Cevn Vibert CITP MIET MInstMC MBCS MISA MISSA MCSA MISACA CERT210W
Global Director Industrial Cyber Security
Vibert Solutions Ltd.
Cevn Vibert designed and managed the Thales UK OT/IT/Cyber/Comms/C4i CNI Protection Demo/Learning/Training/Dev Facility. He helped launch a top UK SCADA Distributor into Industrial Cyber, created marcom, strategy, and webfeed for Industrial System Integrators, assisted a Cyber global vendor in compliance and strategy, trained a team of Security officers in Norway, led a global oil company building a global OT SOC (GSOC), and is currently assisting OT Cyber Risk Assessments and Security Designs on a large pipeline control system.
Cevn has delivered solutions for CNI and most industries in many countries. He has provided innovative solutions for EDF, Sellafield, Network Rail, Thames Water, Ford, Shell, Kuwait Oil Company, Ryvita, Procter & Gamble, GlaxoSmithKline, Infineum, London Underground, MOD, Ginsters and many other organisations in the UK and overseas.
Cevn has had extensive experience in Automation, SCADA, MES, Physical and Cyber Security.
Cevn often speaks or chairs on practical Industrial Cyber at international conferences, recently chairing an Aviation Cyber conference and then a Maritime Cyber conference. He has relationships with UK Cyber University Academies CoEs and has spoken alongside NCSC at several events. Cevn is known for speaking Technical-in-Human during these exciting times. Cevn is frequently blogging on LinkedIn and welcomes links from new people. He manages many topic-specific LinkedIn groups and is Education Officer for The Institute of Measurement and Control (Wessex).
Presentation: Practical Industrial Cyber Security Enhancements for CIP
The Industrial Cyber Security market is facing rapid changes as more threats are discovered, more impact is felt by end-users and Cyber Security vendors vie for leadership. The paper highlights both alerts and advice for end-users of automation and control systems (ICS/OT) and selected advisory notes for practitioners of Industrial Cyber Physical Security.
The paper provides strategic methodologies and programmes of activities for mitigating impacts on IIOT and IOT, and shows how Holistic Integrated Security can provide comprehensive situational awareness. Multiple types of security are addressed, together with some mythical attack and defence scenarios. The history of Industrial cyber-attacks is mentioned briefly, to counterpoint the prevalent myths of defence, and finally some alerts to the Cyber arms race are given.
End-users face increased pressure to improve their security stance, and the paper discusses some successful methods for implementing these improvements including a “stairway”, a “jigsaw” and an “A-Team”.
The Cyber Physical bad guys are now attacking IOT and IIOT. They are constantly getting better at attacking and so the good guys must also constantly get better at defending. There is much evidence that most good guys have not even properly started to improve their security stance yet, so this is also a serious ‘call-to-action’ paper.
Our modern society is built on automation, control systems and their management. The “Things”, mentioned often in the Internet of Things (IOT) and the Industrial Internet of Things (IIOT), are becoming smarter and more ubiquitous. If you think about all the automation-controlled “Things” that have contributed to your day and try to list them, you may be surprised and perhaps a little worried to know that they are also being invisibly attacked.
Food Manufacturing, Transport (Planes, Trains, Automobiles, etc.), Clothing, Water Treatment, Waste Processing and Management, Pharmaceutical Manufacturing and Testing, Logistics, Medical Device Manufacturing, Energy (Generation, Transmission, Distribution), Power, Defence, Hospitals, Cashpoints, and Beverage Dispensers are just some of the examples of this melange of “Things” in our personal lives.
Critical National Infrastructures are under immense pressure from Government, Regulators, and themselves to enhance their defences, improve Cyber monitoring and re-work the gargantuan quantities of legacy systems. This is not an easy task with Industrial IT, due to a range of largely legacy problems. The aging and legacy Industrial systems were not designed to be monitored, interrupted and scanned by active defence solutions. These security problems are procedural, legislative and technical, so all end-users are now having to review remediation against enormous business and operational risks.
The rise in attacks on these ‘Things’ has started to concern people. National Infrastructures are investing in improvement plans, and many markets are ahead of the game, but much more remains to be done. Meanwhile the bad guys get better at attacking.
We now know of many new Cyber Perpetrators/Threats and there is a veritable ‘Cyber Zoo’ of Attackers: Yetis, Bears, Dragons, Dragonfly, Worms, Penguins, etc. A whole new Cyber Genus perhaps yet to come?
There are also many new words and references in our evolving Cyber weapons vocabulary: Cyber Zombies, Watering holes, Slammer, Nachi, Mahdi, Shamoon, Red October, Petya, ShadowBrokers, Conficker, Duqu, Flame, Havex, APTs, Blasters, Dumpsters, Drive-bys, Honeypots, Pastebin, Phishing, BotNets, Trojans, Heartbleed, Modbus and CANbus, etc. all being aired or created on social media and on news sources around the world.
Figure 2: Industrial Cyber words (used wordle.org)
Many conferences now harangue the audience as being ‘incompetent’, again tongue-in-cheek, aiming both at the vendors and integrators who do not implement Security-by-Design in their products and systems, and at the security industry, which has not yet eradicated cyber-attacks by Leap-Frogging the bad guys with new innovative defences and solutions.
The steps to climb the stairway to security can be very high, certainly for organisations with extensive legacy systems, but the steps need to be climbed, and sooner rather than later. The best approach is often to build small steps and parallel steps, and to think differently.
Remember, the bad guys are always improving, so it is essential for organisations to also keep improving and, more than that, to look for that giant leap ahead in defences. There is talk of new Secure Operating Systems, new Secure Trusted Computer Systems, and of the increased lock-down and monitoring of The Internet. All these advances are being made, but are they appearing on the market quickly enough to make that giant leap forward in the Cyber Arms Race?
The industry must now stop talking about Stuxnet and start talking about Innovation and new ways of thinking. Keynote speakers are talking about the soft skills of the Cyber War. Cyber-attacks are made by humans, often exploiting human weaknesses as key building blocks of their attacks. The Cyber Defence industry must recognise this more and build security improvement programs which include humans as the core to the solution.