
by MariaEs Martinez, 8 years ago


Industrial Control Systems Security

Operational Technology (OT) and Information Technology (IT) serve distinct roles within an organization. OT is primarily concerned with controlling physical equipment to produce goods safely and precisely, with human intervention being mostly supervisory.


OT vs IT

Architecture

Besides being pervasive in our personal lives, IT is a relatively standardized world that is far more homogeneous than OT. IT also tends to adapt far more quickly to multiple computing trends, from PCs to Internet to mobility, all of which have broadly shaped today’s Corporate IT strategy.
In contrast, OT is filled with silos of proprietary architectures because of its task‐specific nature. For example, a refinery is designed so it can run continuously for 5+ years before it is shut down for maintenance. In other words, reliability can often trump innovation, open architecture, interoperability, etc.

Focus

The IT software portfolio is people‐centric in the sense that it helps people “make money” by managing and coordinating the higher‐level processes and transactions of the business.
In contrast, the OT portfolio is largely “thing‐centric” in the sense that it helps “make product” by controlling the physical equipment with a great deal of precision (and safety), where the human’s role is supervisory (as automation increases.)

End‐Point

In IT, the end‐point being managed is often a human (whose job tends to be information‐intensive) using a computing device (that has been relatively homogeneous until the recent and growing BYOD [bring your own device] trend).
In OT, the end‐point being managed is often a physical asset such as pumps, motors, conveyors, valves, forklifts, etc., where these “things” come in all shapes, sizes, levels of complexity, versions and vintages.

Scope & Ownership

IT
Covers the spectrum of systems that support corporate functions like Finance, HR, Supply Chain, Order Management, Sales, etc. Functions and their processes tend to have commonality across industries.
OT
Covers the spectrum of systems that deal with the physical transformation of products and services. They are task‐specific systems, are highly customized for industries and considered mission‐critical. They typically fall under the domain of Engineering.


Activity No. 3, Industrial Information Systems

Fundamental Concepts

Safety and Security
Program Maturity
Foundational Requirements
Security Levels
Zones and Conduits
Security Life Cycle

Sources of Help

In typical order of usefulness…

Applications

Collaboration between safety and security
New approaches to program definition
System segmentation is an accepted concept

IT and OT; What’s the point?

Common Questions
“IT or Engineering control of the network?”
“What products and technologies are suitable?”
“How do I manage my risks?”
“How do I manage patches?”
“What are the real threats?”
“Separate or Interconnected Networks?”
Understanding it is essential for success in many areas, including Security
Distinction is nonetheless real
Old wine in new bottles

Changing the Conversation

Know what you are trying to achieve, and why
Speak in plain language, not “cyber speak”
Focus on process capability and potential consequence
Less Fear, Uncertainty and Doubt (FUD)

Creating the Program

Establish and implement measurements
Identify objectives
Assess current performance
Establish program structure
Technology
Process
People
Understand the Fundamental Concepts
Identify sources of “Help”
Expectations and Regulation
Standards
Practices and Guidance
OT – IT Partnership
With an understanding of consequences…

Additional Resources

Consequence
Be wary of statements like

“Why would anyone do that.”

“Well, that could never happen.”

Expand to include areas where:

»Devices don’t act as they are designed

»People don’t act as they are supposed to


Be realistic
This is the focus for asset owners!
Vulnerability
Do vulnerabilities mean bad things will happen?
Well‐crafted malware can exist for months or years before being detected
Will always exist in industrial systems

»“Zero‐Day” and “Forever‐Day”

Threat
Context is important!
Some details may be classified or otherwise protected
Often vague and/or non‐specific

»“There’s a virus in the wild!”

»Sources include US‐CERT and ICS‐CERT

Determined as a result of Intelligence Gathering

Basic elements

NIST Framework
Product certification

The Challenge

Risk is real
But it is consequence that is our focus
Each element has a specific response, from a specific perspective