Time Traveling: Adapting Techniques from the Future to Improve Reliability
Jacob Kitchel
January 14, 2014
Bio
Present:
Security Architect at Exelon

Past:
Security & Compliance at Industrial Defender
ICS Risk Assessment (PT, VA, etc.)
Application Security research (Project Basecamp)

Enterprise Security Operations & Monitoring
Speaker (S4, EnergySec, ISA, API IT Security)
Hilarious LinkedIn Endorsements

Presentation Title
Abstract
Technology in ICS environments lags the Enterprise by 10-15 years. This often
leads to ICS companies having to stand by while other, more nimble institutions
are able to take advantage of new technology. What few people realize is that
our industry gets to watch the future happen out on the Internet and then pick
and choose the best techniques to adapt and bring back in time.

How far have we come?
We have:
• Compliance
• Incidents?
• Specialization

• Conferences
• Big Headlines?
• A LOT of vulnerabilities

Where has it gotten us?

Here we are:
• Multiple revisions of compliance requirements
• Basic improvements in security monitoring
• SOME patching happens

What is working against us?

Mountains or mole hills?
• Refresh cycles
• “If it isn't broken, don't fix it”
• Skill set(s)
• Unknown unknowns
• Security v. Operations
• Budgets & time

Progress is sloooooowwwww….

What to do?
• Where do operations goals and security goals intersect?
• What is the lowest common denominator?

• What can have an impact?

It's all about the customer…
If you aren't solving customer pain, then you aren't doing anything

It's about the customer

Operations
• Safety
• Reliability
• Uptime

Customer

Security
• Security
• Compliance
• Vulnerabilities

Where do these two areas intersect?

Where do Security and Operations Intersect?
• Patching
• Change Management

• Configuration Management

In other words…
• Time-intensive
• Error-prone
• High-risk activities

Solving “Customer” problems lets you solve security
How can we do that?

Take a step back…to the future!

How?
How can we:
• Reduce time commitments required
• Reduce errors
• Reduce risk

Has anyone solved this problem before?
Is there anyone that “looks” like us?

Know any of these names?

Internet-scale companies
• Millions of customers, world-wide
• High-availability, (near) zero downtime

• Complacency is death
• Some of the brightest minds >40
• Solving scale and complexity problems that we can barely imagine
• Leveraging software and hardware to dynamically define environments

• Have to be reliable and fast

How are they doing this?
They are doing it CONTINUALLY.

Continuous Delivery:
Changes to your environment are proven to be deployable with predictable results

But you say, “There's a catch!”
Continuous Delivery was popularized by Internet companies!
Internet companies deliver software and/or services as their products!

They're not like us! We have a physical process!
Etc, etc, etc…

Guess What?
Continuous Delivery is a collection of tools and processes – tools and
processes that you use to focus your ability to deliver your physical
process
Hint: You're not getting off that easy! ;)

What does this mean to us?
• Major reduction in time and effort to push changes

What would a major time/effort reduction mean to
your operations?
• 500hr task takes 5 hours or 5 minutes?
• 40hr task takes 4hr or 4 minutes?
• How many times do all of your tasks get repeated annually?

• What if you could save half of that time and effort?

How do we get there?
Automation Automation Automation Automation Automation Automation
Automation Automation Automation Automation Automation Automation
Automation Automation Automation Automation Automation Automation
Automation Automation Automation Automation Automation Automation
Automation Automation Automation Automation Automation Automation
Automation Automation Automation Automation Automation Automation
Automation Automation Automation Automation Automation Automation
Automation Automation Automation Automation Automation Automation
Automation Automation Automation Automation Automation Automation
Automation Automation Automation Automation Automation Automation
Automation Automation Automation Automation Automation Automation
Automation Automation Automation Automation Automation Automation
Automation Automation Automation Automation Automation Automation

Continuous Delivery in Practice
How do you move a mountain?

First steps first
• Follow your build/development process & write it all down
• What takes the most time?
• What tasks are the most error-prone?
• What tasks require the most human intervention?
  – Automate these tasks FIRST!
• What tasks cause headaches or are time sinks?
  – Automate these next!

Facilitate Adoption
• Put everything into version control
• Add tests to verify that changes work

• Manage servers with configuration management tools
• Monitor EVERYTHING

Tools
• Software-defined infrastructure
• Code Review
• Monitoring
• Configuration Management
• Continuous Integration
• Orchestration
• Version Control
• Dashboards

End Goal
• Quality
• Reliability
• Speed

Tool Specific Information

Software-defined Infrastructure
Tool example:
• Quali Systems TestShell

How to apply:
• Define common network architecture and system objects
• Create test topology
• Run tests and see what breaks, verify what works

Version Control
Tool examples:
• Git
• SVN
• CVS

How to apply:
• Track versions of clear-text configuration files
• Firewall, switch, router configuration files
• Application configuration files

Configuration Management
Tool examples:
• Puppet
• Chef
• Ansible
• Salt
• Microsoft SCCM

How to apply:
• Store all configurations in management tool
• As machines run, configuration management tool ensures declared configuration

Orchestration
Tool examples:
• Puppet
• Chef
• Mcollective
• Ansible
• Capistrano
• WinRM

How to apply:
• Determine order of components
• Leverage tools to operate, deploy, and automatically configure systems in proper order

Virtualization
Tool examples:
• Most common tool here is VMware and is likely your vendor's approved virtualization provider

How to apply:
• Mirror Dev, Test, and Production environments
• Bonus: backup/redundant assets
• Can begin to act as a “do over” button

Metrics & Dashboards
Tool examples:
• Logstash
• Graphite
• Nagios
• Cacti

How to apply:
MONITOR EVERYTHING

Continuous Delivery tool
Tool example:
• Thoughtworks Go

How to apply:
• Automate and streamline the build-test-release cycle

Automated Testing
Tool examples:
• Thoughtworks Twist
• BDD/TDD tools

How to apply:
• Write tests to verify functionality
• Run tests automatically every time new code, features, or configuration changes are made
