Industrial Control Systems Security

Industrial Control Systems Security

c1
The Challenge

The Challenge

Risk is real

Each element has a specific response, from a specific perspective

But it is consequence that is our focus

Basic elements

Product certification

Product certification

NIST Framework

NIST Framework

Additional Resources

Threat

Determined as a result of Intelligence
Gathering

Determined as a result of Intelligence
Gathering

Often vague and/or non‐specific

Often vague and/or non‐specific

»“There’s a virus in the wild!”
»Sources include US‐CERT and ICS‐CERT

Some details may be classified or otherwise protected

Context is important!

Vulnerability

Vulnerability

Will always exist in industrial systems

»“Zero‐Day” and “Forever‐Day”

Well‐crafted malware can exist for months or years before detected

Do vulnerabilities mean bad things will
happen?

Consequence

This is the focus for asset owners!

Be realistic

Expand to include areas where:

»People don’t act as they are supposed to

Subtema

»Devices don’t act as they are designed

Be wary of statements like

“Well, that could never happen.”

“Why would anyone do that.”

Creating the Program

Creating the Program

With an understanding of consequences…

Identify sources of “Help”

OT – IT Partnership

Practices and Guidance

Standards

Expectations and Regulation

Understand the Fundamental Concepts

Establish program structure

People

People

Process

Process

Technology

Technology

Assess current performance

Assess current performance

Identify objectives

Identify objectives

Establish and implement measurements

Establish and implement measurements

Changing the Conversation

Changing the Conversation

Less Fear, Uncertainty and Doubt (FUD)

Focus on process capability and potential
consequence

Speak in plain language, not “cyber speak”

Know what you are trying to achieve, and
why

IT and OT; What’s the point?

IT and OT; What’s the point?

Old wine in new bottles

Distinction is nonetheless real

Understanding it is essential for success in
many areas, including Security

Common Questions

“Separate or
Interconnected
Networks?”

“What are the
real threats?”

“How do I manage
patches?”

“How do I
manage my
risks?”

“What products and
technologies are
suitable?”

“IT or Engineering
control of the
network?”

Applications

Applications

System segmentation is an accepted concept

New approaches to program definition

Collaboration between safety and security

Sources of Help

Sources of Help

In typical order of usefulness…

OT – IT Partnership

Practices and Guidance

Standards

Expectations and Regulation

Fundamental Concepts

Fundamental Concepts

Security Life Cycle

Zones and Conduits

Security Levels

Foundational Requirements

Program Maturity

Safety and Security

OT vs IT

Subtema

Scope & Ownership

OT

Covers the spectrum of systems that deal with the physical
transformation of products and services. They are task‐
specific systems, are highly customized for industries and
considered mission‐critical. They typically fall under the
domain of Engineering.

IT

Covers the spectrum of systems that support
corporate functions like Finance, HR, Supply
Chain, Order Management, Sales, etc. Functions
and their processes tend to have commonality
across industries.

End‐Point

OT

The end‐point being managed is often a physical asset such
as pumps, motors, conveyors, valves, forklifts, etc., where
these “things” come in all shapes, sizes, level of complexity,
versions and vintage.

IT

The end‐point being managed is often a human
(whose job tends to be information‐intensive)
using a computing device (that has been relatively
homogeneous until the recent and growing BYOD
[bring your own device] trend.)

Focus

OT

In contrast, the OT portfolio is largely “thing‐centric” in the
sense that it helps “make product” by controlling the
physical equipment with a great deal of precision (and
safety), where the human’s role is supervisory (as
automation increases.)

IT

The IT software portfolio is people‐centric in the
sense that it helps people “make money” by
managing and coordinating the higher‐level
processes and transactions of the business.

Architecture

OT

In contrast, OT is filled with silos of proprietary
architectures because of its task‐specific nature. For
example, a refinery is designed so it can run continuously
for 5+ years before it is shut down for maintenance. In
other words, reliability can often trump innovation, open
architecture, interoperability, etc.

IT

Besides being pervasive in our personal lives, IT is
a relatively standardized world, and that is far
more homogeneous than OT.) IT also tends to
adapt far more quickly to multiple computing
trends, from PCs to Internet to mobility, all of
which have broadly shaped today’s Corporate IT
strategy.