
Protecting Critical Infrastructure in the Design-Build Framework...A Focus on Cybersecurity


8/20/2015

1

Protecting Critical Infrastructure in the Design-Build Framework …A Focus on Cybersecurity

Chuck McGregor, CISM
VP, Parsons Converged Security Team

Overview

• Owner-Operator Pressures
• View: Converged Security
• Update: Cybersecurity Threats
• Security in the Engineering Process
• Call to Action

ITAR CM.01.2014


Owner-Operator Pressures

• Resources
• Operational Effectiveness
• Environmental Efficiency
• Regulatory Compliance

(Diagram: Converged Security shown at the center of these four pressures)


Converged Security – Critical Asset Protection

• Physical Security
  – Surveillance Systems
  – Access Control Systems
  – Anti-trespass Systems
• Cybersecurity
  – Operational Technology Security
    • Industrial Control Systems
  – Endpoint Security
  – Configuration Change Management Systems
  – Alert Warning Systems

Cyber Threats

• Espionage
• Reconnaissance
• Remote Control
• Disruption of Critical HW
• ICS Interdiction
• Irreversible Damage


Cyber Attacks - the Numbers

Source: Symantec Internet Security Threat Report XVIII, April 2013
Source: 2014 Verizon Cybersecurity Report

Critical Infrastructure Attacks on the Rise

• Gazprom, Bellingham Gas Pipeline (1999)
• Maroochy Water System (2000)
• Davis-Besse Nuclear Power Plant (2003)
• CSX Corporation (2003)
• Tehama Colusa Canal Authority (2007)
• STUXNET (2010)
• Night Dragon (2011)
• Shady RAT (2011)
• DUQU (2011)
• Flame (2012)
• Aramco – Shamoon (2012)
• Red October (2013)
• Carmel Tunnel (2013)
• Monju Japan Nuclear Plant (2014)
• Havex – Energetic Bear (2014)


DHS ICS-CERT reported a 52% increase in reported attacks in 2012. The 2013 attack number was greater.


Threat Evolution

• Change in Motives
• Sophistication & Intensity
  – Viruses → Denial of Service Attacks → Malware Injection
  – Advanced Persistent Threats (APTs)
• Scope Evolution – the main targets are changing…
  – Military → Gov’t Actors → Defense Contractors → Critical Infrastructure Owners/Operators
• We are in a “New Era” of Cyber Warfare


Focus on ICS/SCADA Systems


Critical Infrastructure Defined – SCADA/ICS Drill-Down

• Industrial Control Systems (ICS) refer to a broad array of control systems
  – SCADA (Supervisory Control and Data Acquisition)
  – BMS (Building Management Systems)
  – DCS (Distributed Control Systems)
  – PCS (Process Control Systems)
  – EMS (Emergency Management Systems)
  – AS (Automation Systems)
  – SIS (Safety Instrumented Systems)
  – HMI (Human Machine Interface)


SCADA System Vulnerabilities

• Aged Technology
• Low Sophistication
• Extremely Sensitive
• Increasingly Connected to Enterprise Systems
• Increasingly Windows™ based
• Operational Mindsets
  – Operations and Downtime
  – Competition for Investment Resources
• Increase in RF Technology Connectivity


Steps to Secure Critical Asset ICS

1. Lock your PLC Closets and Server Rooms!
2. Disable internet access to trusted resources
3. Maintain trusted resources at latest patch levels
4. Require two-factor combinations for all systems
5. Control contractor access
6. Use network segmentation
7. Forbid ICS protocols on corporate networks
8. Implement external media lockdown
9. Follow a standard (NIST 800-52)
10. Red Team often / Exercises

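Steps 5 to 7 above (contractor access, segmentation, no ICS protocols on corporate networks) can be checked mechanically against network flow records. The following is an added example, not code from the slides or from Parsons; the zone ranges, the jump-host address and the sample flows are constructed, and the ICS port list covers a few well-known protocols only.

```python
# Added example (not from the slides): a segmentation policy check that flags
# ICS protocols seen outside the OT zone and non-jump-host access into OT.
# Zones, jump host and flow records below are constructed for illustration.
import ipaddress
from collections import namedtuple

# Well-known ICS/SCADA protocol ports (Modbus/TCP, Siemens S7comm, DNP3,
# EtherNet/IP, BACnet); a flow to any of these ports counts as ICS traffic.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3",
             44818: "EtherNet/IP", 47808: "BACnet"}

# Constructed zone map: OT (control network) and CORP (enterprise network).
ZONES = {"OT": ipaddress.ip_network("10.10.0.0/16"),
         "CORP": ipaddress.ip_network("192.168.0.0/16")}
JUMP_HOSTS = {"192.168.50.5"}   # the only corporate host allowed into OT

Flow = namedtuple("Flow", "src dst dport proto")

def zone_of(ip):
    """Map an address to its zone name; anything unmapped is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "EXTERNAL")

def check_flow(flow):
    """Return a violation string, or None if the flow is policy-compliant."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    ics = ICS_PORTS.get(flow.dport)
    # Step 7: ICS protocols must stay entirely inside the OT zone.
    if ics and (src_zone != "OT" or dst_zone != "OT"):
        return f"{ics} outside OT zone: {flow.src}->{flow.dst}:{flow.dport}"
    # Steps 5/6: only the designated jump host may cross into OT.
    if dst_zone == "OT" and src_zone != "OT" and flow.src not in JUMP_HOSTS:
        return f"non-jump-host access into OT: {flow.src}->{flow.dst}:{flow.dport}"
    return None

def audit(flows):
    """Run every flow through the policy and collect the violations."""
    return [v for v in (check_flow(f) for f in flows) if v]

# Constructed sample flows: a Modbus poll inside OT, a jump-host RDP session,
# a Modbus poll from a corporate workstation, and DNP3 from an external host.
SAMPLE_FLOWS = [
    Flow("10.10.1.20", "10.10.2.7", 502, "tcp"),
    Flow("192.168.50.5", "10.10.1.20", 3389, "tcp"),
    Flow("192.168.7.42", "10.10.2.7", 502, "tcp"),
    Flow("203.0.113.9", "10.10.3.1", 20000, "tcp"),
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print("VIOLATION:", violation)
```

Feeding exported firewall or NetFlow records into `audit` in place of `SAMPLE_FLOWS` turns the slide's rules into a repeatable check; the last two sample flows are the ones it reports.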

Focus on the Impact of Building Information Modeling (BIM)


Steps to Secure the Engineering Process

1. Solution design → Ops & Maintenance → Decommissioning
2. Organization, structure of data, securing the data
   – Impact of Building Information Modeling (BIM data)
3. Securing communications with contractors – encryption
4. Securing facility diagrams, pollution analysis, hazardous material data, BIM, Facility Condition Assessment data…
5. Proper destruction of project materials


BIM = Increased Cyber Exposure

• Often misunderstood/poorly designed/controlled
• Multiple parties contributing
• Database interconnectivity
• Valuable intelligence
• Multiple points of attack

Key Thought

• Data design and structure needed for “Big Data” is very similar to that of a BIM deployment


More Systems = More Data = Larger Attack Surface


Key Tips to Secure BIM Deployments

1. Push for a robust security architecture
2. Ask your Technology Director for a data security plan
3. Engage/Involve your cybersecurity team early – educate them
4. Don’t compromise strong security practices to facilitate Control and OEM access


CALL TO ACTION! Our Responsibilities

• Education
• Situational Awareness
• Design Security into Our Solutions
• Ask Security Engineers Questions
• Embrace Security as a Value


Thank You

• Chuck McGregor, VP – Deputy Cybersecurity Director
  (704) 957-2572
  [email protected]
  @chuck_mcg
