OWASP AppSec DC 2012/Securing Critical Infrastructure - Revision history

Mark.bristow at 19:34, 25 March 2012

2012-03-25T19:34:53Z

Mark.bristow at 01:00, 12 March 2012

2012-03-12T01:00:10Z

Mark.bristow: Created page with "{{:OWASP AppSec DC 2012 Header}} NOTOC == The Presentation == rightAuthor: Francis Cianfrocca, Bayshore Networks
2012-03-02T20:54:27Z

Created page with "<noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude> NOTOC == The Presentation == rightAuthor: Francis Cianfrocca, Bayshore Networks<br..."

New page
<noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude>
NOTOC
== The Presentation ==
[[Image:Owasp_logo_normal.jpg|right]]Author: Francis Cianfrocca, Bayshore Networks The actual practice of information assurance in industrial control systems (ICS) has changed very little in recent years, even as recognition and awareness of vulnerabilities have risen sharply and statutory/regulatory pressures have intensified. In this presentation, we identify the key reasons for this mismatch between need and action. We show that, while business and organizational issues get much of the attention, a far more serious gap has opened between system vulnerabilities (including the capabilities of attackers) and commonly-deployed cyber security technology. The technology gap is widening rapidly as organizations seek 1) broader integration of industrial control systems with enterprise IT; and 2) increased sharing of operational data across organizational boundaries. Standard practice and regulations generally view the assurance of ICS integrity/availability as either an access-control problem or a problem that encrypted streams can solve. This approach has value, but is quite inadequate to address both 1) the expanding scale of potential attacks against civil infrastructure; and 2) the potential monetary and societal losses from successful attacks. The current state of ICS security parallels that of enterprise IT security in the past, with respect to the differences between the network (Layer-3) and the application (Layer-7) approaches. History shows that network-level security failed to adequately protect enterprise applications. ICS security is at that point today. We present experience-based results from new technologies developed and/or applied by our organization in industrial control systems. Among the technologies to be described are 1) new data-flow protection methodologies including flow-based heuristics; 2) improving the detection of malicious or dangerous events within "normal" ICS data flows; 3) architectural controls such as unidirectional flows; 4) the value of "big-data" approaches, particularly in large-scale metasystems such as electric power transmission and distribution; 5) how to inhibit attacks like Stuxnet and Duqu in real-time. We also assess the applicability of many existing OWASP recommendations for enhancing security in enterprise IT to the ICS threat. Use-cases will be drawn from sectors including: building/factory-floor management; electrical grid; oil/gas; tactical/battlespace applications; and/or any of the 18 critical infrastructure sectors as defined by the Department of Homeland Security.
== The Speakers ==
Francis Cianfrocca and Bob Lam
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude>

@@ Line 8: / Line 8: @@
 <td>
 ===Francis Cianfrocca===
-[[Image:Owasp_logo_normal.jpg|left]]Bio TBA
+[[Image:AppSecDC12-Cianfocca.jpg|left]]Francis Cianfrocca is the founder and CEO of Bayshore Networks LLC, in New York City. He is the inventor of Bayshore's SingleKey, a groundbreaking information-assurance product used for protection of corporate and industrial information systems. As Bayshore's CEO, he has overseen SingleKey's acceptance by a range of major enterprises, and the establishment of strong management and technical teams.
 </td>
 </tr>

@@ Line 2: / Line 2: @@
 __NOTOC__
 == The Presentation  ==
-[[Image:Owasp_logo_normal.jpg|right]]Author: Francis Cianfrocca, Bayshore Networks<br>The actual practice of information assurance in industrial control systems (ICS) has changed very little in recent years, even as recognition and awareness of vulnerabilities have risen sharply and statutory/regulatory pressures have intensified. In this presentation, we identify the key reasons for this mismatch between need and action. We show that, while business and organizational issues get much of the attention, a far more serious gap has opened between system vulnerabilities (including the capabilities of attackers) and commonly-deployed cyber security technology.<br>The technology gap is widening rapidly as organizations seek 1) broader integration of industrial control systems with enterprise IT; and 2) increased sharing of operational data across organizational boundaries.<br>Standard practice and regulations generally view the assurance of ICS integrity/availability as either an access-control problem or a problem that encrypted streams can solve. This approach has value, but is quite inadequate to address both 1) the expanding scale of potential attacks against civil infrastructure; and 2) the potential monetary and societal losses from successful attacks. The current state of ICS security parallels that of enterprise IT security in the past, with respect to the differences between the network (Layer-3) and the application (Layer-7) approaches. History shows that network-level security failed to adequately protect enterprise applications. ICS security is at that point today.<br>We present experience-based results from new technologies developed and/or applied by our organization in industrial control systems. Among the technologies to be described are 1) new data-flow protection methodologies including flow-based heuristics; 2) improving the detection of malicious or dangerous events within "normal" ICS data flows; 3) architectural controls such as unidirectional flows; 4) the value of "big-data" approaches, particularly in large-scale metasystems such as electric power transmission and distribution; 5) how to inhibit attacks like Stuxnet and Duqu in real-time.<br>We also assess the applicability of many existing OWASP recommendations for enhancing security in enterprise IT to the ICS threat.<br>Use-cases will be drawn from sectors including: building/factory-floor management; electrical grid; oil/gas; tactical/battlespace applications; and/or any of the 18 critical infrastructure sectors as defined by the Department of Homeland Security.
+Author: Francis Cianfrocca, Bayshore Networks<br>The actual practice of information assurance in industrial control systems (ICS) has changed very little in recent years, even as recognition and awareness of vulnerabilities have risen sharply and statutory/regulatory pressures have intensified. In this presentation, we identify the key reasons for this mismatch between need and action. We show that, while business and organizational issues get much of the attention, a far more serious gap has opened between system vulnerabilities (including the capabilities of attackers) and commonly-deployed cyber security technology.<br>The technology gap is widening rapidly as organizations seek 1) broader integration of industrial control systems with enterprise IT; and 2) increased sharing of operational data across organizational boundaries.<br>Standard practice and regulations generally view the assurance of ICS integrity/availability as either an access-control problem or a problem that encrypted streams can solve. This approach has value, but is quite inadequate to address both 1) the expanding scale of potential attacks against civil infrastructure; and 2) the potential monetary and societal losses from successful attacks. The current state of ICS security parallels that of enterprise IT security in the past, with respect to the differences between the network (Layer-3) and the application (Layer-7) approaches. History shows that network-level security failed to adequately protect enterprise applications. ICS security is at that point today.<br>We present experience-based results from new technologies developed and/or applied by our organization in industrial control systems. Among the technologies to be described are 1) new data-flow protection methodologies including flow-based heuristics; 2) improving the detection of malicious or dangerous events within "normal" ICS data flows; 3) architectural controls such as unidirectional flows; 4) the value of "big-data" approaches, particularly in large-scale metasystems such as electric power transmission and distribution; 5) how to inhibit attacks like Stuxnet and Duqu in real-time.<br>We also assess the applicability of many existing OWASP recommendations for enhancing security in enterprise IT to the ICS threat.<br>Use-cases will be drawn from sectors including: building/factory-floor management; electrical grid; oil/gas; tactical/battlespace applications; and/or any of the 18 critical infrastructure sectors as defined by the Department of Homeland Security.
 == The Speakers  ==
-Francis Cianfrocca and Bob Lam
+<table>
 <noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude>