Risks to Facilities and Industrial Control Systems
Cambridge September 19th 2014
Dr. Ian Buffey
[email protected]
Agenda
● Personal Introduction
● What is an Industrial Control System and why should I care?
● Evolution of control systems and their security
● Why is ICS Cyber Security difficult?
● What do you need to do to make it work?
● What impact will quantum technology have on ICS systems?
Personal Introduction
● Studied Chemistry and Theoretical Chemistry at Manchester ‘79-85
  – Absorption of far IR by water clusters
● Quantum mechanics knowledge a little rusty now!
● Worked on Industrial Control Systems (ICS) since then
  – Variety of companies, industries and roles
  – Main focus on security since 2004
What are Industrial Control Systems and why should I care?
• An equation (of sorts)
  • ICS = SCADA = DCS = OT (Operational Technology) = Any other acronym for a control/automation system
• Much of the Critical National Infrastructure (CNI) we rely on daily relies on an ICS e.g.
  • Power, water, oil and gas, transport, chemicals, pharmaceuticals
  • Non-CNI too: Breweries, distilleries, chocolate factories, CERN
• If the systems controlling these processes stop, everyday life stops with it
• We live in an ever more interconnected world
  • IoT has been developing for a while
How does ICS work?
Evolution of Control Systems
● 1985 – Systems mostly bespoke, running on obscure OS, isolated
● 1990 – COTS now significant. Drive for OT/IT connectivity.
● 1995 – Windows NT 3.51/4 makes it a serious contender. IP for connectivity.
● 2000 – Windows established. Increasing commoditization.
● Post 9/11 – Realization of the criticality and vulnerability of ICS
Typical (Simplified) ICS Lifecycle
● Initial specification / vendor selection
● Detailed Design
● Build (inc factory test)
● Commissioning (on site)
● Run and maintain
● ‘Refresh’
Durations labelled on the diagram: 1-2 years, 5-15 years
Evolution of Control System Security
● Hard to draw a graphic showing steady evolution
● Common practice
  – Firewalls (between IT/OT networks, further segmentation less common)
  – AV on Windows systems
● Less common practice
  – Centralised alert logging (SEM/SIEM)
  – Host and/or Network IDS/IPS
  – System hardening
  – Configuration monitoring/management (including patches/updates)
  – Application whitelisting or other software controls
  – Network Access Control (NAC)
  – Accurate network architecture drawings and inventories
  – Strong governance, policies, training
  – More...
So what has been achieved?
● The short answer: “It’s patchy.”
● Security is not the new safety
  ● Coffee cups and hand rails
● Some companies have good programmes in place
● What does ‘good’ look like?
  – Security (especially architecture) has evolved over time
  – Budget for security (time as well as products) is available annually
  – There are staff who have security as at least a part of their ‘day job’
  – Incidents detected, responded to, reported on, lessons are learned
Indications that all is not well
● Security is not part of the ‘day job’
● Relying on heroic efforts
● Lack of involvement from stakeholders
● Security which is difficult to use or gets in the way
  – Anything which slows down operator actions is a risk
● Lack of security awareness amongst ‘users’
Why is ICS Cyber Security so difficult?
● System longevity, diversity and complexity
  – Threat landscape evolves more quickly than systems
● Requirement evolution
● Ecosystem complexity
● Business justification/ROI
Requirement Evolution
● Systems have many new requirements in their lifetimes
● Today’s systems will likely have to cope with
  – Wireless, Mobile devices, Virtualization, Cloud
  – Other things nobody has thought of yet
http://www.controlengeurope.com/article/46335/SCADAvirtualisation-delivering-realbenefits-.aspx
http://www.controlengeurope.com/article/46490/Mobile-SCADAincreases-staff-efficiency-inlogistics-operation-by-15--andcuts-support-call-costs-by-60.aspx
ICS Cyber Security Ecosystem
● System Operators
● System Engineers
● Instrument Technicians
● Corporate IT
● Vendors
● System Integrators
● Outsource Providers
● Communication suppliers
● Management/Investors
● Academia
  ● 11 UK universities
  ● RITICS
● Government
● Standards bodies
● Consumers
Business justification/ROI
● Notoriously difficult
  – Risk quantification very difficult
  – Energy companies denied insurance cover [1]
● Few attacks are ICS specific and fewer still aim to cause physical damage
  – Arguably Stuxnet is the only example
    ● Google “To kill a centrifuge” to learn more about Stuxnet
● Leaning heavily on FUD may have caused damage here
● However, a single cyber event can easily cost more than several years’ security expenditure
[1] http://www.bbc.co.uk/news/technology-26358042
What needs to be done to secure ICS?
● NIST think they have the answer
  ● Framework for Improving Critical Infrastructure Cybersecurity – 1.0 Feb 2014
  ● Seems abstract unless you’ve been through the pain
● C2M2 – Cybersecurity Capability Maturity Model
● Understand that governance, training and behavioural issues are as important as technology
● ‘Mind the Gaps’
  ● Integration with physical, personnel and traditional IT security is vital
● Security needs to be simple or invisible at point of use
● Learn through other people’s successes and failures across multiple verticals and geographies
Quantum technology and ICS systems
● Threat to PKI and possible alternative of QKD will impact ICS
  ● PKI may be dead at just about the time it is fully embraced by ICS
● SCADA in the cloud is on its way
● Quantum clocks could remove the reliance of ICS on GPS/NTP/radio clocks
● Anything else?
Questions?
Dr. Ian Buffey
[email protected]
