
1 Current Status of Cyber Security Issues 2004 Keynote Address Joe Weiss January 20, 2004

2 Agenda
- Control systems defined
- Control systems cyber security threats are real
- Address the issue: It makes good business sense
- Productivity improvements
- Response to security threats
- Reliability
- Regulatory compliance
- Liability

3 What’s a Control System?
- SCADA/EMS
- DCS
- PLCs
- RTUs/IEDs
- Meters
- Enterprise applications for utility operations

4 Successful Attacks With Damage
- Electric Utility
  - 100 – 150 hits/day on control network
  - 17 Intrusions
  - 2 Denial of Service (DOS) Events
  - 3 Loss of Control Events
    - Switchgear controller
    - Boiler
    - Deaerator controls
- Wastewater Utility
  - Wireless hack by disgruntled ex-SCADA supplier employee
  - Release of millions of liters of sewage

5 Hackers Starting to Look at SCADA
- Brumcon Report “It was a detailed breakdown of the RF systems used by water management authorities in the UK and how these systems can be abused, interfered with and generally messed. The live demonstration included how to monitor the un-encrypted water management systems and create a DOS attack. It was clear that additional communication channels using dial up connections would kick in automatically in the event of an attack.”

6 Business Drivers
- Need for productivity improvements
- Customer service
- Financial impact
- Response to security threats
- Reliability: High visibility
- Regulatory compliance
- Liability

7 Need for productivity improvements
- Technology Advances Enabling
- On-line maintenance (RCM)
- System optimization
- Wide access to system data
- Centralized data analysis
- Security solution
- Standards organizations: Lack of coordination
- Policies
- Procedures
- Control systems architecture
- Develop security policies
- ISO not adequate

8 Productivity Improvement: Examples
- Major Oil/Gas Company
  - ~90% of control systems world-wide are networked
- IED Supplier
  - Systems require dial-up access
- PLC Supplier
  - Systems have default passwords hardcoded into firmware

9 Response to security threats
- Current responses
  - NERC
  - Presidential decision directive
  - DHS/DOE
  - National Plan to secure cyber space
  - Industry/standards organizations
- Solution
  - Conduct vulnerability and risk assessment
  - Develop recovery plans
  - Address IT/Operations gap
  - Provide training programs

10 SCADA Cyber Assessment
- Test conducted following factory acceptance test
- Most secure possible case
  - Vendor knew we were coming
  - All patches installed
  - No outside connections
- Penetration complete within 2 working days

11 Misidentification
- Penetration test performed by organization without significant control system expertise
  - Identified unauthorized access of plant DCS Engineer’s Workstation
- Control system assessment
  - Confirmed identified workstation was not DCS Engineer’s Workstation
  - Additional walkdown identified vulnerabilities not found by traditional penetration testing
  - Non-IP vulnerabilities

12 Reliability: High Visibility
- Cyber security/reliability connection
  - Cyber events have impacted reliability of utility control systems
  - Fixes to improve reliability can impact cyber security
  - Control systems role in preventing and/or mitigating future blackouts
- Solution
  - Include cyber security in reliability upgrades

13 Example: Substation Automation/EMS Upgrade
- Includes cyber security considerations
- Industry proven specifications
- Remote access
- Data communications/protocols
- Vendor access
- Training

14 Regulatory compliance
- Current compliance issues
  - NERC
  - Presidential decision directive
  - AGA
  - EPA
- Solution
  - Vulnerability and risk assessment
  - Policies and procedures
  - IT strategy and plan

15 NERC Urgent Action Standard 1200 SAR Control Center Only
- Substantial compliance by March 2004
- 16 tasks
- Some require additional work
- SAR
  - In ballot process
  - Includes power plant controls and substation equipment

16 Homeland Security Presidential Directive 7
- HSPD-7 December 17, 2003
- National goal: Protect critical infrastructure from physical and cyber attacks
- DHS Lead Agency
- DOE responsible for Energy
- Require a strategy to identify, prioritize, and coordinate protection of critical infrastructure
- By July 2004, develop plans for protecting critical infrastructure

17 Liability
- Why liability is an issue
  - This is not an unforeseen event
  - Insurance will have exclusions for cyber
  - Insurance may not cover company executives
  - SEC may require status of cyber in filings
- Solution
  - Perform due diligence
  - Move toward industry accepted program

18 National SCADA Test Bed
- Developing new tools
- Determine vulnerabilities
- Large scale assessments
- Testing and validating
- Industry products
- Safe and secure test bed
- Full scale testing
- Computer controls
- Communications
- Field Systems
- Substations and RTUs

19 Conclusion
- Cyber security threats are real
- Cyber security is not just a regulatory or national infrastructure issue; it makes good business sense
- Technology will continue to evolve to meet demands for productivity and reliability improvements
- Security requirements need to keep pace with technology advancements
- There are workable near-term solutions
- We need to work toward
  - Addressing the gap between IT and operations
  - Long-term technology changes

