OWASP AppSec DC 2012/Securing Critical Infrastructure

The Presentation
Author: Francis Cianfrocca, Bayshore Networks

The actual practice of information assurance in industrial control systems (ICS) has changed very little in recent years, even as recognition and awareness of vulnerabilities have risen sharply and statutory/regulatory pressures have intensified. In this presentation, we identify the key reasons for this mismatch between need and action. We show that, while business and organizational issues get much of the attention, a far more serious gap has opened between system vulnerabilities (including the capabilities of attackers) and commonly deployed cyber security technology. The technology gap is widening rapidly as organizations seek 1) broader integration of industrial control systems with enterprise IT; and 2) increased sharing of operational data across organizational boundaries. Standard practice and regulations generally view the assurance of ICS integrity/availability as either an access-control problem or a problem that encrypted streams can solve. This approach has value, but is quite inadequate to address both 1) the expanding scale of potential attacks against civil infrastructure; and 2) the potential monetary and societal losses from successful attacks. The current state of ICS security parallels that of enterprise IT security in the past, with respect to the differences between the network (Layer-3) and the application (Layer-7) approaches. History shows that network-level security failed to adequately protect enterprise applications. ICS security is at that point today. We present experience-based results from new technologies developed and/or applied by our organization in industrial control systems.
Among the technologies to be described are 1) new data-flow protection methodologies including flow-based heuristics; 2) improving the detection of malicious or dangerous events within "normal" ICS data flows; 3) architectural controls such as unidirectional flows; 4) the value of "big-data" approaches, particularly in large-scale metasystems such as electric power transmission and distribution; 5) how to inhibit attacks like Stuxnet and Duqu in real-time. We also assess the applicability of many existing OWASP recommendations for enhancing security in enterprise IT to the ICS threat. Use-cases will be drawn from sectors including: building/factory-floor management; electrical grid; oil/gas; tactical/battlespace applications; and/or any of the 18 critical infrastructure sectors as defined by the Department of Homeland Security.
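To make the Layer-3 versus Layer-7 point concrete, the following added example (not from the presentation or Bayshore Networks) contrasts a port-based rule with an application-layer policy over constructed Modbus/TCP frames; Modbus is assumed as a representative ICS protocol, since the abstract names none, and the host addresses and register ranges are invented.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP is assumed as a representative ICS protocol (the page names none).
MODBUS_PORT = 502
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class Flow:
    src: str
    dst_port: int
    payload: bytes

def layer3_allows(flow, allowed_ports=frozenset({MODBUS_PORT})):
    """A port-based (Layer-3/4) rule sees only the transport tuple."""
    return flow.dst_port in allowed_ports

def parse_modbus(payload):
    """Decode the MBAP header and function code; return None on malformed frames."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        return None
    func = payload[7]
    addr = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else None
    return {"unit": unit, "function": func, "address": addr}

def layer7_verdict(flow, writers, read_only_ranges):
    """Application-layer policy: which hosts may write, and to which registers."""
    pdu = parse_modbus(flow.payload)
    if pdu is None:
        return "malformed"
    if pdu["function"] in WRITE_FUNCTIONS:
        if flow.src not in writers:
            return "write from unauthorized host"
        for lo, hi in read_only_ranges:
            if lo <= pdu["address"] <= hi:
                return "write to protected register"
    return "ok"

# Constructed sample frames (not captured traffic): both are "normal" port-502 traffic.
READ_HR = bytes.fromhex("0001000000060103000A0002")   # fc 3: read 2 registers from 10
WRITE_HR = bytes.fromhex("000200000006010600640001")  # fc 6: write value 1 to register 100
SAMPLE = [Flow("10.0.1.10", 502, READ_HR), Flow("10.0.9.77", 502, WRITE_HR)]

def evaluate(flows, writers=frozenset({"10.0.1.10"}), read_only_ranges=((100, 199),)):
    """Per flow: (source, Layer-3 verdict, Layer-7 verdict)."""
    return [(f.src, layer3_allows(f), layer7_verdict(f, writers, read_only_ranges)) for f in flows]
```

Both frames pass the port rule; only the application-layer check distinguishes the read from the write by an unexpected host.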