Cyber Security for Industrial Control Systems
Introduction
• Infonaligy background
• Overview
2
Crime has changed
• Individual crime was a mugger who could only impact one person at a time
  • High risk of getting caught
  • Relatively small rewards
• Individual crime now is a 15-year-old in Vladivostok hitting tens of millions of people at once
  • Targets can be individuals or companies
  • High monetary rewards
  • Nearly zero chance of repercussions or accountability
• Crime syndicates invest in and develop technology at a higher rate than most industries.
• In either case, you are the prize. Whether you are an individual with high net worth or a company, they are after your money, financial information, or data.
3
Trends
As consultants, we engage with a wide variety of verticals, and see some disturbing trends in Cyber Security today:
• False sense of security
• Treating ICS networks like traditional IT networks
• Gaps in end user education
• Lack of security maturity
4
False sense of security
• A false sense of security can be as bad as no security for a company. Buying a firewall and putting it in the data closet is how many companies deal with security – they look to buy things so they can ‘check the box’.
• Cyber Security is not a static state. You should constantly be preparing your defenses, monitoring for issues, and staying up to date with the daily changes that happen in the world of security.
• Someone in your organization should approach supply chain, physical, and data security with a focused eye on risk.
• Are you staffed for that? This is why Cyber Security companies are popping up everywhere.
5
ICS vs IT
• ICS equipment is much less resilient to ‘normal’ network activity
  • PLCs that run 24x7 when not connected to the network, then flap when connected
  • Unexplained downtime
  • Common penetration testing tools can overwrite PLC firmware
• Well-intentioned people connect ICS systems to IT networks to view reports, remotely connect to PLCs, or just to “get the job done”
  • Either policy does not exist, or employees work around it and do not document
• Is your ICS connected to the Internet?
  • Shodan.io
  • scadahacker.com
6
Vulnerabilities
• https://github.com/hslatman/awesome-industrial-control-system-security
7
Impact
• Whether in Critical Infrastructure or manufacturing, OEMs design ICS equipment to stay up 24x7
• When an issue occurs, you are losing:
  • Safety
  • Money in lost production opportunities
  • Time
8
There are a thousand hacking at the branches of evil to one who is striking at the root.
– Henry David Thoreau
• The threats and risks of Cyber Security are overwhelming.
• Risk-based planning is a proven way to mitigate threats. Don’t be tempted to buy a single product to solve a single problem – spend the time with a security expert to understand the big picture and plan solutions customized to your business needs.
• If someone tells you they can secure your company from 100% of threats, run.
9
Policies, Procedures, Documentation
• Start simply, then schedule annual policy updates.
• Begin by meeting the requirements of any regulatory bodies you fall under, then build from there. Compliance does not equal security.
• If you are not regulated, the CIS / SANS 20 controls are solid templates.
• We work with clients under HIPAA, FINRA, NIST, NERC, and Department of Defense regulations, and bring the best practices from other groups into our clients’ environments when those work best for that organization.
10
Security maturity
• Document your environment – you can’t manage what you don’t control.
• Design your systems for incident response.
• Plan and implement in a way that minimizes operational impact but maximizes security impact. Some operational impact is unavoidable, and people will need to be trained on more secure processes.
• Prepare and document your defenses.
• Plan for an incident BEFORE the incident.
11
Security maturity process example
BASELINE PROACTIVE ENABLED
Password policy
Install or Replace FW
End-user Training
Physical Security Review
Patching/Vulnerability mgmt
Asset Inventory
Software inventory
Policy and Procedure reviews
SSL inspection on F/W
Hardware hardening
Admin Privilege Audits
VPN User Audits
FW monitoring
O365 Threat monitoring
Risk Management
Audit preparation
12
Security Services that provide Intelligence
• Actionable intelligence for your environment.
• Events from a good firewall can be turned directly into tickets for immediate resolution.
• It is a constant battle – and more often than not, we are humans battling against automated scripts that are attacking our organizations.
• Invest in solutions that prevent, not just detect. (NGTP, Gen V)
13
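The two slides above make a pair of practical points: the ICS vs IT slide warns that ordinary IT traffic and scanning tools can knock PLCs over, and this slide says firewall events should flow straight into tickets. The script below is an added example, not Infonaligy's code or any product's feature. It parses constructed firewall log lines, checks every IT-to-ICS flow against a small allow-list (the engineering workstation on the Modbus/TCP and EtherNet/IP ports), raises a ticket for anything else crossing the boundary, and escalates when one IT host sweeps several ports on a single ICS device, which is exactly the pattern that causes the "PLC flap" described earlier. The log format, subnets, addresses, allow-list and thresholds are all assumptions made up for this illustration; a real firewall's syslog fields will differ.

```python
"""Firewall events -> tickets, with an IT/ICS segmentation check.

Added example; every address, subnet, log format and threshold below is
constructed for illustration and is not taken from the presentation.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed network plan: IT users on 10.10/16, the ICS cell on 10.20/16.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
ICS_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed allow-list: only the engineering workstation may reach the ICS
# cell, and only on PLC protocol ports (502 = Modbus/TCP, 44818 = EtherNet/IP).
ALLOWED_IT_TO_ICS = {("10.10.5.20", 502), ("10.10.5.20", 44818)}

# One IT source touching this many distinct ports on one ICS host is treated
# as a port sweep, the kind of activity that makes PLCs flap.
SCAN_PORT_THRESHOLD = 5

# Constructed syslog-style record; real firewalls use different field names.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>TCP|UDP) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    action: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Ticket:
    severity: str
    summary: str
    src: str
    dst: str
    count: int = 1
    first_seen: str = ""
    last_seen: str = ""


def parse_line(line):
    """Return an Event, or None for lines that do not match (never guessed at)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Event(d["ts"], d["action"], d["src"], d["dst"], d["proto"], int(d["dport"]))


def crosses_it_to_ics(ev):
    """True when the flow goes from the IT network into the ICS cell."""
    return ipaddress.ip_address(ev.src) in IT_NET and ipaddress.ip_address(ev.dst) in ICS_NET


def events_to_tickets(lines):
    """Parse log lines and return deduplicated tickets, most severe first."""
    tickets = {}                    # ticket key -> Ticket; repeats bump the count
    ports_seen = defaultdict(set)   # (src, dst) -> distinct ICS ports touched

    def open_ticket(key, severity, summary, ev):
        t = tickets.get(key)
        if t is None:
            tickets[key] = Ticket(severity, summary, ev.src, ev.dst, 1, ev.ts, ev.ts)
        else:
            t.count += 1
            t.last_seen = ev.ts

    for line in lines:
        ev = parse_line(line)
        if ev is None or not crosses_it_to_ics(ev):
            continue                # IT-internal and ICS-internal traffic is out of scope here
        if (ev.src, ev.dport) not in ALLOWED_IT_TO_ICS:
            # Traffic the firewall let through is worse than traffic it blocked.
            sev = "high" if ev.action == "ALLOW" else "medium"
            open_ticket(("segmentation", ev.src, ev.dst, ev.dport), sev,
                        f"Unapproved IT->ICS traffic to port {ev.dport} ({ev.action})", ev)
        ports_seen[(ev.src, ev.dst)].add(ev.dport)
        if len(ports_seen[(ev.src, ev.dst)]) == SCAN_PORT_THRESHOLD:
            open_ticket(("scan", ev.src, ev.dst), "critical",
                        f"Port sweep against ICS host from {ev.src}", ev)
    # "critical" < "high" < "medium" alphabetically, so this sorts by urgency.
    return sorted(tickets.values(), key=lambda t: (t.severity, t.src, t.dst))


# Constructed sample log: an approved workstation, a rogue IT host polling a
# PLC, a sweeping host, IT-internal traffic and one unparseable line.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z fw ALLOW src=10.10.5.20 dst=10.20.1.10 proto=TCP dport=502
2024-03-01T08:00:05Z fw ALLOW src=10.10.7.33 dst=10.20.1.10 proto=TCP dport=502
2024-03-01T08:00:06Z fw ALLOW src=10.10.7.33 dst=10.20.1.10 proto=TCP dport=502
2024-03-01T08:01:00Z fw DENY src=10.10.9.4 dst=10.20.1.11 proto=TCP dport=22
2024-03-01T08:01:01Z fw DENY src=10.10.9.4 dst=10.20.1.11 proto=TCP dport=23
2024-03-01T08:01:02Z fw DENY src=10.10.9.4 dst=10.20.1.11 proto=TCP dport=80
2024-03-01T08:01:03Z fw DENY src=10.10.9.4 dst=10.20.1.11 proto=TCP dport=443
2024-03-01T08:01:04Z fw ALLOW src=10.10.9.4 dst=10.20.1.11 proto=TCP dport=502
2024-03-01T08:02:00Z fw ALLOW src=10.10.1.1 dst=10.10.2.2 proto=TCP dport=445
this line is not a firewall event
"""

if __name__ == "__main__":
    for t in events_to_tickets(SAMPLE_LOG.splitlines()):
        print(f"[{t.severity:8}] {t.src} -> {t.dst}: {t.summary} (x{t.count})")
```

Run on the sample it yields one critical ticket for the sweeping host, a high ticket for each allowed-but-unapproved flow (the rogue poller's two identical events collapse into one ticket with a count of 2) and medium tickets for the denied attempts. The design choice worth copying is the key-based deduplication: a noisy scanner produces a handful of tickets rather than one per packet, which is what makes "events straight into tickets" workable for a small team.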
Timely, actionable reports
14
Visibility into your networks
15
Demonstrations
16
17
Email scams
• People give their email logins away because of social engineering tricks
• No current technical solution for the most clever of these attacks:
  • Sent from valid emails
  • Sent with links that are clean / valid when the emails are sent
  • Sent by the millions to catch as many people as possible before the links are identified as deceptive
• If you use on-site Exchange and no URL filtering, bad links will never be blocked
• Employee education is key
18
Mobile hacking
• Mobile data protection is critical, but currently rarely deployed
• Breaking into the corporate network
• Tracking location
• Stealing email
• Stealing contact lists
• Microphone recordings
• Taking photos
• Stealing passwords
• Intercepting text messages
19
Boot with no password
• A hacker with one local admin password is an immediate and catastrophic risk to all machines that share the same local admin password.
• Unique local admin passwords are a fairly new best practice, but an important one
• $24 on Amazon or free with a Google search. Extremely low barrier to entry with this method.
20
USB Killer
• Quick and painful
• Design flaw in the USB power system that allows this tool to destroy the motherboard in about a second
• Not only computers (laptops, desktops, servers), but think about any public facing devices you have: medical equipment, the USB input on your car stereo, time cards, the computer in the lobby
• Physical access is important in security planning; to counter this threat, we would disable or block USB access on those devices. USB blocks require a key to remove the block.
21
Tactical Wrap up
• Segregate your networks
• Educate users about the WHY so they don’t attempt to work around controls
• Get visibility into your networks
  • You can’t manage what you don’t control
• No shared local admin passwords on IT or ICS systems
• Categorize data that is critical to your company, then focus your security on that data.
• Good backups = no ransomware payouts.
• Don’t ignore physical security
• https://www.dhs.gov/critical-infrastructure-vulnerability-assessments
22
Strategic Wrap up
• Documentation is your friend. Plan the work, work the plan.
• Develop an intelligence plan and put it into practice.
• Trust, but verify your security solutions. Good reports are solid evidence that you are on track.
• Define a formal security education plan for your users – they are the first target of hackers.
• Design your systems for incident response, and develop a plan for when there is an incident.
• Begin to build your security maturity – either with internal resources or with outside expert consultants.
23
More Information
• Cyber Security threats change daily, and mitigating those threats requires trained, dedicated resources. It is difficult for most SMB and small Enterprise organizations to attract and retain those resources, which is what makes a partnership with a focused security organization a good fit for many businesses.
• Many organizations don’t pay attention to security until they have an event that forces them to.
• Infonaligy is here to be your security partner and get you ahead of that curve. If we can be of service, let’s talk. For additional information about Infonaligy services, or to schedule a free one-hour consultation with our CISO, please contact:
Brad Germany
Infonaligy
bgermany@infonaligy.com
469.270.0499
24