Society of American Military Engineers: Industry Day May 14, 2015 - - PowerPoint PPT Presentation

Society of American Military Engineers: Industry Day, May 14, 2015
The relationship between physical security and cyber security: why we need to pay attention, and what we should consider in our decision making
Michael E. Backers, PE


SLIDE 1

Society of American Military Engineers: Industry Day, May 14, 2015
Michael E. Backers, PE
The relationship between physical security and cyber security: why we need to pay attention, and what we should consider in our decision making

SLIDE 2

Geotechnical, Material and Environmental Engineers
Ensuring stable foundations for structures and civil works
Quality assurance tests and inspections to ensure that construction meets design requirements

SLIDE 3

Speaker Background
Michael E. Backers, PE
➢ BSCE, MSCE from University of Cincinnati
➢ Registered Professional Engineer
➢ Military Brat

Career path:
➢ City and County Government
➢ Consulting Engineering
➢ CompuServe / UUNET
➢ Altoria / Ordovician
➢ Patriot

SLIDE 4

Discussion Topic
The relationship between physical security and cyber security

Physical Security
➢ Personal Safety
➢ Family and Community
➢ Building and Place Access
➢ Civil Infrastructure
➢ Command and Control Installations
➢ Weapons Access
➢ Treasure and Monuments
➢ Information Technology Infrastructure

SLIDE 5

Cyber Security (Threat Surface)
➢ Building and Place Access
➢ Data Store and Servers
➢ Desktop and Devices
➢ Personnel
➢ Data Transport

SLIDE 6

Consider this…
➢ The Cloud is an interconnection of physical things
➢ The Cloud extends across the globe and into our solar system
➢ The hardware and digital components are manufactured in factories and then assembled
➢ Protocols are used to organize and transport data
➢ Computer code is behind all of the data and content that we consume: what we see and how we see it.

SLIDE 7

Cyber Security
➢ AAA
➢ Typical Internet Security System
➢ Not that much different than Physical Security

Authentication:
➢ Who are you? Username and password
Authorization:
➢ What you are allowed to access based on who you are
Accounting:
➢ Transactional data. When you logged in and out.

SLIDE 8

Improving our practices
Authentication:
➢ Let's make it Multi-factor!
➢ Limit Anonymous Access!
Authorization:
➢ Enough Granularity?
➢ Protocol or SOP in place for granting rights?
➢ Revoking rights?
➢ Adding services or access?
Accounting:
➢ Usually used for cost accounting only
➢ Soooo much data can be captured
➢ Analysis and trends > PATRIOT ACT > META DATA

SLIDE 9

Taking it Further (The 5 A’s)
Action:
➢ Based on Authentication or Accounting trends
➢ Honey Pots, Quarantines
➢ Revocation of Authorization or Authentication
➢ Bread crumb trails – Added Accounting
➢ Alert and flags for suspicious signatures
Auditing:
➢ Incident Based
➢ Time Based
➢ Appropriate Outside Authority (Sarbanes–Oxley)
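The AAA loop of slide 7 and the "Action" and "Auditing" steps of slides 8 and 9, worked as an added example that is not part of the presentation: constructed accounting records are analyzed for the suspicious signatures the slides name (a run of failed logins, a login from outside the trusted network, an off-hours login), each finding carries the action to take (alert, flag, or revoke authentication pending audit), and an audit trail line is emitted per decision as the "added accounting" bread crumb. The usernames, addresses, permitted hours and thresholds are assumed values, not anything from the talk.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample accounting records: timestamp, username, source IP, outcome.
# These are made-up lines, not data from the presentation.
ACCOUNTING_LOG = """\
2015-05-14T08:02:11 alice 10.1.4.22 success
2015-05-14T08:05:40 bob 10.1.4.23 success
2015-05-14T17:31:02 alice 10.1.4.22 success
2015-05-14T23:14:09 bob 203.0.113.7 failure
2015-05-14T23:14:31 bob 203.0.113.7 failure
2015-05-14T23:14:52 bob 203.0.113.7 failure
2015-05-14T23:15:10 bob 203.0.113.7 success
2015-05-15T03:40:00 carol 10.1.4.30 success
"""

# Authorization policy (assumed values): permitted login hours, trusted networks,
# and how many failures inside a window count as a suspicious signature.
POLICY = {
    "allowed_hours": (7, 19),           # 07:00 up to, but not including, 19:00
    "trusted_prefixes": ("10.1.4.",),   # internal network only
    "failure_threshold": 3,
    "failure_window": timedelta(minutes=5),
}


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    outcome: str


@dataclass
class Finding:
    user: str
    rule: str      # which suspicious signature matched
    action: str    # alert / flag / revoke: the "Action" of the 5 A's
    detail: str


def parse_log(text: str) -> list[Event]:
    """Accounting: turn the raw transactional records into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, src, outcome))
    return events


def analyze(events: list[Event], policy=POLICY) -> list[Finding]:
    """Analysis and trends: walk the accounting trail in order and decide actions."""
    findings = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    lo, hi = policy["allowed_hours"]
    for ev in events:
        # Keep only the failures still inside the sliding window for this user.
        recent = [t for t in failures[ev.user] if ev.ts - t <= policy["failure_window"]]
        if ev.outcome == "failure":
            recent.append(ev.ts)
            failures[ev.user] = recent
            if len(recent) >= policy["failure_threshold"]:
                findings.append(Finding(ev.user, "repeated-failure", "alert",
                                        f"{len(recent)} failures from {ev.src}"))
            continue
        failures[ev.user] = recent
        if not ev.src.startswith(policy["trusted_prefixes"]):
            # A success from outside right after a failure streak is the pattern
            # where revoking authentication (pending audit) is the safer action.
            action = "revoke" if len(recent) >= policy["failure_threshold"] else "flag"
            findings.append(Finding(ev.user, "untrusted-source", action,
                                    f"login from {ev.src}"))
        if not lo <= ev.ts.hour < hi:
            findings.append(Finding(ev.user, "off-hours", "flag",
                                    f"login at {ev.ts.isoformat()}"))
    return findings


def audit_trail(findings: list[Finding]) -> list[str]:
    """Added accounting / bread crumbs: one auditable line per decision taken."""
    return [f"{f.user}: {f.rule} -> {f.action} ({f.detail})" for f in findings]


if __name__ == "__main__":
    for line in audit_trail(analyze(parse_log(ACCOUNTING_LOG))):
        print(line)
```

The point of keeping the three pieces separate (parse, analyze, audit trail) is that the accounting data is the same data the slides say is usually captured only for cost accounting; the only new work is the analysis and the decision about action, and the audit line is what the incident-based or time-based review on slide 9 would read.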

SLIDE 10

Physical Systems and Cyber Systems Overlap:
➢ SCADA (supervisory control and data acquisition)
➢ Design, Bid, Build, Operate Infrastructure and Buildings
➢ Manipulation of on-line systems to alter Physical Access or SCADA Controls
➢ Infrastructure attack:
  ➢ Aside from being costly and potentially deadly, initiates certain protocol responses.
  ➢ Detection systems down, response over-rides, reboots, administrator logins, distraction, chaos, false alarm mentality… creates cloaked opportunities for… you name it.
SLIDE 11

SCADA
➢ SCADA is a multi-tiered system
➢ Probes and controls to measure and alter temperature, pressure, flow, valves, scales, doors, bins, voltage, etc.
➢ Processing based on Windows, Linux, Solaris, etc.
➢ Human Interfaces (GUI) > Windows, “APPS”, Android
➢ Communication of Data > Analog, Serial, Wifi, RFI, Radio, X.10, TCP/IP (The Cloud).

SLIDE 12

SCADA
➢ SCADA controls… Dams, Locks, Nuclear Power Plants, Drinking Water Systems, Traffic Control, Manufacturing, MEP Building Systems.
➢ So what?
➢ The systems are vulnerable
➢ Ubiquitous access to most systems in the clear
➢ No encryption for the native protocols
➢ No authentication for the native protocols
➢ Operators are not educated on security
➢ Becoming more pervasive
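As an added example that is not part of the presentation: a passive monitor for one widely deployed native SCADA protocol, Modbus/TCP, which the slides do not name but which has exactly the two properties listed above, no encryption and no authentication field anywhere in the frame. Because the protocol itself cannot say who is entitled to issue a write, the only handle a defender has at the network level is which hosts are allowed to send write function codes, so the monitor parses each request and alerts on writes from any host outside an allowlist. It goes slightly beyond the slide by parsing any standard request frame rather than one case. The allowlist, addresses and sample frames are constructed assumptions.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP public function codes. Reads only observe; writes change the
# state of whatever the PLC drives (coils, setpoints, valves, doors).
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Assumed allowlist: the one engineering workstation that is supposed to write.
ALLOWED_WRITERS = {"10.1.4.50"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header followed by the PDU.
    Every field is plaintext and there is no credential, signature or MAC to
    verify, so a parser can tell WHAT is requested but never WHO is entitled to it."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol identifier is not 0 (Modbus)")
    if length != len(frame) - 6:        # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(transaction_id, unit_id, frame[7], frame[8:])


def build_request(transaction_id: int, unit_id: int, function_code: int, payload: bytes) -> bytes:
    """Encode a request frame; used here only to construct the sample capture."""
    pdu = bytes([function_code]) + payload
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def inspect(src_ip: str, frame: bytes, allowed=ALLOWED_WRITERS) -> tuple[str, str]:
    """Passive monitor verdict for one frame: ('ok' | 'log' | 'alert', reason)."""
    req = parse_modbus_tcp(frame)
    fc = req.function_code
    if fc in WRITE_CODES:
        if src_ip in allowed:
            return "log", f"{WRITE_CODES[fc]} to unit {req.unit_id} from {src_ip}"
        return "alert", f"{WRITE_CODES[fc]} to unit {req.unit_id} from unauthorized host {src_ip}"
    if fc in READ_CODES:
        return "ok", f"{READ_CODES[fc]} from {src_ip}"
    return "alert", f"unexpected function code {fc} from {src_ip}"


# Constructed capture: (source IP, frame). Not real traffic.
SAMPLE_TRAFFIC = [
    ("10.1.4.50", build_request(1, 1, 6, struct.pack(">HH", 0x0010, 500))),       # workstation sets a setpoint
    ("10.1.4.22", build_request(2, 1, 3, struct.pack(">HH", 0x0000, 10))),        # HMI reads 10 registers
    ("203.0.113.7", build_request(3, 1, 5, struct.pack(">HH", 0x0003, 0xFF00))),  # coil write from outside
]


def monitor(traffic=SAMPLE_TRAFFIC) -> list[str]:
    """Verdict per frame, in capture order."""
    return [inspect(src, frame)[0] for src, frame in traffic]


if __name__ == "__main__":
    for (src, frame) in SAMPLE_TRAFFIC:
        print(*inspect(src, frame))
```

The allowlist is a compensating control, not a fix: a host on the list is trusted entirely because the protocol gives the monitor nothing else to check, which is the practical meaning of "no authentication for the native protocols" on the slide.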

SLIDE 13

New Projects
Design, Bidding, Construction, Operations
➢ Plans, MEP systems, Specifications, Manuals
➢ It is all on-line!

Rehabilitation Projects
Design, Bidding, Construction, Operations
➢ Plans, MEP systems, Specifications, Manuals
➢ It is all on-line!

SLIDE 14

Base and Post Operations (Home and Abroad)
➢ Childcare Centers
➢ Officer’s Clubs
➢ Critical Command Center locations
➢ Barracks
➢ Procedures for Convenience
➢ Hours of access
➢ Events and gatherings
➢ It is all on-line!

SLIDE 15

The Art of War
➢ The Battle of Security vs. Convenience
➢ Knowing your enemy (Threat Vectors)
  ➢ What are they after?
  ➢ How would they get in?
  ➢ How would you know?
➢ Knowing yourself and your vulnerabilities
  ➢ Will you survive?
  ➢ What are my defenses?
  ➢ What are my warning signs and detections?
  ➢ What action do we take?

SLIDE 16

Decision Making
Designing Systems and Operating Critical Infrastructure
➢ Need to Know Basis
➢ Access to Places and Systems
➢ Parts or Whole
➢ Trusted parties
➢ If we need to share it, can that be a transaction rather than an indefinite repository of information?
➢ Can we unplug it?
➢ Who? What? Where? When? Why? How?
➢ The 5 A’s

SLIDE 17

Cyber Associations and Accreditations
International Association of Cloud Computing & Managed Services Providers (MSPA)
➢ Certified And Examined Cloud & Managed Service Providers
International Information System Security Certification Consortium, Inc., (ISC)²
➢ Certified Information Systems Security Professional (CISSP)
Information Systems Audit and Control Association (ISACA)
➢ Certified Information Systems Auditor (CISA)

SLIDE 18

MSPA
➢ Code of Ethics
➢ Based on Engineers, Doctors and Lawyers Ethics Codes – Public Safety, Integrity, Competency and Trust
➢ http://www.mspalliance.com/code-of-ethics/
➢ IT Consumer Guide
➢ What questions to ask when purchasing Computing and IT services
Accreditation Program
➢ Unified Certification Standard (UCS)
➢ Also SAS 70 -> SSAE 16

SLIDE 19

MSPA Accreditation
➢ MSP Organization, Governance, Planning, and Risk Management
➢ MSP Policies and Procedures
➢ Confidentiality and Privacy
➢ Service & Program Change Management
➢ Event Management
➢ Logical Security
➢ Data Integrity and Availability
➢ Physical and Environmental Security
➢ Service Level Agreements, Reporting and Billing
➢ Corporate Health
➢ http://www.mspalliance.com/ucs-published-standard/

SLIDE 20

A Good Society
➢ NSPE, ASCE, SAME, ABET, NCEES
➢ Exams and Professional Registration
➢ Apprenticeship and Recommendations
➢ State Building Codes
➢ Design Professionals
➢ Building Officials
➢ Special Inspections
➢ Let’s embrace cyber systems and computer engineering as an integral part of our Training, Accreditation, Registration, and Professional Practice.

SLIDE 21

Michael E. Backers, P.E.
Regional Manager, Cincinnati/Dayton
937.847.9707
mbackers@patrioteng.com