Your SlideShare is downloading. ×
0
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
The 7 things every plant manager should know about control system security
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

The 7 things every plant manager should know about control system security

1,920

Published on

Not that long ago, the move towards “open systems” and the resulting incorporation of off-the-shelf technologies represented a huge step forward in control system design. System integration became …

Not that long ago, the move towards “open systems” and the resulting incorporation of off-the-shelf technologies represented a huge step forward in control system design. System integration became easier, product development by manufacturers was accelerated, and training leveraged common tools and concepts. While the benefits have been tremendous, open technology has made control systems open to security vulnerabilities, putting production and human safety at risk. Nothing has made that risk more evident than the Stuxnet virus which has made headlines since it was discovered in July 2010. Countering these threats requires organizations to develop a better understanding of their process control system security risks and how to address them.
In this webinar, we will discuss the seven things that every plant manager and automation professional should know about industrial control system security. We will also discuss how to apply best practices from standards such as ISA 99.02.01 to mitigate these risks.

Published in: Technology, Business
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,920
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
206
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. e ida The 7 Things Every Plant Manager Should Know About Control System Security y 24 February 2011
  • 2. e ida John A Cusimano CFSE CISSP A. Cusimano, CFSE, • Director of Security Solutions for exida • 20+ years experience in industrial automation • Employment History: • Eastman Kodak • Moore Products • Siemens • Certifications: • CFSE, CFSE Certified Functional Safety Expert • CISSP, Certified Information Systems Security Professional • Industry Associations: • ISA S99 Committee • ISA S84 Committee • ISA Security Compliance Institute • ICSJWG Workforce Development & Vendor SubgroupsCopyright © 2010 - exida
  • 3. e ida • We help our clients improve the safety, security and availability of their automation systemsCopyright © 2010 - exida
  • 4. e ida Agenda• Intro to Control System Security• The 7 Things• Case St d C Study• Summary
  • 5. e ida What is Control System Security? • Prevention of intentional or unintentional interference with the proper operation of industrial automation and p p p control systems through the use of computers, networks, operating systems, applications and other programmable configurable components of the system • Goes by many names: – SCADA Security – PCN Security – Industrial Automation and Control System Security – Control System Cyber Security – Industrial Network Security – Electronic Security for Industrial Automation and Control SystemsCopyright © 2010 - exida
  • 6. e ida Control Systems are more y vulnerable today than ever before • Heavy use of Commercial Off-the Shelf Technology (COTS) and Off the protocols – Integration of technology such as MS Windows, SQL, and TCP/IP means that process control systems are now vulnerable to the same viruses, worms and trojans that affect IT systems • Increased Connectivity – Enterprise integration (using plant, corporate and even public networks) means that process control systems (legacy) are now being subjected to stresses they were not designed for • Demand for Remote Access – 24/7 access for engineering, operations or technical support means more insecure or rogue connections to control system • Public Information – Manuals on how to use control system are publicly availableCopyright © 2010 - exida
  • 7. e ida Actual Incident Types N/A 0% Outsider Insider 47% 53% Hacker Intentional 20% DisgruntledNetwork device, employee software IT Dept, Technician Unintentional 80% Insider 14% N/A 48% Outsider 38% Malware (virus, worm, trojan) © 2011 Security Incidents Organization
  • 8. e ida Stuxnet Summary • First malware specifically targeting industrial control systems • First discovered in June 2010 (in circulation since June 2009) • Has the ability reprogram Siemens S7 PLCs • Infects Siemens SIMATIC software running on Win PCs • Uses SIMATIC software to read S7 PLC memory and overwrite FB with it own code (hidd ) it ith its d (hidden) • Spreads via USB memory sticks, local networks and Step 7 project files • Thousands of PC’s infected worldwide (predominantly Iran, India and Indonesia) • Approximately 22 cases reported on SIMATIC systems© Copyright 2010 exida 8
  • 9. e ida Pathways for Stuxnet Infection Image courtesy of Byres Security Inc.
  • 10. e ida Stuxnet Mitigation Matrixhttp://www.tofinosecurity.com/stuxnet-central
  • 11. e ida F T F7 things every plant manager should do to secure their facility from unwanted intrusion
  • 12. e ida THE 7 THINGS 1. Assess Existing Systems g y 2. Document Policies & Procedures 3. 3 Train Personnel & Contractors 4. Segment the Control System Network 5. Control Access to the System 6. Harden the Components of the System y 7. Monitor & Maintain System Security© Copyright 2010 exida 12
  • 13. e ida #1 Assess Existing Systems • Perform control system security assessments of existing systems g y • Compare current control system design, architecture, policies and practices to standards & best practices • Identify gaps and provide recommendations for closure • Benefits: – Provides management with solid understanding of current situation, gaps and path f i i d h forward d – Helps identify and prioritize investments – First step in developing a security management program© Copyright 2010 exida 13
  • 14. e ida Standards Efforts • International Society for Automation (ISA) – ISA99 I d t i l A t ISA99, Industrial Automation and C t l ti d Control System (IACS) Security • International Electrotechnical Commission (IEC) – IEC 62443 series of standards (equivalent to ISA 99) • National Institute for Standards and Technology (NIST) – SP800 82 Guide to Industrial Control SP800-82 Systems (ICS) SecurityCopyright © 2010 - exida
  • 15. e ida Industry Specific Guidance y p • American Petroleum Institute – API Standard 1164 - SCADA Security • American Chemistry Council’s Chemical Information Technology Council (ChemITC)™ (ChemITC) Chemical Sector Cyber Security Program – Guidance for Addressing Cyber Security in the Chemical Industry Version 3 0 3.0 • North American Electric Reliability Corporation (NERC) – Critical Infrastructure Protection (CIP) 002 – 009 • Department of Homeland Security – Chemical Facility Anti-terrorism Standards (CFATS) Anti terrorism – Risk-based Performance Standards (RBPS) (RBPS 8)
  • 16. e ida DHS Control Systems Security Program y y g
  • 17. e ida #2 Document Policies & Procedures • Establish control system security policies & procedures – Scope – Management Support g pp – Roles & Responsibilities – Specific Policies • Remote access • Portable media • Patch mgmt g • Anti-virus management • Change Management • Backup & Restore – References© Copyright 2010 exida 17
  • 18. e ida #3 Train Personnel & Contractors • Make sure personnel are aware of the importance of security and company policies • Provide role-based training – Visitors – Contractors –NNew hihires – Operations – Maintenance – Engineering – Management© Copyright 2010 exida 18
  • 19. e ida #4 Segment the Network • Defense-in-Depth strategy • Partition the system into distinct security zones – Logical grouping of assets sharing common security requirements y q – There can be zones within zones, or subzones, that provide layered security – Zones can be defined physically and/or logically • Define security objectives and strategy for each zone – Physical – Logical • Create secure conduits for zone-to-zone communications – Install boundary or edge devices where communications enter or leave a zone y g to provide monitoring and control capability over which data flows are permitted or denied between particular zones.© Copyright 2010 exida 19
  • 20. e ida System ArchitectureCopyright © 2010 - exida
  • 21. e ida odels ause 6: MoCla Partitioning into Zones Copyright © 2010 -
  • 22. e ida 6.5 Zone & Conduit Models delsClau 6: Mod useCopyright © 2009 - exida 22
  • 23. e ida Specifying Zones & Conduits Image courtesy of Byres Security
  • 24. e ida Honeywell Reference Architecture Image Courtesy of Honeywell Process Control
  • 25. e ida Emerson Reference Architecture
  • 26. e ida Siemens Reference Architecture Image Courtesy of Siemens AG
  • 27. e ida DuPont Reference Architecture DuPont Reference Architecture Business Zone Manufacturing Corporate DUPONTNET d i gi t a l d i gi t a l DNS d i gi t a l Message Bus di gi t a l Patch Domain PE Server Adaptors: SAP, Management Controller Clients EConnect) Server WAN DUPONTNET Manufacturing Web.21 Resource Process d i gi t a l d i gi t a l digi t a l Application Server Domain Explorer Server S (optional) Controllers Clients LAN 3 Co m Operations Management Zone PCN di gi t a l IP.21 di g i t a l Manufacturing Firewall Ethernet Server Application PE Switch PM&C Server Clients OMN digi ta l DCS AD d i gi t a l DCS Process Domain Application DCS Explorer Controllers Server consoles Clients PCN DCS Controllers M odem Bank Field Bus Mode m Ban k Gateway RCN 3C om FBN Field Devices Field Devices M odem Bank SIS Field Devices Process Control Zone Safety System Zone Image Courtesy of DuPont
  • 28. e ida #5 Control Access to System • Control and monitor access to control system resources • Logical & Physical • AAA – Ad i i t ti Administration – Authentication – Authorization • Review • Zone-by-zone – Who has access? •Asset-by-Asset – To what resources? •Role-by-Role y •Person-by-Person – With what privileges? – How is it enforced?© Copyright 2010 exida 28
  • 29. e ida Role-based Access Control C.S. Eng. Oper ator View Only
  • 30. e ida #6 Harden System Components • Remove or disable unused communication ports i ti t • Remove unnecessary applications and services • Apply p pp y patches when and where possible • Consider ‘whitelisting’ tools whitelisting • Use ISASecure™ certified products© Copyright 2010 exida 30
  • 31. e ida Port locking devices Ethernet RJ-45 USB• Tamper proof Tamper-proof outlet lock • USB lock physically locks and lockable patch cord and blocks the USB• Protects against Ports. unauthorized port access th i d t • All Allows secured use of an d f in unused outlets authorized USB device by• Deters patch cord capturing the devices p g removal cable and locking it into• Removable only with a the USB port specially designed key Siemon LockIT™ Kensington USB Port Lock
  • 32. e ida Patch Management• Prioritized and categorize all machines into groups that define when and how they are to be patched Example: patched. • “Early Adopters” receive patches as soon as available and act as Test/Quality Assurance y machines. • “No Touch” machines require manual intervention and/or detailed vendor consultation consultation.• Establish a procedure for keeping track of new patches and level of importance to control operations. p p
  • 33. e ida Patch Management• When new vulnerability is announced and/or a patch fix is available conduct a PDA to evaluate the potential available, impact on the control system• This patch is then evaluated and p p prioritized for adoption p based on its risk evaluation. Reaction Plan Aggressiveness Implementation Window Level of Testing Alpha Al h Minimum Mi i Quarterly Q t l High Hi h Bravo Moderate By end of following week Best Effort Zebra Maximum Within 48 hours Minimal
  • 34. e ida Application Whitelisting • Unlike antivirus solutions, that rely on blacklists of known , y malware, whitelisting enforces a relatively small list of the authorized applications for each computer • A t Automatically bl k all unauthorized applications ti ll blocks ll th i d li ti including unknown malware and rogue applications installed by users. • Minimal performance impact • Examples: – Core Trace Bouncer – Industrial Defender HIPSCopyright © 2010 - exida
  • 35. e ida Stuxnet Response p“Addressing Stuxnet goes beyond using quality securitycontrols.controls The industry needs to demand higher qualitysoftware that is free from defects. Companies who developproducts and write code need to continue to mature theirdevelopment processes to become more secure.” Mark Weatherford Vice president and Chief Security Officer NERC
  • 36. e ida ISASecure Embedded Device Security Certification ISA Security Compliance Institute Software Development Security Assurance (SDSA) Functional Security Assessment (FSA) ISASecure Certification Process 1. CRT test all accessible TCP/IP interfaces Communications 2. Perform FSA on device and all interfaces Robustness Testing (CRT) 3. Audit supplier’s software development process 4. 4 Perform integrated threat analysis 5. Issue certificationCopyright © 2010 - exida For more information visit: www.isasecure.org
  • 37. e ida #7 Monitor & Maintain • Install vendor recommended anti- virus and update signatures regularly • Review system logs periodically • Consider Intrusion Detection (IDS) or Host Intrusion Prevention (HIPS) • Pen testing (offline only) • Periodic assessments© Copyright 2010 exida 37
  • 38. e ida Anti-virus Management gStuxnet is not the first malware to infect industrial controlsystems© 2010 Security Incidents Organization, The Repository of Industrial Security Incidents (RISI) database
  • 39. e ida MalwareThe intrusion of malware can result in:• Performance degradation• Loss of system availability• The capture, modification, or deletion of data…and since Stuxnet• Loss of control
  • 40. e ida Mitigation Steps• Ensure that virus protection and Microsoft security hot fixes are up t date on all nodes i it h t fi to d t ll d in your process control network and the systems connected to it• Ensure that there are no email clients on any nodes of your process control network• Use a firewall and DMZ for the business network to process control network interface
  • 41. e ida THE 7 THINGS 1. Assess Existing Systems g y 2. Document Policies & Procedures 3. 3 Train Personnel & Contractors 4. Segment the Control System Network 5. Control Access to the System 6. Harden the Components of the System y 7. Monitor & Maintain System Security© Copyright 2010 exida 41
  • 42. e ida DCS Virus Infection, Vi I f ti Investigation and Response p A Case Study y
  • 43. e ida Incident• December 2009• Petrochemical company in South Africa• Virus (Win32/Sality) infected DCS system• Two OPC servers shutdown• Operators ran plant partially blind for 8 hours• Engineers rebuild servers• Recovered without loss of production
  • 44. e ida1.) Replaced servers andupdated access control li t d t d t l list Scenario 2. OPC servers stopped. Virus discovered.
  • 45. e ida Win32/Sality Virus• Discovered: April 18, 2009• A worm that spreads by infecting executable files and copying itself to removable drives py g• Deletes files with .vdb, .avc and .key in the filename and also files listed under certain registry subkeys• Ends processes and lowers security settings by modifying the registry
  • 46. e ida Response• Conducted a root-cause investigation• Implemented policy & procedural changes – Configuration management policy for IT switches – 3rd party software policy – Anti-virus management policy A ti i t li – Prohibited remote access – Portable media policy• Hired third-party SME to perform a thorough control system security assessment – Familiar with DCS, SIS and SCADA systems – Knowledgeable of latest standards & technology – Experience in similar p p plants – Unbiased
  • 47. e ida The Project• exida hired to perform control system security assessment• Aug 23 – Aug 27, 2010 g g ,• Followed ANSI/ISA 99.02.01
  • 48. e ida Assessment Process1. Understand and scope the system under assessment2.2 Develop a clear understanding of the network architecture and all traffic flows3. Develop an inventory of all networked control devices within the boundary of the system4. Perform device level assessment5.5 Interview key employees involved in operations and security of the control networks and equipment6. Analyze collected data and compare with corporate y p p standards and industry best practices to identify gaps7. Recommend solutions to close identified gaps
  • 49. e ida Results• For each item in ISA 99.02.01 99 02 01 – Requirements – Importance to effective p security – Industry best practices – Observations – Recommendations• 48 recommendations d ti• 9 critical recommendations
  • 50. e ida Network SegmentationObservations: – Network connections not well documented – Insufficient separation between business LAN and control system (VLANS & ACL’s) – Boundaries unclear and no boundary devices – Several computers were found to have hundreds of established network connections – Several dual-zoned servers
  • 51. e ida Weak boundary Hundreds of computers in network neighborhood Dual-homed servers
  • 52. e ida DuPont Reference Architecture Business Zone Manufacturing Corporate DUPONTNET d i gi t a l d i gi t a l DNS d i gi t a l Message Bus digi t al Patch Domain PE Server Adaptors: SAP, Management Controller Clients EConnect)) Server WAN DUPONTNET Manufacturing Web.21 Resource Process d i gi t a l d i gi t a l d i gi t a l Application Server Domain Explorer Server (optional) Controllers Clients LAN 3 Co m Operations Management Zone PCN digi ta l IP.21 digi ta l Manufacturing Firewall Ethernet Server Application PE Switch PM&C Server Clients OMN digi ta l DCS AD d i gi t a l DCS Process Domain Application DCS Explorer Controllers Server consoles Clients PCN DCS Controllers M ode m Ban k Field Bus M odem Ban k Gateway RCN 3C om FBN Field Devices Field Devices M odem Ban k SIS Field Devices Process Control Zone Safety System Zone Image Courtesy of DuPont
  • 53. e ida
  • 54. e ida System Hardening Observation Recommendation• Workstations extensive • Remove all unnecessary number of inappropriate applications and services applications • Apply the vendor – UltraVNC recommended or NIST – Microsoft ActiveSync hardening settings to all – Internet Explorer workstations and servers – Microsoft Outlook / Outlook • Immediately remove any Express unnecessary shares – Windows NetMeeting – I t Internet checkers game t h k – Remote access phonebook• Numerous files shares configured
  • 55. e ida System Hardening Observation Recommendation• Numerous active, unused • Disable or lock any Ethernet ports unused ports• USB ports disabled by • Use physical devices to registry setting lock cables into used ports and block access to unused ports
  • 56. e ida Lessons Learned Client Assessor• Network segmentation is • ANSI/ISA 99.02.01 critical provides good structure• Anti-virus used per but cannot be used as a supplier checklist recommendations • Zone and conduit• Portable media is modeling works dangerous • Supplier’s reference• Awareness/training is architectures need to be important adjusted for “real” real• Systems should be applications hardened and patched • Data collection must be per supplier performed very carefully f d f ll recommendations on a live control system
  • 57. e ida Next Steps• Client is developing corporate policies and procedures• Client is preparing to deploy recommended network changes• Role-based security training is being developed and y g g p integrated into existing training program• Monitoring technology (e.g. IDS, HIPS) being investigated• Access control (logical and physical) being reviewed• System hardening being implemented with supplier support• Additional units and sites will be assessed
  • 58. e ida Key Takeaways• ‘Security’ is a key component in control system reliability li bilit• The threats to control system security are real and b d becoming more sophisticated i hi ti t d• Excellent standards and best practices are available assist users in securing their systems• Automation equipment suppliers play an important role• Assessment is the first step This presentation is available on www.exida.com and www.slideshare.com

×