Sharing Plant Data with Phones, Tablets and the Cloud (English)

Dale Peterson, Digital Bond, Inc. Twitter: @digitalbond.com

Dale Peterson of Digital Bond describes how to share Plant data without putting the integrity and availability of ICS at risk. He also describes the dangers of allowing remote access to an ICS.

Two Reasons

Why would a remote user or application need access to an ICS?

1. Monitor or use the ICS data
Potential Impact: Loss of confidentiality of ICS data

2. Control the ICS
Potential Impact: Loss of availability and integrity of ICS

Big Data in The Cloud

• GE On Site Monitoring (OSM)
• 15 Terabyte Database
• 93 Million Fleet Operation Hours
• More than 30,000 Hours Every Day
• More than 1500 Turbines (now 1800+)
• Early warning of 60+ Failures
• $70M Customer Savings in 2011

Source: 2012 GE Data Sheet

GE Security

• Two-factor authentication
• VPN tunnel
• Firewall
• IDS/IPS and anti-virus
• Background checks

But … it is an extremely high value target because it can shut down 1800 power plants

Vendors As Targets / Watering Holes

Google Finds Everything

How can we get the benefits of this type of monitoring and data analysis without putting the availability and integrity of the ICS at risk?

Push the ICS Data Out!

GE Security

ICS Data On Mobile Devices

• Same as the cloud example

PUSH IT OUT

PI Server Examples

• OSIsoft PI is by far the market leader in historians

• Accepts almost any type of ICS data

• Other solutions are GE Proficy and vendor specific solutions

PI Coresight

Transpara Visualization

• http://demo.transpara.com

I Need The ICS Data!

• Answer … yes, we can provide that without risking the integrity or availability of the ICS
– Here is how we do it
– Here is what it costs to provide the data in the format you requested
– Business decision if the benefit of the data is worth the investment

Control

• Almost every ICS has the need for emergency remote access with a control capability
– It will be done poorly and insecurely if not available
– There are times where the risk of not having immediate access is greater than the risk of allowing remote access
– Keyword: Emergency

Emergency Remote Access

• Create ICS Remote Access DMZ
• Deploy a Jump Server
– Many solutions available
• Physical disconnection
• Require Operator to enable connection
– Build process around establishing connection
– Have physical connection timeout
– Review logs for “emergency” use
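
One way to carry out the log review step above, as an added example that is not part of the original slides. The log format, the event names (ENABLE, SESSION_START, SESSION_END) and the two-hour timeout are assumptions chosen for illustration; the sample log is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log. The event names and field layout are assumptions
# for this example, not the format of any real jump server product.
SAMPLE_LOG = """\
2024-03-02T01:10:00 ENABLE operator=jlee reason="pump trip"
2024-03-02T01:12:30 SESSION_START user=vendor1 src=10.20.0.5
2024-03-02T01:40:00 SESSION_END user=vendor1
2024-03-05T14:00:00 SESSION_START user=eng2 src=10.20.0.9
2024-03-05T14:20:00 SESSION_END user=eng2
2024-03-09T22:00:00 ENABLE operator=mkhan reason="HMI frozen"
2024-03-09T22:05:00 SESSION_START user=vendor1 src=10.20.0.5
2024-03-10T03:30:00 SESSION_END user=vendor1
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def review(log_text, timeout=timedelta(hours=2)):
    """Return operator enables plus sessions that bypassed the process."""
    enables, findings = [], []
    window_end = None      # when the current operator-enabled window closes
    open_sessions = {}     # user -> window end in force when session started
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, event, rest = (line.split(" ", 2) + ["", ""])[:3]
        ts = datetime.fromisoformat(stamp)
        f = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        if event == "ENABLE":
            window_end = ts + timeout
            enables.append((stamp, f.get("operator"), f.get("reason")))
        elif event == "SESSION_START":
            ok = window_end is not None and ts <= window_end
            if not ok:   # nobody on site enabled the connection
                findings.append(("no_operator_enable", f["user"], stamp))
            open_sessions[f["user"]] = window_end if ok else None
        elif event == "SESSION_END":
            limit = open_sessions.pop(f["user"], None)
            if limit is not None and ts > limit:   # timeout did not cut it off
                findings.append(("ran_past_timeout", f["user"], stamp))
    findings += [("never_closed", u, "") for u in open_sessions]
    return {"enables": enables, "findings": findings}

if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for row in result["enables"] + result["findings"]:
        print(row)
```

The list of enables, with operator and stated reason, is what a reviewer reads to judge whether each use was a real emergency; the findings are sessions that did not follow the process.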

Assertion

A motivated and moderately skilled attacker could easily gain continuous access to the ICS from the Internet.

How? Compromise an enterprise network computer or mobile device that accesses the ICS.

ICS Spear Phishing

• Three pipeline companies participated
• Only company name provided to researchers
• Goal: Compromise PCs with remote access to the control system (SCADA)

Why Remote Access to ICS

• Convenience and Cost
• Convenience
– People don’t want to go to a control area
– Easy to change if risk is understood
• Cost
– Reduced staffing, necessary people are not on site
– Partial solution: make data available and have remote support call in operational changes

Don’t Give Up

• ARC Advisory Group on Iconics App

HMI in The Cloud?

• Will we see Operator Stations / HMI and other ICS components run in the cloud?

• What are the security implications of this?

• One thought – If an ICS owner/operator is not going to secure and maintain the ICS, the risk of the HMI in the Cloud may be less than the owner/operator hosting and running the ICS
– Think small organizations with limited IT & security

Questions