Process Control Cyber Security

668 views
463 views

Published on

Presented @ Saudi Aramco Global Reliability Forum 2013
Houston, TX, June 19-20, 2013

The only totally secure system is one that is shutoff, unplugged, and locked in a completely sealed box. Security is a balancing act of managing risk and maintaining operations. Too little security and the system may become compromised. Too much security may affect core system functionality, usability, or reliability. Finding the right level of security for a particular system may seem like a daunting task for many industrial control system vendors, integrators, and end-users.

There are many different aspects to security and there is no single countermeasure that will work in all situations. This talk will discuss some of the different aspects to security and discuss how some of the more common countermeasures may affect the overall reliability of the system.

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
668
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
40
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Process Control Cyber Security

  1. 1. Process Control Cyber Security Jim Gilsinn Senior Investigator Kenexis Security Consulting
  2. 2. Before we start… • Who wants a process that they can say is secure? 2
  3. 3. Before we start… • Who wants a process that they can say is secure? • Who wants a process that does what its expected to do, when and for who its expected to do it, and for the purposes it was designed? 3
  4. 4. Before we start… • Who wants a process that they can say is secure? • Who wants a process that does what its expected to do, when and for who its expected to do it, and for the purposes it was designed? 4
  5. 5. Safety Performance Security 5
  6. 6. Safety RELIABILITY Performance Security 6
  7. 7. Selected Aspects of Security • Risk Management • Network Segmentation • Monitoring 7
  8. 8. Risk Management • Risk management is nothing new – Safety, financial, physical security have all been around for a long time • Cyber security should not try to reinvent the wheel 8
  9. 9. Risk Management • Brown Field – Probably have some risk management and treatment in place – Security should feed into existing risk management process, not be a separate entity • Green Field – Security should be part of the process from the beginning 9
  10. 10. Risk Management • Consequences are generally the same – Many times they are already identified – Difference comes about due to root cause • Expand to include areas where: – People don’t act as they are supposed – Devices don’t act as they are designed • Be wary of statements like “Well, that could never happen” and “Why would anyone do that”. 10
  11. 11. Network Segmentation • Network segmentation as a security technique: – Prevents the spread of an incident – Provides a front-line set of defenses • Network segmentation is a lot more! 11
  12. 12. Network Segmentation • Network segmentation is a process to understand: – What devices communicate – How fast/often those devices communicate – Where information flows – What form that information takes • Technology helps, but architecture is more important 12
  13. 13. Network Segmentation • Limit the ingress and egress points through zone boundaries • Protect the connections between zones • Zones & conduits are logical – For practical purposes, match zones to network architecture as much as possible 13
  14. 14. Network Segmentation 14
  15. 15. Monitoring • Do any of these sound familiar? – It used to work. – Something just seems to have failed. – Not really sure what happened. – Don’t do anything to that system over there, its touchy. – This system is just so slow. 15
  16. 16. Monitoring • Monitoring is extremely important – Firewalls are good, but useless if you aren’t monitoring the rules and logs – IDS are useful (if monitored). Not many are industrial aware, but can be trained. – Network performance indicators can give early indications of something failing 16
  17. 17. Performance Monitoring • Monitoring isn’t just for security • Performance can be a leading indicator – Small blips in performance can indicate unusual activity • Helps to eliminating false-positives 17
  18. 18. Performance Monitoring 2 ms Mean Measured Packet Interval ~ 0.8 ms Jitter 18
  19. 19. Performance Monitoring 2 ms Mean Measured Packet Interval -0.8 ms to +2.2 ms Jitter 19
  20. 20. Performance Monitoring 50 ms Mean Measured Packet Interval Bimodal (25 ms & 75 ms) with Outliers (100 ms) 20
  21. 21. Looking Forward • Vulnerabilities • Whitelisting 21
  22. 22. Vulnerabilities • Vulnerabilities will always exist in the industrial environment – Zero-day vulnerabilities are inevitable – Infinite-day vulnerabilities are not uncommon – Industrial protocols themselves are vulnerable • Well-crafted malware can exist for months or years before detected • Do vulnerabilities mean bad things will happen? 22
  23. 23. Whitelisting • Limits execution on a computer – Known good set of applications and libraries – Monitors applications and memory-space against changes • Has been around for a while • Makes sense for industrial environment where things remain relatively static • Not a silver bullet! 23
  24. 24. Contact Information • Jim Gilsinn Senior Investigator Kenexis Security Consulting • http://www.kenexis.com • (614) 323-2254 • @JimGilsinn 24

×