Why Control System Cyber-Security Sucks… Me waiting for a change of paradigm
Why Control System Cyber-Security Sucks…Dr. [email protected]
CLA Summit, March 20th 2013, Geneva (CH)
Why Control System Cyber-Security Sucks…
Me waiting for a change of paradigm.
Attack vs. Defense
Attackers’ advantage:
- There is no 100% security
- They choose time, place, method
Defenders’ dilemma:
- Need to protect against all
- Lack of money/resources/networks
- (Int’l) Law always a step behind
Overview
(R)Evolution of Control Systems
Industrial control systems and the role of corporate IT
Dr. [email protected]
Cyber Defence Summit, March 4th-5th 2013, Muscat (OMAN)
Pandora’s box is open!
Stuxnet (2010)
PC-Level:
- Infiltration of plant
- Infection of PC
- Reconnaissance for target
PLC-Level:
- Manipulation of communication
- Fingerprinting of PLC
- Reconfiguration of PLC
- Obscuring communication
Process-Level:
- Sabotage of process
Towards a New Threat Vector
The Lack of Patching
The Problem of Patching
Safety!
- Needs heavy compliance testing (vendor & utility)
- Potential loss of guarantees & certification (e.g. SIL)
Availability:
- Rare maintenance windows
Legacy:
- Old or embedded devices

Integrity:
- S/W development life-cycles
- Thorough regression testing
- Nightly builds
- Full configuration management
Availability:
- Redundancy & virtualization
Legacy:
- (rare)
The Lack of Access Controls
The Problem of Access Control
Safety!
- Access must always be guaranteed
- Shared accounts
- Encryption too “heavy”
Legacy:
- Default passwords
- Undocumented backdoors
- Impossible IdM integration
- No ACLs, iptables, etc.

Security:
- Split of AuthN & AuthZ
- SSO, LDAP & AD
- Kerberos, x509 & 2-factor AuthN
Legacy:
- (rare)
The Lack of Robustness
The Problem of Robustness
Robustness:
- Use-cases, not abuse-cases
- Not always compliant to standards
- No certification (yet?)
Security:
- Not integral part… or through obscurity
- Low priority, low knowledge
- Unwillingness to share incidents…

Robustness:
- (“Externally sponsored”) penetration testing & vulnerability scanning
Security:
- Decades of experience & knowledge
- CSIRT: Protection, detection & response
- Responsible disclosure
10 Questions to YOU
Have you
1. followed appropriate training incl. on security paradigms?
2. employed a version control system for your software and configuration?
3. considered standard IT technologies offered by your IT department (e.g. DBs, web servers)?
4. populated an inventory of all devices, accounts, applications, … as well as a list of their dependencies (e.g. NTP)?
5. deployed an independent test system you can tamper with?
6. conducted a penetration test to see whether your equipment is sufficiently robust?
7. changed all defaults (passwords!) and removed unnecessary functionality?
8. established procedures for applying timely software updates?
9. agreed on a contingency plan in case your system fails?
Summary
…and please do not use this presentation as an excuse to do nothing!!!
PCS are (still) not designed to be secure.
- They fulfil use-cases and also abuse cases.
Defence-in-Depth is the key.
- Make security as much a part as functionality, usability, availability, maintainability, performance!
Hack the box!
- Buy any PCS on eBay and throw your favourite pen suite at it.
- Push vendors & start responsible disclosure
Align Control System Cyber-Security with IT security!
- Patch procedures, access protection, robustness, certification & documentation need significant improvement.
Literature