Date posted: 20-Aug-2020
Page 1

SECURE TO THE LAST MILE Learn How To Build Out Your System So That It Is Secure To The Last Mile On A Geographically Disperse SCADA System

Terry Gilsenan CIO/VP Technology, PIE Operating LLC

Page 2

WHAT WE WILL DISCUSS TODAY

•  Security – A Definition, or two.

•  Real-Time IT – Where to get support.

•  Involving The CIA – spooky points of view.

•  The Last 10 Years – Have we learned anything?

•  The Battle Ground – it’s a war out there.

•  Self Awareness – The truth will set you free.

•  The GAP Analysis – is it convenient?

•  The Container Principle – Simple Tools.

•  What it is going to take – Give AND Take.

Page 3

SECURITY MUST BE DESIGNED IN, NOT SIMPLY BOLTED ON!

•  In this context, Security is a process not a product. A process involves the ongoing application of a set of protocols covering hardware, software, procedures, and people.

•  Retro-fitting security into production systems is fraught with potential pitfalls.

•  The PROCESS must work.

Security must be designed in, not simply bolted on!

Page 4

I.T. “MOSTLY” DOESN'T DO REAL TIME

•  For Safety, and Security, we expect Availability and Control.

•  We have always assumed that Integrity was part of Availability.

•  Adding Confidentiality and the Authentication aspects of Integrity has traditionally not been desired, for several reasons:

    1.  How would these changes/upgrades impact Availability?

    2.  Backward compatibility with existing systems?

    3.  Have you considered approaching the business and asking them to shut down the refinery for a couple of months while we retrofit? Yeah, that!


Page 5

THE C.I.A TRIAD – WHAT IS CRITICAL?

•  IT security starts with the CIA Triad and builds out from there, most often focusing on:

    •  Confidentiality

    •  Integrity

•  Process Control starts with Availability and often that’s as far as it goes.

•  We, yes we, are getting the opportunity to change this!

(Figure: the CIA triad triangle, with Confidentiality, Integrity and Availability at its corners)


Page 6

STUXNET: CLICHÉ OR A WARNING

•  Hackers are successfully crossing the cyber/kinetic interface.

•  Stuxnet, cyber attack – late 2007, discovered 2010.

•  Turkey pipeline blast, August 2008 (http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar)

•  German Steel Mill Blast Furnace destruction 2014 (https://www.wired.com/2015/01/german-steel-mill-hack-destruction/)

•  The “Aurora attack”, Using the inertia of the generation equipment to force the phase angle out of sync with the supply.

•  The list is growing.


Page 7

PARADIGM SHIFT?

•  Stuxnet – Why was it different?

•  It was entirely modular.

•  It behaved like a worm and used multiple vectors.

•  It took great pains to avoid collateral damage.

•  It was a reverse proxy to a fake interface.

•  It could read and change the logic in the controllers.

•  Unlike E.T., It did not need to “phone home”.

•  And it's almost 10 years old… Let that sink in for a moment…


Page 8

SO… WHAT DO WE DO?

•  Know yourself, know the enemy. You need not fear the results of a hundred battles. – Sun Tzu

•  Do we even know what our enemy is?

•  Do we know our risk surface or our risk appetite?

•  The supreme art of war is to subdue the enemy without fighting. – Sun Tzu

•  This is about making sure we are not the low hanging fruit.


Page 9

KNOW YOUR ENEMY?

•  Who or what is Our Enemy?

•  If we have difficulty in even defining who or what our enemy is, how can we know our enemy?

•  Thankfully there are people and resources available that we can utilize to gain a better understanding of this.


Page 10

KNOW YOURSELF - CONNECTIONS

•  Are your networks connected to or connectable from unknown devices?

•  Do you have nodes that are controlled by GPRS or SMS?

•  Do your systems traverse the internet?

•  Do you have critical but unreliable links, e.g. VSAT?


Page 11

KNOW YOURSELF - PERIMETER

•  Many large-scale infrastructure systems refer to their “As-Built” as the only documentation they have. Many systems have been upgraded, extended and built out, but the documentation has not kept pace.

•  VLAN or separate physical networks? If the SCADA/DCS network shares the same physical infrastructure as the ADMIN LAN, what happens to our systems when the IT department updates switching firmware, etc.? Are we OK with a 5 minute outage while the switch is rebooted?


Page 12

AIR-GAP VS CONVENIENCE

•  Consider for a moment a COO demanding to be able to connect to our SCADA/DCS control system to look at the operations in real time.

•  What can we do to prevent problems?

    •  Say no to the COO?

    •  Install VNC on the SCADA/DCS control system?

    •  Design an application proxy and firewall that will provide very specific access and prevent all other access?

•  Remember: Convenience will override security unless we educate the business AND provide the access that they NEED (note: Need != Want).


^^^ This is what I chose to do

Page 13

EDUCATION – HOW? WHO?

•  It is our responsibility to educate the business about the profit impacts of addressing security in a workable way.

•  Don’t assume that the IT department can secure our systems; for the most part they don’t have the prerequisite knowledge.

•  Don’t assume that we can simply purchase a device that will secure our networks without impacting our real-time systems.

•  Don’t assume that the business executives know what needs to be done - they are looking to you to educate them.


Page 14

CANNED ELEPHANT

•  The canning process keeps all the yummy goodness in, but what is more important is that it keeps contaminants, oxidizers, and microbes out.

•  When we are looking at the task in front of us, we must remember to approach it as if we were eating an elephant: one mouthful at a time.

•  By using the canning analogy to contain and protect the systems, and then the elephant meal analogy to take it step by step… the task becomes possible.


Page 15

SIMPLE TOOLS


Building the tools I needed meant convincing some people to work together.

So, I put a Tux and a tie on this guy.

Total Cost: Less than $100

Page 16

THE APPLICATION PROXY

•  All bits are recycled, none are passed through.

•  Firewall includes:

    •  Snort IDS/IDP.

    •  Port-Knocking.

    •  IP/MAC source policing.

    •  Application Specific Reverse Proxy.

    •  DROP by default Firewall rules (including ICMP).

    •  Certificate Client Authentication.

    •  VPN between Client and Firewall.
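The "very specific access, nothing else" design from the AIR-GAP VS CONVENIENCE page and the DROP-by-default / source-policing / VPN items above, as an added example that is not the presentation's own configuration: a shell script that emits an nftables ruleset for a small Linux box sitting between the business LAN and the SCADA/DCS network. Interface names, the client address and MAC, the SCADA server address and the port numbers are all assumed, hypothetical values.

```shell
#!/bin/sh
# Added example, not from the presentation. Assumed, hypothetical layout:
#   eth0 = business side, eth1 = SCADA side, tun0 = VPN tunnel interface
#   203.0.113.10 / 02:00:00:00:00:01 = the remote workstation's IP and MAC
#   10.0.0.5:502 = the one SCADA service the reverse proxy may reach
#   udp/1194 = VPN listener, tcp/8443 = reverse proxy (TLS client certs)

gen_scada_proxy_ruleset() {
    cat <<'EOF'
flush ruleset
table inet scada_proxy {
    set trusted_clients {
        type ipv4_addr
        elements = { 203.0.113.10 }
    }
    chain input {
        # DROP by default: anything not listed below, ICMP included, is dropped
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iif "lo" accept
        # IP/MAC source policing: the VPN port answers only a known address
        # AND a known MAC (the MAC check only holds on the local segment)
        iif "eth0" ip saddr @trusted_clients ether saddr 02:00:00:00:00:01 udp dport 1194 accept
        # The reverse proxy is reachable only through the VPN tunnel;
        # certificate client authentication is enforced by the proxy itself
        iif "tun0" tcp dport 8443 accept
    }
    chain forward {
        # Nothing is routed: bits are "recycled" by the proxy, never passed through
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif "lo" accept
        # The proxy may open only the single SCADA service it fronts
        oif "eth1" ip daddr 10.0.0.5 tcp dport 502 accept
    }
}
EOF
}

# Returns 0 only when every hooked chain in the ruleset is DROP by default
ruleset_is_default_drop() {
    gen_scada_proxy_ruleset | awk '
        /hook/ && !/policy drop/ { bad = 1 }
        END { exit bad }'
}

gen_scada_proxy_ruleset
```

Load with `nft -f` on the proxy host after checking it with `nft -c -f`; Snort and port-knocking from the list above sit outside this ruleset.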


Page 17

HOW DO WE TACKLE THIS?

•  There has to be a joint effort between the security people who understand IT—but do not understand the domains of electric power, water, chemicals—and the engineers who understand that domain, but may not understand security. – Joe Weiss, 14 Jan 2016, “Cyberwire interview” (Managing Partner, Applied Control Solutions)

•  We (IT and Engineering) need to work together and share in-depth knowledge of our different domains, working for the one goal: Security.


Page 18

THANK YOU

I certainly appreciate that your time is valuable, and I am impressed that you chose to spend some of it listening to me…. You are awesome!

And Remember: Security must be designed in, not simply bolted on!
