Presentation on theme: "Integrating Electronic Security into the Control Systems Environment: differences IT vs. Control Systems Enzo M. Tieghi –"— Presentation transcript:
Integrating Electronic Security into the Control Systems Environment: differences IT vs. Control Systems Enzo M. Tieghi –
Security IT & Control System Security: where are we?
Some cases about industrial - infrastructure Cyber incidents: In January, 2003, the SQL Slammer Worm penetrated a computer network at Ohios Davis-Besse nuclear power plant and disabled a safety monitoring system for nearly five hours; SQL Slammer Worm downed one utilitys critical SCADA network in US; another utility lost its Frame Relay Network used for communications; some petrochemical plants lost Human Machine Interfaces (HMIs) and data historians; a 911 call center was taken offline; Airline flights were delayed and cancelled in 2001, a series of cyber attacks were conducted on a computerized waste water treatment system by a disgruntled contractor in Queensland, Australia. One of these attacks caused the diversion of millions of gallons of raw sewage into a local river and park. There were 46 intrusions before the perpetrator was arrested.
Some cases about industrial - infrastructure Cyber incidents: In September, 2001, a teenager allegedly hacked into a computer server at the Port of Houston: the ports web service, which contained crucial data for shipping pilots, mooring companies and support firms responsible for helping ships navigate in and out of the harbor, was left inaccessible 1997: Shutdown at traffic air control system tower at Worchester Regional Airport (MA) USA Italy 2004: Sasser halts 40 PCs in production plant of leading pharmaceutical company (batches to rework, week-end spent to restart plants, reinstall and revalidate systems etc.) Water distribution SCADA system in California attacked and down (2005) … No official statistical source: database with tracked incidents in in California (USA) Database at BCIT (CA) in construction
The 3 security faces Phisical Security (Perimeter): Guard on duty, gates, ports, etc. Human factor Security (Organization): Security policy Security procedures Awareness and training Cyber-Security (Technology): Antivirus Acces control, authentication, … Firewalls, …
Internet Network Vulnerability: examples Controller or PLC Process Control Network (Proprietary or Ethernet) HMIControl System Application Server Ethernet SAP Corporate Network Mail Server Browser Clients Desktops Plant Network Historian Web Server MES Firewall Remote Access Server Mobile Operator Resource Constraints Wireless AP Disgruntled Employee Browser Malware Viruses IM Downloads Protocol Vulnerabilities VPN Penetration Vulnerability Exploit Firewall Penetration Unauthorized Access Vendor Diagnostics POTS Remote Access EMS/ Indirect System Penetration Contractor Hacking/Malware Flat Networks
eSecurity in control systems: industrial and infrastructure consideration about security (not only Safety) 11 items why Security in control systems (DCS, PLC, SCADA/HMI, plant networks, etc. ) is different from IT Security
BS7799 vs. ISA Comparison of Objectives Manufacturing and Control Systems Traditional IT Systems Priority AvailabilityConfidentiality Integrity Confidentiality Integrity Availability
ANSI/ISA-95 Functional Hierarchy
ANSI/ISATR Art. 6.5 Special Considerations for Manufacturing and Control Systems Manufacturing and Control System electronic security plans and programs are consistent with, and build on, existing IT security experience, programs, and practices. However, there are critical operational differences between IT and Manufacturing and Control Systems that influence how specific measures should be applied. (……).
Why eSec is different - 1 Differing risk management goals Rirsk Definition: Human safety and fault tolerance to prevent loss of life or endangerment of public health or confidence, loss of equipment, loss of intellectual property, or lost or damaged product.
Perché la Sicurezza è diversa? /2 Differing architecture security focus In a typical IT system, the primary focus of security is protecting the information stored on the central server. In manufacturing systems, the situation is reversed. Edge clients (e.g., PLC, operator station, or DCS controller) are typically more important than the central server. Why eSec is different - 2
Perché la Sicurezza è diversa?/3 Differing availability requirements Many manufacturing processes are continuous in nature. Unexpected outages of systems that control manufacturing processes are not acceptable. Exhaustive pre-deployment testing is essential to ensure high availability for the Manufacturing and Control System. In addition to unexpected outages, many control systems cannot be easily stopped and started without affecting production. In some cases, the products produced or equipment being used is more important than the information being relayed. The requirement for high availability, reliability, and maintainability reduces the effectiveness of IT strategies like rebooting. Why eSec is different - 3
Perché la Sicurezza è diversa?/4 Unintended consequences Manufacturing and Control Systems can be very complex in the way that they interact with physical processes. All security functions integrated into the process control system must be tested to prove that they do not introduce unacceptable vulnerabilities. Adding any physical or logical component to the system may reduce reliability of the control system, but the resulting reliability should be kept to acceptable levels. Why eSec is different -4
Perché la Sicurezza è diversa?/5 Time critical responses For some systems, automated response time or system response to human interaction is critical. For example, emergency actions on regulatory process control systems should not be hampered by requiring password authentication and authorization. Information flow must not be interrupted or compromised. Why eSec is different- 5
Perché la Sicurezza è diversa?/6 Differing response time requirements Manufacturing and Control Systems are generally time critical Delay is not acceptable for the delivery of information, and high throughput is typically not essential. Why eSec is different -6
Perché la Sicurezza è diversa?/7 System software Differing and custom operating systems and applications may not tolerate typical IT practices. Networks are often more complex and require a different level of expertise (e.g., control networks are typically managed by control engineers, not IT personnel). Software and hardware applications are more difficult to upgrade in a control system network. Many systems may not have desired features including encryption capabilities, error logging, and password protection. Why eSec is different -7
Perché la Sicurezza è diversa?/8 Resource constraints Control systems and their real time operating systems are resource constrained systems that do not include typical IT security technologies. There may not be available computing resources to retrofit these security technologies. Why eSec is different -8
Perché la Sicurezza è diversa?/9 Information integrity In-bound information is highly essential to the control system operation. It is important to take practical precautions to eliminate malicious in-bound information in an effort to maintain control operation. Why eSec is different -9
Perché la Sicurezza è diversa?/10 Communications Communication protocols and media used by control systems environments are typically different from the generic IT environment, and may be proprietary. Examples include radio telemetry using asynchronous serial protocols and proprietary communication networks. Why eSec is different -10
Perché la Sicurezza è diversa?/11 Software Updates Security patches cannot always be implemented on a timely basis because software changes need to be thoroughly tested by the vendor of the manufacturing control application and the end user of the application before being implemented Change management control is necessary to maintain integrity of the control systems. Why eSec is different - 11
Perché la Sicurezza è diversa ? These differences require careful assessment by Manufacturing and Control System experts working in conjunction with security and IT personnel. This team of people should carefully evaluate the applicability of IT and specific Manufacturing and Control Systems electronic security features, including thorough testing before application, where necessary. Why eSec is different: final
Network Segregation Rings of Defense for Corporate and SCADA Networks –
What to do: ad hoc methodology and tools Industrial Security Assessment Industrial Security Vulnerability Tests Industrial Security Policy Industrial Incident Response Plans Business Continuity & Disaster Recovery Plans Industrial Protection (Industrial IDS/IPS) Monitoring and Managed Services for Industry Audit
Where Control Systems are? Everywhere… Industrial but also Infrastructure Production and Distribution: Water, Oil & Gas, Power, etc. Traffic control: Railways, Highways, Tunnels, Air, etc. Buildings: Airports, Hospitals, Schools, Governament, Research Centers, Universities, Municipalities, etc. TLCs
Whats moving… 21 Steps to improve Cyber Security of SCADA Networks (USA White House) Common vulnerabilities in critical infrastructure control systems (U.S. Dept. Of Energys National Nuclear Security Administration) Securing Process Control Systems - IT Security (European Commission)
Industrial security and international standards BS7799-ISO27000 Information security management systems – Specification with guidance for use ISO/IEC 17799:2005 Information Technology – Code of practice for information security management ANSI/ISA SP99 TR1 Security for Manufacturing and Control Systems ANSI/ISA SP99 TR2 Integrating Electronic Security into Manufacturing and Control Systems Environment ISO/IEC Common Criteria NIST System Protection Profile for Industrial Control Systems (SPP-ICS) CIDX Chemical Industry Data Exchange - Cibersecurity Vulnerability Assessment Methodology (VAM) Guidance ISPE/GAMP4 – Good Automated Manufacturing Practices – App. O Guideline for Automated System Security NERC standards AGA standards