It’s just security
Published on: Mar 3, 2016
Published in: Technology      Business      
Source: www.slideshare.net


Transcripts - Natotbilisiswhitsitt

  • 1. It’s just security
  • 2. Jack Whitsitt | Sintixerr@gmail.com | http://twitter.com/sintixerr
    ▪ I am NOT representing my employer in any way, shape, or form
    ▪ I'm not a critical energy sector expert in particular
    ▪ Why am I here then? Started writing talk by answering panel questions
      ◦ Got stuck on question 1
  • 3.
    ▪ I have no idea what they are – don't really care
      ◦ This is where I got stuck!
    ▪ But I've seen instead:
      ◦ Phishing
      ◦ USB drives
      ◦ Common development errors
      ◦ Change management screw-ups
      ◦ Lack of visibility
    ▪ Energy uses COTS and GUI systems for control
      ◦ Why would bad guys burn something dedicated when they can use common stuff?
      ◦ Maybe a pertinent answer is a question: Why can they still use common stuff?
  • 4.
    ▪ The oil and gas industry breaches… Marathon Oil, ExxonMobil, and ConocoPhillips – occurred in 2008, until the FBI alerted them that year and in early 2009
    ▪ "We've seen real, targeted attacks on our C-level [most senior] executives," says one oil company official…
    ▪ Penetrated their electronic defenses using a combination of fake e-mails and customized spyware programs
    ▪ "Antivirus software misses more than 20 percent of the Trojans in my testing,"
    ▪ "What I'm saying to you is that it's not just the oil and gas industry that's vulnerable to this kind of attack: It's any industry that the Chinese decide they want to take a look at," says an FBI source. "It's like they're just going down the street picking out what they want to have."
  • 5.
    ▪ We are doing things over and over again we know we shouldn't
    ▪ Examples:
      ◦ WEP device attached to vendor network.
      ◦ Previously unknown networks or connections to the internet – not in architecture.
      ◦ Password-less smart meters found in a search engine. Whoops.
      ◦ Lack of human awareness: "Let me click that link"
    ▪ These aren't even "cyber security" specific failures
    ▪ But they're what the bad guys use
    ▪ None should have happened: errors made at a high, largely uncontrolled rate
      ◦ Everyone makes them
  • 6.
    ▪ Infinite trust chains and no perimeters
    ▪ Examples:
      ◦ HMI hardware out of box. Host file was already compromised
      ◦ Embedded web server vulnerability in HMI gear
      ◦ No responsibility or authority, made worse by support models
  • 7.
    ▪ Attack surface increasing
      ◦ At a MINIMUM because of increasing interconnections
      ◦ Even without new technology
    ▪ Tactical response won't help:
      ◦ Not fixing one vulnerability
      ◦ Not fixing ten vulnerabilities
      ◦ Not fixing a thousand SCADA vulnerabilities
    ▪ Must slow the flow, reduce the error rate
      ◦ Can't keep up if we don't: we don't have the resources
      ◦ Already can't: compromise at will
    ▪ Key will be language and communication & awareness
      ◦ Currently, we can't even consistently discuss goals in terms of common safety, operational and business priorities, much less derive strategic solutions
  • 8.
    ▪ Architecture diagrams are never true. Ever.
      ◦ If you want to know where your vulnerabilities are, look for where your reality is different from your expectation
      ◦ This might not be a manually maintainable process; possible subject for research
    ▪ Cyber security efforts without solid change control and management are like asking an ancient Roman god for rain. It's not science, it's faith
    ▪ Number one failure of cyber security
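Slides 5 and 8 make the same point from two sides: the unknown network, the undrawn internet connection and the surprise web server are found by comparing what the diagram says with what the wire says. The following is an added example of that comparison, not code from the deck or from the author. The "diagram" is a hand-written allow-list of zones, permitted zone-to-zone flows and known hosts; the "reality" is a constructed sample of observed flows and discovered listening ports, of the kind a flow collector or scan would produce. Every zone, address, host role and port assignment is hypothetical.

```python
"""Expectation-vs-reality check for an architecture diagram (added example).

Anything observed that the diagram does not explain is reported:
flows between zones that were never drawn, hosts that are not in the
inventory, and listeners a known host was never supposed to have.
All addresses, zones and roles below are hypothetical.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# --- The diagram: what we believe is true -------------------------------------
ZONES = {
    "control":   ip_network("10.10.0.0/24"),
    "dmz":       ip_network("10.20.0.0/24"),
    "corporate": ip_network("10.30.0.0/16"),
}
# Permitted flows as (source zone, destination zone, destination port).
ALLOWED_FLOWS = {
    ("corporate", "dmz", 443),
    ("dmz", "control", 502),       # historian polling PLCs over Modbus/TCP
    ("control", "control", 502),
}
# Known hosts and the listeners they are supposed to expose.
KNOWN_HOSTS = {
    "10.10.0.5": {"role": "HMI",       "ports": {502}},
    "10.10.0.9": {"role": "PLC",       "ports": {502}},
    "10.20.0.2": {"role": "historian", "ports": {443, 502}},
}

# --- Reality: constructed sample observations ---------------------------------
OBSERVED_FLOWS = [
    # (src, dst, dst_port)
    ("10.30.1.7",  "10.20.0.2",    443),  # drawn on the diagram
    ("10.20.0.2",  "10.10.0.9",    502),  # drawn on the diagram
    ("10.10.0.5",  "203.0.113.40", 443),  # HMI talking to the internet
    ("10.10.0.77", "10.10.0.9",    502),  # allowed zone-to-zone, but who is .77?
]
OBSERVED_HOSTS = {
    "10.10.0.5":  {"ports": {502, 80}},   # embedded web server nobody drew
    "10.10.0.9":  {"ports": {502}},
    "10.10.0.77": {"ports": {502, 23}},   # not in the inventory at all
    "10.20.0.2":  {"ports": {443, 502}},
}


def zone_of(addr):
    """Map an address to a drawn zone, or 'external' if no zone contains it."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "external"


@dataclass
class Drift:
    unexpected_flows: list = field(default_factory=list)   # (src, dst, port)
    unknown_hosts: list = field(default_factory=list)      # addresses
    unexpected_ports: list = field(default_factory=list)   # (host, [ports])


def find_drift(observed_flows, observed_hosts,
               allowed_flows=ALLOWED_FLOWS, known_hosts=KNOWN_HOSTS):
    """Report every observation the diagram cannot account for."""
    d = Drift()
    for src, dst, port in observed_flows:
        if (zone_of(src), zone_of(dst), port) not in allowed_flows:
            d.unexpected_flows.append((src, dst, port))
    for host, info in observed_hosts.items():
        if host not in known_hosts:
            d.unknown_hosts.append(host)
            continue
        extra = info["ports"] - known_hosts[host]["ports"]
        if extra:
            d.unexpected_ports.append((host, sorted(extra)))
    return d


if __name__ == "__main__":
    drift = find_drift(OBSERVED_FLOWS, OBSERVED_HOSTS)
    for label, items in vars(drift).items():
        print(label)
        for item in items:
            print("   ", item)
```

Note that the flow from 10.10.0.77 passes the zone check because control-to-control Modbus is drawn; only the host inventory catches it. A zone-level allow-list alone is the "box around it" of slide 12, and it is exactly as granular as the boxes you drew.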
  • 9.
    ▪ Now that you know what you have… what exactly are you DOING?
      ◦ "Securing the infrastructure" is not good enough – it doesn't mean anything
    ▪ Need an "algebra of security" that
      ◦ Allows consistent, comparable expressions of goals
      ◦ Assures line of sight between strategic risks FROM cyber systems and tactical risks TO cyber systems
    ▪ Until then, we're talking at each other, not to each other, and hoping to get lucky
  • 10.
    ▪ Use the algebra to create energy-specific definitions of success
      ◦ What do we mean by secure energy infrastructure?
        - Techies can't answer this for you
        - Create a definition that can be consistently understood across all players
        - Separate out priority valuation of goals and commonly understood goals
      ◦ If you can't answer that question, how can you talk about how to build it?
      ◦ If you can't answer that question and compare it to what you have to find gaps, how do you know where to start?
  • 11.
    ▪ Based partially on Sandia Incident Classification Model: Http://www.cert.org/research/taxonomy_988667.pdf
    ▪ Based partially on SABSA Enterprise Security Architecture model
    ▪ Uses Business Threat Trees to
      ◦ Define strategic cyber security requirements for long term planning
      ◦ Identify tactical technical issues that impact long term objectives
      ◦ Allow independent parties to use the same language to express cyber security, even with different priority levels
      ◦ Create a framework against which a security service architecture can be validated
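Slides 9 to 11 ask for a structure in which a tactical finding can be traced up to the business objectives it threatens, in which two parties share the vocabulary but not the weights, and in which gaps between the definition of success and what is actually covered become visible. The block below is an added example of such a threat tree, written for this page; it is not the deck's material, not SABSA, and not the Sandia taxonomy. Objectives, threats, issues, the two parties and their weights are all hypothetical.

```python
"""Business threat tree with line of sight from tactical issue to objective (added example).

Leaves are tactical technical issues, the middle layer is strategic threats,
roots are business objectives. Two parties use the same tree (the common
language) with their own weights (the separate valuation), so they agree
on what a finding touches and may still rank it differently.
All node names and weights are hypothetical.
"""

# child -> parents. Roots (business objectives) have no entry.
PARENTS = {
    # strategic threats -> business objectives
    "loss_of_view":        ["safe_operation", "regulatory_compliance"],
    "loss_of_control":     ["safe_operation"],
    "data_theft":          ["commercial_advantage", "regulatory_compliance"],
    "insider_misuse":      ["safe_operation"],
    # tactical issues -> strategic threats
    "hmi_web_server_vuln": ["loss_of_view", "loss_of_control"],
    "wep_on_vendor_net":   ["loss_of_control", "data_theft"],
    "phishing_of_execs":   ["data_theft"],
}
OBJECTIVES = {"safe_operation", "regulatory_compliance", "commercial_advantage"}
ISSUES = ["hmi_web_server_vuln", "wep_on_vendor_net", "phishing_of_execs"]

# Same tree, different priorities (hypothetical).
OPERATOR_WEIGHTS  = {"safe_operation": 10, "regulatory_compliance": 3, "commercial_advantage": 1}
EXECUTIVE_WEIGHTS = {"safe_operation": 5,  "regulatory_compliance": 4, "commercial_advantage": 6}


def line_of_sight(node, parents=PARENTS):
    """Every path from node up to a root, e.g. issue -> threat -> objective."""
    paths = []

    def walk(n, path):
        if n not in parents:          # reached a business objective
            paths.append(path)
            return
        for p in parents[n]:
            walk(p, path + [p])

    walk(node, [node])
    return paths


def affected_objectives(issue):
    """The set of business objectives a tactical issue can reach."""
    return {path[-1] for path in line_of_sight(issue)}


def rank(issues, weights):
    """Order issues by the weighted objectives they reach; ties broken by name."""
    scores = {i: sum(weights[o] for o in affected_objectives(i)) for i in issues}
    return sorted(scores, key=lambda i: (-scores[i], i))


def uncovered_threats(parents=PARENTS, objectives=OBJECTIVES):
    """Strategic threats that no tactical issue maps to: the tree says they matter,
    but nothing we have found or measured speaks to them."""
    has_children = {p for ps in parents.values() for p in ps}
    threats = [n for n, ps in parents.items() if set(ps) <= objectives]
    return sorted(t for t in threats if t not in has_children)


if __name__ == "__main__":
    for path in line_of_sight("hmi_web_server_vuln"):
        print(" -> ".join(path))
    print("operator ranking: ", rank(ISSUES, OPERATOR_WEIGHTS))
    print("executive ranking:", rank(ISSUES, EXECUTIVE_WEIGHTS))
    print("threats nobody is looking at:", uncovered_threats())
```

Both parties agree that the WEP device is the top issue because it reaches all three objectives; they disagree on whether the HMI web server or executive phishing comes next, and the tree makes that disagreement a difference in weights rather than a difference in vocabulary. `uncovered_threats` is the "compare it to what you have to find gaps" step: a threat in the tree with no finding beneath it is either genuinely absent or simply unexamined.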
  • 12.
    ▪ Cede the network
      ◦ At least in terms of using network-level controls as the first means of data/access/action control at the application layer
      ◦ Putting a box around it is not, and will never be, granular enough
      ◦ Can't do it anyway, it's really, really big. This is a last resort
      ◦ Next steps of research: small unit test cases from data/behavior transition from one step to the next
    ▪ Focus on gracefully handling compromise
      ◦ If we assume we've lost already and defense might be too expensive, are there alternatives?
      ◦ We all live with bacteria inside of us, can the energy infrastructure?
    ▪ Don't throw good money after bad
      ◦ Antivirus, firewalls, IPSs, and patching have failed IT, don't blindly invest in them
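What "data/access/action control at the application layer" and "small unit test cases from one step to the next" can look like, as an added example written for this page rather than taken from the deck: a hypothetical controller decides a setpoint change on what the request carries and what state the process is in, never on where the packet came from, and bounds the damage an authenticated but compromised client can do. The credential scheme, roles, limits, addresses and the scenario run through it are all constructed for the example.

```python
"""Application-layer control of a state transition, independent of network position
(added example). A setpoint change is arm -> apply; each step is decided on the
credential, the role, the process state and engineering limits. The source
address is recorded for forensics and never consulted, so a request from the
"trusted" control network gets no benefit of the doubt. All names, the shared
secret, limits and the scenario are hypothetical.
"""
from dataclasses import dataclass, replace
from typing import Optional
import hashlib
import hmac

SECRET = b"hypothetical-shared-secret"   # stands in for a per-session key


def token_for(user, role):
    """Hypothetical credential: HMAC over user:role, so the role cannot be edited in transit."""
    return hmac.new(SECRET, f"{user}:{role}".encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    token: str
    action: str            # "arm" or "apply"
    value: float = 0.0
    source_ip: str = ""    # logged, never used for the decision


@dataclass(frozen=True)
class ProcessState:
    setpoint: float
    armed_by: Optional[str] = None


LIMITS = {"min": 0.0, "max": 100.0, "max_step": 5.0}   # engineering limits (hypothetical)
ROLE_CAN = {"operator": {"arm", "apply"}, "viewer": set()}


def decide(req, state):
    """Return (ok, reason, new_state). Each check is one step of the transition."""
    if not hmac.compare_digest(req.token, token_for(req.user, req.role)):
        return False, "unauthenticated", state
    if req.action not in ROLE_CAN.get(req.role, set()):
        return False, "unauthorized", state
    if req.action == "arm":
        return True, "armed", replace(state, armed_by=req.user)
    # "apply" must follow an "arm" by the same user and stay within limits,
    # so a compromised client cannot slam the process in one request.
    if state.armed_by != req.user:
        return False, "not armed", state
    if not LIMITS["min"] <= req.value <= LIMITS["max"]:
        return False, "out of range", state
    if abs(req.value - state.setpoint) > LIMITS["max_step"]:
        return False, "step too large", state
    return True, "applied", ProcessState(setpoint=req.value, armed_by=None)


def run(requests, state=ProcessState(setpoint=50.0)):
    """Feed a sequence of requests through; return (outcomes, final state)."""
    outcomes = []
    for r in requests:
        ok, why, state = decide(r, state)
        outcomes.append((r.user, r.action, ok, why))
    return outcomes, state


# Constructed scenario: every request arrives from inside the control zone.
OP = token_for("alice", "operator")
SCENARIO = [
    Request("alice", "operator", OP, "apply", 52.0, "10.10.0.5"),   # skipped "arm"
    Request("alice", "operator", OP, "arm", source_ip="10.10.0.5"),
    Request("alice", "operator", OP, "apply", 80.0, "10.10.0.5"),   # armed, but 30 units at once
    Request("alice", "operator", OP, "apply", 54.0, "10.10.0.5"),   # armed, within step
    Request("mallory", "operator", OP, "arm", source_ip="10.10.0.5"),          # alice's token, wrong user
    Request("bob", "viewer", token_for("bob", "viewer"), "arm", source_ip="10.10.0.9"),  # wrong role
]

if __name__ == "__main__":
    results, final = run(SCENARIO)
    for user, action, ok, why in results:
        print(f"{user:8} {action:6} {'OK ' if ok else 'NO '} {why}")
    print("final setpoint:", final.setpoint)
```

Each `(request, state) -> outcome` triple is one of the slide's small unit test cases, and the last four rows of the scenario are the "graceful compromise" argument in miniature: a stolen token, a skipped step or an oversized move from a host on the right network still does not move the process.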
  • 13. Jack Whitsitt | sintixerr@gmail.com |http://twitter.com/sintixerr