Keeping the Lights On

Keeping the Lights On Fundamentals of Industrial Control Risks, Vulnerabilities, Mitigating Controls, and Regulatory Compliance

Learning Goals
o Understanding definition of industrial controls
o Understanding differences between traditional IT networks vs. industrial control networks
o Understanding risks and mitigating controls associated with industrial controls
o Understanding regulatory compliance and service resilience

What is Industrial Control?

Industrial Control Defined
o A system that controls a process
o Industrial Control System: traditionally a general term defining several types of control systems used in industrial production
  o Distributed Control System (DCS)
  o Supervisory Control and Data Acquisition System (SCADA)
  o Remote Terminal Units (RTU)
  o Programmable Logic Controllers (PLC)

Why learn about this topic?
o Industrial controls are pervasive!
  o Utilities
  o Factories
  o Automobiles
  o Military
  o Data Centers
  o Appliances
o Industrial controls are being networked like traditional IT networks.

Industrial Controls that might Surprise You
o Environmental controls in your data center
o Missiles launched by the military
o Assembly line controller in a factory
o SCADA systems at utilities
o Gasoline pumps at a convenience store

T-shirt Question
Can you name an industrial control or application I have not already mentioned?

National Critical Infrastructures
o Chemical
o Commercial Facilities
o Communications
o Critical Manufacturing
o Dams
o Defense Industrial Base
o Emergency Services
o Energy
o Financial Services
o Food and Agriculture
o Government Facilities
o Healthcare and Public Health
o Information Technology
o Nuclear Reactors, Materials, and Waste
o Transportation Systems
o Water and Wastewater Systems

Get Involved
o Join a Cyber Security or Physical Security Working Group in your Sector.
  o https://www.dhs.gov/critical-infrastructure-sectors
o Join an Information Sharing Analysis Center (ISAC) in your industry.
  o http://www.isaccouncil.org/memberisacs.html
  o http://itlaw.wikia.com/wiki/information_sharing_and_analysis_center

What's important in the industrial space
o Life Safety is foremost.
o Reliability is a close second.
o Integrity and Availability are primary.
o Confidentiality is secondary or not important at all.

What can happen
o Cyber Security failures have the potential to cause physical consequences.
o Cyber Security issues can arise out of supply chain relationships.
o Human decisions can cause devastating consequences.
o Productivity can be affected.

Cyber Security Implication: Physical Consequences
o Electric Power Blackouts
  o September 2007 cyber attack in Brazil
  o 2003 Northeast blackout
  o 1999 Southern Brazil blackout
  o 1965 Northeast blackout
o 1979 Three Mile Island Nuclear Plant Accident
o 2000 Maroochy Shire cyber event
o 2007 Aurora Generator Test
o 2009 Stuxnet
o 2010 San Bruno natural gas pipeline explosion

Look what happens when

Supply Chain Cybersecurity
o Google's headquarters in Sydney, Australia was breached due to a building management vendor.
o Researchers discovered that they could breach the circuit breakers of a Sochi Olympic arena through their HVAC supplier.
o Watering hole attack on a major oil company's network.
o Major retailer breach due to a relationship with an HVAC vendor.

What makes an Industrial Control System fragile?
o COTS
o Microsoft Windows
o Use of specialized communications protocols
  o Modbus
  o DNP3 (Distributed Network Protocol)
  o OPC (Open Platform Communications, formerly known as OLE for Process Control)
o Manufacturers deviating from RFC
o Poor software design

Survey of Specialized Communications Protocols

Modbus
o Open protocol standard
o Moves raw bits or words without placing many restrictions on vendors.
o The TCP/IP packet may look perfectly normal, but the Modbus frame could be crafted to carry malicious code.
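The Modbus point above, as an added example that is not part of the original presentation: a Python check of the kind a protocol-aware firewall applies to Modbus/TCP requests, looking past the TCP/IP headers at the Modbus frame itself. The read-only function-code policy and the sample frames are assumptions constructed for illustration.

```python
import struct

# Assumed site policy for this example: the monitored link is read-only.
# function code -> maximum quantity the Modbus specification allows per request
ALLOWED = {1: 2000, 2: 2000, 3: 125, 4: 125}

def inspect_request(adu: bytes) -> list:
    """Return findings for one Modbus/TCP request ADU; an empty list means it passes."""
    if len(adu) < 8:
        return ["truncated: no room for MBAP header and function code"]
    findings = []
    # MBAP header: transaction id, protocol id, length, unit id (big-endian)
    _tid, proto, length, _unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        findings.append(f"protocol id {proto} is not Modbus (0)")
    # The length field counts every byte after itself (unit id + PDU)
    if length != len(adu) - 6:
        findings.append(f"length field {length} != actual {len(adu) - 6}")
    if len(adu) > 260:
        findings.append("ADU exceeds the 260-byte Modbus/TCP maximum")
    fc, body = adu[7], adu[8:]
    if fc not in ALLOWED:
        findings.append(f"function code {fc} not allowed by read-only policy")
    elif len(body) != 4:
        findings.append(f"read request body is {len(body)} bytes, expected 4")
    else:
        _start, qty = struct.unpack(">HH", body)
        if not 1 <= qty <= ALLOWED[fc]:
            findings.append(f"quantity {qty} outside 1..{ALLOWED[fc]}")
    return findings

# Constructed sample frames (not captured traffic)
SAMPLES = {
    "read 10 holding registers": bytes.fromhex("00010000000601030000000a"),
    "write single register": bytes.fromhex("0002000000060106000100ff"),
    "read with trailing bytes": bytes.fromhex("00030000000601030000000adead"),
    "read 200 holding registers": bytes.fromhex("0004000000060103000000c8"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name}: {inspect_request(frame) or 'pass'}")
```

All four sample frames would ride in ordinary TCP segments to port 502; only inspection of the Modbus header and PDU separates the one that passes from the three that do not.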

DNP3
o An Open Standard
o Designed to be reliable but not secure.
o The header may look perfectly normal, but the data payload could be crafted to carry malicious code.
o No authentication mechanism in basic DNP3.
o Secure DNP3

OPC
o Based on the OLE, COM, and DCOM technologies developed by Microsoft.
o Any vulnerabilities in these technologies are carried into this protocol.
o OPC is firewall unfriendly because OPC servers dynamically assign TCP ports.
o DCOM and RPC are extremely complicated protocols that can be translated into attack surfaces for malicious actors.
o OPC is complicated to set up, so some vendors leave exposures in their products.

IT Cyber Security vs. OT Cyber Security

IT Cyber Security vs. OT Cyber Security - Performance Requirements Source: Derived from the NIST 800-82 Standard

IT Cyber Security vs. OT Cyber Security - Availability Requirements Source: Derived from the NIST 800-82 Standard

IT Cyber Security vs. OT Cyber Security - Risk Management Requirements Source: Derived from the NIST 800-82 Standard

IT Cyber Security vs. OT Cyber Security - Change Management Requirements Source: Derived from the NIST 800-82 Standard

IT Cyber Security vs. OT Cyber Security - Unintended Consequences Requirements Source: Derived from the NIST 800-82 Standard

Regulatory Compliance Survey

Regulatory Compliance - Electric
o North American Electric Reliability Corporation (NERC)
o Transmission and Generation
o Critical Infrastructure Protection (CIP) v3
o Requirements CIP-002 to CIP-009
  o CIP-003 Security Management Controls
  o CIP-005 Electronic Security Perimeter(s)
  o CIP-007 Systems Security Management
o CIP v5 is approved and is in effect April 2016 for all High and Medium Assets and April 2017 for Low Assets.

Regulatory Compliance - Oil and Natural Gas
o US Department of Transportation in conjunction with US Department of Homeland Security's Transportation Security Administration (TSA)
o TSA wrote the Pipeline Security Guidelines and published them in April 2011.
o Section 7 Cyber Asset Security Measures
  o Baseline Cyber Security Measures
  o Enhanced Cyber Security Measures
o TSA performs audits and reports results to US DOT.
o US DOT enforces regulation and levies fines.

Regulatory Compliance - Dams
o Federal Energy Regulatory Commission (FERC) has jurisdictional authority, granted by Congress, over non-public hydroelectric dams and facilities.
o Provides cyber security guidelines
o Cannot levy fines but can stop a company from selling electricity produced by the hydroelectric facility

Regulatory Compliance - Chemical
o US Department of Homeland Security developed and released the Chemical Facility Anti-Terrorism Standards (CFATS) in 2007.
o Risk-Based Performance Standards (RBPS)
o RBPS8 covers cyber security requirements.
o RBPS address two primary risks.
  o Sabotage
  o Diversion
o Heavy fines
  o Divulging information about a CFATS tiered facility
  o Divulging information about Security Plans and Procedures
  o Not meeting RBPS requirements

Avoid Cyber Security Misconceptions
o Avoid the Air Gap Myth
o We have a firewall!
o We're just a small company, we're not a target

Shodan
o An industrial control system and network search engine
o http://www.shodanhq.com/

Shodan

Netsecuris
o A leading Managed Security Service Provider specializing in protecting Industrial Control, Financial Services, Healthcare, and Government network environments.
o Contact Information
  o Leonard Jacobs, MBA, CISSP
  o President/CEO
  o sales@netsecuris.com
  o 952-641-1421

Questions and Answers
Thank you