![Page 1: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/1.jpg)
idae
The 7 Things Every Plant Manager Should Know About Control System
Securityy24 February 2011
![Page 2: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/2.jpg)
idae
John A Cusimano CFSE CISSPJohn A. Cusimano, CFSE, CISSP
• Director of Security Solutions for exida• 20+ years experience in industrial automation• Employment History:
• Eastman Kodak• Moore Products • Siemens
• Certifications:CFSE Certified Functional Safety Expert• CFSE, Certified Functional Safety Expert
• CISSP, Certified Information Systems Security Professional• Industry Associations:
• ISA S99 CommitteeISA S99 Committee• ISA S84 Committee• ISA Security Compliance Institute• ICSJWG Workforce Development & Vendor Subgroups
Copyright © 2010 - exida
![Page 3: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/3.jpg)
idae
• We help our clients improve the safety, security and availability of their automation systemsand availability of their automation systems
Copyright © 2010 - exida
![Page 4: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/4.jpg)
idae
AgendaAgenda
• Intro to Control System SecurityIntro to Control System Security• The 7 Things
C St d• Case Study• Summary
![Page 5: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/5.jpg)
idae
What is Control System Security?• Prevention of intentional or unintentional interference
with the proper operation of industrial automation and
What is Control System Security?
p p pcontrol systems through the use of computers, networks, operating systems, applications and other programmable configurable components of the systemprogrammable configurable components of the system
• Goes by many names:– SCADA Security– PCN Security– Industrial Automation and Control System Security– Control System Cyber Security– Industrial Network Security– Electronic Security for Industrial Automation and Control Systems
Copyright © 2010 - exida
![Page 6: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/6.jpg)
idaeControl Systems are more
• Heavy use of Commercial Off the Shelf Technology (COTS) and
yvulnerable today than ever before
• Heavy use of Commercial Off-the Shelf Technology (COTS) and protocols– Integration of technology such as MS Windows, SQL, and TCP/IP means
that process control systems are now vulnerable to the same viruses,that process control systems are now vulnerable to the same viruses, worms and trojans that affect IT systems
• Increased Connectivity– Enterprise integration (using plant, corporate and even public networks)Enterprise integration (using plant, corporate and even public networks)
means that process control systems (legacy) are now being subjected to stresses they were not designed for
• Demand for Remote Access– 24/7 access for engineering, operations or technical support means more
insecure or rogue connections to control system• Public Information
– Manuals on how to use control system are publicly available
Copyright © 2010 - exida
![Page 7: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/7.jpg)
idae Actual Incident Types
Insider53%
Outsider47%
N/A0%
Hacker
Intentional20%
Hacker
20%Network device,
software
Disgruntled employee
Unintentional80%
IT Dept, Technician
80%Insider14%
Outsider
N/A48% Outsider
38% Malware (virus, worm, trojan)
© 2011 Security Incidents Organization
![Page 8: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/8.jpg)
idae Stuxnet Summary• First malware specifically targeting
industrial control systems• First discovered in June 2010 (in• First discovered in June 2010 (in
circulation since June 2009)• Has the ability reprogram Siemens S7 PLCs• Infects Siemens SIMATIC software running on Win PCs• Uses SIMATIC software to read S7 PLC memory and
it FB ith it d (hidd )overwrite FB with its own code (hidden)• Spreads via USB memory sticks, local networks and Step
7 project files7 project files• Thousands of PC’s infected worldwide (predominantly
Iran, India and Indonesia)
© Copyright 2010 exida 8
• Approximately 22 cases reported on SIMATIC systems
![Page 9: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/9.jpg)
idae Pathways for Stuxnet Infection
Image courtesy of Byres Security Inc.
![Page 10: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/10.jpg)
idae
Stuxnet Mitigation MatrixStuxnet Mitigation Matrix
http://www.tofinosecurity.com/stuxnet-central
![Page 11: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/11.jpg)
idae
FFFTFTTFTFFF
7 things every plant manager should do to secure their facility7 things every plant manager should do to secure their facility from unwanted intrusion
![Page 12: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/12.jpg)
idae THE 7 THINGS
1. Assess Existing Systemsg y2. Document Policies & Procedures3 Train Personnel & Contractors3. Train Personnel & Contractors4. Segment the Control System Network5. Control Access to the System6. Harden the Components of the Systemy7. Monitor & Maintain System Security
© Copyright 2010 exida 12
![Page 13: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/13.jpg)
idae#1 Assess Existing Systems
• Perform control system security assessments of existing systemsg y
• Compare current control system design, architecture, policies and practices to standards & best practicesstandards & best practices
• Identify gaps and provide recommendations for closure
• Benefits:– Provides management with solid understanding of
i i d h f dcurrent situation, gaps and path forward– Helps identify and prioritize investments
First step in developing a security management– First step in developing a security management program
© Copyright 2010 exida 13
![Page 14: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/14.jpg)
idae Standards Efforts
• International Society for Automation (ISA)ISA99 I d t i l A t ti d C t l– ISA99, Industrial Automation and Control System (IACS) Security
• International Electrotechnical Commission (IEC)International Electrotechnical Commission (IEC)– IEC 62443 series of standards (equivalent to
ISA 99)• National Institute for Standards and Technology
(NIST)SP800 82 Guide to Industrial Control– SP800-82 Guide to Industrial Control Systems (ICS) Security
Copyright © 2010 - exida
![Page 15: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/15.jpg)
idaeIndustry Specific Guidancey p
• American Petroleum Institute– API Standard 1164 - SCADA Security
• American Chemistry Council’s Chemical Information Technology Council (ChemITC)™Information Technology Council (ChemITC) Chemical Sector Cyber Security Program – Guidance for Addressing Cyber Security in the Chemical
Industry Version 3 0Industry Version 3.0
• North American Electric Reliability Corporation (NERC)– Critical Infrastructure Protection (CIP) 002 – 009
• Department of Homeland SecurityChemical Facility Anti terrorism Standards (CFATS)– Chemical Facility Anti-terrorism Standards (CFATS)
– Risk-based Performance Standards (RBPS) (RBPS 8)
![Page 16: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/16.jpg)
idaeDHS Control Systems Security Programy y g
![Page 17: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/17.jpg)
idae#2 Document Policies & Procedures
• Establish control system security policies & procedurespolicies & procedures– Scope– Management Supportg pp– Roles & Responsibilities– Specific Policies
• Remote access• Portable media• Patch mgmt g• Anti-virus management• Change Management• Backup & Restore• Backup & Restore
– References© Copyright 2010 exida 17
![Page 18: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/18.jpg)
idae#3 Train Personnel & Contractors
• Make sure personnel are aware of the importance of security and companyimportance of security and company policies
• Provide role-based training – Visitors – Contractors
N hi– New hires – Operations
Maintenance– Maintenance – Engineering – ManagementManagement
© Copyright 2010 exida 18
![Page 19: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/19.jpg)
idae#4 Segment the Network
• Defense-in-Depth strategy• Partition the system into distinctPartition the system into distinct
security zones– Logical grouping of assets sharing common
security requirementsy q– There can be zones within zones, or subzones,
that provide layered security– Zones can be defined physically and/or logically
• Define security objectives and strategy for each zone– Physical– Logical
• Create secure conduits for zone-to-zone communications
– Install boundary or edge devices where communications enter or leave a zone y gto provide monitoring and control capability over which data flows are permitted or denied between particular zones.
© Copyright 2010 exida 19
![Page 20: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/20.jpg)
idae System Architecture
Copyright © 2010 - exida
![Page 21: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/21.jpg)
idae Partitioning into Zonesod
els
ause
6: M
oC
la
Copyright © 2010 -
![Page 22: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/22.jpg)
idae 6.5 Zone & Conduit Modelsde
lsus
e 6:
Mod
Cla
u
Copyright © 2009 - exida 22
![Page 23: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/23.jpg)
idaeSpecifying Zones & Conduits
Image courtesy of Byres Security
![Page 24: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/24.jpg)
idae
Honeywell Reference Architecture
Image Courtesy of Honeywell Process Control
![Page 25: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/25.jpg)
idaeEmerson Reference Architecture
![Page 26: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/26.jpg)
idae
Siemens Reference ArchitectureSiemens Reference Architecture
Image Courtesy of Siemens AG
![Page 27: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/27.jpg)
idaeDuPont Reference Architecture
DUPONTNET Manufacturing Corporate
Business Zone
DuPont Reference Architecture
DUPONTNET Resource Domain
Web.21Server(optional)
latigid Manufacturing ApplicationS
ProcessExplorer
latigidlatigid
DUPONTNET Domain Controller
DNS Server
Message BusAdaptors: SAP,EConnect)
Corporate Patch ManagementServer
PEClients
latigidlatigidlatigidlatigid
WAN
IP.21ServerPM&C
latigid latigid
PEClients
Manufacturing ApplicationServer
3 Co m
Controllers (optional)Server Clients
PCNFirewall
LAN
Operations Management Zone
EthernetSwitch
OMN
PM&C ClientsServer
ProcessExplorerClients
latigid DCS Application
Server
latigid DCS AD Domain
ControllersDCS
consoles
Switch
FBN
Field Bus Gateway
Modem Ban k
DCSControllers
3Com
Field Devices
RCN
M odem Bank
PCN
Field DevicesField Devices
Process Control Zone
SIS
Field Devices
Safety System Zone
M odem Bank
Image Courtesy of DuPont
![Page 28: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/28.jpg)
idae #5 Control Access to System
• Control and monitor access to control system resources
• Logical & Physical• AAA
Ad i i t ti– Administration– Authentication– Authorization
• Review– Who has access?
To what resources?
• Zone-by-zone•Asset-by-Asset
•Role-by-Role– To what resources?– With what privileges?– How is it enforced?
y•Person-by-Person
© Copyright 2010 exida 28
![Page 29: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/29.jpg)
idaeRole-based Access Control
C.S.EEng.
Operator
ViewOnlyOnly
![Page 30: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/30.jpg)
idae #6 Harden System Components
• Remove or disable unused i ti tcommunication ports
• Remove unnecessary applications and services
• Apply patches when and pp y pwhere possible
• Consider ‘whitelisting’ toolsConsider whitelisting tools• Use ISASecure™ certified
productsproducts
© Copyright 2010 exida 30
![Page 31: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/31.jpg)
idae
Port locking devicesPort locking devicesEthernet RJ-45
• Tamper-proof outlet lockUSB
• USB lock physically locksTamper proof outlet lock and lockable patch cord
• Protects against th i d t
USB lock physically locks and blocks the USB Ports.All d funauthorized port access
in unused outlets• Deters patch cord
• Allows secured use of an authorized USB device by capturing the device's Deters patch cord
removal• Removable only with a
p gcable and locking it into the USB port
specially designed key
Kensington USB Port LockSiemon LockIT™
![Page 32: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/32.jpg)
idae
Patch ManagementPatch Management
• Prioritized and categorize all machines into groups that define when and how they are to be patched Example:define when and how they are to be patched. Example:
• “Early Adopters” receive patches as soon as available and act as Test/Quality Assurance ymachines.
• “No Touch” machines require manual intervention and/or detailed vendor consultationand/or detailed vendor consultation.
• Establish a procedure for keeping track of new patches and level of importance to control operations. p p
![Page 33: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/33.jpg)
idae
Patch ManagementPatch Management
• When new vulnerability is announced and/or a patch fix is available conduct a PDA to evaluate the potentialis available, conduct a PDA to evaluate the potential impact on the control system
• This patch is then evaluated and prioritized for adoption p p pbased on its risk evaluation.
Reaction Plan Aggressiveness Implementation Window Level of Testing
Al h Mi i Q t l Hi hAlpha Minimum Quarterly High
Bravo Moderate By end of following week Best Effort
Zebra Maximum Within 48 hours MinimalZebra Maximum Within 48 hours Minimal
![Page 34: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/34.jpg)
idae
Application WhitelistingApplication Whitelisting
• Unlike antivirus solutions, that rely on blacklists of known , ymalware, whitelisting enforces a relatively small list of the authorized applications for each computerA t ti ll bl k ll th i d li ti• Automatically blocks all unauthorized applications including unknown malware and rogue applications installed by users.
• Minimal performance impact• Examples:
– Core Trace Bouncer– Industrial Defender HIPS
Copyright © 2010 - exida
![Page 35: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/35.jpg)
idaeStuxnet Responsep
“Addressing Stuxnet goes beyond using quality security controls The industry needs to demand higher qualitycontrols. The industry needs to demand higher quality software that is free from defects. Companies who develop products and write code need to continue to mature their development processes to become more secure.”
Mark WeatherfordVice president and Chief Security OfficerVice president and Chief Security OfficerNERC
![Page 36: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/36.jpg)
idae ISASecureEmbedded Device Security CertificationEmbedded Device Security Certification
ISA Security ComplianceISA Security Compliance Institute
Software Development Security Assurance
(SDSA)
Functional Security Assessment
(FSA) ISASecure Certification Process
Communications Robustness Testing
(CRT)
1. CRT test all accessible TCP/IP interfaces2. Perform FSA on device and all interfaces3. Audit supplier’s software development process4 Perform integrated threat analysis
Copyright © 2010 - exida
4. Perform integrated threat analysis5. Issue certification
For more information visit: www.isasecure.org
![Page 37: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/37.jpg)
idae #7 Monitor & Maintain
• Install vendor recommended anti-virus and update signaturesvirus and update signatures regularly
• Review system logs periodically• Review system logs periodically• Consider Intrusion Detection (IDS)
or Host Intrusion Prevention (HIPS)or Host Intrusion Prevention (HIPS)• Pen testing (offline only)• Periodic assessments• Periodic assessments
© Copyright 2010 exida 37
![Page 38: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/38.jpg)
idaeAnti-virus Managementg
Stuxnet is not the first malware to infect industrial control systems
© 2010 Security Incidents Organization, The Repository of Industrial Security Incidents (RISI) database
![Page 39: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/39.jpg)
idaeMalware
The intrusion of malware can result in:The intrusion of malware can result in:• Performance degradation• Loss of system availabilityLoss of system availability• The capture, modification, or deletion of data
…and since Stuxnet• Loss of control• Loss of control
![Page 40: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/40.jpg)
idaeMitigation Steps
• Ensure that virus protection and Microsoft it h t fi t d t ll d isecurity hot fixes are up to date on all nodes in
your process control network and the systems connected to itconnected to it
• Ensure that there are no email clients on any nodes of your process control networknodes of your process control network
• Use a firewall and DMZ for the business network to process control network interfaceto process control network interface
![Page 41: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/41.jpg)
idae THE 7 THINGS
1. Assess Existing Systemsg y2. Document Policies & Procedures3 Train Personnel & Contractors3. Train Personnel & Contractors4. Segment the Control System Network5. Control Access to the System6. Harden the Components of the Systemy7. Monitor & Maintain System Security
© Copyright 2010 exida 41
![Page 42: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/42.jpg)
idae
DCS Vi I f tiDCS Virus Infection, Investigation andInvestigation and
ResponsepA Case Studyy
![Page 43: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/43.jpg)
idae Incident
• December 2009December 2009• Petrochemical company in South Africa• Virus (Win32/Sality) infected DCS systemVirus (Win32/Sality) infected DCS system• Two OPC servers shutdown• Operators ran plant partially blind for 8 hours• Operators ran plant partially blind for 8 hours• Engineers rebuild servers• Recovered without loss of production• Recovered without loss of production
![Page 44: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/44.jpg)
idae Scenario1.) Replaced servers and d t d t l li tupdated access control list
2. OPC servers stopped. Virus discovered.
![Page 45: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/45.jpg)
idae Win32/Sality Virus
• Discovered: April 18, 2009Discovered: April 18, 2009• A worm that spreads by infecting executable
files and copying itself to removable drivespy g• Deletes files with .vdb, .avc and .key in the
filename and also files listed under certain registry subkeys
• Ends processes and lowers security settings by modifying the registry
![Page 46: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/46.jpg)
idae Response• Conducted a root-cause investigation• Implemented policy & procedural changesImplemented policy & procedural changes
– Configuration management policy for IT switches– 3rd party software policy
A ti i t li– Anti-virus management policy– Prohibited remote access– Portable media policy
• Hired third-party SME to perform a thorough control system security assessment– Familiar with DCS, SIS and SCADA systems– Knowledgeable of latest standards & technology– Experience in similar plantsp p– Unbiased
![Page 47: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/47.jpg)
idae The Project
• exida hired to perform control system securityexida hired to perform control system security assessment
• Aug 23 – Aug 27, 2010g g ,• Followed ANSI/ISA 99.02.01
![Page 48: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/48.jpg)
idae Assessment Process1. Understand and scope the system under assessment 2 Develop a clear understanding of the network2. Develop a clear understanding of the network
architecture and all traffic flows 3. Develop an inventory of all networked control devices
within the boundary of the system4. Perform device level assessment5 Interview key employees involved in operations and5. Interview key employees involved in operations and
security of the control networks and equipment6. Analyze collected data and compare with corporate y p p
standards and industry best practices to identify gaps7. Recommend solutions to close identified gaps
![Page 49: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/49.jpg)
idae Results• For each item in ISA
99 02 0199.02.01– Requirements– Importance to effective p
security– Industry best practices– Observations– Recommendations
48 d ti• 48 recommendations • 9 critical
recommendationsrecommendations
![Page 50: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/50.jpg)
idae Network Segmentation
Observations:Observations:– Network connections not well documented
Insufficient separation between business LAN– Insufficient separation between business LAN and control system (VLANS & ACL’s)
– Boundaries unclear and no boundary devices– Boundaries unclear and no boundary devices– Several computers were found to have
hundreds of established network connectionshundreds of established network connections– Several dual-zoned servers
![Page 51: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/51.jpg)
idae Weak boundary
Hundreds of computersHundreds of computers in network neighborhood
Dual-homedserversservers
![Page 52: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/52.jpg)
idae DuPont Reference Architecture
DUPONTNET Domain Controller
DNS Server
Manufacturing Message BusAdaptors: SAP,EConnect)
Corporate Patch ManagementServer
PEClients
latigidlatigidlatigidlatigid
Business Zone
3 Co m
DUPONTNET Resource Domain Controllers
Web.21Server(optional)
latigid Manufacturing ApplicationServer
ProcessExplorerClients
latigidlatigid
) Server
WAN
LAN
OMN
IP.21ServerPM&C
latigid latigid
PEClients
Manufacturing ApplicationServer
PCNFirewall
Operations Management Zone
EthernetSwitch
DCS
ProcessExplorerClients
latigid DCS Application
Server
latigid DCS AD Domain
ControllersDCS
consoles
PCN
FBN
Field Bus Gateway
Field Devices
M odem Ban k
DCSControllers
3Com
Field Devices
RCN
M odem Ban k
SISM odem Ban k
Process Control Zone Field Devices
Safety System ZoneImage Courtesy of DuPont
![Page 53: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/53.jpg)
idae
![Page 54: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/54.jpg)
idae System HardeningObservation
• Workstations extensive Recommendation
• Remove all unnecessary number of inappropriate applications– UltraVNC
applications and services• Apply the vendor
recommended or NIST– Microsoft ActiveSync– Internet Explorer
Microsoft Outlook / Outlook
recommended or NIST hardening settings to all workstations and servers
– Microsoft Outlook / Outlook Express
– Windows NetMeetingI t t h k
• Immediately remove any unnecessary shares
– Internet checkers game– Remote access phonebook
• Numerous files shares configured
![Page 55: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/55.jpg)
idae System HardeningObservation
• Numerous active, unused Recommendation
• Disable or lock any Ethernet ports
• USB ports disabled by registry setting
unused ports• Use physical devices to
lock cables into usedregistry setting lock cables into used ports and block access to unused ports
![Page 56: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/56.jpg)
idae Lessons LearnedClient
• Network segmentation is Assessor
• ANSI/ISA 99.02.01 critical
• Anti-virus used per supplier
provides good structure but cannot be used as a checklistsupplier
recommendations• Portable media is
• Zone and conduit modeling works
dangerous• Awareness/training is
important
• Supplier’s reference architectures need to be adjusted for “real”important
• Systems should be hardened and patched
adjusted for real applications
• Data collection must be f d f llper supplier
recommendationsperformed very carefully on a live control system
![Page 57: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/57.jpg)
idaeNext Steps
• Client is developing corporate policies and procedures• Client is preparing to deploy recommended network• Client is preparing to deploy recommended network
changes• Role-based security training is being developed and y g g p
integrated into existing training program• Monitoring technology (e.g. IDS, HIPS) being
investigatedinvestigated• Access control (logical and physical) being reviewed• System hardening being implemented with supplierSystem hardening being implemented with supplier
support• Additional units and sites will be assessed
![Page 58: The 7 things every plant manager should know about control system security](https://reader037.vdocuments.mx/reader037/viewer/2022102921/5411761a7bef0ad2678b59e3/html5/thumbnails/58.jpg)
idaeKey Takeaways
• ‘Security’ is a key component in control system li bilitreliability
• The threats to control system security are real d b i hi ti t dand becoming more sophisticated
• Excellent standards and best practices are available assist users in securing their systemsavailable assist users in securing their systems
• Automation equipment suppliers play an important roleimportant role
• Assessment is the first step
This presentation is available on www.exida.com and www.slideshare.com