
Current Status of Cyber Security Issues 2004 Keynote Address Joe Weiss January 20, 2004


Presentation Transcript


  1. Current Status of Cyber Security Issues 2004 Keynote Address Joe Weiss January 20, 2004

  2. Agenda
     • Control systems defined
     • Control systems cyber security threats are real
     • Address the issue: It makes good business sense
     • Productivity improvements
     • Response to security threats
     • Reliability
     • Regulatory compliance
     • Liability

  3. What’s a Control System?
     • SCADA/EMS
     • DCS
     • PLCs
     • RTUs/IEDs
     • Meters
     • Enterprise applications for utility operations

  4. Successful Attacks With Damage
     • Electric Utility
     • 100 – 150 hits/day on control network
     • 17 Intrusions
     • 2 Denial of Service (DOS) Events
     • 3 Loss of Control Events
     • Switchgear controller
     • Boiler Deaerator controls
     • Wastewater Utility
     • Wireless hack by disgruntled ex-SCADA supplier employee
     • Release of millions of liters of sewage

  5. Hackers Starting to Look at SCADA
     • Brumcon Report: “It was a detailed breakdown of the RF systems used by water management authorities in the UK and how these systems can be abused, interfered with and generally messed. The live demonstration included how to monitor the un-encrypted water management systems and create a DOS attack. It was clear that additional communication channels using dial up connections would kick in automatically in the event of an attack.”

  6. Business Drivers
     • Need for productivity improvements
     • Customer service
     • Financial impact
     • Response to security threats
     • Reliability: High visibility
     • Regulatory compliance
     • Liability

  7. Need for productivity improvements
     • Technology Advances Enabling
     • On-line maintenance (RCM)
     • System optimization
     • Wide access to system data
     • Centralized data analysis
     • Security solution
     • Standards organizations: Lack of coordination
     • Policies
     • Procedures
     • Control systems architecture
     • Develop security policies
     • ISO 17799 not adequate

  8. Productivity Improvement: Examples
     • Major Oil/Gas Company
     • ~90% of control systems world-wide are networked
     • IED Supplier
     • Systems require dial-up access
     • PLC Supplier
     • Systems have default passwords hardcoded into firmware

  9. Response to security threats
     • Current responses
     • NERC
     • Presidential decision directive
     • DHS/DOE
     • National Plan to secure cyber space
     • Industry/standards organizations
     • Solution
     • Conduct vulnerability and risk assessment
     • Develop recovery plans
     • Address IT/Operations gap
     • Provide training programs

  10. SCADA Cyber Assessment
     • Test conducted following factory acceptance test
     • Most secure possible case
     • Vendor knew we were coming
     • All patches installed
     • No outside connections
     • Penetration complete within 2 working days

  11. Misidentification
     • Penetration test performed by organization without significant control system expertise
     • Identified unauthorized access of plant DCS Engineer’s Workstation
     • Control system assessment
     • Confirmed identified workstation was not DCS Engineer’s Workstation
     • Additional walkdown identified vulnerabilities not found by traditional penetration testing
     • Non-IP vulnerabilities

  12. Reliability: High Visibility
     • Cyber security/reliability connection
     • Cyber events have impacted reliability of utility control systems
     • Fixes to improve reliability can impact cyber security
     • Control systems role in preventing and/or mitigating future blackouts
     • Solution
     • Include cyber security in reliability upgrades

  13. Example: Substation Automation/EMS Upgrade
     • Includes cyber security considerations
     • Industry proven specifications
     • Remote access
     • Data communications/protocols
     • Vendor access
     • Training

  14. Regulatory compliance
     • Current compliance issues
     • NERC
     • Presidential decision directive
     • AGA
     • EPA
     • Solution
     • Vulnerability and risk assessment
     • Policies and procedures
     • IT strategy and plan

  15. NERC
     • Urgent Action Standard 1200
     • Control Center Only
     • Substantial compliance by March 2004
     • 16 tasks
     • Some require additional work
     • SAR
     • In ballot process
     • Includes power plant controls and substation equipment

  16. Homeland Security Presidential Directive 7 (HSPD-7), December 17, 2003
     • National goal: Protect critical infrastructure from physical and cyber attacks
     • DHS Lead Agency
     • DOE responsible for Energy
     • Require a strategy to identify, prioritize, and coordinate protection of critical infrastructure
     • By July 2004, develop plans for protecting critical infrastructure

  17. Why liability is an issue
     • This is not an unforeseen event
     • Insurance will have exclusions for cyber
     • Insurance may not cover company executives
     • SEC may require status of cyber in filings
     • Solution
     • Perform due diligence
     • Move toward industry accepted program

  18. National SCADA Test Bed
     • Developing new tools
     • Determine vulnerabilities
     • Large scale assessments
     • Testing and validating
     • Industry products
     • Safe and secure test bed
     • Full scale testing
     • Computer controls
     • Communications
     • Field Systems
     • Substations and RTUs

  19. Conclusion
     • Cyber security threats are real
     • Cyber security is not just a regulatory or national infrastructure issue; it makes good business sense
     • Technology will continue to evolve to meet demands for productivity and reliability improvements
     • Security requirements need to keep pace with technology advancements
     • There are workable near-term solutions
     • We need to work toward
     • Addressing the gap between IT and operations
     • Long-term technology changes
