Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Critical Infrastructure Security Woes
...and Why it Matters

Webinar
Introduction
Who We Are
Jay Kaplan, CEO & Co-Founder
Julia Yrani, Strategic Alliances Lead
Wesley Wineberg, Security Resea...
Survey Demographics

Industries: Transportation, Healthcare and Public Health, Energy, Water and
Wastewater Systems, Finan...
Survey Findings from an Attacker’s Perspective
What we see:
55% of respondents said
they had no dedicated
security team, a...
Survey Findings from an Attacker’s Perspective

What we see:
Only 33% of respondents
were concerned about weak/
outdated n...
Survey Findings from an Attacker’s Perspective

What an attacker does:
The larger the network, the easier to hack - all la...
Survey Findings from an Attacker’s Perspective
What we see:
Over 60% of respondents
don’t have adequate training,
budget, ...
Solutions

Technology
Connectivity comes with the trade-off of adding a path into an (arguably) impossible to
secure system...
Thank You
Upcoming SlideShare
Loading in …5
×

Synack cirtical infrasructure webinar

552 views

Published on

As presented at this year's RSA Conference, a 2016 survey of critical infrastructure companies and officials demonstrates that this scenario could be reality. Jay and Julia will take you through the spine-chilling specifics of why the nation's critical infrastructure is at an ever increased risk of cyber attacks as hackers make them their prime target.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Synack cirtical infrasructure webinar

  1. 1. Critical Infrastructure Security Woes ...and Why it Matters Webinar
  2. 2. Introduction Who We Are Jay Kaplan, CEO & Co-Founder Julia Yrani, Strategic Alliances Lead Wesley Wineberg, Security Research Engineer What We’ll Cover Critical Infrastructure Sentiment Survey Results briefed during RSA 2016 Technical Deep-dive on Implications Potential Technology and Policy-driven Solutions
  3. 3. Survey Demographics Industries: Transportation, Healthcare and Public Health, Energy, Water and Wastewater Systems, Financial Services Titles: Information Technology / Security / Risk Management, Operations, Engineering
  4. 4. Survey Findings from an Attacker’s Perspective What we see: 55% of respondents said they had no dedicated security team, another 10% have a single dedicated resource. What an attacker sees: A single security person to manage the security of dozens or hundreds of ICS endpoints is going to be ineffective Companies never permit IT to interact with their Process Control Systems. This means that organizations that only have IT security in effect have no SCADA/ICS security. An attacker thus has a very low chance of being detected in most cases as there is simply no one who is handling the security of these systems
  5. 5. Survey Findings from an Attacker’s Perspective What we see: Only 33% of respondents were concerned about weak/ outdated network systems. What an attacker knows: Unlike consumer and business software / systems, SCADA systems are always running software that is years old and does not integrate security patches. Process control systems often have a 30 year lifespan, which also includes the computers and software which run these systems. Reliability is always chosen over frequent updates to systems and software, leaving systems open to vulnerabilities for months and years at a time.
  6. 6. Survey Findings from an Attacker’s Perspective What an attacker does: The larger the network, the easier to hack - all large business networks have been hacked at one point (or are still actively compromised). An attacker can easily pivot to the process control network. They can then steal proprietary data and trade secrets, cause millions of dollars of downtime, or with careful planning, cause irreparable damage to the process control system - both physical and electronic damage. What we see: 67% stated that they have direct connectivity from their corporate network to the internal process control systems 92% admit both inside-out and outside-in connectivity
  7. 7. Survey Findings from an Attacker’s Perspective What we see: Over 60% of respondents don’t have adequate training, budget, systems updates lined up in the near term. What an attacker sees: Essentially, poor training, unpatched systems, and limited budgets all make for an easy to hack target Attackers will always target the weakest systems for compromise first, and then attempt to expand access Attackers are increasingly becoming aware of the fact that critical infrastructure is a poorly secured target
  8. 8. Solutions Technology Connectivity comes with the trade-off of adding a path into an (arguably) impossible to secure system Companies should consider the actual risk they have taken on by adding external connections to process control networks. Technology controls that are possible include “one-way” data transfer appliances, safety systems (which are not network controlled or connected) This comes with additional costs and challenges, but greatly helps to limit likelihood of attack and the impact of a compromise Policy Define and implement policy that requires a more secure architecture across all critical infrastructure industries. This will drive budget towards solving the problem.
  9. 9. Thank You

×