Automation, Process Control and SCADA Systems in Critical Infrastructures Future Threats and Requirements
|
|
- Abner Hubbard
- 7 years ago
- Views:
Transcription
1 Automation, Process Control and SCADA Systems in Critical Infrastructures Future Threats and Requirements Hans Honecker Federal Office for Information Security SCADA and Process Control Security Summit
2 Contents The BSI Critical Infrastructures and Critical Processes Critical Processes and IT-based automation technologies Future Threats Future Requirements Transfer to other IT-supported technology areas Conclusions Slide 2
3 Brief Introduction Federal Office for Information Security (BSI) The BSI at a glance Focus of activities Co-operations Slide 3
4 The BSI at a Glance Independent and neutral authority for IT security High level federal public agency within the area of responsibility of the Federal Ministry for the Interior Founded in 1991 unique as a public agency in comparison to other European establishments Staff: around 500 employees Budget: 60 million Slide 4
5 Focus of Activities Internet security Secure e-government IT baseline protection National / international security co-operation Cryptographic innovation Biometrics Security from eavesdropping Awareness campaign on IT security Certification and approval Protection of critical infrastructures Slide 5
6 Contents The BSI Critical Infrastructures and Critical Processes Critical Processes and IT-based automation technologies Future Threats Future Requirements Transfer to other IT-supported technology areas Conclusions Slide 6
7 Critical Infrastructures... Critical Infrastructures are organisations and facilities of major importance to the community whose failure or impairment would cause a sustained shortage of supplies, significant disruptions to public order, or other dramatic consequences (2006) In short: Critical infrastructures provide indispensable and essential goods and services to society and economy. Slide 7
8 Critical Infrastructure Sectors 1. Transportation 2. Energy 3. Hazardous materials 4. IT and telecommunications 5. Finance and insurance 6. Services (incl. health care, emergency and rescue services) 7. Public administration and justice system 8. Other (e.g. media, buildings) Slide 8
9 Overall-Experience Pizza Otto Stagioni Services Finance and Insurance Transportation Public Administration Hazardous Materials Energy Other IT and Telecommunications Slide 9
10 ... and Critical Processes Critical Infrastructures provide indispensable and essential goods and services to society and economy by running Critical Processes. These processes are indispensable for society and economy heavily (and growing) interdependent and complex at risk by - by technical or human failure natural disaster attacks breakdown or failure of critical processes of other infrastructures Slide 10
11 Interdependent Processes Infrastructure Sectors public administration, justice IT and telecommunications hazardous materials other finance and insurance energy transportation services and supply Slide 11
12 Interdependent Processes Infrastructure Sectors public administration, justice IT and telecommunications hazardous materials other finance and insurance energy transportation services and supply Slide 12
13 ... and Critical Processes Critical infrastructures provide indispensable and essential goods and services to society and economy... by running Critical Processes. These processes are indispensable for society and economy heavily (and growing) interdependent (through their process infrastructure) at growing risk by - by technical or human failure natural disaster attacks breakdown or failure of critical processes of other infrastructures Critical Processes need to be kept robust and resilient Slide 13
14 Contents The BSI Critical Infrastructures and Critical Processes Critical Processes and IT-based automation technologies Future Threats Future Requirements Transfer to other IT-supported technology areas Conclusions Slide 14
15 Critical Processes and IT-based Automation Technologies (1) Critical processes need to be kept robust and resilient... Holistic approach necessary All critical processes dealing with physical process objects use automation, process control and/or SCADA technologies (we will use SCADA for all three in this talk) [ SCADA = Supervisory Control And Data Acquisition] All critical processes depend on electricity - most very straight - which in turn depends on SCADA technology SCADA -technologies as archetype for discussion of challenges on process and infrastructure layers, proposals for future developments Slide 15
16 Critical Processes and IT-based Automation Technologies (2) SCADA -technologies are present in electricity generation and distribution gas and water supply many process infrastructures of other critical infrastructures used in a wide range and different layers of processes production processes distribution processes control processes with extremely different process objects tangible goods energy (electricity, gas, oil,...) measurement data, information,... AND make extensive use of components based on information technology Slide 16
17 IT-based Automation ( SCADA ) Technologies Operating Conditions compared to standard information technology: IT-based Automation Technology Standard Information Technology (local use) Continuous operation Operation during business hours Top priority for availability Top priority for confidentiality and integrity (Physical) process has priority Information security has priority Patching difficult or impossible Patching state of the art Specialised IT serves to control Standardised IT serves to physical processes process data and information Slide 17
18 Contents The BSI Critical Infrastructures and Critical Processes Critical Processes and IT-based automation technologies Future Threats Future Requirements Transfer to other IT-supported technology areas Conclusions Slide 18
19 Future Threats To be considered for planning of, building or rebuilding CI (Critical Infrastructures) important from the viewpoint of CI Protection (CIP) (possible consequences of failures or malfunctions) growing interconnection between process infrastructures of same type (e.g. electricity distribution grids) increasing dependencies and interdependencies of different critical processes increasing complexity of critical processes DISCLAIMER: We do not (or less) consider current threats (in this talk!) We assume state of the art (2008) IT-security implemented Slide 19
20 Category: Technical Failures and Human Errors Technical failures / malfunctions in general: Malfunctions of process specific IT can totally screw up processes (e.g. hardware, software or configuration errors) Example: Programming errors in a DCS added to the heaviness of US Blackout 2003 malfunctions on the network layer endanger process infrastructures (be it malfunctions specific to SCADA or not) side effects (e.g. reduced functionality modes on any layer) backfiring patches or updates (if patching feasible at all) Human errors operating errors Example (continued): Human Errors also added to the heaviness of US Blackout 2003 Example: Human Errors added to the EU Blackout November 2006 Slide 20
21 Category: Disasters and Natural Phenomenons Increase in number and weight / heaviness Side effects with cumulative impact e.g. long lasting heat and drought cooling problems in energy generation and operation of IT shortage in energy supply AND higher demand Flooding, earth quakes, volcanoes... e.g. Japanese nuclear power plant Yellow Stone National Park? Maria Laach? Far-fetched threats? E.g., what about solar activity? What about a direct hit by a solar storm? Loss of communication means (satellite and terrestrial communication)? Loss or temporary unavailability of electricity grid? Slide 21
22 Category: Attacks Risk of external cyber attacks hacking (e.g. successful external pen test of a US-based electricity provider straight through into the control system) attacks by Trojan horses targeted to Process Control Network (PCN): worst, if successful untargeted: high risk of collateral damage attacks through maintenance channels (notebooks, connections) collateral damage of untargeted attacks Risk of internal attacks disgruntled employees, subcontractors or maintenance personnel attacks through hacked systems of process partners backdoors on SCADA, network, or server hardware layer side effects of security testing Slide 22
23 Category: Dependencies Reminder: Critical Processes need to be kept robust and resilient Critical Processes depend on other Critical Processes all: on energy, information- and telecommunications processes many: on financial processes, transportation processes almost all: on some interconnected processes on process layer? Can today s Critical Processes sufficiently handle malfunctions or failures of processes they depend on? Critical Processes should handle dependency issues run core functionality as long as possible (graceful degradation) swiftly recover full functionality after failures in connected processes Slide 23
24 Contents The BSI Critical Infrastructures and Critical Processes Critical Processes and IT-based automation technologies Future Threats Future Requirements Transfer to other IT-supported technology areas Conclusions Slide 24
25 Future Requirements (all Layers) New or further development of technologies for use in CI Aspects to be considered at all layers of technology and integration technologies: long term maintenance and service; open migration paths robustness and resilience as important design criteria options for minimisation (for security issues and for...)... inbuilt graceful degradation (keep up core functionality) minimisable energy consumption (to operate during blackouts) avoid functionality which can endanger process and automation infrastructures or do not contribute to the process! explicit suitability for specific use in Critical Processes and automation infrastructures (at least qualified by manufacturers)!!!!!! Slide 25
26 Future Requirements Layers of technology to be considered for future use of SCADA technologies in Critical Process Infrastructures: process specific applications and applications software standard software (databases, analysis, visualisation,...) operating systems (on servers, terminals, process specific hardware,...) hardware (servers, terminals, process specific,...) network technology and architecture organisation and process architecture (not discussed further) (many efforts have to be mirrored on organisational layer) (some processes might gracefully degradate to manual operation or organisational driven process backups) Slide 26
27 Future Requirements Application Layer Process specific applications and application software should be largely platform independent (with regard to operating systems and database layer) ensure robustness and resilience of processes, inter alia against failures or malfunctions provide modes for operation during crisis or under extreme conditions (graceful degradation) completely document any communication relationship needed or used by the application be open to independent analysis of security, safety and correctness (in particular with regard to availability) Slide 27
28 Future Requirements Standard Software Standard software for databases, data analysis or visualisation etc. should provide secure installation (e.g. no standard passwords) be minimisable (only install needed functionality) no functionality not needed for specific processes e.g. no DRM, multimedia, hidden databases,... no reduced functionality modes feasible and configurable patch and update mechanisms communication strictly restricted to the process needs inter alia: only to explicitly specified systems, no phone home offering needed standard functionality without security risks many more Slide 28
29 Future Requirements Operating Systems Servers, most terminals are / many process specific hardware is running on an operating system layer. We need functionality minimisable to systems needs feasible methods for system hardening and patching long term availability (corresponding to lifetime of the infrastructure of the Critical Process, might be decades) no functionality that could put Critical Processes at risk no phone home, no DRM, hidden services, multimedia,... no reduced functionality mode (yes, I know I repeat myself :-) many more In short: Operating systems customisable to infrastructure requirements Slide 29
30 Future Requirements Hardware Servers, terminals, process specific hardware etc. used in SCADA systems running Critical Processes should be physically robust (where necessary) against industrial (e.g. electromagnetic) environment environmental or external influence (e.g. solar storms, EMP...) provide hardware based modes for minimised operation low power consumption (for crisis and long term energy shortage) battery buffered or emergency (low) power supply operation support graceful degrading the process to core functionality mode long term availability easy replacement (e.g. for quick disaster recovery) many more Slide 30
31 Future Requirements Network Technologies (1/2) Network architectures based on standard network technology often provide the communication infrastructure of SCADA based process infrastructures (this is the N in PCN) Architectural view: SCADA systems may be attacked using network layer Network connects at least partly unpatched systems Failures on network layer endanger SCADA systems Network defence is necessary for higher layers! strict separation of SCADA networks from other networks! restriction of communication to necessary connections Slide 31
32 Future Requirements Network Technologies (2/2) Network defence necessary for higher layers! strict separation of SCADA networks from other networks! restriction of communication to necessary connections? What about technology? Future requirements to network technologies: restrictive network operation as an (additional?) basic network operation principle (including simple hardware layer and port based approach) feasible management of restrictive network operation (easy configuration of necessary connections, deny all other) including restrictive switching, port security... Slide 32
33 Contents The BSI Critical Infrastructures and Critical Processes Critical Processes and IT-based automation technologies Future Threats Future Requirements Transfer to other IT-supported technology areas Conclusions Slide 33
34 Transfer to other IT-supported Technology Areas 1. Many requirements can be transferred to other technology areas where IT is used for operating Critical Processes, inter alia: Process specific applications: platform independence, resilience, graceful degradation, known communication,... Operating systems: minimisable functionality and feasible system hardening, long term availability, no phone home,... Network layer: defence of Critical Processes on network layer, restricted communication as network operation principle; feasible management of restricted network operation, hardware features 2. Many future requirements seem also valid for less critical processes. Slide 34
35 Contents The BSI Critical Infrastructures and Critical Processes Critical Processes and IT-based automation technologies Future Threats Future Requirements Transfer to other IT-supported technology areas Conclusions Slide 35
36 Conclusions Today s process infrastructures can (at large) be built as secure, safe and resilient as necessary. To keep up with increasing threats and growing complexity and interconnection of CI, we need to enhance robustness and inbuilt resilience security characteristics of all technology areas and layers. We can only achieve this in co-operation between process owners and operators, integrators of technologies, manufacturers, distributors and vendors. Slide 36
37 Contact Federal Office for Information Security (BSI) Hans Honecker Godesberger Allee Bonn Tel.: +49 (0) Fax: +49 (0) Slide 37
The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
More informationSecuring VoIP Networks using graded Protection Levels
Securing VoIP Networks using graded Protection Levels Andreas C. Schmidt Bundesamt für Sicherheit in der Informationstechnik, Godesberger Allee 185-189, D-53175 Bonn Andreas.Schmidt@bsi.bund.de Abstract
More informationSecurity for. Industrial. Automation. Considering the PROFINET Security Guideline
Security for Industrial Considering the PROFINET Security Guideline Automation Industrial IT Security 2 Plant Security Physical Security Physical access to facilities and equipment Policies & Procedures
More informationfor Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs
for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs EXECUTIVE SUMMARY Supervisory Control and Data Acquisition (SCADA) systems are used for remote
More informationCritical Infrastructure & Supervisory Control and Data Acquisition (SCADA) CYBER PROTECTION
Critical Infrastructure & Supervisory Control and Data Acquisition (SCADA) CYBER PROTECTION ALBERTO AL HERNANDEZ, ARMY RESERVE OFFICER, SOFTWARE ENGINEER PH.D. CANDIDATE, SYSTEMS ENGINEERING PRESENTATION
More informationEEI Business Continuity. Threat Scenario Project (TSP) April 4, 2012. EEI Threat Scenario Project
EEI Business Continuity Conference Threat Scenario (TSP) April 4, 2012 EEI Threat Scenario 1 Background EEI, working with a group of CIOs and Subject Matter Experts, conducted a survey with member companies
More informationSecuring Industrial Control Systems on a Virtual Platform
Securing Industrial Control Systems on a Virtual Platform How to Best Protect the Vital Virtual Business Assets WHITE PAPER Sajid Nazir and Mark Lazarides sajid.nazir@firstco.uk.com 9 Feb, 2016 mark.lazarides@firstco.uk.com
More informationOCR LEVEL 3 CAMBRIDGE TECHNICAL
Cambridge TECHNICALS OCR LEVEL 3 CAMBRIDGE TECHNICAL CERTIFICATE/DIPLOMA IN IT NETWORKED SYSTEMS SECURITY J/601/7332 LEVEL 3 UNIT 28 GUIDED LEARNING HOURS: 60 UNIT CREDIT VALUE: 10 NETWORKED SYSTEMS SECURITY
More informationUnderstanding Sage CRM Cloud
Understanding Sage CRM Cloud Data centre and platform security whitepaper Document version 2016 Table of Contents 1.0 Introduction 3 2.0 Sage CRM Cloud Data centre Infrastructure 4 2.1 Site location 4
More informationDisaster Recovery. 1.1 Introduction. 1.2 Reasons for Disaster Recovery. EKAM Solutions Ltd Disaster Recovery
Disaster Recovery 1.1 Introduction Every day, there is the chance that some sort of business interruption, crisis, disaster, or emergency will occur. Anything that prevents access to key processes and
More informationAUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005
AUDITOR GENERAL S REPORT Protection of Critical Infrastructure Control Systems Report 5 August 2005 Serving the Public Interest Serving the Public Interest THE SPEAKER LEGISLATIVE ASSEMBLY THE PRESIDENT
More informationCourse: Information Security Management in e-governance. Day 2. Session 5: Disaster Recovery Planning
Course: Information Security Management in e-governance Day 2 Session 5: Disaster Recovery Planning Agenda Introduction to Disaster Recovery Planning (DRP) Need for disaster recovery planning Approach
More informationCRITICAL INFRASTRUCTURE PROTECTION BUILDING ORGANIZATIONAL RESILIENCE
1 CRITICAL INFRASTRUCTURE PROTECTION BUILDING ORGANIZATIONAL RESILIENCE Gavin McLintock P.Eng. CISSP PCIP 2 METCALFE POWER STATION 16 April 2013 Sophisticated physical attack 27 Days outage $15.4 million
More informationHACKING RELOADED. Hacken IS simple! Christian H. Gresser cgresser@nesec.de
HACKING RELOADED Hacken IS simple! Christian H. Gresser cgresser@nesec.de Agenda About NESEC IT-Security and control Systems Hacking is easy A short example where we currently are Possible solutions IT-security
More informationWhy Plan B DR? Benefits of Plan B Disaster Recovery Service:
Benefits of Plan B Disaster Recovery Service: Very Fast Recovery your critical systems back in around 30 minutes. Very simple to set-up it only takes about 20 minutes to install the Plan B DR appliance
More informationRajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np
Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security
More informationBusiness Continuity Planning Assessment
Business Continuity Planning Assessment www.cheshirefire.gov.uk Every business is at risk of disruption from a variety of threats, as well as fire, these threats can include flood, loss of power or even
More informationSecurity in the smart grid
Security in the smart grid Security in the smart grid It s hard to avoid news reports about the smart grid, and one of the media s favorite topics is security, cyber security in particular. It s understandable
More informationCPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS
CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Recommended Practice: Configuring and Managing Remote Access
More informationICASAS505A Review and update disaster recovery and contingency plans
ICASAS505A Review and update disaster recovery and contingency plans Release: 1 ICASAS505A Review and update disaster recovery and contingency plans Modification History Release Release 1 Comments This
More informationDecision on adequate information system management. (Official Gazette 37/2010)
Decision on adequate information system management (Official Gazette 37/2010) Pursuant to Article 161, paragraph (1), item (3) of the Credit Institutions Act (Official Gazette 117/2008, 74/2009 and 153/2009)
More informationSection A: Introduction, Definitions and Principles of Infrastructure Resilience
Section A: Introduction, Definitions and Principles of Infrastructure Resilience A1. This section introduces infrastructure resilience, sets out the background and provides definitions. Introduction Purpose
More informationE-Commerce Security Perimeter (ESP) Identification and Access Control Process
Electronic Security Perimeter (ESP) Identification and Access Control Process 1. Introduction. A. This document outlines a multi-step process for identifying and protecting ESPs pursuant to the North American
More informationDesigning a security policy to protect your automation solution
Designing a security policy to protect your automation solution September 2009 / White paper by Dan DesRuisseaux 1 Contents Executive Summary... p 3 Introduction... p 4 Security Guidelines... p 7 Conclusion...
More informationOracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0
Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies
More informationi-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors
March 25-27, 2014 Steven A. Kunsman i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors ABB Inc. March 26, 2015 Slide 1 Cyber Security for Substation
More informationPublic Private Partnerships and National Input to International Cyber Security
Public Private Partnerships and National Input to International Cyber Security 10 September 2009 Tallinn, Estonia Maeve Dion Center for Infrastructure Protection George Mason University School of Law Arlington,
More informationHow To Manage Risk On A Scada System
Risk Management for Industrial Control Systems (ICS) And Supervisory Control Systems (SCADA) Information For Senior Executives (Revised March 2012) Disclaimer: To the extent permitted by law, this document
More informationSymphony Plus Cyber security for the power and water industries
Symphony Plus Cyber security for the power and water industries Symphony Plus Cyber Security_3BUS095402_(Oct12)US Letter.indd 1 01/10/12 10:15 Symphony Plus Cyber security for the power and water industries
More information2008 by Bundesamt für Sicherheit in der Informationstechnik (BSI) Godesberger Allee 185-189, 53175 Bonn
2008 by Bundesamt für Sicherheit in der Informationstechnik (BSI) Godesberger Allee 185-189, 53175 Bonn Contents Contents 1 Introduction 1.1 Version History 1.2 Objective 1.3 Target group 1.4 Application
More informationVerve Security Center
Verve Security Center Product Features Supports multiple control systems. Most competing products only support a single vendor, forcing the end user to purchase multiple security systems Single solution
More informationOn the European experience in critical infrastructure protection
DCAF a centre for security, development and the rule of law On the European experience in critical infrastructure protection Valeri R. RATCHEV ratchevv@yahoo.com @ratchevv DCAF/CSDM 1 This presentation
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationOil & Gas Industry Towards Global Security. A Holistic Security Risk Management Approach. www.thalesgroup.com/security-services
Oil & Gas Industry Towards Global Security A Holistic Security Risk Management Approach www.thalesgroup.com/security-services Oil & Gas Industry Towards Global Security This white paper discusses current
More informationCode of Practice for Cyber Security in the Built Environment
Brochure More information from http://www.researchandmarkets.com/reports/3085299/ Code of Practice for Cyber Security in the Built Environment Description: This code of practice explains why and how cyber
More informationCourse: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems
Course: Information Security Management in e-governance Day 1 Session 5: Securing Data and Operating systems Agenda Introduction to information, data and database systems Information security risks surrounding
More informationClaes Rytoft, ABB, 2009-10-27 Security in Power Systems. ABB Group October 29, 2009 Slide 1
Claes Rytoft, ABB, 2009-10-27 Security in Power Systems October 29, 2009 Slide 1 A global leader in power and automation technologies Leading market positions in main businesses 120,000 employees in about
More informationNuclear Plant Information Security A Management Overview
Nuclear Plant Information Security A Management Overview The diagram above is a typical (simplified) Infosec Architecture Model for a nuclear power plant. The fully-developed model would, for example,
More informationIntrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks
Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323
More informationGE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems
GE Measurement & Control Top 10 Cyber Vulnerabilities for Control Systems GE Proprietary Information: This document contains proprietary information of the General Electric Company and may not be used
More informationWhite Paper. April 2006. Security Considerations for Utilities Utilities Tap Into the Power of SecureWorks
White Paper April 2006 Security Considerations for Utilities Utilities Tap Into the Power of SecureWorks According to a recent Harris Interactive survey, the country s leading business executives consider
More informationInformation Technology Strategy
Information Technology Strategy ElectraNet Corporate Headquarters 52-55 East Terrace, Adelaide, South Australia 5000 PO Box, 7096, Hutt Street Post Office, Adelaide, South Australia 5000 Tel: (08) 8404
More informationConstructing a successful business continuity plan
Constructing a successful business continuity plan By Alan Berman Alan Berman Being prepared is the cornerstone of having a business continuity plan regardless of the size of a company. Ultimately, getting
More informationGE Measurement & Control. Cyber Security for NEI 08-09
GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4
More informationCompany profile secunet Security Networks AG
Company profile secunet Security Networks AG Profile in brief secunet is one of the leading German providers of high-quality IT security. Over 380 experts work in the areas of cryptography, e-government,
More informationNational Plan for Information Infrastructure Protection
National Plan for Information Infrastructure Protection www.bmi.bund.de Contents 1 Introduction 2 1.1 Germany s information infrastructures 2 1.2 Threats and risks to our information infrastructures 3
More informationHybrid Risk Management for Utility Networks
Hybrid Risk Management for Utility Networks Hermann de Meer hermann.demeer@uni-passau.de Computer Networks and Computer Communications Lab (CNACC) University of Passau CNACC: Introduction People Prof.
More informationSECTION 15 INFORMATION TECHNOLOGY
SECTION 15 INFORMATION TECHNOLOGY 15.1 Purpose 15.2 Authorization 15.3 Internal Controls 15.4 Computer Resources 15.5 Network/Systems Access 15.6 Disaster Recovery Plan (DRP) 15.1 PURPOSE The Navajo County
More informationCONTROL SYSTEM VENDOR CYBER SECURITY TRENDS INTERIM REPORT
Energy Research and Development Division FINAL PROJECT REPORT CONTROL SYSTEM VENDOR CYBER SECURITY TRENDS INTERIM REPORT Prepared for: Prepared by: California Energy Commission KEMA, Inc. MAY 2014 CEC
More informationEmerging SCADA and Security Solutions Presented by; Michael F. Graves, P.E. Chris Murphy, CISSP
Emerging SCADA and Security Solutions Presented by; Michael F. Graves, P.E. Chris Murphy, CISSP July 25, 2014 Topics Improved 4G Communications Mobile Devices Cyber Security Threats Cyber Security Guidance
More informationResilient and Secure Solutions for the Water/Wastewater Industry
Insert Photo Here Resilient and Secure Solutions for the Water/Wastewater Industry Ron Allen DA/Central and Steve Liebrecht Rockwell Automation Detroit W/WW Team Leader Your slides here Copyright 2011
More informationAdapting to a changing climate and energy future
Adapting to a changing climate and energy future Our policy position: Yarra Ranges Council acknowledges scientific advice concerning climate change and the need to mitigate and adapt to its impacts. Council
More informationFeature. SCADA Cybersecurity Framework
Feature Samir Malaviya, CISA, CGEIT, CSSA, works with the Global Consulting Practice-GRC practice of Tata Consultancy Services and has more than 17 years of experience in telecommunications, IT, and operation
More informationNetwork Security Guidelines. e-governance
Network Security Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type
More informationMAXIMUM PROTECTION, MINIMUM DOWNTIME
MANAGED SERVICES MAXIMUM PROTECTION, MINIMUM DOWNTIME Get peace of mind with proactive IT support Designed to protect your business, save you money and give you peace of mind, Talon Managed Services is
More informationCloud Computing for SCADA
Cloud Computing for SCADA Moving all or part of SCADA applications to the cloud can cut costs significantly while dramatically increasing reliability and scalability. A White Paper from InduSoft Larry
More informationOhio Supercomputer Center
Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original
More informationPlain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75
Plain English Guide To Common Criteria Requirements In The Field Device Protection Profile Version 0.75 Prepared For: Process Control Security Requirements Forum (PCSRF) Prepared By: Digital Bond, Inc.
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationAgenda. Introduction to SCADA. Importance of SCADA security. Recommended steps
Agenda Introduction to SCADA Importance of SCADA security Recommended steps SCADA systems are usually highly complex and SCADA systems are used to control complex industries Yet.SCADA systems are actually
More informationCyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown
Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available
More informationA dual redundant SIP service. White paper
A dual redundant SIP service White paper Ian Colville, Product Manager, Aculab Introduction The Session Initiation Protocol (SIP) eco-system: a unit of interdependent protocols functioning together within
More informationWhitepaper - Security e-messenger
Whitepaper 1 Security e-messenger Contents 1. Introduction Page 3 2. Data centre security and connection Page 3 a. Security Page 3 b. Power Page 3 c. Cooling Page 3 d. Fire suppression Page 3 3. Server
More informationINFORMATION TECHNOLOGY PROGRAM DESCRIPTIONS OPERATIONAL INVESTMENTS
EB-0-0 Exhibit D Schedule - Page of INFORMATION TECHNOLOGY PROGRAM DESCRIPTIONS OPERATIONAL INVESTMENTS SCADA SECURITY, GOVERNANCE AND OPERATIONS Program Overview Within THESL s operations, there is a
More informationPATCH MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region
PATCH MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
More informationCENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT
CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT JANUARY 2008 GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14
More informationCritical IT-Infrastructure (like Pipeline SCADA systems) require cyber-attack protection
Critical IT-Infrastructure (like Pipeline SCADA systems) require cyber-attack protection Tobias WALK ILF Consulting Engineers GmbH Germany Abstract Pipeline Supervisory Control And Data Acquisition (SCADA)
More informationUniversity of Central Florida Class Specification Administrative and Professional. Network Operations Manager (Enterprise)
Network Operations Manager (Enterprise) Job Code: 2552 Manage enterprise networks. Oversee the monitoring, testing, and trouble shooting of all network components (network software and hardware and network
More informationGE Measurement & Control. Cyber Security for NERC CIP Compliance
GE Measurement & Control Cyber Security for NERC CIP Compliance GE Proprietary Information: This document contains proprietary information of the General Electric Company and may not be used for purposes
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More informationSummary of CIP Version 5 Standards
Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have
More informationDisaster recovery planning.
Disaster recovery planning. Disaster recovery planning is the creation of a process to follow in the event of a disaster. The development and the maintenance of a disaster recovery plan isn t something
More informationSecurity Whitepaper: ivvy Products
Security Whitepaper: ivvy Products Security Whitepaper ivvy Products Table of Contents Introduction Overview Security Policies Internal Protocol and Employee Education Physical and Environmental Security
More informationContinuity of Business
White Paper Continuity of Business SAS Continuity of Business initiative reflects our commitment to our employees, to our customers, and to all of the stakeholders in our global business community to be
More informationWhite Paper: Librestream Security Overview
White Paper: Librestream Security Overview TABLE OF CONTENTS 1 SECURITY OVERVIEW... 3 2 USE OF SECURE DATA CENTERS... 3 3 SECURITY MONITORING, INTERNAL TESTING AND ASSESSMENTS... 4 3.1 Penetration Testing
More informationTriangle InfoSeCon. Alternative Approaches for Secure Operations in Cyberspace
Triangle InfoSeCon Alternative Approaches for Secure Operations in Cyberspace Lt General Bob Elder, USAF (Retired) Research Professor, George Mason University Strategic Advisor, Georgia Tech Research Institute
More informationSecure SCADA Summit. Dan Mintz, CTO. Civil Health Services Group dmintz@csc.com. Twitter: technogeezer, December 2009
Secure SCADA Summit Dan Mintz, CTO Civil Health Services Group dmintz@csc.com Twitter: technogeezer, December 2009 For 50 years, CSC Has Helped Clients Ride Every Major Business- Driven Technology Wave
More informationInformation Security Services
Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual
More informationProtecting Critical Infrastructure
Protecting Critical Infrastructure SCADA Network Security Monitoring March 20, 2015 Table of Contents Introduction... 4 SCADA Systems... 4 In This Paper... 4 SCADA Security... 4 Assessing the Security
More informationGoodData Corporation Security White Paper
GoodData Corporation Security White Paper May 2016 Executive Overview The GoodData Analytics Distribution Platform is designed to help Enterprises and Independent Software Vendors (ISVs) securely share
More informationHoneywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014
Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security
More informationSecurity Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions
Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample
More informationCDK Cloud Hosting HSP (Hardware Service Provision) For your Dealer Management System (DMS)
CDK Cloud Hosting HSP (Hardware Service Provision) For your Dealer Management System (DMS) First things first. Ask yourself these questions: Question 1: If your DMS was suddenly unavailable, could you
More informationBCP (Business Continuity Plan)
(Translation) BCP (Business Continuity Plan) September 26, 2008 Tokyo Financial Exchange Inc. Tokyo Financial Exchange Inc. ( TFX ) has been committed in establishing a system which ensures stable and
More informationSCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards
SCADA Compliance Tools For NERC-CIP The Right Tools for Bringing Your Organization in Line with the Latest Standards OVERVIEW Electrical utilities are responsible for defining critical cyber assets which
More informationAttachment G.18. SAPN_PUBLIC_IT Enterprise Information Security Business Case Step Change. 03 July, 2015
Attachment G.18 SAPN_PUBLIC_IT Enterprise Information Security Business Case Step Change 03 July, 2015 Table of contents 1 Executive summary... 3 2 SA Power Networks Original Proposal... 11 2.1 Summary...
More informationChallenges in Industrial IT-Security Dr. Rolf Reinema, Head of Technology Field IT-Security, Siemens AG Siemens AG 2015. All rights reserved
Siemens AG - Corporate Technology - IT Security Challenges in Industrial IT-Security Dr. Rolf Reinema, Head of Technology Field IT-Security, Siemens AG Siemens AG 2015. All rights reserved Not a single
More informationA 360 degree approach to security
June 2012, issue 1-1 SCADA communications A 360 degree approach to security Contents 1. The need for 360 degree security 2 2. Considerations in a 360 degree approach 3 3. Implementing a 360 degree approach
More informationThe Internet of Things (IoT) and Industrial Networks. Guy Denis gudenis@cisco.com Rockwell Automation Alliance Manager Europe 2015
The Internet of Things (IoT) and Industrial Networks Guy Denis gudenis@cisco.com Rockwell Automation Alliance Manager Europe 2015 Increasingly Everything will be interconnected 50 Billion Smart Objects
More informationICT Disaster Recovery Plan
7 Appendix A ICT Disaster Recovery Plan Definition of a Disaster A computer disaster is the occurrence of any computer system or associated event which causes the interruption of business, leading in the
More informationICT & Communications Services Disaster & Recovery Plan
ICT & Communications Services Disaster & Recovery Plan Advanced IT Services with George Spencer Academy www.aitn.co.uk Advanced IT Services - Arthur Mee Road, Stapleford, Nottingham. NG9 7EW Email: info@advanceditservices.co.uk
More informationWhich cybersecurity standard is most relevant for a water utility?
Which cybersecurity standard is most relevant for a water utility? Don Dickinson 1 * 1 Don Dickinson, Phoenix Contact USA, 586 Fulling Mill Road, Middletown, Pennsylvania, USA, 17057 (*correspondence:
More informationEnergy Cybersecurity Regulatory Brief
Energy Understand the regulations that impact the energy industry and accelerate information security initiatives. Contents Overview 3 A Highly Vulnerable Energy Industry 4 Key Regulations to Consider
More informationMECOMS Customer Care & Billing As A Service
MECOMS Customer Care & Billing As A Service MECOMS As A Service. Your pay as you grow meter-to-cash solution. Introducing MECOMS As A Service, an innovative customer management and billing solution for
More informationComputer System Security Updates
Why patch? If you have already deployed a network architecture, such as the one recommended by Rockwell Automation and Cisco in the Converged Plantwide Ethernet Design and Implementation Guide (http://www.ab.com/networks/architectures.html),
More informationIs Penetration Testing recommended for Industrial Control Systems?
Is Penetration Testing recommended for Industrial Control Systems? By Ngai Chee Ban, CISSP, Honeywell Process Solutions, Asia Pacific Cyber Security Assessment for Industrial Automation Conducting a cyber-security
More informationDeltaV System Cyber-Security
January 2013 Page 1 This paper describes the system philosophy and guidelines for keeping your DeltaV System secure from Cyber attacks. www.deltav.com January 2013 Page 2 Table of Contents Introduction...
More informationSETTING UP AND USING A CYBER SECURITY LAB FOR EDUCATION PURPOSES *
SETTING UP AND USING A CYBER SECURITY LAB FOR EDUCATION PURPOSES * Alexandru G. Bardas and Xinming Ou Computing and Information Sciences Kansas State University Manhattan, KS 66506 bardasag@ksu.edu, xou@ksu.edu
More informationAdvancing Cyber Security Using System Dynamics Simulation Modeling for System Resilience, Patching, and Software Development
Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC) 3 12 February 2015 Advancing Cyber Security Using System Dynamics Simulation Modeling for System Resilience, Patching,
More information