I’ve recently passed my GICSP exam. This certification is deigned to bridge together IT, engineering and cyber security to achieve security for industrial control systems from design through retirement.
This unique vendor-neutral, practitioner focused industrial control system certification is a collaborative effort between GIAC and representatives from a global industry consortium involving organisations that design, deploy, operate and/or maintain industrial automation and control system infrastructure.
GICSP assesses a base level of knowledge and understanding across a diverse set of professionals who engineer or support control systems and share responsibility for the security of these environments.
Here are some useful links for those of you who are interested in sitting the exam:
I was invited to give a talk on industrial systems security at the London Metropolitan University.
The seminar was intended for academic staff to discuss current problems in this field. We managed to cover a broad range of issues regarding embedding devices and network and IT infrastructure in general.
The professors shared their perspective on this subject. This resulted in the identification of several research opportunities in this area.
Image courtesy of Vlado / FreeDigitalPhotos.net
I delivered a seminar to a group of students at the University of Westminster on industrial control systems security. We discussed the history of these systems, current developments and research opportunities in this area. There was some debate around the hypothesis that these systems weren’t designed to be secure and the trade-offs between confidentiality, integrity and availability helped the participants to better understand modern challenges. Practical recommendations were given pertaining the areas of risk management, disaster recovery, and resilience.
I also facilitated a workshop, where I divided the audience into several groups representing various stakeholders within the company: shareholders, process engineers, and security managers. This helped to drive further discussion regarding different points of view, priorities, and the complexity of communication.
Another successful event organised by NextSec and hosted by KPMG.
Great speakers and fantastic networking opportunities for junior security professionals.
I feel very proud to be a NextSec committee member.
Join us on our first 2014 conference focused on sharing knowledge of cyber security for the energy sector. We have a mixture of senior security leaders and NextSec members delivering a rich content to help you on your professional development
Attend this event, to meet and talk with technical experts, and network with like minded professionals from several industries
Information Security – Who is accountable?
Emma Leith BP IST CISO.
This session will discuss the role of Information Security teams in managing information security risks and who is truly accountable for the risks. It will cover some real-life example from BP in how they approached this whilst providing an insight into how they are starting to achieve their goal to ‘make security part of everyone’s job’.
The Importance & Limitations of Cross-Company Collaboration in the Infosec Industry
Adam Wood, National Grid and Michael Ramella, AstraZeneca.
This talk is aimed at covering what it means to truly collaborate within the Infosec industry. Expanding on lessons learned, guidance for successful collaboration will be presented, allowing the audience members to leave with next steps: The ability to understand and clarify their individual and their team levels of collaboration, and how to increase said levels if they so choose.
Securing Industrial Control Networks
Ian Henderson, BP Lead PCN Security Architect.
Ian will introduce Industrial Automation systems explaining how these critical systems have become a security issue. He will explain what can be done to secure these systems and highlight approaches that work. He will also explore the cultural and human aspects related to securing these systems and the perceived divide between the IT security and Engineering communities.
Securing data flows in the Energy sector with an API Gateway
Mark O’Neill, VP Innovation and Antoine Rizk, VP Vertical Markets, Axway.
The energy sector faces new challenges in governing all types of data flows with un-precedent volumes and security requirements. These data flows include; mobile device access for employees and field personnel, customer access for smart meter monitoring and bill payment, public access for locating charging stations and smart grid data exchanges. The speaker will illustrate technical security features and case studies of work with the energy sector.
The impact of major data losses on corporations and individuals
Yiannis Chrysanthou, Cyber Security Analyst.
The recent Adobe data breach exposed account information for 153 million users. This session will describe the means by which an attacker can leverage the Adobe leaked information to launch attacks against corporations and individuals.
Time & Date: 7th March, 2014 15:15 to 19:45
Location: KPMG – Canary Wharf, London
To sign up please complete the form.
Sign up early, limited places are available!
Image courtesy of kongsky / FreeDigitalPhotos.net
In order to ensure the security of a system sometimes it is not enough to follow the general advice outlined in the Overview of Protection Strategies and one may chose to perform a penetration test.
Security assessments of this highly sensitive environment should be conducted with extreme care. It requires not only basic network security skills but also knowledge of the equipment, SCADA-specific protocols and vulnerabilities.
On the photo you can see different types of PLC and RTU devices, discussed in the Overview of Industrial Control Systems:
- Modicon Momentum PLC
- Rockwell Automation MicroLogix 1100 PLC
- Siemens S7 1200 PLC
- Small embedded RTU device
The original SCADA protocols (vendor-specific protocols include ModbusRTU, DF1, Conitel, and Profibus) were serial-based, meaning that the master station initiated the communication with the controllers. Nowadays, almost all SCADA protocols are encapsulated in TCP/IP and can be operated over Ethernet.
To get a better understanding, one can use Modscan32 to connect to the PLC and view register data by entering the IP address and TCP port number in the tool.
If there is no live PLC available to work with, one can always use the ModbusTCP simulator to practice capturing traffic with Wireshark, configuring the OPC server and building human-machine interfaces.
An Introduction to Industrial Control Systems Security Part II: An Overview of Protection StrategiesPosted: January 22, 2014
Initially, since most of the ICS components were physically found in secured areas, and were not connected to IT systems or networks, local threats were the only security concern. Because merging ICS systems and IT networks has become increasingly prevalent, the former have become significantly less isolated from the outside world, thus requiring security measures to protect them from external and remote threats.
Additionally, the implementation of wireless networking makes the ICS vulnerable to physically proximal adversaries who do not have a direct access to the equipment. The endless list of possible rivals or threats to an ICS might include discontented employees, hostile governments, malicious intruders, terrorist groups, natural disasters, accidents, complexities as well as accidental or malicious actions by insiders. Therefore, the security objectives for any ICS must follow the priority of availability, integrity and confidentiality, in that order.
An ICS may face the following possible scenarios:
- A modification to the ICS software or configuration settings, or ICS software infection with malware.
- ICS operation disruption due to delayed or blocked traffic through the ICS network.
- Interference with the operation of safety systems, which could endanger human life.
- Unauthorised changes to commands, instructions, or alarm thresholds, which could disable, damage or shut down equipment, create environmental impacts and risk human life.
- Inaccurate information sent to system operators, either to disguise unauthorised changes, or to cause the operators to initiate inappropriate actions.
An ICS implementation should include the following main security objectives:
- Physical access restrictions to the ICS network and devices. A combination of card readers, locks, and/or security guards could be used as physical access controls to protect the ICS’s components from functionality disruptions.
- Individual ICS component protection from exploitation. After testing them under the conditions of the field, security patches can be deployed as quickly as possible. All unused ports and services should be disabled, ICS user privileges should be restricted to only those that are required for each individual role, audit trails should be tracked and monitored, and security controls such as antivirus software and file integrity checking software should be used whenever it is technically feasible to prevent, detect, deter and mitigate malware.
- Logical access restrictions to the ICS network and network activity. In order to prevent information flow from travelling directly between the ICS and the corporate networks, a demilitarized zone (DMZ) network architecture with firewalls can be used, along with separate authentication mechanisms and credentials for the ICS and corporate network users. Additionally, a network topology with multiple layers can be implemented, keeping the ICS’s most critical communications in the most reliable and secure layer.
- Maintenance of functionality during adverse conditions. In order to do so, the ICS must be designed so that each critical component has a counterpart that is redundant. If and when a component fails, it should do so in a way that avoids unnecessary traffic from generating on the ICS and other networks, or that it doesn’t detonate a cascading event or other problems elsewhere.
- System restoration after an incident. Because incidents are inevitable, it is essential to have an incident response program. The mark of an effective security plan is defined by how quickly a system can be restored after an incident has disrupted it. It is thus vital for a cross-functional cyber security team from various domains to share their experience and knowledge and to work together in evaluating and reducing the possible risk to the ICS. This team must at the very least include a member of the company’s IT staff, a control system operator, a control engineer, a network and the system security expert, a member of the management staff, and a member of the physical security department. Additionally, for consistency, this cyber security team must consult with the control system vendor and system integrator. They should report to the organisation’s CIO/CSO or the site management, who must take full responsibility and assume complete accountability for the ICS’s cyber security. An effective ICS cyber security program must focus on a “defense-in-depth” strategy which layers the security mechanisms to minimise the impact of a failure in any one of said mechanisms.
CSSP recommenced defence-in-depth architecture (NIST 800-82)
A defense-in-depth strategy in any typical ICS therefore requires:
- Physical access restrictions to the ICS network and devices.
- Modern technology, such as smart cards, for Personal Identity Verification (PIV).
- The application of an ICS layered network topology, with the most critical communications occurring in the most reliable and secure layer.
- The implementation of a DMZ network architecture to prevent traffic between the ICS and corporate networks.
- The establishment of a logical separation between the corporate and ICS networks (e.g., stateful inspection firewall(s) between the networks).
- The implementation of separate authentication mechanisms and credentials for users of the corporate network and the ICS network.
- The application of role-based access control and the configuration of each individual role based on the principle of least privilege, which means restricting ICS user privileges according to who is required for each job.
- The employment of security controls such as intrusion detection software, antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect, and mitigate the introduction, exposure, and propagation of malicious software to, within, and from the ICS.
- The implementation of security techniques such as cryptographic hashes and/or encryption to ICS data storage and communications where appropriate.
- The rapid deployment of security patches after testing all patches under field conditions before installation on the ICS.
- The disablement of unused ports and services on ICS devices after testing to reduce impact ICS operation.
- Tracking and monitoring audit trails on critical areas of the ICS.
- Ensuring that critical components are redundant and are on redundant networks.
- The design of critical systems for graceful degradation (fault tolerant) to prevent catastrophic cascading events.
- Addressing security throughout the lifecycle of the ICS from architecture design to procurement to installation to maintenance to decommissioning.
- The development of security policies, procedures, training and educational material that are specifically applicable to the ICS.
- Taking into account the ICS security policies and procedures following the Homeland Security Advisory System Threat Level, and employing progressively amplified security measures as the Threat Level increases.