The 7 things every plant manager should know about control system security

2,416 views
2,293 views

Published on

Not that long ago, the move towards “open systems” and the resulting incorporation of off-the-shelf technologies represented a huge step forward in control system design. System integration became easier, product development by manufacturers was accelerated, and training leveraged common tools and concepts. While the benefits have been tremendous, open technology has made control systems open to security vulnerabilities, putting production and human safety at risk. Nothing has made that risk more evident than the Stuxnet virus which has made headlines since it was discovered in July 2010. Countering these threats requires organizations to develop a better understanding of their process control system security risks and how to address them.
In this webinar, we will discuss the seven things that every plant manager and automation professional should know about industrial control system security. We will also discuss how to apply best practices from standards such as ISA 99.02.01 to mitigate these risks.

Published in: Technology, Business
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,416
On SlideShare
0
From Embeds
0
Number of Embeds
16
Actions
Shares
0
Downloads
232
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

The 7 things every plant manager should know about control system security

  1. 1. e ida The 7 Things Every Plant Manager Should Know About Control System Security y 24 February 2011
  2. 2. e ida John A Cusimano CFSE CISSP A. Cusimano, CFSE, • Director of Security Solutions for exida • 20+ years experience in industrial automation • Employment History: • Eastman Kodak • Moore Products • Siemens • Certifications: • CFSE, CFSE Certified Functional Safety Expert • CISSP, Certified Information Systems Security Professional • Industry Associations: • ISA S99 Committee • ISA S84 Committee • ISA Security Compliance Institute • ICSJWG Workforce Development & Vendor SubgroupsCopyright © 2010 - exida
  3. 3. e ida • We help our clients improve the safety, security and availability of their automation systemsCopyright © 2010 - exida
  4. 4. e ida Agenda• Intro to Control System Security• The 7 Things• Case St d C Study• Summary
  5. 5. e ida What is Control System Security? • Prevention of intentional or unintentional interference with the proper operation of industrial automation and p p p control systems through the use of computers, networks, operating systems, applications and other programmable configurable components of the system • Goes by many names: – SCADA Security – PCN Security – Industrial Automation and Control System Security – Control System Cyber Security – Industrial Network Security – Electronic Security for Industrial Automation and Control SystemsCopyright © 2010 - exida
  6. 6. e ida Control Systems are more y vulnerable today than ever before • Heavy use of Commercial Off-the Shelf Technology (COTS) and Off the protocols – Integration of technology such as MS Windows, SQL, and TCP/IP means that process control systems are now vulnerable to the same viruses, worms and trojans that affect IT systems • Increased Connectivity – Enterprise integration (using plant, corporate and even public networks) means that process control systems (legacy) are now being subjected to stresses they were not designed for • Demand for Remote Access – 24/7 access for engineering, operations or technical support means more insecure or rogue connections to control system • Public Information – Manuals on how to use control system are publicly availableCopyright © 2010 - exida
  7. 7. e ida Actual Incident Types N/A 0% Outsider Insider 47% 53% Hacker Intentional 20% DisgruntledNetwork device, employee software IT Dept, Technician Unintentional 80% Insider 14% N/A 48% Outsider 38% Malware (virus, worm, trojan) © 2011 Security Incidents Organization
  8. 8. e ida Stuxnet Summary • First malware specifically targeting industrial control systems • First discovered in June 2010 (in circulation since June 2009) • Has the ability reprogram Siemens S7 PLCs • Infects Siemens SIMATIC software running on Win PCs • Uses SIMATIC software to read S7 PLC memory and overwrite FB with it own code (hidd ) it ith its d (hidden) • Spreads via USB memory sticks, local networks and Step 7 project files • Thousands of PC’s infected worldwide (predominantly Iran, India and Indonesia) • Approximately 22 cases reported on SIMATIC systems© Copyright 2010 exida 8
  9. 9. e ida Pathways for Stuxnet Infection Image courtesy of Byres Security Inc.
  10. 10. e ida Stuxnet Mitigation Matrixhttp://www.tofinosecurity.com/stuxnet-central
  11. 11. e ida F T F7 things every plant manager should do to secure their facility from unwanted intrusion
  12. 12. e ida THE 7 THINGS 1. Assess Existing Systems g y 2. Document Policies & Procedures 3. 3 Train Personnel & Contractors 4. Segment the Control System Network 5. Control Access to the System 6. Harden the Components of the System y 7. Monitor & Maintain System Security© Copyright 2010 exida 12
  13. 13. e ida #1 Assess Existing Systems • Perform control system security assessments of existing systems g y • Compare current control system design, architecture, policies and practices to standards & best practices • Identify gaps and provide recommendations for closure • Benefits: – Provides management with solid understanding of current situation, gaps and path f i i d h forward d – Helps identify and prioritize investments – First step in developing a security management program© Copyright 2010 exida 13
  14. 14. e ida Standards Efforts • International Society for Automation (ISA) – ISA99 I d t i l A t ISA99, Industrial Automation and C t l ti d Control System (IACS) Security • International Electrotechnical Commission (IEC) – IEC 62443 series of standards (equivalent to ISA 99) • National Institute for Standards and Technology (NIST) – SP800 82 Guide to Industrial Control SP800-82 Systems (ICS) SecurityCopyright © 2010 - exida
  15. 15. e ida Industry Specific Guidance y p • American Petroleum Institute – API Standard 1164 - SCADA Security • American Chemistry Council’s Chemical Information Technology Council (ChemITC)™ (ChemITC) Chemical Sector Cyber Security Program – Guidance for Addressing Cyber Security in the Chemical Industry Version 3 0 3.0 • North American Electric Reliability Corporation (NERC) – Critical Infrastructure Protection (CIP) 002 – 009 • Department of Homeland Security – Chemical Facility Anti-terrorism Standards (CFATS) Anti terrorism – Risk-based Performance Standards (RBPS) (RBPS 8)
  16. 16. e ida DHS Control Systems Security Program y y g
  17. 17. e ida #2 Document Policies & Procedures • Establish control system security policies & procedures – Scope – Management Support g pp – Roles & Responsibilities – Specific Policies • Remote access • Portable media • Patch mgmt g • Anti-virus management • Change Management • Backup & Restore – References© Copyright 2010 exida 17
  18. 18. e ida #3 Train Personnel & Contractors • Make sure personnel are aware of the importance of security and company policies • Provide role-based training – Visitors – Contractors –NNew hihires – Operations – Maintenance – Engineering – Management© Copyright 2010 exida 18
  19. 19. e ida #4 Segment the Network • Defense-in-Depth strategy • Partition the system into distinct security zones – Logical grouping of assets sharing common security requirements y q – There can be zones within zones, or subzones, that provide layered security – Zones can be defined physically and/or logically • Define security objectives and strategy for each zone – Physical – Logical • Create secure conduits for zone-to-zone communications – Install boundary or edge devices where communications enter or leave a zone y g to provide monitoring and control capability over which data flows are permitted or denied between particular zones.© Copyright 2010 exida 19
  20. 20. e ida System ArchitectureCopyright © 2010 - exida
  21. 21. e ida odels ause 6: MoCla Partitioning into Zones Copyright © 2010 -
  22. 22. e ida 6.5 Zone & Conduit Models delsClau 6: Mod useCopyright © 2009 - exida 22
  23. 23. e ida Specifying Zones & Conduits Image courtesy of Byres Security
  24. 24. e ida Honeywell Reference Architecture Image Courtesy of Honeywell Process Control
  25. 25. e ida Emerson Reference Architecture
  26. 26. e ida Siemens Reference Architecture Image Courtesy of Siemens AG
  27. 27. e ida DuPont Reference Architecture DuPont Reference Architecture Business Zone Manufacturing Corporate DUPONTNET d i gi t a l d i gi t a l DNS d i gi t a l Message Bus di gi t a l Patch Domain PE Server Adaptors: SAP, Management Controller Clients EConnect) Server WAN DUPONTNET Manufacturing Web.21 Resource Process d i gi t a l d i gi t a l digi t a l Application Server Domain Explorer Server S (optional) Controllers Clients LAN 3 Co m Operations Management Zone PCN di gi t a l IP.21 di g i t a l Manufacturing Firewall Ethernet Server Application PE Switch PM&C Server Clients OMN digi ta l DCS AD d i gi t a l DCS Process Domain Application DCS Explorer Controllers Server consoles Clients PCN DCS Controllers M odem Bank Field Bus Mode m Ban k Gateway RCN 3C om FBN Field Devices Field Devices M odem Bank SIS Field Devices Process Control Zone Safety System Zone Image Courtesy of DuPont
  28. 28. e ida #5 Control Access to System • Control and monitor access to control system resources • Logical & Physical • AAA – Ad i i t ti Administration – Authentication – Authorization • Review • Zone-by-zone – Who has access? •Asset-by-Asset – To what resources? •Role-by-Role y •Person-by-Person – With what privileges? – How is it enforced?© Copyright 2010 exida 28
  29. 29. e ida Role-based Access Control C.S. Eng. Oper ator View Only
  30. 30. e ida #6 Harden System Components • Remove or disable unused communication ports i ti t • Remove unnecessary applications and services • Apply p pp y patches when and where possible • Consider ‘whitelisting’ tools whitelisting • Use ISASecure™ certified products© Copyright 2010 exida 30
  31. 31. e ida Port locking devices Ethernet RJ-45 USB• Tamper proof Tamper-proof outlet lock • USB lock physically locks and lockable patch cord and blocks the USB• Protects against Ports. unauthorized port access th i d t • All Allows secured use of an d f in unused outlets authorized USB device by• Deters patch cord capturing the devices p g removal cable and locking it into• Removable only with a the USB port specially designed key Siemon LockIT™ Kensington USB Port Lock
  32. 32. e ida Patch Management• Prioritized and categorize all machines into groups that define when and how they are to be patched Example: patched. • “Early Adopters” receive patches as soon as available and act as Test/Quality Assurance y machines. • “No Touch” machines require manual intervention and/or detailed vendor consultation consultation.• Establish a procedure for keeping track of new patches and level of importance to control operations. p p
  33. 33. e ida Patch Management• When new vulnerability is announced and/or a patch fix is available conduct a PDA to evaluate the potential available, impact on the control system• This patch is then evaluated and p p prioritized for adoption p based on its risk evaluation. Reaction Plan Aggressiveness Implementation Window Level of Testing Alpha Al h Minimum Mi i Quarterly Q t l High Hi h Bravo Moderate By end of following week Best Effort Zebra Maximum Within 48 hours Minimal
  34. 34. e ida Application Whitelisting • Unlike antivirus solutions, that rely on blacklists of known , y malware, whitelisting enforces a relatively small list of the authorized applications for each computer • A t Automatically bl k all unauthorized applications ti ll blocks ll th i d li ti including unknown malware and rogue applications installed by users. • Minimal performance impact • Examples: – Core Trace Bouncer – Industrial Defender HIPSCopyright © 2010 - exida
  35. 35. e ida Stuxnet Response p“Addressing Stuxnet goes beyond using quality securitycontrols.controls The industry needs to demand higher qualitysoftware that is free from defects. Companies who developproducts and write code need to continue to mature theirdevelopment processes to become more secure.” Mark Weatherford Vice president and Chief Security Officer NERC
  36. 36. e ida ISASecure Embedded Device Security Certification ISA Security Compliance Institute Software Development Security Assurance (SDSA) Functional Security Assessment (FSA) ISASecure Certification Process 1. CRT test all accessible TCP/IP interfaces Communications 2. Perform FSA on device and all interfaces Robustness Testing (CRT) 3. Audit supplier’s software development process 4. 4 Perform integrated threat analysis 5. Issue certificationCopyright © 2010 - exida For more information visit: www.isasecure.org
  37. 37. e ida #7 Monitor & Maintain • Install vendor recommended anti- virus and update signatures regularly • Review system logs periodically • Consider Intrusion Detection (IDS) or Host Intrusion Prevention (HIPS) • Pen testing (offline only) • Periodic assessments© Copyright 2010 exida 37
  38. 38. e ida Anti-virus Management gStuxnet is not the first malware to infect industrial controlsystems© 2010 Security Incidents Organization, The Repository of Industrial Security Incidents (RISI) database
  39. 39. e ida MalwareThe intrusion of malware can result in:• Performance degradation• Loss of system availability• The capture, modification, or deletion of data…and since Stuxnet• Loss of control
  40. 40. e ida Mitigation Steps• Ensure that virus protection and Microsoft security hot fixes are up t date on all nodes i it h t fi to d t ll d in your process control network and the systems connected to it• Ensure that there are no email clients on any nodes of your process control network• Use a firewall and DMZ for the business network to process control network interface
  41. 41. e ida THE 7 THINGS 1. Assess Existing Systems g y 2. Document Policies & Procedures 3. 3 Train Personnel & Contractors 4. Segment the Control System Network 5. Control Access to the System 6. Harden the Components of the System y 7. Monitor & Maintain System Security© Copyright 2010 exida 41
  42. 42. e ida DCS Virus Infection, Vi I f ti Investigation and Response p A Case Study y
  43. 43. e ida Incident• December 2009• Petrochemical company in South Africa• Virus (Win32/Sality) infected DCS system• Two OPC servers shutdown• Operators ran plant partially blind for 8 hours• Engineers rebuild servers• Recovered without loss of production
  44. 44. e ida1.) Replaced servers andupdated access control li t d t d t l list Scenario 2. OPC servers stopped. Virus discovered.
  45. 45. e ida Win32/Sality Virus• Discovered: April 18, 2009• A worm that spreads by infecting executable files and copying itself to removable drives py g• Deletes files with .vdb, .avc and .key in the filename and also files listed under certain registry subkeys• Ends processes and lowers security settings by modifying the registry
  46. 46. e ida Response• Conducted a root-cause investigation• Implemented policy & procedural changes – Configuration management policy for IT switches – 3rd party software policy – Anti-virus management policy A ti i t li – Prohibited remote access – Portable media policy• Hired third-party SME to perform a thorough control system security assessment – Familiar with DCS, SIS and SCADA systems – Knowledgeable of latest standards & technology – Experience in similar p p plants – Unbiased
  47. 47. e ida The Project• exida hired to perform control system security assessment• Aug 23 – Aug 27, 2010 g g ,• Followed ANSI/ISA 99.02.01
  48. 48. e ida Assessment Process1. Understand and scope the system under assessment2.2 Develop a clear understanding of the network architecture and all traffic flows3. Develop an inventory of all networked control devices within the boundary of the system4. Perform device level assessment5.5 Interview key employees involved in operations and security of the control networks and equipment6. Analyze collected data and compare with corporate y p p standards and industry best practices to identify gaps7. Recommend solutions to close identified gaps
  49. 49. e ida Results• For each item in ISA 99.02.01 99 02 01 – Requirements – Importance to effective p security – Industry best practices – Observations – Recommendations• 48 recommendations d ti• 9 critical recommendations
  50. 50. e ida Network SegmentationObservations: – Network connections not well documented – Insufficient separation between business LAN and control system (VLANS & ACL’s) – Boundaries unclear and no boundary devices – Several computers were found to have hundreds of established network connections – Several dual-zoned servers
  51. 51. e ida Weak boundary Hundreds of computers in network neighborhood Dual-homed servers
  52. 52. e ida DuPont Reference Architecture Business Zone Manufacturing Corporate DUPONTNET d i gi t a l d i gi t a l DNS d i gi t a l Message Bus digi t al Patch Domain PE Server Adaptors: SAP, Management Controller Clients EConnect)) Server WAN DUPONTNET Manufacturing Web.21 Resource Process d i gi t a l d i gi t a l d i gi t a l Application Server Domain Explorer Server (optional) Controllers Clients LAN 3 Co m Operations Management Zone PCN digi ta l IP.21 digi ta l Manufacturing Firewall Ethernet Server Application PE Switch PM&C Server Clients OMN digi ta l DCS AD d i gi t a l DCS Process Domain Application DCS Explorer Controllers Server consoles Clients PCN DCS Controllers M ode m Ban k Field Bus M odem Ban k Gateway RCN 3C om FBN Field Devices Field Devices M odem Ban k SIS Field Devices Process Control Zone Safety System Zone Image Courtesy of DuPont
  53. 53. e ida
  54. 54. e ida System Hardening Observation Recommendation• Workstations extensive • Remove all unnecessary number of inappropriate applications and services applications • Apply the vendor – UltraVNC recommended or NIST – Microsoft ActiveSync hardening settings to all – Internet Explorer workstations and servers – Microsoft Outlook / Outlook • Immediately remove any Express unnecessary shares – Windows NetMeeting – I t Internet checkers game t h k – Remote access phonebook• Numerous files shares configured
  55. 55. e ida System Hardening Observation Recommendation• Numerous active, unused • Disable or lock any Ethernet ports unused ports• USB ports disabled by • Use physical devices to registry setting lock cables into used ports and block access to unused ports
  56. 56. e ida Lessons Learned Client Assessor• Network segmentation is • ANSI/ISA 99.02.01 critical provides good structure• Anti-virus used per but cannot be used as a supplier checklist recommendations • Zone and conduit• Portable media is modeling works dangerous • Supplier’s reference• Awareness/training is architectures need to be important adjusted for “real” real• Systems should be applications hardened and patched • Data collection must be per supplier performed very carefully f d f ll recommendations on a live control system
  57. 57. e ida Next Steps• Client is developing corporate policies and procedures• Client is preparing to deploy recommended network changes• Role-based security training is being developed and y g g p integrated into existing training program• Monitoring technology (e.g. IDS, HIPS) being investigated• Access control (logical and physical) being reviewed• System hardening being implemented with supplier support• Additional units and sites will be assessed
  58. 58. e ida Key Takeaways• ‘Security’ is a key component in control system reliability li bilit• The threats to control system security are real and b d becoming more sophisticated i hi ti t d• Excellent standards and best practices are available assist users in securing their systems• Automation equipment suppliers play an important role• Assessment is the first step This presentation is available on www.exida.com and www.slideshare.com

×