170 likes | 358 Views
Risks to Facilities and Industrial Control Systems Cambridge September 19 th 2014 Dr. Ian Buffey ian.buffey@atkinsglobal.com. Agenda. Personal Introduction What is an Industrial Control System and why should I care? Evolution of control systems and their security
E N D
Risks to Facilities and Industrial Control SystemsCambridge September 19th 2014Dr. Ian Buffeyian.buffey@atkinsglobal.com
Agenda • Personal Introduction • What is an Industrial Control System and why should I care? • Evolution of control systems and their security • Why is ICS Cyber Security difficult? • What do you need to do to make it work? • What impact will quantum technology have on ICS systems?
Personal Introduction • Studied Chemistry and Theoretical Chemistry at Manchester ‘79-85 • Absorption of far IR by water clusters • Quantum mechanics knowledge a little rusty now! • Worked on Industrial Control Systems (ICS) since then • Variety of companies, industries and roles • Main focus on security since 2004
What are Industrial Control Systems and why should I care? • An equation (of sorts) • ICS=SCADA=DCS=OT(Operational Technology)=Any other acronym for a control/automation system • Much of the Critical National Infrastructure (CNI) we rely on daily relies on an ICS e.g. • Power, water, oil and gas, transport, chemicals, pharmaceuticals • Non-CNI too: Breweries, distilleries, chocolate factories, CERN • If the systems controlling these processes stop, everyday life stops with it • We live in an ever more interconnected world • IoT has been developing for a while
Typical (Simplified) ICS Lifecycle 1-2 years 5-15 years
Evolution of Control System Security • Hard to draw a graphic showing steady evolution • Common practice • Firewalls (between IT/OT networks, further segmentation less common) • AV on Windows systems • Less common practice • Centralised alert logging (SEM/SIEM) • Host and/or Network IDS/IPS • System hardening • Configuration monitoring/management(including patches/updates) • Application whitelisting or other software controls • Network Access Control (NAC) • Accurate network architecture drawings and inventories • Strong governance, policies, training • More...
So what has been achieved? • The short answer: “It’s patchy.” • Security is not the new safety • Coffee cups and hand rails • Some companies have good programmes in place • What does ‘good’ look like? • Security (especially architecture) has evolved over time • Budget for security (time as well as products) is available annually • There are staff who have security as at least a part of their ‘day job’ • Incidents detected, responded to, reported on, lessons are learned
Indications that all is not well • Security is not part of the ‘day job’ • Relying on heroic efforts • Lack of involvement from stakeholders • Security which is difficult to use or gets in the way • Anything which slows down operator actions is a risk • Lack of security awareness amongst ‘users’
Why is ICS Cyber Security so difficult? • System longevity, diversity and complexity • Threat landscape evolves more quickly than systems • Requirement evolution • Ecosystem complexity • Business justification/ROI
Requirement Evolution http://www.controlengeurope.com/article/46335/SCADA-virtualisation-delivering-real-benefits-.aspx http://www.controlengeurope.com/article/46490/Mobile-SCADA-increases-staff-efficiency-in-logistics-operation-by-15--and-cuts-support-call-costs-by-60-.aspx • Systems have many new requirements in their lifetimes • Today’s systems will likely have to cope with • Wireless, Mobile devices, Virtualization, Cloud • Other things nobody has thought of yet
ICS Cyber Security Ecosystem • System Operators • System Engineers • Instrument Technicians • Corporate IT • Vendors • System Integrators • Outsource Providers • Communication suppliers • Management/Investors • Academia • 11 UK universities • RITICS • Government • Standards bodies • Consumers
Business justification/ROI 1. http://www.bbc.co.uk/news/technology-26358042 • Notoriously difficult • Risk quantification very difficult • Energy companies denied insurance cover1 • Few attacks are ICS specific and fewer still aim to cause physical damage • Arguably Stuxnet is the only example • Google “To kill a centrifuge” to learn more about Stuxnet • Leaning heavily on FUD may have caused damage here • However, a single cyber event can easily cost more than several years’ security expenditure
What needs to be done to secure ICS? • NIST think they have the answer • Framework for Improving Critical Infrastructure Cybersecurity – 1.0 Feb 2014 • Seems abstract unless you’ve been through the pain • C2M2 – Cybersecurity Capability Maturity Model • Understand that governance, training and behavioural issues are as important as technology • ‘Mind the Gaps’ • Integration with physical, personnel and traditional IT security is vital • Security needs to be simple or invisible at point of use • Learn through other people’s successes and failures across multiple verticals and geographies
Quantum technology and ICS systems • Threat to PKI and possible alternative of QKD will impact ICS • PKI may be dead at just about the time it is fully embraced by ICS • SCADA in the cloud is on its way • Quantum clocks could remove the reliance of ICS on GPS/NTP/radio clocks • Anything else?