There are a number of global information exchanges related to industrial control systems security. They offer useful guidelines and standards to help protect the environment.
The UK Centre for the Protection of National Infrastructure (CPNI) provides good practice and technical guidance as well as advice on securing industrial control systems.
Secure move to IP-based Networks (SCADA):
They also highlight the risks of wireless connectivity of physical security systems
I’ve recently passed my GICSP exam. This certification is deigned to bridge together IT, engineering and cyber security to achieve security for industrial control systems from design through retirement.
This unique vendor-neutral, practitioner focused industrial control system certification is a collaborative effort between GIAC and representatives from a global industry consortium involving organisations that design, deploy, operate and/or maintain industrial automation and control system infrastructure.
GICSP assesses a base level of knowledge and understanding across a diverse set of professionals who engineer or support control systems and share responsibility for the security of these environments.
Here are some useful links for those of you who are interested in sitting the exam:
I was invited to give a talk on industrial systems security at the London Metropolitan University.
The seminar was intended for academic staff to discuss current problems in this field. We managed to cover a broad range of issues regarding embedding devices and network and IT infrastructure in general.
The professors shared their perspective on this subject. This resulted in the identification of several research opportunities in this area.
Image courtesy of Vlado / FreeDigitalPhotos.net
I delivered a seminar to a group of students at the University of Westminster on industrial control systems security. We discussed the history of these systems, current developments and research opportunities in this area. There was some debate around the hypothesis that these systems weren’t designed to be secure and the trade-offs between confidentiality, integrity and availability helped the participants to better understand modern challenges. Practical recommendations were given pertaining the areas of risk management, disaster recovery, and resilience.
I also facilitated a workshop, where I divided the audience into several groups representing various stakeholders within the company: shareholders, process engineers, and security managers. This helped to drive further discussion regarding different points of view, priorities, and the complexity of communication.
Another successful event organised by NextSec and hosted by KPMG.
Great speakers and fantastic networking opportunities for junior security professionals.
I feel very proud to be a NextSec committee member.
Join us on our first 2014 conference focused on sharing knowledge of cyber security for the energy sector. We have a mixture of senior security leaders and NextSec members delivering a rich content to help you on your professional development
Attend this event, to meet and talk with technical experts, and network with like minded professionals from several industries
Information Security – Who is accountable?
Emma Leith BP IST CISO.
This session will discuss the role of Information Security teams in managing information security risks and who is truly accountable for the risks. It will cover some real-life example from BP in how they approached this whilst providing an insight into how they are starting to achieve their goal to ‘make security part of everyone’s job’.
The Importance & Limitations of Cross-Company Collaboration in the Infosec Industry
Adam Wood, National Grid and Michael Ramella, AstraZeneca.
This talk is aimed at covering what it means to truly collaborate within the Infosec industry. Expanding on lessons learned, guidance for successful collaboration will be presented, allowing the audience members to leave with next steps: The ability to understand and clarify their individual and their team levels of collaboration, and how to increase said levels if they so choose.
Securing Industrial Control Networks
Ian Henderson, BP Lead PCN Security Architect.
Ian will introduce Industrial Automation systems explaining how these critical systems have become a security issue. He will explain what can be done to secure these systems and highlight approaches that work. He will also explore the cultural and human aspects related to securing these systems and the perceived divide between the IT security and Engineering communities.
Securing data flows in the Energy sector with an API Gateway
Mark O’Neill, VP Innovation and Antoine Rizk, VP Vertical Markets, Axway.
The energy sector faces new challenges in governing all types of data flows with un-precedent volumes and security requirements. These data flows include; mobile device access for employees and field personnel, customer access for smart meter monitoring and bill payment, public access for locating charging stations and smart grid data exchanges. The speaker will illustrate technical security features and case studies of work with the energy sector.
The impact of major data losses on corporations and individuals
Yiannis Chrysanthou, Cyber Security Analyst.
The recent Adobe data breach exposed account information for 153 million users. This session will describe the means by which an attacker can leverage the Adobe leaked information to launch attacks against corporations and individuals.
Time & Date: 7th March, 2014 15:15 to 19:45
Location: KPMG – Canary Wharf, London
To sign up please complete the form.
Sign up early, limited places are available!
Image courtesy of kongsky / FreeDigitalPhotos.net
In order to ensure the security of a system sometimes it is not enough to follow the general advice outlined in the Overview of Protection Strategies and one may chose to perform a penetration test.
Security assessments of this highly sensitive environment should be conducted with extreme care. It requires not only basic network security skills but also knowledge of the equipment, SCADA-specific protocols and vulnerabilities.
On the photo you can see different types of PLC and RTU devices, discussed in the Overview of Industrial Control Systems:
- Modicon Momentum PLC
- Rockwell Automation MicroLogix 1100 PLC
- Siemens S7 1200 PLC
- Small embedded RTU device
The original SCADA protocols (vendor-specific protocols include ModbusRTU, DF1, Conitel, and Profibus) were serial-based, meaning that the master station initiated the communication with the controllers. Nowadays, almost all SCADA protocols are encapsulated in TCP/IP and can be operated over Ethernet.
To get a better understanding, one can use Modscan32 to connect to the PLC and view register data by entering the IP address and TCP port number in the tool.
If there is no live PLC available to work with, one can always use the ModbusTCP simulator to practice capturing traffic with Wireshark, configuring the OPC server and building human-machine interfaces.