integrating electronic security into the control systems
TRANSCRIPT
Integrating Electronic Security into theControl Systems Environment:
differencesIT vs. Control Systems
Enzo M. Tieghi – [email protected]
Security IT & Control System Security: where are we?
Some cases about industrial -infrastructure Cyber incidents:
In January, 2003, the SQL Slammer Worm penetrateda computer network at Ohio’s Davis-Besse nuclearpower plant and disabled a safety monitoring system for nearly five hours; SQL Slammer Worm downedone utility’s critical SCADA network in US; anotherutility lost its Frame Relay Network used for communications; some petrochemical plants lostHuman Machine Interfaces (HMIs) and data historians; a 911 call center was taken offline; Airline flights weredelayed and cancelledin 2001, a series of cyber attacks were conducted on a computerized waste water treatment system by a disgruntled contractor in Queensland, Australia. One of these attacks caused the diversion of millions of gallons of raw sewage into a local river and park. There were 46 intrusions before the perpetrator wasarrested.
Some cases about industrial -infrastructure Cyber incidents:
In September, 2001, a teenager allegedly hacked into a computer server at the Port of Houston: the port’s web service, which contained crucial data for shipping pilots, mooring companies and support firms responsible for helping ships navigate in and out of the harbor, was leftinaccessible1997: Shutdown at traffic air control system tower at Worchester Regional Airport (MA) USAItaly 2004: Sasser halts 40 PCs in production plant of leading pharmaceutical company (batches to rework, week-end spent to restart plants, reinstall and revalidatesystems etc.)Water distribution SCADA system in California attacked and down (2005)…No official statistical source: database with 20-30 trackedincidents in 2002-2004 in California (USA)Database at BCIT (CA) in construction
The 3 security faces
Phisical Security (Perimeter):Guard on duty, gates, ports, etc.
Human factor Security (Organization):Security policySecurity proceduresAwareness and training
Cyber-Security (Technology):AntivirusAcces control, authentication, …Firewalls, …
Internet
Network Vulnerability: examples
Controller or PLC
Process Control Network(Proprietary or Ethernet)
HMIControl System Application Server
Ethernet
SAP
Corporate Network
MailServer
Browser Clients
Desktops
Plant Network
HistorianWeb
Server
MES
Firewall
Remote Access ServerMobile
Operator
ResourceConstraints
Wireless AP
DisgruntledEmployee
Browser MalwareEmail
Viruses IM Downloads
Protocol Vulnerabilities
VPN Penetration
VulnerabilityExploit
FirewallPenetration
Unauthorized Access
Vendor Diagnostics
POTSRemote Access
EMS/ Indirect System Penetration
ContractorHacking/Malware
Flat Networks
eSecurity in control systems: industrial and infrastructure
consideration about security (not only “Safety”)
11 items why Security in control systems (DCS, PLC, SCADA/HMI, plant networks, etc. )
is different from IT Security
BS7799 vs. ISA-99.00.01Comparison of Objectives
Manufacturing and Control Systems
Traditional IT Systems
Priority
Availability Confidentiality
Integrity
Confidentiality
Integrity
Availability
ANSI/ISA-95 Functional Hierarchy
Level 4
Level 1
Level 2
Level 3
Business Planning & Logistics
Plant Production Scheduling,Operational Management, etc
Manufacturing Operations Management
Dispatching Production, Detailed ProductionScheduling, Reliability Assurance, ...
BatchControl
DiscreteControl
ContinuousControl
1 - Sensing the production process, manipulating the production process
2 - Monitoring, supervisory control and automated control of the production process
3 - Work flow / recipe control to produce the desired end products. Maintaining records and optimizing the production process.
Time FrameDays, Shifts, hours, minutes, seconds
4 - Establishing the basic plant schedule -production, material use, delivery, and shipping. Determining inventory levels.
Time FrameMonths, weeks, days
Level 0 0 - The actual production process
Level 4
Level 1
Level 2
Level 3
Business Planning & Logistics
Plant Production Scheduling,Operational Management, etc
Manufacturing Operations Management
Dispatching Production, Detailed ProductionScheduling, Reliability Assurance, ...
BatchControl
DiscreteControl
ContinuousControl
1 - Sensing the production process, manipulating the production process
2 - Monitoring, supervisory control and automated control of the production process
3 - Work flow / recipe control to produce the desired end products. Maintaining records and optimizing the production process.
Time FrameDays, Shifts, hours, minutes, seconds
4 - Establishing the basic plant schedule -production, material use, delivery, and shipping. Determining inventory levels.
Time FrameMonths, weeks, days
Level 0 0 - The actual production process
ANSI/ISA—TR99.00.02—2004
Art. 6.5Special Considerations for Manufacturing and
Control SystemsManufacturing and Control System electronic security plans and programs are consistent with, and build on, existing IT security experience, programs, and practices. However, there are critical operational differences between IT and Manufacturing and Control Systems that influence how specific measures should be applied. (……).
Why eSec is different - 1
Differing risk management goalsRirsk Definition: Human safety and fault toleranceto prevent loss of life or endangerment of public health or confidence, loss of equipment, loss of intellectual property, or lost or damaged product.
Perché la Sicurezza è diversa? /2
Differing architecture security focusIn a typical IT system, the primary focus of security is protecting the information stored on the central server. In manufacturing systems, the situation isreversed. Edge clients (e.g., PLC, operator station, or DCS controller) are typically more importantthan the central server.
Why eSec is different - 2
Perché la Sicurezza è diversa?/3
Differing availability requirementsMany manufacturing processes are continuous in nature. Unexpected outages of systems that control manufacturing processes are not acceptable. Exhaustive pre-deploymenttesting is essential to ensure high availability for the Manufacturing and Control System. In addition to unexpected outages, many control systems cannot beeasily stopped and started without affecting production. In some cases, the products produced or equipment beingused is more important than the information being relayed. The requirement for high availability, reliability, and maintainability reduces the effectiveness of IT strategieslike rebooting.
Why eSec is different - 3
Perché la Sicurezza è diversa?/4
Unintended consequencesManufacturing and Control Systems can be verycomplex in the way that they interact with physicalprocesses. All security functions integrated into the process control system must be tested to prove thatthey do not introduce unacceptable vulnerabilities. Adding any physical or logical component to the system may reduce reliability of the control system, but the resulting reliability should be kept to acceptable levels.
Why eSec is different -4
Perché la Sicurezza è diversa?/5
Time critical responsesFor some systems, automated response time or system response to human interaction is critical. For example, emergency actions on regulatoryprocess control systems should not be hampered by requiring password authentication and authorization. Information flow must not be interrupted or compromised.
Why eSec is different- 5
Perché la Sicurezza è diversa?/6
Differing response time requirementsManufacturing and Control Systems are generallytime criticalDelay is not acceptable for the delivery of information, and high throughput is typically notessential.
Why eSec is different -6
Perché la Sicurezza è diversa?/7
System softwareDiffering and “custom” operating systems and applications may not tolerate typical IT practices.Networks are often more complex and require a different level of expertise (e.g., control networks are typically managed by control engineers, not IT personnel). Software and hardware applications are more difficult to upgrade in a control system network.Many systems may not have desired featuresincluding encryption capabilities, error logging, and password protection.
Why eSec is different -7
Perché la Sicurezza è diversa?/8
Resource constraintsControl systems and their real time operatingsystems are resource constrained systems that do not include typical IT security technologies. There may not be available computing resources to retrofit these security technologies.
Why eSec is different -8
Perché la Sicurezza è diversa?/9
Information integrityIn-bound information is highly essential to the control system operation.It is important to take practical precautions to eliminate malicious in-bound information in aneffort to maintain control operation.
Why eSec is different -9
Perché la Sicurezza è diversa?/10
CommunicationsCommunication protocols and media used by control systems environments are typicallydifferent from the generic IT environment, and may be proprietary. Examples include radio telemetry usingasynchronous serial protocols and proprietarycommunication networks.
Why eSec is different -10
Perché la Sicurezza è diversa?/11
Software UpdatesSecurity patches cannot always be implementedon a timely basis because software changes needto be thoroughly tested by the vendor of the manufacturing control application and the end user of the application before being implementedChange management control is necessary to maintain integrity of the control systems.
Why eSec is different - 11
Perché la Sicurezza è diversa?
These differences require careful assessment by Manufacturing and Control System experts working in conjunction with security and IT personnel. This team of people should carefully evaluate the applicability of IT and specific Manufacturing and Control Systems electronic security features, including thorough testing before application, wherenecessary.
Why eSec is different: final
Network Segregation
“Rings of Defense” for Corporate and SCADA Networks – www.dyonyx.com
What to do: ad hoc methodology and tools
Industrial Security AssessmentIndustrial Security Vulnerability TestsIndustrial Security PolicyIndustrial Incident Response PlansBusiness Continuity & Disaster Recovery PlansIndustrial Protection (Industrial IDS/IPS)Monitoring and Managed Services for IndustryAudit
Where Control Systems are?
Everywhere…Industrial but also InfrastructureProduction and Distribution: Water, Oil & Gas, Power, etc.Traffic control: Railways, Highways, Tunnels, Air, etc. Buildings: Airports, Hospitals, Schools, Governament, Research Centers, Universities, Municipalities, etc.TLCs
What’s moving…
“21 Steps to improve Cyber Security of SCADA Networks”(USA White House)
“Common vulnerabilities in critical infrastructure control systems”(U.S. Dept. Of Energy’s National NuclearSecurity Administration)
Securing Process Control Systems - IT Security (European Commission)
Industrial security and international standards
•BS7799-ISO27000 Information security management systems –Specification with guidance for use•ISO/IEC 17799:2005 Information Technology – Code of practice for information security management •ANSI/ISA SP99 TR1 Security for Manufacturing and Control Systems•ANSI/ISA SP99 TR2 Integrating Electronic Security into Manufacturing and Control Systems Environment•ISO/IEC 15408 Common Criteria•NIST System Protection Profile for Industrial Control Systems (SPP-ICS)•CIDX Chemical Industry Data Exchange - Cibersecurity Vulnerability Assessment Methodology (VAM) Guidance•ISPE/GAMP4 – Good Automated Manufacturing Practices – App. O Guideline for Automated System Security•NERC standards•AGA standards