ICS Security Assessment Methodology, Tools & Tips

  • Published: 4 Jul 2024
  • Dale Peterson of Digital Bond describes how to perform an ICS / SCADA cyber security assessment in this S4xJapan video.
    He goes into a lot of detail on the tools and how to use them in the fragile and insecure by design environment that is an ICS.
    There are also useful tips on when to bother applying security patches (this will likely surprise you), the importance of identifying the impact of a vulnerability, and an efficient risk reduction approach.
  • Science

Comments • 11

  • @faiyaz203 5 years ago

    I appreciate the Topics Covered and Presenter presented them...

  • @Kenny-xf7dm 2 years ago +1

    Thank you so much for this presentation. It was very informative.

  • @SameerParadia 6 years ago +3

    Wonderful presentation

  • @jairoalves8083 5 years ago

    Great, great presentation.

  • @jksalamon 5 years ago

    Sometimes we receive a very comprehensive requirement encompassing all areas of cybersecurity, including physical. I just wanted to understand what the pitfalls would be during the project execution. Are there any specific questions that we should raise with the client before the project is awarded?

    • @S4Events 5 years ago +2

      That's a big question. You may want to look for the Cyber Security Procurement Language for Control Systems (search for it). It tries to answer the question, but you need to use some judgment rather than just cutting and pasting into an RFP.

  • @suniljce 7 years ago +1

    Nice one, is there a guesstimate on the time it would take to audit a medium-size facility?

    • @S4Events 7 years ago +3

      Oddly enough, the better the security, the longer it will take. For many plants, refineries, water treatment facilities, factories, that are just starting out with cyber security, about 1 week onsite plus some prep days and analysis reporting time post assessment is sufficient. This is due to no cyber maintenance, so it doesn't take long to figure out everything is missing patches, in default config, bad user management, ... These actually are more of the interview and inspection than online testing. Most of the effort here is to determine what should be done first, second, third because there is a long list of lacking security controls.
      As organizations become more mature it can take a second week onsite, particularly if the team has not been to the site recently. The online testing becomes a larger and more detailed effort, the interview identifies processes that need to be audited, and other items.

    • @dieglhix 2 years ago

      @S4Events How about a 20 wind turbine generator farm?

  • @ar_gamer3983 2 years ago

    You mentioned you've been doing live scanning using tools on ICS without any "unacceptable impact to operation". I wonder if the two examples you've mentioned, 1. Safety PLC crash because of firmware upgrade port scanning 2. Server crash due to active server scan running critical service not backed up by standby server, were acceptable interruptions to the plant owners?

    • @S4Events 2 years ago +1

      Yes, they were. As noted in the video, the approach is to find one of every type of computer and device that will not cause an unacceptable impact if it goes down. There are times when a certain type of device cannot be scanned due to a risk of an outage, and in these cases you've identified a different finding ... lack of redundancy for an operationally critical cyber asset.