Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Control System Cyber Security - A Different Approach


Published on

This excerpt was developed and presented by Emerson's Bob Huba at 63rd Annual Instrumentation Symposium for the Process Industries in January 2009.

Published in: Business
  • Be the first to comment

Control System Cyber Security - A Different Approach

  1. 1. Control System Cyber Security A different approach Bob Huba Sr. Product Manager Emerson Process Management
  2. 2. Goals <ul><li>Discuss security in context of people part of the solution </li></ul><ul><li>Beyond the technical solution </li></ul><ul><li>The human side of Security </li></ul><ul><ul><li>Your security culture </li></ul></ul><ul><ul><li>Policies and Procedures </li></ul></ul><ul><li>Help bridge the gap between IT and Operations </li></ul><ul><li>Why – because SCADA security requires people involvement to suceed. </li></ul>
  3. 3. What is SCADA Cyber Security <ul><li>Protection from intentional computer misuse that would cause inability for you to properly control the process </li></ul><ul><li>Protecting your process </li></ul><ul><ul><li>IT security protects information </li></ul></ul><ul><ul><li>SCADA security protects physical assets </li></ul></ul><ul><ul><li>SCADA security protects production </li></ul></ul><ul><li>Protects your control system </li></ul><ul><ul><li>Needed to manage your process </li></ul></ul>
  4. 4. Threats <ul><li>Undirected automatic attacks </li></ul><ul><ul><li>Worms, viruses, malware </li></ul></ul><ul><ul><li>Accidental or deliberate </li></ul></ul><ul><ul><li>Most concern on these types </li></ul></ul><ul><li>Deliberate attack </li></ul><ul><ul><li>Internal </li></ul></ul><ul><ul><li>External </li></ul></ul><ul><ul><li>Undirected attack – disrupt system somehow </li></ul></ul><ul><ul><li>Directed attack – take over and cause problems </li></ul></ul><ul><ul><li>Is becoming a much larger concern for some </li></ul></ul>Impending Government Regulations
  5. 5. Cyber-Security Strategy <ul><li>Implement a layered security strategy </li></ul><ul><li>This solution hardens the boundary between Control system and the plant LAN </li></ul><ul><ul><li>Maintain the “open” connections within control system </li></ul></ul><ul><li>Defense in depth </li></ul><ul><ul><ul><li>Layered security – harden the perimeter(s) </li></ul></ul></ul><ul><ul><ul><li>Internal system security solutions </li></ul></ul></ul><ul><ul><ul><ul><li>Anti-virus scanner </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Security Hardened Workstations and Controllers </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Security Patch management </li></ul></ul></ul></ul>
  6. 6. Develop a Security Policy <ul><li>They “gotta know da rules” </li></ul><ul><li>Leverage off the corporate policy </li></ul><ul><li>Modify where appropriate </li></ul><ul><ul><li>User Access maintenance </li></ul></ul><ul><ul><li>Patch and AV update procedures </li></ul></ul><ul><ul><li>Physical Access to equipment </li></ul></ul><ul><ul><li>Software Installation </li></ul></ul><ul><ul><li>Wireless Access </li></ul></ul><ul><ul><li>Remote Access </li></ul></ul><ul><li>Train users </li></ul><ul><li>Coordinate with IT </li></ul>
  7. 7. Goals for control system security <ul><li>Enable users to implement a secure system by working with site IT </li></ul><ul><ul><li>Our users are the process/operations personnel </li></ul></ul><ul><ul><li>Allow our users to communicate our needs to IT </li></ul></ul><ul><ul><li>Use SCADA recommended practices </li></ul></ul><ul><ul><li>Use layered security solutions </li></ul></ul><ul><li>Provide a framework for security procedures to be implemented </li></ul><ul><ul><li>Tested, documented solutions to wrap procedures around </li></ul></ul><ul><ul><li>Documentation on recommended practices for security deployment for consistent solutions </li></ul></ul>
  8. 8. Use a familiar Model <ul><li>What seems to be lacking is a model for implementing control systems security that we can understand and easily explain to plant personnel </li></ul><ul><li>IT models may not be the best fit- </li></ul><ul><ul><li>Confidentially vs. Availability </li></ul></ul><ul><ul><li>Information assets vs. Operations Physical assets </li></ul></ul><ul><ul><li>Highly technically oriented </li></ul></ul><ul><ul><li>Emphasis on IT protecting the assets </li></ul></ul><ul><ul><li>Managed by IT – without user involvement </li></ul></ul>
  9. 9. Develop a “Culture of Security” <ul><li>A Security program can be modeled after a Plant Safety program </li></ul><ul><li>A plant safety program creates an “culture of safety” within the plant </li></ul><ul><li>Security is a “way of life” </li></ul><ul><li>A way to manage risk around user actions </li></ul><ul><ul><li>Includes all people who come into the plant </li></ul></ul><ul><li>Like a successful safety program a successful security program requires that users develop a culture of security </li></ul>
  10. 10. Why this Model? <ul><li>Easily Understood by Operations </li></ul><ul><li>Implemented at right levels in organization </li></ul><ul><ul><li>People’s behavior promotes security </li></ul></ul><ul><li>Processes and procedures are localized </li></ul><ul><ul><li>Plant site – plant department – process units </li></ul></ul><ul><li>Procedures are control system specific </li></ul><ul><ul><li>Different vendors, different system versions </li></ul></ul>
  11. 11. Model Fits into overall Security Program <ul><li>Provides a foundation to support an overall program </li></ul><ul><li>Elements of the model are required to implement overall program anyway – for example a operations person is required to help with: </li></ul><ul><ul><li>Risk assessment </li></ul></ul><ul><ul><li>Priorities – which assets to protect – in what order </li></ul></ul><ul><ul><li>How much “protection” to implement on each </li></ul></ul><ul><li>Provides a person with the process expertise to make the security program successful </li></ul><ul><ul><li>Process is secure and available </li></ul></ul>
  12. 12. Program Elements <ul><li>Treat “security” like we treat “safety” </li></ul><ul><li>Responsibility </li></ul><ul><ul><li>People (operators, engineers, supervisors) take responsibility for security of their areas </li></ul></ul><ul><ul><li>Security does not just “happen” </li></ul></ul><ul><li>Procedures </li></ul><ul><ul><li>Documented control system security policies </li></ul></ul><ul><li>Training </li></ul><ul><ul><li>People are trained on security </li></ul></ul><ul><ul><li>Understand security processes </li></ul></ul><ul><ul><li>Understand risks </li></ul></ul>
  13. 13. <ul><li>Awareness </li></ul><ul><ul><li>People recognize/prevent insecure behavior </li></ul></ul><ul><ul><li>Report problems </li></ul></ul><ul><li>Measurement </li></ul><ul><ul><li>Report security incidents – insecure actions </li></ul></ul><ul><ul><li>Reporting results </li></ul></ul><ul><li>Audits/Enforcement </li></ul><ul><ul><li>Are procedures being followed </li></ul></ul><ul><ul><li>Actions to correct audit results </li></ul></ul><ul><li>On-Going Effort </li></ul><ul><ul><li>Environment is always changing </li></ul></ul>Program Elements
  14. 14. A MOST IMPORTANT PERSON <ul><li>Operations security champion </li></ul>
  15. 15. Got to have an owner <ul><li>Control System security “champion” </li></ul><ul><ul><li>Site – department – process – unit </li></ul></ul><ul><ul><li>Somebody (in operations) has to be responsible </li></ul></ul><ul><ul><li>Not delegated to IT </li></ul></ul><ul><li>May be more than one person </li></ul><ul><ul><li>Team with different responsibilities </li></ul></ul><ul><li>Their job to “make security happen” </li></ul>
  16. 16. Summary <ul><li>Security Program Model = plant safety program </li></ul><ul><ul><li>Easy for Operations to understand </li></ul></ul><ul><li>Operations people have to be involved </li></ul><ul><ul><li>Success depends on training and awareness </li></ul></ul><ul><li>Have to have a security champion </li></ul><ul><ul><li>Somebody in operations takes responsibility </li></ul></ul><ul><li>Champion provides the “Operations view” on security solutions </li></ul><ul><li>Plant has to have a “culture of security” for the security program to be successful </li></ul>