matt bancroft tutis industrial monday, 19 october 2015 © tutis fructis ltd 2012


Upload: mervyn-gregory

Post on 02-Jan-2016



Common Industrial Control System Vulnerabilities

SANS SCADA Summit 2010

- Inadequate Policies and Procedures
- Poorly Designed Control System Networks
- Misconfigured or Unpatched Operating Systems and Devices
- Inappropriate Use of Wireless Communication
- Inadequate Authentication of Control System Communications
- Inadequate Identification and Control of Access to Control System
- Lack of Detection and Logging of Intrusion
- Dual Use of Control System Networks
- Lack of Security Checking of Control System Software/Applications
- Lack of Change Management/Change Control Procedures and Agreements


Increased Risks – The Facts…Probably

2008 Group Internal Audit Report 10 sites/G9 countries

2010/11 Supply Chain Security Assessment 30 sites/G17 Countries

Headlines

- No overall ownership and responsibility for production IT
- Risks to production continuity from IT
- Insecure and vulnerable IT systems
- Lack of local advanced IT skills
- No Group standards, policies or guidelines
- Not aligned with Group IT team and strategy
- No visibility, transparency or control


The Past….

Historically…

Production IT systems have been physically separate

Ensured that the information security risks remained localised

ICS was based on proprietary platforms and protocols

Security through obscurity


The Present…

Now…

Security through obscurity and physical separation are no longer relevant

ICS uses standard Windows platforms and internet communication protocols

ICS integrates and communicates with group systems such as SAP via MES.

More sources of attacks

Widely known and exploitable vulnerabilities

….if not designed and managed effectively.


Different Business…Different Challenges


Supply Chain Systems Drivers

Reduce risk to Production Operations

- SC is operating with increased risks…
- More connectivity between Prod & Enterprise – MES
- Production site consolidation
- Immature IT practices – as per Group Internal Audit
- Insecure and unreliable IT systems

Reduce Costs & Improve IT services

- Supply Chain Standardisation – Common standards and platforms
- Exploit central procurement opportunities
- Utilise a central SC IT expert resource
- Allow local SC to concentrate on local issues
- Ensure focus on IT availability – critical to SC business

Align Group Enterprise Strategy, Functions & Policies

- Group Internal Audit – Close audit actions and instill confidence
- Central IT – Align and exploit synergies
- Group Security – Align with group policy


Further Reading

These concepts and themes are developed further in…

Tutis White Papers…

- Cyber Security Risk Management in Operational Technology Environments
- Global Management Of Converging Operational & Information Technology
- Supply Chain Systems: End to End Integrated Business Process & Technology View

And also…

- cpni.gov.uk
- csrc.nist.gov
- NIST SP800-82 – Guide To Industrial Control System Security
- NISCC Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks
- Defence In Depth in Industrial Control Systems
