Smart Grids & Dumb Security => A Guide For Business Managers

Why SCADA, ICS & Embedded Devices continue to be a threat

DUMB SECURITY & SMART GRIDS

Faris A. Al-Kharusi, MPhil, MSc., GWCBA

AGENDA

SCADA, ICS & Embedded Devices
• Evolution of the Threat
• Industry Standards vs. Residential Realities

Specific Contemporary Challenges
• The {C}old War
• Paradigm Shift

Cybersecurity World-View
• Weak vs. Strong Implementations
• The Real Calculation of Risk (Information Assurance)

Do’s & Don’ts of Smart Projects
• Data Storage & Security Policy
• Knowledge & Competency
• BCP & DRP

The Story So Far
• Hard-Coded Passwords.
• Hard-Coded Firmware (Exploits cannot be patched!)
• Lack of belief that critical infrastructure is internet-facing.
• Reconnaissance can be done anonymously with low likelihood of detection.
• Lack of skill-sets to conduct forensics minimizes reporting on intrusions.

Evolution of the Threat: How We Got Here

– Complex interdependencies arose …

– The TCP/IP landscape has opened the door to easy setup since the early ’80s ...

Evolution of the Threat: Global View

– BACnet (port 47808)
– DNP3 (port 20000)
– EtherNet/IP (port 44818)
– Niagara Fox (ports 1911)
– IEC-104 (port 2404)
– Red Lion (port 789)
– Modbus (port 502)
– Siemens S7 (port 102)

And The Internet of Things Grows Regionally

UPnP - UDP Port 1900
- Mobile Devices
- CCTV
- Biometric Readers
- Energy Generators
- Card Readers
- Appliances
- POS Kiosks
- Routers
- Printers
- And the list goes on …

Industry Standards

The “Perfect Landscape” as conveyed in our security-centric minds …

Residential Outlook

And the current reality …

The {C}old War

Paradigm Shift

Real-Time Operations: Weak Implementations
Sifting through Events

Real-Time Operations: Strong Implementations
Intelligent Alarms & Exception Based Surveillance

The Real Calculation of Risk

Risk = Threat x Vulnerability x Consequence

Stop fighting yesterday’s war today . . .

The Do’s
• Understand the consequence of your vulnerabilities.
• Use Local Clouds – keep ownership of your Data.
• Think clearly about your Data Analytics strategy as it pertains to guarding your assets.

The Don’ts
• Stop treating your security decisions like it is 2005.
• Outsource all the knowledge and competency (especially around forensics) to a third-party.
• Expect proprietary or complex setups to provide protection.

Thank You & Feel Free To Ask Questions