The Internet of Things is gradually but very surely creeping in to impact every sphere of modern life. And that goes as much for people as for business, as much for new industries as for incumbent sectors. This network of physical objects has the ability to play havoc with security and is significantly increasing the challenge of securing Industrial Control Systems (ICSs). Threats to ICSs for players in the utilities, energy and nuclear sectors can have life-threatening consequences. Originally, these systems were designed to run independently. However, evolving business requirements often necessitate interconnection between control and office environments. Systems were also devised to last for decades without the need for heavy maintenance, and at their inception, security was far from a priority. Interconnection and standardization certainly have their advantages, but they also introduce far greater risk. Interconnected systems offer a larger surface for potential attack. Manage to breach one point, and you can potentially access everything. Ever since NightDragon and Stuxnet caught public attention, awareness of the need for improved ICS security has grown and the demand for it substantially increased. Government regulations and standards have already been drafted and are being published to establish a common way to secure Industrial Control Systems. As a result, there’s also a growing need for talented ICS security professionals. And their remit is widening. More and more security professionals and firms are performing security assessments, including penetration testing on an ICS level. Two years ago, I was asked whether I was willing to evolve from a ‘standard’ security professional to an ICS-specific security expert. I gladly took up the challenge. Since then, I’ve discovered distinct differences in the challenges being faced; for example, in comparison to ‘normal’ IT networks, ICSs are unable to cope with the running of automated vulnerability assessment tools. The result is often disrupted processes and services. ICS security provides a broad area of opportunity and my presentation at BSidesLV focuses on helping any security professional make the move to ICS security. I’m looking to provide a real starting point – going below what some may consider to be the basics of the subject – to offer a genuine grounding in ICS security.
About the Author: Larry Vandenaweele (@lvandenaweele) works for a consulting firm in Belgium. He’s been active in the security industry for over five years. Until two years ago, he mainly performed penetration tests on IT environments, but has now made the shift toward OT environments. Before beginning his professional career, he did charity work in the Philippines as part of an internship. Larry holds a Bachelor of Science in New Media and Communication Technology from Howest University College as well as numerous certifications, including GICSP, MCSA. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.