Presentation is loading. Please wait.

Presentation is loading. Please wait.

Integrated Factory Acceptance Test (IFAT) as Security Best Practice 10/27/2015FoxGuard Solutions1 Larry Alls, Security Engineering Manager FoxGuard Solutions.

Published bySteven Cameron Modified over 8 years ago

Similar presentations

Presentation on theme: "Integrated Factory Acceptance Test (IFAT) as Security Best Practice 10/27/2015FoxGuard Solutions1 Larry Alls, Security Engineering Manager FoxGuard Solutions."— Presentation transcript:

1

2 Integrated Factory Acceptance Test (IFAT) as Security Best Practice 10/27/2015FoxGuard Solutions1 Larry Alls, Security Engineering Manager FoxGuard Solutions

3 Good Afternoon  Brief History of Threats  Security Myths  Layered Defense  Implementing a layered defense in the Industrial Controls System (ICS) network  Factory Acceptance Testing  IFAT – Questions to ask – Helpful hints – Lessons learned – Outcome – Benefits 10/27/2015FoxGuard Solutions2

4 Evolution of Security Challenges 10/27/2015FoxGuard Solutions3 GLOBAL Infrastructure Impact REGIONAL Networks MULTIPLE Networks INDIVIDUAL Networks INDIVIDUAL Computer Target and Scope of Damage Rapidly Escalating Threat First Gen  Boot viruses Weeks Second Gen  Macro viruses  Denial of Service Days Third Gen  Distributed Denial of Service  Blended threats Minutes Next Gen  Flash threats  Massive “bot”- driven DDoS  Damaging payload worms Seconds 1980s1990s TodayFuture

5 Evolution of Threats and Exploits 10/27/2015FoxGuard Solutions4 Packet Forging/Spoofing Password Guessing Self Replicating Code (WORM) Password Cracking Vulnerability Scanning Audit Disablement Back Door Exploits Session Hijacking Sniffers Stealth Diagnostics High Low Pulsing Zombies Self Installing Root Kits Time Dynamic Capabilities Intelligent Bots Complexity Expertise Required Mitnick or Wozniak Script Kiddies ~90s Today

6 Think about it…  Implementing security on control systems at power plants is becoming more and more critical for the reliability of our electric sector.  Why is that? – Because NERC says so? – Because of terrorist threats?  What does this mean to the plant and the plant operators?  How do we take the IT best practice of layered defense and apply it to a control system environment?  What is the impact of installing security on a control system?  How does it affect the plant, the vendor, and the integrator? 10/27/2015FoxGuard Solutions5

7 Common Security Myths  Only specific users have access to my systems and I know who they are  We air-gap the ICS network so it’s not exploitable  Our firewall is bulletproof  What’s the worst that can happen? 10/27/2015FoxGuard Solutions6

8 Worst-Case? 10/27/2015FoxGuard Solutions7

9 Repeat After Me! Disregard Security and your network:  Is vulnerable  Is exploitable  And someone will access it 10/27/2015FoxGuard Solutions8

10 Why? 10/27/2015FoxGuard Solutions9  Control systems use IT systems and networking technologies – NIST Special publication 800-82 is riddled with information about the addition of IT technologies and how they pose threats to the ICS system, and what needs to be done to mitigate these threats.  Control systems may have implemented IT based solutions, but they have not kept up with IT technology. – ICS was designed to last 15 – 20 years – Lifecycle for typical IT system is 3 - 5 years – Combined with the security myths and the ever growing IT threats, it’s time to act

11 Implementing Security in the ICS  Challenging due to different vendors  Can you integrate these solutions into a single solution  Vendors don’t usually integrate their systems with one another  Some power providers are toying with the idea of managing their security from a single management layer, but are finding it challenging because of the different vendor solutions  This type of solution calls for some network designing and extensive testing prior to deployment 10/27/2015FoxGuard Solutions10

12 Factory Acceptance Testing  TEST, TEST, and TEST AGAIN!!!  The answer for integrating anything into the ICS has always been a Factory Acceptance Test (FAT)  Implementing security is no exception  Integrated Security Factory Acceptance Test (IFAT) – Vendors, customer and integrator come together prior to installation to “work out” site specific issues and test every facet of the security install – These issues would normally have to be dealt with during the outage – This process saves the plant considerable time during the outage as it relates to the cyber-security installation – They can then concentrate on other upgrades that are being performed knowing that the added security is not going to impact start-up 10/27/2015FoxGuard Solutions11

13 Questions to Ask  What vendors will be integrated into this plan?  Are they willing to work with the other vendors in a neutral environment?  To what extent will they cooperate?  Who will integrate this solution?  Who will write the test plans and oversee the IFAT?  What facilities are needed to accommodate the vendors?  What onsite security will be required by each vendor?  How can we maintain secure data transactions?  How can NDAs be handled between vendors? 10/27/2015FoxGuard Solutions12

14 Top 5 Things to Remember 1.Communicate early, honestly, and thoroughly 2.Manage expectations on all sides 3.Not all the vendors will participate equally 4.Expect surprises that were not anticipated 5.Have clear definitions for Success and Failure 10/27/2015FoxGuard Solutions13

15 Lessons Learned  Get complete requirements from all vendors and set up well in advance  Run at least two mock IFATs prior to having the real IFAT  Have clear applicable test plans and procedures  Keep personnel limited  Allow ample time for complete testing 10/27/2015FoxGuard Solutions14

16 Closing the IFAT  Intangible product: Confidence – Confidence that the system to be delivered meets expectations. This confidence is built from a long process consisting of several major milestones, one of which is the IFAT; another being the successful installation and execution of “real” science on the system.  Tangible product: The certification of a formal agreement – A signed agreement detailing what passed, what failed, and the remediation plan for each failure/deficiency. If the remediation plan cannot be fully addressed at the IFAT, then a deadline for presenting this plan to the customer should be set. If another IFAT is required, this should be part of the remediation plan. In the worst case, the remediation plan may include how the system will be corrected on site, after installation at the customer facility. 10/27/2015FoxGuard Solutions15

17 Who Benefits? 10/27/2015FoxGuard Solutions16  The Vendor This approach validates all the hard work that the vendor has put into its system Reduced loss / cost due to false expectations Improved customer relations / confidence  The Customer Confidence in the systems Minimal impact during installation Reduced implementation costs Reduced costs due to non-compliance  The Integrator Expectations of delivery are clear Increased success rate of implementations Reduced losses due to false expectations

18 Questions? Larry Alls, Security Engineering Manager FoxGuard Solutions lalls@foxguardsolutions.com FoxGuard Solutions provides cyber security, including HMI patching and updates, to industrial control systems. www.foxguardsolutions.com 10/27/2015FoxGuard Solutions17

Download ppt "Integrated Factory Acceptance Test (IFAT) as Security Best Practice 10/27/2015FoxGuard Solutions1 Larry Alls, Security Engineering Manager FoxGuard Solutions."

Similar presentations

Chapter 3: Planning a Network Upgrade

Chapter 3: Planning a Network Upgrade
Life Science Services and Solutions

Life Science Services and Solutions
Software Engineering CSE470: Process 15 Software Engineering Phases Definition: What? Development: How? Maintenance: Managing change Umbrella Activities:

Software Engineering CSE470: Process 15 Software Engineering Phases Definition: What? Development: How? Maintenance: Managing change Umbrella Activities:
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Increasing customer value through effective security risk management

Increasing customer value through effective security risk management
1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-

1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-
CS351 © 2003 Ray S. Babcock Software Testing What is it?

CS351 © 2003 Ray S. Babcock Software Testing What is it?
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
SE is not like other projects. l The project is intangible. l There is no standardized solution process. l New projects may have little or no relationship.

SE is not like other projects. l The project is intangible. l There is no standardized solution process. l New projects may have little or no relationship.
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
© 2003, Cisco Systems, Inc. All rights reserved. 111 8426_07_2003_Richardson_c11 Security Strategy Update Self Defending Network Initiative Network Admission.

© 2003, Cisco Systems, Inc. All rights reserved _07_2003_Richardson_c11 Security Strategy Update Self Defending Network Initiative Network Admission.
Release Management and Rollout A very brief overview.

Release Management and Rollout A very brief overview.
© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Introduction to Network Defense

Introduction to Network Defense
K E M A, I N C. Current Status of Cyber Security Issues 2004 Keynote Address Joe Weiss January 20, 2004.

K E M A, I N C. Current Status of Cyber Security Issues 2004 Keynote Address Joe Weiss January 20, 2004.
1 Network Quarantine At Cornell University Steve Schuster Director, Information Security Office.

1 Network Quarantine At Cornell University Steve Schuster Director, Information Security Office.
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions 631-692-5175 Steve Katz, CISSP Security.

The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
1Cisco Security NOW © 2003, Cisco Systems, Inc. All rights reserved. THIS IS THE POWER OF CISCO SECURITY. now.

1Cisco Security NOW © 2003, Cisco Systems, Inc. All rights reserved. THIS IS THE POWER OF CISCO SECURITY. now.

Similar presentations

Ads by Google