Introduction to Control System Security Flashcards
Define Control System
Definition 1
Hardware and software components of an Industrial Automation and Control System (IACS)
Definition 2
A collective term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes.
Define Cybersecurity
Definition 1
Measures taken to protect a computer or system against unauthorized access or attack.
Definition 2
Is the practice of protecting systems, networks, and programs from digital attacks.
These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information, extorting money from users via ransomware, or interrupting normal business processes.
Trends in Control System Cybersecurity
Increase in malicious code attacks
More COTS (commercial off-the-shelf)
Increased remote monitoring and access
Tools to automate attacks
More unauthorized attempts
Internet Protocols expose control systems
Associated risk with COTS
COTS components, increased connectivity and common protocols lead to:
- Potential adversaries are familiar with the technology
- Many risks are common with business systems
Potential consequences of a cybersecurity breach
Unauthorized access, theft or misuse of data
Loss of integrity or reliability of the control system
Loss of control system availability
Equipment damage
Personnel injury
Violation of legal and regulatory requirements.
Health, Safety and Environmental (HSE) impact.
Malware Events and Trends
Name four malware services available for purchase on the Internet
- Malware as a Service (MaaS)
- Hacking as a Service (HaaS)
- Crimeware as a Service (CaaS)
- Fraud as a Service (FaaS)
Five Common Myths regarding IACS Security
- We Don’t Connect to the Internet
- Control Systems are behind a Firewall
- Hackers Don’t Understand Control Systems
- Our Facility is Not a Target
- Our Safety Systems will protect us
Describe differences Between IT and IACS
Different Performance Requirements
IT:
1. Response must be reliable
2. High throughput
3. High delay and jitter tolerated
4. IT protocols
OT:
1. Response is time critical
2. Modest throughput
3. High delay is a serious concern
4. IT and industrial protocols
Describe differences Between IT and IACS
Different Security Priorities
- Different Security Priorities (CIA vs AIC):
IT
CIA: Confidentiality, Integrity and Availability
OT
AIC: Availability, Integrity and Confidentiality
Describe differences Between IT and IACS
Different Availability Requirements
IT:
1. Scheduled operation
2. Occasional failures tolerated
3. Rebooting tolerated
4. Beta testing in the field acceptable
5. Modifications possible with little paperwork
OT:
1. Continuous operation
2. Outages intolerable
3. Rebooting may not be acceptable
4. Thorough QA testing expected in non-production environment
5. Formal certification may be required after any change.
Differences Between IT and IACS
Different Risk Management Goals
IT:
1. Data Confidentiality and Integrity are paramount
2. Risk impact is loss of data, delay of business operations
3. Recovery by reboot
OT:
1. HSE and production are paramount (integrity & availability)
2. Risk Impact is loss of life, equipment or product
3. Fault tolerance is essential
Defense in Depth
Applying multiple countermeasures in a layered or stepwise manner
- Physical Security
- Policies and Procedures
- Zones & Conduits
- Malware Prevention
- Access Control
- Monitoring & Detection
- Patching
Cyber Risk Equation
Risk = Threat x Vulnerability x Consequence
Risk Response Strategies
- Design the risk out
- Reduce the risk
- Accept the risk
- Transfer or share the risk
- Redesign ineffective controls