Industrial Control Systems Security
The Challenge
Risk is real
Each element has a specific response, from a specific perspective
But it is consequence that is our focus
Basic elements
Product certification
NIST Framework
Additional Resources
Threat
Determined as a result of Intelligence
Gathering
Often vague and/or non‐specific
»“There’s a virus in the wild!”
»Sources include US‐CERT and ICS‐CERT
Some details may be classified or otherwise protected
Context is important!
Vulnerability
Will always exist in industrial systems
»“Zero‐Day” and “Forever‐Day”
Well‐crafted malware can exist for months or years before detected
Do vulnerabilities mean bad things will
happen?
Consequence
This is the focus for asset owners!
Be realistic
Expand to include areas where:
»People don’t act as they are supposed to
Subtema
»Devices don’t act as they are designed
Be wary of statements like
“Well, that could never happen.”
“Why would anyone do that.”
Creating the Program
With an understanding of consequences…
Identify sources of “Help”
OT – IT Partnership
Practices and Guidance
Standards
Expectations and Regulation
Understand the Fundamental Concepts
Establish program structure
People
Process
Technology
Assess current performance
Identify objectives
Establish and implement measurements
Changing the Conversation
Less Fear, Uncertainty and Doubt (FUD)
Focus on process capability and potential
consequence
Speak in plain language, not “cyber speak”
Know what you are trying to achieve, and
why
IT and OT; What’s the point?
Old wine in new bottles
Distinction is nonetheless real
Understanding it is essential for success in
many areas, including Security
Common Questions
“Separate or
Interconnected
Networks?”
“What are the
real threats?”
“How do I manage
patches?”
“How do I
manage my
risks?”
“What products and
technologies are
suitable?”
“IT or Engineering
control of the
network?”
Applications
System segmentation is an accepted concept
New approaches to program definition
Collaboration between safety and security
Sources of Help
In typical order of usefulness…
OT – IT Partnership
Practices and Guidance
Standards
Expectations and Regulation
Fundamental Concepts
Security Life Cycle
Zones and Conduits
Security Levels
Foundational Requirements
Program Maturity
Safety and Security
OT vs IT
Subtema
Scope & Ownership
OT
Covers the spectrum of systems that deal with the physical
transformation of products and services. They are task‐
specific systems, are highly customized for industries and
considered mission‐critical. They typically fall under the
domain of Engineering.
IT
Covers the spectrum of systems that support
corporate functions like Finance, HR, Supply
Chain, Order Management, Sales, etc. Functions
and their processes tend to have commonality
across industries.
End‐Point
OT
The end‐point being managed is often a physical asset such
as pumps, motors, conveyors, valves, forklifts, etc., where
these “things” come in all shapes, sizes, level of complexity,
versions and vintage.
IT
The end‐point being managed is often a human
(whose job tends to be information‐intensive)
using a computing device (that has been relatively
homogeneous until the recent and growing BYOD
[bring your own device] trend.)
Focus
OT
In contrast, the OT portfolio is largely “thing‐centric” in the
sense that it helps “make product” by controlling the
physical equipment with a great deal of precision (and
safety), where the human’s role is supervisory (as
automation increases.)
IT
The IT software portfolio is people‐centric in the
sense that it helps people “make money” by
managing and coordinating the higher‐level
processes and transactions of the business.
Architecture
OT
In contrast, OT is filled with silos of proprietary
architectures because of its task‐specific nature. For
example, a refinery is designed so it can run continuously
for 5+ years before it is shut down for maintenance. In
other words, reliability can often trump innovation, open
architecture, interoperability, etc.
IT
Besides being pervasive in our personal lives, IT is
a relatively standardized world, and that is far
more homogeneous than OT.) IT also tends to
adapt far more quickly to multiple computing
trends, from PCs to Internet to mobility, all of
which have broadly shaped today’s Corporate IT
strategy.