Practical Operational Environment Security
Joe Peterson, PE, Warren LaPlante, ALLETE/MN Power
Topics
• What is an Operational Environment?
• Basic Approach
• Considerations
• Cyber Security
• Physical Security
• Questions
• Resources
Operational Environment
• Control Centers
• Generation Plants
• Substations
• Industrial/Manufacturing Control Systems
• Building Automation Systems
Different Technology Environments
Information (IT)
• Focus is Information
• Servers, Printers, Routers…
• Technology/Skillsets Align
• Devices/Software Last ~3-5 Years
• Devices are Complex/Adaptable
• Primarily Networked
• Cyber Security ~35 years
Operational (OT)
• Focus is Physical Interaction
• Relays, RTU, PLC, Meters…
• Technology/Skillsets Do Not Align
• Devices Last ~10-25 Years
• Devices are Simple/Rigid
• Can Be Air-Gapped/Isolated
• Cyber Security is a Growing Focus
Basic Approach
What to Protect
• “Crown Jewels”
• Perimeter Defense Systems
• Safety
Determine Threat/Risk
• Impact/Damage
• Applicable to Your System
Prioritize
• Impact/Risk
• Compliance
• Budget
Plan Your Defenses
• Plan 2-5 Years
• Document Key Characteristics
Implement
• Address the Threat
• Modify if Needed
Adapt and Improve
• Keep Current
• Re-Evaluate
Collaboration
• IT/OT
• Cyber Security
• Firewall
• Network
• Communications
• Physical Security
• Management
• Engineering
• Operations
• Field Personnel
• Safety
• Project Management
• Purchasing
• Compliance
Considerations
• Know Your Devices, System, and Environment!
• Risk -> Threat x Vulnerability x Potential Impact x Likelihood
• Layers of Defense – Prevent, Detect, Deter, Delay, Alert/Alarm
• Resiliency/Recovery
• Simplicity
• Compliance does not Equal Security
Cyber Security – Why We Need to Care
• Stuxnet
• Ukraine
  • Crash Override/Industroyer
• Energetic Bear/DragonFly
  • Havex/Backdoor.Oldrea
• Safety
  • Triton/Trisis
• Backdoor:W32/BlackEnergy
• WannaCry
• Eternal Blue
• Petya and NotPetya
• Conficker
Cyber Security – Device Risks
• Firmware vs OS Devices
• Diversify Brands (as Needed)
• Serial vs Dial-Up vs Ethernet
• Communication Converters – Use Caution
• Virtualization – Use Caution
Cyber Security – Remote Access Risks
• Airgap
• Minimize Remote Access and Connected Devices
• Secure Local Gateway/Proxy Device
• Minimize Unencrypted Communications – Telnet, FTP, DNP, etc.
• Enable/Disable Network Port, Modem/etc.
Cyber Security – Network Architecture Risks
• WIFI – Proceed with Caution
• Separate Trust Levels
  • Physical/Hardware
  • Logical/Virtual
• Encryption – SSL VPN/VPN Tunnel
Cyber Security – Alerts and Awareness
• RTU, PLCs, or Other Remote I/O
  • Inputs – Monitor Alerts/Alarms
  • Outputs – Switch Power or Enables (Consider Consequences)
• Locks/Locking Racks
• Tamper Tape
Cyber Security – General Good Practices
• Password Management
• Multi-Factor Authentication
• Security Patch Management
• Spares/Backups
• Change Management
• Use Logs
Physical Security
Why We Need to Care
• Copper thefts
• Equipment thefts
• Property Damage
• Suspicious Activity
• Metcalf Substation
Methodology
• Traditional Security Engineering
• Crime Prevention Through Environmental Design (CPTED)
Traditional Security (diagram): Deter, Detect, Delay, Respond, Analysis, Comm
Traditional Security Engineering
• What are you trying to protect
• What is the threat
• What are the vulnerabilities
• What is the risk (R = T x V x C)
• Prioritize and Develop Mitigation
Traditional Security Engineering Examples
Physical Security Plan
Collaboration Examples (???)
CPTED
• Is a considerations guide
• Natural lighting
• Open areas
• Natural avenues of travel
• Easy Up-keep
• Augmented with traditional security concepts
CPTED Examples
Questions?
Joe Peterson [email protected]
Warren LaPlante [email protected]
Resources - Cyber
• Websites
• Wired
• Ars Technica
• Dark Reading
• NIST (Intro to Information Security, Guide to ICS Security, Framework)
• Info Security Magazine
• National Vulnerability Database
• Industrial Internet Consortium
Resources - Cyber
• Government
  • E-ISAC
  • ICS CERT (ICS JWG, Recommended Practices, CSET, Training, Defense-In-Depth)
  • US CERT (C3 VP)
  • NERC (Alerts, Lessons Learned)
  • NERC Regional Reliability Organizations (WECC, MRO, ReliabilityFirst, etc.)
• Conferences (YouTube has some videos)
  • Black Hat
  • DEF CON
  • DerbyCon
  • BSides
Resources - Cyber
• Podcasts
• SANS StormCast
• GRC Security Now
• Defensive Security
• The CyberWire
• Recorded Future
• Training
  • SANS (Secure Architecture, CIS Critical Security Controls)
Resources – Physical
• Government
• E-ISAC
• NERC (Alerts, Lessons Learned)
• NERC Regional Reliability Organizations (WECC, MRO, ReliabilityFirst, etc.)
• National Institute of Crime Prevention
• www.usacearmy.mil
• DHS
• FEMA
• Department of Defense (DoD, all branches)
Resources - Physical
• Private/Other
• www.asisonline (American Society for Industrial Security)
• www.CPTED.net
• www.cptedtraining.net
Practical Operational Environment Security
Joe Peterson, Warren LaPlante, Minnesota Power
The operational world has evolved to an integrated network of intelligent devices that requires attention to physical and cybersecurity measures to operate effectively, safely, and reliably. Practical approaches and available resources will be discussed.