COMPANY PROFILE

Our customer, a major U.S.-based petrochemical company with more than $13 billion in revenue, operates more than 30 chemical plants in the United States and around the world and is a major producer of olefins, polyolefins and specialty chemicals from natural gas and other petroleum components. It also serves the oil industry with a variety of oilfield fluids to improve productivity of new wells and restoring old ones. It relies heavily on Microsoft products and a heterogeneous mix of distributed control systems (DCS) that manage its global operations.

THE SITUATION:

 

The industrial control systems for production facilities in eight countries from North America to Asia were being managed locally at each site, with no standardized components or corporate view. Reporting on the security status of these systems relied heavily on manual processes and often was not reliable. System data was not always logged and was not always accurate. In the face of increasing risks in the cyber-threat landscape in which industrial control systems were operating, a standardized way to manage these critical systems was needed. Safety is a core value in the petrochemical industry, and the essence of safety in industrial processes is stability. Safety in Operational Technology is a continuous process of improvement that depends on patience and planning. Yet in an increasingly networked and automated environment, cyber security is critical to safety and real time visibility into control system configuration and security status is necessary. The company’s Industrial Control System (ICS) security manager does not control the plants’ control systems, but focuses exclusively on the systems’ security. Coming from the IT side of the business, which traditionally focuses attention on up-to-date software patching, antivirus and backup, he understood the need for a solution that addresses the challenges of both IT security and Operational Technology (OT) safety.

 CUSTOMER REQUIREMENTS

 

• Manage an existing heterogeneous control environment, providing a standardized view across systems from a variety of DCS vendors including Yokogawa, ABB, Honeywell, Schneider, Emerson, Rockwell and others.
• Achieve an automated, real-time view of the status and configuration of networks and servers, as well as provide change management, so that threats can be identified and mitigated in a timely manner.
• Enable rapid, coordinated response to security incidents when a breach or other problem is identified.
• Protect networks and servers in industrial and process control systems without compromising the stability and uptime critical in OT environments.f
• Address looming regulatory frameworks. Although the Chemical Facility Anti-Terrorism Standards (CFATS) were published by DHS as interim rules in 2007 and other industry standard are under consideration, the company wanted a solution that could support possible future regulations.

“We saw the [threat] landscape becoming more complex and the risks increasing.”

THE RESULT: IMMEDIATE VALUE AND VISIBILITY, RAPID DEPLOYMENT

 

After full implementation, the company had a single, unified view of the configuration of networks and servers in the OT environment, both at the site level and centrally. Immediately the customer was able to identify several network and server configuration issues. For the first time security managers are able to log in to remote locations on a site-by-site basis and get a standardized view of conditions.

“The Industrial Defender team had on-site techs who understood OT and IT, enabling rapid deployment at 7 sites.”

As part of a three year project bridging IT and OT asset owners, the implementation of ASM was swift and efficient. Seven sites were deployed in 9 months on a range of DCS platforms from Yokogawa, ABB, Honeywell, Schneider, Emerson, and Rockwell. The customer also noted that the project helped to advance collaboration between IT and OT staff.After more than a year with Industrial Defender in operation, the security team is pleased to report that no significant security incident has occurred. ASM is being used proactively to ensure that systems are up-to-date and running with the visibility needed to minimize the risk of a security-related disruption. The customer is highly satisfied with their ASM deployment and plans to expand to 10 sites.

COMPANY PROFILE

The international company profi led plays a role in every aspect of the energy industry, from exploration, to production and distribution of crude oil and natural gas, to the development of future energy resources. The company has 80,000 employees worldwide and is committed to a long-term strategy of growing its reserves and production while ensuring sustainability and improving profi tability.

THE SITUATION: COLLABORATION OF GEOGRAPHICALLY DISPERSED SOC TEAMS

The company has an extensive, global security operations center (SOC) team to protect critical missions. Around-the-clock incident response teams reside in three locations around the world, and include an investigation and forensics team as well as a senior analyst team for reviews and escalated intrusions. Communication with teams focused on the perimeter fi rewall, email infrastructure, and network operations help to implement mitigations or steps to thwart intrusions.The need for many geographically dispersed teams to work together made it diffi cult to determine the state of alerts and mitigations across the system. Every analyst had a different system of recording analyses, and efforts were often duplicated because they had no way to share their work. They lacked clear understanding of the distribution of work, and team members did not have a clear line of sight for what tasks needed to be completed.

GOAL & CHALLENGES

• Improve communications for a geographically dispersed SOC team
• Protect operations from emerging threats

SOLUTION: THE PALISADE PLATFORM

An evaluation of numerous security tools and management platforms designed to gather and aggregate data from disparate sources led the company to invest in Palisade software. This intelligence management application develops and stores multisourced cyber intelligence to use in combatting advanced threats. The Palisade solution is not just an intelligence ingest engine or broker—it’s a tool for analysts to create an adaptive network defense. The Cyber Kill Chain® Solution uses a phased, sevenstep process to help defenders understand the objectives, profi les, and behaviors of adversaries. A kill chain model describes the phases of intrusion, allowing defenders to align their enterprise defense to the specifi c processes an adversary uses to target them. The seven phases of the Cyber Kill Chain suite process are reconnaissance, weaponization, delivery, exploitation, installation, command and control, and action on objectives. Intruders succeed if, and only if, they reach step seven in the cyber threat model.A defender’s goal is to understand the aggressor’s actions. Understanding is intelligence. The Palisade platform ensures analysts have actionable intelligence to thwart attacks before the adversary reaches step seven.

RESULT: A VIRTUAL, COLLABORATIVE ENVIRONMENT FOR GLOBAL SOC TEAMS

The establishment of queue work groups and external assignee groups via the Palisade implementation allowed security operators to set up a virtual collaborative environment with a fl exible workflow. Team members were now able to communicate and work in partnership within the system to build a central repository of intelligence information using customizable classifications, alert metadata, mitigations, and notifications.

"No matter where a team Member is located or what Their specifi c job function, They can easily log into the Palisade application and get a Consolidated view of incidents And remediations across the Enterprise."

-SOC Team Member The Palisade platform can also measure analysts’ work so SOC managers can track them over time and monitor improvement. Viewing shift reports and Palisade charts helps managers better understand current system output, distribution of events, time to closure of events, and distribution of indicators by confi dence and number of occurrences. This means management has a better understanding of the progress made toward more effi cient and effective analyst teams.