Risks to Facilities and Industrial Control Systems
Cambridge, September 19th 2014
Dr. Ian Buffey


Agenda
● Personal Introduction
● What is an Industrial Control System and why should I care?
● Evolution of control systems and their security
● Why is ICS Cyber Security difficult?
● What do you need to do to make it work?
● What impact will quantum technology have on ICS systems?

Personal Introduction
● Studied Chemistry and Theoretical Chemistry at Manchester ‘79-85
  – Absorption of far IR by water clusters
● Quantum mechanics knowledge a little rusty now!
● Worked on Industrial Control Systems (ICS) since then
  – Variety of companies, industries and roles
  – Main focus on security since 2004

What are Industrial Control Systems and why should I care?
● An equation (of sorts): ICS = SCADA = DCS = OT (Operational Technology) = any other acronym for a control/automation system
● Much of the Critical National Infrastructure (CNI) we rely on daily relies on an ICS, e.g. power, water, oil and gas, transport, chemicals, pharmaceuticals
● Non-CNI too: breweries, distilleries, chocolate factories, CERN
● If the systems controlling these processes stop, everyday life stops with them
● We live in an ever more interconnected world
● IoT has been developing for a while

How does ICS work?

Evolution of Control Systems
1985 – Systems mostly bespoke, running on obscure OS, isolated
1990 – COTS now significant. Drive for OT/IT connectivity
– Windows NT 3.51/4 makes it a serious contender. IP for connectivity
– Windows established. Increasing commoditization.
Post 9/11 – Realization of the criticality and vulnerability of ICS

Typical (Simplified) ICS Lifecycle
● Initial specification / vendor selection
● Detailed Design
● Build (inc factory test)
● Commissioning (on site)
● Run and maintain
● ‘Refresh’
1-2 years; 5-15 years

Evolution of Control System Security
● Hard to draw a graphic showing steady evolution
● Common practice
  – Firewalls (between IT/OT networks, further segmentation less common)
  – AV on Windows systems
● Less common practice
  – Centralised alert logging (SEM/SIEM)
  – Host and/or Network IDS/IPS
  – System hardening
  – Configuration monitoring/management (including patches/updates)
  – Application whitelisting or other software controls
  – Network Access Control (NAC)
  – Accurate network architecture drawings and inventories
  – Strong governance, policies, training
  – More...

So what has been achieved?
● The short answer: “It’s patchy.”
● Security is not the new safety
● Coffee cups and hand rails
● Some companies have good programmes in place
● What does ‘good’ look like?
  – Security (especially architecture) has evolved over time
  – Budget for security (time as well as products) is available annually
  – There are staff who have security as at least a part of their ‘day job’
  – Incidents detected, responded to, reported on, lessons are learned

Indications that all is not well
● Security is not part of the ‘day job’
● Relying on heroic efforts
● Lack of involvement from stakeholders
● Security which is difficult to use or gets in the way
  – Anything which slows down operator actions is a risk
● Lack of security awareness amongst ‘users’

Why is ICS Cyber Security so difficult?
● System longevity, diversity and complexity
  – Threat landscape evolves more quickly than systems
● Requirement evolution
● Ecosystem complexity
● Business justification/ROI

Requirement Evolution
● Systems have many new requirements in their lifetimes
● Today’s systems will likely have to cope with
  – Wireless, Mobile devices, Virtualization, Cloud
  – Other things nobody has thought of yet

/article/46490/Mobile-SCADA-increases-staff-efficiency-in-logistics-operation-by-15--and-cuts-support-call-costs-by-60-.aspx
/article/46335/SCADA-virtualisation-delivering-real-benefits-.aspx

ICS Cyber Security Ecosystem
● System Operators
● System Engineers
● Instrument Technicians
● Corporate IT
● Vendors
● System Integrators
● Outsource Providers
● Communication suppliers
● Management/Investors
● Academia
● 11 UK universities
● RITICS
● Government
● Standards bodies
● Consumers

Business justification/ROI
● Notoriously difficult
  – Risk quantification very difficult
  – Energy companies denied insurance cover 1
● Few attacks are ICS specific and fewer still aim to cause physical damage
  – Arguably Stuxnet is the only example
    ● Google “To kill a centrifuge” to learn more about Stuxnet
● Leaning heavily on FUD may have caused damage here
● However, a single cyber event can easily cost more than several years’ security expenditure

1.

What needs to be done to secure ICS?
● NIST think they have the answer
● Framework for Improving Critical Infrastructure Cybersecurity – 1.0 Feb 2014
● Seems abstract unless you’ve been through the pain
● C2M2 – Cybersecurity Capability Maturity Model
● Understand that governance, training and behavioural issues are as important as technology
● ‘Mind the Gaps’
● Integration with physical, personnel and traditional IT security is vital
● Security needs to be simple or invisible at point of use
● Learn through other people’s successes and failures across multiple verticals and geographies

Quantum technology and ICS systems
● Threat to PKI and possible alternative of QKD will impact ICS
● PKI may be dead at just about the time it is fully embraced by ICS
● SCADA in the cloud is on its way
● Quantum clocks could remove the reliance of ICS on GPS/NTP/radio clocks
● Anything else?

Questions? Dr. Ian Buffey