Control System Cyber Security - A Different Approach


Published on

This excerpt was developed and presented by Emerson's Bob Huba at 63rd Annual Instrumentation Symposium for the Process Industries in January 2009.

Published in: Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Control System Cyber Security - A Different Approach

  1. 1. Control System Cyber Security A different approach Bob Huba Sr. Product Manager Emerson Process Management
  2. 2. Goals <ul><li>Discuss security in context of people part of the solution </li></ul><ul><li>Beyond the technical solution </li></ul><ul><li>The human side of Security </li></ul><ul><ul><li>Your security culture </li></ul></ul><ul><ul><li>Policies and Procedures </li></ul></ul><ul><li>Help bridge the gap between IT and Operations </li></ul><ul><li>Why – because SCADA security requires people involvement to suceed. </li></ul>
  3. 3. What is SCADA Cyber Security <ul><li>Protection from intentional computer misuse that would cause inability for you to properly control the process </li></ul><ul><li>Protecting your process </li></ul><ul><ul><li>IT security protects information </li></ul></ul><ul><ul><li>SCADA security protects physical assets </li></ul></ul><ul><ul><li>SCADA security protects production </li></ul></ul><ul><li>Protects your control system </li></ul><ul><ul><li>Needed to manage your process </li></ul></ul>
  4. 4. Threats <ul><li>Undirected automatic attacks </li></ul><ul><ul><li>Worms, viruses, malware </li></ul></ul><ul><ul><li>Accidental or deliberate </li></ul></ul><ul><ul><li>Most concern on these types </li></ul></ul><ul><li>Deliberate attack </li></ul><ul><ul><li>Internal </li></ul></ul><ul><ul><li>External </li></ul></ul><ul><ul><li>Undirected attack – disrupt system somehow </li></ul></ul><ul><ul><li>Directed attack – take over and cause problems </li></ul></ul><ul><ul><li>Is becoming a much larger concern for some </li></ul></ul>Impending Government Regulations
  5. 5. Cyber-Security Strategy <ul><li>Implement a layered security strategy </li></ul><ul><li>This solution hardens the boundary between Control system and the plant LAN </li></ul><ul><ul><li>Maintain the “open” connections within control system </li></ul></ul><ul><li>Defense in depth </li></ul><ul><ul><ul><li>Layered security – harden the perimeter(s) </li></ul></ul></ul><ul><ul><ul><li>Internal system security solutions </li></ul></ul></ul><ul><ul><ul><ul><li>Anti-virus scanner </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Security Hardened Workstations and Controllers </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Security Patch management </li></ul></ul></ul></ul>
  6. 6. Develop a Security Policy <ul><li>They “gotta know da rules” </li></ul><ul><li>Leverage off the corporate policy </li></ul><ul><li>Modify where appropriate </li></ul><ul><ul><li>User Access maintenance </li></ul></ul><ul><ul><li>Patch and AV update procedures </li></ul></ul><ul><ul><li>Physical Access to equipment </li></ul></ul><ul><ul><li>Software Installation </li></ul></ul><ul><ul><li>Wireless Access </li></ul></ul><ul><ul><li>Remote Access </li></ul></ul><ul><li>Train users </li></ul><ul><li>Coordinate with IT </li></ul>
  7. 7. Goals for control system security <ul><li>Enable users to implement a secure system by working with site IT </li></ul><ul><ul><li>Our users are the process/operations personnel </li></ul></ul><ul><ul><li>Allow our users to communicate our needs to IT </li></ul></ul><ul><ul><li>Use SCADA recommended practices </li></ul></ul><ul><ul><li>Use layered security solutions </li></ul></ul><ul><li>Provide a framework for security procedures to be implemented </li></ul><ul><ul><li>Tested, documented solutions to wrap procedures around </li></ul></ul><ul><ul><li>Documentation on recommended practices for security deployment for consistent solutions </li></ul></ul>
  8. 8. Use a familiar Model <ul><li>What seems to be lacking is a model for implementing control systems security that we can understand and easily explain to plant personnel </li></ul><ul><li>IT models may not be the best fit- </li></ul><ul><ul><li>Confidentially vs. Availability </li></ul></ul><ul><ul><li>Information assets vs. Operations Physical assets </li></ul></ul><ul><ul><li>Highly technically oriented </li></ul></ul><ul><ul><li>Emphasis on IT protecting the assets </li></ul></ul><ul><ul><li>Managed by IT – without user involvement </li></ul></ul>
  9. 9. Develop a “Culture of Security” <ul><li>A Security program can be modeled after a Plant Safety program </li></ul><ul><li>A plant safety program creates an “culture of safety” within the plant </li></ul><ul><li>Security is a “way of life” </li></ul><ul><li>A way to manage risk around user actions </li></ul><ul><ul><li>Includes all people who come into the plant </li></ul></ul><ul><li>Like a successful safety program a successful security program requires that users develop a culture of security </li></ul>
  10. 10. Why this Model? <ul><li>Easily Understood by Operations </li></ul><ul><li>Implemented at right levels in organization </li></ul><ul><ul><li>People’s behavior promotes security </li></ul></ul><ul><li>Processes and procedures are localized </li></ul><ul><ul><li>Plant site – plant department – process units </li></ul></ul><ul><li>Procedures are control system specific </li></ul><ul><ul><li>Different vendors, different system versions </li></ul></ul>
  11. 11. Model Fits into overall Security Program <ul><li>Provides a foundation to support an overall program </li></ul><ul><li>Elements of the model are required to implement overall program anyway – for example a operations person is required to help with: </li></ul><ul><ul><li>Risk assessment </li></ul></ul><ul><ul><li>Priorities – which assets to protect – in what order </li></ul></ul><ul><ul><li>How much “protection” to implement on each </li></ul></ul><ul><li>Provides a person with the process expertise to make the security program successful </li></ul><ul><ul><li>Process is secure and available </li></ul></ul>
  12. 12. Program Elements <ul><li>Treat “security” like we treat “safety” </li></ul><ul><li>Responsibility </li></ul><ul><ul><li>People (operators, engineers, supervisors) take responsibility for security of their areas </li></ul></ul><ul><ul><li>Security does not just “happen” </li></ul></ul><ul><li>Procedures </li></ul><ul><ul><li>Documented control system security policies </li></ul></ul><ul><li>Training </li></ul><ul><ul><li>People are trained on security </li></ul></ul><ul><ul><li>Understand security processes </li></ul></ul><ul><ul><li>Understand risks </li></ul></ul>
  13. 13. <ul><li>Awareness </li></ul><ul><ul><li>People recognize/prevent insecure behavior </li></ul></ul><ul><ul><li>Report problems </li></ul></ul><ul><li>Measurement </li></ul><ul><ul><li>Report security incidents – insecure actions </li></ul></ul><ul><ul><li>Reporting results </li></ul></ul><ul><li>Audits/Enforcement </li></ul><ul><ul><li>Are procedures being followed </li></ul></ul><ul><ul><li>Actions to correct audit results </li></ul></ul><ul><li>On-Going Effort </li></ul><ul><ul><li>Environment is always changing </li></ul></ul>Program Elements
  14. 14. A MOST IMPORTANT PERSON <ul><li>Operations security champion </li></ul>
  15. 15. Got to have an owner <ul><li>Control System security “champion” </li></ul><ul><ul><li>Site – department – process – unit </li></ul></ul><ul><ul><li>Somebody (in operations) has to be responsible </li></ul></ul><ul><ul><li>Not delegated to IT </li></ul></ul><ul><li>May be more than one person </li></ul><ul><ul><li>Team with different responsibilities </li></ul></ul><ul><li>Their job to “make security happen” </li></ul>
  16. 16. Summary <ul><li>Security Program Model = plant safety program </li></ul><ul><ul><li>Easy for Operations to understand </li></ul></ul><ul><li>Operations people have to be involved </li></ul><ul><ul><li>Success depends on training and awareness </li></ul></ul><ul><li>Have to have a security champion </li></ul><ul><ul><li>Somebody in operations takes responsibility </li></ul></ul><ul><li>Champion provides the “Operations view” on security solutions </li></ul><ul><li>Plant has to have a “culture of security” for the security program to be successful </li></ul>