Beyond the Basics of ICS Security – Getting It Right From the Start
May 30, 2016
Shah Sheikh

The Internet of Things is gradually but very surely creeping in to impact every sphere of modern life. And that goes as much for people as for business, as much for new industries as for incumbent sectors.

This network of physical objects has the ability to play havoc with security and is significantly increasing the challenge of securing Industrial Control Systems (ICSs). Threats to ICSs for players in the utilities, energy and nuclear sectors can have life-threatening consequences.

Originally, these systems were designed to run independently. However, evolving business requirements often necessitate interconnection between control and office environments. Systems were also devised to last for decades without the need for heavy maintenance, and at their inception, security was far from a priority.

Interconnection and standardization certainly have their advantages, but they also introduce far greater risk. Interconnected systems offer a larger surface for potential attack. Manage to breach one point, and you can potentially access everything.

Ever since NightDragon and Stuxnet caught public attention, awareness of the need for improved ICS security has grown and the demand for it substantially increased. Government regulations and standards have already been drafted and are being published to establish a common way to secure Industrial Control Systems.

As a result, there’s also a growing need for talented ICS security professionals. And their remit is widening. More and more security professionals and firms are performing security assessments, including penetration testing on an ICS level.

Two years ago, I was asked whether I was willing to evolve from a ‘standard’ security professional to an ICS-specific security expert. I gladly took up the challenge.

Since then, I’ve discovered distinct differences in the challenges being faced; for example, in comparison to ‘normal’ IT networks, ICSs are unable to cope with the running of automated vulnerability assessment tools. The result is often disrupted processes and services.

ICS security provides a broad area of opportunity and my presentation at BSidesLV focuses on helping any security professional make the move to ICS security. I’m looking to provide a real starting point – going below what some may consider to be the basics of the subject – to offer a genuine grounding in ICS security.

Source | TripWire