What Risk Managers need to know about ICS Cyber Security
EIM Risk Managers Conference
February 18, 2014
Joe Weiss PE, CISM, CRISC, ISA Fellow
(408) 253-7934
joe.weiss@realtimeacs.com

ICSs: What are they and where are they used
- ICSs are critical to operating industrial assets including power, refineries, pipelines, chemicals, manufacturing, water, military systems, medical systems, etc.
- ICSs include Distributed Control Systems (DCS), Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), Intelligent Electronic Devices (IEDs)
- ICSs monitor and control physical processes in real time
- Focus is reliability and safety

Brief History of ICS
- 20 years ago: Isolated systems, with non-networked cyber dumb devices
- 10 years ago: Emergence of network integration, with more capable intelligent cyber-vulnerable devices
- Today: Combination of modern, integrated networks interoperating with legacy systems creating increasingly cyber-vulnerable networks
- 10 years from now: Who knows? Expect further convergence of networked legacy, intelligent, and newer technologies, with even more cyber vulnerability

Control Systems Basics
[Figure: diagram with labels Internet, ERP, MES, Data Warehouse, Support Systems]

Big Push for Smart Grid
[Figure: diagram with labels Utility Back Office, Communications Servers, Remote Access, My focus, Customer Premise, Utility Substation, AMI Meter, SCADA]

Why is there so Little Understanding of ICS Cyber Security
- ICSs are not mainstream
- Culture issues between Operations, IT, and Forensics
- Lack of understanding by IT and Forensics
- Minimal ICS cyber forensics or logging
- Don't know when an event can be cyber

ICS Security Expertise Lacking
[Figure: diagram with labels ICS Security Experts, IT Security, ICS Engineering]

What is a Cyber Incident
- Cyber Incident - An occurrence that actually or potentially jeopardizes the Confidentiality, Integrity, or Availability (CIA) of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. Incidents may be intentional or unintentional. (FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006.)
- What is important about this definition
  - Intentional or unintentional
  - Actual or potential compromise of CIA
  - Violation or imminent threat to CIA

What are the Limitations of ICS Cyber Security
- ICSs are resource-limited, purpose-built systems designed to accomplish specific tasks in a safe, reliable manner for many years
- IT cyber security technologies generally are not resource limited and expect to be changed frequently
- Protecting ICSs takes rocket science to not impact performance
- It is expected that a well-designed ICS cyber security program can protect ICSs from unintentional and intentional threats that are not at the targeted nation-state level. That is, you can't protect against a Stuxnet-like attack; you need to be able to detect it and have appropriate recovery mechanisms in place.

ICS Cyber Security Concerns
- For ICS it is Mission Assurance not Information Assurance
- System of Systems
- Existing policies and technologies may not be adequate
- ICS cyber logging and forensics may not be adequate
- Physical impacts
  - Destroy equipment
  - Environmental spills
  - Personal safety
- Duration
  - Many months
- Cascading impacts
  - One industry can affect other industries

Cyber Breach Discovery
- Target hack - what does that mean to ICSs
- Ostensibly had significant cyber security
- Came from external connection
- From Mandiant - average time to discover a cyber breach on the enterprise network is 416 days - what does this mean to ICSs
- All systems had updated security software and followed recommended procedures

ICS Cyber Threats are Real
- >325 actual ICS cyber incidents to date
- Ranged from significant discharges to significant equipment damage to deaths
- Very few ICS-specific cyber security technologies, training, and policies
- >1,000,000 ICS devices directly connected to the Internet (and counting)

What has Happened Recently
- ICS honeypot
- Loss of control of a turbine
- BART computer failure affecting train operation
- Israeli tunnel hack
- Iranian Stuxnet paper and translation of Project Shine
- Project Shine discoveries
- Utility test beds
- New Aurora testing and hardware mitigation programs
- Continuing issues:
  - IT and ICS disconnect
  - Lack of security focus by many in the ICS community
  - Disclosure issues

Legislation, Regulation, Standards
- NERC CIPs V3 and V5 (non nuclear)
- NEI 08-09, Regulatory Guide 5-71 (nuclear)
- Executive Order (NIST) Framework
- ISA99 (ICS Cyber security standards)
- Several bills being introduced

What does this mean to NERC CIP
- NERC CIP is compliance-based
- NERC CIP has numerous exceptions to eliminate most utility assets
- NERC CIPs would not have prevented major grid cyber incidents that have already occurred

Risks to Consider
- Olympic Pipeline company declared bankruptcy
- PG&E spent >$590 million to date on San Bruno (similar situation to Olympic Pipeline)
- Loss of control of turbine connected to major industrial installation
- Aurora affects EVERY electric substation
- Already been 4 major cyber-related outages in the US
- NERC advisories and Lessons Learned are not adequately addressing cyber
- Inadequate risk assessments
- Inadequate ICS cyber security training and awareness

What Needs to be Done
- Senior management acknowledge and address the problem
- ICS, IT Security, and Forensics work together
- Technology changes
  - Improve security of legacy ICSs
  - New ICSs with security as part of initial design
- Policy and other changes
  - Resilience and recovery
  - ICS cyber security training
  - Appropriate information sharing
  - Appropriate insurance coverage
  - Demonstrations (Utility test beds)

Utility Test Bed
- Utility with typical legacy systems (generation, substations, SCADA) from multiple vendors
- Utility test bed to evaluate ICS cyber security technologies for impacts on ICS performance and overall system reliability
- Utility test bed to document results and provide lessons learned
- Utility test bed to develop training for secure systems
- What needs to be done beyond what is already being done

What should you take from this
- ICS cyber is real
- It is not clear what is a cyber incident
- Cyber incidents have real costs
- You need to make sure your ICS cyber assessments are adequate and complete
- Cyber can affect keeping lights on from 2 aspects
  - Malicious threat
  - Unintentional that often comes from trying to keep the bad guys out

What should you ask
- How will you identify your mission critical control system assets?
- What will you do about procuring more secure control systems?
- How will you address training and awareness specifically for your control system assets?
- How will you perform outreach on ICS cyber security inside your company and to your customers and suppliers?

Conclusions
- ICSs are cyber vulnerable
- ICS cyber security is a major risk to your mission and your bottom line
- Need to assure insurance is appropriate to the risk
- Stuxnet made ICSs a legitimate target
- Securing ICSs requires ICS-specific approaches
- Appropriate training and certification

Mark your calendar for the 14th ICS Cyber Security Conference, week of October 20th at Georgia Tech in Atlanta
www.icscybersecurityconference.com