Process Control Cyber Security

Process Control Cyber Security

Jim GilsinnSenior Investigator

Kenexis Security Consulting

2

Before we start…

• Who wants a process that they can say is secure?

3

Before we start…


• Who wants a process that does what its expected to do, when and for who its expected to do it, and for the purposes it was designed?

4


• Who wants a process that does what its expected to do, when and for who its expected to do it, and for the purposes it was designed?

Before we start…

5

Safety

SecurityPerformance

6

Safety

SecurityPerformance

RELIABILITY

7

Selected Aspects of Security

• Risk Management

• Network Segmentation

• Monitoring

8

Risk Management

• Risk management is nothing new– Safety, financial,

physical security have all been around for a long time

• Cyber security should not try to reinvent the wheel

9

Risk Management

• Brown Field– Probably have some

risk management and treatment in place

– Security should feed into existing risk management process, not be a separate entity

• Green Field– Security should be part

of the process from the beginning

10

Risk Management

• Consequences are generally the same–Many times they are already identified– Difference comes about due to root cause

• Expand to include areas where:– People don’t act as they are supposed– Devices don’t act as they are designed

• Be wary of statements like “Well, that could never happen” and “Why would anyone do that”.

11

Network Segmentation

• Network segmentation as a security technique:– Prevents the spread of an incident– Provides a front-line set of defenses

• Network segmentation is a lot more!

12


• Network segmentation is a process to understand:–What devices communicate– How fast/often those devices

communicate–Where information flows–What form that information takes

• Technology helps, but architecture is more important

13


• Limit the ingress and egress points through zone boundaries

• Protect the connections between zones

• Zones & conduits are logical– For practical purposes,

match zones to network architecture as much as possible

14


15

Monitoring

• Do any of these sound familiar?– It used to work.– Something just seems to have failed.– Not really sure what happened.– Don’t do anything to that system over

there, its touchy.– This system is just so slow.

16

Monitoring

• Monitoring is extremely important– Firewalls are good, but useless if you aren’t

monitoring the rules and logs– IDS are useful (if monitored). Not many are

industrial aware, but can be trained.– Network performance indicators can give early

indications of something failing

17

Performance Monitoring

• Monitoring isn’t just for security• Performance can be a leading

indicator– Small blips in performance can indicate

unusual activity

• Helps to eliminating false-positives

18

Performance Monitoring2 ms Mean Measured Packet Interval~ ±0.8 ms Jitter

19

Performance Monitoring

2 ms Mean Measured Packet Interval-0.8 ms to +2.2 ms Jitter

20

Performance Monitoring50 ms Mean Measured Packet IntervalBimodal (25 ms & 75 ms) with Outliers (100 ms)

21

Looking Forward

• Vulnerabilities

• Whitelisting

22

Vulnerabilities

• Vulnerabilities will always exist in the industrial environment– Zero-day vulnerabilities are inevitable– Infinite-day vulnerabilities are not uncommon– Industrial protocols themselves are vulnerable

• Well-crafted malware can exist for months or years before detected

• Do vulnerabilities mean badthings will happen?

23

Whitelisting

• Limits execution on a computer– Known good set of applications

and libraries–Monitors applications and memory-space

against changes

• Has been around for a while• Makes sense for industrial environment

where things remain relatively static• Not a silver bullet!

24

Contact Information

• Jim GilsinnSenior InvestigatorKenexis Security Consulting

• http://www.kenexis.com• (614) 323-2254• @JimGilsinn

http://www.kenexis.com/