Cyber security. Ideal logo position here

Transcription

1 Cyber security Ideal logo position here

2 Cyber security Cundall IT and audio visual Setting the scene UK construction industry Computer networks Ethical hacker Case studies Summary Final thoughts

3 IT and audio visual - services Lifecycle, consultancy led Strategy and business case support Concept and detailed design Procurement and implementation Key areas Revenue generation / cost reduction Audio Visual and collaborative technology IP data networks (Wired/Wireless/Mobile) Main projects (large IT / audio visual influence) Offices and data centres Schools, colleges, universities Hotels, sports venues

4 Cundall sectors Critical Systems Education Government Healthcare Industrial Lifestyle Masterplanning and infrastructure Residential Retail Workplace

5 Sample projects Workplace Education Residential Deloitte London Campus ENI Saipem Antofagasta Sussex Coast College Sevenoaks School Lycee Francais School One Hyde Park Smart Home Porto Dubai Critical Systems Lifestyle Healthcare Confidential clients Cobalt Data Centre Kingfisher Twickenham Stadium Lingfield Racecourse Dubawi Island Northern Island Telephony Hospices The London Clinic Sussex Coast College, Hastings and Ore, United Kingdom New Street Square (Deloitte HQ) London, United Kingdom Lingfield Park redevelopment Surrey, United Kingdom Porto Dubai Island Dubai, United Arab Emirates

6 Cyber security

7 Setting the scene

8 Setting the scene

9 Setting the scene National Cyber Security Programme Investment ( ) 2% Department for Business, Innovation and Skills, working with the private sector and improving resilience 2% 10% 10% Home Office, tackling cyber crime 10% 14% 5% 59% Single Intelligence Account, building cross cutting capabalities, including Information Assurance 59% Cabinet Office, co ordinating and maintaining a view of operational threat 5% Ministry of Defence mainstreaming cyber in defence 14% Government ICT, building secure online services 10%

10 Setting the scene CESG Communications Electronics Security Group: UK Government's National Technical Authority for Information Assurance (IA).

11 Setting the scene Cyber Security: Protection of business systems Applications IP networking (computer networks) Operating systems SCADA or similar building control networks (i.e. BMS) Telecommunications

12 UK construction industry What is the construction industry doing about cyber security

13 UK construction industry Most don t know they have a problem: If they do, few understand it What is the problem: Computer systems and networks increasingly control buildings/estates/cities Compromise the networks, compromise the buildings Solution?: no networks Answer: NO! No benefit to clients

14 UK construction industry Benefit verses risk. Understand risk understand technology and how it can be abused Construction industry is a slow moving industry Best practice? Often what was done last time (and before ) Technology adoption 5-10 years - Inertia is problem Designs often obsolete when constructed Supply chain not up to the job (IT companies moving in) What the industry needs is a very public security breach of a building to raise profile (not advertised ).

15 UK construction industry Examples of compromising a building : Take control (or just turn off) security and building management systems: De-activate cameras, delete CCTV footage (theft) Change access control permissions (theft) Lighting control (nuisance, cost) BMS (change, parameters, alarm handling) Nuisance? Mission critical lead to downtime Remote power management turn devices or even building off (downtime, death?)

16 Computer networks Need to understand technology and design building computer networks and systems that deliver benefits to clients but mitigate against security risks. Networks are multi-layer, from applications to bits & bytes

17 Computer networks

18 Computer networks A few simple steps to improving security: Think holistically Have a policy Educate Staff Control who has access Manage passwords Patch and update systems Deploy firewalls and intrusion detection Leave programmable systems in run mode not programme mode

19 Ethical hacker You have designed secure networks/systems for buildings, how do you commission and prove the configurations are correct? Penetration testing

20 Case study - bank BMS and lighting network Financial trading environment Global IT standards Network design reviewed by client IT Part of network traverses Corporate network

21 Case study large campus Multi million lifecycle network All services run over multiple virtual networks Architecture allows for multiple 3rd parties to operate securely External and internal threats considered Users and devices authenticated Technology such as Intrusion detection, filtering, cryptography designed in Architecture appropriate for a large campus, hospital, airport

22 Summary Cyber security Design development benefit v risk Multi-layer problem, multi-layer approach required Different mind-set for commissioning Don t forget people and policy!

23 Some final thoughts Question Is a computer network more or less secure if it has wireless?

24 Some final thoughts Answer Depends you can use wireless access points to detect rogue wireless access points (You need to consider the risk that someone has attached an unauthorised wireless device to the network and is broadcasting information outside of the building or locally to a receiving device. You also get the benefit of having wireless!)

25 Some final thoughts Question Is the following good practice? Set the BMS password at the head-end to 0, it will be easy to remember then

26 Some final thoughts Answer No!

27 Some final thoughts Question Is this following a sufficient performance specification for a network: Provide a network for corporate, security and BMS use. Deliver 1 gigabit to the desk performance.

28 Some final thoughts Answer No! Has not addressed any of the multi-layer design issues

29 Some final thoughts Question Is the following good practice? Have separate physical data networks for corporate, security, BMS and other services?

30 Some final thoughts Answer it depends Risk assessment Ownership and maintenance Every client will have different requirements

31 Some final thoughts Question Is the following good practice? we have a separate network, it is not connected to the internet or other networks, we don t need IT security

32 Some final thoughts Answer No If you ask them do they use laptops during maintenance and fault finding, the answer is likely to be yes. Therefore, network is vulnerable. Stuxnet Trojan that attacked (re-programmed) Siemens PLCs N.B. Traverses networks not connected to the Internet/other networks

33 THROUGH INNOVATION WE CREATE CHANGE IN THE WORLD