process control cyber security
Post on 18-Jan-2015
459 Views
Preview:
DESCRIPTION
TRANSCRIPT
Process Control Cyber Security
Jim GilsinnSenior Investigator
Kenexis Security Consulting
2
Before we start…
• Who wants a process that they can say is secure?
3
Before we start…
• Who wants a process that they can say is secure?
• Who wants a process that does what its expected to do, when and for who its expected to do it, and for the purposes it was designed?
4
• Who wants a process that they can say is secure?
• Who wants a process that does what its expected to do, when and for who its expected to do it, and for the purposes it was designed?
Before we start…
5
Safety
SecurityPerformance
6
Safety
SecurityPerformance
RELIABILITY
7
Selected Aspects of Security
• Risk Management
• Network Segmentation
• Monitoring
8
Risk Management
• Risk management is nothing new– Safety, financial,
physical security have all been around for a long time
• Cyber security should not try to reinvent the wheel
9
Risk Management
• Brown Field– Probably have some
risk management and treatment in place
– Security should feed into existing risk management process, not be a separate entity
• Green Field– Security should be part
of the process from the beginning
10
Risk Management
• Consequences are generally the same–Many times they are already identified– Difference comes about due to root cause
• Expand to include areas where:– People don’t act as they are supposed– Devices don’t act as they are designed
• Be wary of statements like “Well, that could never happen” and “Why would anyone do that”.
11
Network Segmentation
• Network segmentation as a security technique:– Prevents the spread of an incident– Provides a front-line set of defenses
• Network segmentation is a lot more!
12
Network Segmentation
• Network segmentation is a process to understand:–What devices communicate– How fast/often those devices
communicate–Where information flows–What form that information takes
• Technology helps, but architecture is more important
13
Network Segmentation
• Limit the ingress and egress points through zone boundaries
• Protect the connections between zones
• Zones & conduits are logical– For practical purposes,
match zones to network architecture as much as possible
14
Network Segmentation
15
Monitoring
• Do any of these sound familiar?– It used to work.– Something just seems to have failed.– Not really sure what happened.– Don’t do anything to that system over
there, its touchy.– This system is just so slow.
16
Monitoring
• Monitoring is extremely important– Firewalls are good, but useless if you aren’t
monitoring the rules and logs– IDS are useful (if monitored). Not many are
industrial aware, but can be trained.– Network performance indicators can give early
indications of something failing
17
Performance Monitoring
• Monitoring isn’t just for security• Performance can be a leading
indicator– Small blips in performance can indicate
unusual activity
• Helps to eliminating false-positives
18
Performance Monitoring2 ms Mean Measured Packet Interval~ ±0.8 ms Jitter
19
Performance Monitoring
2 ms Mean Measured Packet Interval-0.8 ms to +2.2 ms Jitter
20
Performance Monitoring50 ms Mean Measured Packet IntervalBimodal (25 ms & 75 ms) with Outliers (100 ms)
21
Looking Forward
• Vulnerabilities
• Whitelisting
22
Vulnerabilities
• Vulnerabilities will always exist in the industrial environment– Zero-day vulnerabilities are inevitable– Infinite-day vulnerabilities are not uncommon– Industrial protocols themselves are vulnerable
• Well-crafted malware can exist for months or years before detected
• Do vulnerabilities mean badthings will happen?
23
Whitelisting
• Limits execution on a computer– Known good set of applications
and libraries–Monitors applications and memory-space
against changes
• Has been around for a while• Makes sense for industrial environment
where things remain relatively static• Not a silver bullet!
24
Contact Information
• Jim GilsinnSenior InvestigatorKenexis Security Consulting
• http://www.kenexis.com• (614) 323-2254• @JimGilsinn
top related