Blog del CCI

martes, 10 de junio de 2014

CCICon2. Bryan Owen. Patching in Paradise at CCICon2

The debate panels at CCICon2 were among my favorites. Let’s face it… panel discussions can be a bit dry without an alternate point of view!

“Learning from Cybersecurity Incidents in the Industrial World” generated differing perspectives on prevention, detection, and response.  Prevention and response activities often involve patching.
My presentation hinted at a series of vulnerabilities with available exploits targeting 3rd party library components used by many industrial control system HMIs. Fortunately, updates for the 3rd party library are available.

Many critical infrastructure operators successfully apply these patches in coordination with supplier qualification. However we also observed ‘sticky’ cases where commercial and/or technical factors blocked deployment of updates.

In these cases some turn to perimeter defenses to protect the fragile HMIs. Opening day 2 of the Congress, Claudio Caracciolo highlighted just how inventive plant operation staff can be in circumventing perimeter defenses. He emphasized human and cultural factors as more important than the technical gadgetry.

One leading organization mentioned yet a different approach. Since HMIs are prone to human induced problems (regardless of cyber or not) the plant invested in a resilient design with a rapid restore capability.  If problems are detected on the HMI, operators switch over and the suspect HMI station is simply restored to a known good image.

In summary, it takes a lot to keep cyber incidents at bay and it seems everyone has an interesting approach. The Congress is an ideal forum for sharing what works and what doesn’t.

Thanks for organizing a successful Congress and I look forward to future activities with CCI.


Bryan S. Owen PE
OSIsoft LLC – Cyber Security Manager

jueves, 5 de junio de 2014

CCICon2. Ayman Al-Issa. Protecting the Critical Infrastructures from the Emerging Cyber Threats

I have been speaking in the CCICon2 in Bogota about “The Practical Approach for Protecting the Critical Infrastructures from Emerging Cyber Threats”, detailing topics such as how emerging cyber threats that target industrial control systems and how such cyber-attacks can come in different forms including increasing pressure in a pipeline, changing field device parameter settings, closing/opening a motorized valve, causing a denial-of-service attack, increasing/decreasing motor speeds, and viewing fake HMI readings. Noting that all of these can result in a loss of view, control, operation, production, lives and more.

To counter cyber-attacks, companies need to keep in mind that attackers are always ahead. They have the time, resources, and experience, and for that, companies shall look forward to adopting industrial defense-in-depth cyber security techniques and build multiple cyber security layers.  It is not enough to have only cyber security solutions; these solutions shall be accompanied by techniques that can provide knowledge and vision about anomalies that could take place within these critical infrastructures. Having industrial cyber security operations center is no more an option. Also, people assume that they are not likely targets and they are not interesting to hackers. But this is not true. If they see a weakness, they attack, it’s as simple as that.

Ignorance is a killer. When you walk on mines, your first mistake is your last mistake. Security is not an option anymore.  Oil companies must, right now, start to consider security upfront, so it will be much easier to secure those systems if we do it at the front end engineering design phase, rather than later.

An effective process control security in the industrial oil and gas plants can make the difference between a normal day at work and a disaster. That’s why critical infrastructures operators need to consider cybersecurity at the core of their operations.

Ayman AL-Issa
Digital Oil Fields Cyber Security Advisor