DESCRIPTION

Industrial automation plants and IT are increasingly exposed to targeted cyber attacks and the threat situation regarding IT/OT security is growing steadily . Furthermore, cyber security has also become the focus of government action - see European Network and Information Security (NIS) Directive , the German IT-Sicherheitsgesetz. These regulations require, among other things, a reporting system for IT security incidents and security monitoring of the implemented security status.
In order to adequately address the above described regulations, companies must be able to monitor the IT/OT security status. Due to the enormous number of components to be monitored, this can only be done in an automated way. In this presentation, a proposal is presented as to how continuous monitoring of the IT/OT security status can be developed. The basis of the proposed monitoring is the configuration parameters or files that define the security status of a component and, in combination with all other involved components, of an entire system. The security status configured in this way should meet the requirements as defined in the company's security rules and regulations. Thus, the task consists of procuring on the one hand the configuration parameters regularly (task 1) and of checking against the valid set of security rules of the enterprise (task 2). First suggestions for the two tasks mentioned are sketched in the lecture:
a) Procurement of the security parameters.
Here, common techniques or protocols such as SNMP, syslog cannot be used. For the procurement of the configuration parameters other solutions must be found, e.g. agents or tools available on the components, in order to be able to access the configuration parameters and the adjusted values. In the lecture a first example for Microsoft Windows components is discussed. Note, that Windows-based components (e.g. Engineering Station, Historian Database etc.) are increasingly used also in OT environments.
b) Checking against a set of security rules
To check compliance with the set of security rules, these rules must first be converted into a form that can be processed by a computer program. Secondly, the security parameters must be transformed in a normalized form to be able to process them also digitally automated. Then, a compliance check of the set of valid security rules can be performed against the procured and normalized security parameters. In the talk, initial approaches using Answer Set Programming will be presented to realize this described compliance check: a declarative approach to programming describing what is counted as a solution.

WHY THE COMMITTEE CHOSE THIS TALK

Often companies do not allow security checks in ICS and OT as they fear operational issues. And to be honest: no one can completely rule that risk out. Thomas proposes to do security checks on a digital twin. An interesting idea and we look forward to his talk detailing his experience.

SPEAKER

Prof. Dr. Thomas Stoertkuhl