agenda
DESCRIPTION
Risks to Facilities and Industrial Control Systems Cambridge September 19 th 2014 Dr. Ian Buffey [email protected]. Agenda. Personal Introduction What is an Industrial Control System and why should I care? Evolution of control systems and their security - PowerPoint PPT PresentationTRANSCRIPT
Risks to Facilities and Industrial Control SystemsCambridge September 19th 2014
Dr. Ian [email protected]
Agenda
● Personal Introduction● What is an Industrial Control System
and why should I care?● Evolution of control systems and their
security● Why is ICS Cyber Security difficult?● What do you need to do to make it
work?● What impact will quantum technology
have on ICS systems?
Personal Introduction
● Studied Chemistry and Theoretical Chemistry at Manchester ‘79-85– Absorption of far IR by water clusters
● Quantum mechanics knowledge a little rusty now!
● Worked on Industrial Control Systems (ICS) since then– Variety of companies, industries and roles
– Main focus on security since 2004
4
What are Industrial Control Systems and why should I care?
• An equation (of sorts)• ICS=SCADA=DCS=OT(Operational Technology)=Any other
acronym for a control/automation system
• Much of the Critical National Infrastructure (CNI) we rely on daily relies on an ICS e.g.
• Power, water, oil and gas, transport, chemicals, pharmaceuticals
• Non-CNI too: Breweries, distilleries, chocolate factories, CERN
• If the systems controlling these processes stop, everyday life stops with it
• We live in an ever more interconnected world• IoT has been developing for a while
5
How does ICS work?
Evolution of Control Systems
1985 – Systems mostly bespoke, running on obscure OS, isolated
1990 – COTS now significant. Drive for OT/IT connectivity.
1995 – Windows NT 3.51/4 makes it a serious contender. IP for connectivity.
2000 – Windows established. Increasing commoditization.
Post 9/11 – Realization of the criticality and vulnerability of ICS
Typical (Simplified) ICS Lifecycle
Initial specification /
vendor selection
Detailed Design
Build (inc factory test)
Commissioning (on site)
Run and maintain ‘Refresh’
1-2 years5-15 years
Evolution of Control System Security
● Hard to draw a graphic showing steady evolution● Common practice– Firewalls (between IT/OT networks, further segmentation less common)
– AV on Windows systems
● Less common practice– Centralised alert logging (SEM/SIEM)
– Host and/or Network IDS/IPS
– System hardening
– Configuration monitoring/management(including patches/updates)
– Application whitelisting or other software controls
– Network Access Control (NAC)
– Accurate network architecture drawings and inventories
– Strong governance, policies, training
– More...
So what has been achieved?
● The short answer: “It’s patchy.”● Security is not the new safety
● Coffee cups and hand rails
● Some companies have good programmes in place
● What does ‘good’ look like?– Security (especially architecture) has
evolved over time
– Budget for security (time as well as products) is available annually
– There are staff who have security as at least a part of their ‘day job’
– Incidents detected, responded to, reported on, lessons are learned
Indications that all is not well
● Security is not part of the ‘day job’● Relying on heroic efforts● Lack of involvement from
stakeholders● Security which is difficult to use or
gets in the way– Anything which slows down operator actions
is a risk
● Lack of security awareness amongst ‘users’
Why is ICS Cyber Security so difficult?
● System longevity, diversity and complexity– Threat landscape evolves more quickly than
systems
● Requirement evolution● Ecosystem complexity● Business justification/ROI
Requirement Evolution
● Systems have many new requirements in their lifetimes
● Today’s systems will likely have to cope with– Wireless, Mobile devices, Virtualization,
Cloud
– Other things nobody has thought of yet http://www.controlengeurope.com/article/46490/Mobile-SCADA-increases-staff-efficiency-in-logistics-operation-by-15--and-cuts-support-call-costs-by-60-.aspx
http://www.controlengeurope.com/article/46335/SCADA-virtualisation-delivering-real-benefits-.aspx
● System Operators● System Engineers● Instrument Technicians● Corporate IT● Vendors● System Integrators● Outsource Providers● Communication suppliers● Management/Investors
ICS Cyber Security Ecosystem
● Academia● 11 UK universities
● RITICS
● Government● Standards bodies● Consumers
Business justification/ROI
● Notoriously difficult– Risk quantification very difficult
– Energy companies denied insurance cover1
● Few attacks are ICS specific and fewer still aim to cause physical damage– Arguably Stuxnet is the only example
● Google “To kill a centrifuge” to learn more about Stuxnet
● Leaning heavily on FUD may have caused damage here
● However, a single cyber event can easily cost more than several years’ security expenditure
1. http://www.bbc.co.uk/news/technology-26358042
What needs to be done to secure ICS?
● NIST think they have the answer● Framework for Improving Critical Infrastructure Cybersecurity – 1.0 Feb 2014
● Seems abstract unless you’ve been through the pain
● C2M2 – Cybersecurity Capability Maturity Model● Understand that governance, training and behavioural issues
are as important as technology● ‘Mind the Gaps’
● Integration with physical, personnel and traditional IT security is vital
● Security needs to be simple or invisible at point of use● Learn through other people’s successes and failures across
multiple verticals and geographies
Quantum technology and ICS systems
● Threat to PKI and possible alternative of QKD will impact ICS
● PKI may be dead at just about the time it is fully embraced by ICS
● SCADA in the cloud is on its way
● Quantum clocks could remove the reliance of ICS on GPS/NTP/radio clocks
● Anything else?