College of Technology
A recipe for success
Securing Control Systems
- Must utilize security principles
- Must recognize system constraints
- Must understand system components
Recent Paths
- Ad Hoc
  - Insert specific magic pixie dust here
- Reuse IT guidance
  - It is an IT system after all (NOT)
- Tie to NIST or 20 top controls
- Combinations
  - A little of each of the above
What is wrong with?
- A structured approach, like we have used for all preceding efforts, tailored to Control Systems
- Hard
- Requires cooperation between control systems and IT security
- Only real path to success
Why IT best practices don't work out of the box
- Top 20 security controls
- Designed on premise of elements available in IT
  - Authentication
  - Access Control
  - Automation
- Designed for modern IT, not legacy anything
Basic Approach
- Not a new method, we have done this before
- Basis for all solid original solutions
- Avoids the church of appliancology
- Built on security and system fundamentals
- Solution is one you control
Steps
- Systems
- Network
- Data flows
- Processes, People and Technology
- Management
Security
- Security is defined by objectives, not rules
- Rules are used to achieve objectives
Threat Modeling
- Structured assessments of all threats
- Communication tool to evaluate all threats and mitigations
- Utilizing Data Flows...
Data Flows
- What data goes where
- Network architectures do that
A beginning
- Who needs to talk to whom?
  - HMI
  - Historian
  - OPC
  - PLCs
  - Engineering Workstation
  - Corporate data needs
News Flash
- In today's world we don't get to control who is on the network
Network Ins and Outs
- Define what should come in
- Define what should go out
- Use firewalls designed for control systems
- Block everything else (explicit deny)
- Use an IDS to detect any variations
Quiz: Network Architectures
Network architectures exist to:
A. Provide something for network architects to do
B. Enable hyperconnectivity, allow everything to talk to everything
C. Enforce security objective related communications
D. Give meaning to all the wires connecting things
Network Architectures
Think locally, not globally
- Global addressing is an unacceptable risk
- Define zones and conduits
- Define who needs to talk with whom
- Must have accurate network map of all connections
- Physical security
- Audit for correctness/rogue connections
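
Added example, not part of the original slides: one way to turn "define what should come in and go out, block everything else, audit for rogue connections" into a check of observed flows against zones and conduits. The zone names follow the components listed on the slides; every subnet, port, address and flow record is a constructed sample, and treating intra-zone traffic as allowed is an assumption.

```python
import ipaddress

# Zones named after the components on the slides; every subnet is a constructed sample.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "historian_dmz": ipaddress.ip_network("172.16.5.0/24"),
    "supervisory": ipaddress.ip_network("192.168.10.0/24"),  # HMI, OPC, engineering workstation
    "control": ipaddress.ip_network("192.168.20.0/24"),      # PLCs
}

# Conduits: the only cross-zone flows allowed, as (src zone, dst zone, protocol, port).
# Ports are illustrative assumptions (502 is Modbus/TCP). Conduits are directional.
CONDUITS = {
    ("supervisory", "control", "tcp", 502),
    ("supervisory", "historian_dmz", "tcp", 443),
    ("corporate", "historian_dmz", "tcp", 443),
}

def zone_of(ip):
    """Map an address to its zone, or None if it is missing from the network map."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def check_flow(src, dst, proto, port):
    """Explicit deny: a cross-zone flow passes only if a conduit names it."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny", "endpoint not on the network map"
    if src_zone == dst_zone:
        return "allow", f"intra-zone ({src_zone})"  # assumption: no filtering inside a zone
    if (src_zone, dst_zone, proto, port) in CONDUITS:
        return "allow", f"conduit {src_zone}->{dst_zone} {proto}/{port}"
    return "deny", f"no conduit {src_zone}->{dst_zone} {proto}/{port}"

def audit(flows):
    """Return the observed flows that deviate from the defined ins and outs."""
    checked = ((flow, check_flow(*flow)) for flow in flows)
    return [(flow, reason) for flow, (verdict, reason) in checked if verdict == "deny"]

# Constructed flow records, e.g. as summarized from firewall or IDS logs.
OBSERVED = [
    ("192.168.10.21", "192.168.20.5", "tcp", 502),  # HMI polls PLC
    ("10.10.4.77", "172.16.5.10", "tcp", 443),      # corporate reads historian
    ("10.10.4.77", "192.168.20.5", "tcp", 502),     # corporate host reaching a PLC
    ("192.168.20.5", "203.0.113.9", "tcp", 443),    # PLC talking to an unmapped address
]

if __name__ == "__main__":
    for flow, reason in audit(OBSERVED):
        print("ALERT", flow, reason)
```

The same conduit table can drive both the firewall rule set and the IDS alerting, so the enforced policy and the audited policy cannot drift apart.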
Controlling Ins and Outs
Mediate all ins and outs
- Firewalls (must be control system cognizant)
- Unidirectional gateways (when high security matters)
- IDS (employ to see who is actually talking)
- Monitor and audit
- Loss Prevention
  - How do we know if data is leaving the system?
- Accounts are not a panacea
  - Should the CFO be able to perform critical transactions from the lobby?
Devices
- Inventory of all devices
- Only authorized code runs
- Software and versions (dependencies)
- Whitelisting
- Configuration Control
- No default passwords
- Services and ports
Devices (continued)
- Access control: define even if you can't enforce
- Admin privilege control
- Harden everything
- Anti-virus
- USBs: power only
- Physical access control
- Backups
- Logs: collect and review
Systems
- Configuration Control
- Updates and patching
- No default passwords
- No unnecessary services, ports or apps
- Only authorized code runs
- Software and versions (dependencies)
- Whitelisting
- Auditing
Systems (continued)
- Access control: define even if you can't enforce
- Admin privilege control
- Harden everything
- Anti-virus
- USBs: power only
- Physical access control
- Backups
- Logs: collect and review
Why software matters
- Know all systems and dependencies
- Heartbleed
- Bash
Policies, Procedures and People
- These govern:
  - IT
  - Control systems
  - All work for that matter
- They should differ between IT and Control System security functions
- Details matter here
Specific policies and Procedures
- Configuration management
- Specific to control systems, not IT systems
- Updates and patches
- No defaults
- Incident Response posture
- DRP/BCP for the control system
- Training
- Audits/pen tests
People
- Control system people are from Mars
- IT security people are from Venus
- Would a sysadmin do X on a critical system?
- Would a control system engineer even know?
Management
- Support risk based security
- Controls system resources
- Control system cybersecurity operations
- Culture is everything
- Think Target, Home Depot
- And not enough JP Morgan Chase
- Plans for when fail comes to your doorstep
Recap
- Your system, you defined it as critical
- Understand it
- Understand its implications
- Own it, control it
- Details matter
What matters
- Network
- Devices
- Systems
- Policies and procedures
- Management
- This is how we have been securing systems since day 1
Questions
Contact: Art Conklin, College of Technology, waconklin@uh.edu
We are Technology