SANS SCADA and Process Control Europe, Rome 2011
Ian Buffey, Director International Services, Industrial Defender
ibuffey@industrialdefender.com
A Holistic Approach
Planning, training and governance
- Cybersecurity procedures and equipment should be looked on in the same way as other safety technology: think fire extinguishers, pressure release valves
- This needs to be a cross department/cross disciplinary effort involving operators, ICS owners, corporate IT, CIOs/CISOs and others
- Plan for when you have an incident, not if
Systematic design and deployment of technology
- Defence in depth
- Incorrectly configured technology can be useless, e.g. a firewall converted to a router by an ANY<->ANY rule
Sustaining Effort
- Think from the start who is going to monitor and maintain the technology and sustain the process
- Rome wasn't built in a day!
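The ANY<->ANY misconfiguration mentioned above can be caught by a rule-table audit. The following is an added example, not part of the original slides or any vendor product: the rule format, zone names and ports are constructed for illustration, and first-match rule evaluation is assumed.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    order: int      # evaluation order; first matching rule wins (assumption)
    action: str     # "permit" or "deny"
    src: str        # zone name or "any"
    dst: str        # zone name or "any"
    service: str    # e.g. "tcp/502" or "any"

def covers(a, b):
    """True if field value a matches everything that b matches."""
    return a == ANY or a == b

def shadows(earlier, later):
    """True if every packet matching `later` already matches `earlier`."""
    return (covers(earlier.src, later.src) and covers(earlier.dst, later.dst)
            and covers(earlier.service, later.service))

def audit(rules):
    """Return (ANY<->ANY permit rules, unreachable rules, effective default deny)."""
    ordered = sorted(rules, key=lambda r: r.order)
    any_any = [r.order for r in ordered if r.action == "permit"
               and (r.src, r.dst, r.service) == (ANY, ANY, ANY)]
    dead = [r.order for i, r in enumerate(ordered)
            if any(shadows(e, r) for e in ordered[:i])]
    last = ordered[-1] if ordered else None
    default_deny = (last is not None and last.action == "deny"
                    and (last.src, last.dst, last.service) == (ANY, ANY, ANY)
                    and last.order not in dead)
    return any_any, dead, default_deny

# Constructed sample rule sets; zone names and ports are illustrative only.
WEAK = [
    Rule(10, "permit", "enterprise", "dmz", "tcp/443"),
    Rule(20, "permit", ANY, ANY, ANY),          # the ANY<->ANY rule
    Rule(30, "permit", "dmz", "control", "tcp/502"),
    Rule(40, "deny", ANY, ANY, ANY),
]
HARDENED = [r for r in WEAK if r.order != 20]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(rules))
```

In the weak set, rule 20 makes the specific permit and the final deny unreachable, so the device forwards everything; removing it restores an effective default deny.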
Fleet wide rollouts
- Determine criticality of assets, e.g. Critical, Important, Supportive
- Determine appropriate level of monitoring/protection for each site
- Define an architecture which is applicable to each/most sites
- Most companies (and even sites) have a wide range of control systems
- Define a business process to get repeatability and efficiency
Fleet Wide Rollout Process
- Initial Site Contact
- Site Audit/Assessment/Discovery
- Create Installation Plan
- Installation
- Post Installation Wrap Up
- Handover of responsibility for maintenance
Go with Experience!
When dealing with Mission Critical Systems, partner with someone who's done it before successfully!
Security Maturity Evolution in Industrial Control
[Chart: Technology Sophistication plotted against time, 2003 / 2005 / 2007 / 2009 / 2011]
Firewalls
- Business connectivity
- Locks on the Door
Intrusion Detection
- Network Based
- Host Based
- Known Bad
- Industrial Protocols
- Alarm Sensors
Event Monitor
- Central Logging
- Monitor and respond
- Alert on Events of interest
- Log everything and apply forensics
- Incident Management
- Flight recorder
Intrusion Prevention
- Network Based
- Host Based
- Deep packet inspection
- Known Bad signatures
- Known Good Signatures
- Whitelisting
- System hardening
- System locked down
Security Management
- Automates manual process
- Enforces policy, process & procedures
- Leverages baselines
- Manages changes
- Audit reporting
- Continuous assessments
- Attestation data
- Doing it and Proving you are doing it
Cyber Threats, Mitigation and Compliance for the Evolving Electric Power System
What Will the Future Bring?
- More Technologies on the Plant Floor
  - Wireless
  - Mobile Devices
  - Virtualization
  - Other things we haven't even thought of yet
- New threats and Security Technology, e.g. mobile devices!
- Security Thinking and Technology will need to be updated during the lifetime of any ICS (often over 10 years)
- Management of Technology will be key
Actually it's Happening now
http://www.controlengeurope.com/article/46335/scada-virtualisation-delivering-real-benefits-.aspx
http://www.controlengeurope.com/article/46490/mobile-scada-increases-staff-efficiency-in-logisticsoperation-by-15--and-cuts-support-call-costs-by-60-.aspx
http://www.processonline.com.au/case_studies/45802-wireless-lan-system-at-petrochemical-plant
Mobile Apps for PLC monitoring?
You don't want to end up here!
[Network architecture diagram: Internet, Site Office Network (Office PCs) and Enterprise Network; DMZ with Web Server, Remote Access etc.; Industrial Defender Compliance Manager, SEM, HIPS Manager, UTM and NIDS (traffic and device monitoring); Operator Workstations and Engineering Workstation; Redundant Client Server Network with DCS Server, Historian, Domain Controller and Other App Server; Redundant Control Network with Controllers; Wireless Access Point and smart phone/tablet]
ICS Security Standards in Europe
- Single Standard in Europe across multiple verticals?
- Mandatory?
- European Standards per vertical?
- Like NERC CIP/CFATS
- Voluntary adoption of standards
- Company wide standards based on existing standards like ISA99 (and lots more)
- Creates basis for auditability
- Allows ROI calculation to a degree