usable security for control systems
play

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, - PowerPoint PPT Presentation

Aug 28, 2022 •248 likes •350 views

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist junho.huh@honeywell.com Honeywell.com What is usable security? Building security solutions that are intuitive and easy to use Many security

  1. Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist junho.huh@honeywell.com

  2.  Honeywell.com What is usable security? • Building security solutions that are intuitive and easy to use – Many security architects do not consider usability tradeoffs and implications – Do not know how to measure and balance the security and usability tradeoffs • Improving usability of existing security solutions without compromising too much security • Designing security based on understanding of users’ mental models, perceptions, capabilities, and technological gaps • The usable security community is actively investigating topics like usable authentication, privacy, security perceptions/experiences in different countries, security for minority groups, and so on.

  3.  Honeywell.com What is the current status of usable security for control systems? Security mechanisms for control systems are often designed without much consideration of usability implications Security architects often don’t understand operators’ security awareness levels, expectations, preferences, and capabilities in using security mechanisms The usable security community isn’t really looking into this space…

  4.  Honeywell.com Result: Control systems are often equipped with tedious security mechanisms that are hard to use

  5.  Honeywell.com Having received numerous user experience complaints from customers, management folks have tendency to pushback security mechanisms that may significantly hinder daily operations of operators

  6.  Honeywell.com RBAC project experiences • In 2011, Honeywell worked with UIUC on a DOE-funded project to design an role-based access control (RBAC) system for distributed control systems (DCS) • Designed an RBAC model fully tailored to DCS requirements – capable of capturing complex RBAC policies – e.g., temporal constraints, environmental attributes, role templates • Designed an UI for managing complex RBAC policies

  7.  Honeywell.com Strong pushback to deploy the new RBAC model because it was too complicated for DCS admins and operators to understand and use

  8.  Honeywell.com Issue 1: Authentication for controllers • Field operators often manage tens or sometimes hundreds of controllers across multiple building sites – A separate user account needs to be created for each controller – Operators end up managing tens or hundreds of passwords – Often use the same password across all controllers – Sometimes share the password with other operators • Periodically changing a lot of passwords is cumbersome • For admins, managing user accounts is difficult – e.g., deleting user accounts, assigning permissions to users, proper auditing is infeasible when operators share accounts, etc. • Possible directions: Single sign-on (SSO), one-time passwords (OTP), and biometric authentication

  9.  Honeywell.com Issue 2: Cybersecurity dashboards • Existing research on intrusion detection for control systems primarily focus on advancing intrusion/anomaly detection engines – Designing new detection algorithms – Improving detection performance • How do we present the information about the detected events? – Operators are non-experts – Existing warning systems are often not intuitive and hard to use – Not enough research is being done in this area • Intuitive dashboards need to be designed to help operators easily understand detected cyber events, and quickly take desirable actions – Design based on the understanding of operators’ security awareness levels, expectations, preferences, and capabilities – Conduct user studies to evaluate intuitiveness and ease of use

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Advanced Systems Security: Control-Flow Integrity Trent Jaeger Systems and Internet

Advanced Systems Security: Control-Flow Integrity Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Control-Flow Integrity Trent

1.55k views • 36 slides
Usable Security: Quo Vadis? Konstantin (Kosta) Beznosov Laboratory for Education and Research in

Usable Security: Quo Vadis? Konstantin (Kosta) Beznosov Laboratory for Education and Research in

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Usable Security: Quo Vadis? Konstantin (Kosta) Beznosov Laboratory for Education and Research in Secure Systems Engineering lersse.ece.ubc.ca Electrical and Computer

348 views • 9 slides
Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner

Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

395 views • 12 slides
Security CS 4410 Operating Systems References: Security Introduction and Access Control by Fred

Security CS 4410 Operating Systems References: Security Introduction and Access Control by Fred

Security CS 4410 Operating Systems References: Security Introduction and Access Control by Fred Schneider Historical Context 1961 1969 1960s OSes begin to be shared. Enter: Communication Synchronization Protection Security:

1.16k views • 53 slides
Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings

Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings

Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings September 13, 2006 Boston, MA Stuart Katzke and Keith Stouffer, National Institute of Standards & Technology, Gaithersburg, MD Marshall Abrams, The

460 views • 23 slides
DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research and Instruction in Technologies for Electronic Security Department of Computer Science University of Illinois at Chicago The Domain Name

598 views • 48 slides
June 2017 ECL Cyber Security Senior Systems Engineer Engineering Control Ltd 10+ years

June 2017 ECL Cyber Security Senior Systems Engineer Engineering Control Ltd 10+ years

June 2017 ECL Cyber Security Senior Systems Engineer Engineering Control Ltd 10+ years experience Control Systems (DCS/PLC) Safety Systems (TV FSE 7040/13) Industrial Networks (Ethernet/fibre) Server Management

417 views • 19 slides
Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim

Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim Kobeissi 1.5a Usable Security: Then and Now 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi Humans are

1.24k views • 67 slides
Version Control Systems (Part 1) Devin J. Pohly <djpohly@cse.psu.edu> CMPSC 311:

Version Control Systems (Part 1) Devin J. Pohly <djpohly@cse.psu.edu> CMPSC 311:

Systems and Internet i Infrastructure Security i Institute for Networking and Security Research Department of Computer Science and Engineering Pennsylvania State University, University Park, PA Version Control Systems (Part 1) Devin J.

581 views • 47 slides
Version Control Systems (Part 2) Devin J. Pohly <djpohly@cse.psu.edu> CMPSC 311:

Version Control Systems (Part 2) Devin J. Pohly <djpohly@cse.psu.edu> CMPSC 311:

Systems and Internet i Infrastructure Security i Institute for Networking and Security Research Department of Computer Science and Engineering Pennsylvania State University, University Park, PA Version Control Systems (Part 2) Devin J.

406 views • 40 slides
Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell,

715 views • 34 slides
yxwvutsrponmlkihgfedcbaUTSONCA Control systems are computer based facilities, systems, and

yxwvutsrponmlkihgfedcbaUTSONCA Control systems are computer based facilities, systems, and

7/11/2011 Why this presentation? This is an emerging and important area of information assurance that of cyber physical systems. CPS instantiated in the industrial world can be view as control system security or sometimes called

130 views • 10 slides
What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given

What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given

What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given a choice between dancing pigs and security, users will pick dancing pigs every time. Felton and McGraw (1999) clicky lusers BYU LAB

1.12k views • 84 slides
Security Challenges and Requirements for Industrial Control Systems in the Semiconductor

Security Challenges and Requirements for Industrial Control Systems in the Semiconductor

Security Challenges and Requirements for Industrial Control Systems in the Semiconductor Manufacturing Sector Malek Ben Salem Accenture Technology Labs NIST Workshop on Cyber-Security for Cyber-physical Devices April 23 rd , 2012 Outline

837 views • 37 slides
Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of

Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of

Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of Internet Speaking to a host end-to-end channel Communication security container-based authenticity: X.509, Certificate

678 views • 57 slides
ICS Vulnerability Disclosure To Disclose or Not to Disclose ICS-CERT Control Systems Security

ICS Vulnerability Disclosure To Disclose or Not to Disclose ICS-CERT Control Systems Security

ICS Vulnerability Disclosure To Disclose or Not to Disclose ICS-CERT Control Systems Security Program U.S. Department of Homeland Security ICS Security Entered the Public Stage Pace for ICS Vulnerability Disclosure is Quickening Reported ICS

403 views • 24 slides
Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon,

Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon,

Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon, Vyas Sekar Michael K. Reiter Context: Infrastructure-as-a-Service Clouds Client API Cloud Controller VM VM Machine VM VM VM Machine Machine

919 views • 73 slides
Unit 8 Compiling C/C++ Code Debugging Programs 2 COMPILATION 3 Editors "Real"

Unit 8 Compiling C/C++ Code Debugging Programs 2 COMPILATION 3 Editors "Real"

1 Unit 8 Compiling C/C++ Code Debugging Programs 2 COMPILATION 3 Editors "Real" developers use editors designed for writing code No word processors!! You need a text editor to write your code Eclipse, Sublime, MS

625 views • 26 slides
4th Grade Multiplication & Division of Multi-Digit Numbers 2013-03-21 www.njctl.org Slide

4th Grade Multiplication & Division of Multi-Digit Numbers 2013-03-21 www.njctl.org Slide

Slide 1 / 156 New Jersey Center for Teaching and Learning Progressive Mathematics Initiative This material is made freely available at www.njctl.org and is intended for the non-commercial use of students and teachers. These materials may not be

693 views • 52 slides
HB # : increasing the security and effjciency of HB + Henri Gilbert, Matt Robshaw, and Yannick

HB # : increasing the security and effjciency of HB + Henri Gilbert, Matt Robshaw, and Yannick

HB # : increasing the security and effjciency of HB + Henri Gilbert, Matt Robshaw, and Yannick Seurin Eurocrypt 2008 April 16, 2008 intro HB+ random-HB # HB # general MIM attacks conclusion the context pervasive computing (RFID tags . .

530 views • 23 slides
Power Grid Analysis with Hierarchical Support Graphs Xueqian Zhao Jia Wang Zhuo Feng Shiyan Hu

Power Grid Analysis with Hierarchical Support Graphs Xueqian Zhao Jia Wang Zhuo Feng Shiyan Hu

Design Automation Group Power Grid Analysis with Hierarchical Support Graphs Xueqian Zhao Jia Wang Zhuo Feng Shiyan Hu 2011 International Conference on Computer-Aided Design (ICCAD) 1 Power Grid Modeling & Analysis Multi-layer

456 views • 13 slides
IT Infrastructure: Hardware and Software LEARNING OBJECTIVES What are the components of IT

IT Infrastructure: Hardware and Software LEARNING OBJECTIVES What are the components of IT

9/23/2013 IT Infrastructure: Hardware and Software LEARNING OBJECTIVES What are the components of IT infrastructure? What are the major computer hardware, data storage, input, and output technologies used in business? What are

424 views • 19 slides
iCoq : Regression Proof Selection for Large-Scale Verification Projects Karl Palmskog University

iCoq : Regression Proof Selection for Large-Scale Verification Projects Karl Palmskog University

iCoq : Regression Proof Selection for Large-Scale Verification Projects iCoq : Regression Proof Selection for Large-Scale Verification Projects Karl Palmskog University of Illinois at Urbana-Champaign Joint work with Ahmet Celik and Milos

837 views • 45 slides
Software and Programming I Lab 2: Step-by-step execution of programs using a Debugger

Software and Programming I Lab 2: Step-by-step execution of programs using a Debugger

Software and Programming I Lab 2: Step-by-step execution of programs using a Debugger SP1-Lab2-20.pdf 1 23 January 2020 Tobi Brodie (tobi@dcs.bbk.ac.uk) Lab Session 2: Objectives This session we are concentrating on BlueJs built-in

658 views • 32 slides

More recommend