Rethinking Cyber Security for Industrial Control Systems (ICS)

Transcription

1 Rethinking Cyber Security for Industrial Control Systems (ICS) Bob Mick VP Emerging Technologies ARC Advisory Group 1

2 Rethinking Cyber Security We Now Have Years of Experience - Security is Complex Are we on the Right Track? What are the Emerging Opportunities? Are We Investing in the Right Security Activities? 2

3 Introduction Cyber Security Services Certification and Testing Panel (30 minutes) Energy Industry Roadmap Break Chemical Industry Roadmap Panel (30 Minutes) 3

4 What Stimulates Cyber Security Activity? For Industrial Control Systems (ICS) Risk Management Business: Safety, Environmental, Reliability, Financial National: Terrorism, Rapidly emerging Cyber Warfare Regulation & Compliance (Must Do) Government, Customers, Partners, Suppliers Cost Reduction People & Infrastructure Skills & Practices Cyber Security is a National, Business and Personal Issue 4

5 Risk Management - A Fundamental Driver Risk Escalation is Real and Continuing Cyber Warfare Viruses More Integration More Connectivity Diverse Sophisticated Combination Attacks Criminals & Insider Th Threats t Businesses Will Get More Help in Defining Risk 5

6 Address National Level Risks US Department of Homeland Security and Friends Sector Specific Agencies Chemical SSA NERC CIP Energy DHS is Driving Industry Specific Activities 6

7 The Penalty for Not Complying (in the US) Required Practices, Reporting, Responding, Violations Energy Chemicals Up to $25,000/day ~$750,000/Month S Source: CFATS Mi Minutes t y y Practices are Not Good Cyber Security Optional for Critical Infrastructure Industries 7

8 Security Is Not a One-time Investment Practices are Maturing - It Is Difficult Skills Shortage? New Business Initiatives Acquisitions Partners Regulations Cost Pressures Applications Systems New Technologies Architectures Practices Design Assess Renovate Audit Test Monitor Mitigate Adapt New Vulnerabilities Threats Patches People Organizations Governments Cyber Security is a Very Dynamic Activity Continued Investment is Required 8

9 The Cost of Cyber Security is Significant Various IT Analysts Estimates of Global IT Spend Global IT Spend $1.5-3 trillion Security (3-6%) ~$120 billion Business Systems Operations Management Remote Users Engineering Automation Laboratories Manufacturing and Utilities $600 billion Security Includes Hardware Software Services For Servers, networking, security appliances, laptops, desktops Applications, technology platform, monitoring Consulting, design All Corporate IT and some of Engineering, Labs, Operations ~$25 billion Does not Include Hardware Control Systems, embedded system Software Automation software, DCS, PLC, HMI, SCADA Services Systems Integration, consulting, managed services... for Industrial Control Systems Big IT Spend Big Security Spend Big Losses 9

10 Explore a Few of Today s Opportunities ARC Advisory Group Forum 2010 This afternoons Topics Day 2 - Tuesday Afternoon - Track 4 10

11 Opportunity: Utilize Security Services External Resources Objectives Cut costs, Cut risks, Improve Security Audit Design Assess Activity Assessments Design Practices for ICS Help readily available Commonly outsourced Monitor Renovation Commonly outsourced Mitigate Operation Seldom outsourced Adapt Auditing Should be outsourced Renovate Tom Good, DuPont Perspective 11

12 Security Certification and Testing Know That You Are Secure And Remain Secure Objective Improve Security, Avoid Deterioration Strengthen ICS Components Verify System Effectiveness Activity Define Standards Certification Robustness Testing Systems Testing Practices for ICS Standards bodies Independent Organizations Test Tools and Services Penetration Testing Patch Testing Problem of Timing Johan Nye, ExxonMobil Perspective 12

13 Opportunity: Cross Industry Sharing Industry Activities, Government Activities Objectives Leverage practices and experiences Accelerate progress and avoid duplication p of efforts Keith i h Stouffer, ff NIST Eric Cosman, Dow 18 Critical Infrastructure Industries 13

14 Let s Get Started For more information, contact [email protected] or visit 14

15 Security In Manufacturing, Utilities Business, Engineering, Laboratories Business Systems ERP, SCM, CRM, EAM, BI Lab Systems, Engineering Systems Remote Access Networking Software Servers Business Systems Remote Users Operations Management Networks Intelligences, Analytics, Integration Historians, Recipe Management, User Interface Networks HMI DCS Trending SCADA Operations Management Engineering Automation Systems Network Unit Controllers, PLCs, Devices Automation Laboratories Network Model Security Zone Model Simple Operations-Centric Perspective 15