
Difference between revisions of "OWASP AppSec DC 2012/Securing Critical Infrastructure"


Latest revision as of 19:34, 25 March 2012


The Presentation

Author: Francis Cianfrocca, Bayshore Networks
The actual practice of information assurance in industrial control systems (ICS) has changed very little in recent years, even as recognition and awareness of vulnerabilities have risen sharply and statutory/regulatory pressures have intensified. In this presentation, we identify the key reasons for this mismatch between need and action. We show that, while business and organizational issues get much of the attention, a far more serious gap has opened between system vulnerabilities (including the capabilities of attackers) and commonly deployed cyber security technology.
The technology gap is widening rapidly as organizations seek 1) broader integration of industrial control systems with enterprise IT; and 2) increased sharing of operational data across organizational boundaries.
Standard practice and regulations generally view the assurance of ICS integrity/availability as either an access-control problem or a problem that encrypted streams can solve. This approach has value, but is quite inadequate to address both 1) the expanding scale of potential attacks against civil infrastructure; and 2) the potential monetary and societal losses from successful attacks. The current state of ICS security parallels that of enterprise IT security in the past, with respect to the differences between the network (Layer-3) and the application (Layer-7) approaches. History shows that network-level security failed to adequately protect enterprise applications. ICS security is at that point today.
We present experience-based results from new technologies developed and/or applied by our organization in industrial control systems. Among the technologies to be described are 1) new data-flow protection methodologies including flow-based heuristics; 2) improving the detection of malicious or dangerous events within "normal" ICS data flows; 3) architectural controls such as unidirectional flows; 4) the value of "big-data" approaches, particularly in large-scale metasystems such as electric power transmission and distribution; 5) how to inhibit attacks like Stuxnet and Duqu in real time.
We also assess the applicability of many existing OWASP recommendations for enhancing security in enterprise IT to the ICS threat.
Use-cases will be drawn from sectors including: building/factory-floor management; electrical grid; oil/gas; tactical/battlespace applications; and/or any of the 18 critical infrastructure sectors as defined by the Department of Homeland Security.

The Speakers

Francis Cianfrocca

Francis Cianfrocca is the founder and CEO of Bayshore Networks LLC, in New York City. He is the inventor of Bayshore's SingleKey, a groundbreaking information-assurance product used for protection of corporate and industrial information systems. As Bayshore's CEO, he has overseen SingleKey's acceptance by a range of major enterprises, and the establishment of strong management and technical teams.

Francis founded Tempest Software Inc. in 1995 to develop middleware products for advanced enterprise applications. The company flourished under his leadership, growing to $8 million in sales in its first five years. In 1991 he founded Heldenleben Corporation, where he developed HeldenPort, the world's first compiler for a graphical 4GL. The product was licensed and marketed to over 40,000 developers around the world.

Prior to becoming an entrepreneur, Francis held senior technology positions at the Bank of New York, New York Life Insurance Company, and several other major corporations. He was the lead developer for major enterprise systems for applications including finance, manufacturing, treasury management, and underwriting.

Francis is a noted expert in the fields of cybersecurity, computer-language design, compiler implementation, network communications, and large-scale distributed application architectures. He has several issued and pending patents to his credit.

A very strong advocate of open-source software development, Francis created several widely-used open projects, including the Ruby Net/LDAP library, and the EventMachine high-speed network-event management system. He has also contributed to many other projects.

A strong speaker and writer, Francis has developed a significant following on subjects relating to technology, cybersecurity, financial markets, and national economic and security policy. He is a regular guest on the Coffee & Markets podcast series, and has been published in Commentary Magazine, Human Events, and others.

Francis attended the Eastman School of Music and the University of Michigan, majoring in music history and orchestral conducting. He began his career at the New York City Opera, under the direction of Beverly Sills. He and his wife Paula, a professional opera singer, reside in Long Island City, NY. Francis is a member of the 2000 class of Henry Crown Fellows at the Aspen Institute.

Bob Lam

Bio TBA
