Advancing the Roadmap Implementation May 2011 ICSJWG Spring Meeting Mark Heard, Eastman Chemical Company.

Presenter
Mark Heard, Eastman Chemical Company
- Control System Engineer
- Experience with several kinds of automation systems, especially networking with other plant systems
- General interest in security and admin issues for ICS
- Work on Eastman Cybersecurity teams: Process Control Network Security, Network Segmentation, Cybersecurity Vulnerability Assessment, Process Automation Systems Authentication, Systems Integrity
- Working with ISA S99, ACC Cybersecurity Program (formerly thru ChemITC and CIDX) since 2002

What is the Roadmap?
- A structured set of priorities which address specific Industrial Control Systems (ICS) needs, over a 10 year timeframe
- Chemical Sector Coordinating Council (CSCC) signed off in Sept 2009, agreeing to pursue a focused, coordinated approach to accomplish the activities set forth in the Roadmap

Is the risk real? (i.e., what is the problem that this is the solution for?)
- ICS are increasingly interconnected to other plant and business systems
- ICS vendors continue to rapidly incorporate standard Information Technology into their products
- These trends expose the ICS to modern malware threats
- Stuxnet demonstrated that ICS are susceptible to increasingly sophisticated cyber-attacks
- Potential consequences of an ICS incident are similar to those of a safety breach

Roadmap vision
“In 10 years, the layers of defense for industrial control systems managing critical applications will be designed, installed and maintained, commensurate with risk, to operate with no loss of critical function during and after a cyber event.”
Scope
- Industrial Control Systems (ICS) in chemical facilities that are part of the critical infrastructure
- Possible implications for ICS vendors
- Connection to other systems included if they impact ICS risk

Chemical Sector Roadmap Implementation Working Group (est. December 2010)
- Roadmap Implementation Manager: Catalyst 35, under ACC contract
- CSCC: American Chemistry Council (ACC); National Petrochemical & Refiners Association (NPRA)
- DHS: DHS NCSD Control Systems Security Program; DHS Chemical SSA
- Owners/Operators: AkzoNobel, Dow Chemical, Infineum, DuPont, Eastman Chemical, Western Refining, Exxon Mobil, Air Products, Ashland
- Vendors: Computer Sciences Corporation (CSC)

DHS & Chemical sector working in partnership
- Chemical Sector Coordinating Council is sponsoring the Roadmap Implementation Working Group
- RIWG has collected a wealth of resources/reference information designed to assist owners/operators in addressing ICS security

Roadmap Working Group Focus
- Long Term: Improved ICS security across the chemical sector
- Immediate: Build awareness across the chemical sector and ICS vendor industry of resources available to assist the sector in realizing its long term objective
- Comprehensive Awareness Campaign
- Cyber Incident Response Process
- Secure Information Sharing Forum
- Metrics

Awareness Campaign
- Conducting an ICS Security Assessment
- Developing a Business Case for investing in ICS security
- Training for employees who work in the ICS environment
- Implementing existing standards
- Complying with existing CFATS Regulations
- Leveraging Best Practices
- Wherever possible, not Chem sector specific

Training Resources
Chemical Sector ICS Security Training Resource
- Developed by the Roadmap Implementation Committee
- Designed for professionals in the process control and automation industries
- Lists selected and representative security trainings… not a comprehensive list
- Organized by levels of difficulty (intro; intermediate; adv)
- Includes links to relevant websites, for ease of training access

Implementing Existing Standards
ISA99, Industrial Automation and Control Systems Security
- A series of 14 standards & technical reports
- Address all aspects of ICS security
- 3 work products have been published
- Several others are available in draft form for review and comment
ISO/IEC :2009
- Establishes general concepts and principles of IT security evaluation
- Specifies the general model of evaluation given by its various parts
- Is intended to be used as the basis for evaluation of security properties of IT products

Relevant Guidance
- ACC Guidance for Addressing Cyber Security in the Chemical Sector
- DHS Catalog of Control Systems Security: Recommendations for Standards Developers
- NIST Special Publication (SP) , Guide to ICS Security, final public draft Sept 29, 2008
- NIST SP Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009
- NERC Critical Infrastructure Protection –

CFATS RBPS 8 - Cyber
Deter cyber sabotage, including preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control And Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS); critical business systems; and other sensitive computerized systems.
There are nine (9) specific risk-based performance metrics under RBPS 8:
- 8.1 Cyber Security Policies
- 8.2 Access Control
- 8.3 Personnel Security
- 8.4 Awareness and Training
- 8.5 Cyber Security Controls, Monitoring, Response, and Reporting
- 8.6 Disaster Recovery and Business Continuity
- 8.7 System Development and Acquisition
- 8.8 Configuration Management
- 8.9 Audits

CFATS RBPS 8 - Cyber
In addition, cyber security is implicated in other RBPSs:
- RBPS 2: Secure Site Assets. Cyber components can be compromised physically, and thus critical cyber components should be physically secure as well
- RBPS 6: Diversion. For facilities with theft chemicals of interest, cyber components should be designed to prevent diversion of chemicals of interest to unauthorized individuals
- RBPS 11: Training. A comprehensive security training and awareness plan typically will include targeted training on cyber security issues
- RBPS 12: Personnel Surety. Background checks should be performed on individuals with access to critical cyber systems

Leveraging Best Practices: Procurement Language
- Department of Homeland Security: Cyber Security Procurement Language for Control Systems
- Provides sample recommended language for control systems security requirements, including:
  - New SCADA/control systems
  - Legacy systems
  - Maintenance contracts
  - Information and personnel security

Leveraging Best Practices: Secure Connectivity
- Objective is to restrict the highest probable attack path to the ICS
- Cyber-attacks on ICS have been most often initiated through the internet to the business system and then to the ICS
- Adequate firewalls and other isolation methods exist today
- Reference: NIST Catalog of Control Systems Security: Recommendations for Standards Developers / Section 2.15

Leveraging Best Practices: Secure Remote Access
- Objective is to deter cyber-attacks from remote location access devices and control centers
- Includes devices that have access to the control system and system state sensors, senders and receivers:
  - Wireless communication devices
  - Personal communication devices
  - Virtual private network (VPN) connections
  - Authorized vendor and support systems access
- Reference: NIST Catalog of Control Systems Security: Recommendations for Standards Developers / Section 2.15
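The two slides above (Secure Connectivity and Secure Remote Access) both come down to one rule: business users and remote users terminate in a DMZ, and only the DMZ talks to the control network. The script below is an added example, not material from the presentation or from DHS/NIST, that models that zone policy as a small rule engine and audits it for the "highest probable attack path" (a direct allow from the business or VPN zone into the control zone). All zone names, address ranges, ports and rules are constructed for the illustration; a real review would load the ruleset exported from the site firewall instead.

```python
"""Zone-based connectivity and remote-access check for an ICS network.

Added example for illustration; not part of the presentation. Zone names,
address ranges, ports and rules below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed zones: business LAN, a DMZ holding the historian replica and a
# jump host, the control network, and the VPN client pool used for remote access.
ZONES = {
    "business": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "control": ip_network("192.168.100.0/24"),
    "remote": ip_network("172.16.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None means any port
    action: str              # "allow" or "deny"


# Constructed policy. Business users and VPN clients may reach only the DMZ;
# only the DMZ collector polls the control network, and the control network
# may only push data outward to the DMZ. Everything else falls to the default.
POLICY: List[Rule] = [
    Rule("business", "dmz", 443, "allow"),   # historian web view
    Rule("remote", "dmz", 22, "allow"),      # vendor VPN -> jump host (SSH)
    Rule("dmz", "control", 502, "allow"),    # Modbus/TCP polls from DMZ collector
    Rule("control", "dmz", 443, "allow"),    # outbound data push to historian
]
DEFAULT_ACTION = "deny"


def zone_of(ip: str) -> Optional[str]:
    """Return the zone an address belongs to, or None if it matches no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Decide a single flow: first matching rule wins, otherwise DEFAULT_ACTION."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"            # unknown addresses never reach the control zone
    if src == dst:
        return "allow"           # intra-zone traffic is out of scope for this check
    for rule in POLICY:
        if rule.src_zone == src and rule.dst_zone == dst and rule.dst_port in (None, dst_port):
            return rule.action
    return DEFAULT_ACTION


def audit_policy(policy: List[Rule]) -> List[str]:
    """Flag rules that open the highest-probability path: business or remote
    zones allowed straight into the control zone, or any-port allows."""
    findings = []
    for rule in policy:
        if rule.action != "allow":
            continue
        if rule.dst_zone == "control" and rule.src_zone in ("business", "remote"):
            findings.append(
                f"direct {rule.src_zone}->control allow on port {rule.dst_port or 'any'}")
        if rule.dst_port is None:
            findings.append(f"{rule.src_zone}->{rule.dst_zone} allows any port")
    return findings


if __name__ == "__main__":
    # Constructed sample flows: the two that go through the DMZ are allowed;
    # the two direct paths into the control network are denied.
    for src, dst, port in [
        ("10.10.5.5", "10.20.0.10", 443),       # business -> historian view
        ("10.10.5.5", "192.168.100.7", 502),    # business -> PLC directly
        ("172.16.3.3", "10.20.0.10", 22),       # VPN client -> jump host
        ("172.16.3.3", "192.168.100.7", 502),   # VPN client -> PLC directly
    ]:
        print(f"{src} -> {dst}:{port}  {evaluate(src, dst, port)}")
    # A hypothetical rule a vendor might ask for; the audit flags it twice.
    for finding in audit_policy(POLICY + [Rule("remote", "control", None, "allow")]):
        print("finding:", finding)
```

The audit deliberately treats a VPN client pool the same as the business LAN: a remote user who has authenticated to the VPN is still outside the control zone and should land on the jump host, which keeps the remote-access path subject to the same single choke point as the connectivity path.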

Leveraging Best Practices: Incident Management
ICS-CERT definition of Incident:
“In the context of cybersecurity, including ICS, an incident typically entails unauthorized access to computer networks and equipment with actions resulting in some form of negative consequence to the asset owners. Damage might include stolen data, exposure of private or business sensitive information, interruption of key services, a shutdown of production operations, damage to physical equipment and the environment, and defaced public websites. The economic and social consequences of a breach could be quite severe when considering negative publicity, loss of customer confidence, potential lawsuits, and direct financial loss caused by interruptions in production operations or equipment replacement and repair.”

Leveraging Best Practices: Incident Management
- Cyber-attack trends have demonstrated how rapidly an incident can escalate
- Many chemical companies have corporate and/or site incident management processes
- Information Sharing is a two-way street
- ICS-CERT is available as a resource to assist in addressing an incident; in doing so, contacting ICS-CERT will contribute to building situational awareness
- ICS-CERT:
  - Conducts vulnerability and malware analyses
  - Provides onsite support for incident response and forensic analysis, when asked
  - Provides situational awareness with actionable intelligence
  - Coordinates responsible disclosure of vulnerability information and threat analysis
- For access to the ICS-CERT portal, please

What Can You Do?
- Ensure someone takes ownership of ICS security and is accountable
- Open lines of communication between engineering, security, information technology, process safety and manufacturing operations communities within your own company
- Conduct an audit of current ICS security measures and implement obvious fixes
- Follow up with an ICS security vulnerability analysis (risk assessment)
- Implement an ICS security management program that is integrated with existing company management systems for security, safety, quality, etc.
- Become an advocate in your company on this important issue

20 OCT 2010 Questions?