Parsons: Design – Build - ProtectSecuring Critical Infrastructure

Phil Lacombe

Why Cyber Security of Critical Infrastructure

3

Change the way we think about security

Defining Security

Ensuring the enterprise can do what it is supposed to do

And not do what it is not supposed to do Mission performance Interdependent Privacy

Risk Management

The Security Imperative

Responsibility

Risk Environment Today

Threats have increased – as have the consequences of inactionVulnerabilities have increased – no longer geographically constrained

Demands for responsibility and accountability (Public and Private Sectors) have increased

Threat

Executives& Boards

Time

High

Low Government

Business

Cost

Availability

6

Threats to Critical Infrastructure

HP Cyber Risk Report 2013

7

For Example . . .

8

Internet Facing Control Systems

DHS – ICS CERT – 7,200 Internet facing control systems

9

Attack Vectors

Network Access• Internet accessible systems being mapped – SHODAN• Malware spread by trusted system to system connection• Ease of maneuver

Interconnects• Exploit applications that communicate through network segmentation• Connections to other plants, systems, organizations

Dial up• Many ICS assets remotely accessible through traditional

System Management• Patching/upgrade delays, no or outdated anti-virus/signatures• Default usernames and passwords

Supply Chain ICS not considered Physical Security

DHS ICS-CERT reported that the 1st half of 2013 had more attacks than all of 2012

Critical Infrastructure Attacks on the Rise

10ITAR CM.01.2014

CSX Corporation (2003) Tehama Colusa Canal Authority (2007) Stuxnet (2010) Duqu (2011) Flame (2012) Shamoon (2012) Carmel Tunnel (2013) Monju Japan Nuclear Plant (2014) Havex (2014)

*

11

Attacks on Critical Infrastructure

Emerging Understanding Long anticipated convergence of physical and cyber security domains is upon us Confluence of forces

• Policy environment• Executive Orders – recognizes cyber requirement for CI• NIST – framework/standards for cyber-physical systems security

• Governance

• Board responsibility and liability

• Shareholder concern

• Threat environment• Recent attacks provide irrefutable evidence

• Technology• SMART Grid – enabling two way communication• Cloud – enabling economies of operation• Big Data – enabling efficiencies in operation• IPv6 enabling Internet of Things

12