Several Invensys staffers gave interesting talks on systems security. The most interesting was Ernie Rakaczky, whose sermon was about prevention of system attacks instead of reaction to them.
"Everything starts with a site security review," he said, "that addresses your specific needs. This is really a risk assessment."
"Being secure doesn't mean giving up productivity," he went on, "but it does mean that you may have to be more rigid with your processes."
Your security system should be built of multiple layers, and the judgement call at each layer is a risk vs. value assessment. You may want to consider data isolation strategies, building "data DMZs" for data that is both critical and susceptible to attack. You may want to seriously consider data warehousing, so that people pull data from a replicated copy instead of going directly to the operating control system.
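To make the "data DMZ" idea concrete, here is an added example (not from the article or from Invensys) of a minimal nftables ruleset for a firewall sitting between the control network, a DMZ holding a replicated historian, and the business network. The interface names, subnets, historian address and replication port are assumptions for illustration only. The point it shows that the paragraph does not is direction: the control network pushes data out to the DMZ, business users query the DMZ copy, and nothing is allowed to initiate a connection into the control network.

```nft
# Added example, not from the original article or from Invensys.
# Zones (assumed for illustration):
#   eth0  control network   10.10.0.0/24  (DCS, operator stations)
#   eth1  data DMZ          10.20.0.0/24  (replicated historian at 10.20.0.10)
#   eth2  business network  10.30.0.0/24  (analysts, reporting tools)
table inet data_dmz {
    chain forward {
        # Default deny: anything not listed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows permitted below.
        ct state established,related accept

        # Control network pushes historian data into the DMZ only
        # (assumed replication over TCP/5432). No other egress from control.
        iifname "eth0" oifname "eth1" ip saddr 10.10.0.0/24 ip daddr 10.20.0.10 tcp dport 5432 accept

        # Business users query the DMZ copy, never the control system itself.
        iifname "eth2" oifname "eth1" ip saddr 10.30.0.0/24 ip daddr 10.20.0.10 tcp dport 5432 accept

        # Log and drop any attempt to initiate a connection into the control network,
        # whether it comes from the DMZ or from the business side.
        oifname "eth0" log prefix "blocked-to-control " drop
    }
}
```

Because the only rule that touches the control interface on the way out is the push from eth0 to eth1, a compromised historian or business workstation has no permitted path to the DCS; the `log` rule gives you a record of anyone trying.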
"The key concern," Rakaczky said, "is the impact of Day Zero. That's the day the attack first starts."
Day Zero is not addressed by anti-virus; it is not addressed by network detection and monitoring; it is not addressed by patch management. And this is not a Windows issue; it is true for all operating systems.
Invensys, he reported, is security focused, building security from within, in new product development, in existing products, and with new validation and testing methodology. Invensys helps end users in the design phase of projects, in the implementation phase of projects, and, above all, Invensys offers security program management services. (There's that "services" word again...)
Invensys has established a security-focused website: https://ips.csc.invensys.com. On this site are whitepapers, tutorials, links, and more.
Invensys also provides Security Review services, system hardening, and solution implementation.
"We are the industry leaders," Rakaczky boasted. "We were the first DCS supplier to ship our product with integrated anti-virus. We run our vulnerability scans on our own equipment."
Rakaczky implored his audience to get involved with the standards working groups, such as ISA SP99, the PCSRF (NIST's Process Control Security Requirements Forum) and others. "It is exciting to be part of this," he said.