SECURE TO THE LAST MILE
Learn how to build out your system so that it is secure to the last mile on a geographically dispersed SCADA system.
Terry Gilsenan
CIO/VP Technology, PIE Operating LLC
WHAT WE WILL DISCUSS TODAY
•  Security – A Definition, or two.
•  Real-Time IT – Where to get support.
•  Involving The CIA – spooky points of view.
•  The Last 10 Years – Have we learned anything?
•  The Battle Ground – it’s a war out there.
•  Self Awareness – The truth will set you free.
•  The GAP Analysis – is it convenient?
•  The Container Principle – Simple Tools.
•  What it is going to take – Give AND Take.
SECURITY MUST BE DESIGNED IN, NOT SIMPLY BOLTED ON!
•  In this context, security is a process, not a product. A process involves the ongoing application of a set of protocols covering hardware, software, procedures, and people.
•  Retro-fitting security into production systems is fraught with potential pitfalls.
•  The PROCESS must work.
Security must be designed in, not simply bolted on!
I.T. “MOSTLY” DOESN'T DO REAL TIME
•  For safety and security, we expect Availability and Control.
•  We have always assumed that Integrity was part of Availability.
•  Adding Confidentiality, and the authentication aspects of Integrity, has traditionally not been wanted, for several reasons:
1.  How would these changes/upgrades impact Availability?
2.  Backward compatibility with existing systems?
3.  Have you considered approaching the business and asking them to shut down the refinery for a couple of months while we retrofit?
Yeah, that!
THE C.I.A TRIAD – WHAT IS CRITICAL?
•  IT security starts with the CIA Triad and builds out from there, most often focusing on:
•  Confidentiality
•  Integrity
•  Process control starts with Availability, and often that’s as far as it goes.
•  We, yes we, are getting the opportunity to change this!
[Figure: the CIA triad – Confidentiality, Integrity, Availability]
STUXNET: CLICHÉ OR A WARNING
•  Attackers are successfully crossing the cyber/kinetic interface.
•  Stuxnet: cyber attack from late 2007, discovered in 2010.
•  Turkey pipeline blast, August 2008 (http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar); note that the cyber attribution in that report has since been disputed.
•  German steel mill blast-furnace destruction, 2014 (https://www.wired.com/2015/01/german-steel-mill-hack-destruction/).
•  The “Aurora” generator test: rapidly opening and reclosing the generator’s breaker out of phase with the grid, so that the inertia of the generation equipment fights the supply until the machine tears itself apart.
•  The list is growing.
PARADIGM SHIFT?
•  Stuxnet – why was it different?
•  It was entirely modular.
•  It behaved like a worm and used multiple vectors.
•  It took great pains to avoid collateral damage.
•  It sat as a man-in-the-middle between the engineering software and the PLC, showing operators a fake, normal-looking interface while the real logic was being altered.
•  It could read and change the logic in the controllers.
•  Unlike E.T., it did not need to “phone home”.
•  And it’s almost 10 years old…
Let that sink in for a moment…
SO… WHAT DO WE DO?
•  Know yourself, know the enemy. You need not fear the results of a hundred battles. – Sun Tzu
•  Do we even know what our enemy is?
•  Do we know our attack surface or our risk appetite?
•  The supreme art of war is to subdue the enemy without fighting. – Sun Tzu
•  This is about making sure we are not the low-hanging fruit.
KNOW YOUR ENEMY?
•  Who or what is our enemy?
•  If we have difficulty even defining who or what our enemy is, how can we know our enemy?
•  Thankfully there are people and resources available that we can use to gain a better understanding of this.
KNOW YOURSELF - CONNECTIONS
•  Are your networks connected to, or connectable from, unknown devices?
•  Do you have nodes that are controlled over GPRS or by SMS?
•  Do your systems traverse the internet?
•  Do you have critical but unreliable links, e.g. VSAT?
KNOW YOURSELF - PERIMETER
•  Many large-scale infrastructure systems refer to their “as-built” drawings as the only documentation they have. Many systems have been upgraded, extended and built out, but the documentation has not kept pace.
•  VLAN or separate physical networks? If the SCADA/DCS network shares the same physical infrastructure as the admin LAN, what happens to our systems when the IT department updates switching firmware? Are we OK with a 5-minute outage while the switch reboots? A VLAN separates traffic, not the switch’s control plane, reboot cycle or change schedule.
AIR-GAP VS CONVENIENCE
•  Consider for a moment a COO demanding to be able to connect to our SCADA/DCS control system to look at the operations in real time.
•  What can we do to prevent problems?
•  Say no to the COO?
•  Install VNC on the SCADA/DCS control system?
•  Design an application proxy and firewall that will provide very specific access and prevent all other access? ^^^ This is what I chose to do.
•  Remember: convenience will override security unless we educate the business AND provide the access that they NEED (note: Need != Want).
EDUCATION – HOW? WHO?
•  It is our responsibility to educate the business about the profit impact of addressing security in a workable way.
•  Don’t assume that the IT department can secure our systems; for the most part they don’t have the prerequisite knowledge.
•  Don’t assume that we can simply purchase a device that will secure our networks without impacting our real-time systems.
•  Don’t assume that the business executives know what needs to be done; they are looking to you to educate them.
CANNED ELEPHANT
•  The canning process keeps all the yummy goodness in, but what is more important is that it keeps contaminants, oxidizers and microbes out.
•  When we are looking at the task in front of us, we must remember to approach it as if we were eating an elephant: one mouthful at a time.
•  By using the canning analogy to contain and protect the systems, and then the elephant-meal analogy to take it step by step, the task becomes possible.
SIMPLE TOOLS
Building the tools I needed meant convincing some people to work together.
So, I put a Tux and a tie on this guy.
Total cost: less than $100.
THE APPLICATION PROXY
•  All bits are recycled, none are passed through: every connection terminates on the proxy, which parses the request and re-originates its own copy towards the control system. No client packet is forwarded as-is.
•  Firewall includes:
•  Snort IDS/IPS.
•  Port-knocking.
•  IP/MAC source policing.
•  Application-specific reverse proxy.
•  DROP-by-default firewall rules (including ICMP).
•  Certificate client authentication.
•  VPN between client and firewall.
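The following is an added example, not code from the deck or from PIE Operating, of the two ideas the "air-gap vs convenience" and "application proxy" slides combine: a DROP-by-default gate that only allow-listed, port-knocked sources can open, in front of an application-specific filter that parses each request and re-encodes it from its fields so that no client bytes are forwarded verbatim. The deck names no protocol, ports or addresses; this example assumes the control protocol is Modbus/TCP (MBAP header plus PDU), that the knock sequence is ports 7000, 8000, 9000, that only Modbus read function codes are allowed (what a COO watching operations needs, as opposed to wants), and the sample addresses and frames are constructed for the walk-through.

```python
"""Read-only application proxy gate for a SCADA/DCS link (added example).

Assumptions the deck does not state: Modbus/TCP as the control protocol,
ports 7000/8000/9000 as the knock sequence, and only read function codes
relayed.  Allowed requests are rebuilt from parsed fields, so the bytes
that reach the control network are the proxy's own ("recycled"), never the
client's.
"""
import struct

# Modbus function codes that only read: coils, discrete inputs, holding
# registers, input registers. Writes, diagnostics and vendor codes are refused.
READ_ONLY_FUNCS = {0x01, 0x02, 0x03, 0x04}

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed knock ports, in order
KNOCK_WINDOW = 10.0                   # seconds allowed to finish the sequence
OPEN_DURATION = 30.0                  # seconds the gate stays open afterwards

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id


class KnockGate:
    """Per-source port-knock state machine in front of DROP-by-default rules.

    Sources not on the allow-list are ignored outright (the IP/MAC policing
    the firewall does below this layer). A listed source must hit
    KNOCK_SEQUENCE in order within KNOCK_WINDOW seconds; a wrong port
    restarts the sequence. Same logic as chained iptables `recent` rules.
    """

    def __init__(self, allowed_sources):
        self.allowed = set(allowed_sources)
        self.progress = {}  # src -> (next index in sequence, time of first knock)
        self.opened = {}    # src -> time at which the gate closes again

    def knock(self, src, port, now):
        """Record one knock; return True only when the sequence just completed."""
        if src not in self.allowed:
            return False
        idx, started = self.progress.get(src, (0, now))
        if now - started > KNOCK_WINDOW:      # too slow: start over
            idx, started = 0, now
        if port == KNOCK_SEQUENCE[idx]:
            idx += 1
        else:  # wrong port; a hit on the first knock port counts as a restart
            idx, started = (1, now) if port == KNOCK_SEQUENCE[0] else (0, now)
        if idx == len(KNOCK_SEQUENCE):
            self.progress.pop(src, None)
            self.opened[src] = now + OPEN_DURATION
            return True
        self.progress[src] = (idx, started)
        return False

    def is_open(self, src, now):
        return src in self.allowed and self.opened.get(src, 0.0) > now


def parse_request(frame):
    """Split an MBAP+PDU frame into (tid, unit, func, data); ValueError if malformed."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError("protocol id is not Modbus (0)")
    if length != len(frame) - 6:  # length covers unit id + PDU, nothing else
        raise ValueError("length field does not match frame size")
    return tid, unit, frame[7], frame[8:]


def build_request(tid, unit, func, data):
    """Re-encode a request from parsed fields; this is what goes onward."""
    return MBAP.pack(tid, 0, 2 + len(data), unit) + bytes([func]) + data


def filter_read_request(frame):
    """Return a freshly built frame if the request is an allowed read, else None.

    Reads carry exactly start address + quantity (4 bytes) and the protocol
    caps the quantity (2000 bits or 125 registers); anything else is refused.
    """
    tid, unit, func, data = parse_request(frame)
    if func not in READ_ONLY_FUNCS or len(data) != 4:
        return None
    _start, qty = struct.unpack(">HH", data)
    max_qty = 2000 if func in (0x01, 0x02) else 125
    if not 1 <= qty <= max_qty:
        return None
    return build_request(tid, unit, func, data)


def relay(gate, src, frame, now):
    """Proxy decision for one client request: bytes to send to the PLC, or None."""
    if not gate.is_open(src, now):
        return None
    try:
        return filter_read_request(frame)
    except ValueError:          # malformed frames are dropped, never forwarded
        return None


if __name__ == "__main__":
    # Constructed walk-through: one allow-listed workstation and one stranger.
    gate = KnockGate(allowed_sources={"10.0.0.5"})
    t = 1000.0
    for i, port in enumerate(KNOCK_SEQUENCE):
        gate.knock("10.0.0.5", port, t + i)
    read = build_request(1, 1, 0x03, struct.pack(">HH", 0, 10))       # read 10 holding registers
    write = build_request(2, 1, 0x06, struct.pack(">HH", 0, 0x1234))  # write single register
    print("read relayed:   ", relay(gate, "10.0.0.5", read, t + 3) == read)
    print("write refused:  ", relay(gate, "10.0.0.5", write, t + 3) is None)
    print("stranger refused:", relay(gate, "10.0.0.9", read, t + 3) is None)
```

The knock gate and the allow-list stand in for what the firewall does in iptables; the value of the Python version is that the filter decision is explicit: a write from a fully authenticated, knocked, VPN-connected client is still refused, because the proxy only knows how to build read requests. In a real deployment the certificate authentication and VPN listed on the slide sit in front of this, and the proxy speaks to the PLC from its own socket.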
HOW DO WE TACKLE THIS?
•  “There has to be a joint effort between the security people who understand IT—but do not understand the domains of electric power, water, chemicals—and the engineers who understand that domain, but may not understand security.” – Joe Weiss, Managing Partner, Applied Control Solutions, CyberWire interview, 14 Jan 2016.
•  We (IT and Engineering) need to work together and share in-depth knowledge of our different domains, working for the one goal: security.
THANK YOU
I certainly appreciate that your time is valuable, and I am impressed that you chose to spend some of it listening to me….
You are awesome!
And remember: Security must be designed in, not simply bolted on!
