SlideShare a Scribd company logo

Should I Patch My ICS?

Digital Bond
Digital Bond

The document discusses whether patching control systems is an effective security practice given the challenges of securing industrial control systems. It makes three key points: 1. Patching insecure-by-design devices provides minimal risk reduction since attackers can achieve their goals by exploiting legitimate system features rather than vulnerabilities. 2. Most industrial control systems operate within an insecure-by-design zone, so patching may not prevent attacks since attackers do not need to exploit systems to cause damage. 3. Many control system components have low impact even if compromised, so patching provides little benefit given the effort. Prioritizing patching for systems directly accessible from untrusted networks is recommended over broadly patching everything.

Technology
1 of 28
Download to read offline
It’s My Job To Secure Our Control Systems Should I Patch? Dale Peterson of Digital Bond peterson@digitalbond.com Twitter: @digitalbond / Instagram: @s4xphoto
It’s a Big and Difficult Job •  Technology challenges •  Cultural challenges •  Budgeting challenges •  Measurement challenges Good Security Practices
Good Security Practice ü Patching is a good security practice ü Patching will reduce risk But By How Much? Disclaimer: Periodic (annual, bi-annual) patching and updates are part of a cyber maintenance program to maintain a supportable system … but not necessarily warranted for risk reduction related to a cyber attack
Important Term: Insecure By Design •  An attacker does not need a vulnerability to accomplish his goal –  Loss of control, loss of view, deceptive view –  Search Digital Bond Project Basecamp for videos and info •  Attacker uses legitimate features and functions to achieve goal Insecure By Design Is Much Worse Than A Lack of Secure By Design
Keep Two Divergent Thoughts In Your Head 1.  ICS protocols, design, deployment, operation and maintenance need dramatic changes if you believe there are people who want to do bad things Push Hard For Secure, True NextGen Solutions 2.  I’m stuck with an Insecure By Design legacy system or Insecure By Design choices for new solutions (TRAGIC in 2016) Triage: Efficient Risk Reduction
Efficient Risk Reduction Where will you maximize risk reduction for the next dollar or hour spent?
ICS-CERT Issues An Alert / Advisory Should I Patch? How much risk reduction for the effort? 1.  Insecure By Design Devices
Case 1: Insecure By Design Devices •  2015: 1 Modicon Alert & 2 Advisories –  Hard coded credential, stack overflow on TCP/80, XSS / RFI –  Firmware upgrades •  Function code 90 –  All an attacker would want/need –  Modicon_stux_transfer Metasploit module –  Unity/EWS software capability •  No need for a vulnerability
Another Insecure By Design Case •  CoDeSys Gateway and Runtime Tools –  3 Advisories in 2015: 2 x Null Pointer Denial of Service, 1 x Heap Overflow –  Patches issued, yes but … •  Replay of my 2013 SANS talk –  Unauthenticated logic / program upload still there –  CoDeSys is ported to numerous OS –  Some OS allow attacker to gain root on the device and use it as an attack platform for the ICS
Warning #1 ICS patches often stop the exploit code, but don’t fix the vulnerability
Warning #2 Engineering Work Station (EWS) authentication is typically only authenticating the user to the EWS application, not to the PLC Attackers go right at the PLC
ICS-CERT Issues An Alert / Advisory Should I Patch? How much risk reduction for the effort? 1.  Insecure By Design Devices 2.  Insecure By Design Zone
Insecure By Design Zone •  Main reason why most security patching provides minimal risk reduction
Examples •  Windows XP Panels connected to Insecure By Design PLC/RTU –  Hacking the panel is actually an extra, unnecessary step for an attacker •  Hacking RSLogix/RSLinx or most other engineering workstations –  If an attacker is on the network he doesn’t need the EWS or HMI •  Hacking a SCADA Server –  Depends if there are internal ICS zones Most ICS are flat at Levels 1 and 2
Prioritized Security Patching •  Create groups and patch frequency based on efficient risk reduction •  Example: –  Priority 1 (ASAP / Monthly): Anything accessible from an untrusted zone, such as systems in an ICS DMZ, perimeter security devices, removable media transfer stations •  Typically don’t affect operations •  Should be a very small number or you are doing something wrong –  Priority 2 (Quarterly): Anything that communicates with Priority 1 computers … or ... most critical ICS components in a further segmented zone … or … –  Priority 3 (Annual): Everything else for cyber maintenance
2015 Examples •  Priority 1 Examples –  Historians like OSIsoft PI family (2 Advisories) –  DNP3 Stacks in SCADA system with unmanned remote sites •  Project ROBUS vulnerabilities were hugely important •  2 Advisories (Kepware and TOP Server) –  OT firewalls: 1 advisory for mGuard but only denial of service –  Remote access solutions ... Siemens SPCanywhere Advisory •  Not in ICS-CERT –  IT firewall and router vulns, RDP vulns, database vulns, …
Consider All Of The Software •  Operating System •  3rd Party Applications •  ICS Applications •  Libraries and Components that are often hidden –  Triangle Microworks DNP3 Stacks (from Robus in 2013/2014) –  CoDeSys Software Inventory is Key
ICS-CERT Numbers Are Almost Meaningless •  They do: –  Indicate the level of effort by researchers willing to disclose vulns –  Indicate what products researchers can access •  They do not: –  Provide any metric related to ICS code quality –  Provide any metric to what vendors are better or worse in security –  Provide any metric related to quantity or skill level of threat agents –  Provide any data about what sectors are being targeted by attackers
Better ICS-CERT Statistics To Track •  Does the vendor have a published security contact with PGP key? •  How long did it take the vendor to respond to ICS-CERT? •  Did the vendor test and disclose if the vuln was in other products? •  Is the vulnerability in an insecure by design product? •  Did the vendor fix the vuln and has the fix been validated? •  Does the vendor have key elements of an SDL DHS/ICS-CERT Should Focus Efforts
ICS-CERT Issues An Alert / Advisory Should I Patch? How much risk reduction for the effort? 1.  Insecure By Design Devices 2.  Insecure By Design Zone 3.  Low Impact If Compromised
Low Impact If Compromised •  Many components provide low value –  Monitoring of tank farm when a human checks level daily –  Metering when back end checks will detect fraud •  Many components have mechanical, offline or secondary processes in place to prevent medium or high impact events WARNING: Be sure, assume a malicious directed attack, and don’t rely on a networked safety system for low impact
So What Should I Be Doing •  Focus on your physical and cyber security perimeter •  Focus on devices accessible through the cyber security perimeter •  Insure you have Recovery Time Objectives (RTO) set by management and can meet them –  RTO is based on recovering capabilities not computers •  Detect when you are being attacked / have been compromised ___________ •  Develop and measure a Cyber Maintenance Program
Questions

Recommended

Cybersecurity for modern industrial systems
Cybersecurity for modern industrial systemsCybersecurity for modern industrial systems
Cybersecurity for modern industrial systemsItex Solutions
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldDigital Bond
 
Attacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar AsiaAttacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar AsiaDigital Bond
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonPatricia M Watson
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing KeynoteDigital Bond
 
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...Eran Goldstein
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Jim Gilsinn
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA Jeffrey Wang , P.Eng
 

Recommended

Cybersecurity for modern industrial systems
Cybersecurity for modern industrial systemsCybersecurity for modern industrial systems
Cybersecurity for modern industrial systemsItex Solutions
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldDigital Bond
 
Attacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar AsiaAttacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar AsiaDigital Bond
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonPatricia M Watson
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing KeynoteDigital Bond
 
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...Eran Goldstein
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Jim Gilsinn
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA Jeffrey Wang , P.Eng
 
Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSCyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSJim Gilsinn
 
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Digital Bond
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...Digital Bond
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityChris Sistrunk
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Joan Figueras Tugas
 
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...Digital Bond
 
Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Digital Bond
 
SCADA Security Webinar
SCADA Security WebinarSCADA Security Webinar
SCADA Security WebinarAVEVA
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
 
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...Shah Sheikh
 
Scada security presentation by Stephen Miller
Scada security presentation by Stephen MillerScada security presentation by Stephen Miller
Scada security presentation by Stephen MillerAVEVA
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014Digital Bond
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMJim Gilsinn
 
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Digital Bond
 
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin WheelerNTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin WheelerNorth Texas Chapter of the ISSA
 
Securing Industrial Control Systems
Securing Industrial Control SystemsSecuring Industrial Control Systems
Securing Industrial Control SystemsEric Andresen
 
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...AVEVA
 
Nist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkNist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkMarcoAfzali
 
The Future of ICS Security Products
The Future of ICS Security ProductsThe Future of ICS Security Products
The Future of ICS Security ProductsDigital Bond
 
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101Priyanka Aash
 
ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)Digital Bond
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)Digital Bond
 

More Related Content

What's hot

Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSCyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSJim Gilsinn
 
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Digital Bond
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...Digital Bond
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityChris Sistrunk
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Joan Figueras Tugas
 
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...Digital Bond
 
Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Digital Bond
 
SCADA Security Webinar
SCADA Security WebinarSCADA Security Webinar
SCADA Security WebinarAVEVA
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
 
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...Shah Sheikh
 
Scada security presentation by Stephen Miller
Scada security presentation by Stephen MillerScada security presentation by Stephen Miller
Scada security presentation by Stephen MillerAVEVA
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014Digital Bond
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMJim Gilsinn
 
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Digital Bond
 
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin WheelerNTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin WheelerNorth Texas Chapter of the ISSA
 
Securing Industrial Control Systems
Securing Industrial Control SystemsSecuring Industrial Control Systems
Securing Industrial Control SystemsEric Andresen
 
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...AVEVA
 
Nist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkNist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkMarcoAfzali
 
The Future of ICS Security Products
The Future of ICS Security ProductsThe Future of ICS Security Products
The Future of ICS Security ProductsDigital Bond
 
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101Priyanka Aash
 

What's hot (20)

Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSCyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICS
 
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
 
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
 
Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security
 
SCADA Security Webinar
SCADA Security WebinarSCADA Security Webinar
SCADA Security Webinar
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
 
Scada security presentation by Stephen Miller
Scada security presentation by Stephen MillerScada security presentation by Stephen Miller
Scada security presentation by Stephen Miller
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
 
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
 
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin WheelerNTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
 
Securing Industrial Control Systems
Securing Industrial Control SystemsSecuring Industrial Control Systems
Securing Industrial Control Systems
 
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
 
Nist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkNist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing Framework
 
The Future of ICS Security Products
The Future of ICS Security ProductsThe Future of ICS Security Products
The Future of ICS Security Products
 
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
 

Viewers also liked

ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)Digital Bond
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)Digital Bond
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Digital Bond
 
Remote Control Automobiles at ESCAR US 2015
Remote Control Automobiles at ESCAR US 2015Remote Control Automobiles at ESCAR US 2015
Remote Control Automobiles at ESCAR US 2015Digital Bond
 
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)Digital Bond
 
Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Digital Bond
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Digital Bond
 
Accelerating OT - A Case Study
Accelerating OT - A Case StudyAccelerating OT - A Case Study
Accelerating OT - A Case StudyDigital Bond
 
Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)Digital Bond
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS CommunicationsDigital Bond
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSFDigital Bond
 
Unidirectional Security Appliances to Secure ICS
Unidirectional Security Appliances to Secure ICSUnidirectional Security Appliances to Secure ICS
Unidirectional Security Appliances to Secure ICSDigital Bond
 
PLC Code Protection
PLC Code ProtectionPLC Code Protection
PLC Code ProtectionDigital Bond
 
Havex Deep Dive (English)
Havex Deep Dive (English)Havex Deep Dive (English)
Havex Deep Dive (English)Digital Bond
 
Windows Service Hardening
Windows Service HardeningWindows Service Hardening
Windows Service HardeningDigital Bond
 
The RIPE Experience
The RIPE ExperienceThe RIPE Experience
The RIPE ExperienceDigital Bond
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Digital Bond
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseChris Sistrunk
 
PT - Siemens WinCC Flexible Security Hardening Guide
PT - Siemens WinCC Flexible Security Hardening GuidePT - Siemens WinCC Flexible Security Hardening Guide
PT - Siemens WinCC Flexible Security Hardening Guideqqlan
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheetqqlan
 

Viewers also liked (20)

ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)
 
Remote Control Automobiles at ESCAR US 2015
Remote Control Automobiles at ESCAR US 2015Remote Control Automobiles at ESCAR US 2015
Remote Control Automobiles at ESCAR US 2015
 
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
 
Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Incubation of ICS Malware (English)
Incubation of ICS Malware (English)
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)
 
Accelerating OT - A Case Study
Accelerating OT - A Case StudyAccelerating OT - A Case Study
Accelerating OT - A Case Study
 
Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS Communications
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
Unidirectional Security Appliances to Secure ICS
Unidirectional Security Appliances to Secure ICSUnidirectional Security Appliances to Secure ICS
Unidirectional Security Appliances to Secure ICS
 
PLC Code Protection
PLC Code ProtectionPLC Code Protection
PLC Code Protection
 
Havex Deep Dive (English)
Havex Deep Dive (English)Havex Deep Dive (English)
Havex Deep Dive (English)
 
Windows Service Hardening
Windows Service HardeningWindows Service Hardening
Windows Service Hardening
 
The RIPE Experience
The RIPE ExperienceThe RIPE Experience
The RIPE Experience
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense
 
PT - Siemens WinCC Flexible Security Hardening Guide
PT - Siemens WinCC Flexible Security Hardening GuidePT - Siemens WinCC Flexible Security Hardening Guide
PT - Siemens WinCC Flexible Security Hardening Guide
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
 

Similar to Should I Patch My ICS?

Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systemsBen Rothke
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security PractitionerAdrian Sanabria
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on VehiclesPriyanka Aash
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032PECB
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentInfocyte
 
Fundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product DevelopmentFundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product DevelopmentMark Szewczul, CISSP
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testingCu Nguyen
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksAngeloluca Barba
 
Securing Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsSecuring Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsAdrian Sanabria
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Nagios Conference 2014 - Jorge Higueros - SNAPS
Nagios Conference 2014 - Jorge Higueros - SNAPSNagios Conference 2014 - Jorge Higueros - SNAPS
Nagios Conference 2014 - Jorge Higueros - SNAPSNagios
 
LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityRohit Kapoor
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementEnclaveSecurity
 
The myth of secure computing; management information system; MIS
The myth of secure computing; management information system; MISThe myth of secure computing; management information system; MIS
The myth of secure computing; management information system; MISSaazan Shrestha
 

Similar to Should I Patch My ICS? (20)

Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systems
 
Managing security threats in today’s enterprise
Managing security threats in today’s enterpriseManaging security threats in today’s enterprise
Managing security threats in today’s enterprise
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security Practitioner
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on Vehicles
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
 
Fundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product DevelopmentFundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product Development
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
 
Securing Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsSecuring Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These Years
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Web Application Security: Beyond PEN Testing
Web Application Security: Beyond PEN TestingWeb Application Security: Beyond PEN Testing
Web Application Security: Beyond PEN Testing
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Nagios Conference 2014 - Jorge Higueros - SNAPS
Nagios Conference 2014 - Jorge Higueros - SNAPSNagios Conference 2014 - Jorge Higueros - SNAPS
Nagios Conference 2014 - Jorge Higueros - SNAPS
 
LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated Cybersecurity
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to Measurement
 
The myth of secure computing; management information system; MIS
The myth of secure computing; management information system; MISThe myth of secure computing; management information system; MIS
The myth of secure computing; management information system; MIS
 

More from Digital Bond

Assessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS SolutionsAssessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS SolutionsDigital Bond
 
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)Digital Bond
 
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)Digital Bond
 
Application Whitelisting and DPI in ICS (English)
Application Whitelisting and DPI in ICS (English)Application Whitelisting and DPI in ICS (English)
Application Whitelisting and DPI in ICS (English)Digital Bond
 
Industrial Wireless Security (Japanese)
Industrial Wireless Security (Japanese)Industrial Wireless Security (Japanese)
Industrial Wireless Security (Japanese)Digital Bond
 
S4x14 Session: You Name It; We Analyze It
S4x14 Session: You Name It; We Analyze ItS4x14 Session: You Name It; We Analyze It
S4x14 Session: You Name It; We Analyze ItDigital Bond
 
Writing ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisWriting ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisDigital Bond
 
HART as an Attack Vector
HART as an Attack VectorHART as an Attack Vector
HART as an Attack VectorDigital Bond
 

More from Digital Bond (8)

Assessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS SolutionsAssessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS Solutions
 
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
 
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
 
Application Whitelisting and DPI in ICS (English)
Application Whitelisting and DPI in ICS (English)Application Whitelisting and DPI in ICS (English)
Application Whitelisting and DPI in ICS (English)
 
Industrial Wireless Security (Japanese)
Industrial Wireless Security (Japanese)Industrial Wireless Security (Japanese)
Industrial Wireless Security (Japanese)
 
S4x14 Session: You Name It; We Analyze It
S4x14 Session: You Name It; We Analyze ItS4x14 Session: You Name It; We Analyze It
S4x14 Session: You Name It; We Analyze It
 
Writing ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisWriting ICS Vulnerability Analysis
Writing ICS Vulnerability Analysis
 
HART as an Attack Vector
HART as an Attack VectorHART as an Attack Vector
HART as an Attack Vector
 

Recently uploaded

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Recently uploaded (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 

Should I Patch My ICS?

  • 1. It’s My Job To Secure Our Control Systems Should I Patch? Dale Peterson of Digital Bond peterson@digitalbond.com Twitter: @digitalbond / Instagram: @s4xphoto
  • 2. It’s a Big and Difficult Job •  Technology challenges •  Cultural challenges •  Budgeting challenges •  Measurement challenges Good Security Practices
  • 3. Good Security Practice ü Patching is a good security practice ü Patching will reduce risk But By How Much? Disclaimer: Periodic (annual, bi-annual) patching and updates are part of a cyber maintenance program to maintain a supportable system … but not necessarily warranted for risk reduction related to a cyber attack
  • 4.
  • 5. Important Term: Insecure By Design •  An attacker does not need a vulnerability to accomplish his goal –  Loss of control, loss of view, deceptive view –  Search Digital Bond Project Basecamp for videos and info •  Attacker uses legitimate features and functions to achieve goal Insecure By Design Is Much Worse Than A Lack of Secure By Design
  • 6.
  • 7. Keep Two Divergent Thoughts In Your Head 1.  ICS protocols, design, deployment, operation and maintenance need dramatic changes if you believe there are people who want to do bad things Push Hard For Secure, True NextGen Solutions 2.  I’m stuck with an Insecure By Design legacy system or Insecure By Design choices for new solutions (TRAGIC in 2016) Triage: Efficient Risk Reduction
  • 8. Efficient Risk Reduction Where will you maximize risk reduction for the next dollar or hour spent?
  • 9. ICS-CERT Issues An Alert / Advisory Should I Patch? How much risk reduction for the effort? 1.  Insecure By Design Devices
  • 10. Case 1: Insecure By Design Devices •  2015: 1 Modicon Alert & 2 Advisories –  Hard coded credential, stack overflow on TCP/80, XSS / RFI –  Firmware upgrades •  Function code 90 –  All an attacker would want/need –  Modicon_stux_transfer Metasploit module –  Unity/EWS software capability •  No need for a vulnerability
  • 11. Another Insecure By Design Case •  CoDeSys Gateway and Runtime Tools –  3 Advisories in 2015: 2 x Null Pointer Denial of Service, 1 x Heap Overflow –  Patches issued, yes but … •  Replay of my 2013 SANS talk –  Unauthenticated logic / program upload still there –  CoDeSys is ported to numerous OS –  Some OS allow attacker to gain root on the device and use it as an attack platform for the ICS
  • 12. Warning #1 ICS patches often stop the exploit code, but don’t fix the vulnerability
  • 13. Warning #2 Engineering Work Station (EWS) authentication is typically only authenticating the user to the EWS application, not to the PLC Attackers go right at the PLC
  • 14. ICS-CERT Issues An Alert / Advisory Should I Patch? How much risk reduction for the effort? 1.  Insecure By Design Devices 2.  Insecure By Design Zone
  • 15. Insecure By Design Zone •  Main reason why most security patching provides minimal risk reduction
  • 16.
  • 17. Examples •  Windows XP Panels connected to Insecure By Design PLC/RTU –  Hacking the panel is actually an extra, unnecessary step for an attacker •  Hacking RSLogix/RSLinx or most other engineering workstations –  If an attacker is on the network he doesn’t need the EWS or HMI •  Hacking a SCADA Server –  Depends if there are internal ICS zones Most ICS are flat at Levels 1 and 2
  • 18.
  • 19. Prioritized Security Patching •  Create groups and patch frequency based on efficient risk reduction •  Example: –  Priority 1 (ASAP / Monthly): Anything accessible from an untrusted zone, such as systems in an ICS DMZ, perimeter security devices, removable media transfer stations •  Typically don’t affect operations •  Should be a very small number or you are doing something wrong –  Priority 2 (Quarterly): Anything that communicates with Priority 1 computers … or ... most critical ICS components in a further segmented zone … or … –  Priority 3 (Annual): Everything else for cyber maintenance
  • 20. 2015 Examples •  Priority 1 Examples –  Historians like OSIsoft PI family (2 Advisories) –  DNP3 Stacks in SCADA system with unmanned remote sites •  Project ROBUS vulnerabilities were hugely important •  2 Advisories (Kepware and TOP Server) –  OT firewalls: 1 advisory for mGuard but only denial of service –  Remote access solutions ... Siemens SPCanywhere Advisory •  Not in ICS-CERT –  IT firewall and router vulns, RDP vulns, database vulns, …
  • 21. Consider All Of The Software •  Operating System •  3rd Party Applications •  ICS Applications •  Libraries and Components that are often hidden –  Triangle Microworks DNP3 Stacks (from Robus in 2013/2014) –  CoDeSys Software Inventory is Key
  • 22.
  • 23. ICS-CERT Numbers Are Almost Meaningless •  They do: –  Indicate the level of effort by researchers willing to disclose vulns –  Indicate what products researchers can access •  They do not: –  Provide any metric related to ICS code quality –  Provide any metric to what vendors are better or worse in security –  Provide any metric related to quantity or skill level of threat agents –  Provide any data about what sectors are being targeted by attackers
  • 24. Better ICS-CERT Statistics To Track •  Does the vendor have a published security contact with PGP key? •  How long did it take the vendor to respond to ICS-CERT? •  Did the vendor test and disclose if the vuln was in other products? •  Is the vulnerability in an insecure by design product? •  Did the vendor fix the vuln and has the fix been validated? •  Does the vendor have key elements of an SDL DHS/ICS-CERT Should Focus Efforts
  • 25. ICS-CERT Issues An Alert / Advisory Should I Patch? How much risk reduction for the effort? 1.  Insecure By Design Devices 2.  Insecure By Design Zone 3.  Low Impact If Compromised
  • 26. Low Impact If Compromised •  Many components provide low value –  Monitoring of tank farm when a human checks level daily –  Metering when back end checks will detect fraud •  Many components have mechanical, offline or secondary processes in place to prevent medium or high impact events WARNING: Be sure, assume a malicious directed attack, and don’t rely on a networked safety system for low impact
  • 27. So What Should I Be Doing •  Focus on your physical and cyber security perimeter •  Focus on devices accessible through the cyber security perimeter •  Insure you have Recovery Time Objectives (RTO) set by management and can meet them –  RTO is based on recovering capabilities not computers •  Detect when you are being attacked / have been compromised ___________ •  Develop and measure a Cyber Maintenance Program