After the break there’s discussion about risk management and business impact analysis. How do we know what’s worth protecting for what kind of investment? There’s a point made that we’ve focused on protecting devices, not data. The focus should be: what is your data, and where does it reside? Can we partner with audit teams to look at these risks?
When Worlds Collide: Security, the physical world & IoT – Bill Allison, UC Berkeley
Consider what’s coming: media, environmental monitoring, infrastructure management, manufacturing, energy management, medical and healthcare systems, building and home automation, transportation, large scale deployments (e.g. smart cities).
More is not just more – it’s different.
Security at Berkeley began around WWI with three guys with flashlights, guns, and sticks. Online intrusion arrived with the Cuckoo’s Egg in 1986 and the Morris Worm in 1988.
SCADA – Supervisory Control and Data Acquisition – generations: first generation, monolithic; second generation, distributed; third generation, networked; fourth generation, Internet of Things.
Most institutions have SCADA systems but they’re not controlled in IT.
SCADA and BAS – Jim Jokl, UVa
SCADA: Focus: industrial process automation, utilities, gas pipelines; BAS – Building Automation Systems. Same technologies, by and large.
Monitor and Control: Heating and cooling systems including our data centers, hospitals and clinics, animal studies areas, biosafety rooms, HAZMAT areas; power systems, distribution, generators and transfer switches; often fire and security systems, sometimes door locks. How secure are these systems?
Systems are not small – 200 buildings; 90,500 physical BAS points used for monitoring and/or control; 15,000 BAS controllers, at UVa.
BAS Network Technology: Common protocol, BACnet, supports services beyond HVAC. Security: security was not a focus, but standards now exist. But deployment of BACnet security is limited. Multiple transport forms supported: RS-485, ARCNET, Ethernet, BACnet over IP.
SCADA – what is different? SCADA networks perform critical functions: temperature, pressure, valves, generators, chillers, etc. Constructed with old technology with a very long refresh cycle (15-30 years). Intrinsic security generally lacking. Expensive ($1m for a moderate building). Limited CPU power in devices, so hard to do crypto or mutual authentication. Firmware update facilities are good, allowing anything to be pushed to a device.
Typically campuses hire control vendors whose knowledge of networking comes from dedicated dialups. See that in things like video surveillance systems too.
Decentralized SCADA – Much SCADA gear is outside the control of facilities: freezers; lab equipment; door systems; classroom controls; cameras. Many of us have no knowledge of what types of control and data acquisition equipment departments place on the network.
Protection strategy: IT Security: Firewalls, etc; Physical security; Monitoring; Cryptography – work towards being able to consider the SCADA network as an untrusted network.
We’re back in the 90s again, sort of: important equipment that can’t protect itself. Protocols are open, widely deployed and insecure; large installed base of old equipment on a slow refresh cycle. But our ability to add external protection is much better; active monitoring is generally in place; system owners generally understand the problem and want to fix it; main control software runs on modern platforms.
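The monitoring item in the protection strategy, applied to BACnet over IP: this is an added example, not code from the talk or from any vendor. It parses the BVLC, NPDU and APDU headers of a BACnet/IP UDP payload and flags state-changing confirmed requests from hosts outside an approved subnet. The subnet, addresses and payloads are constructed, and the function names are hypothetical.

```python
import ipaddress

# Confirmed services that change device state (BACnet service-choice numbers).
STATE_CHANGING = {15: "WriteProperty", 16: "WritePropertyMultiple",
                  17: "DeviceCommunicationControl", 20: "ReinitializeDevice"}
# Assumption: only the BAS head-end subnet should issue them (constructed value).
ALLOWED_WRITERS = [ipaddress.ip_network("10.20.0.0/28")]
# BVLC function -> offset of the NPDU (0x04 Forwarded-NPDU has a 6-byte origin).
NPDU_OFFSET = {0x09: 4, 0x0A: 4, 0x0B: 4, 0x04: 10}
# Constructed payloads: a WriteProperty header (service data omitted) and a Who-Is.
WRITE = bytes.fromhex("810a000a01040005010f")
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")

def parse_bacnet_ip(payload):
    """Return (pdu_type, service_choice) for a BACnet/IP UDP payload, else None."""
    if len(payload) < 6 or payload[0] != 0x81:        # 0x81 = BVLC for BACnet/IP
        return None
    off = NPDU_OFFSET.get(payload[1])                 # None: BBMD management etc.
    if off is None or int.from_bytes(payload[2:4], "big") != len(payload):
        return None
    try:
        if payload[off] != 0x01:                      # NPDU protocol version
            return None
        control = payload[off + 1]
        off += 2
        if control & 0x20:                            # DNET(2) DLEN(1) DADR(DLEN)
            off += 3 + payload[off + 2]
        if control & 0x08:                            # SNET(2) SLEN(1) SADR(SLEN)
            off += 3 + payload[off + 2]
        if control & 0x20:                            # hop count follows source
            off += 1
        if control & 0x80:                            # network-layer message, no APDU
            return None
        pdu_type = payload[off] >> 4
        if pdu_type == 0:                             # confirmed request
            return 0, payload[off + (5 if payload[off] & 0x08 else 3)]
        if pdu_type == 1:                             # unconfirmed request
            return 1, payload[off + 1]
        return pdu_type, None
    except IndexError:                                # truncated or malformed
        return None

def alert_for(src_ip, payload):
    """Describe a state-changing request from a non-approved source, else None."""
    parsed = parse_bacnet_ip(payload)
    if not parsed or parsed[0] != 0 or parsed[1] not in STATE_CHANGING:
        return None
    if any(ipaddress.ip_address(src_ip) in net for net in ALLOWED_WRITERS):
        return None
    return f"{STATE_CHANGING[parsed[1]]} from unapproved host {src_ip}"
```

For Forwarded-NPDU frames the UDP source is the forwarding BBMD, so a production check would compare the origin address embedded in the frame instead.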