Presented @ Saudi Aramco Global Reliability Forum 2013 Houston, TX, June 19-20, 2013 The only totally secure system is one that is shutoff, unplugged, and locked in a completely sealed box. Security is a balancing act of managing risk and maintaining operations. Too little security and the system may become compromised. Too much security may affect core system functionality, usability, or reliability. Finding the right level of security for a particular system may seem like a daunting task for many industrial control system vendors, integrators, and end-users. There are many different aspects to security and there is no single countermeasure that will work in all situations. This talk will discuss some of the different aspects to security and discuss how some of the more common countermeasures may affect the overall reliability of the system.

1. Process Control Cyber
Security
Jim Gilsinn
Senior Investigator
Kenexis Security Consulting

2. Before we start…
• Who wants a process that they can say is
secure?
2

3. Before we start…
• Who wants a process that they can say is
secure?
• Who wants a process that does what its
expected to do, when and for who its
expected to do it, and for the purposes it
was designed?
3

4. Before we start…
• Who wants a process that they can say is
secure?
• Who wants a process that does what its
expected to do, when and for who its
expected to do it, and for the purposes it
was designed?
4

5. Safety
Performance
Security
5

6. Safety
RELIABILITY
Performance
Security
6

7. Selected Aspects of Security
• Risk Management
• Network Segmentation
• Monitoring
7

8. Risk Management
• Risk management is
nothing new
– Safety, financial,
physical security have
all been around for a
long time
• Cyber security should
not try to reinvent the
wheel
8

9. Risk Management
• Brown Field
– Probably have some risk
management and
treatment in place
– Security should feed into
existing risk management
process, not be a separate
entity
• Green Field
– Security should be part of
the process from the
beginning
9

10. Risk Management
• Consequences are generally the same
– Many times they are already identified
– Difference comes about due to root cause
• Expand to include areas where:
– People don’t act as they are supposed
– Devices don’t act as they are designed
• Be wary of statements like “Well, that
could never happen” and “Why would
anyone do that”.
10

11. Network Segmentation
• Network segmentation as a security
technique:
– Prevents the spread of an incident
– Provides a front-line set of defenses
• Network segmentation is a lot more!
11

12. Network Segmentation
• Network segmentation is a process to
understand:
– What devices communicate
– How fast/often those devices communicate
– Where information flows
– What form that information takes
• Technology helps, but architecture is more
important
12

13. Network
Segmentation
• Limit the ingress and
egress points through zone
boundaries
• Protect the connections
between zones
• Zones & conduits are
logical
– For practical purposes,
match zones to network
architecture as much as
possible
13

14. Network Segmentation
14

15. Monitoring
• Do any of these sound familiar?
– It used to work.
– Something just seems to have failed.
– Not really sure what happened.
– Don’t do anything to that system over there,
its touchy.
– This system is just so slow.
15

16. Monitoring
• Monitoring is extremely important
– Firewalls are good, but useless if you aren’t
monitoring the rules and logs
– IDS are useful (if monitored). Not many are industrial
aware, but can be trained.
– Network performance indicators can give early
indications of something failing
16

17. Performance Monitoring
• Monitoring isn’t just for security
• Performance can be a leading indicator
– Small blips in performance can indicate
unusual activity
• Helps to eliminating false-positives
17

18. Performance Monitoring
2 ms Mean Measured Packet Interval
~ 0.8 ms Jitter
18

19. Performance Monitoring
2 ms Mean Measured Packet Interval
-0.8 ms to +2.2 ms Jitter
19

20. Performance Monitoring
50 ms Mean Measured Packet Interval
Bimodal (25 ms & 75 ms) with Outliers (100 ms)
20

21. Looking Forward
• Vulnerabilities
• Whitelisting
21

22. Vulnerabilities
• Vulnerabilities will always exist in the
industrial environment
– Zero-day vulnerabilities are inevitable
– Infinite-day vulnerabilities are not uncommon
– Industrial protocols themselves are vulnerable
• Well-crafted malware can exist for months
or years before detected
• Do vulnerabilities mean bad
things will happen?
22

23. Whitelisting
• Limits execution on a computer
– Known good set of applications
and libraries
– Monitors applications and memory-space
against changes
• Has been around for a while
• Makes sense for industrial environment
where things remain relatively static
• Not a silver bullet!
23

24. Contact Information
• Jim Gilsinn
Senior Investigator
Kenexis Security Consulting
• http://www.kenexis.com
• (614) 323-2254
• @JimGilsinn
24