Published on: Mar 3, 2016
Transcripts - Natotbilisiswhitsitt
It’s just security
Jack Whitsitt | Sintixerr@gmail.com | http://twitter.com/sintixerr
- I am NOT representing my employer in any way, shape, or form
- I’m not a critical energy sector expert in particular
- Why am I here then?
- Started writing talk by answering panel questions
  ◦ Got stuck on question 1
- I have no idea what they are – don’t really care
  ◦ This is where I got stuck!
- But I’ve seen instead:
  ◦ Phishing
  ◦ USB drives
  ◦ Common Development Errors
  ◦ Change Management Screw-ups
  ◦ Lack of visibility
- Energy uses COTS and GUI systems for control
  ◦ Why would bad guys burn something dedicated when they can use common stuff?
  ◦ Maybe a pertinent answer is a question: Why can they still use common stuff?
- The oil and gas industry breaches… Marathon Oil, ExxonMobil, and ConocoPhillips – occurred in 2008, until the FBI alerted them that year and in early 2009
- “We’ve seen real, targeted attacks on our C-level [most senior] executives,” says one oil company official…
- Penetrated their electronic defenses using a combination of fake e-mails and customized spyware programs
- “Antivirus software misses more than 20 percent of the Trojans in my testing,”
- “What I’m saying to you is that it’s not just the oil and gas industry that’s vulnerable to this kind of attack: It’s any industry that the Chinese decide they want to take a look at,” says an FBI source. “It’s like they’re just going down the street picking out what they want to have.”
- We are doing things over and over again we know we shouldn’t
- Examples:
  ◦ WEP device attached to vendor network.
  ◦ Previously unknown networks or connections to the internet – not in architecture.
  ◦ Password-less Smart Meters found in a search engine. Whoops.
  ◦ Lack of human awareness: “Let me click that link”
- These aren’t even “cyber security” specific failures
- But they’re what the bad guys use
- None should have happened: Errors made at a high, largely uncontrolled rate
  ◦ Everyone makes them
- Infinite Trust Chains and No Perimeters
- Examples:
  ◦ HMI hardware out of box. Host file was already compromised
  ◦ Embedded Web Server vulnerability in HMI gear
  ◦ No responsibility or authority, made worse by support models
- Attack Surface Increasing
- At a MINIMUM because of increasing interconnections
- Even without new technology
- Tactical response won’t help:
- Not fixing one vulnerability
- Not fixing ten vulnerabilities
- Not fixing a thousand SCADA vulnerabilities
- Must slow the flow, reduce error rate
- Can’t keep up if we don’t: We don’t have the resources
- Already can’t: Compromise at-will
- Key will be Language and Communication & Awareness
- Currently, we can’t even consistently discuss goals in terms of common safety and operational and business priorities, much less derive strategic solutions
- Architecture diagrams are never true. Ever.
  ◦ If you want to know where your vulnerabilities are, look for where your reality is different from your expectation
  ◦ This might not be a manually maintainable process; possible subject for research
- Cyber Security efforts without solid change control and management are like asking an ancient Roman God for rain. It’s not science, it’s faith
- Number one failure of cyber security
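As an added illustration (not from the talk), the "look for where reality differs from expectation" idea turned into a repeatable check: the documented architecture is held as data and compared against observed flow records, so hosts and links missing from the diagram, unexpected internet connections, and stale diagram entries fall out automatically instead of through manual review. The asset names, address ranges and flow records below are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed "architecture diagram" as data (assumed names/addresses, not the talk's).
DOCUMENTED_ASSETS = {
    "10.10.1.5": "hmi-01",
    "10.10.1.6": "hmi-02",
    "10.10.2.10": "historian",
    "10.10.2.20": "scada-server",
}
# Links the diagram says exist: (source name, destination name, destination port).
ALLOWED_FLOWS = {
    ("hmi-01", "scada-server", 502),
    ("hmi-02", "scada-server", 502),
    ("scada-server", "historian", 1433),
}
INTERNAL_NETS = [ip_network("10.10.0.0/16")]


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


# Constructed flow records, as one might parse from NetFlow or firewall logs.
OBSERVED_FLOWS = [
    Flow("10.10.1.5", "10.10.2.20", 502),
    Flow("10.10.2.20", "10.10.2.10", 1433),
    Flow("10.10.3.77", "10.10.2.20", 502),    # host that is not in the diagram
    Flow("10.10.2.10", "203.0.113.9", 443),   # internet connection not in the architecture
]


def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def find_drift(assets: dict, allowed: set, observed: list) -> dict:
    """Return every way observed reality differs from the documented architecture."""
    unknown_hosts, undocumented_flows, internet_egress, seen = set(), set(), set(), set()
    for f in observed:
        for addr in (f.src, f.dst):                 # internal address nobody documented
            if is_internal(addr) and addr not in assets:
                unknown_hosts.add(addr)
        if not is_internal(f.dst):                  # traffic leaving the documented networks
            internet_egress.add((assets.get(f.src, f.src), f.dst, f.dport))
            continue
        key = (assets.get(f.src, f.src), assets.get(f.dst, f.dst), f.dport)
        seen.add(key)
        if key not in allowed:                      # link that exists but is not drawn
            undocumented_flows.add(key)
    return {"unknown_hosts": unknown_hosts, "undocumented_flows": undocumented_flows,
            "internet_egress": internet_egress, "never_observed": allowed - seen}
```

Entries under "never_observed" are the diagram's own drift: links documented but no longer in use, which is exactly the sort of stale expectation the slide warns about.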
- Now that you know what you have… what exactly are you DOING?
  ◦ “Securing the infrastructure” not good enough – it doesn’t mean anything
- Need an “Algebra of security” that
  ◦ Allows consistent comparable expressions of goals
  ◦ Assures line of sight between strategic risks FROM cyber systems and tactical risks TO cyber systems
- Until then, we’re talking at each other, not to each other, and hoping to get lucky
- Use the algebra to create energy-specific definitions of success
  ◦ What do we mean by secure energy infrastructure?
- Techies can’t answer this for you
- Create a definition that can be consistently understood across all players
- Separate out priority valuation of goals and commonly understood goals
  ◦ If you can’t answer that question, how can you talk about how to build it?
  ◦ If you can’t answer that question and compare it to what you have to find gaps, how do you know where to start?
- Based partially on Sandia Incident Classification Model: Http://www.cert.org/research/taxonomy_988667.pdf
- Based partially on SABSA Enterprise Security Architecture model
- Uses Business Threat Trees to
  ◦ Define strategic cyber security requirements for long term planning
  ◦ Identify tactical technical issues that impact long term objectives
  ◦ Allow independent parties to use the same language to express cyber security, even with different priority levels
  ◦ Create a framework against which security service architecture can be validated
- Cede the network
  ◦ At least in terms of using network level controls as the first means of data/access/action control at the application layer
  ◦ Putting a box around it is not, and will never be, granular enough
  ◦ Can’t do it anyway, it’s really, really big. This is a last resort
  ◦ Next steps of research: Small unit test cases from data/behavior transition from one step to the next
- Focus on Gracefully Handling Compromise
  ◦ If we assume we’ve lost already and defense might be too expensive, are there alternatives?
  ◦ We all live with bacteria inside of us, can the energy infrastructure?
- Don’t throw good money after bad
  ◦ Antivirus, Firewalls, IPS’s, and patching have failed IT, don’t blindly invest in them
Jack Whitsitt | firstname.lastname@example.org | http://twitter.com/sintixerr