Industrial Control System Cybersecurity Lifecycle for New and Existing Facilities
Presented by John Cusimano and Gene Cammack of exida consulting at the 68th Annual Instrumentation Symposium for the Process Industries.

  • Luigi Auriemma Ruben Santamarta Dillon Berresford
  • Even on projects, the functions associated with the Security Life Cycle must be implemented. In particular, the Assess and Implement phases and the turnover to Operations for the Maintain phase must be completed. The critical factor is how to weave those functions into the project schedule and tasks.
  • The beginning is the development of a project-specific philosophy. Even though corporate security plans may be in place, the specific requirements of the project must be considered. The philosophy must define the key drivers and key threats, just as we covered in the General Guidelines.
  • Can I log in without credentials? Can I elevate my privileges (e.g. can an operator change OS settings, exit the HMI, install software, etc.)? Is the firewall properly blocking?

Presentation Transcript

  • Industrial Control Systems Cybersecurity Workshop: Approaches to the Cybersecurity Lifecycle for Existing and for New Facilities. Presenters: John Cusimano, CFSE, CISSP, exida Consulting; Gene Cammack, PE, CFSE, exida Consulting. 68th Annual Instrumentation Symposium for the Process Industry
  • Presenters
    • John Cusimano, CFSE, CISSP. John Cusimano is director of exida’s security services division and an ICS Security Subject Matter Expert. A process automation safety, security and reliability expert with more than twenty years of experience, John leads a team devoted to improving the security of control systems for companies worldwide. John is Chairman of the ISA 99 WG4 TG2 Zones & Conduits committee and co-chair of the ISA 99 WG4 TG6 Product Development committee. He represents exida as a voting member on the ISA-99 standards committee on control system security and the ISA Security Compliance Institute’s Technical Steering Committee. John is also active in a variety of other ISA S99, ISA S84, and ICSJWG working groups, and is a qualified communication robustness test engineer. Prior to joining exida, John led market development for Siemens’ process automation and safety products and held various product management positions at Moore Products Co. John started his career at Eastman Kodak Company, where he implemented and managed automation projects. John has a B.S. degree in Electrical & Computer Engineering from Clarkson University and holds CFSE and CISSP certifications.
    • Gene Cammack, PE, CFSE. Gene Cammack is the Director – Gulf Coast Region for exida consulting. He has 30+ years of experience in safety, automation and control systems in the process industries. Before joining exida, he worked for end users, engineering companies and manufacturers in roles ranging from system design and solution development to sales and marketing. He is a member of the Advisory Committee for the Texas A&M Instrumentation Symposium for the Process Industries.
  • Outline
    • Cybersecurity Introduction
    • Regulations, Standards and Best Practices
    • The Cybersecurity Lifecycle
    • Brownfield Project Considerations
    • Greenfield Project Considerations
  • Industrial Control Systems Cybersecurity: CYBERSECURITY INTRODUCTION
  • Current Events
    • Shamoon virus takes out 30,000 computers at Saudi Aramco
    • US Defense Secretary issues strong warning of cyber attacks on US critical infrastructure
    • DHS issues alerts about coordinated attacks on gas pipeline operators
  • Control System Cyber Security
    • Control systems operate industrial plant equipment and critical processes
    • Tampering with these systems can lead to:
      – Death, injury, sickness
      – Environmental releases
      – Equipment damage
      – Production loss / service interruption
      – Off-spec / dangerous product
      – Loss of trade secrets
    • Control system security is about preventing intentional or unintentional interference with the proper operation of the plant
  • Control Systems are more vulnerable today than ever before
    • Now use commercial technology
    • Highly connected
    • Offer remote access
    • Technical information is publicly available
    • Hackers are now targeting control systems
  • Control System Vulnerabilities Reported 2001 - 2011 (chart: number of vulnerabilities discovered each year). Source: SCADA Safety in Numbers, 2012, Positive Technologies
  • Threats
    • Software bugs
    • Malicious software
    • Unauthorized physical access
    • Unauthorized network access
    • Abuse (e.g. disgruntled employee)
    • Misuse (i.e. human error)
  • General Incident Type, Actual Incident Data (chart; © 2011 Security Incidents Organization)
    • Intentional 20%: Outsider 47%, Insider 53%, N/A 0% (hacker, disgruntled employee)
    • Unintentional 80%: Insider 14%, Outsider 38%, N/A 48% (network device or software, IT dept. or technician, malware such as virus, worm, trojan)
  • The Repository of Industrial Security Incidents (www.securityincidents.org): PLCs Crashed by IT Security Audit
    • Date: 1995
    • Company: Undisclosed
    • Location: USA
    • Industry: Food & Bev
    • Incident type: Unintentional - Insider
    • Impact: Loss of Production >$1M
    • Description: A security consultant was scanning the food company's business and process networks for vulnerabilities. Deliberately malformed probe packets entered the Ethernet-based process control network and caused all PLCs to hard fault. The packets contained malformed ICMP Redirect messages with a subcode of 4 or greater.
    • Source: The Repository of Industrial Security Incidents (www.securityincidents.org)
  • The Repository of Industrial Security Incidents (www.securityincidents.org): Browns Ferry Nuclear Plant Scrammed
    • Date: Aug. 2006
    • Company: Browns Ferry Nuclear
    • Location: Athens, AL, USA
    • Industry: Nuclear Power
    • Incident type: Accidental Equipment Failure
    • Impact: Unit #3 shutdown
    • Description: Operators manually scrammed Browns Ferry Unit 3 following a loss of both the 3A and 3B reactor recirculation pumps. The root cause was the malfunction of the VFD controller due to excessive traffic on the plant's Ethernet-based integrated computer system (ICS) network.
    • Source: The Repository of Industrial Security Incidents (www.securityincidents.org)
  • The Repository of Industrial Security Incidents (www.securityincidents.org): Virus Infection Halts DCS OPC Servers
    • Date: Dec 2009
    • Company: Undisclosed
    • Location: South Africa
    • Industry: Petro-Chemical
    • Incident type: Malware
    • Impact: Loss of View
    • Description: OPC services stopped running on two OPC servers following a hardware and application software upgrade of 4 OPC client machines that were connected to the servers. The client upgrades were aborted and the old machines were reinstalled. The OPC servers could not be rebooted. Upon investigation the PE_SALITY virus was found on both of the OPC servers.
    • Source: The Repository of Industrial Security Incidents (www.securityincidents.org)
  • The Repository of Industrial Security Incidents (www.securityincidents.org): Steel plant infected with Conficker
    • Incident ID: 216
    • Date: Feb. 6, 2011
    • Company: Confidential
    • Location: Rio de Janeiro
    • Industry: Metal Manufacturing
    • Incident type: Malware
    • Impact: Loss of Production/Operation
    • Description: The Alstom ALSPA control system suddenly stopped. An investigation revealed a Conficker virus infection in all machines in the system. The worm spread throughout the power plant automation network. The virus flooded the network with unwanted packets, caused instability in the communications between PLCs and supervisory stations, and froze most of the supervisory systems. The automation team cleaned the infected machines, but the virus returned. After cleaning, the system recovered but was disconnected from the PI Historian. The worm infected the PI machine and the "SGE" network, but was removed without problems. All systems were restored while the external networks were disconnected; when these networks were reconnected, the malware returned. Because of this, the automation team decided to keep the external networks disconnected. Since the infection began, the company has been paying monthly fines to government agencies because critical reports (such as environmental control reports) were not being sent.
    • Source: © 2011 Security Incidents Organization
  • Summary of Cyber Threat Situation
    • Today’s control systems are highly vulnerable
    • Suppliers are just beginning to learn how to secure their products/systems
    • Threats are realistic, sophisticated and readily available
    • Most systems are designed and installed with insufficient security controls (e.g. layers of protection)
    • Working with their suppliers, industrial facilities must focus on securing their control systems
  • Industrial Control Systems Cybersecurity: REGULATIONS, STANDARDS AND BEST PRACTICES
  • Regulations
    • Department of Homeland Security
      – 6 CFR part 27: Chemical Facility Anti-Terrorism Standards (CFATS)
      – National Cyber Security Division: Control Systems Security Program (CSSP)
    • Department of Energy
      – Federal Energy Regulatory Commission (FERC): 18 CFR Part 40, Order 706 (mandates NERC CIP 002-009)
    • Nuclear Regulatory Commission
      – 10 CFR 73.54 Cyber Security Rule (2009)
      – RG 5.71
  • Standards
    • International Society of Automation (ISA): ISA 62443 Industrial Automation and Control System (IACS) Security
    • International Electrotechnical Commission (IEC): IEC 62443 series of standards (equivalent to ISA 99)
    • National Institute of Standards and Technology (NIST): SP800-82 Guide to Industrial Control Systems (ICS) Security
  • ISA / IEC 62443 Structure (diagram)
  • Key Principles for Securing ICS
    • Step 1 – Assess Existing Systems
    • Step 2 – Document Policies & Procedures
    • Step 3 – Train Personnel & Contractors
    • Step 4 – Segment the Control System Network
    • Step 5 – Control Access to the System
    • Step 6 – Harden the Components of the System
    • Step 7 – Monitor & Maintain System Security
  • Security Life Cycle (IEC 62443/ISA 99) (diagram)
  • Industrial Control System Cyber Security: BROWNFIELD VERSUS GREENFIELD INSTALLATIONS
  • Key Constraints - Brownfield
    • Policies
    • Budgets
    • Resources
    • Legacy Equipment
  • Key Constraints - Greenfield
    • Project Structure
    • Project Deadlines
    • Compliance through multiple project layers
    • Good news: have a budget; fewer legacy issues; new equipment
  • Industrial Control Systems Cybersecurity: THE ICS CYBERSECURITY LIFECYCLE
  • The ICS Cybersecurity Lifecycle (diagram)
  • Industrial Control System Security - Project Gates: FEED, Design Engineering, Detailed Engineering, Commissioning and Startup (diagram)
  • Assess Phase (diagram)
  • Scope Definition and Project Setup
    • Goals:
      – Bound the scope of the project
      – Identify project constraints
      – Gather and organize information
      – Define roles and responsibilities
      – Establish training requirements
  • Project Cybersecurity Management Plan
    • Even though corporate security plans may be in place, a large project requires a look at project-specific issues, including:
      – Corporate Security Plans
      – Project Specific Requirements
      – JV Partner Issues
      – Local Regulations
      – Processes
      – Roles and Responsibilities
  • Assess Phase (diagram)
  • Vulnerability and Risk Assessment
    • Goals: identify high risk areas and prioritize resources
      – Identify and classify key cyber assets
      – Identify and “quantify” vulnerabilities
      – Identify and “quantify” threats
      – Identify and “quantify” consequences
      – Determine risk
      – Establish risk reduction targets
  • Identification of Key Cyber Assets and Areas
    • Critical Systems
    • Data Repositories
    • Existing Measures
    • Examples: Control Systems, Safety Systems, Monitoring and Data Collection Systems, Remote Access, Connections to Internet, Connections to Business Systems
  • Cybersecurity Vulnerability Assessment
    • Expert analysis of the control system to identify actual and potential security vulnerabilities
      – Network architecture diagrams
      – Network component configurations (e.g. switches, routers, firewalls)
      – Host device configurations
      – Access control strategies
      – Software and firmware versions
  • Threat Characterization
    • Threat Agents
      – Authorized worker (non-malicious)
      – Unauthorized worker (mischievous)
      – Outsider (malicious)
      – Malware (virus, worm, trojan horse)
    • Entry points
      – Via conduit
      – Computer keyboard
      – Portable media
  • Qualitative Risk Assessment Example (table; columns: Ref | Entry Point | Threat: what could happen? | Vulnerability: is it possible? how? | Consequence: what is the worst thing that could happen? | Deliberate Sev./Pot./Risk | Accidental Sev./Pot./Risk | Potential Mitigations | Comments; the Threat Agent column is not legible in the transcript)
    A | B-LAN to the C-LAN | Introduce malware | Yes; virus in CC | Economic loss due to: shutdown; dispatch personnel to determine problem; lose data about product | High/High/High | High/Med/High | 1.) Anti-virus on all Win SCADA boxes 2.) Whitelisting on Win SCADA boxes 3.) USB policy / protection | Most likely source would be infection at CC
    A | B-LAN to the C-LAN | Tamper (modify/delete data) | Yes; hack into CC or private comms cloud | (as above) | High/Med/Med | High/Low/Med | 1.) Intrusion detection | Communications traffic is not encrypted
    A | B-LAN to the C-LAN | Information disclosure ("sniffing") | Yes; hack into CC or private comms cloud | (as above) | Med/Med/Med | Med/Low/Med | 1.) Intrusion detection |
    A | B-LAN to the C-LAN | Denial-of-service | Yes; hack into CC or private comms cloud | (as above) | Med/High/High | Med/Med/Med | 1.) Intrusion detection |
    A | B-LAN to the C-LAN | Gains unauthorized access (e.g., pretends to be someone else) | Yes; stolen credentials, hacked credentials | (as above) | Low/Med/Low | Low/High/Low | 1.) Intrusion detection |
    B | C-LAN to the B-LAN | Introduce malware | Yes; USB into SCADA HMI to B-LAN computer(s) | Economic loss due to: web-site crashing; improper reporting to a regulator | High/Med/High | High/Med/High | |
    B | C-LAN to the B-LAN | Tamper (modify/delete data) | Yes; access to B-LAN SQL DB | (as above) | High/High/High | High/Med/Med | |
    B | C-LAN to the B-LAN | Information disclosure ("sniffing") | Yes; sends PLC data to web-site | (as above) | High/Med/High | High/Low/Low | |
    B | C-LAN to the B-LAN | Denial-of-service | Yes; C-LAN sends a storm of requests to B-LAN | (as above) | High/High/High | High/Med/Med | |
    B | C-LAN to the B-LAN | Gains unauthorized access (e.g., pretends to be someone else) | Yes; stolen credentials, hacked credentials | (as above) | Med/Med/Med | Med/High/Low | |
  • Assess Phase (diagram)
  • Example (network architecture diagram)
  • Example With Zones (diagram)
  • Zone and Conduit Characteristics
    • Per ISA 62443-3-2 the following items should be documented for each defined zone and conduit:
      – Name and/or unique identifier
      – Logical boundary
      – Physical boundary, if applicable
      – List of all access points and associated boundary devices
      – List of data flows associated with each access point
      – Connected zones or conduits
      – List of assets and associated consequences
      – Security Level Target
      – Applicable security policies
      – Assumptions and external dependencies
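Once the items above are written down per zone and conduit, the record can be checked for internal consistency before the Implement phase starts. The following is an added example, not exida's or ISA's code: the three zones, their Security Level Targets, access points, and the boundary-device rule are constructed assumptions for illustration.

```python
"""Consistency checks over a zone-and-conduit model documented with the
items listed on the slide (ISA/IEC 62443-3-2). Added example, not exida's
or ISA's code: the zone names, Security Level Targets, access points and
the checks themselves are constructed assumptions for illustration."""
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    sl_target: int                 # Security Level Target (SL-T), 0..4
    assets: list                   # assets and associated consequences
    access_points: list            # names of the zone's boundary access points
    boundary_devices: dict = field(default_factory=dict)   # access point -> device


@dataclass
class Conduit:
    name: str
    zones: tuple                   # (zone_a, zone_b) it connects
    access_points: tuple           # (access point in zone_a, access point in zone_b)
    data_flows: list               # (protocol, src_zone, dst_zone) per documented flow


def check_model(zones, conduits):
    """Return a list of findings (strings); an empty list means the model is consistent."""
    findings = []
    by_name = {z.name: z for z in zones}
    used = set()                   # (zone, access point) pairs that some conduit documents
    for c in conduits:
        za, zb = c.zones
        missing = [z for z in c.zones if z not in by_name]
        if missing:
            findings.append(f"{c.name}: connects undefined zone(s) {missing}")
            continue
        for z, ap in zip(c.zones, c.access_points):
            if ap not in by_name[z].access_points:
                findings.append(f"{c.name}: {ap} is not a documented access point of {z}")
            used.add((z, ap))
        # Assumed rule: where SL-T differs across the conduit, the higher-SL-T zone
        # must document a boundary device at its end of the conduit.
        if by_name[za].sl_target != by_name[zb].sl_target:
            hi = max(c.zones, key=lambda z: by_name[z].sl_target)
            ap_hi = c.access_points[c.zones.index(hi)]
            if ap_hi not in by_name[hi].boundary_devices:
                findings.append(f"{c.name}: no boundary device at {hi}/{ap_hi} (SL-T differs)")
        for proto, src, dst in c.data_flows:
            if {src, dst} != {za, zb}:
                findings.append(f"{c.name}: flow {proto} {src}->{dst} does not match its zones")
    for z in zones:
        for ap in z.access_points:
            if (z.name, ap) not in used:
                findings.append(f"{z.name}: access point {ap} has no conduit documented")
    return findings


def example_model():
    """Constructed three-zone model: business LAN, process control network, safety system."""
    zones = [
        Zone("business", 1, ["ERP server", "historian client"],
             ["biz-pcn-link", "vpn-remote"], {"biz-pcn-link": "fw-1"}),
        Zone("control", 2, ["DCS servers", "HMIs", "PLCs"],
             ["pcn-biz-link", "pcn-sis-link"], {"pcn-biz-link": "fw-1"}),
        Zone("safety", 3, ["SIS logic solver"], ["sis-pcn-link"]),
    ]
    conduits = [
        Conduit("biz-pcn", ("business", "control"), ("biz-pcn-link", "pcn-biz-link"),
                [("OPC", "control", "business"), ("HTTPS", "business", "control")]),
        Conduit("pcn-sis", ("control", "safety"), ("pcn-sis-link", "sis-pcn-link"),
                [("Modbus/TCP", "control", "safety")]),
    ]
    return zones, conduits


if __name__ == "__main__":
    for finding in check_model(*example_model()):
        print(finding)
```

On the constructed model the checker reports the undocumented boundary device on the safety-system side of the control-to-safety conduit and the remote access point that has no conduit documented at all.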
  • Cybersecurity Requirements Specification
    • The final task in the assessment or FEED phase is to document the system-level cybersecurity requirements
    • Groupings of requirements:
      – Scope and purpose of the system
      – Physical and environmental security requirements
      – General cybersecurity requirements
      – Access control requirements: identification and authentication of users; user roles and privileges; user administration requirements
      – Zone and conduit specific requirements
      – Confidentiality, integrity and availability requirements
      – Monitoring and reporting requirements
    • ISA 62443-3-3 is an excellent source of ICS cybersecurity requirements
  • Implement Phase: Design Engineering, Detailed Engineering, Commissioning and Startup (diagram)
  • Implement Phase (diagram)
  • Implementation
    • Conceptual Design
      – Defense-in-depth strategies
      – Selection of cybersecurity countermeasures
    • Design Spec
      – Revised zone and conduit model
      – Updated architecture diagrams
      – Access control strategies
  • Countermeasure Examples
    • Physical access control
    • Logical access control
    • Portable media management
    • Malicious code protection
    • Organizational and operational controls
    • Communications filtering
  • Design Validation
    • Verify the conceptual design satisfies the cybersecurity requirements
    • Verify the selected countermeasures achieve sufficient risk reduction
  • Risk Assessment with Mitigations (table; columns: Ref | Entry Point | Threat: what could happen? | Vulnerability: is it possible? how? | Consequence: what is the worst thing that could happen? | Sev. | Deliberate Likelihood/Risk | Accidental Likelihood/Risk | Mitigations | Deliberate Likelihood/Risk with mitigations | Accidental Likelihood/Risk with mitigations)
    A | Business to PCN firewall | Introduce malware | Yes; virus on business network | Virus modifies or shuts down the process | High | Med/Med | High/High | 1.) Anti-virus on all Win SCADA boxes | Low/Med | Low/Med
    A | Business to PCN firewall | Introduce malware | Yes; virus on business network | Virus modifies or shuts down the process | High | Med/Med | High/High | 1.) Anti-virus on all Win SCADA boxes 2.) Whitelisting on Win SCADA boxes | Neg./Low | Neg./Low
    A | Business to PCN firewall | Tamper (modify/delete data) | Yes; gain access through firewall | Attacker modifies or shuts down the process | High | Med/Med | Neg./Low | 1.) Strengthen firewall rules | Low/Med | Neg./Low
    A | Business to PCN firewall | Tamper (modify/delete data) | Yes; gain access through firewall | Attacker modifies or shuts down the process | High | Med/Med | Neg./Low | 1.) Strengthen firewall rules 2.) Encrypt traffic | Neg./Low | Neg./Low
    A | Business to PCN firewall | Denial-of-service | Yes; storm the firewall | No communications between Business and PCN | Med | Med/Med | Med/Med | 1.) Intrusion detection 2.) Rate limiting | Low/Low | Low/Low
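The qualitative tables above (the Assess-phase example and the mitigated version here) can be scored mechanically so that design validation becomes a check against the risk reduction target set in the Assess phase. The following is an added example, not the presenters' own tool: the severity-by-likelihood matrix and the number of scale steps each mitigation lowers a likelihood are constructed assumptions chosen to reproduce the rows of the slide above.

```python
"""Qualitative risk scoring in the style of the slides' risk assessment tables.

Added example, not exida's tool. The severity x likelihood matrix and the
effect of each mitigation are constructed assumptions chosen to reproduce the
rows of the 'Risk Assessment with Mitigations' slide; replace them with the
matrix your own assessment methodology defines."""
from dataclasses import dataclass, field

LEVELS = ["Neg", "Low", "Med", "High"]      # ordered likelihood/risk scale used on the slides

# Constructed matrix: RISK[severity][likelihood] -> risk level.
RISK = {
    "High": {"Neg": "Low", "Low": "Med", "Med": "Med", "High": "High"},
    "Med":  {"Neg": "Low", "Low": "Low", "Med": "Med", "High": "High"},
    "Low":  {"Neg": "Neg", "Low": "Low", "Med": "Low", "High": "Med"},
}


def lower(level, steps):
    """Move a likelihood down the scale by `steps`, never below 'Neg'."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


@dataclass
class ThreatRow:
    ref: str
    entry_point: str
    threat: str
    severity: str
    deliberate: str          # likelihood of a deliberate attempt, before mitigations
    accidental: str          # likelihood of an accidental occurrence, before mitigations
    # mitigation name -> (steps it lowers deliberate likelihood, steps for accidental);
    # constructed values, not a published scale
    mitigations: dict = field(default_factory=dict)

    def likelihoods(self, selected):
        """Likelihoods after applying the named mitigations cumulatively."""
        d, a = self.deliberate, self.accidental
        for name in selected:
            sd, sa = self.mitigations[name]
            d, a = lower(d, sd), lower(a, sa)
        return d, a


def assess(row, selected, target):
    """Return (deliberate risk, accidental risk, meets risk reduction target)."""
    d, a = row.likelihoods(selected)
    rd, ra = RISK[row.severity][d], RISK[row.severity][a]
    meets = max(LEVELS.index(rd), LEVELS.index(ra)) <= LEVELS.index(target)
    return rd, ra, meets


# Rows of the slide's 'Business to PCN firewall' entry point (Ref A).
MALWARE = ThreatRow("A", "Business to PCN firewall", "Introduce malware", "High", "Med", "High",
                    {"Anti-virus on all Win SCADA boxes": (1, 2),
                     "Whitelisting on Win SCADA boxes": (1, 1)})
TAMPER = ThreatRow("A", "Business to PCN firewall", "Tamper (modify/delete data)", "High", "Med", "Neg",
                   {"Strengthen firewall rules": (1, 0), "Encrypt traffic": (1, 0)})
DOS = ThreatRow("A", "Business to PCN firewall", "Denial-of-service", "Med", "Med", "Med",
                {"Intrusion detection + rate limiting": (1, 1)})


def residual_gaps(rows, selected_by_threat, target):
    """Design validation: list the threats whose residual risk still exceeds `target`."""
    gaps = []
    for row in rows:
        rd, ra, meets = assess(row, selected_by_threat.get(row.threat, []), target)
        if not meets:
            gaps.append((row.threat, rd, ra))
    return gaps


if __name__ == "__main__":
    plan = {"Introduce malware": ["Anti-virus on all Win SCADA boxes"],
            "Tamper (modify/delete data)": ["Strengthen firewall rules"]}
    print(residual_gaps([MALWARE, TAMPER, DOS], plan, "Low"))
```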
  • Implement Phase (diagram)
  • Develop Test Plans
    • Create test objectives and test plans based on cybersecurity requirements and design specs
    • Create checklists to audit security settings
    • Develop abuse cases for each entry point
    • Develop test procedures
  • Implement Phase (diagram)
  • Cybersecurity Factory and Site Acceptance Testing
    • Functional Security Verification
      – Independent assessment of the configured system to verify that the required security functionality was properly implemented
    • Security Robustness Testing
      – Asset discovery
      – Known vulnerability scanning
      – Communication robustness testing
    • Security Integration Practices audit
      – Audit of the system integrator’s security practices
  • Maintain Phase (diagram)
  • Maintenance and Monitoring
    • Security countermeasures must be monitored and maintained
      – Evaluate, test and deploy security patches prudently
      – Test and deploy anti-virus updates
      – Monitor system logs: firewall logs, remote access logs
    • Plan and prepare for how to respond to security incidents
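Monitoring the firewall and remote access logs the slide names is only useful with concrete rules behind it. The following is an added example, not exida's tooling: the syslog-style line format, addresses, account names, maintenance window and scan threshold are all constructed assumptions, and the scan rule is motivated by the RISI incident earlier in the deck in which probe traffic reaching PLCs caused a hard fault.

```python
"""Detection over firewall and remote-access logs, as the Maintain phase calls for.

Added example, not exida's tooling. The log format, addresses, user names and
thresholds below are constructed for illustration; map the regexes to your
own firewall / VPN gateway syslog format."""
import re
from collections import defaultdict
from datetime import datetime

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)$")
VPN_RE = re.compile(r"^(\S+) (\S+) LOGIN user=(\S+) src=(\S+) result=(\S+)$")

# Constructed sample lines: a business-network host probing three PCN addresses on
# Modbus/TCP, an approved engineer logging in at night, and an unknown account by day.
SAMPLE_LOG = """\
2012-01-24T02:13:05 fw-1 DENY src=10.20.5.14 dst=10.30.1.7 proto=TCP dport=502
2012-01-24T02:13:06 fw-1 DENY src=10.20.5.14 dst=10.30.1.8 proto=TCP dport=502
2012-01-24T02:13:06 fw-1 DENY src=10.20.5.14 dst=10.30.1.9 proto=TCP dport=502
2012-01-24T02:15:40 fw-1 ALLOW src=10.30.1.7 dst=10.20.5.50 proto=TCP dport=443
2012-01-24T02:40:11 vpn-gw LOGIN user=jdoe src=203.0.113.9 result=success
2012-01-24T10:05:02 vpn-gw LOGIN user=contractor7 src=198.51.100.4 result=success
"""


def analyse(log_text, approved_users, window=(6, 18), scan_threshold=3):
    """Return a list of (rule, subject, detail) alerts for the given log text.

    window is the approved remote-maintenance window as (start_hour, end_hour);
    scan_threshold is how many distinct denied targets from one source count as a scan.
    """
    alerts = []
    denied_targets = defaultdict(set)          # src -> set of (dst, dport) that were denied
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, host, action, src, dst, proto, dport = m.groups()
            if action == "DENY":
                denied_targets[src].add((dst, dport))
            continue
        m = VPN_RE.match(line)
        if m:
            ts, host, user, src, result = m.groups()
            if result != "success":
                continue
            hour = datetime.fromisoformat(ts).hour
            if user not in approved_users:
                alerts.append(("unapproved-remote-user", user, f"login from {src} at {ts}"))
            elif not (window[0] <= hour < window[1]):
                alerts.append(("remote-login-outside-window", user, f"login from {src} at {ts}"))
    # One source denied against several PCN targets looks like a scan of the control
    # network; the deck's RISI example shows why even probe traffic is worth an alert.
    for src, targets in denied_targets.items():
        if len(targets) >= scan_threshold:
            ports = sorted({p for _, p in targets})
            alerts.append(("possible-scan", src, f"{len(targets)} denied targets, ports {ports}"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG, {"jdoe", "engineer1"}):
        print(alert)
```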
  • Maintain Phase (diagram)
  • Change Management
    • A change management system should include both the IT and IACS environments
    • It is important to assess all the risks of changing the IACS
    • Proposed changes to the IACS should be reviewed for their potential impact on HS&E risks and cyber security risks
    • Changes should meet the security requirements for the zone
    • All changes should be backed up
  • Maintain Phase (diagram)
  • Periodic Audits
    • Periodic audits of the IACS shall be implemented to validate that the security measures and security management practices are performing as intended and meet the security objectives.
    • The results from each periodic audit should be expressed in the form of performance against a set of predefined and appropriate metrics to display security performance and security trends.
  • The ICS Cybersecurity Lifecycle (diagram)
  • Importance of Establishing Security Policies
    • Demonstrates senior management support
    • Protects the company and preserves management's options in the event of a security incident
    • Provides guidance and communicates expectations to employees and suppliers
    • Should be technology independent and not include the implementing procedures and processes
    • Should outline what you want to achieve, not how to do it
  • Key ICS Security Policy Topics
    • Applicable regulations & standards
    • Risk assessment requirements & methods
    • Training requirements
    • Personnel security requirements
    • Access control (physical & logical)
    • Remote access
    • ICS information management
    • Network segmentation
    • Wireless networking
    • Use of portable media
    • Vulnerability management (patch management)
    • Anti-virus management
    • Intrusion detection and prevention
    • Management of change
    • Business continuity (backup & restore)
    • Incident response
    • Assessments
  • Awareness
    • User awareness is vital: a security system is only as good as its weakest link (which is usually human).
      – Most people believe that technical solutions take care of the security concerns and that their actions have little impact.
      – Policy violations and social engineering are significant contributing factors in most security breaches, usually because an employee or contractor did not understand the potential impact of his or her actions.
  • Training
    • Effective training programs and communication vehicles help employees understand:
      – Why new or updated security controls are required
      – Ideas they can use to reduce risks
      – The impact on the company if security methods are not incorporated
    • Train users about:
      – The reasons behind specific security policies
      – Acceptable procedures and practices
      – Social engineering ploys
    • Ensure that all stakeholders are appropriately trained, including managers, engineers, operators, contractors and vendors
  • Questions and Discussion