The State-of-the-State of Control System Cyber Security

Similar documents
What Risk Managers need to know about ICS Cyber Security

State of the State of Control System Cyber Security

SCADA Security Training

CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

CYBER SECURITY. Is your Industrial Control System prepared?

Cyber Security nei prodotti di automazione

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

8/27/2015. Brad Schuette IT Manager City of Punta Gorda (941) Don t Wait Another Day

This is a preview - click here to buy the full publication

Holistic View of Industrial Control Cyber Security

SCADA Security: Challenges and Solutions

OPC & Security Agenda

Keeping the Lights On

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

Understanding SCADA System Security Vulnerabilities

Critical Infrastructure & Supervisory Control and Data Acquisition (SCADA) CYBER PROTECTION

Energy Cybersecurity Regulatory Brief

N-Dimension Solutions Cyber Security for Utilities

Critical IT-Infrastructure (like Pipeline SCADA systems) require cyber-attack protection

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

What is Cyber Liability

William Hery Research Professor, Computer Science and Engineering NYU-Poly

The Advantages of an Integrated Factory Acceptance Test in an ICS Environment

ICS Cyber Attacks: Fact vs. Fiction and Why it Matters

Innovative Defense Strategies for Securing SCADA & Control Systems

Protecting Organizations from Cyber Attack

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

Down the SCADA (security) Rabbit Hole. Alberto Volpatto

Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

AUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005

Security Testing in Critical Systems

Security in SCADA solutions

for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

What is Really Needed to Secure the Internet of Things?

Network Cyber Security. Presented by: Motty Anavi RFL Electronics

Verve Security Center

A 360 degree approach to security

Security Issues with Integrated Smart Buildings

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems

SIMPLIFYING THE PATCH MANAGEMENT PROCESS

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Process Solutions. Mitigating Cyber Security Risks in Legacy Process Control Systems. White Paper

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

SCADA SYSTEMS AND SECURITY WHITEPAPER

Dr. György Kálmán

Feature. SCADA Cybersecurity Framework

SCADA City of Raleigh. Martin Petherbridge, CPA, CIA Internal Audit Manager Shirley McFadden, CPA, CIA Senior Internal Auditor

Industrial Control Systems Vulnerabilities and Security Issues and Future Enhancements

The Importance of Cybersecurity Monitoring for Utilities

Roger W. Kuhn, Jr. Advisory Director Education Fellow Cyber Security Forum Initiative

May/June Integrating DCS I/O Embedded vision Multigenerational systems Mobile user interfaces Flow spotlight.

PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES

Incident Response 101: You ve been hacked, now what?

I N T E L L I G E N C E A S S E S S M E N T

DeltaV System Cyber-Security

The State of Industrial Control Systems Security and National Critical Infrastructure Protection

The Four-Step Guide to Understanding Cyber Risk

SPARKS Cybersecurity Technology and the NESCOR Failure Scenarios

Effective Defense in Depth Strategies

Integrating Electronic Security into the Control Systems Environment: differences IT vs. Control Systems. Enzo M. Tieghi

Beyond the Hype: Advanced Persistent Threats

Session 14: Functional Security in a Process Environment

Industrial Cyber Security 101. Mike Spear

Cybersecurity. Are you prepared?

CONCEPTS IN CYBER SECURITY

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Effective Use of Assessments for Cyber Security Risk Mitigation

Microsoft Technologies

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

Ernie Hayden CISSP CEH GICSP Executive Consultant

IT Security Incident Management Policies and Practices

PLC Security for Water / Wastewater Systems

67% 61% STATE OF CLOUD SECURITY BULLETIN. Information Security in the Energy Sector. Summer 2013 FROM APR SEP 2012

Securing Industrial Control Systems Secure. Vigilant. Resilient. May 2015

Ellucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant

Introduction to Cyber Security / Information Security

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

Logical Operations CyberSec First Responder: Threat Detection and Response (CFR) Exam CFR-110

Seven Strategies to Defend ICSs

SCADA/ICS Security in an.

Cyber Security Implications of SIS Integration with Control Networks

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

Information Technology Policy

Frost & Sullivan s. Aerospace, Defence & Security Practice. Global Industrial Cyber Security Trends

Capabilities for Cybersecurity Resilience

Transcription:

The State-of-the-State of Control System Cyber Security Prepared for HTCIA September 19, 2012 Joe Weiss PE, CISM, CRISC, ISA Fellow (408) 253-7934 joe.weiss@realtimeacs.com

Summary Control systems are different than IT Control system cyber forensics and logging is minimal at best so you don t know when there has been a cyber event There will probably be a cyber Pearl Harbor but you won t know it is cyber because of the lack of control system cyber forensics Cyber threats to control systems are not just the network but insecure engineering designs/features that cannot be patched (see Stuxnet and Aurora) A good attacker wanting to cause damage will go after the engineering features Securing control systems is a trade-off between performance and security where performance must win The issue is by how much It takes control system experts that understand the domain and IT experts that understand security working together to secure control systems

What are Industrial Control Systems Industrial control systems (ICSs) operate power, water, chemicals, pipelines, military systems, etc ICSs include SCADA/EMS, DCS, PLCs, RTUs, IEDs, smart sensors and drives, emissions controls, equipment diagnostics, AMI (Smart Grid), programmable thermostats, building controls, Focus is reliability and safety

Control Systems Basics Slide courtesy of Anixter Proprietary 04-2009

Where is ICS Technology Going More intelligence Intelligence moving closer to the process More interoperability With ICS and IT More networking Inside and outside the plant More on-line interactions Affecting control and safety Cyber!

ICSs are Different than IT The Internet and Microsoft are not necessarily the biggest ICS cyber threats External malicious threats are not necessarily the biggest concerns Firewalls and VPNs may not be adequate IDS will probably not identify ICS attacks Field devices have been hacked Default passwords and backdoors are not uncommon Many ICSs have hardware configurations that are cyber vulnerable and cannot be patched or fixed Patching is difficult and can have unintended consequences Cyber forensics and logging may not exist

What has happened recently Brazilian control system network infections Russian Sayano Shushenskaya Dam failure ExxonMobil Yellowstone River gasoline pipeline break China bullet train crash BART computer failure San Bruno Illinois water SCADA hack? South Houston water SCADA hack ICS metasploits now available Polish train crash Digital camera shuts down nuclear plant Asian power plant with loss of control logic Iranian paper on Stuxnet

ICS Security Expertise Lacking ICS Security Experts IT Security ICS Engineering

Cyber Incident Definition An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability (CIA) of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. (FIPS PUB 200, Minimum Security Requirements for Federal Information and Information System, March 2006.) What is important about this definition Intentional or unintentional Actual or potential compromise of CIA Violation or imminent threat to CIA Why care about unintentional If it can be done unintentionally, it can probable be done intentionally

Turbine overstress due to systems incompatibility

Complete loss of all DCS logic with plant at power

Broadcast storm shutting down main coolant pumps

Forced scram due to unknown interconnections

Pipeline Ruptures June 1999 Bellingham, WA September 2010 San Bruno, CA

DC Metro Train Crash

Possible Aurora Attack Aurora Demonstration - INL Iranshahr Power Plant - Iran Common thread- Coupling failures

What Needs to be Done Obtain senior management buy-in Include security as part of the design basis Understand what you have and that it is a lifecycle issue Recognize potential reliability and safety issues with digital systems Treat plant security as an engineering issue, not a compliance game Include IT and operations as a team

Conclusions Can not fully secure ICSs Worry about intentional and unintentional Need to be able to recover Threats are real Lack of forensics complicates root cause analysis Need appropriate knowledge and coordination Security needs to be considered This isn t IT but we need IT

Why attend the conference? Learn details of the most recent control system cyberincidents, from people on the front-lines, Exchange best practices with peers and control system users from various industries, Become part of the solution by analyzing root-causes and working with vendors to resolve them, Expand your network of industrial control system users and solution providers. A unique and much-needed event The conference is focused on the specific cyber-security challenges of industrial control systems. In recent years, hopes of achieving security through obscurity and isolation were dashed by the increased connection of control systems to the internet and contagion from outside elements such as USB thumb-drives. Control systems differ from IT systems in key aspects communication protocols & OS, memory & processing capacity, accessibility, lifespan as well as in their purpose and priorities physical world interaction, availability above all else, etc. Despite those differences, cyber-security discussions lump ICSs into Enterprise and Cloud IT and as a result, ill-fitting security processes and products leave large parts of these particular, complex and impactful systems exposed. The conference pursues three objectives: To inform, through the sharing of cyber-vulnerability accounts, in the trusted setting of the conference. To explain, by analyzing adverse events on ICSs and understanding the interaction of their components To improve the status quo, by allowing users to be informed and discuss their needs with vendors of control systems and of security solutions in a constructive environment. More information and registration at www.icscybersecurityconference.com Applied Applied Control Control Solutions Solutions Proprietary Proprietary Information Information 19

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information