Industrial Control Systems have cyber vulnerabilities. With critical infrastructure industries depending on control systems for their operations, they have become easy targets for cyber criminals interested. No industry or country can ignore these threats. The following advice of the US Department of Homeland Security’s advice to CEOs says it all – “Incorporate cyber risks into existing risk management and governance processes. Cyber Security is NOT implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level. Managing cyber security risk as part of an organization’s governance, risk management, and business continuity frameworks provides the strategic framework for managing cyber security risk throughout the enterprise.”
Exploring the Future Potential of AI-Enabled Smartphone Processors
Cyber war scenario what are the defenses
1. Cyber war Scenario: What are the
Defenses?
Rajabahadur V. Arcot
RR Concepts
Independent Industry Analyst/Columnist
and Manufacturing IT Consultant
2. Disclaimers
• I am an Industrial Control System Professional
• Stuxnet Episode and Aurora Experiment
Spurred me to take interest in ICS Cyber
Security Issues and Cyber War Scenario and
Possible Defenses
“Cyber war, cyber terrorism, and cyber espionage are
topics of increasing timeliness, and our nation and its
citizens will be ill prepared to deal with these threats if
those topics never get any discussion….”
so said Joe Sauver, Ph.D. at IT Security Conference, USA
3. Overview
• Structured to create awareness
• To spur all stakeholders (interested in
providing defenses against cyber attack) to
take serious note of the threats and
contribute to finding solutions
4. Cyber War Threat is Real
• Cyber weapons are powerful
• They can be launched simultaneously from
different locations and on multiple targets
• They are the least-cost weapons-option and
capable of very precisely putting out of service
– Essential critical infrastructure industries and
services
– Conventional offensive and defensive capabilities
– Cause panic and confusion
6. Critical Infrastructure Industries
• Power utilities
• Water utilities
• Communication
• Oil and Gas installations
• Chemical and Pharmaceutical industries
• Transportation
• Offensive and defensive capabilities
• Others
7. Operated by Control
Systems – PLC, DCS,
SCADA - built on IT open
platforms
BYOD
Connected
Connected to
Internet
Networked
Innumerable
embedded systemsInnumerable end
points
GPS
controlled
10. Seeking Defense From Cyber Attack
Quotation from CERN (European Council for Nuclear Research) Presentation
"Incorporate cyber risks into existing risk management and governance
processes. Cyber Security is NOT implementing a checklist of requirements;
rather it is managing cyber risks to an acceptable level. Managing cyber
security risk as part of an organization’s governance, risk management, and
business continuity frameworks provides the strategic framework for
managing cyber security risk throughout the enterprise.”
US Department of Homeland Security’s advice to CEOs
Overview
11. General
• Recognize ICS cyber security challenges are different from ensuring
data security
• Protecting the enterprise begins with implementing straight
forward proper work related systems, such as installing
• Passwords, Media Access Control, Software Updates, Virus Scanners, Firewalls,
“Data Diode” systems, and such others
• Eternal vigilance and the readiness and ability of the enterprise to
identify, recover, and nullify the effects of the cyber-attack are key to
achieve fair degree of protection
• Ability and preparedness to initiate counter measures to recover
quickly from the attack are critical
Seeking Defense From Cyber Attack
12. Critical Infrastructure Industries
• CII to gain awareness and instill awareness among the
workforce
• Create an in-house industrial control-system cyber security
team
• Team to consist of experts in automation & process
technologies in addition to experts in information and
communication technologies
• Team to carry out carry out security audit, vulnerability
assessment, and penetration testing, and evolve specific
policies & procedures and crisis management program
Seeking Defense From Cyber Attack
13. Critical Infrastructure Industries
• The team may seek the support of technology solution
providers and competent system integrators / consultants having
the appropriate skills in industrial control-system cyber security
• Companies, planning to install new control systems, must seek
readiness of their potential suppliers to provide safeguards and
their plans to ensure adherence to cyber security standards
• Build competence in system engineering of ICS and ensure
defense through system engineering
• Train operators and operating workforce to track anomalous
performances
Seeking Defense From Cyber Attack
14. • Build backup infrastructure
• Build cyber workforce
• Put in place a mechanism to prevent
panic and confusion
Seeking Defense From Cyber Attack
Policy Makers
15. Seeking Defense From Cyber Attack
Policy Makers
• Take secrecy veil off electronic warfare
• Universities, industries and institutes to
plug the gap in knowledge in the sector
16. Control System Suppliers / IT Technology Suppliers
• Until now, automation systems are designed typically to meet the operational
including functional safety and business needs
• Before Stuxnet, securing the control systems from cyber-threats was not part of
the requirement criteria and as such was not on the radar screen of automation
companies and standards’ committees
• However, the growing recognition that cyber threats are real calls for ensuring
secure functioning of the control systems even in the event of cyber-attacks. ICS
suppliers must recognize that cyber Security is integral to functional safety
• Automation companies may have to go back to their drawing boards to design
automation systems that include security as one of the manufacturing industries’
fundamental requirements
• Automation suppliers must offer control systems that have strong security
features to ensure protection from cyber-attacks and ensure compliance to ISA 99
and other standards
Providing Defense From Cyber Attack
17. • Build competence to carry out security audit,
vulnerability assessment, and penetration testing
• Industry must come together to develop
standards to govern embedded system and
product design – Trusted Computing
• In all future product development, security should
take equal if not precedence over functionality
and features
• Let us not repeat the Y2K story!
Providing Defense From Cyber Attack
IT Service Providers