process control cyber security
DESCRIPTION
Presented @ Saudi Aramco Global Reliability Forum 2013 Houston, TX, June 19-20, 2013 The only totally secure system is one that is shutoff, unplugged, and locked in a completely sealed box. Security is a balancing act of managing risk and maintaining operations. Too little security and the system may become compromised. Too much security may affect core system functionality, usability, or reliability. Finding the right level of security for a particular system may seem like a daunting task for many industrial control system vendors, integrators, and end-users. There are many different aspects to security and there is no single countermeasure that will work in all situations. This talk will discuss some of the different aspects to security and discuss how some of the more common countermeasures may affect the overall reliability of the system.TRANSCRIPT
![Page 1: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/1.jpg)
Process Control Cyber Security
Jim GilsinnSenior Investigator
Kenexis Security Consulting
![Page 2: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/2.jpg)
2
Before we start…
• Who wants a process that they can say is secure?
![Page 3: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/3.jpg)
3
Before we start…
• Who wants a process that they can say is secure?
• Who wants a process that does what its expected to do, when and for who its expected to do it, and for the purposes it was designed?
![Page 4: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/4.jpg)
4
• Who wants a process that they can say is secure?
• Who wants a process that does what its expected to do, when and for who its expected to do it, and for the purposes it was designed?
Before we start…
![Page 5: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/5.jpg)
5
Safety
SecurityPerformance
![Page 6: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/6.jpg)
6
Safety
SecurityPerformance
RELIABILITY
![Page 7: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/7.jpg)
7
Selected Aspects of Security
• Risk Management
• Network Segmentation
• Monitoring
![Page 8: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/8.jpg)
8
Risk Management
• Risk management is nothing new– Safety, financial,
physical security have all been around for a long time
• Cyber security should not try to reinvent the wheel
![Page 9: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/9.jpg)
9
Risk Management
• Brown Field– Probably have some
risk management and treatment in place
– Security should feed into existing risk management process, not be a separate entity
• Green Field– Security should be part
of the process from the beginning
![Page 10: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/10.jpg)
10
Risk Management
• Consequences are generally the same–Many times they are already identified– Difference comes about due to root cause
• Expand to include areas where:– People don’t act as they are supposed– Devices don’t act as they are designed
• Be wary of statements like “Well, that could never happen” and “Why would anyone do that”.
![Page 11: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/11.jpg)
11
Network Segmentation
• Network segmentation as a security technique:– Prevents the spread of an incident– Provides a front-line set of defenses
• Network segmentation is a lot more!
![Page 12: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/12.jpg)
12
Network Segmentation
• Network segmentation is a process to understand:–What devices communicate– How fast/often those devices
communicate–Where information flows–What form that information takes
• Technology helps, but architecture is more important
![Page 13: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/13.jpg)
13
Network Segmentation
• Limit the ingress and egress points through zone boundaries
• Protect the connections between zones
• Zones & conduits are logical– For practical purposes,
match zones to network architecture as much as possible
![Page 14: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/14.jpg)
14
Network Segmentation
![Page 15: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/15.jpg)
15
Monitoring
• Do any of these sound familiar?– It used to work.– Something just seems to have failed.– Not really sure what happened.– Don’t do anything to that system over
there, its touchy.– This system is just so slow.
![Page 16: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/16.jpg)
16
Monitoring
• Monitoring is extremely important– Firewalls are good, but useless if you aren’t
monitoring the rules and logs– IDS are useful (if monitored). Not many are
industrial aware, but can be trained.– Network performance indicators can give early
indications of something failing
![Page 17: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/17.jpg)
17
Performance Monitoring
• Monitoring isn’t just for security• Performance can be a leading
indicator– Small blips in performance can indicate
unusual activity
• Helps to eliminating false-positives
![Page 18: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/18.jpg)
18
Performance Monitoring2 ms Mean Measured Packet Interval~ ±0.8 ms Jitter
![Page 19: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/19.jpg)
19
Performance Monitoring
2 ms Mean Measured Packet Interval-0.8 ms to +2.2 ms Jitter
![Page 20: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/20.jpg)
20
Performance Monitoring50 ms Mean Measured Packet IntervalBimodal (25 ms & 75 ms) with Outliers (100 ms)
![Page 21: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/21.jpg)
21
Looking Forward
• Vulnerabilities
• Whitelisting
![Page 22: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/22.jpg)
22
Vulnerabilities
• Vulnerabilities will always exist in the industrial environment– Zero-day vulnerabilities are inevitable– Infinite-day vulnerabilities are not uncommon– Industrial protocols themselves are vulnerable
• Well-crafted malware can exist for months or years before detected
• Do vulnerabilities mean badthings will happen?
![Page 23: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/23.jpg)
23
Whitelisting
• Limits execution on a computer– Known good set of applications
and libraries–Monitors applications and memory-space
against changes
• Has been around for a while• Makes sense for industrial environment
where things remain relatively static• Not a silver bullet!
![Page 24: Process Control Cyber Security](https://reader033.vdocuments.us/reader033/viewer/2022061220/54bc2efb4a7959c42d8b4610/html5/thumbnails/24.jpg)
24
Contact Information
• Jim GilsinnSenior InvestigatorKenexis Security Consulting
• http://www.kenexis.com• (614) 323-2254• @JimGilsinn