Presentation is loading. Please wait.

Presentation is loading. Please wait.

It’s just security. Jack Whitsitt | |  I am NOT representing.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "It’s just security. Jack Whitsitt | |  I am NOT representing."— Presentation transcript:

1 It’s just security

2 Jack Whitsitt | Sintixerr@gmail.com | http://twitter.com/sintixerrSintixerr@gmail.comhttp://twitter.com/sintixerr  I am NOT representing my employer in any way, shape, or form  I’m not a critical energy sector expert in particular  Why am I here then?  Started writing talk by answering panel questions ◦ Got stuck on question 1

3  I have no idea what they are – don’t really care ◦ This is where I got stuck!  But I’ve seen instead: ◦ Phishing ◦ USB drives ◦ Common Development Errors ◦ Change Management Screw-ups ◦ Lack of visibility  Energy uses COTS and GUI systems for control ◦ Why would bad guys burn something dedicated when they can use common stuff? ◦ Maybe a pertinent answer is a question: Why can they still use common stuff?

4  The oil and gas industry breaches….Marathon Oil, ExxonMobil, and ConocoPhillips – occurred in 2008, until the FBI alerted them that year and in early 2009  “We’ve seen real, targeted attacks on our C-level [most senior] executives,” says one oil company official…  Penetrated their electronic defenses using a combination of fake e-mails and customized spyware programs  Antivirus software misses more than 20 percent of the Trojans in my testing,”  “What I’m saying to you is that it’s not just the oil and gas industry that’s vulnerable to this kind of attack: It’s any industry that the Chinese decide they want to take a look at,” says an FBI source. “It’s like they’re just going down the street picking out what they want to have.”

5  We are doing things over and over again we know we shouldn’t  Examples: ◦ WEP device attached to vendor network. ◦ Previously unknown networks or connections to the internet – not in architecture. ◦ Password-less Smart Meters found in a search engine. Whoops. ◦ Lack of human awareness: “Let me click that link”  These aren’t even “cyber security” specific failures  But they’re what the bad guys use  None should have happened: Errors made at a high, largely uncontrolled rate ◦ Everyone makes them

6  Infinite Trust Chains and No Perimeters  Examples: ◦ HMI hardware out of box. Host file was already compromised ◦ Embedded Web Server vulnerability in HMI gear ◦ No responsibility or authority, made worse by support models

7

8  Attack Surface Increasing  At a MINIMUM because of increasing interconnections  Even without new technology  Tactical response won’t help:  Not fixing one vulnerability  Not fixing ten vulnerabilities  Not fixing a thousand SCADA vulnerabilities  Must slow the flow, reduce error rate  Cant keep up if we don’t: We don’t have the resources  Already can’t: Compromise at-will  Key will be Language and Communication & Awareness  Currently, we cant even consistently discuss goals in term of common safety and operational and business priorities much less derive strategic solutions

9  Architecture diagrams are never true. Ever. ◦ If you want to know where your vulnerabilities are, look for where your reality is different from your expectation ◦ This might not be a manually maintainable process; Possible subject for research  Cyber Security efforts without solid change control and management is like asking an ancient Roman God for rain. It’s not science, it’s faith  Number one failure of cyber security

10  Now that you know what you have…what exactly are you DOING? ◦ “Securing the infrastructure” not good enough – it doesn’t mean anything  Need an “Algebra of security” that ◦ Allows consistent comparable expressions of goals ◦ Assures line of sight between strategic risks FROM cyber systems and tactical risks TO cyber systems  Until then, we’re talking at each other, not to each other, and hoping to get lucky

11  Use the algebra to create energy-specific definitions of success ◦ What do we mean by secure energy infrastructure?  Techies cant answer this for you  Create a definition that can be consistently understood across all players  Separate out priority valuation of goals and commonly understood goals ◦ If you cant answer that question, how can you talk about how to build it? ◦ If you cant answer that question and compare it to what you have to find gaps, how do you know where to start?

12  Based partially on Sandia Incident Classification Model: Http://www.cert.org/research/taxonomy_988667.pdf Http://www.cert.org/research/taxonomy_988667.pdf  Based partially on SABSA Enterprise Security Architecture model  Uses Business Threat Trees to ◦ Define strategic cyber security requirements for long term planning ◦ Identify Tactical technical issues that impact long term objectives ◦ Allow independent parties to use same language to express cyber security, even with different priority levels ◦ Create framework which security service architecture can be validated

13

14  Cede the network ◦ At least in terms of using network level controls as the first means of data/access/action control at the application layer ◦ Putting a box around it is not, and will never be granular enough ◦ Can’t do it anyway, it’s really, really big. This is a last resort ◦ Next steps of research: Small unit test cases from data/behavior transition from one step to the next  Focus on Gracefully Handling Compromise ◦ If we assume we’ve lost already and defense might be too expensive, are there alternatives? ◦ We all live with bacteria inside of us, can the energy infrastructure?  Don’t throw good money after bad ◦ Antivirus, Firewalls, IPS’s, and patching have failed IT, don’t blindly invest in them

15 Jack Whitsitt | sintixerr@gmail.com |http://twitter.com/sintixerrsintixerr@gmail.com

Download ppt "It’s just security. Jack Whitsitt | |  I am NOT representing."

Similar presentations

Building Secure Mashups D. K. Smetters PARC Usable.

Building Secure Mashups D. K. Smetters PARC Usable.
Computer Security: Myths and Mistakes

Computer Security: Myths and Mistakes
Turnaround Interview® Turn off your people problems, not your people.

Turnaround Interview® Turn off your people problems, not your people.
Chapter 1 We’ve Got Problems…. Four Horsemen  … of the electronic apocalypse  Spam --- unsolicited bulk email o Over 70% of email traffic  Bugs ---

Chapter 1 We’ve Got Problems…. Four Horsemen  … of the electronic apocalypse  Spam --- unsolicited bulk o Over 70% of traffic  Bugs ---
The Scaling IQ Test: When Dev and Admin Collide Richard Campbell Strangeloop Networks.

The Scaling IQ Test: When Dev and Admin Collide Richard Campbell Strangeloop Networks.
Protection from Internet Theft By James Seegars. What Is Hacking? Definition – A)To change or alter(Computer Program) – B) To gain access to (a computer.

Protection from Internet Theft By James Seegars. What Is Hacking? Definition – A)To change or alter(Computer Program) – B) To gain access to (a computer.
Computer Maintenance & Safety Spring 2014. Internet Safety Keeping your computer safe What is a computer virus? A computer program that can copy itself.

Computer Maintenance & Safety Spring Internet Safety Keeping your computer safe What is a computer virus? A computer program that can copy itself.
UT Wing Civil Air Patrol. Objective Identify network and cyber vulnerabilities and mitigations Social Media/Metadata/Exfil data MITM Attacks Malware Social.

UT Wing Civil Air Patrol. Objective Identify network and cyber vulnerabilities and mitigations Social Media/Metadata/Exfil data MITM Attacks Malware Social.
Cyber Metrics in the DoD or How Do We Know What We Don’t Know? John S. Bay, Ph.D. Executive Director.

Cyber Metrics in the DoD or How Do We Know What We Don’t Know? John S. Bay, Ph.D. Executive Director.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Preventing Good People From Doing Bad Things Best Practices for Cloud Security Brian Anderson Chief Marketing Officer & Author of “Preventing Good People.

Preventing Good People From Doing Bad Things Best Practices for Cloud Security Brian Anderson Chief Marketing Officer & Author of “Preventing Good People.
Managing A Secure Infrastructure – Tales From the Trenches November 6, 2003.

Managing A Secure Infrastructure – Tales From the Trenches November 6, 2003.
Applications: History to Future Why end-to-end shouldn’t be dead Pete Resnick Protocol standards bonehead Qualcomm Technologies, Inc.

Applications: History to Future Why end-to-end shouldn’t be dead Pete Resnick Protocol standards bonehead Qualcomm Technologies, Inc.
(Quickly) Testing the Tester via Path Coverage Alex Groce Oregon State University (formerly NASA/JPL Laboratory for Reliable Software)

(Quickly) Testing the Tester via Path Coverage Alex Groce Oregon State University (formerly NASA/JPL Laboratory for Reliable Software)
(c) 2005 - Andy Berry (www.tof.co.uk) SOA – Benefits and Risks Presentation to ESUG 2005 Conference Andy Berry – www.tof.co.uk.

(c) Andy Berry ( SOA – Benefits and Risks Presentation to ESUG 2005 Conference Andy Berry –
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Know the Client Own the Problem Share the Solution The 2005 Case for Information Technology Security October 14, 2004.

Know the Client Own the Problem Share the Solution The 2005 Case for Information Technology Security October 14, 2004.
Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.

Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Why Cryptosystems Fail Ross Anderson Presented by Su Zhang 1.

Why Cryptosystems Fail Ross Anderson Presented by Su Zhang 1.

Similar presentations

Ads by Google