3BSE072454

Tomas Lindström Cyber Security Manager BU Control Technologies 2013-01-16

Cyber Security for System 800xAThe SD3+C framework

© ABB Group September 27/28, 2012 | Slide 3

Security – Not just a technical solution …

There is no single solution that is effective for all organizations and applications

Security is a continuous process, not a once and for all technology solution

Security begins and ends with human behavior

100% security is not feasible

AccessControl

Administration&

Maintenance

PhysicalSecurity

Organization Personnel

Compliance

Process Control Security

© ABB Group September 27/28, 2012 | Slide 4

Security is ultimately the user’s responsibility

Proper implementation, configuration, operation, and maintenance of security procedures and equipment is the responsibility of the user of the automation system

However …

Effective security solutions require the joint efforts of

User’s IT and Process Control organizations

Control System vendors

Teams for Commissioning and Maintenance

Vendor support needed in complete System Lifecycle

System Capabilities(from Product organization, main focus for this presentation)

SAT & Commissioning

Maintenance & Support

© ABB Group September 27/28, 2012 | Slide 5

Good Security PracticesImplement a Security Management System

Use standards e.g. as guidelines:IEC 27000, ISA/IEC62443 (ISA99)

Do a risk assessment

Develop a security policy and define clear organizational responsibilities

Select security countermeasures as an “risk insurance”:Balance Value for me Value for X Mitigation cost:

Who should use the system for what Protect the system Detect problems Manage system resource availability

Plan for incident response and disaster recovery

Audit security systems and procedures for compliance with the security policy

© ABB Group September 27/28, 2012 | Slide 6

Defense in depth

The coordinated use of multiple lines of prevention and detection measures to protect the integrity of a system

Examples Security policy and procedures Perimeter firewalls Network segregation with Security zones

Resources in the same zone: same minimum security levelAccess between zones only through secure conduits

Intrusion detection Host based firewalls Host hardening Malware protection User authentication and authorization Data encryption Secure application development …

Policies and Procedures

Physical Security

Perimeter DefensesNetwork Defenses

Host DefensesApplication Defenses

Data Defenses

© ABB Group September 27/28, 2012 | Slide 7

Security for System 800xAThe SD3 + C Security Framework

Security in the Product Development Process:Requirements, Design, Implementation, Verification

Default installation with minimal attack surface Defense in Depth Least privileges used

Product support for Secure Configuration, Operation, Maintenance

Support for system updating

Openly and responsibly communicate with users about detected security flaws:Implications, corrections and/or workarounds

Secure by Design

Secure by Default

Secure in Deployment

Communication

© ABB Group September 27/28, 2012 | Slide 8

Secure by DesignSecurity in the Product Development Process

Security integrated in the Quality Management System

Security check points at Project Gates

Threat modeling

On existing products Finding Vulnerabilities?

For new products Identifying Requirements

Secure coding guidelines

Design and code reviews with checklists with security checkpoints and tool support

Aligning with Microsoft’s SDL

Testing (next slide)

© ABB Group September 27/28, 2012 | Slide 9

Secure by DesignTesting in Product Development

Requirement verification by R&D

Functional and non functional

Security Testing in R&D Projects (more next slide)

1) by R&D

Some tools

Scope: Single products and the whole system

2) by Device Security Assurance Center

More tools

Scope: Devices

3rd party testing

Achilles Communications Certification by Wurldtech

MUSIC certification by Mu Dynamics

© ABB Group September 27/28, 2012 | Slide 10

Secure by DesignABB’s Device Security Assurance Center

Product independent center for Device Robustness Testing

Controllers, Communication Interfaces, Field Devices, …

Assisting R&D Projects e.g. Improving methods

State-of-the-art security testing tools (commercial and open source): Mu8000, Achilles Satellite Unit, Nessus,…

Multi-test method approach with defined policies

Profiling Tools to determine vulnerable services

Check for well-known flaws

Resource Starvation Testing (DoS attacks)

Robustness testing (protocol fuzzing)

Systematically subjecting the target to a set of invalid packets that violate the protocol’s specification

More than Achilles/MUSIC Certification!

© ABB Group September 27/28, 2012 | Slide 11

Secure by DefaultSecure Default settings out of the box

Automated installation with System Installer

Consistent and repeatable

Secure default settings and hardening

Unnecessary services disabled or not installed

Windows FirewallEnabled and Configured for used functions

Secure default settings for user privileges

Embedded OS with only needed features

© ABB Group September 27/28, 2012 | Slide 12

Secure by Default, Defense in DepthNetwork Defenses

Network Redundancy with Dual Separated Networks

Client-Server communication protected with IPSec

IPSec Configuration Tool in SV 5.1 Rev A

For installed systems with SV 5.1 or later

For new systems

Storm protection in Network Switches(Recommended 3rd party addition)

Redundancy withSeparated networks

IPSecprotection

© ABB Group September 27/28, 2012 | Slide 13

Secure by Default, Defense in DepthHost Defenses

Windows Firewall in Servers and Workstations

Network filter in Controllers and Communication Modules

Blocks unsupported traffic

Network Storm protection

RNRP’s Network Loop Protection in Servers and Workstations

System supervision

Controller self supervision

PNSM (PC Network and Software Monitoring)

Storm/Loop protection action: Disable affected network.Communication survives Network Loops/Storms Thanks to Architecture with Separated Networks!

© ABB Group September 27/28, 2012 | Slide 15

Secure by Default, Defense in Depth User Authentication and Access Control

Product features designed to meet regulatory requirements

User Authentication based on Windows

Active Directory or Workgroup

800xA Access Control

Based on User, Role, and Location

Set on Structure, Object and Attribute level

Special Authentication functions

Re-authentication, Double authentication

Log over

Audit trail of user actions

Digital signatures

© ABB Group September 27/28, 2012 | Slide 17

Secure in DeploymentProduct Organization Support overview

Primarily a task for Project/Support organizations.

Supported from product organization:

User manuals, guidelines and system functions

Recommendations for Secure Architectures

Backup/Restore solutions

Malware Protection solutions

Patch Management solutions

Security Event Management solutions

Asset Inventory/Management solutions

Product Support organization

© ABB Group September 27/28, 2012 | Slide 18

Secure in DeploymentSecure Architecture: Security Zones

Security Zones: Multiple Network layers

© ABB Group September 27/28, 2012 | Slide 24

Secure in DeploymentPatch Management, Security Updates

Validation of Microsoft security updates

All relevant updates are tested for compatibility

At least every month

Dedicated Security Test Labcovering all supported 800xA system versions

Result published typically within 3 – 7 days

Available through ABB Automation Sentinel

Other 3rd party SW (e.g. Adobe Reader)

Released from SW vendor without schedule

Verified with next Microsoft Security Update

© ABB Group September 27/28, 2012 | Slide 25

Secure in DeploymentPatch Management, Deployment solutions

800xA System Revisions

The System Update Tool

Microsoft Security Updates

The System 800xA Qualified Security Updates

for node by node deployment

Security Updates delivered from ABB

WSUS for centralized management(Recommended 3rd party additions)

© ABB Group September 27/28, 2012 | Slide 26

Secure in DeploymentMalware Protection solutions (Qualified 3rd party additions)

Accreditation of Anti-virus SW

McAfee VirusScan® Enterprise and Symantec Endpoint Protection

Configuration guidelines

Verified in system tests

Node based or centralized management

‘Daily’ verification of Definition files

Update production systems with 48h delay

Application Whitelisting

SE46: To be released with FP4 Q1 2013

Industrial Defender HIPS: Under testing

© ABB Group September 27/28, 2012 | Slide 31

CommunicationCyber security response, Reporting

Cyber security response system to handle security vulnerabilities and incidents (issues)

Customers and other stakeholders are encouraged to use the “Contact us” feature on ABB’s Cyber security webpage http://www.abb.com/cybersecurity to report any security issue

© ABB Group September 27/28, 2012 | Slide 32

CommunicationCyber security response, Issue handling

When reportingProvide contact information with short message (without details of the security issue)

ABB Cyber security response team Contacts the user to get details of the issue and

provide responses via a protected communication method.

Analyses the issue involving security and product experts and provides mitigation measures.

Product responsible provide final mitigation solution and/or product correction.

© ABB Group September 27/28, 2012 | Slide 33

CommunicationCyber security response, Vulnerability disclosure

When mitigation solution or product correction exists: Confidentially reported or internally found vulnerability Disclosure to ABB and customers

Publically announced vulnerability Public disclosure on www.abb.com and ICS-CERT

© ABB Group September 27/28, 2012 | Slide 34

CommunicationVulnerability disclosure for Customers

To all customers known to ABB regardless of maintenance contracts

Security BulletinSecurity related Product defect or problem not related to safetyMy Control System planned to be used

Safety ReportProduct defect or problem which has the potential to cause a loss of safety in the use of the product

Product AlertProduct defect that may result in, although not directly cause or create, a safety issue or a process misbehavior.

A security problem which is or may result in asafety problem will be announced as Safety Report or Product Alert

© ABB Group September 27/28, 2012 | Slide 35

CommunicationSecurity via ABB Automation Sentinel

Product Bulletins with Security Validation status

Microsoft Security Updates (monthly update)

Virus Definition files (after each update, almost daily)

3rd party SW (after each update)

E-mail notification service on updates

Product Updates

© ABB Group September 27/28, 2012 | Slide 37

What do I get from where? Solutions from ABB

System 800xA Covering your essential needs/The good start…

ABB Automation Sentinel Keeps you up to date

ABB’s Cyber Security Fingerprint Configuration compliance management service

E163 – Cyber Security for System 800xA Expert Workshop training

© ABB Group September 27/28, 2012 | Slide 38

What do I get from where? Solutions from ABB’s partners

Malware protection: AntiVirus Anti Virus Enterprise and ePO Server from McAfee Symantec Endpoint Protection

Malware protection: Application Whitelisting SE46 from Cryptzone (Q1 2013) …

Security Event Monitoring Industrial Defender Monitor …

Configuration compliance management (24*7) Industrial Defender Manage (Q1 2013) …

© ABB Group September 27/28, 2012 | Slide 39

SD3 + C for System 800xAFor current solutions and future improvements

Project gates, Threat modeling, Static Code analysis, Reviews, Testing

Automated installation Default settings and hardening Host defenses, Network defenses

Architecture recommendations Malware protection, Patch Management Centralized security monitoring

Cyber Security Response Vulnerability disclosure ABB Automation Sentinel

Secure by Design

Secure by Default

Secure in Deployment

Communication

© ABB Group September 27/28, 2012 | Slide 40