Presentation Transcript


  1. Risks to Facilities and Industrial Control Systems
     Cambridge, September 19th 2014
     Dr. Ian Buffey, ian.buffey@atkinsglobal.com

  2. Agenda
     • Personal Introduction
     • What is an Industrial Control System and why should I care?
     • Evolution of control systems and their security
     • Why is ICS Cyber Security difficult?
     • What do you need to do to make it work?
     • What impact will quantum technology have on ICS systems?

  3. Personal Introduction
     • Studied Chemistry and Theoretical Chemistry at Manchester ‘79-85
       • Absorption of far IR by water clusters
       • Quantum mechanics knowledge a little rusty now!
     • Worked on Industrial Control Systems (ICS) since then
       • Variety of companies, industries and roles
     • Main focus on security since 2004

  4. What are Industrial Control Systems and why should I care?
     • An equation (of sorts)
       • ICS = SCADA = DCS = OT (Operational Technology) = Any other acronym for a control/automation system
     • Much of the Critical National Infrastructure (CNI) we rely on daily relies on an ICS, e.g.
       • Power, water, oil and gas, transport, chemicals, pharmaceuticals
       • Non-CNI too: breweries, distilleries, chocolate factories, CERN
     • If the systems controlling these processes stop, everyday life stops with it
     • We live in an ever more interconnected world
       • IoT has been developing for a while

  5. How does ICS work?
     (diagram slide; no transcript text)

  6. Evolution of Control Systems
     (diagram slide; no transcript text)

  7. Typical (Simplified) ICS Lifecycle
     (diagram slide; recoverable labels: 1-2 years, 5-15 years)

  8. Evolution of Control System Security
     • Hard to draw a graphic showing steady evolution
     • Common practice
       • Firewalls (between IT/OT networks; further segmentation less common)
       • AV on Windows systems
     • Less common practice
       • Centralised alert logging (SEM/SIEM)
       • Host and/or Network IDS/IPS
       • System hardening
       • Configuration monitoring/management (including patches/updates)
       • Application whitelisting or other software controls
       • Network Access Control (NAC)
       • Accurate network architecture drawings and inventories
       • Strong governance, policies, training
       • More...

  9. So what has been achieved?
     • The short answer: “It’s patchy.”
     • Security is not the new safety
       • Coffee cups and hand rails
     • Some companies have good programmes in place
     • What does ‘good’ look like?
       • Security (especially architecture) has evolved over time
       • Budget for security (time as well as products) is available annually
       • There are staff who have security as at least a part of their ‘day job’
       • Incidents are detected, responded to and reported on, and lessons are learned

  10. Indications that all is not well
     • Security is not part of the ‘day job’
     • Relying on heroic efforts
     • Lack of involvement from stakeholders
     • Security which is difficult to use or gets in the way
       • Anything which slows down operator actions is a risk
     • Lack of security awareness amongst ‘users’

  11. Why is ICS Cyber Security so difficult?
     • System longevity, diversity and complexity
     • Threat landscape evolves more quickly than systems
     • Requirement evolution
     • Ecosystem complexity
     • Business justification/ROI

  12. Requirement Evolution
     • Systems have many new requirements in their lifetimes
     • Today’s systems will likely have to cope with
       • Wireless, mobile devices, virtualization, cloud
       • Other things nobody has thought of yet
     References:
       http://www.controlengeurope.com/article/46335/SCADA-virtualisation-delivering-real-benefits-.aspx
       http://www.controlengeurope.com/article/46490/Mobile-SCADA-increases-staff-efficiency-in-logistics-operation-by-15--and-cuts-support-call-costs-by-60-.aspx

  13. ICS Cyber Security Ecosystem
     • System Operators
     • System Engineers
     • Instrument Technicians
     • Corporate IT
     • Vendors
     • System Integrators
     • Outsource Providers
     • Communication suppliers
     • Management/Investors
     • Academia
       • 11 UK universities
       • RITICS
     • Government
     • Standards bodies
     • Consumers

  14. Business justification/ROI
     • Notoriously difficult
     • Risk quantification very difficult
       • Energy companies denied insurance cover [1]
     • Few attacks are ICS specific and fewer still aim to cause physical damage
       • Arguably Stuxnet is the only example
       • Google “To kill a centrifuge” to learn more about Stuxnet
     • Leaning heavily on FUD may have caused damage here
     • However, a single cyber event can easily cost more than several years’ security expenditure
     [1] http://www.bbc.co.uk/news/technology-26358042

  15. What needs to be done to secure ICS?
     • NIST think they have the answer
       • Framework for Improving Critical Infrastructure Cybersecurity – 1.0, Feb 2014
       • Seems abstract unless you’ve been through the pain
     • C2M2 – Cybersecurity Capability Maturity Model
     • Understand that governance, training and behavioural issues are as important as technology
     • ‘Mind the Gaps’
       • Integration with physical, personnel and traditional IT security is vital
     • Security needs to be simple or invisible at point of use
     • Learn through other people’s successes and failures across multiple verticals and geographies

  16. Quantum technology and ICS systems
     • Threat to PKI and the possible alternative of QKD will impact ICS
       • PKI may be dead at just about the time it is fully embraced by ICS
       • SCADA in the cloud is on its way
     • Quantum clocks could remove the reliance of ICS on GPS/NTP/radio clocks
     • Anything else?

  17. Questions?
     Dr. Ian Buffey, ian.buffey@atkinsglobal.com
