
© 2016 Belden Inc. | belden.com | @BeldenInc | info.beldon.com/iiot

October 2016

Jeff Lund

Securing Industrial Control Systems in the Age of IoT


Control System Security Is Gaining Public Recognition


Reported Vulnerabilities & Incidents are Increasing

Source: FireEye iSight Intelligence 2016 ICS Vulnerability Trend Report


But ICS Cybersecurity Is Much More than Hackers

• <10% of issues are related to hackers

• Most “attacks” are device or human errors

ICS cybersecurity is about

• Improving system reliability

• Reducing downtime

• Increasing productivity

• Decreasing operating costs

• Ensuring safety

And protecting from hackers


Industrial Systems Bring Unique Security Challenges

• Most of the devices are preexisting, don’t speak IP, use inherently insecure protocols, and live in the field for decades

• Configuration, testing and maintenance must be done without shutting down the network

• Patching is usually not practical

• Active scans can damage systems

• Systems must keep running even if under attack or impaired


Real World Example: The Problem

• Regional wastewater treatment plant

− Mid-sized city in the Eastern U.S.

− 24 buildings / 500 pieces of equipment

− 15 treatment processes

− 13 million gallons of wastewater daily

− Runs 24 hours a day every day

• Little protection or separation of the SCADA network from the city’s IT network

− Even the city’s high school students could gain access if they tried


The Requirements

• Protect critical plant infrastructure from malware, traffic storms, errors and attacks

• Without giving up the ability to share data interdepartmentally or remote support and maintenance capabilities

• While increasing system reliability by following ISA/IEC 62443 cybersecurity standards

− Partition into zones; secure through conduits

− Security embedded throughout the system, not just at the perimeter


The Approach

• Engaged ICS security consultant to analyze system and partition into zones per ISA/IEC 62443 cybersecurity standard

• Each zone protected by a specialized industrial security appliance

− “Field-level firewall”

− Transparent to the network (no IP address)

    · Easy to install, hard to attack

    · No changes required to network or subnet addressing

− Deep Packet Inspection for industrial protocol communications

    · Protects against all malformed packet attacks – even ones that have yet to be discovered

    · Enforces use-case driven security policy
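
A sketch of what deep packet inspection with a use-case driven policy can look like at a zone conduit, added here as an illustration (it is not Belden or Tofino code). It assumes Modbus/TCP as the industrial protocol; the zone names, the policy table and the sample frames are constructed.

```python
import struct

# Assumed use-case policy per conduit (hypothetical zone names): the HMI zone may
# only read from the treatment zone; the engineering zone may also write.
READ_FCS = {0x01, 0x02, 0x03, 0x04}      # read coils / inputs / holding / input registers
POLICY = {
    ("hmi", "treatment"): READ_FCS,
    ("engineering", "treatment"): READ_FCS | {0x05, 0x06, 0x0F, 0x10},
}

def inspect(src_zone, dst_zone, frame):
    """Return (allowed, reason) for one Modbus/TCP request crossing a conduit."""
    allowed_fcs = POLICY.get((src_zone, dst_zone))
    if allowed_fcs is None:
        return False, "no conduit between zones"
    if len(frame) < 8:                   # 7-byte MBAP header + function code
        return False, "truncated frame"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return False, "protocol id is not Modbus"
    # MBAP length counts the unit id plus the PDU (PDU is at most 253 bytes).
    if length != len(frame) - 6 or not 2 <= length <= 254:
        return False, "length field does not match frame"
    fc = frame[7]
    if fc not in allowed_fcs:
        return False, f"function code 0x{fc:02x} not permitted"
    if fc in READ_FCS:                   # read request: start address + quantity
        if len(frame) != 12:
            return False, "malformed read request"
        _addr, qty = struct.unpack(">HH", frame[8:12])
        limit = 2000 if fc in (0x01, 0x02) else 125
        if not 1 <= qty <= limit:
            return False, "quantity out of range"
    return True, "ok"

def _req(fc, value, length=6):
    """Build a constructed 12-byte request: MBAP header, function code, address 0, value."""
    return struct.pack(">HHHBBHH", 1, 0, length, 1, fc, 0, value)

SAMPLES = {                              # constructed frames, not captured traffic
    "read": _req(0x03, 10),              # read 10 holding registers
    "write": _req(0x06, 0xFF),           # write single register
    "bad_length": _req(0x03, 10, length=200),
    "huge_read": _req(0x03, 5000),       # quantity above the protocol limit
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, inspect("hmi", "treatment", frame))
```

The structural checks reject frames that violate the protocol's framing rules regardless of which device they target, while the per-conduit allowlist is what limits each zone pair to the operations its use case needs.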


The Solution: Final Application


The Results

• Tofino Security Appliances were easily wired into the network

• No disruption to the active network during configuration

• New system uses custom rules to manage network traffic

• Tofino Security Appliances block unneeded/unwanted traffic

− Protects and strengthens system

− Allows access to all needed business and maintenance information

• Network is at the forefront of industrial cybersecurity


Key Points to Take With You

• Most IIoT systems are “brown field” with existing devices using insecure protocols

• Safety and reliability are job #1 in industrial IoT systems

• Cyber security has a major role to play in ensuring these goals

• Security is not just perimeter protection or air gaps; security needs to be woven throughout the network fabric

© 2016 Belden Inc.

Belden.com | @Belden Inc.

info.belden.com/iiot