Risks to Facilities and Industrial Control SystemsCambridge September 19th 2014

Dr. Ian Buffeyian.buffey@atkinsglobal.com

Agenda

● Personal Introduction● What is an Industrial Control System

and why should I care?● Evolution of control systems and their

security● Why is ICS Cyber Security difficult?● What do you need to do to make it

work?● What impact will quantum technology

have on ICS systems?

Personal Introduction

● Studied Chemistry and Theoretical Chemistry at Manchester ‘79-85– Absorption of far IR by water clusters

● Quantum mechanics knowledge a little rusty now!

● Worked on Industrial Control Systems (ICS) since then– Variety of companies, industries and roles

– Main focus on security since 2004

4

What are Industrial Control Systems and why should I care?

• An equation (of sorts)• ICS=SCADA=DCS=OT(Operational Technology)=Any other

acronym for a control/automation system

• Much of the Critical National Infrastructure (CNI) we rely on daily relies on an ICS e.g.

• Power, water, oil and gas, transport, chemicals, pharmaceuticals

• Non-CNI too: Breweries, distilleries, chocolate factories, CERN

• If the systems controlling these processes stop, everyday life stops with it

• We live in an ever more interconnected world• IoT has been developing for a while

5

How does ICS work?

Evolution of Control Systems

1985 – Systems mostly bespoke, running on obscure OS, isolated

1990 – COTS now significant. Drive for OT/IT connectivity.

1995 – Windows NT 3.51/4 makes it a serious contender. IP for connectivity.

2000 – Windows established. Increasing commoditization.

Post 9/11 – Realization of the criticality and vulnerability of ICS

Typical (Simplified) ICS Lifecycle

Initial specification /

vendor selection

Detailed Design

Build (inc factory test)

Commissioning (on site)

Run and maintain ‘Refresh’

1-2 years5-15 years

Evolution of Control System Security

● Hard to draw a graphic showing steady evolution● Common practice– Firewalls (between IT/OT networks, further segmentation less common)

– AV on Windows systems

● Less common practice– Centralised alert logging (SEM/SIEM)

– Host and/or Network IDS/IPS

– System hardening

– Configuration monitoring/management(including patches/updates)

– Application whitelisting or other software controls

– Network Access Control (NAC)

– Accurate network architecture drawings and inventories

– Strong governance, policies, training

– More...

So what has been achieved?

● The short answer: “It’s patchy.”● Security is not the new safety

● Coffee cups and hand rails

● Some companies have good programmes in place

● What does ‘good’ look like?– Security (especially architecture) has

evolved over time

– Budget for security (time as well as products) is available annually

– There are staff who have security as at least a part of their ‘day job’

– Incidents detected, responded to, reported on, lessons are learned

Indications that all is not well

● Security is not part of the ‘day job’● Relying on heroic efforts● Lack of involvement from

stakeholders● Security which is difficult to use or

gets in the way– Anything which slows down operator actions

is a risk

● Lack of security awareness amongst ‘users’

Why is ICS Cyber Security so difficult?

● System longevity, diversity and complexity– Threat landscape evolves more quickly than

systems

● Requirement evolution● Ecosystem complexity● Business justification/ROI

Requirement Evolution

● Systems have many new requirements in their lifetimes

● Today’s systems will likely have to cope with– Wireless, Mobile devices, Virtualization,

Cloud

– Other things nobody has thought of yet http://www.controlengeurope.com/article/46490/Mobile-SCADA-increases-staff-efficiency-in-logistics-operation-by-15--and-cuts-support-call-costs-by-60-.aspx

http://www.controlengeurope.com/article/46335/SCADA-virtualisation-delivering-real-benefits-.aspx

● System Operators● System Engineers● Instrument Technicians● Corporate IT● Vendors● System Integrators● Outsource Providers● Communication suppliers● Management/Investors

ICS Cyber Security Ecosystem

● Academia● 11 UK universities

● RITICS

● Government● Standards bodies● Consumers

Business justification/ROI

● Notoriously difficult– Risk quantification very difficult

– Energy companies denied insurance cover1

● Few attacks are ICS specific and fewer still aim to cause physical damage– Arguably Stuxnet is the only example

● Google “To kill a centrifuge” to learn more about Stuxnet

● Leaning heavily on FUD may have caused damage here

● However, a single cyber event can easily cost more than several years’ security expenditure

1. http://www.bbc.co.uk/news/technology-26358042

What needs to be done to secure ICS?

● NIST think they have the answer● Framework for Improving Critical Infrastructure Cybersecurity – 1.0 Feb 2014

● Seems abstract unless you’ve been through the pain

● C2M2 – Cybersecurity Capability Maturity Model● Understand that governance, training and behavioural issues

are as important as technology● ‘Mind the Gaps’

● Integration with physical, personnel and traditional IT security is vital

● Security needs to be simple or invisible at point of use● Learn through other people’s successes and failures across

multiple verticals and geographies

Quantum technology and ICS systems

● Threat to PKI and possible alternative of QKD will impact ICS

● PKI may be dead at just about the time it is fully embraced by ICS

● SCADA in the cloud is on its way

● Quantum clocks could remove the reliance of ICS on GPS/NTP/radio clocks

● Anything else?

Questions?Dr. Ian Buffey

ian.buffey@atkinsglobal.com