Cyber war scenario what are the defenses

Cyber war Scenario: What are the

Defenses?

Rajabahadur V. Arcot RR Concepts

Independent Industry Analyst/Columnist and Manufacturing IT Consultant

Disclaimers

• I am an Industrial Control System Professional

• Stuxnet Episode and Aurora Experiment Spurred me to take interest in ICS Cyber Security Issues and Cyber War Scenario and Possible Defenses

“Cyber war, cyber terrorism, and cyber espionage are

topics of increasing timeliness, and our nation and its citizens will be ill prepared to deal with these threats if

those topics never get any discussion….” so said Joe Sauver, Ph.D. at IT Security Conference, USA

Overview

• Structured to create awareness

• To spur all stakeholders (interested in providing defenses against cyber attack) to take serious note of the threats and contribute to finding solutions

Cyber War Threat is Real

• Cyber weapons are powerful

• They can be launched simultaneously from different locations and on multiple targets

• They are the least-cost weapons-option and capable of very precisely putting out of service – Essential critical infrastructure industries and

services

– Conventional offensive and defensive capabilities

– Cause panic and confusion

World is Getting Ready

Critical Infrastructure Industries

• Power utilities

• Water utilities

• Communication

• Oil and Gas installations

• Chemical and Pharmaceutical industries

• Transportation

• Offensive and defensive capabilities

• Others

Operated by Control Systems – PLC, DCS,

SCADA - built on IT open platforms

BYOD Connected

Connected to Internet

Networked

Innumerable embedded systems Innumerable end

points

GPS controlled

Control Systems Connectivity

Typical Critical Infrastructure Control System Architecture

Seeking Defense From Cyber Attack

Quotation from CERN (European Council for Nuclear Research) Presentation

"Incorporate cyber risks into existing risk management and governance processes. Cyber Security is NOT implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level. Managing cyber security risk as part of an organization’s governance, risk management, and business continuity frameworks provides the strategic framework for managing cyber security risk throughout the enterprise.”

US Department of Homeland Security’s advice to CEOs

Overview

General • Recognize ICS cyber security challenges are different from ensuring data security

• Protecting the enterprise begins with implementing straight forward proper work related systems, such as installing

• Passwords, Media Access Control, Software Updates, Virus Scanners, Firewalls, “Data Diode” systems, and such others

• Eternal vigilance and the readiness and ability of the enterprise to identify, recover, and nullify the effects of the cyber-attack are key to achieve fair degree of protection

• Ability and preparedness to initiate counter measures to recover quickly from the attack are critical

Seeking Defense From Cyber Attack

Critical Infrastructure Industries

• CII to gain awareness and instill awareness among the workforce

• Create an in-house industrial control-system cyber security team

• Team to consist of experts in automation & process technologies in addition to experts in information and communication technologies

• Team to carry out carry out security audit, vulnerability assessment, and penetration testing, and evolve specific policies & procedures and crisis management program

Seeking Defense From Cyber Attack

Critical Infrastructure Industries

• The team may seek the support of technology solution providers and competent system integrators / consultants having the appropriate skills in industrial control-system cyber security

• Companies, planning to install new control systems, must seek readiness of their potential suppliers to provide safeguards and their plans to ensure adherence to cyber security standards

• Build competence in system engineering of ICS and ensure defense through system engineering

• Train operators and operating workforce to track anomalous performances

Seeking Defense From Cyber Attack

• Build backup infrastructure

• Build cyber workforce

• Put in place a mechanism to prevent

panic and confusion

Seeking Defense From Cyber Attack

Policy Makers

Seeking Defense From Cyber Attack

Policy Makers

• Take secrecy veil off electronic warfare

• Universities, industries and institutes to

plug the gap in knowledge in the sector

Control System Suppliers / IT Technology Suppliers • Until now, automation systems are designed typically to meet the operational

including functional safety and business needs

• Before Stuxnet, securing the control systems from cyber-threats was not part of the requirement criteria and as such was not on the radar screen of automation companies and standards’ committees

• However, the growing recognition that cyber threats are real calls for ensuring secure functioning of the control systems even in the event of cyber-attacks. ICS suppliers must recognize that cyber Security is integral to functional safety

• Automation companies may have to go back to their drawing boards to design automation systems that include security as one of the manufacturing industries’ fundamental requirements

• Automation suppliers must offer control systems that have strong security features to ensure protection from cyber-attacks and ensure compliance to ISA 99 and other standards

Providing Defense From Cyber Attack

• Build competence to carry out security audit, vulnerability assessment, and penetration testing

• Industry must come together to develop standards to govern embedded system and product design – Trusted Computing

• In all future product development, security should take equal if not precedence over functionality and features

• Let us not repeat the Y2K story!

Providing Defense From Cyber Attack

IT Service Providers

Thanks