Cyber Security - Amends -...
• Cundall IT and audio visual
• Setting the scene
• UK construction industry
• Computer networks
• Ethical hacker
• Case studies
• Summary
• Final thoughts
Cyber security
• Lifecycle, consultancy led
– Strategy and business case support
– Concept and detailed design
– Procurement and implementation
• Key areas
– Revenue generation / cost reduction
– Audio visual and collaborative technology
– IP data networks (wired/wireless/mobile)
• Main projects (large IT / audio visual influence)
– Offices and data centres
– Schools, colleges, universities
– Hotels, sports venues
IT and audio visual - services
Cundall sectors
Critical Systems, Education, Government, Healthcare, Industrial, Lifestyle, Masterplanning and infrastructure, Residential, Retail, Workplace
Sample projects
Sussex Coast College, Hastings and Ore, United Kingdom
New Street Square (Deloitte HQ), London, United Kingdom
Lingfield Park redevelopment, Surrey, United Kingdom
Porto Dubai Island, Dubai, United Arab Emirates
Workplace: Deloitte London Campus, ENI Saipem, Antofagasta
Education: Sussex Coast College, Sevenoaks School, Lycee Francais School
Residential: One Hyde Park, Smart Home, Porto Dubai
Critical Systems: Confidential clients, Cobalt Data Centre, Kingfisher
Lifestyle: Twickenham Stadium, Lingfield Racecourse, Dubawi Island
Healthcare: Northern Ireland Telephony, Hospices, The London Clinic
Setting the scene
National Cyber Security Programme Investment (2011-2015)
Department for Business, Innovation and Skills, working with the private sector and improving resilience: 2%
Home Office, tackling cyber crime: 10%
Single Intelligence Account, building cross-cutting capabilities, including Information Assurance: 59%
Cabinet Office, co-ordinating and maintaining a view of operational threat: 5%
Ministry of Defence, mainstreaming cyber in defence: 14%
Government ICT, building secure online services: 10%
Setting the scene
CESG – Communications Electronics Security Group: UK Government's National Technical Authority for Information Assurance (IA).
• Cyber security: http://www.cpni.gov.uk/advice/infosec/
• Protection of business systems
– Applications
– IP networking (computer networks)
– Operating systems
– SCADA or similar building control networks (i.e. BMS)
– Telecommunications
Setting the scene
• Most don’t know they have a problem:
– If they do, few understand it
• What is the problem:
– Computer systems and networks increasingly control buildings/estates/cities
– Compromise the networks, compromise the buildings
– Solution?: no networks
• Answer: NO! No benefit to clients
UK construction industry
• Benefits versus risks. Understand risks – understand technology and how it can be abused
• Construction industry is a slow moving industry
– Best practice?
• Often what was done last time (and before…)
– Technology adoption 5-10 years – inertia is a problem
– Designs often obsolete when constructed
• Supply chain not up to the job (IT companies moving in)
• What the industry needs is a very public security breach of a building to raise profile (not advertised…)
UK construction industry
• Examples of ‘compromising a building’:
– Take control (or just turn off) security and building management systems:
• De-activate cameras, delete CCTV footage (theft)
• Change access control permissions (theft)
• Lighting control (nuisance, cost)
• BMS (change parameters, alarm handling)
– Nuisance?
– Mission critical – lead to downtime
• Remote power management – turn devices or even the building off (downtime, death?)
UK construction industry
• Need to understand technology and design building computer networks and systems that deliver benefits to clients but mitigate security risks.
• Networks are multi-layer, from applications to bits & bytes
Computer networks
• A few simple steps to improving security:
– Think holistically
– Have a policy
– Educate staff
– Control who has access
– Manage passwords
– Patch and update systems
– Deploy firewalls and intrusion detection
– Leave programmable systems in ‘run’ mode, not ‘programme’ mode
Computer networks
• You have designed secure networks/systems for buildings, how do you commission and prove the configurations are correct?
Ethical hacker
Penetration testing
• BMS and lighting network
• Financial trading environment
• Global IT standards
• Network design reviewed by client IT
• Part of network traverses corporate network
Case study - bank
Case study – large campus
• Multi-million lifecycle network
• All services run over multiple virtual networks
• Architecture allows for multiple 3rd parties to operate securely
• External and internal threats considered
• Users and devices authenticated
• Architecture appropriate for a large campus, hospital, airport
• Cyber security
– Design development – benefits v risks
– Multi-layer problem, multi-layer approach required
– Different mind-set for commissioning
– Don’t forget people and policy!
Summary
Answer
• Depends – you can use wireless access points to detect rogue wireless access points
(You need to consider the risk that someone has attached an unauthorised wireless device to the network and is broadcasting information outside of the building or locally to a receiving device. You also get the benefit of having wireless!)
Some final thoughts
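To make the rogue access point answer above concrete, here is an added example (not from the original slides) of how scan results collected by the building's own managed access points can be triaged. It assumes a constructed inventory of authorised radios, a constructed switch MAC address table and constructed scan sightings; the MAC-adjacency check is a heuristic used by many wireless controllers, not a guarantee.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Sighting:
    sensor: str   # managed AP that heard the beacon
    bssid: str
    ssid: str
    rssi: int     # dBm; less negative means closer to that sensor

# Constructed inventory of authorised AP radios (BSSID -> SSID it should advertise)
AUTHORISED = {"00:11:22:33:44:01": "CORP-WIFI", "00:11:22:33:44:02": "CORP-WIFI"}
CORPORATE_SSIDS = {"CORP-WIFI", "BMS-MAINT"}
# Constructed MAC address table exported from the edge switches (MAC -> port)
WIRED_MACS = {"a4:5e:60:10:20:30": "Gi1/0/7", "00:11:22:33:44:01": "Gi1/0/1"}
STRONG_RSSI = -70  # heard above this: the radio is probably inside the building

def _mac_int(mac):
    return int(mac.replace(":", ""), 16)

def on_wire(bssid):
    """Heuristic: a rogue's BSSID usually lies within a few addresses of its wired MAC."""
    return any(abs(_mac_int(bssid) - _mac_int(m)) <= 8 for m in WIRED_MACS)

def classify(sightings):
    """Group sightings per BSSID; return {bssid: (verdict, nearest_sensor, best_rssi)}."""
    by_bssid = defaultdict(list)
    for s in sightings:
        by_bssid[s.bssid.lower()].append(s)
    report = {}
    for bssid, seen in by_bssid.items():
        best = max(seen, key=lambda s: s.rssi)  # sensor that heard it loudest
        if bssid in AUTHORISED:
            verdict = "authorised" if AUTHORISED[bssid] == best.ssid else "authorised-misconfigured"
        elif best.ssid in CORPORATE_SSIDS:
            verdict = "evil-twin"       # foreign radio impersonating one of our SSIDs
        elif on_wire(bssid):
            verdict = "rogue-on-lan"    # unauthorised radio bridged into our network
        elif best.rssi > STRONG_RSSI:
            verdict = "unknown-inside"  # strong but not on our wire: check nearest sensor
        else:
            verdict = "neighbour"       # weak, from outside the building: just record
        report[bssid] = (verdict, best.sensor, best.rssi)
    return report

# Constructed scan export from two managed APs acting as sensors
SCAN = [Sighting("ap-floor1", "00:11:22:33:44:01", "CORP-WIFI", -40),
        Sighting("ap-floor1", "a4:5e:60:10:20:34", "TP-LINK_2034", -52),  # next to plant-room switch
        Sighting("ap-floor2", "a4:5e:60:10:20:34", "TP-LINK_2034", -71),
        Sighting("ap-floor2", "de:ad:be:ef:00:01", "CORP-WIFI", -58),     # our SSID, not our radio
        Sighting("ap-floor2", "c0:ff:ee:00:00:99", "CafeGuest", -84)]
```

Running `classify(SCAN)` flags the TP-LINK radio as bridged onto the wired network nearest ap-floor1 and the second CORP-WIFI radio as an impersonator, while the weak café network is only recorded.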
Question
Is the following good practice?
“Set the BMS password at the head-end to ‘0’, it will be easy to remember then”
Some final thoughts
Question
Is the following a sufficient performance specification for a network?
“Provide a network for corporate, security and BMS use. Deliver 1 gigabit to the desk performance.”
Some final thoughts
Question
Is the following good practice?
“Have separate physical data networks for corporate, security, BMS and other services?”
Some final thoughts
Answer – in most cases - No
• Multiple networks that need to be maintained, monitored and updated
• Separate networks mean passing information between networks which creates vulnerabilities
• Benefits to the client?
Some final thoughts
Question
Is the following good practice?
“…we have a separate network, it is not connected to the internet or other networks, we don’t need IT security…”
Some final thoughts
• Answer – No
If you ask them whether they use laptops during maintenance and fault finding, the answer is likely to be yes.
Therefore, the network is vulnerable.
• Stuxnet Trojan that attacked (re-programmed) Siemens PLCs
− N.B. Traverses networks not connected to the Internet/other networks
Some final thoughts