Applying ISO 27001 in an industrial control environment
Riemer Brouwer – Head IT Security, ADCO
Doha, February 2014
A basic IT security principle is to follow a risk-based approach
…yet SCADA systems are often overlooked, despite their huge significance
Corporate IT
SCADA Systems
“Somehow risk assessment for SCADA went terribly wrong: Pantries are often better protected than control rooms”
IT Security out of balance
SCADA systems are used to control complex industries such as utility plants (water, electricity), oil & gas refineries etc.
As a result, SCADA systems usually seem highly complex, and understanding them takes time and effort
Yet… SCADA systems are actually quite basic in nature
Figure: continuous control loop (above 23.0: start cooling; below 22.0: start heating)
Industrial control systems have a few core elements that are critical to cybersecurity
• Sensors: in this case the thermometer
• Actuators: in this case the ventilator
• The network, connecting the sensors with the actuators
• Main Control Server, monitoring the sensors and controlling the actuators
• Set points: upper and lower limits that initiate action
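The control loop described above, as an added example that is not part of the original presentation: one pass of the main control server's decision using the slide's 22.0/23.0 set points, with a guard that rejects set-point changes outside engineering limits and records every attempt. The limit values, the minimum band and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed engineering limits for this constructed example (not from the slides).
ENG_MIN, ENG_MAX = 15.0, 30.0   # widest range the set points may ever take
MIN_BAND = 0.5                  # smallest allowed gap between the two set points

@dataclass(frozen=True)
class SetPoints:
    lower: float = 22.0   # below this: start heating (value from the slide)
    upper: float = 23.0   # above this: start cooling (value from the slide)

def validate(sp: SetPoints) -> list[str]:
    """Return the reasons a proposed set-point pair must be rejected."""
    problems = []
    for name, value in (("lower", sp.lower), ("upper", sp.upper)):
        if not ENG_MIN <= value <= ENG_MAX:   # a NaN value also fails this test
            problems.append(f"{name}={value} outside {ENG_MIN}..{ENG_MAX}")
    if sp.upper - sp.lower < MIN_BAND:
        problems.append("band too narrow or inverted")
    return problems

def decide(temp: float, sp: SetPoints) -> str:
    """One pass of the continuous loop: sensor reading in, actuator command out."""
    if temp > sp.upper:
        return "START_COOLING"
    if temp < sp.lower:
        return "START_HEATING"
    return "HOLD"

def apply_change(current: SetPoints, proposed: SetPoints, audit: list) -> SetPoints:
    """Accept a set-point change only if it validates; record every attempt."""
    problems = validate(proposed)
    audit.append({"proposed": proposed, "accepted": not problems, "why": problems})
    return current if problems else proposed

def demo():
    audit, sp = [], SetPoints()
    # Constructed change requests: one sane, one outside the engineering limits.
    sp = apply_change(sp, SetPoints(21.5, 23.5), audit)
    sp = apply_change(sp, SetPoints(21.5, 95.0), audit)
    readings = [21.0, 22.4, 24.1]   # constructed sensor values
    return sp, [decide(t, sp) for t in readings], audit

if __name__ == "__main__":
    print(demo())
```

The rejected request leaves the active set points unchanged, and the audit list keeps both attempts for later review.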
Some “reasons” for ignoring the IT security aspects of control systems are the result of fundamental misconceptions
Misconception: “The SCADA system resides on a physically separate, standalone network.”
1. FALSE!
• In reality, SCADA networks and corporate IT systems are often bridged through remote access which allows engineers to monitor and control the system from points on the corporate network. Also, many utilities have added connections to allow corporate decision makers to obtain instant access to critical data about the status of their operational systems.
Misconception: “Connections between SCADA systems and other corporate networks are protected by strong access controls.”
2. FALSE!
• Many of the interconnections between corporate networks and SCADA systems require the integration of systems with different communications standards. The complexity of integrating disparate systems often creates security risks that are not taken into account.
Misconception: “SCADA systems require specialized knowledge, making them difficult for network intruders to access and control.”
3. FALSE!
• The above misconception assumes that all attackers of a SCADA system lack the ability to access information about their design and implementation. These assumptions are inappropriate given the changing nature of process system vulnerabilities in an interconnected environment. Also, most SCADA system providers publish their training on the internet, making it accessible to the general public.
The most important reason for ignoring IT security in control systems is the impression that “hackers don’t care about us”
FALSE!
Target Attractiveness: Examples of Recent Attacks
• Gauss (2012): One of the most sophisticated pieces of malware yet designed to monitor bank account information and the money flow for various Middle Eastern banks.
• Shamoon (2012): Saudi Aramco, the world’s largest oil producer, was targeted by hackers for the government’s supposed support of “oppressive measures” in the Middle East.
• Flame / FinSpy (2012): Highly advanced spyware kits mostly found in the Middle East that can intercept and record communications.
• Mahdi (2012): Trojan espionage attack designed to target Middle Eastern critical infrastructure firms, engineering students, financial services firms, and government embassies.
Source: Booz Allen Hamilton
ISO27001 provides an excellent framework to implement IT security controls and a risk management program
Figure: Areas covered by ISO27001/2
• Information System Acquisition, Development and Maintenance
• Communications and Operations Mgmt.
• Business Continuity Mgmt.
• Human Resources Security
• Physical and Environmental Security
• Compliance
• Security Policy
• Organization of Information Security
• Asset Management
• Access Control
• Information Security Incident Management
Nature of controls: Operations, Management, Organizational, Technical, Physical
Grouping resulted in 18 policies
ISMS Policy 000
Acceptable Use Policy 001
Antivirus Policy 002
Network Security Policy 003
Asset Management and Classification Policy 004
Personnel Security Policy 005
Physical and Environmental Security Policy 006
IT Operations Management Policy 007
Security Incident Handling Policy 008
Access Control Policy 009
Systems Development and Maintenance Policy 010
Business Continuity Management Policy 011
Compliance Monitoring Policy 012
Security Testing and Auditing Policy 013
Encryption Policy 014
Security Patch Management Policy 015
Third Party Policy 016
Wireless Policy 017
But…but…but… isn’t ISO27001 for corporate IT only?!
ISO27001’s core objectives are to:
• Understand organization’s information security requirements
• Implement and operate controls to manage risk
• Monitor and review
• Continuous improvement
Applicable to SCADA?
In addition, using a well-renowned framework facilitates communication with senior management
ISO27001 are not best practices, they are minimum practices
Metrics to provide insight into current security posture
SCADA environments present their own unique challenges to implementing IT security measures
• SCADA systems usually not under control of IT: Liaise with Engineering team in charge of SCADA systems
• SCADA systems are “always on”: Include IT security updates in maintenance windows
• SCADA systems were never built with security in mind: Identify work-around solutions to mitigate the risks
• SCADA systems can be in remote areas: Physical security controls deserve full attention from IT security
• SCADA systems are not always well-documented and studied: Build partnership with vendors to obtain relevant information
Key to a successful SCADA Security program is collaboration between all stakeholders within IT and related departments
IT Security Team
• Establish and lead procedure development team
• Invite ad-hoc specialists depending on the procedure
• Responsible for effective review mechanism
Engineering / Vendors
• Provide in-depth knowledge on IT systems and processes
• Must be able to evaluate feasibility of proposed security procedures
Operators
• Ultimately responsible for following IT security policies
• Essential to have security-minded contributors
Internal Audit
• Responsible for IT security compliance review
• Provide input on enforceability of suggested procedures
HR/Legal/Others
• Other departments must be involved depending on topic
• Main task is to ensure IT security procedures are aligned with policies/procedures
In summary, an ISO27001 based SCADA security program leverages existing skills and technologies, supplemented with tailored considerations
ISO 27001 – ISA 99 Roadmap
Start
Towards a secure future
Obtain support from senior management
Co-develop procedures with in-house SCADA staff
Provide awareness training to SCADA staff and others
Become integrated part of security operations
Tailor corporate IT security policies
Develop procedures / Risk Management process
Implement Policies & procedures
Key to success is ensuring policies and procedures are realistic and doable
Risk Management framework must be tailored, e.g., access rights and backup will most likely differ
SCADA Security Roadmap to Success
Thank you