2012 Honeywell Users Group Asia Pacific

Sustain.Ability.

Industrial Control System

Cyber Security
1
 Mike Baldi
• Honeywell Process Solutions
Cyber Security Architect
Global Architect Team

Responsible for integrating security into HPS

Products, security certifications, and compliance

• Honeywell rep on ISA Security Compliance Institute board

• DHS interface for HPS

• 33+ years experience with HPS

• Lead SE for System Test ( 3 years )
• Technical Assistance Center - Server/Client team lead ( 25 years ):

2
 Industrial Control System Cyber Security

• cyber security threat landscape for ICS’s

• Honeywell’s cyber security initiatives

• roles / responsibilities for protecting ICS’s

from cyber attacks

• responding to cyber attacks against your ICS

3
 Cyber Security threat
landscape for ICS’s

Industrial Control System

Cyber Security
4
 How did we get here?
• Security was not a major concern when Legacy ICS
systems were developed
• ICS system lifecycle is typically 15-20 years
• ICS products are incorporating COTS technology from
the business IT sector (Ethernet, Windows OS, SQL,
webservers, etc.)
• Multi-vendor solutions at most ICS sites
• Increasing need to share data between the enterprise,
corporate, and DCS networks
• Lack of experienced security personnel working on ICS’s
• History of separate IT and ICS teams

5
 Business IT vs ICS systems
SECURITY TOPIC
Antivirus
Patch Management
Technology Support Lifetime
Change Management
Security Compliance
Incident Response and
Forensics
Physical and Environmental
Security
Secure Systems Development
6
Information Technology
(IT)
Very common: easily deployed
and updated
Easily defined; enterprise wide
remote
and automated
2-3 years;
Regular and scheduled; aligned with
minimum-use periods
Limited regulatory oversight
Easily developed and deployed;
some regulatory requirements;
embedded in technology
Poor (office systems) to excellent
(critical operations systems)
Integral part of development process
Control Systems (ICS)
Difficult to keep current due to risk
imposed to control process
Patches require exhaustive testing
and qualification prior to installation
on ICS’s. Install lags release.
10-20 years
Strategic scheduling; non trivial
process due potential impact to
process
Specific regulatory guidance
(some sectors)
Uncommon beyond system
resumption activities; no forensics
beyond event re-creation
Good to Excellent (operations
centers; guards, gates, guns)
Special
Has not been an integral part of ICS
systems development
 ICS challenges and security concerns

• Vulnerability to Denial of Service attacks

• Backdoors and “holes” in the network
perimeter
• Devices with little or no security features
(modems, legacy control devices, etc.)
• Common communication protocols
designed without security
• Remote, unmanned sites with challenging
physical security
• Database security vulnerabilities
(proprietary and / or 3rd party )
• Lack of encryption and authentication
• Improper or nonexistent patching of
software and firmware

7
 ICS challenges and security concerns

• Unsecure coding techniques in product

design
• Non-existent cyber security procedures
• Lack of control system-specific security
protection / mitigation technologies
• Security researchers with various
vulnerability disclosure practices
• Publicly available hacking tools make
hacking easier for “novices”
• Increased outside security regulation
• NERC-CIP, CFATS, Pipeline Guidelines, …
• Increase in cyber attacks against ICS’s
• Stuxnet, Duqu, Flame, …

8
 Some typical attack vectors of ICS’s

9
 Some current headlines

• U.S. President Barack Obama is urging the Senate to pass the Cybersecurity Act
of 2012. He believes legislation will help the U.S. fight "the cyber threat to our
nation," which he calls "one of the most serious economic and national security
challenges we face."
July, 2012 - ZDNet

• “Iran Oil Terminal taken offline by Cyber Attack”

April, 2012 - PACE magazine

Pacific Northwest National Laboratory Report Reveals Dramatic Increase in Cyber

Threats and Sabotage on Critical Infrastructure and Key Resources
June 2012 – US Dept of Energy

10
 The Impact of STUXNET
• Provided proof-of-concept and a blueprint for hackers
• Exposed corporate executives, regulators and the public
to the potential dangers of cyber attacks on critical
infrastructure
• Opened the floodgates for “security researchers” to
identify and exploit ICS vulnerabilities for financial gain

11
 Project Basecamp

• Announced at S4 Security Conference in

Jan 2012
• Project Basecamp involved six
researchers looking for vulnerabilities in
embedded ICS devices (PLC’s, RTU’s,
substation controllers)
• The researchers found backdoors, weak
credential storage, ability to change ladder
logic and firmware, command line
interface, buffer overflows, TFTP, etc…
• Posted results publicly – releasing Nessus
plugins and Metasploit modules enabling
anyone to find and exploit these
vulnerabilities

12
12
 Cyber attacks on critical infrastructure

Cyber attacks against US critical infrastructure jumped 383 % in 2011”

13
13
 ICS Specific Vulnerabilities Reported
2001 - 2011

Slide 25 from the presentation “Documenting the ‘Lost Decade’ An Empirical Analysis of
publicly disclosed ICS vulnerabilities since 2001” by Sean McBride

14
14
 Why have ICS systems become targets?

• They’re easy targets

– Security wasn’t designed in
– Running older Operating systems
– Embedded accounts with default passwords
– Systems aren’t updated with security patches

• Notoriety / validation within security research community

• Community “watchdogs”

• Hacktivists

• Competitive advantage

• Nation State / Political motivation

15
 Honeywell’s cyber security
initiatives

Industrial Control System

Cyber Security
16
 What is Honeywell’s security philosophy ?
• Design in Security is a Key initiative at Honeywell
– Security designed in the product from the beginning
– Incorporate people, technology, and process
– Integrate security into our culture
Process Control
System

• Defense in Depth
Cyber
– Security at more than just the perimeter
– Layered / High Security Network Architecture Electronic

Physical

• Security is a journey - not a destination

– Cyber Threat landscape is continuously changing
– Continuous evaluation and improvements required
17
 Product development process
• Product development
– Security is foundational in the product
• HIP process designs security into all products

• Security Development Lifecycle

– Design process is compliant with ISASecure SDSA
» Threat modeling and security risk analysis is part of all projects
» Static code analysis
» Fuzz testing
» Use and abuse case testing
» Load and performance testing
» Independent penetration testing

18
 Product development process

• Product development (Continued)

• Experion Security Model drives security focus
• Security
– Security Core Team – manages security model
– Security Steering Committee – communication / interactive
exchange on security issues impacting HPS systems

• HPS is investing heavily in tools, testing, and training

to improve the security of our products

19
 Incorporating Security into the Software
Development Lifecycle
Security
Security Response
Training Planning
and
Security Execution
Requirements

Security
Validation
Security Testing
Architecture
Design

Security Risk Fuzz testing, Abuse

Assessment case testing
and Threat Modeling

Security Code Reviews &

Security Static Analysis
Coding
Guidelines

20
20
 Continuous security improvements
• Short term improvement
– Qualification of white listing component for Experion
– Virtual Patching solution
– Virtualization

• R410 security improvements

– System mechanism to disable USB storage interface
– Role based access control for process data
• Implements separation of duties at parameter level
– Decouple DSA security credentials from system credentials
• Compartmentalizes Experion clusters
• Allows different mngr passwords in each cluster
• Remove sysadmin privileges from mngr account
• Allow use of user specified domain accounts
21
 Application Whitelisting - overview
• Objective is to provide additional protection against malware,
reduce system maintenance overhead and complexity, and
extend the patching cycle

• Application Whitelisting (AWL) locks down an end node – allowing only

approved files to run
• Significantly improves security against many types of malware attacks
• Can extend patching cycle

• AWL solution must be tightly integrated into control system by ICS

vendor to provide greatest protection with minimum risk
• AWL on Industrial Control Systems will co-exist with Anti Virus
solutions

22
 Patch management lifecycle

Security research -
(e.g. ZDI, DVlabs)
ICS-CERT -
Not always a patch available -
Black hats -
Patch is not always tested in time -
Can we install? -
Often reboots required -

23
 Server / station protection
Allow Known Good Block Known Bad Unknown
(Block All Else) (Allow All Else)

Execution Application
Application Resource Behavioral
Level Control
Control Shielding Containment

Application Application and Antivirus Application

Level System Hardening Anti Virus Inspection

Network Host Attack-Facing

Attack-Facing Vulnerability-Facing
Vulnerability-Facing
Level Firewall Network Inspection
Network Inspection Network Inspection
Network Inspection

Gartner

BL – Black Listing (Honeywell solution - McAfee / Norton)

AWL – Application White Listing (Honeywell solution - Bit9)

VP – Virtual Patching (Honeywell solution - HP Tipping Point)

24
 Continuous security improvements

• Virtualization improves operational efficiency

• Virtualization realizes life cycle extension
• Virtualization poses new security challenges
• Virtualization also facilitates security improvements
– Application virtualization (i.e. eServer) provides sandboxing
– Full virtualization (VMware vSphere)
• Improved data recovery mechanisms
•
Virtualization Layer
Improved patching mechanisms
• Improved virus protection mechanisms
• Hypervisor / Virtual Machine Monitor has small attack surface
– Availability of thin clients

25
 External security certifications
• Wurldtech Achilles certification for C300, SM
• Achilles practices certified ( WIB )
– Honeywell committed to compliance with Achilles practices when it becomes an
approved IEC-62443 -2.4 standard

• ISASecure Embedded Device Security Assessment

(EDSA)
– Safety Manager R145 was first device to achieve EDSA certification (2011)
– C300 and Foundation Fieldbus Interface Module are EDSA Certified (2012)

• Internal evaluation of HPS products for compliance with

numerous external standards:
– NERC-CIP, NIST_sp800_x, FERC_order_x, INGAA Cyber guidelines, TSA
pipeline guidelines

26
 ISA99 / IEC 62443 Structure

Systems

Devices

27 27
 Embedded Device Security Assurance Certification
Provides a common perspective on how threat
scenarios can be sufficiently covered
• Documents the expected resistance of the system to
potential threat agents and threat scenarios
• Clearly documents expected user measures versus
Integrated Threat Analysis inherent product protection measures
(ITA) Detects and Avoids systematic design faults
• The vendor’s software development and maintenance
processes are audited
Software Development
Security Assurance (SDSA) • Ensures the organization follows a robust, secure
software development process

Detects Implementation Errors / Omissions

Functional Security • A component’s security functionality is audited against

Assessment (FSA) its derived requirements for its target security level
• Ensures the product has properly implemented the
security functional requirements

Communications Identifies vulnerabilities in networks and devices

Robustness Testing (CRT) • A component’s communication robustness is tested
against communication robustness requirements
• Tests for vulnerabilities in the 4 layers of OSI Reference
Model

28
28
 Benefits of ISASecure Certification
Structured, auditable, repeatable approach to evaluating
the security of an ICS product and the development
practices of the manufacturer against an established
benchmark
End-user Supplier
• Easy to specify • Evaluated once
• Build security requirement into • Recognition for effort
RFP • Build in security
• Reduced time in FAT/SAT • Product differentiator
• Know security level out of the • Reduce support costs
box
• Enhance credibility

Assurance that automation products, systems and suppliers

meet an industry recognized baseline for cyber security

29
29
 Honeywell’s Industrial IT Solutions

Assess against industry Remediate focuses on the

standards, regulatory actions needed to
requirements and best address issues identified
practices in the Assess phase

Assure addresses methods Manage refers to the

to assure your Industrial IT management of your
solutions are functioning as Industrial IT investment,
designed including network security

30 Evolving services and solutions for a changing Industrial IT environment

 Honeywell’s Industrial IT Solutions
• Continuous improvement of “standard build”
– Consistent security configuration
• Extended remote service portfolio
– Tested AV signature files - daily
– Patch analysis and consolidated patching
– Security incident handling, perimeter management
• Introduction of global service management
– Uniform service delivery Assess

• Compliance management
• Full Whitelisting management and support Assure Remediate

Manage

31
 Partnering with our customers
• Documenting system security configuration
– Includes risks that need external mitigations
• Rapid qualification of security updates
– Microsoft
– Adobe
• Network and security design services
• Assessment services
– ISA99 / CSET security audits / assessments
• Services offering for system security management
– Patch, virus protection, and data recovery management
– Security perimeter management
• Continued investment in building security skills
– Design consultants, project and service engineers
32
 Security Program Dashboard

33
 Security from design to daily operation
• Honeywell Process Solutions….
– builds Security features into our standard products, and is continuously
evaluating and improving our security

– is committed to ISA99 and IEC-62443 standards for industrial control

system security

– works closely with external agencies including Department of Homeland

Security to improve ICS security

– documents secure system best practices and configurations

– provides timely communication of security issues to customers

– offers optional security features to customers who are want additional

protection
34
 roles / responsibilities for
protecting ICS’s from
cyber attacks

Industrial Control System

Cyber Security
35
 Stakeholders per phase in securing ICS’s
- ICS control system manufacturers / Vendors
- ICS automation solution providers
- System integrators and implementers
- Owner/operators or end users
- Local Governments

Phases and Participants in a Typical ICS Project

From ICSJWG Cross Vendor Position Paper

36
 Layers of Responsibility

End User
(Security management system)

System Integrator
(System engineering practices, Qualified Personnel)

Automation Supplier
(Software Development, Vendor Practices)

Automation Products
(Security features, Testing)

37
Vendor / automation supplier responsibilities

• Execute security testing during development cycle

• Integrate security into development lifecycle (SDLC)
• Scan systems for security vulnerabilities before deployment
• Document secure implementation of system
• Manage secure custody chain of assets
• Attain applicable 3rd party security certifications
• Provide timely qualification of security fixes
• Open and timely communication on product security issues
• Be positioned to respond to vulnerability disclosures or cyber
incidents against deployed systems

38
 Integrator / installer responsibilities

• Install system per vendors recommended security

practices
• Segment the Control System Network
• Ensure all software revisions are current during
installation
• Scan systems and network for security vulnerabilities
before final commissioning
• Baseline and document the system security before final
commissioning

39
 Owner / operator responsibilities
• Apply security fixes as soon as they’re qualified
• Keep Anti Virus and related protection technologies current
• Document security configuration, Policies & Procedures
• Provide security Training for operators & Contractors
• Control Access to the Control System
• Harden the Components of the System – apply defense in
depth
• Constantly monitor the security of the system
• Periodic full re-assessment of system security
• Work closely with vendor and integrators to adopt to new
security threats and vulnerabilities

40
 ICS Security responsibilities summary
• Owner / operators have the ultimate responsibility for the
security and safety of their systems
• ICS security must include technology, people, and
processes
• ICS security spans the lifecycle of an automation system
• requires a partnership between all stakeholders

• All the security technology and controls in the world will

not protect an ICS if not properly applied and
continuously managed

41
 responding to cyber attacks
against your ICS

Industrial Control System

Cyber Security
42
 Cyber Incident Response Plan
• Cyber security can no longer be an afterthought

• Question is not “IF” your site will be attacked, but

“WHEN”… be prepared

• Security can be measured by how quickly

you detect, contain, and recover from a
security incident.

• Develop a cyber incident response plan, and

actively “manage” it

43
 Cyber Incident Response Plan
• Create a cyber incident response plan
– Priority is to isolate any suspect component, maintain safe
operation, and preserve forensics where possible
– Operators must be trained on how to respond to a cyber incident
– Appoint a cyber security focal point and “watchdog” – with backup
– Include all levels of “defense in depth” in creating response plan

• Practice the plan ( test it )

• Re-evaluate and update the cyber incident response plan

periodically

44
 Effective Security Plan

45
 How can ICS’s prepare for cyber attacks?
• Do a security assessment of your site, remediate any
gaps identified, and repeat assessments periodically

• Partner with your ICS vendor and specific support

programs / organizations – keep defense plan current

• Consider what your vendor or a security consultant can

provide:
– 24 x 7 support center
– Security Operations Center
– Access to specialty security skill sets
– Develop and maintain a “dashboard” or HMI for security manager
– Actively monitor security trends ( ie: security watchdog )

46
 How can ICS’s prepare for cyber attacks?
• Review your vendor’s security documentation
– Network and Security Planning Guide
– Domain and Workgroup Implementation Guide

• Maintain current security protection technologies on your

system
– Anti-Virus, Application Whitelisting, IPS, Firewalls, …

• Keep security current – timely application of qualified

security updates

• Proactively / continuously monitor site for cyber incidents

47
 Be prepared for cyber attacks
• Integrate security into your culture at site

• An effective security program addresses people,

processes, and technology

• Work with your vendor to create a cyber incident

response plan, and Manage that plan

• Ensure everyone knows the key players, and who to call

• Security protections and incident response plans are only

effective if properly managed
48
 Q&A

Questions?

49
49