K E M A, I N C. Ten Steps To Secure Control Systems APPA 2005 Conference Session: Securing SCADA Networks from Cyber Attacks Memphis, TN April 18, 2005.


1 K E M A, I N C.
Ten Steps To Secure Control Systems
APPA 2005 Conference Session: Securing SCADA Networks from Cyber Attacks
Memphis, TN, April 18, 2005
Jay Abshier, CBCP CISSP, KEMA, Inc.
jay.abshier@kema.com

2 K E M A, I N C. Copyright KEMA Inc. Proprietary Information
Ten Steps To Secure Control Systems
- Threats?
- Why take action?
- What Can You Do Now? The Ten Steps
- NERC Standards
- Questions

3 Threats – In Order of Decreasing Probability
- Worms and Viruses
- Internal – Acts of Omission
- Internal – Acts of Commission
- External – Acts of Commission

4 Why Take Action?
- If a vulnerability is exploited, in most cases the impact is a negative effect on the primary function of the control system – a failure.
- A failure of one component of a system increases the probability of another component failure occurring or of becoming a critical factor.
- Most catastrophic failures involve two or more components of a system. Frequently, one of the failed components is either a human action/inaction or the control system.
Source: “Reliability @Risk: A New Paradigm for Assessing Reliability”, December 2004, The Electricity Journal

5 Why Take Action?
- Improved Reliability
- Increased Safety

6 Ten Steps To Secure Control Systems
1. Governance
2. Security Awareness & Training
3. Policies & Procedures
4. Change Management
5. Secure Architecture
6. Remote Access
7. Vulnerability & Risk Assessments
8. Incident Response
9. Configuration & Patch Management
10. Monitoring

7 Ten Steps To Secure Control Systems
1. Governance
2. Security Awareness & Training
3. Policies & Procedures
4. Change Management
5. Secure Architecture
6. Remote Access
7. Vulnerability & Risk Assessments
8. Incident Response
9. Configuration & Patch Management
10. Monitoring
Paper and Presentation discussing all ten available on request.
Callout: Our Focus

8 What Can You Do Now?
5. Secure Architecture
- Identify your critical assets.
- Define the electronic perimeter for your control environment that includes those assets.
- Isolate the control environment using firewall(s) and DMZ(s).
- No access by default.
- All communications terminate at the DMZ.

9 Secure Architecture
[Diagram. Labels: Plant Information Network (PIN); Plant Control Network (PCN); Real time Historian; Relational Database; Users; Historian; Operator Displays; Application Server; Other Plant Information Servers; To Corporate Network; Firewall; DMZ; Database; Web Server; Terminal Server]
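The two perimeter rules from the Secure Architecture slide ("No access by default" and "All communications terminate at the DMZ") can be checked mechanically against a firewall rule set. The following is an added example, not part of the original presentation; the zone names, the `Rule` structure and both sample rule sets are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed zone names for this example: corporate network, DMZ, and the
# plant control network (PCN) inside the electronic perimeter.
ZONES = ("corporate", "dmz", "pcn")

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # a zone name or "any"
    dst: str      # a zone name or "any"
    service: str  # free-text label (constructed)

def _expand(zone):
    return ZONES if zone == "any" else (zone,)

def audit(rules):
    """Return findings for the two perimeter rules on the slide."""
    findings = []
    # "No access by default": the rule set must end in deny any -> any.
    last = rules[-1] if rules else None
    if last is None or (last.action, last.src, last.dst) != ("deny", "any", "any"):
        findings.append("no default deny: final rule is not 'deny any -> any'")
    # "All communications terminate at the DMZ": every allowed cross-zone
    # flow must have the DMZ as source or destination. Rule shadowing is
    # not modelled; any allow that could pass a bypass is reported.
    for number, rule in enumerate(rules, start=1):
        if rule.action != "allow":
            continue
        for src in _expand(rule.src):
            for dst in _expand(rule.dst):
                if src != dst and "dmz" not in (src, dst):
                    findings.append(
                        f"rule {number} ({rule.service}): {src} -> {dst} bypasses the DMZ")
    return findings

# Constructed rule sets, not taken from the presentation.
COMPLIANT = [
    Rule("allow", "corporate", "dmz", "https to DMZ web server"),
    Rule("allow", "corporate", "dmz", "terminal server session"),
    Rule("allow", "pcn", "dmz", "historian replication"),
    Rule("deny", "any", "any", "default"),
]
NONCOMPLIANT = [
    Rule("allow", "corporate", "pcn", "direct historian query"),
    Rule("allow", "any", "dmz", "https"),
]

if __name__ == "__main__":
    for name, rules in (("COMPLIANT", COMPLIANT), ("NONCOMPLIANT", NONCOMPLIANT)):
        print(name, audit(rules) or "ok")
```
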

10 What Can You Do Now?
5. Secure Architecture (cont’d)
- Don’t allow browsing of the internet from the control environment.
- Don’t allow email into the control environment.
  - Sending email out will be ok.
- Take steps to keep unauthorized devices out.
- Avoid wireless.

11 What Can You Do Now?
5. Secure Architecture
- Wireless
  - WEP is useless.
  - WPA
    - Good encryption. Device authentication available.
    - Vulnerable to DoS attack.
    - Devices capable of WEP should be upgradeable to WPA with firmware upgrade.
  - Think of wireless as remote access.

12 What Can You Do Now?
5. Secure Architecture
- Wireless
  - 802.11i is best solution, but requires new hardware if you already have wireless installed.
  - AES encryption, device authentication available, supposed to not be vulnerable to DoS attack.
  - Cisco calls 802.11i WPA2.
  - www.wi-fiplanet.com/tutorials

13 What Can You Do Now?
6. Remote Access
- Should be severely restricted.
- Try to never allow devices on the outside to become part of the Control Network.
- DMZ Application Servers
- Terminal Servers and Citrix are good choices for access.

14 Remote Access
[Diagram. Labels: Plant Information Network (PIN); Plant Control Network (PCN); Real time Historian; Relational Database; Users; Historian; Operator Displays; Application Server; Other Plant Information Servers; To Corporate Network; Firewall; DMZ; Database; Web Server; Terminal Server]

15 What Can You Do Now?
6. Remote Access
- VPNs
  - IPsec VPNs using 3DES or AES encryption are a good choice if DMZ App servers and Terminal Servers are not available.
  - Be aware that the client computer becomes part of the Control Environment.
  - Do not allow split tunneling.
  - Try to require anti-virus and personal firewalls.
  - Try to enforce patch levels on software.

16 What Can You Do Now?
6. Remote Access
- Modems
  - Avoid auto answer dial in modems.
  - Dial back modems and encrypting modems are ok alternatives if modems are unavoidable.

17 What Can You Do Now?
7. Vulnerability and Risk Assessments
- Vulnerability assessments try to identify all the known vulnerabilities in a device or architecture.
- Risk assessments try to prioritize these vulnerabilities and assess the impact.

18 What Can You Do Now?
7. Vulnerability and Risk Assessments
- Vulnerability assessments often involve scans, which can cause problems in the control environment.
- Good probabilities for risk assessments are not available, but vulnerabilities can be prioritized using accurate relative probabilities for Threats.

19 What Can You Do Now?
7. Vulnerability and Risk Assessments
- Risk assessments are a good way to involve the stakeholders in the process and get buy-in.
- Risk can be calculated as:
  - Probability of Threat Occurring * Probability of Existing Controls Preventing Threat * Impact if Threat succeeds

20 What Can You Do Now?
7. Vulnerability and Risk Assessments
- Use a good methodology.
- Which To Use?
  - For Systems, use one focused on assessing the risk that a vulnerability can be exploited by a threat.


23 What Can You Do Now?
Bottom Line
- Tool or tools will not keep you secure. No one can guarantee your system or network is “secure”.
- Daily due diligence and comprehensive security program is only viable “solution”.

24 NERC Permanent Standard
- Jan 17 – Feb 17: Post Draft 2 and Comment period
- Feb 2: Webcast on Draft 2
- Feb 18 – Apr 15: Resolve comments on Draft 2 and prepare Draft 3
- Apr 15 – May 31: Post Draft 3 and Comment period
- June 1 – 30: Resolve comments on Draft 3 and prepare for Ballot
- July 1 – 31: 30 day posting prior to Ballot
- Aug 1 – 30: 2 rounds of Ballots
- August 13: NERC 1200 expires
- Sept 1 – 30: 30 day posting prior to NERC Board adoption
- October 1: NERC Board adopts standards
- November 1: Standards become “Effective”
- 1st Quarter 2006: Self Certification and Audit begins

25 NERC Permanent Standard
- CIP-002-1 Critical Cyber Assets
- CIP-003-1 Security Management Controls
- CIP-004-1 Personnel and Training
- CIP-005-1 Electronic Security
- CIP-006-1 Physical Security
- CIP-007-1 Systems Security Management
- CIP-008-1 Incident Reporting and Response Planning
- CIP-009-1 Recovery Plans

26 NERC Permanent Standard
- What it covers
  - SCADA/Control Center
  - Power plant control systems
  - Many exceptions
  - Transmission substations
- What it doesn’t
  - Many power plants
  - Distribution
  - Telecom
  - Requirement for understanding control systems

27 Ten Steps To Secure Control Systems
Questions?
For more information:
Jay Abshier, CBCP CISSP
713.240.4146 (mobile)
832.717.3072 (office)
jay.abshier@kema.com

