
Difference between revisions of "OWASP AppSec DC 2012/Securing Critical Infrastructure"


Revision as of 01:00, 12 March 2012


The Presentation

Author: Francis Cianfrocca, Bayshore Networks
The actual practice of information assurance in industrial control systems (ICS) has changed very little in recent years, even as recognition and awareness of vulnerabilities have risen sharply and statutory/regulatory pressures have intensified. In this presentation, we identify the key reasons for this mismatch between need and action. We show that, while business and organizational issues get much of the attention, a far more serious gap has opened between system vulnerabilities (including the capabilities of attackers) and commonly-deployed cyber security technology.
The technology gap is widening rapidly as organizations seek 1) broader integration of industrial control systems with enterprise IT; and 2) increased sharing of operational data across organizational boundaries.
Standard practice and regulations generally view the assurance of ICS integrity/availability as either an access-control problem or a problem that encrypted streams can solve. This approach has value, but is quite inadequate to address both 1) the expanding scale of potential attacks against civil infrastructure; and 2) the potential monetary and societal losses from successful attacks. The current state of ICS security parallels that of enterprise IT security in the past, with respect to the differences between the network (Layer-3) and the application (Layer-7) approaches. History shows that network-level security failed to adequately protect enterprise applications. ICS security is at that point today.
We present experience-based results from new technologies developed and/or applied by our organization in industrial control systems. Among the technologies to be described are 1) new data-flow protection methodologies including flow-based heuristics; 2) improving the detection of malicious or dangerous events within "normal" ICS data flows; 3) architectural controls such as unidirectional flows; 4) the value of "big-data" approaches, particularly in large-scale metasystems such as electric power transmission and distribution; 5) how to inhibit attacks like Stuxnet and Duqu in real-time.
We also assess the applicability of many existing OWASP recommendations for enhancing security in enterprise IT to the ICS threat.
Use-cases will be drawn from sectors including: building/factory-floor management; electrical grid; oil/gas; tactical/battlespace applications; and/or any of the 18 critical infrastructure sectors as defined by the Department of Homeland Security.

The Speakers

Francis Cianfrocca

Bio TBA

Bob Lam

Bio TBA
