Control System Cyber Security - A Different Approach

Control System Cyber Security A different approach Bob Huba Sr. Product Manager Emerson Process Management

Goals
Discuss security in context of people part of the solution
Beyond the technical solution
The human side of Security
Your security culture
Policies and Procedures
Help bridge the gap between IT and Operations
Why – because SCADA security requires people involvement to suceed.

What is SCADA Cyber Security
Protection from intentional computer misuse that would cause inability for you to properly control the process
Protecting your process
IT security protects information
SCADA security protects physical assets
SCADA security protects production
Protects your control system
Needed to manage your process

Threats
Undirected automatic attacks
Worms, viruses, malware
Accidental or deliberate
Most concern on these types
Deliberate attack
Internal
External
Undirected attack – disrupt system somehow
Directed attack – take over and cause problems
Is becoming a much larger concern for some
Impending Government Regulations

Cyber-Security Strategy
Implement a layered security strategy
This solution hardens the boundary between Control system and the plant LAN
Maintain the “open” connections within control system
Defense in depth
Layered security – harden the perimeter(s)
Internal system security solutions
Anti-virus scanner
Security Hardened Workstations and Controllers
Security Patch management

Develop a Security Policy
They “gotta know da rules”
Leverage off the corporate policy
Modify where appropriate
User Access maintenance
Patch and AV update procedures
Physical Access to equipment
Software Installation
Wireless Access
Remote Access
Train users
Coordinate with IT

Goals for control system security
Enable users to implement a secure system by working with site IT
Our users are the process/operations personnel
Allow our users to communicate our needs to IT
Use SCADA recommended practices
Use layered security solutions
Provide a framework for security procedures to be implemented
Tested, documented solutions to wrap procedures around
Documentation on recommended practices for security deployment for consistent solutions

Use a familiar Model
What seems to be lacking is a model for implementing control systems security that we can understand and easily explain to plant personnel
IT models may not be the best fit-
Confidentially vs. Availability
Information assets vs. Operations Physical assets
Highly technically oriented
Emphasis on IT protecting the assets
Managed by IT – without user involvement

Develop a “Culture of Security”
A Security program can be modeled after a Plant Safety program
A plant safety program creates an “culture of safety” within the plant
Security is a “way of life”
A way to manage risk around user actions
Includes all people who come into the plant
Like a successful safety program a successful security program requires that users develop a culture of security

Why this Model?
Easily Understood by Operations
Implemented at right levels in organization
People’s behavior promotes security
Processes and procedures are localized
Plant site – plant department – process units
Procedures are control system specific
Different vendors, different system versions

Model Fits into overall Security Program
Provides a foundation to support an overall program
Elements of the model are required to implement overall program anyway – for example a operations person is required to help with:
Risk assessment
Priorities – which assets to protect – in what order
How much “protection” to implement on each
Provides a person with the process expertise to make the security program successful
Process is secure and available

Program Elements
Treat “security” like we treat “safety”
Responsibility
People (operators, engineers, supervisors) take responsibility for security of their areas
Security does not just “happen”
Procedures
Documented control system security policies
Training
People are trained on security
Understand security processes
Understand risks

Awareness
People recognize/prevent insecure behavior
Report problems
Measurement
Report security incidents – insecure actions
Reporting results
Audits/Enforcement
Are procedures being followed
Actions to correct audit results
On-Going Effort
Environment is always changing
Program Elements

A MOST IMPORTANT PERSON
Operations security champion

Got to have an owner
Control System security “champion”
Site – department – process – unit
Somebody (in operations) has to be responsible
Not delegated to IT
May be more than one person
Team with different responsibilities
Their job to “make security happen”

Summary
Security Program Model = plant safety program
Easy for Operations to understand
Operations people have to be involved
Success depends on training and awareness
Have to have a security champion
Somebody in operations takes responsibility
Champion provides the “Operations view” on security solutions
Plant has to have a “culture of security” for the security program to be successful

http://www.emersonprocessxperts.com	116
http://www.slideshare.net	2
http://translate.googleusercontent.com	1
http://webcache.googleusercontent.com	1
http://prsync.com	1

Control System Cyber Security - A Different Approach

by Jim Cahill on Feb 06, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

5 Embeds 121

Statistics

Control System Cyber Security - A Different Approach — Presentation Transcript