Tales from Industrial Plants and Responders.

Network-, Security- and Vulnerability Monitoring for ICS: a demystification from an asset owner’s perspective.

In this session Dr. Mona Lange (Audi) and Christian Augustat (Gassco) will take you on a conceptual tour through Industrial Control System (ICS) Security, both have a solid background in securing industrial plants in the manufacturing and Oil- and Gas industry. The session will provide you with insights into areas of Governance, Network Security Monitoring, Vulnerability Management and Continuous Security Monitoring, all from the perspective of an Asset-Owner.

In the area of Governance management we will dissect the pros and cons of IEC62443, ISO27001 and CIS as a foundation for an ICS security strategy, demonstrate how to prioritize security measures and render existing security risks transparent to management for security risk acceptance. Based on this security strategy, we will motivate the importance of asset management as a foundation for network security monitoring, describe how to build an MAC Address based Asset Inventory based on existing network components and integrate it into a Security Information and Event Management System (SIEM). Effective network security monitoring requires asset owners to understand what sources of infection or attack on ICS exist, how threat groups exploit them and how they can be monitored.

Generally, it is not feasible to defend against all threats everywhere, however we will demonstrate how baselining can be used to make an existing attack surface transparent and prioritize network security monitoring efforts in a threat aware manner. We will show how baselining can be used as a foundation for hardening Firewalls and deriving monitoring scenarios and integrating them into a SIEM. In addition, we will point out the difference between shopping security in comparison to building security. Vulnerability management means identifying vulnerabilities present in the environment, understanding their impact for an attack surface and finding possible mitigations as alternatives to patching.

We will show how the concept of ICS in a Virtual Machine can be used for live vulnerability scanning and provide some practical examples on how to rank the criticality of vulnerabilities. Main focus is to point out common problems from an asset owner’s perspective and point towards easy solutions based on our experience “from the trenches”.

Next Presentation

Christopher Corbett Kevin Gomez Buquerin