20140919093009551
advertisement
Risks to Facilities and Industrial Control Systems Cambridge September 19th 2014 Dr. Ian Buffey ian.buffey@atkinsglobal.com Agenda ● ● ● ● ● ● Personal Introduction What is an Industrial Control System and why should I care? Evolution of control systems and their security Why is ICS Cyber Security difficult? What do you need to do to make it work? What impact will quantum technology have on ICS systems? Personal Introduction ● Studied Chemistry and Theoretical Chemistry at Manchester ‘79-85 – Absorption of far IR by water clusters ● Quantum mechanics knowledge a little rusty now! ● Worked on Industrial Control Systems (ICS) since then – Variety of companies, industries and roles – Main focus on security since 2004 What are Industrial Control Systems and why should I care? • An equation (of sorts) • • ICS=SCADA=DCS=OT(Operational Technology)=Any other acronym for a control/automation system Much of the Critical National Infrastructure (CNI) we rely on daily relies on an ICS e.g. • Power, water, oil and gas, transport, chemicals, pharmaceuticals • Non-CNI too: Breweries, distilleries, chocolate factories, CERN • If the systems controlling these processes stop, everyday life stops with it • We live in an ever more interconnected world • IoT has been developing for a while 4 How does ICS work? 5 Evolution of Control Systems 2000 – Windows established. Increasing commoditization. 1995 – Windows NT 3.51/4 makes it a serious contender. IP for connectivity. 1990 – COTS now significant. Drive for OT/IT connectivity. 1985 – Systems mostly bespoke, running on obscure OS, isolated Post 9/11 – Realization of the criticality and vulnerability of ICS Typical (Simplified) ICS Lifecycle Initial specification / vendor selection Detailed Design Build (inc factory test) 1-2 years Commissioning (on site) Run and maintain 5-15 years ‘Refresh’ Evolution of Control System Security ● Hard to draw a graphic showing steady evolution ● Common practice ● – Firewalls (between IT/OT networks, further segmentation less common) – AV on Windows systems Less common practice – Centralised alert logging (SEM/SIEM) – Host and/or Network IDS/IPS – System hardening – Configuration monitoring/management(including patches/updates) – Application whitelisting or other software controls – Network Access Control (NAC) – Accurate network architecture drawings and inventories – Strong governance, policies, training – More... So what has been achieved? The short answer: “It’s patchy.” ● Security is not the new safety ● ● Coffee cups and hand rails ● Some companies have good programmes in place ● What does ‘good’ look like? – Security (especially architecture) has evolved over time – Budget for security (time as well as products) is available annually – There are staff who have security as at least a part of their ‘day job’ – Incidents detected, responded to, reported on, lessons are learned Indications that all is not well Security is not part of the ‘day job’ ● Relying on heroic efforts ● Lack of involvement from stakeholders ● Security which is difficult to use or gets in the way ● – ● Anything which slows down operator actions is a risk Lack of security awareness amongst ‘users’ Why is ICS Cyber Security so difficult? ● System longevity, diversity and complexity – ● Threat landscape evolves more quickly than systems Requirement evolution ● Ecosystem complexity ● Business justification/ROI Requirement Evolution ● Systems have many new requirements in their lifetimes ● Today’s systems will likely have to cope with – Wireless, Mobile devices, Virtualization, Cloud – Other things nobody has thought of yet http://www.controlengeurope.com /article/46335/SCADAvirtualisation-delivering-realbenefits-.aspx http://www.controlengeurope.com /article/46490/Mobile-SCADAincreases-staff-efficiency-inlogistics-operation-by-15--andcuts-support-call-costs-by-60.aspx ICS Cyber Security Ecosystem ● ● ● ● ● ● ● ● ● System Operators System Engineers Instrument Technicians Corporate IT Vendors System Integrators Outsource Providers Communication suppliers Management/Investors ● ● Academia ● 11 UK universities ● RITICS Government ● Standards bodies ● Consumers Business justification/ROI ● ● Notoriously difficult – Risk quantification very difficult – Energy companies denied insurance cover1 Few attacks are ICS specific and fewer still aim to cause physical damage – Arguably Stuxnet is the only example ● Google “To kill a centrifuge” to learn more about Stuxnet ● Leaning heavily on FUD may have caused damage here ● However, a single cyber event can easily cost more than several years’ security expenditure 1. http://www.bbc.co.uk/news/technology-26358042 What needs to be done to secure ICS? ● NIST think they have the answer ● Framework for Improving Critical Infrastructure Cybersecurity – 1.0 Feb 2014 ● Seems abstract unless you’ve been through the pain C2M2 – Cybersecurity Capability Maturity Model ● Understand that governance, training and behavioural issues are as important as technology ● ‘Mind the Gaps’ ● ● ● Integration with physical, personnel and traditional IT security is vital Security needs to be simple or invisible at point of use ● Learn through other people’s successes and failures across multiple verticals and geographies Quantum technology and ICS systems ● Threat to PKI and possible alternative of QKD will impact ICS ● PKI may be dead at just about the time it is fully embraced by ICS ● SCADA in the cloud is on its way ● Quantum clocks could remove the reliance of ICS on GPS/NTP/radio clocks ● Anything else? Questions? Dr. Ian Buffey ian.buffey@atkinsglobal.com
