1.
Critical Infrastructure Security Woes
...and Why it Matters
Webinar

2.
Introduction
Who We Are
Jay Kaplan, CEO & Co-Founder
Julia Yrani, Strategic Alliances Lead
Wesley Wineberg, Security Research Engineer
What We’ll Cover
Critical Infrastructure Sentiment Survey Results briefed during RSA 2016
Technical Deep-dive on Implications
Potential Technology and Policy-driven Solutions

3.
Survey Demographics
Industries: Transportation, Healthcare and Public Health, Energy, Water and
Wastewater Systems, Financial Services
Titles: Information Technology / Security / Risk Management, Operations,
Engineering

4.
Survey Findings from an Attacker’s Perspective
What we see:
55% of respondents said
they had no dedicated
security team, another
10% have a single
dedicated resource.
What an attacker sees:
A single security person to manage the security of
dozens or hundreds of ICS endpoints is going to
be ineffective
Companies never permit IT to interact with their
Process Control Systems. This means that
organizations that only have IT security in effect
have no SCADA/ICS security.
An attacker thus has a very low chance of being
detected in most cases as there is simply no one
who is handling the security of these systems

5.
Survey Findings from an Attacker’s Perspective
What we see:
Only 33% of respondents
were concerned about weak/
outdated network systems.
What an attacker knows:
Unlike consumer and business software / systems,
SCADA systems are always running software that
is years old and does not integrate security
patches.
Process control systems often have a 30 year
lifespan, which also includes the computers and
software which run these systems.
Reliability is always chosen over frequent updates to
systems and software, leaving systems open to
vulnerabilities for months and years at a time.

6.
Survey Findings from an Attacker’s Perspective
What an attacker does:
The larger the network, the easier to hack - all large
business networks have been hacked at one point
(or are still actively compromised).
An attacker can easily pivot to the process control
network.
They can then steal proprietary data and trade secrets,
cause millions of dollars of downtime, or with
careful planning, cause irreparable damage to the
process control system - both physical and
electronic damage.
What we see:
67% stated that they have direct
connectivity from their
corporate network to the
internal process control
systems
92% admit both inside-out and
outside-in connectivity

7.
Survey Findings from an Attacker’s Perspective
What we see:
Over 60% of respondents
don’t have adequate training,
budget, systems updates
lined up in the near term.
What an attacker sees:
Essentially, poor training, unpatched systems, and
limited budgets all make for an easy to hack target
Attackers will always target the weakest systems for
compromise first, and then attempt to expand
access
Attackers are increasingly becoming aware of the fact
that critical infrastructure is a poorly secured
target

8.
Solutions
Technology
Connectivity comes with the trade-off of adding a path into an (arguably) impossible to
secure system
Companies should consider the actual risk they have taken on by adding external
connections to process control networks.
Technology controls that are possible include “one-way” data transfer appliances,
safety systems (which are not network controlled or connected)
This comes with additional costs and challenges, but greatly helps to limit likelihood of
attack and the impact of a compromise
Policy
Define and implement policy that requires a more secure architecture across all critical
infrastructure industries. This will drive budget towards solving the problem.

9.
Thank You