What's the Big Deal with Assessing ICS/SCADA?

Post on 15-Apr-2017


Jim Gilsinn

• 4 Years Senior Investigator, Kenexis Consulting

• 20 Years Electronics Engineer, NIST Engineering Lab

• Got my first certification less than a year ago

• @JimGilsinn

• jim.gilsinn@kenexis.com

Why Am I Here?

• ICS/SCADA systems are an extension of IT systems

• ICS/SCADA systems are being connected to IT systems

• ICS/SCADA systems don’t behave like IT systems

• ICS/SCADA systems are now being scrutinized

Traditional ICS/SCADA

• ICS = Industrial Control Systems

• DCS = Distributed Control Systems

• SCADA = Supervisory Control And Data Acquisition

Non-Traditional ICS/SCADA or “Control Systems”

• Building automation systems

• Heating, ventilation, and air conditioning (HVAC) systems

• Energy monitoring & conservation systems

• Fire monitoring & suppression systems

• Physical security systems

• Traffic monitoring & control systems

• Sensor networks

If You Live Here…


What Do A Lot Of Assessors Do?

• Discover ICS/SCADA systems inadvertently!

• Knock things over accidentally!

• Avoid them like the plague!

• There is a better way!

Understand the Risks

Understanding the Risks

• Talk to the customer!

• Very few assessment steps have a “Crater Factor”

• Most problems lead to system downtime

• Unplanned downtime is real $$$

Determine What The Customer REALLY Wants

• Passive Network Assessment

• Vulnerability Assessment

• Penetration Test

Figure Out How To Tailor Tools For Use

• Most are IT tools tailored for ICS/SCADA

• Slow things down

• Don’t be aggressive

• Second guess the tools
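The talk's preferred starting point is a passive network assessment: learn what is on the control network from traffic you observe rather than from packets you send. The following is an added example, not code from the talk or from Kenexis, of a passive asset inventory built from flow records captured off a SPAN port. It assumes a hypothetical flow-record tuple format, a constructed zone layout (control vs. IT subnets), and a port-to-protocol table that is only a heuristic; every identification is therefore labelled tentative and is meant to be confirmed with the plant engineers, which is the "second guess the tools" point in practice. It also flags controllers that talk across the control/IT boundary, the connectivity the earlier slides warn about.

```python
"""Passive ICS asset inventory from captured flow records (added example).

Nothing here sends traffic to a controller: the input is flow records that
were observed passively. Port-based protocol identification is a heuristic,
so results are labelled tentative and should be confirmed with the customer.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Well-known listener ports for common ICS protocols (assumed mapping; a
# port number is a hint about the protocol, not proof).
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    20000: "DNP3",
    44818: "EtherNet/IP explicit",
    2222: "EtherNet/IP implicit (I/O)",
    4840: "OPC UA",
    47808: "BACnet/IP",
}

# Constructed zone layout: which subnets are control and which are corporate IT.
CONTROL_ZONES = [ip_network("10.10.0.0/16")]
IT_ZONES = [ip_network("192.168.0.0/16")]


@dataclass
class Asset:
    ip: str
    protocols: set = field(default_factory=set)   # tentative, port-based
    roles: set = field(default_factory=set)       # "server" and/or "client"
    peers: set = field(default_factory=set)
    cross_zone: bool = False                      # talks across control/IT boundary


def zone_of(ip):
    addr = ip_address(ip)
    if any(addr in net for net in CONTROL_ZONES):
        return "control"
    if any(addr in net for net in IT_ZONES):
        return "it"
    return "unknown"


def build_inventory(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, transport) tuples (hypothetical format)."""
    assets = {}
    for src, dst, dport, _transport in flows:
        proto = ICS_PORTS.get(dport)
        if proto is None:
            continue                      # not an ICS listener port; ignore for this inventory
        server = assets.setdefault(dst, Asset(dst))
        client = assets.setdefault(src, Asset(src))
        server.protocols.add(proto)
        server.roles.add("server")
        client.protocols.add(proto)
        client.roles.add("client")
        server.peers.add(src)
        client.peers.add(dst)
        if zone_of(src) != zone_of(dst):
            server.cross_zone = client.cross_zone = True
    return assets


def controllers(assets):
    """Hosts answering on ICS ports: the devices an aggressive active scan could knock over."""
    return sorted(ip for ip, a in assets.items() if "server" in a.roles)


def cross_zone_talkers(assets):
    """Hosts with at least one ICS-protocol conversation across the control/IT boundary."""
    return sorted(ip for ip, a in assets.items() if a.cross_zone)


def report(assets):
    lines = []
    for ip in sorted(assets):
        a = assets[ip]
        flag = "  CROSS-ZONE" if a.cross_zone else ""
        lines.append(f"{ip:16} roles={'/'.join(sorted(a.roles))} "
                     f"protocols(tentative)={', '.join(sorted(a.protocols))} "
                     f"peers={len(a.peers)}{flag}")
    return "\n".join(lines)


# Constructed sample capture: an HMI polling two Modbus PLCs and an EtherNet/IP
# controller, I/O traffic between controllers, one IT-side host reaching a PLC,
# and one ordinary HTTPS flow that the inventory correctly ignores.
SAMPLE_FLOWS = [
    ("10.10.1.50", "10.10.1.10", 502, "tcp"),
    ("10.10.1.50", "10.10.1.11", 502, "tcp"),
    ("10.10.1.50", "10.10.1.20", 44818, "tcp"),
    ("10.10.1.20", "10.10.1.21", 2222, "udp"),
    ("192.168.5.7", "10.10.1.10", 502, "tcp"),
    ("10.10.1.50", "10.10.1.10", 443, "tcp"),
]

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FLOWS)
    print(report(inventory))
    print("controllers (do not actively scan without customer sign-off):", controllers(inventory))
    print("cross-zone talkers:", cross_zone_talkers(inventory))
```

The controller list is the practical output for the pre-engagement conversation: it is the set of hosts to discuss with the customer before any active tool is pointed at the network, and the cross-zone list is the first thing to walk through with them when deciding what the engagement should actually cover.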

Questions To Ask – Pre-Engagement

• PPE = Personal Protective Equipment?

• Safety training?

• Can we actually plug in?

• Logistics of communication?

• Where/how are we allowed to store data?

Questions To Ask – During Engagement

• What are the risks?

• Walk-down?

• Will someone be monitoring the system?

• How do we report things?

Questions

• Jim Gilsinn

• @JimGilsinn

• jim.gilsinn@kenexis.com