The document discusses securing industrial control systems to the last mile. It emphasizes that security needs to be designed into systems from the start, rather than bolted on later. Key points covered include defining security as an ongoing process; the focus on availability over confidentiality and integrity in real-time systems; knowing potential threats and one's own network vulnerabilities; educating business stakeholders on security needs; and taking a step-by-step approach through collaboration between IT and engineering teams.
1. SECURE TO THE
LAST MILE
Learn How To Build Out Your System So That It Is Secure To
The Last Mile On A Geographically Dispersed SCADA System
Terry Gilsenan
CIO/VP Technology,
PIE Operating LLC
2. WHAT WE WILL DISCUSS TODAY
• Security – A Definition, or two.
• Real-Time IT – Where to get support.
• Involving The CIA – spooky points of view.
• The Last 10 Years – Have we learned anything?
• The Battle Ground – it’s a war out there.
• Self Awareness – The truth will set you free.
• The GAP Analysis – is it convenient?
• The Container Principle – Simple Tools.
• What it is going to take – Give AND Take.
3. SECURITY MUST BE DESIGNED
IN, NOT SIMPLY BOLTED ON!
• In this context, Security is a
process not a product. A process
involves the ongoing application
of a set of protocols covering
hardware, software, procedures,
and people.
• Retro-fitting security into
production systems is fraught with
potential pitfalls.
• The PROCESS must work.
Security must be designed in, not simply bolted on!
4. I.T. “MOSTLY” DOESN'T DO REAL TIME
• For Safety, and Security, we expect Availability and
Control.
• We have always assumed that Integrity was part of
Availability.
• Adding Confidentiality and the Authentication aspects
of integrity have traditionally not been desired for
several reasons:
1. How would these changes/upgrades impact Availability?
2. Backward Compatibility with existing systems?
3. Have you considered approaching the business and
asking them to shutdown the refinery for a couple of
months while we retrofit?
Yeah, That!
5. THE C.I.A TRIAD – WHAT IS CRITICAL?
• IT security starts with the CIA
Triad and builds out from
there, most often focusing on:
• Confidentiality
• Integrity
• Process Control starts with
Availability and often that’s as
far as it goes.
• We, yes we, are getting the
opportunity to change this!
[Figure: the CIA triad – Confidentiality, Integrity, Availability]
6. STUXNET: CLICHÉ OR A WARNING
• Hackers are successfully crossing the Cyber/Kinetic interface
• Stuxnet, cyber attack – late 2007, discovery 2010
• Turkey pipeline blast August 2008 (http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar)
• German Steel Mill Blast Furnace destruction 2014 (https://www.wired.com/2015/01/german-steel-mill-hack-destruction/)
• The “Aurora attack”, Using the inertia of the generation
equipment to force the phase angle out of sync with the
supply.
• The list is growing.
7. PARADIGM SHIFT?
• Stuxnet – Why was it different?
• It was entirely modular.
• It behaved like a worm and used multiple vectors.
• It took great pains to avoid collateral damage.
• It was a reverse proxy to a fake interface.
• It could read and change the logic in the controllers.
• Unlike E.T., It did not need to “phone home”.
• And it's almost 10 years old…
Let that sink in for a moment…
8. SO… WHAT DO WE DO?
• Know yourself, know the enemy. You need not fear the
results of a hundred battles. – Sun Tzu
• Do we even know what our enemy is?
• Do we know our risk Surface or risk Appetite?
• The supreme art of war is to subdue the enemy without
fighting. – Sun Tzu
• This is about making sure we are not the low hanging fruit.
9. KNOW YOUR ENEMY?
• Who or what is Our Enemy?
• If we have difficulty in even defining who or what our
enemy is, how can we know our enemy?
• Thankfully there are people and resources available
that we can utilize to gain a better understanding of
this.
10. KNOW YOURSELF - CONNECTIONS
• Are your networks connected to or connectable from
unknown devices?
• Do you have nodes that are controlled by GPRS or
SMS?
• Do your systems traverse the internet?
• Do you have critical but unreliable links, e.g. VSAT?
11. KNOW YOURSELF - PERIMETER
• Many large-scale infrastructure systems refer to their
“As-Built” as the only documentation they have. Many
systems have been upgraded, extended and built out,
but the documentation has not kept pace.
• V-LAN or separate physical networks? If the SCADA/
DCS network is sharing the same physical infrastructure
as the ADMIN LAN, what happens to our systems if the IT
department updates switching firmware etc.? Are we OK
with a 5-minute outage as the switch is rebooted?
12. AIR-GAP VS CONVENIENCE
• Consider for a moment, a COO demanding to be able
to connect to our SCADA/DCS control system to look at
the operations in real time.
• What can we do to prevent problems?
• Say no to the COO?
• Install VNC on the SCADA/DCS control system?
• Design an application proxy and firewall that will provide
very specific access and prevent all other access?
• Remember: Convenience will override security unless
we educate the business AND provide the access that
they NEED (note: Need != Want).
^^^ This is what I chose to do
13. EDUCATION – HOW? WHO?
• It is our responsibility to educate the business about the
profit impacts from addressing security in a workable
way.
• Don’t assume that the IT department can secure our
systems, for the most part they don’t have the
prerequisite knowledge.
• Don’t assume that we can simply purchase a device
that will secure our networks without impacting our real-
time systems.
• Don’t assume that the business executives know what
needs to be done - they are looking to you to educate
them.
14. CANNED ELEPHANT
• The Canning process keeps all the yummy goodness in,
but what is more important is that it keeps
contaminants, oxidizers, and microbes out.
• When we are looking at the task in front of us, we must
remember to approach it as if we were eating an
Elephant: One mouthful at a time.
• By using the Canning analogy to contain and protect
the systems, and then the Elephant meal analogy to
take it step by step… The task becomes Possible.
15. SIMPLE TOOLS
Building the tools I needed meant convincing some
people to work together.
So, I put a Tux, and a Tie On this guy
Total Cost: Less than $100
16. THE APPLICATION PROXY
• All bits are recycled, none are passed through
• Firewall includes:
• Snort IDS/IDP.
• Port-Knocking.
• IP/MAC source policing.
• Application Specific Reverse Proxy.
• DROP by default Firewall rules (including ICMP)
• Certificate Client Authentication.
• VPN between Client and Firewall.
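An added example (not from the talk) of what "all bits are recycled, none are passed through" can mean for the application-specific reverse proxy, applied to the read-only viewing access discussed on slide 12. It assumes the protected protocol is Modbus/TCP, which the slides do not state; the unit id, register window and function names are constructed for illustration.

```python
import struct

# Assumptions for this example (none are stated in the slides): the protected
# protocol is Modbus/TCP, viewers may only read, and only this register window.
READ_FUNCTIONS = {0x03, 0x04}        # read holding / read input registers
ALLOWED_UNITS = {1}                  # constructed: the one RTU exposed to viewers
ALLOWED_RANGE = range(0, 200)        # constructed: viewable register addresses
MAX_QUANTITY = 125                   # Modbus limit for a register read


class Rejected(Exception):
    """Request does not match the allow-list; the proxy drops it."""


def rebuild_request(frame: bytes) -> bytes:
    """Parse a client frame and return a newly built frame for the backend.

    No client bytes are forwarded as-is: the fields are decoded and
    validated, then the frame is re-encoded from the parsed values.
    """
    if len(frame) != 12:                       # MBAP (7) + read PDU (5), exactly
        raise Rejected("unexpected frame length")
    txn, proto, length, unit, func, addr, qty = struct.unpack(">HHHBBHH", frame)
    if proto != 0 or length != 6:
        raise Rejected("malformed MBAP header")
    if unit not in ALLOWED_UNITS:
        raise Rejected("unit id not permitted")
    if func not in READ_FUNCTIONS:
        raise Rejected("only read function codes are permitted")
    if not 1 <= qty <= MAX_QUANTITY:
        raise Rejected("quantity out of bounds")
    if addr not in ALLOWED_RANGE or (addr + qty - 1) not in ALLOWED_RANGE:
        raise Rejected("register window not permitted")
    return struct.pack(">HHHBBHH", txn, 0, 6, unit, func, addr, qty)


def check(frame: bytes) -> str:
    """Return the proxy's decision for one client frame."""
    try:
        rebuild_request(frame)
        return "forward"
    except Rejected as exc:
        return f"drop: {exc}"


# Constructed sample frames: a permitted read, a write attempt, and a read
# that runs past the permitted register window.
READ_OK = struct.pack(">HHHBBHH", 1, 0, 6, 1, 0x03, 10, 4)
WRITE = struct.pack(">HHHBBHH", 2, 0, 6, 1, 0x06, 10, 1)
READ_WIDE = struct.pack(">HHHBBHH", 3, 0, 6, 1, 0x03, 190, 20)
```

Only the frame returned by rebuild_request would be sent to the control system; anything that raises Rejected is dropped and can be logged for the IDS to correlate.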
17. HOW DO WE TACKLE THIS?
• There has to be a joint effort between the security
people who understand IT—but do not understand the
domains of electric power, water, chemicals—and the
engineers who understand that domain, but may not
understand security. - Joe Weiss, 14 Jan, 2016,
“Cyberwire interview” (Managing Partner, Applied
Control Solutions)
• We (IT and Engineering) need to work together and
share in-depth knowledge of our different domains,
working for the one goal: Security.
18. THANK YOU
I certainly appreciate that your time is
valuable, and I am impressed that you chose
to spend some of it listening to me….
You are awesome!
And Remember: Security must be designed in, not simply bolted on!