Securing Control Systems
A recipe for success
•
Must utilize security principles
•
Must recognize system constraints
Securing Control Systems
Recent Paths
•
Ad‐Hoc
– Insert specific magic pixie dust here
•
Reuse IT guidance
– It is an IT system after all (NOT) – Tie to NIST or 20 top controls
•
Combinations
Securing Control Systems
What is wrong with?
• A structured approach, like we have used for
all preceding efforts – tailored to Control
Systems
– Hard
– Requires cooperation between control systems and IT security
Securing Control Systems
Why IT best practices don’t work out of the box
•
Top 20 security controls
– Designed on premise of elements available in IT – Authentication
– Access Control – Automation
Securing Control Systems
Basic Approach
•
Not a new method, we have done this before
– Basis for all solid original solutions – Avoids the church of appliancology
•
Built on security and system fundamentals
•
Solution is one you control
Securing Control Systems
Steps
•
Systems
•
Network
•
Data flows
•
Processes, People and Technology
•
Management
Securing Control Systems
Security
•
Security is defined by objectives, not rules
•
Rules are used to achieve objectives
Securing Control Systems
Threat Modeling
• Structured assessments of all threats
• Communication tool to evaluate all threats
and mitigations
Securing Control Systems
Data Flows
•
What data goes where
Securing Control Systems
A beginning
•
Who needs to talk to whom?
– HMI
– Historian – OPC
– PLCs
– Engineering Workstation – Corporate data needs
Securing Control Systems
News Flash
•
In today’s world we don’t get to control who is
on the network
Securing Control Systems
Network Ins and Outs
•
Define what should come in
•
Define what should go out
•
Use firewalls designed for control systems
•
Block everything else (explicit deny)
Securing Control Systems
Quiz – Network Architectures
•
Network architectures exist to:
Securing Control Systems
Quiz – Network Architectures
•
Network architectures exist to:
A. Provide something for network architects to do B. Enable hyperconnectivity – allow everything to
Securing Control Systems
Quiz – Network Architectures
•
Network architectures exist to:
A. Provide something for network architects to do B. Enable hyperconnectivity – allow everything to
talk to everything
C. Enforce security objective related communications
Securing Control Systems
Quiz – Network Architectures
•
Network architectures exist to:
A. Provide something for network architects to do B. Enable hyperconnectivity – allow everything to
talk to everything
C. Enforce security objective related communications
Securing Control Systems
Quiz – Network Architectures
•
Network architectures exist to:
A. Provide something for network architects to do B. Enable hyperconnectivity – allow everything to
talk to everything
C. Enforce security objective related communications
Securing Control Systems
Network Architectures
• Think locally, not globally
– Global addressing is an unacceptable risk
• Define zones and conduits
• Define who needs to talk with whom
• Must have accurate network map of all connections • Physical security
Securing Control Systems
Controlling Ins and Outs
• Mediate all ins and outs
– Firewalls (must be control system cognizant)
– Unidirectional gateways (when high security matters)
– IDS (employ to see who is actually talking)
• Monitor and audit
– Loss Prevention
• How do we know if data is leaving the system
• Accounts are not a panacea
– Should the CFO be able to perform critical transactions
Securing Control Systems
Devices
•
Inventory of all devices
•
Only authorized code runs
– Software and versions (dependencies) – White listing
•
Configuration Control
– No default passwords – Services and ports
Securing Control Systems
Devices (continued)
• Access control – define even if you can’t enforce • Admin privilege control
• Harden everything • Anti‐virus
• USBs – power only
• Physical access control • Backups
Securing Control Systems
Systems
•
Configuration Control
– Updates and patching – No default passwords
– No un‐necessary services, ports or apps
•
Only authorized code runs
– Software and versions (dependencies) – White listing
Securing Control Systems
Systems
• Access control – define even if you can’t enforce • Admin privilege control
• Harden everything • Anti‐virus
• USBs – power only
• Physical access control • Backups
Securing Control Systems
Why software matters
•
Know all systems and dependencies
– Heartbleed – Bash
Securing Control Systems
Policies, Procedures and People
• These govern:
– IT
– Control systems
– All work for that matter
• They should differ between IT and Control
System security functions
Securing Control Systems
Specific policies and Procedures
•
Configuration management
– Specific to control systems, not IT systems – Updates and patches
– No defaults
– Incident Response posture
– DRP/BCP for the control system – Training
Securing Control Systems
People
•
Controls system people are from Mars
•
IT security people are from Venus
•
Would a sysadmin do X on a critical system?
•
Would a control system engineer even know?
Securing Control Systems
Management
•
Support risk based security
•
Controls system resources
•
Control system cybersecurity operations
•
Culture is everything
– Think Target, Home Depot
– And not enough – JP Morgan Chase
Securing Control Systems
Recap
•
Your system, you defined it as critical
– Understand it
– Understand its implications – Own it, control it
Securing Control Systems
What matters
• Network • Devices • Systems
• Policies and procedures • Management