ABB MINING USER CONFERENCE, MAY 02-05, 2017
Cyber Security in Mining Automation
Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division
Agenda
– Why worry about cyber security?
– ABB’s approach to cyber security
– Cyber security roadmap – reaching maturity with ABB Cyber Security Services
May 8, 2017
Slide 2
Why is cyber security an issue?
Power and automation today
Modern automation, protection, and control systems are highly specialized IT systems
– Leverage commercial off-the-shelf IT components
– Use standardized, IP-based communication protocols
– Are distributed and highly interconnected
– Use mobile devices and storage media
– Are based on software (> 50% of the ABB offering is software-related)
Cyber security issues
– Increased attack surface as compared to legacy, isolated systems
– Communication with external (non-OT) systems
– Attacks from/over the IT world
Attacks are real and have an actual safety, health, environmental, and financial impact
Myth #1 – We are not interesting enough to be a target
“Small companies and industries outside of media attention are not a relevant target”
– If it’s worth having, it’s worth stealing
– Attackers’ business models are often built on economies of scale
– Critical infrastructure is often a network of smaller entities
Myth #2 – Security doesn’t pay off
“Strong security is a waste of time and money”
– Compromised control systems are NOT reliable and trustworthy and can prevent the customer from achieving its mission.
– Misoperations due to cyber events can become a safety issue.
– Business continuity insurance can become more expensive or even unavailable.
Anyone can become a target; defenses should be risk-driven.
Myth #3 – We are air-gapped so we’re immune
“Our system is air-gapped so attackers have no way in”
– Staff needs to get data into and out of the system
– Entirely isolated systems are extremely cumbersome and expensive to operate
– improvised, e.g. unapproved networks, temporary connections, portable media
Myth #4 – We’re not on the Internet so we’re immune
“Our system does not have a direct connection to the Internet so attackers have no way in”
– Majority of incidents are staged attacks
– enterprise network
Anyone can become a target; defenses should be risk-driven.
Addressing a unique set of requirements

                           | “Traditional” information technology                  | Power and automation technology
Object under protection    | Information                                           | Physical process
Risk impact                | Information disclosure, financial loss                | Safety, health, environmental, financial
Main security objective    | Confidentiality, privacy                              | Availability, integrity
Security focus             | Central servers (fast CPU, lots of memory, …)         | Distributed system (possibly limited resources)
Availability requirements  | 95 – 99% (accept. downtime/year: 18.25 – 3.65 days)   | 99.9 – 99.999% (accept. downtime/year: 8.76 hrs – 5.25 minutes)
System lifetime            | 3 – 10 years                                          | 5 – 25 years
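As an added example (not from the ABB deck), the Python below turns the availability percentages in the table above into the annual downtime budget they imply, reproducing the table's figures, and then checks a planned maintenance schedule against that budget. This is the arithmetic behind the IT/OT difference: a monthly patch reboot that is routine on an office server at 99% availability cannot fit a 99.999% control-system target. The maintenance schedules are constructed sample values; the "5.25 minutes" on the slide is the computed 5.256 minutes rounded down.

```python
"""Availability targets versus the downtime that planned maintenance needs.

Added example, not ABB material.  Converts an availability percentage into
an annual downtime budget and checks whether a planned outage schedule
(e.g. reboots after monthly patching) fits inside it.  Schedules used in
the demonstration are constructed sample values.
"""

MINUTES_PER_YEAR = 365 * 24 * 60  # non-leap year, as used for the slide's figures


def downtime_budget_minutes(availability_pct: float) -> float:
    """Allowed downtime per year, in minutes, for a given availability target."""
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage between 0 and 100")
    return (100.0 - availability_pct) / 100.0 * MINUTES_PER_YEAR


def describe_budget(availability_pct: float) -> str:
    """The budget in the unit that reads best: days, hours or minutes."""
    minutes = downtime_budget_minutes(availability_pct)
    if minutes >= 2 * 24 * 60:
        return f"{minutes / (24 * 60):.2f} days"
    if minutes >= 120:
        return f"{minutes / 60:.2f} hours"
    return f"{minutes:.2f} minutes"


def schedule_fits(availability_pct: float, events_per_year: int, minutes_per_event: float) -> bool:
    """True if the planned outages alone stay within the downtime budget.

    Planned maintenance is only part of real downtime (unplanned incidents also
    count), so a schedule that already exceeds the budget is certainly too much.
    """
    planned = events_per_year * minutes_per_event
    return planned <= downtime_budget_minutes(availability_pct)


if __name__ == "__main__":
    # Constructed schedule: twelve monthly patch cycles, 30 minutes of reboot each.
    for target in (95.0, 99.0, 99.9, 99.999):
        fits = "fits" if schedule_fits(target, 12, 30) else "does NOT fit"
        print(f"{target:>7}% availability -> budget {describe_budget(target):>14}; "
              f"12 x 30 min patch reboots {fits}")
```

Run stand-alone, the script shows that the same monthly patch schedule fits comfortably at 95–99.9% but is about seventy times over budget at 99.999%, which is why OT patching needs qualified patches and maintenance windows rather than an automatic weekly reboot.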
Why worry about cyber security? ABB’s approach to cyber security Cyber security roadmap – reaching maturity with ABB Cyber Security Services
Three guiding principles
Reality – There is no such thing as 100% or absolute security
Process – Cyber security is not a destination but an evolving target; it is not a product but a process
Balance – Cyber security is about finding the right balance; it impacts usability and increases cost
Cyber security is all about risk management
A word from ABB’s CEO
“ABB recognizes the importance of cyber security in control-based systems and solutions for infrastructure and industry, and is working closely with our customers to address the new challenges.”
Ulrich Spiesshofer, CEO ABB
Full lifecycle coverage
ABB addresses cyber security throughout the entire lifecycle and expects the same from our suppliers
Product lifecycle: Design – Implementation – Verification – Release – Support
Project lifecycle: Design – Engineering – FAT – Commissioning – SAT
Plant lifecycle: Operation – Maintenance – Review – Upgrade
Why worry about cyber security? ABB’s approach to cyber security Cyber security roadmap – reaching maturity with ABB Cyber Security Services
Diagnose
– Collect information for defined cyber KPIs
– Identify risk and compliance status with
  – international standards
  – relevant regulations
  – ABB best practices
  – customer policy and requirements
Implement
– Implement countermeasures to address the identified risks / gaps with defense-in-depth
Sustain
– ABB Customer Care service agreements
  – tailored to fit customer needs for regular maintenance
  – ensure desired level of security is maintained over time by improving implemented countermeasures
  – system and defense-in-depth concept to changed threat landscape
Inspiration
Note: IEC 62443-2-1 Ed 2.0 is still a work in progress and only available as draft from ISA here
Capability Maturity Indicator Levels (approach progression vs. institutionalization progression)
MIL 0: Generally, no practices are performed
MIL 1: Initial practices are performed but may be ad hoc
MIL 2: Practices are established
– Documented practices
– Stakeholder involvement
– Appropriate resources
– Relevant standards used
MIL 3: Practices are continuously managed
– Policies guide the practices, incl. compliance
– Continuous improvement
– Assigned responsibility and authority
– Role-specific training
Cyber Security Capability Domains
ISO/IEC 62443-2-1
10. Communication Security
maintenance
14. Information security aspects of business continuity management
C2M2 (ONG & ES)
1. Risk Management
2. Asset, Change, and Configuration Management
3. Identity and Access Management
4. Threat and Vulnerability Management
5. Situational Awareness
6. Information Sharing and Communications
7. Event and Incident Response, Continuity
8. Supply Chain and External Dependencies Management
9. Workforce Management
First step: Determine risk and define target maturity level for each domain
Example: Reaching MIL-1
Moving from MIL 0 to MIL 1 is a fairly big step
[Chart values as extracted from the slide: 2 6 6 12 3 2 11 9 6 4]
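An added example, not part of the ABB deck, of the "determine target level per domain, then find the gap" step. It applies the C2M2 scoring rule that maturity levels are cumulative: a domain has reached MIL n only when every practice at MIL n and at every lower level is fully implemented, so partially done MIL 2 work does not lift a domain that still has open MIL 1 practices. The domain names follow the C2M2 list on the slide; the practice identifiers, statuses and target levels are constructed samples, not the C2M2 practice catalogue.

```python
"""Achieved versus target maturity level per capability domain.

Added example, not ABB material.  Implements the C2M2 rule that MILs are
cumulative (all practices at a level and every lower level must be fully
implemented) and reports the gap to the target level chosen for each
domain.  Practice ids and statuses below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Domain:
    """One capability domain: its target MIL and the status of its practices."""
    name: str
    target_mil: int
    # practices[mil] maps a practice id to "full", "partial" or "not"
    practices: Dict[int, Dict[str, str]] = field(default_factory=dict)

    def achieved_mil(self) -> int:
        """Highest MIL whose practices, and those of all lower MILs, are all "full"."""
        level = 0
        for mil in sorted(self.practices):
            if mil != level + 1:
                break  # a level is missing from the ladder, nothing above can count
            if all(status == "full" for status in self.practices[mil].values()):
                level = mil
            else:
                break  # first incomplete level stops the climb
        return level

    def open_practices(self) -> List[Tuple[int, str]]:
        """Practices not yet fully implemented up to the target level, lowest MIL first."""
        return [
            (mil, pid)
            for mil in sorted(self.practices)
            if mil <= self.target_mil
            for pid, status in self.practices[mil].items()
            if status != "full"
        ]


def gap_report(domains: List[Domain]) -> Dict[str, Tuple[int, int, int]]:
    """Domain name -> (achieved MIL, target MIL, practices still open for the target)."""
    return {d.name: (d.achieved_mil(), d.target_mil, len(d.open_practices())) for d in domains}


# Constructed sample data (practice ids are illustrative, not C2M2's own)
SAMPLE_DOMAINS = [
    Domain("Risk Management", 2, {
        1: {"RM-1a": "full", "RM-1b": "full"},
        2: {"RM-2a": "partial", "RM-2b": "not", "RM-2c": "full"},
    }),
    Domain("Asset, Change, and Configuration Management", 1, {
        1: {"ACM-1a": "full", "ACM-1b": "not", "ACM-1c": "partial"},
        2: {"ACM-2a": "full"},  # done early, but does not count while MIL 1 is open
    }),
    Domain("Identity and Access Management", 1, {
        1: {"IAM-1a": "full", "IAM-1b": "full"},
        2: {"IAM-2a": "not"},   # above target, so not reported as a gap
    }),
]


if __name__ == "__main__":
    for name, (achieved, target, open_count) in gap_report(SAMPLE_DOMAINS).items():
        print(f"{name}: MIL {achieved} of target MIL {target}, {open_count} practice(s) open")
```

The report is what the roadmap stages need as input: domains with a gap at MIL 1 are the "getting started" work, while open practices above the target are deliberately ignored so effort goes where the risk decision put it.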
Stage 0 – Getting started
Objectives
– Raise awareness in management and other relevant levels of the
– Identify areas of biggest risk generically
ABB Cyber Security Services
– Awareness training
  – Often more effective if done by external entities
– Security assessment / fingerprint
  – Doesn’t have to be a very detailed audit
  – Leverage general experience with regards to common causes
  – Leverage general experience with regards to simple security countermeasures
Stage 1 – Introduce basic protection
Objectives
– Establish a foundation for cyber security in operations
– Mitigate the most common risks with countermeasures which the organization is capable of operating
– Demonstrate risk reduction effectiveness by selected examples
– Establish a context-specific, detailed understanding of risk
ABB Cyber Security Services
– Awareness training (continued)
– Security Patch Management
– Malware Protection Management
– System Hardening
– Backup & Recovery Management
– Network Security Management (at least perimeter)
– Basic security monitoring (of the above practices)
– Cyber Security Assessment
– Cyber Security Risk Assessment
Stage 2 – Defend your system
Objectives
– Establish a security management system based on the risk assessment results
– Establish security practices systematically
– Reach compliance to relevant standards (e.g. NERC-CIP, IEC 62443-2-1)
ABB Cyber Security Services
– Focused awareness training
– Security policy & procedure development
– Security Patch Management
– Malware Protection Management
– System Hardening
– Backup & Recovery Management
– Network Security Management
– User & Access Management
– Security Monitoring
– Incident Response*
– Cyber Security Assessment
Stage 3 – Manage your risks
Objectives
– Continuously adapt and improve the security management system based on the evolving threat landscape
– Maintain & document compliance with relevant standards
ABB Cyber Security Services
– Security policy & procedure development
– Security Patch Management
– Malware Protection Management
– System Hardening
– Backup & Recovery Management
– Network Security Management
– User & Access Management
– Security Monitoring
– Incident Response*
– Threat Intelligence*
Step-by-step to cyber security maturity
Introducing cyber security management into control systems
– Early steps must work towards a solid understanding of context-specific risks and prioritize these
– In parallel, basic controls can be introduced which experience shows will be part of any security management system
– Competent partners are available on the market to bridge transition periods or continuously provide services
Don’t be the deer in headlights – get started with small steps and look for partners!
Cyber Security Fingerprint – Assess & Diagnose
Overview
– Provides a comprehensive view of your site’s cyber security status
– Identifies strengths and weaknesses for defending against an attack within your plant’s control systems
– Reduces potential for system and plant disruptions
– Increases plant and community protection
– Supplies a solid foundation from which to build a sustainable cyber security strategy
It does NOT make the system completely secure.
[Sample results shown as a chart on the slide]
Consulting
Overview
– Cyber security awareness training
  – Raise awareness for cyber security threats and risks
  – For various audiences (technical as well as management)
– Product related security training
  – Enables attendees to fully leverage the security capabilities of ABB products, including e.g.
Implement / Sustain
Overview
Modern operating systems and embedded software often need to be patched to defend against emerging threats. Efficient patch management is an essential part of any security policy, but one that is often neglected. This service includes the implementation and maintenance of systems that handle security updates for third-party software (e.g. Microsoft or Adobe products).
Service can include
– Patch qualification
– Patch delivery (online or offline)
– Patch deployment
Implement / Sustain
Overview
A common threat to control systems is infection with malware, often generic malware circulating on the Internet but also targeted malware for control systems. Common anti-virus solutions are a part of the security architecture recommended by ABB. ABB experts secure your power and automation systems with industry-standard malware and intrusion protection solutions, like anti-virus protection and application whitelisting.
Service can include
– AV signature update qualification
– AV signature update delivery (online)
– AV signature update deployment
Offline solution – Security Patch Disc
Overview
The Security Patch Disc Service provides an efficient way for customers with no remote connectivity to deploy security patches and antivirus data files.
Benefits:
– customers to locate the ABB documentation, find the appropriate patches, download them from the Internet, and transfer them via mobile media to the control system
– risk of transferring a virus or malware using mobile media (e.g. USB drive)
1) Patch Tuesday
   monthly patches
   month
2) ABB Updates Status Document
   patches as tested and marks them as "T" in the Security Updates Validation Status product bulletin's
   released to ABB Library, MCS, SolutionsBank
3) Security Patch Testing Executed
   and test the various ABB products for compatibility issues with security patches released
4) ABB Updates Status Document
   Patches then go from "Testing" to "Qualified". Patches may remain in the testing state if further work is needed.
5) Security Patch Disc Production
   Security Patch Disc master is produced, manufactured, and shipped.
Online solution – ABB Security Update Service
Overview
The ABB Security Update Server is updated with the latest patches validated and approved by ABB:
– Microsoft patches (monthly update)
– McAfee and Symantec pattern files (as supported for the connected system – daily update)
The ABB Security Update Server synchronizes with the plant security server at the customer site. Servers are connected via ABB’s RAP/RAS service. The plant security server on the customer site distributes the security updates to the connected ABB control system(s).
[Diagram on the slide: 1. monthly patch deployment via WSUS (Server); 2. daily McAfee pattern updates via ePO Server (ePolicy Orchestrator); 3. Antivirus – daily Symantec pattern updates via Symantec Endpoint Protection Server]
Security Update Service for the automated distribution and deployment of ABB validated Cyber Security updates using highly secured methodology
Implement / Sustain
Overview
An important challenge in any cyber security management system is to maintain a system configuration that is as secure as possible – a task commonly referred to as system hardening. This service lets you benefit from the in-depth expertise of ABB and the hardening policies that have been vetted rigorously by ABB’s product and service teams.
Hardening may include for example
– removal or deactivation of unused software and services and specific ports
– removal or deactivation of unused user accounts
– generally proper utilization of security options provided by the system, e.g.
Implement / Sustain
Overview
If the worst does happen, and a cyber-attack or natural disaster strikes, then ABB’s backup and emergency response services enable a rapid recovery to normal operations. ABB’s back-up solutions ensure the integrity, and availability, of critical data and the system, no matter what happens to the
Implement / Sustain
Overview
Firewalls protect the perimeter of a network against outsider intrusion. ABB’s managed firewall service ensures your perimeter protection is actively monitored and maintained. Segregated networks allow for easier enforcement of the principle of least privilege on the network communication level. It is also crucial to contain potential incidents to a defined subsystem and to prevent a single breach of security from spreading throughout the entire system and into other systems. A well-designed security policy will separate the network into distinct, controlled zones, protected by internal firewalls, to ensure that a compromised server doesn’t mean compromising the entire network.
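An added example, not ABB's firewall service or any ABB tool, of what "least privilege on the network level" means in practice: the zones and the permitted conduits between them are written down as an allow-list with everything else denied, and the same policy is then used to review flow records and flag traffic that crosses a zone boundary without a permitted conduit. The zone names, subnets, ports and flow records are constructed for the example.

```python
"""Zone/conduit policy with default deny, used both to decide and to audit.

Added example, not ABB material.  Zones are sets of subnets; conduits are
the only cross-zone (source zone, destination zone, protocol, port) tuples
allowed.  review_flows() runs the policy over constructed sample flow
records to find cross-zone traffic the policy would not permit.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample addressing: zone name -> subnets
ZONES: Dict[str, List[str]] = {
    "enterprise": ["10.0.0.0/16"],
    "dmz":        ["10.1.0.0/24"],
    "control":    ["10.2.0.0/24"],
    "fieldbus":   ["10.3.0.0/24"],
}

# Permitted conduits (constructed).  Anything not listed is denied; traffic
# that stays inside one zone is not policed by this perimeter check.
CONDUITS = {
    ("enterprise", "dmz",      "tcp", 443),   # office users reach the historian web view
    ("dmz",        "control",  "tcp", 4840),  # OPC UA collector in the DMZ pulls from control
    ("dmz",        "control",  "tcp", 8530),  # WSUS replica in the DMZ serves patches inward
    ("control",    "fieldbus", "tcp", 502),   # controllers talk Modbus/TCP to field devices
}


def zone_of(ip: str) -> Optional[str]:
    """Zone containing the address, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return zone
    return None


def is_permitted(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Default deny: unknown zones and unlisted cross-zone conduits are refused."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    return (src, dst, proto, dport) in CONDUITS


def review_flows(flows: List[dict]) -> List[Tuple[dict, Optional[str], Optional[str]]]:
    """Flows the policy does not permit, with the zones involved, for incident review."""
    return [
        (f, zone_of(f["src"]), zone_of(f["dst"]))
        for f in flows
        if not is_permitted(f["src"], f["dst"], f["proto"], f["dport"])
    ]


# Constructed sample flow records (e.g. exported from a firewall or NetFlow collector)
SAMPLE_FLOWS = [
    {"src": "10.0.1.20",   "dst": "10.1.0.5",   "proto": "tcp", "dport": 443},   # permitted conduit
    {"src": "10.0.1.20",   "dst": "10.2.0.10",  "proto": "tcp", "dport": 3389},  # office host straight to control
    {"src": "10.1.0.5",    "dst": "10.2.0.10",  "proto": "tcp", "dport": 4840},  # permitted conduit
    {"src": "10.2.0.10",   "dst": "10.3.0.7",   "proto": "tcp", "dport": 502},   # permitted conduit
    {"src": "10.3.0.7",    "dst": "10.0.1.20",  "proto": "tcp", "dport": 443},   # field device calling out
    {"src": "10.2.0.10",   "dst": "10.2.0.11",  "proto": "tcp", "dport": 445},   # inside one zone
    {"src": "192.168.5.5", "dst": "10.2.0.10",  "proto": "tcp", "dport": 502},   # address in no known zone
]


if __name__ == "__main__":
    for flow, src_zone, dst_zone in review_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {flow['src']} ({src_zone}) -> {flow['dst']} ({dst_zone}) "
              f"{flow['proto']}/{flow['dport']}")
```

Two design points carry the slide's argument. Conduits are directional, so the same port is not implicitly open back out of the control zone, and an address in no defined zone is refused rather than treated as "internal"; that is what keeps a compromised server in one zone from becoming a compromise of the whole network.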
Diagnose
Overview
In-depth survey to obtain detailed information about
– the system infrastructure
– the effectiveness and status of existing cyber security measures.
The assessment is carried out by ABB in close cooperation with the customer and within a clearly defined scope of work. Collected data is compared against industry best practices and standards to detect weaknesses within your system’s defense. Pinpoints areas that require action to help protect your system by ensuring it has multiple layers of security. Proposes a solution that will maintain the system's cyber security at best-practice levels.
Consulting
Overview
This service contains an IEC 62443 based process for performing a cyber security risk assessment. The assessment shall improve the security of the products and systems, perform a threat/risk based security status evaluation and produce a plan for prioritizing the threats / risks for the control system. Risk assessment identifies and qualitatively assesses risk an
Security assessment checks compliance with given requirements, e.g. from internal, national or international standards or regulations.
Consulting
Overview
Cyber security will always be a challenge on a global scale; no single solution can keep increasingly interconnected systems secure. ABB works with customers to understand your processes and procedures, group security policies and computer settings to create a defense-in-depth approach. Multiple security layers detect and deter threats – if, where and when they may arise.
Implement / Sustain
Overview
Implementing user accounts and access rights is the recommended mechanism to enforce the principle of least privilege on the user level. Defining user access rights and user policies are both important measures. Typical user definitions to be implemented are accounts for the process control system, the demilitarized zone and remote work. This service gives the customer peace of mind that users of the system always have the approved and relevant access rights.
Sustain
Overview
Identifies, classifies and helps prioritize opportunities to improve the security of your control system by comparing data collected against industry best practices and standards to detect security vulnerabilities.
Features:
– Automatic, non-invasive data gathering
– Proactive analysis of KPIs to detect possible security weaknesses
– On-demand analysis
– On-site or remote access for site personnel and ABB experts
– Configurable alerts (locally and e-mail)
User interface
Raw Data – View: shows raw data associated with each channel
Math Function – Scan (scheduled): presents KPIs generated from raw data through periodic diagnostic monitoring
Notification – Track (event-triggered): generates notifications based on predefined KPIs
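An added example, not the ABB monitoring product shown on the slides, of the View / Scan / Track split described above: raw per-host data is kept as collected, a scheduled scan derives KPIs from it, and an event-triggered track step turns KPIs that breach a predefined threshold into notifications. The KPI names (patch age, AV signature age, firewall state, local administrator count), the thresholds and the host records are constructed assumptions chosen to monitor the basic practices listed in Stage 1.

```python
"""View / Scan / Track style security KPI monitoring over raw host data.

Added example, not ABB material.  view() returns raw data for a host, scan()
derives KPIs from all raw records on a schedule, track() emits notifications
for KPIs outside their predefined limits.  Records and thresholds below are
constructed samples.
"""
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed raw data, one record per monitored host
RAW_DATA: List[dict] = [
    {"host": "OPS-01", "last_patch": date(2017, 4, 12), "av_sig": date(2017, 5, 6),
     "fw_enabled": True,  "local_admins": 1},
    {"host": "ENG-02", "last_patch": date(2016, 11, 3), "av_sig": date(2017, 5, 6),
     "fw_enabled": True,  "local_admins": 4},
    {"host": "HIS-01", "last_patch": date(2017, 4, 12), "av_sig": date(2017, 3, 30),
     "fw_enabled": False, "local_admins": 1},
]

# Predefined KPI limits (constructed): a value above the limit raises a notification
THRESHOLDS: Dict[str, int] = {
    "patch_age_days":  60,   # monthly patch cycle plus qualification slack
    "av_sig_age_days": 7,    # daily pattern updates should never be a week old
    "local_admins":    2,    # built-in admin plus one break-glass account
}

Notification = Tuple[str, str, object, object]  # (host, kpi, observed, limit)


def view(raw: List[dict], host: str) -> Optional[dict]:
    """Raw Data view: the record for one host as it was collected."""
    return next((r for r in raw if r["host"] == host), None)


def scan(raw: List[dict], today: date) -> List[dict]:
    """Scheduled scan: derive KPIs from the raw records."""
    return [
        {
            "host": r["host"],
            "patch_age_days": (today - r["last_patch"]).days,
            "av_sig_age_days": (today - r["av_sig"]).days,
            "fw_enabled": r["fw_enabled"],
            "local_admins": r["local_admins"],
        }
        for r in raw
    ]


def track(kpis: List[dict]) -> List[Notification]:
    """Event-triggered track: notifications for KPIs outside their limits."""
    notes: List[Notification] = []
    for k in kpis:
        for name, limit in THRESHOLDS.items():
            if k[name] > limit:
                notes.append((k["host"], name, k[name], limit))
        if not k["fw_enabled"]:
            notes.append((k["host"], "fw_enabled", False, True))
    return notes


if __name__ == "__main__":
    for host, kpi, observed, limit in track(scan(RAW_DATA, date(2017, 5, 8))):
        print(f"{host}: {kpi} = {observed} (limit {limit})")
```

Keeping the three steps separate is what makes the alerts explainable: a notification can always be traced back to the KPI that fired and, through the view, to the raw record it was computed from, which is what an operator needs before acting on it.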