  ◦ Analyze data traffic traversing the entire network
  ◦ Identify potential malicious or anomalous network behavior:
    • Suspicious activity or files
    • Non-standard network traffic
    • Traffic to potentially suspicious destinations
    • Active malware
    • Shadow IT activity
    • Commoditized crimeware
    • Non-standard DNS traffic
    • Clear-text credentials
    • Known exploits
Technology Penetration Test
• Contracted with "OPTIV" to perform a Cyber Security Penetration Test – Jan thru March 2016
• Identify security weaknesses
  ◦ Attempt to gain access to the network
  ◦ Identify security threats, vulnerabilities, mitigation strategies
• Test Series
  ◦ Perimeter penetration testing
  ◦ Internal penetration testing
  ◦ Social engineering
Perimeter Penetration Testing
• Conducted from the perspective of an attacker originating from the Internet
  ◦ Assessors did not identify any vulnerabilities that led directly to accessing sensitive data
• Issues were identified with a lack of configuration standards
• Issues were identified indicating that not all web servers were configured using best practices
• Issues found in this assessment require a minimal level of effort to remediate
Internal Penetration Test
• Conducted to find vulnerabilities internal to the network
  ◦ Multiple instances were found of end-of-life software that no longer receives vendor patches to address security flaws
  ◦ Legacy protocols were found that can be exploited by an attacker to gain valid domain credentials and unauthorized access to the network
  ◦ Password deficiencies were found, including, but not limited to, weak/default passwords and unprotected file shares
Social Engineering – Phishing
• Conducted to evaluate the security awareness and technical controls in place to detect or prevent a social engineering attack
  ◦ Target groups
    • IT
    • HR
    • Accounting & Executives
  ◦ 1,100 emails were sent
  ◦ 115 users' actions allowed the assessor inside the network
  ◦ Help Desk was notified within 5 minutes of the suspicious email being sent
Social Engineering – Media Drop
• Conducted to evaluate security awareness and technical controls in place
  ◦ Weaponized USB devices that, when plugged in, reported back to the assessor
    • Two devices were plugged into computers on the corporate network; one device was taken off network and plugged in remotely
    • Assessor was not able to compromise the network with this assessment
Cyber Security – Mutual Aid Agreements
• Exists between our 4 brands
• American Gas Association (AGA) – Mutual Assistance Program, Master Operations Assistance Agreement (MOAA)
  I. NW Companies – Regional
  II. AGA Expanded NW Region
  III. National Attention
• Annual mock drill
• IT requests
  ◦ Back office support, IT infrastructure, facilities, wiring, communications
  ◦ Limited access capabilities depending on situation
Cyber Security
• NG – Gas Transmission Operators
  ◦ No direct connection
  ◦ Gas quality and volume information is exchanged between parties via secure FTP
Questions