Every day we are hearing in the media of potential Cyber Security threats to Critical National Infrastructure such as power grids, airlines and nuclear power stations. David has spent over 40 years working in the ICS environments. He was invited to speak in London at the British Computer Society cyber event these are the slides.

1. Cyber Security in Real-Time Systems
Threats to SCADA and other real time
systems an update from the coal face.
David Spinks – Independent Cyber Security Consultant
April 2015
CSIRS
Cyber Security in Real-Time Systems

2. CSIRS
Cyber Security in Real-Time Systems
Why me?

3. 1970/75 – Glaxo Laboratories Cambois Northumberland -Worlds First Large ScaleAutomation

4. 1990 - 2000
Railtrack Safety
Critical Software
Sizewell B Software Emergency
Shut Down code validation
UK Government
assessment of Embedded
SoftwareAviation

5. CSIRS
Cyber Security in Real-Time Systems
Industrial Control Systems
Current Business
Environments
&
Drivers

6. “The Grey”
Traditional IT
Industrial
Control
Systems
?

7. ITTools, Methods, Culture ICS Culture,Tools
Very different and apparently no middle ground
“The Cavalry fast moving and flexible”
The Cannons fixed, slow yet effective not changed
much for centuries

8. Scada Hybrid Networks security comparison

9. CSIRS
Cyber Security in Real-Time Systems
Little or no action
to close the gap?

10. CSIRS
Cyber Security in Real-Time Systems
Advanced :
Planned ahead of time
Executed by individuals who have expertise
Intelligence gathered about “target” in advance
Adoption of social engineering techniques
Covering of entry and exit points
Motive not always understood
Perpetrated by unknown agencies
Multiple points of entry technical and non-technical
Complex execution across a period of time may be months or years
Use of multiple technologies, tools and techniques
Insider threat must be considered a possible entry point
Will explore logical and physical security weaknesses
May extend to supply chain
Changes in education of IT and ICS engineers
Changes in culture in large organisations
Disclosure & Legislation & Regulation
Information exchange
Investments in ICS security
Changes in ICS vendor culture
PossibleActions

11. CSIRS
Cyber Security in Real-Time Systems
What do recent statics
and surveys show us?

12. Trends impacting ICS Cyber Security
Business demands that data be passed from ICS to IT. Direct and
indirect connections.
Sophistication of attacks (the ones we know about) is increasing.
75% of breaches are discovered by third parties.
Resulting impacts of each attack is growing exponentially.

13. DocumentedAttacks on ICS from US ICS Cert Report

14. The majority of incidents were categorized as having an “unknown” access vector. In these instances, the organization
was confirmed to be compromised; however, forensic evidence did not point to a method used for intrusion because of a
lack of detection and monitoring capabilities within the compromised network

16. CSIRS
Cyber Security in Real-Time Systems
Example of poor
monitoring of a SCADA
system.

17. Information about the 8 November incident came to light
via the blog of Joe Weiss who advises utilities on how to
protect hardware against attack.
Mr Weiss quoted from a short report by the Illinois Statewide
Terrorism and Intelligence Center which said hackers
obtained access using stolen login names and passwords.
These were taken from a company which writes control
software for industrial systems.
The net address through which the attack was carried
out was traced to Russia, according to Mr Weiss. The
report said "glitches" in the remote access system for the
pump had been noticed for months before the burn out, said
Mr Weiss.

18. “I could have straightened it up with just one phone call, and this would all have
been defused,” said Jim Mimlitz, founder and owner of Navionics Research, who
helped set up the utility’s control system.“They assumed Mimlitz would never
ever have been in Russia.They shouldn’t have assumed that.”
Mimlitz’s small integrator company helped set up the Supervisory Control and
DataAcquisition system (SCADA) used by the Curran Gardner PublicWater
District outside of Springfield, Illinois, and provided occasional support to the
district. His company specializes in SCADA systems, which are used to control and
monitor infrastructure and manufacturing equipment.
Mimlitz says last June, he and his family were on vacation in Russia when someone
from Curran Gardner called his cell phone seeking advice on a matter and asked
Mimlitz to remotely examine some data-history charts stored on the SCADA
computer.

19. CSIRS
Cyber Security in Real-Time Systems
Common ground might
be the Security
Operations Centres?

20. Post Event Investigations:
Access to HR
Attendance records
Door access logs
Audit records
Phone logs
Systems logs

21. Potential Common Ground
Security
Operations Centre
IT ICS
Threats
Very few common methods such as NIST & Identity Management
Use Cases Mitigation
Impacts
DO-178C (avionics),
ISO 26262 (automotive systems),
IEC 62304 (medical devices),
CENELEC EN 50128 (railway systems),
ISO 27001:2013
Cobit 4.1
ISF
ISO 20000
Tools
Risks
Investigations

22. Potential Solution:
Small team cross trained across IT and ICS
Adoption of common language and understanding of impacts
Shared understanding ofThreats
Devise and plan for integrated tools ICS<>IT
Speak to bot camps
Common understanding of potential impacts
But would require commitment and proper funding

23. CSIRS
Cyber Security in Real-Time Systems
Information andWhite
Papers

24. Lots of white papers and solutions are available

26. CSIRS
Cyber Security in Real-Time Systems
Highest and Serious
Threats

27. Lessons still to be learnt
Insider threats
Social engineering
Prevent rather than respond
Effective intelligence and analysis
Planned and tested response to threats

28. Solution:
Understand what is “normal”
Monitor for unusual trends
Collect and analyse cyber intelligence
Investigate
Act accordingly
Actions

29. CSIRS
Cyber Security in Real-Time Systems
Recent
media reports
of interest

30. CSIRS
Cyber Security in Real-Time Systems
Planned ahead of time
Executed by individuals who have expertise
Intelligence gathered about “target” in advance
Adoption of social engineering techniques
Covering of entry and exit points
Motive not always understood
Perpetrated by unknown agencies
Rail signal upgrade 'could be hacked to cause crashes'
Prof David Stupples told the BBC that plans to replace ageing signal lights with
new computers could leave the rail network exposed to cyber-attacks.
UK tests of the European RailTraffic Management System are under way.
Network Rail, which is in charge of the upgrade, acknowledges the threat.
http://www.bbc.co.uk/news/technology-32402481

31. CSIRS
Cyber Security in Real-Time Systems
Advanced :
Planned ahead of time
Executed by individuals who have expertise
Intelligence gathered about “target” in advance
Adoption of social engineering techniques
Covering of entry and exit points
Motive not always understood
Perpetrated by unknown agencies
The debate erupted after cybersecurity expert Chris Roberts, founder of OneWorld Lab in
Denver, sent a tweet while he was a passenger on a UnitedAirlines flight suggesting he could
hack into the airline’s onboard system to trigger the oxygen masks to drop.
When the plane landed in Syracuse, FBI agents were waiting to question him and confiscate
his electronic devices, according to a statement from Roberts’ attorneys.
UnitedAirlines also was not amused and banned Roberts from flying on the carrier.
On the 27th April 2015 ….Yesterday

32. CSIRS
Cyber Security in Real-Time Systems
Advanced :
Planned ahead of time
Executed by individuals who have expertise
Intelligence gathered about “target” in advance
Adoption of social engineering techniques
Covering of entry and exit points
Motive not always understood
Perpetrated by unknown agencies
Persistent :
Today - AmericanAirlines planes grounded by iPad app error

33. CSIRS
Cyber Security in Real-Time Systems
Linkedin CSIRS :
http://www.linkedin.com/groupRegistration?gid=3623430
Dspinks41@gmail.com
Questions?