• No results found

College of Technology

N/A
N/A
Protected

Academic year: 2021

Share "College of Technology"

Copied!
33
0
0

Loading.... (view fulltext now)

Full text

(1)

   

(2)

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Securing Control Systems

A recipe for success

Must utilize security principles

Must recognize system constraints

(3)

 

         

   

                       

 

 

Securing Control Systems

Recent Paths

Ad‐Hoc

– Insert specific magic pixie dust here

Reuse IT guidance

– It is an IT system after all (NOT) – Tie to NIST or 20 top controls

Combinations

(4)

   

 

 

 

 

 

 

 

 

 

 

 

 

   

 

                     

 

 

Securing Control Systems

What is wrong with?

• A structured approach, like we have used for

all preceding efforts – tailored to Control

Systems

– Hard

– Requires cooperation between control systems and IT security

(5)

   

 

 

 

 

   

 

 

 

 

                 

 

 

Securing Control Systems

Why IT best practices don’t work out of the box

Top 20 security controls

– Designed on premise of elements available in IT – Authentication

– Access Control – Automation

(6)

 

   

 

 

 

 

 

 

                 

 

 

 

 

 

   

 

 

 

 

Securing Control Systems

Basic Approach

Not a new method, we have done this before

– Basis for all solid original solutions – Avoids the church of appliancology

Built on security and system fundamentals

Solution is one you control

(7)

 

 

 

 

 

 

Securing Control Systems

Steps

Systems

Network

Data flows

Processes, People and Technology

Management

(8)

 

   

   

 

 

 

 

   

 

 

 

Securing Control Systems

Security

Security is defined by objectives, not rules

Rules are used to achieve objectives

(9)

 

 

     

 

   

   

 

 

 

 

       

 

 

Securing Control Systems

Threat Modeling

• Structured assessments of all threats

• Communication tool to evaluate all threats

and mitigations

(10)

 

 

 

 

 

 

 

 

 

Securing Control Systems

Data Flows

What data goes where

(11)

 

 

   

   

 

   

 

 

Securing Control Systems

A beginning

Who needs to talk to whom?

– HMI

– Historian – OPC

– PLCs

– Engineering Workstation – Corporate data needs

(12)

 

 

 

 

 

 

   

 

   

 

 

 

 

Securing Control Systems

News Flash

In today’s world we don’t get to control who is

on the network

(13)

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

   

 

 

 

 

Securing Control Systems

Network Ins and Outs

Define what should come in

Define what should go out

Use firewalls designed for control systems

Block everything else (explicit deny)

(14)

 

 

 

 

 

       

 

 

Securing Control Systems

Quiz – Network Architectures

Network architectures exist to:

(15)

 

 

 

 

 

                   

 

 

Securing Control Systems

Quiz – Network Architectures

Network architectures exist to:

A. Provide something for network architects to do B. Enable hyperconnectivity – allow everything to

(16)

 

 

 

 

 

                           

 

 

Securing Control Systems

Quiz – Network Architectures

Network architectures exist to:

A. Provide something for network architects to do B. Enable hyperconnectivity – allow everything to

talk to everything

C. Enforce security objective related communications

(17)

 

 

 

 

 

                                   

 

 

Securing Control Systems

Quiz – Network Architectures

Network architectures exist to:

A. Provide something for network architects to do B. Enable hyperconnectivity – allow everything to

talk to everything

C. Enforce security objective related communications

(18)

 

 

 

 

 

                                   

 

 

Securing Control Systems

Quiz – Network Architectures

Network architectures exist to:

A. Provide something for network architects to do B. Enable hyperconnectivity – allow everything to

talk to everything

C. Enforce security objective related communications

(19)

 

                                             

 

 

Securing Control Systems

Network Architectures

• Think locally, not globally

– Global addressing is an unacceptable risk

• Define zones and conduits

• Define who needs to talk with whom

• Must have accurate network map of all connections • Physical security

(20)

 

 

 

                                                                       

 

 

Securing Control Systems

Controlling Ins and Outs

• Mediate all ins and outs

– Firewalls (must be control system cognizant)

– Unidirectional gateways (when high security matters)

– IDS (employ to see who is actually talking)

• Monitor and audit

– Loss Prevention

• How do we know if data is leaving the system

• Accounts are not a panacea

– Should the CFO be able to perform critical transactions

(21)

     

 

 

 

       

 

         

 

 

Securing Control Systems

Devices

Inventory of all devices

Only authorized code runs

– Software and versions (dependencies) – White listing

Configuration Control

– No default passwords – Services and ports

(22)

 

                           

 

 

Securing Control Systems

Devices (continued)

• Access control – define even if you can’t enforce • Admin privilege control

• Harden everything • Anti‐virus

• USBs – power only

• Physical access control • Backups

(23)

 

                 

 

 

 

       

 

 

Securing Control Systems

Systems

Configuration Control

– Updates and patching – No default passwords

– No un‐necessary services, ports or apps

Only authorized code runs

– Software and versions (dependencies) – White listing

(24)

                           

 

 

Securing Control Systems

Systems

• Access control – define even if you can’t enforce • Admin privilege control

• Harden everything • Anti‐virus

• USBs – power only

• Physical access control • Backups

(25)

 

 

   

 

 

 

 

Securing Control Systems

Why software matters

Know all systems and dependencies

– Heartbleed – Bash

(26)

 

 

 

 

         

 

 

 

   

 

 

 

 

   

 

 

Securing Control Systems

Policies, Procedures and People

• These govern:

– IT

– Control systems

– All work for that matter

• They should differ between IT and Control

System security functions

(27)

 

 

 

 

                         

 

 

Securing Control Systems

Specific policies and Procedures

Configuration management

– Specific to control systems, not IT systems – Updates and patches

– No defaults

– Incident Response posture

– DRP/BCP for the control system – Training

(28)

 

 

 

 

 

 

 

 

 

 

   

   

   

 

   

 

 

 

 

 

 

Securing Control Systems

People

Controls system people are from Mars

IT security people are from Venus

Would a sysadmin do X on a critical system?

Would a control system engineer even know?

(29)

 

 

 

 

 

 

 

 

   

               

 

 

 

 

   

 

 

 

Securing Control Systems

Management

Support risk based security

Controls system resources

Control system cybersecurity operations

Culture is everything

– Think Target, Home Depot

– And not enough – JP Morgan Chase

(30)

 

 

 

     

           

 

 

 

Securing Control Systems

Recap

Your system, you defined it as critical

– Understand it

– Understand its implications – Own it, control it

(31)

 

   

       

 

 

Securing Control Systems

What matters

• Network • Devices • Systems

• Policies and procedures • Management

(32)

 

   

 

 

Securing Control Systems

Questions

Contact

Art Conklin

College of Technology [email protected]

(33)

 

 

References

Related documents

The College head shall ensure that all information technology security breaches occurring within his/her College are reported to the Enterprise Security and Risk Management

The Australian market place for Medical and Disability Aids and Equipment is unique, as all 20 medical aids and equipment manufacturers actively promote their equipment..

A short circuit can occur if the secondary cable connecting the fixtures to the power supply is cut or if the exposed ends touch a metal post or water.. After you have determined

In Smart House technology, the dwelling is wired with a single multiconductor cable that includes electric power wires, communications cables for telephone... and video, and

The incisal portion of the dentin has mamelons that are responsible for giving shape to the opalescence; the enamel located in the incisal edge lets light pass freely; this area is

We have audited the consolidated financial statements of Basler Aktiengesellschaft, Ahrensburg, — consisting of balance sheet, profit and loss statement, statement of

In LEAP no change in energy consumption is observed in the carbon tax scenario. By contrast, the application of a carbon tax in TIAM-ECN results in a decrease of approximately

The irony in this case was that the court was first required to decide the merits of the contractor’s differing site conditions claim and then, after denying that claim, to