roadmaps to securing industrial control systems · requirements specific to industrial control...
TRANSCRIPT
Copyright © 2011 Rockwell Automation, Inc. All rights reserved.
Insert Photo Here
Rockwell Automation
Process Solutions User Group (PSUG)
November 14-15, 2011
Chicago, IL – McCormick Place West
Roadmaps to Securing
Industrial Control
Systems
Mark Heard
Eastman Chemical Company
Presenter
Copyright © 2011 Rockwell Automation, Inc. All rights reserved.
Mark Heard, Eastman Chemical Company
• Recovering Control System Engineer
• Experience with several kinds of automation systems, especially networking with other plant systems
• General interest in security and admin issues for ICS
Work on Eastman Cybersecurity teams
• Process Control Network Security, 2003-
• Network Segmentation, 2004-
• Cybersecurity Vulnerability Assessment, 2005-
• Process Automation Systems Authentication, 2006-
• Systems Integrity, 2008-
• IT Security Team 2011-
Working with ISA S99, ACC Cybersecurity Program (formerly
through ChemITC and CIDX) since 2002
What is an ICS Security Roadmap?
A structured set of priorities, milestones and goals which address security requirements specific to Industrial Control Systems (ICS), over a 10 year timeframe
Published Roadmaps
Energy Sector (revised Sep-11)
“The 2011 Roadmap takes the necessary steps to strengthen the security and reliability of our country’s electric grid, in a climate of increasingly sophisticated cyber incidents.”
“This update marks a continued effort by public and private energy sector stakeholders to reduce cyber vulnerabilities that could disrupt the nation's ability to deliver power and energy.”
Published Roadmaps
Water Sector
Chemical Sector
Dams
Draft/Approval:• Nuclear
• Cross-Sector (recognizing and mapping commonality between sector documents) by Department of Homeland Security’s Industrial Control Systems Joint Working Group
Roadmap Strategies
• Build a Culture of Security
• Assess, Monitor and Mitigate Risk
• Develop and Implement New Protective Measures to Reduce Risk
• Manage Incidents
• Sustain Security Improvements
for…– Asset Owner/Operators
– Vendors/Solution Providers
– Research/Academia
– Government
– Regulators/Standards Organizations
Common Goals Across Roadmaps
• Measure and Assess Security Posture
• Assess Risk
• Develop and Integrate Protective Measures
• Develop and Deploy ICS Security Programs
• Detect Intrusion and Implement Response Strategies
• Develop and Implement Risk Mitigation Measures
• Sustain Security Improvements
• Partnership and Outreach
• Secure-by-Design
Why do We Care?
• ICS are increasingly interconnected to other plant and business systems
• ICS vendors continue to rapidly incorporate standard Information Technology into their products
• These trends expose the ICS to modern malware threats
• Potential consequences of an ICS cyber incident can include:
• Reduction or loss of production at one site or multiple sites simultaneously;
• Injury or death of employees;
• Injury or death of persons in the community;
• Damage to equipment;
• Release, diversion, or theft of hazardous materials; and
• Impact to company’s reputation in the community.
The Risk is Real!!
• Federal agencies reported 30,000 incidents to US-CERT during fiscal year 2009 [U.S. Government Accountability Office report 6/16/2010]
– >400% increase over what was reported in 2006
• 2010 CIP Survey conducted by Symantec– 60% of cyber attacks were “somewhat” to “extremely” effective– Average cost of an attack was estimated at $850,000
• Significant increase in Advanced Persistent Threat (APT)
• Stuxnet signaled a paradigm shift in ICS cyber threats
– Demonstrated that ICS are susceptible to increasingly sophisticated cyber-attacks
Chemical Sector Roadmap
The “voice” of the sector on
improvements to control systems
security
Published September 2009
Following sign off by the
Chemical Sector Coordinating Council
A structured set of priorities spanning a 10-year timeframe specific to needs of Industrial Control Systems (ICS) in the Chemical Sector
10
www.us-cert.gov/control_systems/pdf/ChemSec_Roadmap.pdf
Roadmap Vision
“In 10 years, the layers of defense for industrial control systems managing critical applications will be designed, installed and maintained, commensurate with risk, to operate with no loss of critical function during and after a cyber event.”
Scope• Industrial Control Systems (ICS) in chemical facilities that are part of the critical infrastructure
• Possible implications for ICS vendors
• Connection to other systems included if they impact ICS risk
Chemical Sector Roadmap
Implementation Working Group
Roadmap Implementation Manager
• Catalyst 35, under ACC contract
CSCC
• American Chemistry Council (ACC)
• National Petrochemical & Refiners Association (NPRA)
DHS
• DHS National Cyber Security Division - Control Systems Security Program
• DHS Chemical SSA
Owners/Operators
• AkzoNobel
• Dow Chemical
• Infineum
• DuPont
• Eastman Chemical
• Western Refining
• Exxon Mobil
• Air Products
• Ashland
• Air Products
Vendors
• Computer Sciences Corporation (CSC)
Established December 2010
Roadmap ImplementationIn Partnership with DHS
• DHS Sector Specific Agency (SSA) is supporting our efforts• Utilizing Homeland Security Information Network (HSIN) to share
working documents• Focusing on milestones identified for the first two years• Comprehensive Awareness Package
– Collected a wealth of resources/reference information – Designed to assist owners/operators in addressing ICS security
• Providing speakers at various conferences across the U.S.• Metrics: Working on creating Roadmap Metrics• Secure Information Sharing: Developing a matrix of current forums• Website: in design stage
13
Roadmap Objectives
Long Term• Improved ICS security across the chemical sector
Immediate• Build awareness across the chemical sector and ICS vendor community of the resources available to assist the sector in realizing its long term objective.
Awareness CampaignFocus Areas
• Developing a Business Case for investing in ICS security
• Conducting an ICS Security Assessment
• Training for employees who work in the ICS environment
• Implementing existing standards
• Complying with existing Chemical Facility Anti-Terrorism Standards (CFATS) Regulations
• Leveraging Best Practices– Wherever possible, not Chem sector specific
Developing a Business Case
• The protection of ICS from cyber security threats requires resources and personnel to plan, develop and implement needed security measures
• Companies must develop a business case for investing in ICS security
• A business rationale for justifying this investment is currently under development
• Authored by the Industrial Control Systems Joint Working Group
• Goal is to provide guidance for Developing a Business Case
Awareness Materials
• Case for Action• Cyber Security Evaluation Tool (CSET)• Cyber Security Tabletop Exercise (TTX)• Procurement language• ICS Security Training Resource • ICS-CERT & Cyber Incident Response• Industry standards and additional relevant guidance
A Case for Action
The chemical industry dedicates immense time and resources toward ensuring the safety of its personnel, customers, and surrounding community; but in today’s environment of growing cyber threats, a Chemical plant is not safe unless its control systems are secure.
One of the trends emerging in the current environment of cost efficiencies, is the move from delivery of ICS on “proprietary” system platforms to “open” system platforms. These open platforms carry a greater level of cyber risk due to the rapid growth of cyber threats against them.
CSET - Cyber Security Evaluation Tool
• Available from the Department of Homeland Security• Assists organizations in protecting their key national cyber assets. • Developed under the direction of the DHS National Cyber Security Division (NCSD)– Developed by cybersecurity experts and with assistance from the National Institute of Standards and Technology.
• This tool provides a systematic and repeatable approach for assessing the security posture cyber systems and networks.
• Includes both high-level and detailed questions related to all industrial control and IT systems.
Procurement Language
• Department of Homeland Security: Cyber Security Procurement Language for Control Systems provides sample recommended language for control systems security requirements, including:
• New SCADA/control systems
• Upgrading Legacy systems
• Maintenance contracts
• Information and personnel security
ICS Training ResourcesChemical Sector
• Compiled by the Roadmap Implementation Working Group• Designed for owner/operators in the process control and automation industries.
• Lists selected and representative security trainings… but not a comprehensive list
• Organized by levels of difficulty (intro, intermediate, advanced)• Includes links to relevant websites, for ease of training access
Who Can Benefit from this training?
– ICS Operations
• Routinely interact with the ICS environment
– Security Managers
• Have primary responsibility for securing ICS
– Engineers
• Responsible for design and configuration of ICS functionality
– IT Personnel
• Have responsibility for operation & support of IT infrastructure supporting the ICS
Leveraging Existing Standards
• ANSI/ISA99/IEC 62443, Industrial Automation and Control Systems Security– A series of 11 standards & technical reports– Address all aspects of ICS security– 3 work products have been published– Several others are available in draft form for review and comment
• ISO/IEC 15408-1:2009– Establishes general concepts and principles of IT security evaluation– Specifies the general model of evaluation given by its various parts– Is intended to be used as the basis for evaluation of security properties of IT products
Additional Guidance
• ACC Guidance for Addressing Cyber Security in the Chemical Sector
• DHS Catalog of Control Systems Security: Recommendations for Standards Developers
• NIST Special Publication (SP) 800-82, Guide to ICS Security, final public draft Sept 29, 2008
• NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009
• NERC Critical Infrastructure Protection – 002-009
What Can You Do?
• Pick up a DVD & Case for Action to take with you
• Review the information shared today
• Bring this issue to the attention of your engineering & manufacturing management
• Ask key questions about how your company is addressing ICS security
• And as you begin…
25
Tips for Getting Started
• Ensure one person takes ownership of ICS security and is accountable.
• Open the lines of communication between engineering, security, IT, process safety and manufacturing operations within your own company.
• Conduct an audit of current ICS security measures and implement obvious fixes.
• Follow-up with an ICS security vulnerability analysis (risk assessment).
Tips for Getting Started
• Implement an ICS security management program that is integrated with existing company management systems for security, safety, quality, etc.
• Keep in touch by emailing [email protected] for additional information.
• Become an advocate in your company on this important issue!
Copyright © 2011 Rockwell Automation, Inc. All rights reserved.
Insert Photo Here
Rockwell Automation
Process Solutions User Group (PSUG)
November 14-15, 2011
Chicago, IL – McCormick Place West