INFORMATION SECURITY MANAGEMENT GUIDANCE FOR AUTOMATION DEPARTMENTS IN DISCRETE MANUFACTURING

Johnny Welch

Abstract

The rise in awareness of, and concern for, the security of industrial control systems has coincided with the publication of standards from private sector organizations and free guidance documents from government sources. As automation departments have managed to navigate the IT skills gap over the past few years, the question arises as to whether the emerging information, now readily available, will allow for a likewise segregated security approach. However, an analysis of the guidance reveals not only that none of the publications stands on its own, but that their implementation requires extensive inter-departmental knowledge sharing and cooperation.

Keywords: Industrial Automation and Control Systems, Security Standards, Cross-functional Teams

1 Introduction

A maintenance department, charged with the care of industrial automation and control systems (IACS), requires technicians capable of maintaining and repairing the information technology (IT) that is integral to the systems’ operation and control, including:

- Computer systems used to run operator interface applications, as well as programming applications for programmable logic controllers (PLCs) and intelligent motor drives.
- TCP/IP/Ethernet interconnection networks for communications and control between the control system and operator PCs.
- Data interconnections between the control system and the business network.

That systems to ensure the integrity and security of these IT systems are lacking speaks to the fact that even though the technology and equipment have fully moved into automation departments, the methods that have ensured their longevity and success elsewhere have not. A quick survey of the IT systems in question, consisting at times largely of legacy systems installed by OEMs, reveals their weaknesses to the trained eye. Examples are the vulnerabilities associated
with common-off-the-shelf (COTS) PCs used as operator interfaces before the realities of the modern malware era:

- non-existent user access policies
- internet/remote network access on the plant floor
- non-existent or automatic update policies

Yet more telling may be the failures of procedures and practices of the department itself:

- well-meaning, unsuccessful update efforts
- inadvertent infection of field laptops via careless internet usage.

These deficiencies were pointed out in previous research, where the author cited the need for either further integration of information technology coursework into the curricula for automation technicians, or integration of the technicians/departments themselves. This was presented as a means of addressing the knowledge and skills gap associated with emerging training needs brought about by the proliferation of information technology in automation [1].

While the realization of widespread improvements in organizational structures or technical school curricula remains to be seen, high-profile security concerns about infrastructure utilizing automation and control systems have brought the issue to the forefront [2].

With the publication of standards and reports over the past few years, alongside rising concerns about the security of industrial controls, this research seeks to investigate whether the emerging avenues of discovery and guidance provide a ready solution addressable by maintenance departments (with the existing aforementioned challenges), or one that further justifies the integration of IT and automation.

1.1 Audience

The author’s experience is in discrete manufacturing sectors, not necessarily constrained by regulations to develop and implement cyber security programs. The consequences of failures in these plants do not rise to the levels associated with critical infrastructure, nor will they suffer the associated regulatory penalties if they are found lacking in policy or procedures. Likewise, the safety concerns associated with cyber security are mitigated due to the use of
traditional electro-mechanical safety circuits, separate from the software-controlled portions of the equipment.

The drive for connectivity with other networks is for production information that is closer to real time and automated in its timeliness and formulation. This is the first step in an interconnectivity that can scale to enterprise and partner levels, in what Dzung et al. point out is a response to the need for “fast and cost effective decisions” ... [based on] “accurate and up-to-date information about the plant and process status” [18].

The impetus for investigation into the use of IT security standards or guidance may be due to the increased awareness of the vulnerabilities of the IT systems involved, or due to an inordinate amount of downtime suffered due to a failure associated with the previously enumerated deficiencies.

The inclination to attempt to create a stand-alone program, utilizing readily available documents, is in no way mitigated by the fact that structures pre-exist in the maintenance department that can readily incorporate new requirements for reliability of equipment and systems. Preventative maintenance checks on equipment and systems whose failures threaten profitability, as well as personal and equipment safety, are continuously performed. Maintenance is likewise, by nature, indirectly related to profitable functions within the organization. Therefore, the aforementioned inclination towards quick self-reliance is equally related to cost consciousness.

Though a quick integration of IT security procedures and checks into the department is an attractive proposal, it will be seen that the methodologies presented by the guidance under consideration are extremely cross-functional in their prescription, as well as detailed and time consuming.

2 Guidance

Along with the reports of contemporary security incidents and vulnerabilities, standards and reports aimed specifically at IACS security can be found via simple searches for the same. In the United States, one will find standards available from the International Society for Automation (ISA), alongside government-sponsored publications from the Department of Commerce’s National Institute of Standards and Technology (NIST), and the Department of Homeland Security (DHS) [3-5]. Likewise the leading automation
vendors in Europe and North America, Siemens [6] and Rockwell [7], reference the preceding sources. As these sources formed the core of search results, are not specific to a certain sector, and are largely available online, they formed the basis for the research at hand.

2.1 ISA

With members from diverse corporate, government and academic entities (including Rockwell, Siemens and NIST), the ISA 99 committee’s latest publication is ANSI/ISA-99.02.01-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program [3], henceforth referred to as ISA 99-2009. In his overview of the International Electrotechnical Commission (IEC) approach to industrial security, Naedele points out that ISA standards “are also used as best practices internationally” [19]. In fact, the ISA 99 family of standards is being used as the basis for the IEC’s 62443 series with the same title [3].

ISA 99-2009 references ISO 17799 (now 27002, a popular IT security standard) [8] extensively, and at times roughly follows its outline. ISA 99-2009 is divided into four clauses and two annexes. The informative portion of the standard, and by far the largest, is Annex A, which provides guidance for developing the elements of a cyber security management system (CSMS) [3].

ISA 99-2009 is actually the third in a series that is continuing. The two previous documents are:

- ANSI/ISA-99.00.01-2007, Terminology, Concepts, and Models (part one of the series).
- ANSI/ISA-TR99.00.01-2007, Security Technologies for Industrial Automation and Control Systems (a technical report). [3]

The three ISA 99 publications are each available for purchase and are all made available online, for viewing only, to members [9].

2.2 NIST

Special Publication (SP) 800-82, Guide to Industrial Control Systems Security, published in June 2011, is available free via download from NIST. The document is divided into six sections:
- Introduction
- Overview of Industrial Control Systems
- ICS Characteristics, Threats and Vulnerabilities
- ICS Security Program Development and Deployment
- Network Architecture
- ICS Security Controls [4]

In addition, there are six appendices, including Appendix C, Current Activities in Industrial Control System Security, which contains an extensive list of organizations, references, standards, etc., involved in industrial control systems security [4].

2.3 DHS

Another recent free publication, from the United States Department of Homeland Security (DHS) Control Systems Security Program (CSSP), is the May 2011 report, Common Cybersecurity Vulnerabilities in Industrial Control Systems. The report is broken into four parts:

- Introduction
- Vulnerability Information Sources
- Understanding Common Industrial Control System (ICS) Vulnerabilities
- ICS Security Recommendations [5]

The report draws from the experiences of the DHS CSSP [12], which performs assessments of ICS, and from self-assessments via their free software tool, the Cyber Security Evaluation Tool (CSET) [5]. The reports on vulnerabilities are divided between assessments of ICS software and systems. Likewise, the recommendations are divided among vendors and ICS system owners [5].

3 Implementation

While one might be inclined to attempt to utilize the preceding publicly available documents as standards for developing an industrial cyber security program, the only one presented as such is ISA 99-2009. NIST SP 800-82 is described as a guidance document, and the DHS publication as a report. While a complete standard, it becomes apparent as one works through ISA 99-2009 that it is not meant to serve as an exhaustive guide. However, free resources can serve
functions well where needed, or where the ISA document may fall short. Likewise, references are made between the publications [3-5].

What is likewise evident is that the recommendations given are meant for an inter-disciplinary/inter-departmental approach within the target organizations. While the aforementioned IT knowledge/skills gap in automation is possibly being addressed by technicians seeking further education/certification opportunities, or engineers graduating from modern programs where computer/digital communications knowledge is inseparable from electrical engineering, the proliferation of IT security guidance aimed at industry has not produced methods by which automation departments can fix their security issues by themselves.

3.1 Guidance interaction

Both SP 800-82 and ISA 99-2009 begin the process of implementing a cyber security program with the development of a compelling business case for doing so. ISA 99-2009 documents were used as a reference for development of the corresponding section in SP 800-82, as well as other sections. However, the NIST document has the added clarity of referring to its own section three, ICS Characteristics, Threats and Vulnerabilities, when discussing detailed sources of threats and vulnerabilities to be used in the business case [3,4]. If the sources listed at the end of the ISA 99-2009 section are meant to provide further details of the same, they appear to be no longer available, or at least not readily retrievable [10].

Following the section on developing a business rationale, SP 800-82 gives a brief overview of the remaining elements in system development and refers to ISA 99-2009 for details. ISA 99-2009 continues the process by requiring both a high-level and a detailed risk assessment [3,4].

Issues noted in the business rationale drive the high-level risk assessment. Though no specific methodology is prescribed, a general description of the components desired is given. Unfortunately, the tool referenced for choosing a methodology is one of the aforementioned elusive documents. However, a freely available NIST document on risk assessment, SP 800-30, is listed in the references at the end of the section [3]. The general descriptions/recommendations for risk assessment steps given in the ISA standard tend to resemble the NIST document as well [3, 11].
The previously mentioned section on threats and vulnerabilities in NIST SP 800-82, and the system vulnerabilities portion of the DHS publication, can be utilized for the enumeration of threats and vulnerabilities during the risk assessments required by ISA 99-2009 [4,5]. Likewise, the free DHS CSET software tool includes a drag-and-drop drawing program specifically tailored for control systems that can be used to generate the simple network diagrams called for in the detailed risk assessment [3, 12].

The output from the detailed assessment is used to assign ratings to devices within systems, and subsequently to assign target security levels for zones containing the equipment/systems. The zones need to be added to the diagrams produced earlier. The DHS CSET drawing tool has this capability available as well [3,12].

Various NIST publications are referenced throughout the remainder of ISA 99-2009, from business continuity planning and incident response planning to conformance reviews [3].

3.2 Departmental interaction

SP 800-82 calls for control system security programs that are “consistent with and integrated with existing IT security experience, programs, and practices, but...tailored to the specific requirements and characteristics of industrial control systems technologies and environments” [4]. It further states that “while control engineers will play a large role in securing the [control system], they will not be able to do so without collaboration and support from both the IT department and management” [4]. ISA 99-2009 states, when addressing the cross-functional team that will put the program into action once management has approved the endeavor, that the “goal is to develop a cost-effective cyber security management system that...will...leverage existing business processes and organizations rather than create a whole new organization” [3]. This team is called upon as well in the steps for organizing for the security program and defining the scope of the same. The subsequent training and education, business continuity planning, and policy generation sections likewise prescribe the utilization of existing organizational frameworks [3].

This overriding theme, though far from the do-it-yourself direction that controls personnel may initially approach this endeavor from, will become a
welcome one as the scope, depth, and apparent complexity of some of the elements become evident. It is easy to see where having someone familiar with risk assessment available to help identify the general point in the process where the high-level assessment ends and the detailed begins would be of no small consequence. Likewise, Dzung et al. point out that a system not grounded in policy and based upon appropriate, local assessments is probably fraught with “effort...wasted on securing system aspects that do not need protection from the business point of view” [18].

Fortunately, the guidance given is an across-the-board utilization of existing resources and structures that, if absent in an organization, may make concerns about cyber security for IACS moot. Holstein and Stouffer see the ISA 99 committee’s approach to the standard as a “bold” endeavor: “Rather than develop a stove-pipe framework for Industrial Automation Control Systems, they built the framework as an extension of the enterprise Information Security (IS) security policy and procedures” [17].

If an approach is taken to attack the issue piecemeal, the aforementioned dearth of IT knowledge and skills makes the endeavor questionable. Along these lines is the recurring subject of network segmentation, found in DHS, NIST and ISA documents alike [3-5]. In the risk management portion of ISA 99-2009, reference is made to the zone and conduit models of network segmentation outlined in the 2007 ISA 99 technical report. The prescription is for barrier devices, such as firewalls, routers, or layer-three switches, to act as restrictive conduits between zones [3]. The ISA 99-2009 demands for segmentation run from a firewall to manage communication between the control zone and the business zone, for medium to high-level risk systems, to the use of a demilitarized zone (DMZ) to reduce or eliminate communications directly between the zones for high-level risk systems [3]. SP 800-82 ties the progression from firewall to DMZ to the increasing relative overall effectiveness of the solutions [4].

Answers to the issue of skills needed to implement these barriers effectively range from automation vendors who have partnered with traditional IT equipment vendors (therefore providing a familiar equipment platform for IT personnel to assist with) [13], to third party vendors offering barrier devices aimed at being programmable by controls personnel [14]. Both of these solutions
claim to satisfy the ISA zone and conduit model [15, 16]. Yet any independence offered by the latter solution is tempered by the ISA 99-2009 requirement that a risk assessment be conducted to define the zones beforehand [3], bringing the focus back to the tasks that will likely require the most inter-disciplinary resources and cooperation regardless.

4 Conclusions

The proliferation of policies and guidance aimed at IACS security has not created a situation in which IACS security issues can be fixed by IACS personnel alone, nor can they be fixed without them. Implementing a standards-based, comprehensive controls security program, at its core, requires the acquisition of new knowledge by controls personnel, obtained from different guidance sources. Yet much of the knowledge gained is in the form of guidelines that others in the organization will be needed to assist in executing.

Though the IT and security issues between departments may be largely common, the environment, priorities, and attached equipment are not. The security/policy/IT knowledge that the IT department brings to the equation will be as indispensable as the automation/equipment knowledge brought by automation.

5 Afterword

The preceding discussion began with an enumeration of a few of the issues readily obvious to departments engaged in the maintenance of IACS, which would illuminate the need for IT security policy for the same. While the thrust of this paper has been an investigation of the means by which emerging standards can be employed in IACS security, it is instructive to list the portions of ISA 99-2009 that would actually address the aforementioned issues. As previously stated, the standard is divided into three main categories:

- Risk analysis
- Addressing risk with the CSMS
- Monitoring and improving the CSMS

The issues cited before are all addressed, as would be expected, in the second category. The category is likewise divided into three groups of elements:

1. Security policy, organization, and awareness
2. Selected security countermeasures
3. Implementation [3]

5.1 Policy

The issue of the lack of usage policy is addressed in the first element group, by the element Security Policy and Procedures. As the thrust is largely one of utilizing existing IT policy frameworks [3], the same policies can easily be applied to the IT equipment in the automation department. This is an area where the next issue, user access, as well as the tenet of least privilege, likewise comes into play.

5.2 User Access

The issue of poor or non-existent planning for user access frameworks is addressed in the second element group, Selected Security Countermeasures. Three of the seven elements in the group are concerned with access control:

- Account administration
- Authentication
- Authorization [3]

The issue of operators, maintenance and administrators requiring different levels of access is of course easily addressed by the element of Account administration policies. One of the aspects probably not considered by most automation departments, yet addressed in this section, is that of the administration of accounts with regard to departing automation personnel.

5.3 Network segmentation

Internet/remote network access at the plant floor is also an element of the selected countermeasures group. It is addressed by the element of Network Segmentation. The principle of least privilege drives the communications allowed between zones via the conduits [3].

5.4 Patch Management

The issue of poorly executed or non-existent patch application is covered in the third element group, Implementation, by the Risk management and implementation element [3]. The determination to patch or not is determined by a combination of the consideration of the security level needs of the equipment/zone and vendor testing and approval of the patches [3].
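As an added example (not code from the paper, ISA 99-2009 or SP 800-82), the following Python models the zone and conduit segmentation and least-privilege conduit rules discussed in the Departmental interaction and Network segmentation sections above: it checks a set of zones and conduits for the firewall-or-DMZ requirement that scales with zone risk, and checks firewall log lines against each conduit's allow list. The zone names, risk levels, conduit set and log line format are constructed assumptions.

```python
"""Zone/conduit policy checker.

Added example, not from the paper, ISA 99-2009 or SP 800-82. It encodes the
segmentation progression those documents prescribe, as summarised above:
a barrier device between control and business zones at medium risk, a DMZ
with no direct control<->business conduit at high risk, and least-privilege
conduits that pass only explicitly allowed flows. Zone names, risk levels,
conduits and the log format are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

RISK_RANK = {"low": 0, "medium": 1, "high": 2}
Flow = Tuple[str, str, str, int]  # (src_zone, dst_zone, proto, dport)


@dataclass
class Zone:
    name: str
    kind: str   # "control", "business" or "dmz"
    risk: str   # target security level from the detailed risk assessment


@dataclass
class Conduit:
    src: str
    dst: str
    barrier: Optional[str] = None   # "firewall", "router", ...; None = flat link
    allowed: Set[Tuple[str, int]] = field(default_factory=set)  # (proto, dport)


def check_architecture(zones: List[Zone], conduits: List[Conduit]) -> List[str]:
    """Flag control<->business conduits whose barrier is too weak for the zone risk."""
    by_name = {z.name: z for z in zones}
    findings = []
    for c in conduits:
        a, b = by_name[c.src], by_name[c.dst]
        if {a.kind, b.kind} != {"control", "business"}:
            continue   # conduits to/from the DMZ are the intended path
        risk = max(RISK_RANK[a.risk], RISK_RANK[b.risk])
        if risk >= RISK_RANK["high"]:
            findings.append(f"{c.src}->{c.dst}: high risk, route via a DMZ instead of a direct conduit")
        elif risk >= RISK_RANK["medium"] and c.barrier is None:
            findings.append(f"{c.src}->{c.dst}: medium risk, a barrier device is required")
    return findings


LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def parse_flow_log(lines: List[str]) -> List[Flow]:
    """Parse constructed firewall log lines into (src_zone, dst_zone, proto, dport)."""
    flows = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            flows.append((m[1], m[2], m[3], int(m[4])))
    return flows


def check_flows(conduits: List[Conduit], flows: List[Flow]) -> List[Flow]:
    """Least privilege: a flow with no conduit, or not on its conduit's allow list, is a finding."""
    allow = {(c.src, c.dst): c.allowed for c in conduits}
    return [f for f in flows if (f[2], f[3]) not in allow.get((f[0], f[1]), set())]


def demo() -> Tuple[List[str], List[Flow]]:
    """Run both checks over constructed zones, conduits and log lines."""
    zones = [Zone("cell-1", "control", "high"), Zone("cell-2", "control", "medium"),
             Zone("cell-3", "control", "low"), Zone("plant-dmz", "dmz", "medium"),
             Zone("enterprise", "business", "low")]
    conduits = [
        Conduit("cell-1", "plant-dmz", "firewall", {("tcp", 502)}),   # historian pull via DMZ
        Conduit("plant-dmz", "enterprise", "firewall", {("tcp", 443)}),
        Conduit("cell-1", "enterprise", "firewall", {("tcp", 1433)}),  # direct link: high risk
        Conduit("cell-2", "enterprise"),                               # flat link: medium risk
        Conduit("cell-3", "enterprise", "router"),                     # low risk, nothing allowed
    ]
    log = [  # constructed sample log lines
        "2011-07-01 10:00:01 src=cell-1 dst=plant-dmz proto=tcp dport=502 action=accept",
        "2011-07-01 10:00:02 src=plant-dmz dst=enterprise proto=tcp dport=443 action=accept",
        "2011-07-01 10:00:03 src=enterprise dst=cell-1 proto=tcp dport=3389 action=accept",
        "2011-07-01 10:00:04 src=cell-3 dst=enterprise proto=udp dport=161 action=accept",
    ]
    return check_architecture(zones, conduits), check_flows(conduits, parse_flow_log(log))


if __name__ == "__main__":
    arch, flows = demo()
    for finding in arch + [f"unexpected flow {f}" for f in flows]:
        print(finding)
```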
References

1. Welch, J.L.: Information technology curriculum and practical opportunities in automation. In: Proceedings of the 2010 ACM Conference on Information Technology Education (SIGITE ’10). ACM, New York, NY, USA, 85-88. DOI=10.1145/1867651.1867674
2. CNBC.com: CNBC Presents “Code Wars: America’s Cyber Threat”. http://www.cnbc.com/id/43008973/CNBC_PRESENTS_CODE_WARS_AMERICA_S_CYBER_THREAT (2011). Accessed 13 July 2011.
3. International Society for Automation: ANSI/ISA-99.02.01-2009 Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program. ISA, Research Triangle (2009).
4. U.S. Department of Commerce, National Institute of Standards and Technology: Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security. NIST, Gaithersburg (2011).
5. U.S. Department of Homeland Security (DHS), National Cyber Security Division, Control Systems Security Program: Common Cybersecurity Vulnerabilities in Industrial Control Systems. U.S. DHS (2011).
6. Siemens: Process Automation Security. http://www.sea.siemens.com/us/Products/Process-Automation/safetyandsecurity/industrialsecurity/Pages/Process-Automation-SafetyandSecurity_Security.aspx (n.d.). Accessed 5 July 2011.
7. Rockwell Automation: Security Solutions. http://www.rockwellautomation.com/solutions/security/ (n.d.). Accessed 5 July 2011.
8. Whitman, M.E., Mattord, H.J.: Management of Information Security, Third Edition. Course Technology, Boston (2010). p. 225.
9. International Society for Automation: Standards ISA. http://www.isa.org/Template.cfm?Section=Standards2&Template=/customsource/isa/Standards/AutomationStandards.cfm#accessing (n.d.). Accessed 12 July 2011.
10. American Chemistry Council, Chemical Information Technology Center: CHEMITC. http://chemitc.americanchemistry.com/ (n.d.). Accessed 11 July 2011.
11. U.S. Department of Commerce, National Institute of Standards and Technology: Special Publication 800-30, Risk Management Guide for Information Technology Systems. NIST, Gaithersburg (2011).
12. U.S. Department of Homeland Security (DHS), National Cyber Security Division, Control Systems Security Program: CSET3_Assessment_Fact_Sheet. http://www.us-cert.gov/control_systems/pdf/CSET3_Assessment_Fact_Sheet.pdf (n.d.). Accessed 29 June 2011.
13. Cisco.com: cisco-rockwell_automation. http://www.cisco.com/web/strategy/manufacturing/cisco-rockwell_automation.html (n.d.). Accessed 7 July 2011.
14. Tofino Security: Security for SCADA and industrial automation control systems. http://www.tofinosecurity.com/ (n.d.). Accessed 26 June 2011.
15. Cisco: Converged Plantwide Ethernet (CPwE) Design and Implementation Guide. http://www.cisco.com/en/US/docs/solutions/Verticals/CPwE/CPwE_DIG.pdf (2011). Accessed 14 June 2011.
16. Tofino Security: ansi-isa-99. http://www.tofinosecurity.com/why/ansi-isa-99 (n.d.). Accessed 12 July 2011.
17. Holstein, D., Stouffer, K.: Trust but Verify Critical Infrastructure Cyber Security Solutions. In: Proceedings of the 43rd Hawaii International Conference on System Sciences (2010).
18. Dzung, D., Naedele, M., Von Hoff, T., Crevatin, M.: Security for Industrial Automation Systems. In: Proceedings of the IEEE, Vol. 93, No. 6, June 2005.
19. Naedele, M.: Standardizing Industrial IT Security – A First Look at the IEC Approach. In: 10th IEEE Conference on Emerging Technologies and Factory Automation (2005).