
CHAPTER 3

SECURE SYSTEMS
Chapter Overview
• Industrial Control Systems
• Mobile Device Security
• System Development
• Incorporating Security into SDLCs
• Case study on information security policies
3.1 Industrial Control Systems
• Industrial control system (ICS) is a collective term used to
describe different types of control systems and associated
instrumentation, which include the devices, systems,
networks, and controls used to operate and/or automate
industrial processes.
• Depending on the industry, each ICS functions differently, but all
are built to manage tasks electronically and efficiently.
• Today the devices and protocols used in an ICS are used in
nearly every industrial sector and critical infrastructure such
as the manufacturing, transportation, energy, and water
treatment industries.
3.1.1 ICS Operation
• PLCs: These are solid-state control systems with programmable memories
in which instructions are stored and executed to perform specific tasks,
including I/O control, logic operations, three-mode (PID) control,
communications, arithmetic and file/data processing.
• DCS: A distributed control system controls many distributed subsystems
or processes on an individual basis. Rather than relying on a single,
centrally located control unit, the control intelligence is dispersed
across the regulated process.
• SCADA: Supervisory control and data acquisition (SCADA) is a catch-all
term for a computerized system that collects and processes data and
applies operational controls over great distances.
• RTUs (Remote Terminal Units) – RTUs are microprocessor based electronic
devices that connect diverse devices to DCS or SCADA in industrial control
systems.
• Industrial Automation and Control Systems (IACS) - IACS systems are made
up of a secure infrastructure for data transfers and communications, as
well as smart data gathering devices.
• Programmable Automation Controllers (PACs) – Any automation controller
with higher-level instructions is referred to as a "programmable
automation controller."
• Intelligent Electronic Devices (IEDs) - A microprocessor-based electronic
component (such as a regulator or circuit control) that can interact
digitally through Fieldbus, real-time Ethernet, or other industrial protocols
is known as an intelligent electronic device (IED).
3.1.2 Network Components
• FBNs (Fieldbus Networks): FBNs are device-to-device
communication systems where sensing devices are connected
to PLCs or other controllers through field bus networks.
• Control Network: The supervisory control level is connected
to lower-level control modules through the control network.
• Communication Router: Routers are devices that connect
networks by sending and receiving messages.
• Firewall: A firewall monitors and regulates communication packets
against a specified filtering policy to safeguard devices on a network.
In an ICS it is typically placed between the supervisory level and the
control network so that only expected traffic reaches the controllers.
• Modems: Communication devices that carry serial or dial-up links,
commonly used to reach remote RTUs and other field sites.
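As an added example (not from the slides), the following Python script models the firewall's filtering policy between the zones named above: a default-deny, first-match rule list that lets only supervisory hosts open connections to controllers. The zone address ranges, the assumption that the controllers speak Modbus/TCP on port 502 and that corporate users reach the supervisory level over HTTPS, and the sample packets are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Zone address ranges: constructed for this example. "supervisory" is the
# SCADA/HMI level, "control" is the control network holding PLCs and RTUs,
# and "corporate" is the business IT network.
ZONES = {
    "supervisory": ipaddress.ip_network("10.10.0.0/24"),
    "control": ipaddress.ip_network("10.20.0.0/24"),
    "corporate": ipaddress.ip_network("10.0.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Filtering policy: first matching rule wins; anything unmatched is denied.
# Assumed for the example: controllers speak Modbus/TCP (port 502) and the
# supervisory level exposes an HTTPS view (port 443) to corporate users.
POLICY: List[Rule] = [
    Rule("supervisory", "control", "tcp", 502, "allow"),
    Rule("corporate", "supervisory", "tcp", 443, "allow"),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an IP address to its zone, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(pkt: Packet, policy: List[Rule] = POLICY) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the matching rule); (\"deny\", None) by default."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    # Traffic from or to an address outside every zone is never allowed.
    if src_zone is None or dst_zone is None:
        return ("deny", None)
    for i, rule in enumerate(policy):
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto == pkt.proto
                and (rule.dport is None or rule.dport == pkt.dport)):
            return (rule.action, i)
    return ("deny", None)


def filter_packets(packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Apply the policy to a list of packets and return each with its decision."""
    return [(p, evaluate(p)[0]) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic: operator to PLC, PLC calling back, corporate
    # user straight to a PLC, SSH to a PLC, and an address from no known zone.
    sample = [
        Packet("10.10.0.5", "10.20.0.7", "tcp", 502),
        Packet("10.20.0.7", "10.10.0.5", "tcp", 502),
        Packet("10.0.3.9", "10.20.0.7", "tcp", 502),
        Packet("10.10.0.5", "10.20.0.7", "tcp", 22),
        Packet("192.168.1.1", "10.20.0.7", "tcp", 502),
    ]
    for pkt, decision in filter_packets(sample):
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {decision}")
```

Only the first packet is allowed. The point of the default-deny direction rule is that field protocols such as Modbus carry no authentication of their own, so the firewall is frequently the only control that distinguishes an operator's write to a PLC from an attacker's; a production filter would additionally be stateful (allowing only replies to supervisory-initiated sessions) and log every denial for the operations team.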
3.1.3 Data Acquisition and Supervisory Control
• SCADA systems consist of three main components:
– A central command center containing the servers that run the
SCADA software
– Multiple, remotely located local control systems that directly
control and automate the process equipment
– Communication systems that connect the servers at the central
command center to the remote locations
3.1.4 Distributed Control System
• Distributed Control System (DCS) is a type of process control
system that connects controllers, sensors, operator terminals
and actuators.
• The data acquisition and control functions are performed by
distributed processors situated near the peripheral devices or
instruments from which data is being gathered.
• While DCS and SCADA are functionally very similar, DCS is
generally employed at large, continuous processing facilities.
Operations are almost always controlled onsite rather than
remotely.
What’s the Difference Between OT, ICS, SCADA and DCS?
• Every day, multiple technologies work
in the background to make modern
life possible. Two of the most
important examples include
Information Technology (IT) and
Operational Technology (OT).
• OT can be difficult to understand, but
that’s only because most of us are
unaware of the nomenclature. In
recent times, exciting developments
are bringing about a convergence
between OT and IT that have big
implications for technology and
industry.
3.2 Security for Mobile Devices
• Mobile Device Security refers to the measures
designed to protect sensitive information stored on
and transmitted by laptops, smartphones, tablets,
wearables, and other portable devices.
• At the root of mobile device security is the goal of
keeping unauthorized users from accessing the
enterprise network.
• It is one aspect of a complete enterprise security
plan.
3.2.1 Mobile Security Threats
1. Data Leakage
2. Unsecured Wi-Fi
3. Network Spoofing
4. Phishing Attacks
5. Spyware
6. Broken Cryptography
7. Improper Session Handling
3.2.2 Comparing Mobile Security: iOS vs Android vs BlackBerry vs Windows Phone
3.2.3 Steps to secure mobile devices
1. Organizations that provide employees with mobile devices, or allow
them to use their own devices for work, must first put adequate
security procedures in place.
2. Establish a clear mobile usage policy.
3. Segment data and apps on enterprise devices.
4. Encrypt data on, and minimize the visibility of, devices that have
access to the company network.
5. Install security software on mobile devices.
6. Monitor user behavior.
7. Build mobile security awareness through training.
3.3 Development of Software Systems
• Secure software is the result of software
development processes that are security conscious
and incorporate security features.
• Security measures are far easier to implement when they are designed
in from the start using a secure SDLC, especially in critical systems
or those that handle sensitive data.
3.3.1 Lifecycle of Secure Development (SDLCs)
• It is a collection of practices for guaranteeing security
and compliance in a consolidated environment.
• The following are the strongest arguments for
adopting SDL practices:
– Improved Security.
– Minimizing Cost.
– Regulatory Compliance.
3.3.2 Challenges in SDL
3.3.3 A Brief History of Software
Development Practices
• The SDLC (Software Development Lifecycle) covers the phases of
application development as follows:
– Obtaining specifications
– Development of new capabilities (writing code to fulfil the
requirements)
– Verification of new capabilities, confirming that they match
the requirements
– Once the release is out the door, maintenance and further
development of these capabilities
3.3.4 SDLCs and Application Security
3.3.5 Secure Software Development Life Cycle
Process
3.3.6 Phases of Secure Software Development Life Cycle
• Phase 1: Requirements
– The requirements phase focuses on the functional
requirements, architectural decisions, data storage,
transmission methodologies and interactions.
– The criticality of the application: how it behaves under various
circumstances, some of which may expose vulnerabilities that
cyber criminals could exploit.
– The regulatory compliance requirements in place, which oblige
businesses to demonstrate due diligence in protecting user data
and ensuring complete data security.
• Phase 2: Planning and Design
• Security planning encompasses many tasks, including documenting the
known security flaws and protections of the platforms and frameworks in
use, and identifying the security algorithms, libraries and other
modules to be used.
• According to OWASP, once the functional design is identified, the
matching security concern is recorded alongside it:
– Functional design: The page should retrieve the user’s name, email, phone
and address from the CUSTOMER INFO table in the database and show them
on screen.
– Security concern: The page must verify that the user has a valid session
token before retrieving information from the database. If it is absent,
the user should be redirected to the login page.
• Phase 3: Development
– Validating user inputs before processing the information
they contain
– Checking open source libraries for vulnerabilities before
using them
– Sanitizing any data that is returned to the user from the
database
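As an added example (neither OWASP’s code nor the slides’), the following Python code implements the customer-information page from Phase 2 together with the Phase 3 practices: the session token is checked before the database is touched, the phone-number input is validated before it is processed, the query is parameterised, and every value returned from the database is HTML-escaped before it is shown. The in-memory SQLite table, the session store, the phone-number pattern and the sample rows are constructed for the example.

```python
import html
import re
import secrets
import sqlite3
from typing import Optional, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the CUSTOMER INFO table on the slide.

    The second row carries a script tag so the output-escaping step is visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CUSTOMER_INFO (id INTEGER PRIMARY KEY, name TEXT, "
        "email TEXT, phone TEXT, address TEXT)"
    )
    conn.executemany(
        "INSERT INTO CUSTOMER_INFO VALUES (?, ?, ?, ?, ?)",
        [
            (1, "Ada Lovelace", "ada@example.com", "+1-555-0100", "1 Analytical Way"),
            (2, "<script>alert(1)</script>", "mallory@example.com", "+1-555-0199", "2 Evil St"),
        ],
    )
    conn.commit()
    return conn


# Server-side session store: token -> customer id. Tokens are random and are
# compared in constant time; a missing or unknown token yields no customer.
SESSIONS = {}


def create_session(customer_id: int) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def lookup_session(token: Optional[str]) -> Optional[int]:
    if not isinstance(token, str) or not token:
        return None
    presented = token.encode("utf-8")
    for stored, customer_id in SESSIONS.items():
        if secrets.compare_digest(stored.encode("utf-8"), presented):
            return customer_id
    return None


def customer_page(conn: sqlite3.Connection, session_token: Optional[str]) -> Tuple[str, str]:
    """Return ("redirect", "/login") without a valid session, else ("ok", html)."""
    customer_id = lookup_session(session_token)
    if customer_id is None:
        return ("redirect", "/login")
    # Parameterised query; the id comes from the session, never from the request,
    # so a user can only ever see their own record.
    row = conn.execute(
        "SELECT name, email, phone, address FROM CUSTOMER_INFO WHERE id = ?",
        (customer_id,),
    ).fetchone()
    if row is None:
        return ("redirect", "/login")
    # Sanitise everything returned from the database before it reaches the browser.
    name, email, phone, address = (html.escape(str(v)) for v in row)
    page = (
        f"<dl><dt>Name</dt><dd>{name}</dd>"
        f"<dt>Email</dt><dd>{email}</dd>"
        f"<dt>Phone</dt><dd>{phone}</dd>"
        f"<dt>Address</dt><dd>{address}</dd></dl>"
    )
    return ("ok", page)


# Allow-list pattern for the one user-supplied field (assumed format for the example).
PHONE_RE = re.compile(r"^\+?[0-9][0-9\- ]{6,19}$")


def update_phone(conn: sqlite3.Connection, session_token: Optional[str], phone) -> Tuple[str, str]:
    """Validate the input before processing it; reject anything outside the allow-list."""
    customer_id = lookup_session(session_token)
    if customer_id is None:
        return ("redirect", "/login")
    if not isinstance(phone, str) or not PHONE_RE.fullmatch(phone):
        return ("error", "invalid phone number")
    conn.execute("UPDATE CUSTOMER_INFO SET phone = ? WHERE id = ?", (phone, customer_id))
    conn.commit()
    return ("ok", phone)


if __name__ == "__main__":
    db = build_db()
    print(customer_page(db, None))                 # no session: redirect to /login
    token = create_session(2)
    print(customer_page(db, token))                # script tag arrives escaped
    print(update_phone(db, token, "1'; DROP TABLE CUSTOMER_INFO; --"))  # rejected
```

The second row shows why output sanitisation is a separate step from input validation: the hostile value was already in the table, so escaping on the way out is the only thing that stops it executing in the browser, while the allow-list on `update_phone` stops new hostile values getting in, and the parameterised statements mean that even a value that slips past validation is treated as data, not SQL.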
• Phase 4: Verification
– Automated tests that exercise your application's most important
paths
– Automated execution of the application's unit tests to ensure that
the underlying application is correct
– Production-ready deployment tools that dynamically swap in
application secrets, so that secrets are never hard-coded in source
• Phase 5: Maintenance and Evolution
• Phase 6: End of life
– Data Retention
– Data disposal
3.4 Incorporating Security into SDLCs
3.5 Microsoft Security Development Lifecycle (SDL)
3.6 OWASP Software Assurance Maturity Model (SAMM)
3.7 Building Security In Maturity Model (BSIMM)
3.8 Benefits of SSDLC
• Makes security a continuous concern—including all
stakeholders in the security considerations
• Helps detect flaws early in the development process
—reducing business risks for the organization
• Reduces costs—by detecting and resolving issues
early in the lifecycle.