Risks to Facilities and Industrial Control Systems
Cambridge, September 19th 2014
Dr. Ian Buffey

Agenda
● Personal Introduction
● What is an Industrial Control System and why should I care?
● Evolution of control systems and their security
● Why is ICS Cyber Security difficult?
● What do you need to do to make it work?
● What impact will quantum technology have on ICS systems?

Personal Introduction
● Studied Chemistry and Theoretical Chemistry at Manchester ‘79-85
  – Absorption of far IR by water clusters
● Quantum mechanics knowledge a little rusty now!
● Worked on Industrial Control Systems (ICS) since then
  – Variety of companies, industries and roles
  – Main focus on security since 2004

What are Industrial Control Systems and why should I care?
An equation (of sorts)
ICS = SCADA = DCS = OT (Operational Technology) = Any other acronym for a control/automation system
Much of the Critical National Infrastructure (CNI) we rely on daily relies on an ICS, e.g. power, water, oil and gas, transport, chemicals, pharmaceuticals
Non-CNI too: breweries, distilleries, chocolate factories, CERN
If the systems controlling these processes stop, everyday life stops with it
We live in an ever more interconnected world
IoT has been developing for a while

How does ICS work?

Evolution of Control Systems
1985 – Systems mostly bespoke, running on obscure OS, isolated
1990 – COTS now significant. Drive for OT/IT connectivity
– Windows NT 3.51/4 makes it a serious contender. IP for connectivity
– Windows established. Increasing commoditization.
Post 9/11 – Realization of the criticality and vulnerability of ICS

Typical (Simplified) ICS Lifecycle
Initial specification / vendor selection
Detailed Design
Build (inc factory test)
Commissioning (on site)
Run and maintain
‘Refresh’
Durations shown: 1-2 years, 5-15 years

Evolution of Control System Security
● Hard to draw a graphic showing steady evolution
● Common practice
  – Firewalls (between IT/OT networks, further segmentation less common)
  – AV on Windows systems
● Less common practice
  – Centralised alert logging (SEM/SIEM)
  – Host and/or Network IDS/IPS
  – System hardening
  – Configuration monitoring/management (including patches/updates)
  – Application whitelisting or other software controls
  – Network Access Control (NAC)
  – Accurate network architecture drawings and inventories
  – Strong governance, policies, training
  – More...

So what has been achieved?
● The short answer: “It’s patchy.”
● Security is not the new safety
● Coffee cups and hand rails
● Some companies have good programmes in place
● What does ‘good’ look like?
  – Security (especially architecture) has evolved over time
  – Budget for security (time as well as products) is available annually
  – There are staff who have security as at least a part of their ‘day job’
  – Incidents detected, responded to, reported on, lessons are learned

Indications that all is not well
● Security is not part of the ‘day job’
● Relying on heroic efforts
● Lack of involvement from stakeholders
● Security which is difficult to use or gets in the way
  – Anything which slows down operator actions is a risk
● Lack of security awareness amongst ‘users’

Why is ICS Cyber Security so difficult?
● System longevity, diversity and complexity
  – Threat landscape evolves more quickly than systems
● Requirement evolution
● Ecosystem complexity
● Business justification/ROI

Requirement Evolution
● Systems have many new requirements in their lifetimes
● Today’s systems will likely have to cope with
  – Wireless, Mobile devices, Virtualization, Cloud
  – Other things nobody has thought of yet
/article/46490/Mobile-SCADA-increases-staff-efficiency-in-logistics-operation-by-15--and-cuts-support-call-costs-by-60-.aspx
/article/46335/SCADA-virtualisation-delivering-real-benefits-.aspx

ICS Cyber Security Ecosystem
● System Operators
● System Engineers
● Instrument Technicians
● Corporate IT
● Vendors
● System Integrators
● Outsource Providers
● Communication suppliers
● Management/Investors
● Academia
● 11 UK universities
● RITICS
● Government
● Standards bodies
● Consumers

Business justification/ROI
● Notoriously difficult
  – Risk quantification very difficult
  – Energy companies denied insurance cover 1
● Few attacks are ICS specific and fewer still aim to cause physical damage
  – Arguably Stuxnet is the only example
    ● Google “To kill a centrifuge” to learn more about Stuxnet
● Leaning heavily on FUD may have caused damage here
● However, a single cyber event can easily cost more than several years’ security expenditure
1.

What needs to be done to secure ICS?
● NIST think they have the answer
● Framework for Improving Critical Infrastructure Cybersecurity – 1.0 Feb 2014
● Seems abstract unless you’ve been through the pain
● C2M2 – Cybersecurity Capability Maturity Model
● Understand that governance, training and behavioural issues are as important as technology
● ‘Mind the Gaps’
● Integration with physical, personnel and traditional IT security is vital
● Security needs to be simple or invisible at point of use
● Learn through other people’s successes and failures across multiple verticals and geographies

Quantum technology and ICS systems
● Threat to PKI and possible alternative of QKD will impact ICS
● PKI may be dead at just about the time it is fully embraced by ICS
● SCADA in the cloud is on its way
● Quantum clocks could remove the reliance of ICS on GPS/NTP/radio clocks
● Anything else?