Chapter 3
SECURE SYSTEMS
Chapter Overview
• Industrial Control Systems
• Mobile Device Security
• System Development
• Incorporating Security into SDLCs
• Case study on information security policies
3.1 Industrial Control Systems
• Industrial control system (ICS) is a collective term used to
describe different types of control systems and associated
instrumentation, which include the devices, systems,
networks, and controls used to operate and/or automate
industrial processes.
• Depending on the industry, each ICS functions differently and
is built to electronically manage tasks efficiently.
• Today the devices and protocols used in an ICS are used in
nearly every industrial sector and critical infrastructure such
as the manufacturing, transportation, energy, and water
treatment industries.
3.1.1 ICS Operation
• PLCs: These are solid-state control systems with programmable memories
where instructions can be stored or executed for achieving specific tasks
including I/O controls, logical operations, three-mode (PID) controls,
communications, arithmetic processing and file/data processing.
• DCS: A distributed control system enables control of many
distributed control systems or processes on an individual basis. Rather than
relying on a single centrally situated control unit, intelligence dispersed
across the regulated process is employed to establish control.
• SCADA: SCADA stands for supervisory control and data acquisition.
It's a catch-all term describing
a computerized system capable of collecting, processing, and
implementing operational controls over great distances.
• RTUs (Remote Terminal Units) – RTUs are microprocessor-based electronic
devices that connect diverse devices to DCS or SCADA in industrial control
systems.
• Industrial Automation and Control Systems (IACS) - IACS systems are made
up of a secure infrastructure for data transfers and communications, as
well as smart data gathering devices.
• Programmable Automation Controllers (PACs) – Any automation controller
with higher-level instructions is referred to as a "programmable
automation controller."
• Intelligent Electronic Devices (IEDs) - A microprocessor-based electronic
component (such as a regulator or circuit control) that can interact
digitally through Fieldbus, real-time Ethernet, or other industrial protocols
is known as an intelligent electronic device (IED).
3.1.2 Network Components
• FBNs (Fieldbus Networks): FBNs are device-to-device
communication systems where sensing devices are connected
to PLCs or other controllers through field bus networks.
• Control Network: The supervisory control level is connected
to lower-level control modules through the control network.
• Communication Router: Routers are devices that connect
networks by sending and receiving messages.
• Firewall: A firewall monitors and regulates communication
packets using specified filtering policies to safeguard devices
on a network.
• Modems are a type of communication device.
3.1.3 Data Acquisition and Supervisory Control
• SCADA systems consist of three main components:
– A central command center consists of all the servers
running SCADA software
– Multiple, remotely located local control systems directly
control and automate process equipment
– Communication systems connect the servers at the central
command center to the remote locations
3.1.4 Distributed Control System
• Distributed Control System (DCS) is a type of process control
system that connects controllers, sensors, operator terminals
and actuators.
• The data acquisition and control functions are performed by
distributed processors situated near the peripheral devices or
instruments from which data is being gathered.
• While DCS and SCADA are functionally very similar, DCS is
generally employed at large, continuous processing facilities.
Operations are almost always controlled onsite rather than
remotely.
What’s the Difference Between OT, ICS, SCADA and DCS?
• Every day, multiple technologies work
in the background to make modern
life possible. Two of the most
important examples include
Information Technology (IT) and
Operational Technology (OT).
• OT can be difficult to understand, but
that’s only because most of us are
unaware of the nomenclature. In
recent times, exciting developments
are bringing about a convergence
between OT and IT that has big
implications for technology and
industry.
3.2 Security for Mobile Devices
• Mobile Device Security refers to the measures
designed to protect sensitive information stored on
and transmitted by laptops, smartphones, tablets,
wearables, and other portable devices.
• At the root of mobile device security is the goal of
keeping unauthorized users from accessing the
enterprise network.
• It is one aspect of a complete enterprise security
plan.
3.2.1 Mobile Security Threats
1. Data Leakage
2. Unsecured Wi-Fi
3. Network Spoofing
4. Phishing Attacks
5. Spyware
6. Broken Cryptography
7. Improper Session Handling
3.2.2 Comparing Mobile Security: iOS vs Android Security vs BlackBerry vs Windows Phone
3.2.3 Steps to secure mobile devices
1. Organizations that provide their employees mobile devices
or allow them to use their own devices for work must first
put in place adequate security procedures.
2. Establish a clear mobile usage policy.
3. Segment data and apps on enterprise devices.
4. Encrypt and minimize visibility into devices that have access
to the company network.
5. Install security software on mobile devices.
6. Monitor user behavior.
7. Build mobile security awareness through training.
3.3 Development of Software Systems
• Secure software is the result of software
development processes that are security conscious
and incorporate security features.
• Security measures may be easily implemented if they
are developed and created using SDLCs, especially in
critical systems or those that handle sensitive data.
3.3.1 Lifecycle of Secure Development (SDLCs)