dupont's practices and expectations - tom good

Post on 03-Jun-2015


ISA - The Instrumentation, Systems, and Automation Society
ISA 2002, Panel on Control Systems Security, October 21, 2002

Process Control Network Security Activities in DuPont

Tom Good, DuPont Engineering

Topics Covered

• Grounding - Process Control Systems
• PCN Security - History of DuPont activities
• Security policies for process control
• PCN security mitigation program
• Key learnings
• Concern with product direction

What is a process control system?

The set of devices that directly control the manufacturing processes. They typically include:

• DCS (Distributed Control Systems) - continuous manufacturing
• PLC (Programmable Logic Controllers) - discrete manufacturing
• SCADA (Supervisory Control and Data Acquisition System)
• Hybrid systems

Within DuPont this also covers:

• Online analyzers
• Online thickness gauging systems
• Identification and tracking systems
• etc.

What is a Process Control Network in DuPont?

Process Control Network (PCN): the PCN is a proprietary network that acts as the communication link between the operator consoles and the control devices like DCS controllers and PLCs.

It is also the Ethernet network that links all critical manufacturing computer systems and devices.

Architecture of the 80's and early 90's

(Figure: process controllers, operator consoles, an operator control station and an application server on a proprietary control network, marked secure; modem connections into it marked not secure.)

Changing Technology

Evolution of Technology (then -> now):

Operating Systems: Proprietary -> Open
Data Communication: Proprietary -> Standard Protocols
Information Flow: Segmented -> Integrated
Computing Solutions: Monolithic -> Modular
Architecture: Closed -> Open

Architecture of the late 90's and present day

(Figure: process controllers on a proprietary control network; operator control station PCs, application server PCs and an OPC server (PC) on a process control Ethernet LAN, marked secure. The process control LAN joins the site Ethernet LAN of desktop PCs through Ethernet switches and a firewall; modem connections are marked not secure.)

(Second figure: the same layout, with the site Ethernet LAN also connected through a router to the Internet and through a firewall to the DuPont WAN, each with modem access.)


History of PCN Security Initiative in DuPont

Ground up activity

Jan 00 - Formed work group to study PCN Security

Nov 00 - Published guidance document

DuPont Realization

Lack of cyber security is a threat to our manufacturing assets:

• Threat to safety both on and off-site
• Threat to continuity of production
• Threat to production equipment
• Threat of adverse public opinion: the community can withdraw its sanction for the company to operate.

Technology exists to significantly reduce the vulnerabilities of our PCNs.


History of PCN Security Initiative in DuPont

Ground up activity:

• Jan 00 - Formed work group to study PCN Security
• Nov 00 - Published guidance document
• Aug 01 - Obtained support from IT Org.

Top down support from CIO:

• Oct 01 - Mandatory security policy
• Nov 01 - Obtained corporate funds to address PCN security at all locations


PCN Security Policy (Highlights)

• All high and medium risk PCNs must be firewalled or disconnected from any external network (LAN, WAN, Internet).
• High risk PCNs secured by 12/31/02.
• Access to PCN requires 2 factor authentication.
• Participate in corporate firewall program:
  • Standard firewall with standard configuration policy
  • Centralized firewall monitoring
  • Centralized backup for disaster recovery

Existing Security Controls

E-Pass = Two Factor Authentication (RSA)

Security Weaknesses

• Over 500 entrances into Intranet perimeter
• Lack of a workable authentication and authorization mechanism for control room operation at operator consoles
• Weak Windows application authorization

New Perimeter Based Security Controls

E-Pass = Two Factor Authentication (RSA)

Security Strengths (between Intranet and PCN perimeter)

• Secure authentication
• Destination authorization

Security Weaknesses

• Lack of a workable authentication and authorization mechanism for control room operation at operator consoles
• Weak Windows application authorization


Security Project Activities

Front-End Loading
• Inventory and characterize each PCN
• Develop PCN network diagram
• Conduct a risk analysis of vulnerabilities

Design
• Consider alternative security measures

Implement
• Adopt appropriate security practices to comply with security policy

Characterized PCN in spreadsheet (portion shown)

Header fields: SBU, Business, Site, Operating Unit, Site IT Contact, Phone #, Site Process Control Contact, Phone #, CS Contact, Phone #, Last Updated

PLEASE ANSWER THE FOLLOWING QUESTIONS:
• Are process control systems currently interfaced to site or corporate LANs?
• Are process control systems remotely accessed from outside the process control domain?

IF THE ANSWER TO EITHER OF THE ABOVE QUESTIONS IS YES PLEASE COMPLETE THE REMAINDER OF THIS FORM.

Process Control Domain:
• Total number of IP addressable nodes
• Number of IP addressable nodes to be accessed from outside process control domain
• Number of concurrent users inside process control domain
• Number of concurrent users inside process control domain requiring access to external resources
• Number of total users outside process control domain requiring access to process control resources
• Number of concurrent users outside process control domain requiring access to process control resources
• IP addressing (check all that apply): DHCP / Static
• Control platforms

Develop Logical PCN Block Diagram

(Figure: example diagram for "Site xyz", a Honeywell TDC3000 system: an Advanced Process Manager and a redundant High Performance Process Manager on the Honeywell UCN, NIMs bridging to the Honeywell LCN, Honeywell Universal Station #1 and Universal Stations 2-3, a Honeywell GUS (Win2K Professional), a redundant FHRS1 resource domain controller (WinNT Server), user site workstations (Win2K Professional and Win95/98) on the plant Ethernet LAN, and a Cisco router to the DuPont Intranet Ethernet WAN.)

Risk Assessment

Probability:
A = Very likely
B = Likely
C = Not likely
D = Remote chance

Criticality:
1 = Severe impact
2 = Major impact
3 = Minor impact
4 = No impact

Threat probability by network segment:
Internet, Wireless, Direct Dial-in: A = Very likely
Intranet, Secure Dial-in: B = Likely
Integrated PCN: C = Not likely
Isolated PCN: D = Remote chance

Impact categories:

Category | 1 = Severe impact | 2 = Major impact | 3 = Minor impact | 4 = No impact
Injury | Loss of life or limb | Requiring hospitalization | Cuts, bruises, requiring first aid | None
Financial loss | Millions | $100,000s | $1000s | None
Environmental release | Permanent damage / off-site damage | Lasting damage / on-site damage | Temporary damage / local damage | None
Interruption of production | Weeks | Days | Hours | None
Public image | Permanent damage | Lasting blemish | Temporary tarnish | None

Key Learning - Involve all stakeholders to build consensus on vulnerability.

Identified Assets

Data Assets

The threat is the theft, corruption, or falsification of the following data:

Asset | Probability | Criticality
Production schedule | B | 3
Production summary data (rates, yields) | B | 2
Process variables | B | 3
Product quality, raw material and shipment information | A | 3
Tuning data/set points | C | 4
Product recipes and formularies | B | 2
Standard operating conditions (SOC) | B | 3
Area operating procedures (AOP) | C | 4
Historical process data | B | 3

Application & Device Assets

The threat is the corruption, denial of service, or destruction of the following PCN applications/devices:

Asset | Probability | Criticality
Operator control station | B | 2
Engineering workstation | B | 2
PM&C | B | 3
Process controller | D | 2
External applications gateway | B | 3
Control room printer | B | 4

Mitigation Strategies

Data Assets (rows: probability; columns: criticality; an empty cell means no control is required)

Probability | 1 Severe | 2 Major | 3 Minor | 4 None
A - Very Likely | Encryption required | Encryption required | Encryption required (to Intranet perimeter) | Encryption required (to Intranet perimeter)
B - Likely | Encryption required | Encryption required | |
C - Not Likely | Encryption required | | |
D - Remote Chance | | | |

PCN Application/Device Assets (rows: probability; columns: criticality)

Probability | 1 Severe | 2 Major | 3 Minor | 4 None
A - Very Likely | Firewall required | Firewall required | Firewall required |
B - Likely | Firewall required | Firewall required | Firewall required |
C - Not Likely | Firewall required | Firewall required | Firewall required |
D - Remote Chance | | | |

Key Learning - Involve all stakeholders to build consensus on mitigation plan.
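As an added example (not code from the DuPont deck), the following Python models the risk-assessment scoring and the two mitigation matrices above, mapping each identified asset to the control the matrix mandates; the network segments in the sample inventory are assumed for illustration.

```python
# Added example (not the deck's own code): the probability/criticality
# risk matrix above and the mitigation lookups it drives; an empty matrix
# cell means no control is mandated for that combination.
from dataclasses import dataclass

# Threat probability by most exposed network segment (Risk Assessment slide).
SEGMENT_PROBABILITY = {
    "internet": "A", "wireless": "A", "direct dial-in": "A",
    "intranet": "B", "secure dial-in": "B",
    "integrated pcn": "C", "isolated pcn": "D",
}

# Mitigation matrices: (probability, criticality 1..4) -> required control.
DATA_MITIGATION = {
    ("A", 1): "Encryption required", ("A", 2): "Encryption required",
    ("A", 3): "Encryption required (to Intranet perimeter)",
    ("A", 4): "Encryption required (to Intranet perimeter)",
    ("B", 1): "Encryption required", ("B", 2): "Encryption required",
    ("C", 1): "Encryption required",
}
DEVICE_MITIGATION = {(p, c): "Firewall required" for p in "ABC" for c in (1, 2, 3)}

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str          # "data" or "device"
    segment: str       # most exposed segment the asset can be reached from
    criticality: int   # 1 = severe impact ... 4 = no impact

def assess(asset: Asset) -> tuple:
    """Return (probability letter, required control or None) for an asset."""
    if asset.criticality not in (1, 2, 3, 4):
        raise ValueError(f"criticality must be 1-4, got {asset.criticality}")
    probability = SEGMENT_PROBABILITY[asset.segment.lower()]
    table = {"data": DATA_MITIGATION, "device": DEVICE_MITIGATION}[asset.kind]
    return probability, table.get((probability, asset.criticality))

# Constructed inventory: names and criticality follow the Identified Assets
# slide; the network segments are assumed for illustration.
INVENTORY = [
    Asset("Product quality, raw material and shipment information", "data", "Internet", 3),
    Asset("Product recipes and formularies", "data", "Intranet", 2),
    Asset("Operator control station", "device", "Intranet", 2),
    Asset("Process controller", "device", "Isolated PCN", 2),
    Asset("Control room printer", "device", "Intranet", 4),
]

def mitigation_plan(assets=INVENTORY) -> dict:
    """Map each asset name to its required control (None = nothing mandated)."""
    return {a.name: assess(a)[1] for a in assets}
```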

(Aside - DNSAM)

DuPont developed a risk analysis process to meet its internal needs for process control systems and is making it available to industry: DuPont has partnered with Rockwell Automation to offer DNSAM (DuPont Network Security Analysis Methodology) as part of Rockwell's services business.

Prioritize Implementation

Businesses set overall priorities for each PCN based upon:

• Safety
• Criticality to business

Key Learning - Availability of business-knowledgeable resources is required.

Deployment Strategy for PCN Firewalls

• Manage as one project worldwide
• Standardize on a single firewall vendor
• Use a single vendor to design, install, and commission all firewalls
• Sites manage network re-engineering
• Site ownership of the firewall
• Ongoing co-management of the firewall


Key Learnings

PCN vulnerabilities exist
• More than 300 PCNs, > 200 connected to LAN

Need management endorsement and support
• Commitment of resources and $ to mitigate vulnerabilities
• Asset owner is accountable

Project Execution
• Network analysis and re-engineering are the bottleneck for firewall deployment (typically 3-4 months)
• May require manufacturing shutdown depending upon system integration and the nature of the process

Key Learnings Cont'd

(Figure: Site Manufacturing and the IT & Security Organization, contrasting "To be Successful" with "Typical in many companies".)

Key Learnings Cont'd

• PCN firewalls are the meeting point of two different cultures and security policies.
• Co-accountability and co-responsibility for administration of PCN firewalls.
• Security is an evergreen task.
• A new cooperative team approach is needed to steer direction (Process control, IT, Security, Safety, Engineering).


Product Direction Concerns

• Web-enabled process information
  • Microsoft IIS: many vulnerabilities (not desired on PCN)
  • Full-feature web based GUIs using ActiveX controls and other scripts (difficult to protect PCN against malicious code)
• Wireless connectivity to process information
  • 802.11b based products (subject to hacker access)
• Not addressing secure authentication and authorization for control room operators
  • Must allow response to emergencies by designated operators
