Sustain.Ability.
Industrial Control System Cyber Security
Cyber Security threat landscape for ICS’s
Business IT vs ICS systems
• Security topic: Antivirus
– Information Technology (IT): Very common: easily deployed and updated
– Control Systems (ICS): Difficult to keep current due to risk imposed to control process
• Security topic: Patch Management
– Information Technology (IT): Easily defined; enterprise wide, remote and automated
– Control Systems (ICS): Patches require exhaustive testing and qualification prior to installation on ICS’s. Install lags release.
ICS challenges and security concerns
Some typical attack vectors of ICS’s
Some current headlines
• U.S. President Barack Obama is urging the Senate to pass the Cybersecurity Act
of 2012. He believes legislation will help the U.S. fight "the cyber threat to our
nation," which he calls "one of the most serious economic and national security
challenges we face."
July, 2012 - ZDNet
The Impact of STUXNET
• Provided proof-of-concept and a blueprint for hackers
• Exposed corporate executives, regulators and the public
to the potential dangers of cyber attacks on critical
infrastructure
• Opened the floodgates for “security researchers” to
identify and exploit ICS vulnerabilities for financial gain
Project Basecamp
Cyber attacks on critical infrastructure
ICS Specific Vulnerabilities Reported
2001 - 2011
Slide 25 from the presentation “Documenting the ‘Lost Decade’ An Empirical Analysis of
publicly disclosed ICS vulnerabilities since 2001” by Sean McBride
Why have ICS systems become targets?
• Community “watchdogs”
• Hacktivists
• Competitive advantage
Honeywell’s cyber security initiatives
• Defense in Depth
– Security at more than just the perimeter
– Layered / High Security Network Architecture
[Figure labels: Cyber, Electronic, Physical]
Product development process
Incorporating Security into the Software Development Lifecycle
[Figure labels: Security Training; Security Requirements; Architecture Design; Security Testing; Security Validation; Security Response Planning and Execution]
Continuous security improvements
• Short term improvement
– Qualification of white listing component for Experion
– Virtual Patching solution
– Virtualization
Patch management lifecycle
• Security research (e.g. ZDI, DVlabs)
• ICS-CERT
• Not always a patch available
• Black hats
• Patch is not always tested in time
• Can we install?
• Often reboots required
Server / station protection
[Figure, source Gartner. Columns: Allow Known Good (Block All Else); Block Known Bad (Allow All Else); Unknown. Execution Level row: Application Control; Resource Shielding; Behavioral Containment]
External security certifications
• Wurldtech Achilles certification for C300, SM
• Achilles practices certified (WIB)
– Honeywell committed to compliance with Achilles practices when it becomes an approved IEC-62443-2.4 standard
ISA99 / IEC 62443 Structure
Systems
Devices
Embedded Device Security Assurance Certification
Integrated Threat Analysis (ITA)
Provides a common perspective on how threat scenarios can be sufficiently covered
• Documents the expected resistance of the system to potential threat agents and threat scenarios
• Clearly documents expected user measures versus inherent product protection measures
Software Development Security Assurance (SDSA)
Detects and Avoids systematic design faults
• The vendor’s software development and maintenance processes are audited
• Ensures the organization follows a robust, secure software development process
Benefits of ISASecure Certification
Structured, auditable, repeatable approach to evaluating the security of an ICS product and the development practices of the manufacturer against an established benchmark
End-user
• Easy to specify
• Build security requirement into RFP
• Reduced time in FAT/SAT
• Know security level out of the box
Supplier
• Evaluated once
• Recognition for effort
• Build in security
• Product differentiator
• Reduce support costs
• Enhance credibility
Honeywell’s Industrial IT Solutions
• Compliance management
• Full Whitelisting management and support
[Figure labels: Assure, Remediate, Manage]
Partnering with our customers
• Documenting system security configuration
– Includes risks that need external mitigations
• Rapid qualification of security updates
– Microsoft
– Adobe
• Network and security design services
• Assessment services
– ISA99 / CSET security audits / assessments
• Services offering for system security management
– Patch, virus protection, and data recovery management
– Security perimeter management
• Continued investment in building security skills
– Design consultants, project and service engineers
Security Program Dashboard
Security from design to daily operation
• Honeywell Process Solutions….
– builds Security features into our standard products, and is continuously
evaluating and improving our security
Layers of Responsibility
End User
(Security management system)
System Integrator
(System engineering practices, Qualified Personnel)
Automation Supplier
(Software Development, Vendor Practices)
Automation Products
(Security features, Testing)
Vendor / automation supplier responsibilities
Integrator / installer responsibilities
Owner / operator responsibilities
• Apply security fixes as soon as they’re qualified
• Keep Anti Virus and related protection technologies current
• Document security configuration, Policies & Procedures
• Provide security Training for operators & Contractors
• Control Access to the Control System
• Harden the Components of the System – apply defense in
depth
• Constantly monitor the security of the system
• Periodic full re-assessment of system security
• Work closely with vendor and integrators to adapt to new
security threats and vulnerabilities
ICS Security responsibilities summary
• Owner / operators have the ultimate responsibility for the
security and safety of their systems
• ICS security must include technology, people, and
processes
• ICS security spans the lifecycle of an automation system
• requires a partnership between all stakeholders
Responding to cyber attacks against your ICS
Cyber Incident Response Plan
• Create a cyber incident response plan
– Priority is to isolate any suspect component, maintain safe
operation, and preserve forensics where possible
– Operators must be trained on how to respond to a cyber incident
– Appoint a cyber security focal point and “watchdog” – with backup
– Include all levels of “defense in depth” in creating response plan
Effective Security Plan
How can ICS’s prepare for cyber attacks?
• Do a security assessment of your site, remediate any
gaps identified, and repeat assessments periodically
• Review your vendor’s security documentation
– Network and Security Planning Guide
– Domain and Workgroup Implementation Guide
Be prepared for cyber attacks
• Integrate security into your culture at site
Questions?