College of Technology

College of Technology

A recipe for success Securing Control Systems Must utilize security principles Must recognize system constraints Must understand system components

Recent Paths Ad Hoc Insert specific magic pixie dust here Reuse IT guidance It is an IT system after all (NOT) Tie to NIST or 20 top controls Combinations A little of each of the above

What is wrong with? Securing Control Systems A structured approach, like we have used for all preceding efforts tailored to Control Systems Hard Requires cooperation between control systems and IT security Only real path to success

Why IT best practices don t work out of the box Top 20 security controls Designed on premise of elements available in IT Authentication Access Control Automation Designed for modern IT, not legacy anything

Basic Approach Securing Control Systems Not a new method, we have done this before Basis for all solid original solutions Avoids the church of appliancology Built on security and system fundamentals Solution is one you control

Steps Systems Network Data flows Processes, People and Technology Management

Security Security is defined by objectives, not rules Rules are used to achieve objectives

Threat Modeling Securing Control Systems Structured assessments of all threats Communication tool to evaluate all threats and mitigations Utilizing Data Flows...

Data Flows What data goes where Network architectures do that

A beginning Who needs to talk to whom? HMI Historian OPC PLCs Engineering Workstation Corporate data needs

News Flash In today s world we don t get to control who is on the network

Network Ins and Outs Securing Control Systems Define what should come in Define what should go out Use firewalls designed for control systems Block everything else (explicit deny) Use an IDS to detect any variations

Quiz Network Architectures Network architectures exist to: A. Provide something for network architects to do

Quiz Network Architectures Network architectures exist to: A. Provide something for network architects to do B. Enable hyperconnectivity allow everything to talk to everything

Quiz Network Architectures Network architectures exist to: A. Provide something for network architects to do B. Enable hyperconnectivity allow everything to talk to everything C. Enforce security objective related communications

Quiz Network Architectures Network architectures exist to: A. Provide something for network architects to do B. Enable hyperconnectivity allow everything to talk to everything C. Enforce security objective related communications D. Give meaning to all the wires connecting things

Quiz Network Architectures Network architectures exist to: A. Provide something for network architects to do B. Enable hyperconnectivity allow everything to talk to everything C. Enforce security objective related communications D. Give meaning to all the wires connecting things

Network Architectures Think locally, not globally Securing Control Systems Global addressing is an unacceptable risk Define zones and conduits Define who needs to talk with whom Must have accurate network map of all connections Physical security Audit for correctness/rogue connections

Controlling Ins and Outs Mediate all ins and outs Securing Control Systems Firewalls (must be control system cognizant) Unidirectional gateways (when high security matters) IDS (employ to see who is actually talking) Monitor and audit Loss Prevention How do we know if data is leaving the system Accounts are not a panacea Should the CFO be able to perform critical transactions from the lobby?

Devices Inventory of all devices Only authorized code runs Software and versions (dependencies) White listing Configuration Control No default passwords Services and ports

Devices (continued) Securing Control Systems Access control define even if you can t enforce Admin privilege control Harden everything Anti virus USBs power only Physical access control Backups Logs collect and review

Systems Configuration Control Updates and patching No default passwords No un necessary services, ports or apps Only authorized code runs Software and versions (dependencies) White listing Auditing

Systems Access control define even if you can t enforce Admin privilege control Harden everything Anti virus USBs power only Physical access control Backups Logs collect and review

Why software matters Securing Control Systems Know all systems and dependencies Heartbleed Bash

Policies, Procedures and People These govern: IT Control systems All work for that matter They should differ between IT and Control System security functions Details matter here

Specific policies and Procedures Configuration management Specific to control systems, not IT systems Updates and patches No defaults Incident Response posture DRP/BCP for the control system Training Audits/pen tests

People Controls system people are from Mars IT security people are from Venus Would a sysadmin do X on a critical system? Would a control system engineer even know?

Management Support risk based security Controls system resources Control system cybersecurity operations Culture is everything Think Target, Home Depot And not enough JP Morgan Chase Plans for when fail comes to your doorstep

Recap Your system, you defined it as critical Understand it Understand its implications Own it, control it Details matter

What matters Network Devices Systems Policies and procedures Management This is how we have been securing systems since day 1

Questions Contact Art Conklin College of Technology waconklin@uh.edu

We are Technology