1 / 21

Why Control System Cyber-Security Sucks… Me waiting for a change of paradigm.

Why Control System Cyber-Security Sucks… Me waiting for a change of paradigm. Attackers’ advantage: There is no 100% security They choose time, place, method Defenders’ dilemma: Need to protect against all Lack of money/resources/networks ( Int’l ) Law always a step behind.

yardley
Download Presentation

Why Control System Cyber-Security Sucks… Me waiting for a change of paradigm.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. WhyControl System Cyber-SecuritySucks… Me waiting for a change of paradigm.

  2. Attackers’ advantage: • There is no 100% security • They choose time, place, method • Defenders’ dilemma: • Need to protect against all • Lack of money/resources/networks • (Int’l) Law always a step behind Attack vs. Defense

  3. Overview

  4. (R)Evolution of Control Systems

  5. Industrial control systems and the role of corporate ITDr. Stefan.Lueders@cern.ch Cyber Defence Summit, March 4th-5th 2013, Muscat (OMAN) (R)Evolution of Control Systems

  6. Pandora’s box is open!

  7. PC-Level: • Infiltration of plant • Infection of PC • Reconnaissance for target • PLC-Level: • Manipulation of communication • Fingerprinting of PLC • Reconfiguration of PLC • Obscuring communication • Process-Level: • Sabotage of process Stuxnet (2010)

  8. Towards a New Threat Vector

  9. The Lack of Patching

  10. Safety! • Needs heavy compliancetesting (vendor & utility) • Potential loss of guarantees& certification (e.g. SIL) • Availability: • Rare maintenance windows • Legacy: • Old or embedded devices • Integrity: • S/W development live-cycles • Thorough regression testing • Nightly builds • Full configuration management • Availability: • Redundancy & virtualization • Legacy: • (rare) The Problem of Patching

  11. The Lack of Access Controls

  12. Safety! • Access must always be guaranteed • Shared accounts • Encryption too “heavy” • Legacy: • Default passwords • Undocumented backdoors • Impossible IdM integration • No ACLs, iptables, etc. • Security: • Split of AuthN & AuthZ • SSO, LDAP & AD • Kerberos, x509 & 2-factor AuthN • Legacy: • (rare) The Problem of Access Control

  13. The Lack of Robustness

  14. Robustness: • Use-cases, not abuse-cases • Not always compliant to standards • No certification (yet?) • Security: • Not integral part……or through obscurity • Low priority, low knowledge • Unwillingness to share incidents… • Robustness: • (“Externally sponsored”)penetration testing &vulnerability scanning • Security: • Decades ofexperience & knowledge • CSIRT: Protection,detection & response • Responsible disclosure The Problem of Robustness

  15. Do you have followed appropriate training incl. on security paradigms? employed a version control system for your software and configuration? considered standard IT technologies offered by your IT department (e.g. DBs, web servers)? populated an inventory of all devices, accounts, applications, … as well as a list of their dependencies (e.g. NTP)? deployed an independent test system you can tamper with? conducted a penetration test to see whether your equipment is sufficiently robust? changed all defaults (passwords!) and removed unnecessary functionality? established procedures for applying timely software updates? agreed on a contingency plan in case your system fails? 10 Questionsto YOU

  16. PCS are (still) not designed to be secure.They fulfil use-cases and also abuse cases. Defence-in-Depth is the key.Make security part as functionality, usability,availability, maintainability, performance! Align Control System Cyber-Security with IT security!Patch procedures, access protection, robustness,certification & documentation need significant improvement. Hack the box! Buy any PCS on eBay and throw your favourite pen suite at it.Push vendors & start responsible disclosure …and please do not use this presentation as an excuse to do nothing  !!! Summary

  17. Literature

More Related