Presentation is loading. Please wait.

Presentation is loading. Please wait.

Risks to Facilities and Industrial Control Systems Cambridge September 19 th 2014 Dr. Ian Buffey

Published byLarry Allton Modified over 9 years ago

Similar presentations

Presentation on theme: "Risks to Facilities and Industrial Control Systems Cambridge September 19 th 2014 Dr. Ian Buffey"— Presentation transcript:

1 Risks to Facilities and Industrial Control Systems Cambridge September 19 th 2014 Dr. Ian Buffey ian.buffey@atkinsglobal.com ian.buffey@atkinsglobal.com

2 Agenda ● Personal Introduction ● What is an Industrial Control System and why should I care? ● Evolution of control systems and their security ● Why is ICS Cyber Security difficult? ● What do you need to do to make it work? ● What impact will quantum technology have on ICS systems?

3 Personal Introduction ● Studied Chemistry and Theoretical Chemistry at Manchester ‘79-85 – Absorption of far IR by water clusters ● Quantum mechanics knowledge a little rusty now! ● Worked on Industrial Control Systems (ICS) since then – Variety of companies, industries and roles – Main focus on security since 2004

4 What are Industrial Control Systems and why should I care? 4 An equation (of sorts) ICS=SCADA=DCS=OT(Operational Technology)=Any other acronym for a control/automation system Much of the Critical National Infrastructure (CNI) we rely on daily relies on an ICS e.g. Power, water, oil and gas, transport, chemicals, pharmaceuticals Non-CNI too: Breweries, distilleries, chocolate factories, CERN If the systems controlling these processes stop, everyday life stops with it We live in an ever more interconnected world IoT has been developing for a while

5 How does ICS work? 5

6 Evolution of Control Systems 1985 – Systems mostly bespoke, running on obscure OS, isolated 1990 – COTS now significant. Drive for OT/IT connectivity. 1995 – Windows NT 3.51/4 makes it a serious contender. IP for connectivity. 2000 – Windows established. Increasing commoditization. Post 9/11 – Realization of the criticality and vulnerability of ICS

7 Typical (Simplified) ICS Lifecycle Initial specification / vendor selection Detailed Design Build (inc factory test) Commissioning (on site) Run and maintain ‘Refresh’ 1-2 years 5-15 years

8 Evolution of Control System Security ● Hard to draw a graphic showing steady evolution ● Common practice – Firewalls (between IT/OT networks, further segmentation less common) – AV on Windows systems ● Less common practice – Centralised alert logging (SEM/SIEM) – Host and/or Network IDS/IPS – System hardening – Configuration monitoring/management(including patches/updates) – Application whitelisting or other software controls – Network Access Control (NAC) – Accurate network architecture drawings and inventories – Strong governance, policies, training – More...

9 So what has been achieved? ● The short answer: “It’s patchy.” ● Security is not the new safety ● Coffee cups and hand rails ● Some companies have good programmes in place ● What does ‘good’ look like? – Security (especially architecture) has evolved over time – Budget for security (time as well as products) is available annually – There are staff who have security as at least a part of their ‘day job’ – Incidents detected, responded to, reported on, lessons are learned

10 Indications that all is not well ● Security is not part of the ‘day job’ ● Relying on heroic efforts ● Lack of involvement from stakeholders ● Security which is difficult to use or gets in the way – Anything which slows down operator actions is a risk ● Lack of security awareness amongst ‘users’

11 Why is ICS Cyber Security so difficult? ● System longevity, diversity and complexity – Threat landscape evolves more quickly than systems ● Requirement evolution ● Ecosystem complexity ● Business justification/ROI

12 Requirement Evolution ● Systems have many new requirements in their lifetimes ● Today’s systems will likely have to cope with – Wireless, Mobile devices, Virtualization, Cloud – Other things nobody has thought of yet http://www.controlengeurope.com /article/46490/Mobile-SCADA- increases-staff-efficiency-in- logistics-operation-by-15--and- cuts-support-call-costs-by-60-.aspx http://www.controlengeurope.com /article/46335/SCADA- virtualisation-delivering-real- benefits-.aspx

13 ● System Operators ● System Engineers ● Instrument Technicians ● Corporate IT ● Vendors ● System Integrators ● Outsource Providers ● Communication suppliers ● Management/Investors ICS Cyber Security Ecosystem ● Academia ● 11 UK universities ● RITICS ● Government ● Standards bodies ● Consumers

14 Business justification/ROI ● Notoriously difficult – Risk quantification very difficult – Energy companies denied insurance cover 1 ● Few attacks are ICS specific and fewer still aim to cause physical damage – Arguably Stuxnet is the only example ●Google “To kill a centrifuge” to learn more about Stuxnet ● Leaning heavily on FUD may have caused damage here ● However, a single cyber event can easily cost more than several years’ security expenditure 1. http://www.bbc.co.uk/news/technology-26358042http://www.bbc.co.uk/news/technology-26358042

15 What needs to be done to secure ICS? ● NIST think they have the answer ● Framework for Improving Critical Infrastructure Cybersecurity – 1.0 Feb 2014 ● Seems abstract unless you’ve been through the pain ● C2M2 – Cybersecurity Capability Maturity Model ● Understand that governance, training and behavioural issues are as important as technology ● ‘Mind the Gaps’ ● Integration with physical, personnel and traditional IT security is vital ● Security needs to be simple or invisible at point of use ● Learn through other people’s successes and failures across multiple verticals and geographies

16 Quantum technology and ICS systems ● Threat to PKI and possible alternative of QKD will impact ICS ● PKI may be dead at just about the time it is fully embraced by ICS ● SCADA in the cloud is on its way ● Quantum clocks could remove the reliance of ICS on GPS/NTP/radio clocks ● Anything else?

17 Questions? Dr. Ian Buffey ian.buffey@atkinsglobal.com ian.buffey@atkinsglobal.com

Download ppt "Risks to Facilities and Industrial Control Systems Cambridge September 19 th 2014 Dr. Ian Buffey"

Similar presentations

©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 25 Slide 1 Chapter 25 Process Improvement.

©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 25 Slide 1 Chapter 25 Process Improvement.
© 2013 Bradford Networks. All rights reserved. Rapid Threat Response From 7 Days to 7 Seconds.

© 2013 Bradford Networks. All rights reserved. Rapid Threat Response From 7 Days to 7 Seconds.
© 2011 IBM Corporation Improving Reliability and Making Things Cheaper to Run Tuesday 20th September James Linsell-Fraser, Senior Architect & Client Technical.

© 2011 IBM Corporation Improving Reliability and Making Things Cheaper to Run Tuesday 20th September James Linsell-Fraser, Senior Architect & Client Technical.
Facilitating a Dialog between the NSDI and Utility Companies J. Peter Gomez Manager, Information Requirements, Xcel Energy.

Facilitating a Dialog between the NSDI and Utility Companies J. Peter Gomez Manager, Information Requirements, Xcel Energy.
Top Questions Executives and Board Members Should be Asking About IT and Cloud Risks.

Top Questions Executives and Board Members Should be Asking About IT and Cloud Risks.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Enterprise security How to bring security transparency into your organization ISSA EDUCATIONAL SESSION Nicklaus Schleicher, VP Support & Customer Service.

Enterprise security How to bring security transparency into your organization ISSA EDUCATIONAL SESSION Nicklaus Schleicher, VP Support & Customer Service.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 2 Slide 1 Socio-technical Systems.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 2 Slide 1 Socio-technical Systems.
National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,
Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.

Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.
Network security policy: best practices

Network security policy: best practices
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
November 2009 Network Disaster Recovery October 2014.

November 2009 Network Disaster Recovery October 2014.
K E M A, I N C. NERC Cyber Security Standards and August 14 th Blackout Implications OSI PI User Group April 20, 2004 Joe Weiss

K E M A, I N C. NERC Cyber Security Standards and August 14 th Blackout Implications OSI PI User Group April 20, 2004 Joe Weiss
Lessons Learned in Smart Grid Cyber Security

Lessons Learned in Smart Grid Cyber Security
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
Summary Device protocols tied intimately to applications. A need to significantly reduce critical data update times. Current network bandwidth consumption.

Summary Device protocols tied intimately to applications. A need to significantly reduce critical data update times. Current network bandwidth consumption.
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Cyber Security: Now and.

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Cyber Security: Now and.
Isdefe ISXXXX-090000-1XX 5.10.2010 Your best ally Panel: Future scenarios for European critical infrastructures protection Carlos Martí Sempere. Essen.

Isdefe ISXXXX XX Your best ally Panel: Future scenarios for European critical infrastructures protection Carlos Martí Sempere. Essen.
Best Practices: Aligning Process, Culture and Tools Michael Jordan Senior Project Manager - Microsoft Consulting Services

Best Practices: Aligning Process, Culture and Tools Michael Jordan Senior Project Manager - Microsoft Consulting Services

Similar presentations

Ads by Google