Creating Realistic Cybersecurity Policies


1 Creating Realistic Cybersecurity Policies
David Blanco, SCADA Security Adviser, AUTOSOL Inc

2 Materials
White Paper & Presentation available for download: https://autosoln.com/news-events/cshm-2017/

3 Agenda
Attacks against SCADA
SCADA Security Challenges
Separate SCADA & IT Cyber Policies
SCADA Cybersecurity Policymaking
Questions

4 What kind of attacks are SCADA systems facing?

5 Attacks against SCADA: Increasing trends of attacks
North America has the most SCADA on the Internet
ICS-CERT reported 189 new equipment vulnerabilities
ICS-CERT responded to 295 incidents in 2015
True attack numbers are underreported

6 Attacks against SCADA
Diagram: Corporate Office and Field Offices connected over the Internet through a Firewall & VPN Concentrator to the SCADA Server; links marked as unencrypted or encrypted.

7 Attacks against SCADA: MIT & Kyle Wilhoit Honeypot
28 days
39 attacks
11 countries

8 Attacks against SCADA: MIT & Kyle Wilhoit Honeypot
Death of security by obscurity
Actively hunting
Flank IT

9 Attacks against SCADA
Diagram: same network as slide 6 (Corporate Office, Field Offices, Firewall & VPN Concentrator, SCADA Server; unencrypted and encrypted links), with a Random User added on the Internet.

10 Attacks against SCADA: German Steel Mill
IT to OT
Blocked controllers
Caused explosion

11 Attacks against SCADA: German Steel Mill
Accidental access is very dangerous
Safety logic failed

12 Attacks against SCADA
Diagram: same network as slide 6 (Corporate Office, Field Offices, Firewall & VPN Concentrator, SCADA Server; unencrypted and encrypted links).

13 Attacks against SCADA: Turkish Pipeline Explosion
Valve control
Pipeline over-pressurized
Suppressed alarms to controllers
Deleted logs
$460 million

14 Attacks against SCADA: Turkish Pipeline Explosion
Targeting field equipment
Destruction is the goal
Control is key

15 Attacks against SCADA
Diagram: same network as slide 6 (Corporate Office, Field Offices, Firewall & VPN Concentrator, SCADA Server; unencrypted and encrypted links).

16 Attacks against SCADA: PLC Blaster
Targeting field equipment
Spreads directly between PLCs
Exploits features of the equipment, NOT a vulnerability

17 Attacks against SCADA
What’s the difference between a hack and an accident? Not the results.
Can you prove the difference?
1000+ deaths from SCADA hacking
SCADA hacking is a strategic weapon

18 Why are SCADA attacks able to succeed?

19 SCADA Security Challenges

20 SCADA Security Challenges
Diagram (white paper pg. 5): the relative priority of Availability, Integrity and Confidentiality for SCADA versus IT.

23 SCADA Security Challenges: Legacy Equipment Issues
Older than the attacks
Static defenses against the elements
Not security devices
Vendors are not cyber experts
Features become vulnerabilities

24 SCADA Security Challenges
Safety Logic
Here to protect against automation
Not a cyber defense
Air Gapping
2 million public SCADA IPs
94,000 Modbus devices
“…in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network.”

25 How does all this affect cybersecurity policies?

26 Separate SCADA & IT Cyber Policies

27 Separate SCADA & IT Cyber Policies
IT policy: Regularly apply updates to all servers
SCADA implementation: Hold off on applying updates until a test is run; schedule downtime or a backup server for the update

28 Separate SCADA & IT Cyber Policies
IT policy: Uniformity in hardware & software
SCADA implementation: Assets in the field for over 30 years; diverse because of acquisitions

29 Separate SCADA & IT Cyber Policies
IT policy: Physically restrict access to network equipment
SCADA implementation: Assets geographically diverse; physical security applicable only at some sites

30 Separate SCADA & IT Cyber Policies
Focus on the actionable to achieve the doable
Security comes from good implementation
Do what can be implemented on what can be protected
Cybersecurity policy is an enterprise-wide opportunity

31 Separate SCADA & IT Cyber Policies
SCADA needs to craft its own cybersecurity policies
Understands the business
Understands how policies will impact the business
Knows the ROI for assets
Understands the capabilities of equipment
Knows the risks of hacks
Chart: IT and SCADA placed on a scale labelled None, Vulnerable, Secure.

32 What should a SCADA cybersecurity policy do?

33 SCADA Cybersecurity Policymaking: Blueprints for security
NIST Framework for Improving Critical Infrastructure
No technology specifics
ISA-99 / ISA 62443
1-4 Use Cases, “Planning” phase
4-4 Implementation, “Planning” phase
Move us forward
Ideas to take to the test lab

34 SCADA Cybersecurity Policymaking
Identify strategically important assets
Protect the field equipment
Hackers target the field
Focus on prevention
Can stop damage
No backups
Controlling access = safety

35 SCADA Cybersecurity Policymaking: Deploy Security to the Field
Target of hackers
Rabbit Fence Analogy

36 SCADA Cybersecurity Policymaking
Identify the correct security technology
Design security into the process
Avoid “bolt-on” solutions: easy to implement, hard to defend
How it affects the process is what matters

37 SCADA Cybersecurity Policymaking: Encryption
Process of securely encoding a message
Scales both functionally and technologically
Open source is secured source
Public Key Infrastructure
Data is only valuable if correct

38 SCADA Cybersecurity Policymaking

39 SCADA Cybersecurity Policymaking: Defense in Depth
Firewalls and virus scans
Strategic chokepoint
Deeper OT security
Two-factor authentication
Networking, logs at device level
Extend the life of legacy equipment
Unauthorized PLC-to-PLC communication
Defend against hidden ports
Defend against zero days

40 SCADA Cybersecurity Policymaking: FIPS 140-2
National Institute of Standards and Technology
Communications Security Establishment Canada
Required for “critical” communications by USG
Documented process for security
Certified compliance by third party

41 SCADA Cybersecurity Policymaking
Multi-user tier: Officer and User levels
Encryption: AES 256, RSA 2048
Public Key Infrastructure
Create a security boundary
No backdoors
Clearly enable FIPS mode
No default passwords
New PKI

42 SCADA Cybersecurity Policymaking

43 SCADA Cybersecurity Policymaking: FIPS criticisms
Inhibits development
FIPS prohibits changes to certified models
Restricts innovation
Long development cycles

44 SCADA Cybersecurity Policymaking: FIPS enhances SCADA’s security
Lasts 5 years before renewal
SCADA equipment has no schedule
Validation process changes every year

45 SCADA Cybersecurity Policymaking: FIPS enhances SCADA’s security
Market forces push innovation
Voluntary compliance
Patch vulnerabilities for market access
Stuxnet transmitter example
Committed vendor market

46 SCADA Cybersecurity Policymaking: FIPS enhances SCADA’s legacy security
FIPS market is also a legacy market

47 Conclusion: SCADA needs its own Cybersecurity Policy
Focus on prevention
Defend the field
Encryption enhances security with low impact
FIPS has test-lab-ready devices

48 Please complete your course evaluation online: www.cshmsurvey.com

49 Supplemental Talking Points for Q&A
Link between geopolitics and SCADA hacking
