Why and How should You include Industrial Cyber Security among the topics to be covered during the definition of an industrial or infrastructural Project?
ServiTecno Tieghi Aggiungere Video Al Telecontrollo Per Telecontrollo2009 R2
Project Management & Industrial Cyber Security (ICS) by Enzo M. Tieghi
1. Proteggiamo da incidenti cyber i
Sistemi di controllo e automazione
nell’industria e nelle infrastrutture
Enzo M. Tieghi
etieghi@servitecno.it
em.tieghi@infrastrutturecritiche.it
3. Enzo Maria Tieghi
Amministratore Delegato di ServiTecno
(da oltre 20 anni software industriale)
Consigliere AIIC, attivo in associazioni e gruppi di studio
per la cyber security industriale (ISA s99 member)
In Advisory Board, gruppi e progetti internazionali su
Industrial Security e CIP (Critical Infrastructure Protection)
Co-autore ed autore pubblicazioni, articoli e memorie
3
6. 6
ANSI/ISA95 Functional Hierarchy www.isa.org
Level 4
Level 1
Level 2
Level 3
Business Planning
& Logistics
Plant Production Scheduling,
Operational Management, etc
Manufacturing
Operations Management
Dispatching Production, Detailed Production
Scheduling, Reliability Assurance, ...
Batch
Control
Discrete
Control
Continuous
Control
1 - Sensing the production process,
manipulating the production process
2 - Monitoring, supervisory control and
automated control of the production process
3 - Work flow / recipe control to produce the
desired end products. Maintaining records
and optimizing the production process.
Time Frame
Days, Shifts, hours, minutes, seconds
4 - Establishing the basic plant schedule -
production, material use, delivery, and
shipping. Determining inventory levels.
Time Frame
Months, weeks, days
Level 0 0 - The actual production process
Level 4
Level 1
Level 2
Level 3
Business Planning
& Logistics
Plant Production Scheduling,
Operational Management, etc
Manufacturing
Operations Management
Dispatching Production, Detailed Production
Scheduling, Reliability Assurance, ...
Batch
Control
Discrete
Control
Continuous
Control
1 - Sensing the production process,
manipulating the production process
2 - Monitoring, supervisory control and
automated control of the production process
3 - Work flow / recipe control to produce the
desired end products. Maintaining records
and optimizing the production process.
Time Frame
Days, Shifts, hours, minutes, seconds
4 - Establishing the basic plant schedule -
production, material use, delivery, and
shipping. Determining inventory levels.
Time Frame
Months, weeks, days
Level 0 0 - The actual production process
7.
8. Sicurezza Impianti
Oltre alla safety (EN ISO 13849-1/2,
IEC/EN 62061, IEC/EN 61508,
IEC/EN61511)…
• valutiamo la security?
• Life Cycle dei sistemi?
• Documentazione di progetto?
• Cambiamenti sull’impianto?
• Reti, PLC, DCS, SCADA?
• Chi? Quando? Dove? Perchè?
9. • un repository per la versione
“validata” del sw
• la documentazione di progetto
• per eventuali variazioni,
manutenzioni, ripartenze?
10. • Ho fatto Risk Analysis per
rischio cyber?
• Ho protetto rete e sistemi di
fabbrica?
• Ho una copia completa, back-up
del sistema (e dei dati) ?
• Ho mai provato il recovery?
14. Esempio di “Security Architecture” nei sistemi di
automazione e controllo
Enterprise
Control
Network
Manufacturing
Operations
Network
Perimeter
Control
Network
Control
System
Network
Process
Control
Network
Source: Byres - Tofino
15. Protezione di Zone & Conduits con Firewalls
(multilayered defence)
Corporate Firewall
Industrial Firewall
Source: Byres - Tofino
16. … e molto altro
HW e SW di varie marche,
provenienze, epoche, uso…
19. 19
Il vero problema?
…“Control system staff often have no skill and time for
security practices…”
Steve Meyer, System Security Expert says:
“... Hackers and exploits are an inconvenience and can cost
money but plant downtime will kill a business…”
20. Enzo Maria Tieghi
Amministratore Delegato di ServiTecno
(da oltre 20 anni software industriale)
Consigliere AIIC, attivo in associazioni e gruppi di studio
per la cyber security industriale (ISA s99 member)
In Advisory Board, gruppi e progetti internazionali su
Industrial Security e CIP (Critical Infrastructure Protection)
Co-autore ed autore pubblicazioni, articoli e memorie
20