Securing Industrial Control Systems in the Age of IoT

Size: px

Start display at page:

Download "Securing Industrial Control Systems in the Age of IoT"

Marjory Jackson
6 years ago
Views:

1 Securing Industrial Control Systems in the Age of IoT Jeff Lund October Belden Inc. info.beldon.com/iiot

2 Control System Security Is Gaining Public Recognition 2016 Belden Inc. Inc info.belden.com/iiot 2

3 Control System Security Is Gaining Public Recognition 2016 Belden Inc. Inc info.belden.com/iiot 3

4 Control System Security Is Gaining Public Recognition 2016 Belden Inc. Inc info.belden.com/iiot 4

5 Reported Vulnerabilities & Incidents are Increasing Source: FireEye isight Intelligence 2016 ICS Vulnerability Trend Report 2016 Belden Inc. Inc info.belden.com/iiot 5

6 But ICS Cybersecurity Is Much More than Hackers <10% of issues are related to hackers Most attacks are device or human errors 2016 Belden Inc. Inc info.belden.com/iiot 6

But ICS Cybersecurity Is Much More than Hackers <10% of issues are related to hackers Most attacks are device or human errors ICS cybersecurity is about Improving

7 But ICS Cybersecurity Is Much More than Hackers <10% of issues are related to hackers Most attacks are device or human errors ICS cybersecurity is about Improving system reliability Reducing down time Increasing productivity Decreasing operating costs Ensuring safety 2016 Belden Inc. Inc info.belden.com/iiot 7

reliability Reducing down time Increasing productivity Decreasing operating costs

8 But ICS Cybersecurity Is Much More than Hackers <10% of issues are related to hackers Most attacks are device or human errors ICS cybersecurity is about Improving system reliability Reducing down time Increasing productivity Decreasing operating costs Ensuring safety And protecting from hackers 2016 Belden Inc. Inc info.belden.com/iiot 8

Industrial Systems Bring Unique Security Challenges Most of the devices are preexisting, don t speak IP, use inherently insecure protocols and live in the field for decades Configuration, testing and

9 Industrial Systems Bring Unique Security Challenges Most of the devices are preexisting, don t speak IP, use inherently insecure protocols and live in the field for decades Configuration, testing and maintenance must be done without shutting down the network Patching is usually not practical Active scans can damage systems Systems must keep running even if under attack or impaired 2016 Belden Inc. Inc info.belden.com/iiot 9

10 Real World Example: The Problem Regional wastewater treatment plant Mid-sized city in the Eastern U.S. 24 buildings / 500 pieces of equipment 15 treatment processes 13 million gallons of wastewater daily Runs 24 hours a day every day Little protection or separation of the SCADA network from the city s IT network Even the city s high school students could gain access if they tried 2016 Belden Inc. Inc info.belden.com/iiot 10

reliability by following ISA/IEC 62443 cybersecurity standards Partition into zones; secure through conduits Security

11 The Requirements Protect critical plant infrastructure from malware, traffic storms, errors and attacks Without giving up the ability to share data interdepartmentally or remote support and maintenance capabilities While increasing system reliability by following ISA/IEC cybersecurity standards Partition into zones; secure through conduits Security embedded throughout the system, not just as the perimeter 2016 Belden Inc. Inc info.belden.com/iiot 11

The Approach Engaged ICS security consultant to analyze system and partition into zones per ISA/IEC 62443 cybersecurity standard Each zone protected

changes required to network or subnet addressing Deep Packet Inspection for industrial protocol communications Protects against all malformed packet

12 The Approach Engaged ICS security consultant to analyze system and partition into zones per ISA/IEC cybersecurity standard Each zone protected by a specialized industrial security appliance Field-level firewall Transparent to the network (no IP address) Easy to install, hard to attack No changes required to network or subnet addressing Deep Packet Inspection for industrial protocol communications Protects against all malformed packet attacks even ones that have yet to be discovered Enforces use-case driven security policy 2016 Belden Inc. Inc info.belden.com/iiot 12

13 The Solution: Final Application 2016 Belden Inc. Inc info.belden.com/iiot 13

The Results Tofino Security Appliances were easily wired into the network No disruption to the active network during configuration New system uses custom rules to manage network traffic Tofino

14 The Results Tofino Security Appliances were easily wired into the network No disruption to the active network during configuration New system uses custom rules to manage network traffic Tofino Security Appliances block unneeded/unwanted traffic Protects and strengths system Allows access to all needed business and maintenance information Network is on the forefront of industrial cybersecurity 2016 Belden Inc. Inc info.belden.com/iiot 14

Key Points to Take With You Most IIoT systems are brown field with existing devices using insecure protocols Safety and reliability are job #1 in industrial IoT systems Cyber security has a major

15 Key Points to Take With You Most IIoT systems are brown field with existing devices using insecure protocols Safety and reliability are job #1 in industrial IoT systems Cyber security has a major role to play in ensuring these goals Security is not just perimeter protection or air gaps; security needs to be woven throughout the network fabric 2016 Belden Inc. Inc info.belden.com/iiot 15

16 info.belden.com/iiot Inc Belden Inc.

Introducing the 9202-ETS MTL Tofino industrial Ethernet security appliance

Introducing the 9202-ETS MTL Tofino industrial Ethernet security appliance HAKIM- Sales Engineer 1 Cybersecurity of valuable assets and processes in a wide range of industry verticals, such as: Oil & Gas