Common Industrial Control System Vulnerabilities
SANS SCADA Summit 2010
Inadequate Policies and Procedures
Poorly Designed Control System Networks
Mis-configured or Un-patched Operating Systems and Devices
Inappropriate Use of Wireless Communication
Inadequate Authentication of Control System Communications
Inadequate Identification and Control of Access to Control System
Lack of Detection and Logging of Intrusion
Dual Use of Control System Networks
Lack of Security Checking of Control System Software/Applications
Lack of Change Management/Change Control Procedures and Agreements
Page 2 Thursday 20 April 2023 © Tutis Fructis Ltd 2012
Increased Risks – The Facts… Probably
2008 Group Internal Audit Report: 10 sites/G9 countries
2010/11 Supply Chain Security Assessment: 30 sites/G17 countries
Headlines
No overall ownership and responsibility for production IT
Risks to production continuity from IT
Insecure and vulnerable IT systems
Lack of local advanced IT skills
No Group standards, policies or guidelines
Not aligned with Group IT team and strategy
No visibility, transparency or control
The Past…
Historically…
Production IT systems have been physically separate
Ensured that the information security risks remained localised
ICS was based on proprietary platforms and protocols
Security through obscurity
The Present… Now…
Security by obscurity and physical separation are no longer relevant
Uses standard Windows platforms and Internet communication protocols
Integrates and communicates with group systems such as SAP via MES
More sources of attacks
Widely known and exploitable vulnerabilities
…if not designed and managed effectively.
Supply Chain Systems Drivers
Reduce risk to Production Operations
SC is operating with increased risks…
More connectivity between Prod & Enterprise – MES
Production site consolidation
Immature IT practices – as per Group Internal Audit
Insecure and unreliable IT systems
Reduce Costs & Improve IT services
Supply Chain Standardisation – Common standards and platforms
Exploit central procurement opportunities
Utilise a central SC IT expert resource
Allow local SC to concentrate on local issues
Ensure focus on IT availability – critical to SC business
Align Group Enterprise Strategy, Functions & Policies
Group Internal Audit – Close audit actions and instil confidence
Central IT – Align and exploit synergies
Group Security – Align with group policy
Further Reading
These concepts and themes are developed further in…
Tutis White Papers…
Cyber Security Risk Management in Operational Technology Environments
Global Management of Converging Operational & Information Technology
Supply Chain Systems: End to End Integrated Business Process & Technology View
And also…
cpni.gov.uk
csrc.nist.gov
NIST SP800-82 – Guide to Industrial Control System Security
NISCC Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks
Defence in Depth in Industrial Control Systems