
Advancing the Roadmap Implementation May 2011 ICSJWG Spring Meeting Mark Heard, Eastman Chemical Company.


1 Advancing the Roadmap Implementation May 2011 ICSJWG Spring Meeting Mark Heard, Eastman Chemical Company

2 Presenter
Mark Heard, Eastman Chemical Company
- Control System Engineer
- Experience with several kinds of automation systems, especially networking with other plant systems
- General interest in security and admin issues for ICS
- Work on Eastman Cybersecurity teams
  - Process Control Network Security, 2003-
  - Network Segmentation, 2004-
  - Cybersecurity Vulnerability Assessment, 2005-
  - Process Automation Systems Authentication, 2006-
  - Systems Integrity, 2008-
- Working with ISA S99, ACC Cybersecurity Program (formerly thru ChemITC and CIDX) since 2002

3 What is the Roadmap? A structured set of priorities which address specific Industrial Control Systems (ICS) needs, over a 10 year timeframe Chemical Sector Coordinating Council (CSCC) signed off in Sept 2009 Agreeing to pursue a focused, coordinated approach to accomplish the activities set forth in the Roadmap

4 Is the risk real? (i.e., what is the problem that this is the solution for?)
- ICS are increasingly interconnected to other plant and business systems
- ICS vendors continue to rapidly incorporate standard Information Technology into their products
- These trends expose the ICS to modern malware threats
- Stuxnet demonstrated that ICS are susceptible to increasingly sophisticated cyber-attacks
- Potential consequences of an ICS incident are similar to those of a safety breach

5 Roadmap vision “In 10 years, the layers of defense for industrial control systems managing critical applications will be designed, installed and maintained, commensurate with risk, to operate with no loss of critical function during and after a cyber event.” Scope Industrial Control Systems (ICS) in chemical facilities that are part of the critical infrastructure Possible implications for ICS vendors Connection to other systems included if they impact ICS risk

6 Chemical Sector Roadmap Implementation Working Group est. December 2010 Roadmap Implementation Manager Catalyst 35, under ACC contract CSCC American Chemistry Council (ACC) National Petrochemical & Refiners Association (NPRA) DHS DHS NCSD Control Systems Security Program DHS Chemical SSA Owners/Operators AkzoNobel Dow Chemical Infineum DuPont Eastman Chemical Western Refining Exxon Mobil Air Products Ashland Air Products Vendors Computer Sciences Corporation (CSC)

7 DHS & Chemical sector working in partnership Chemical Sector Coordinating Council is sponsoring the Roadmap Implementation Working Group RIWG has collected a wealth of resources/reference information designed to assist owners/operators in addressing ICS security www.chemicalcybersecurity.com/ICSroadmap

8 Roadmap Working Group Focus Long Term Improved ICS security across the chemical sector Immediate Build awareness across the chemical sector and ICS vendor industry of resources available to assist the sector in realizing its long term objective. Comprehensive Awareness Campaign Cyber Incident Response Process Secure Information Sharing Forum Metrics

9 Awareness Campaign Conducting an ICS Security Assessment Developing a Business Case for investing in ICS security Training for employees who work in the ICS environment Implementing existing standards Complying with existing CFATS Regulations Leveraging Best Practices Wherever possible, not Chem sector specific

10 Training Resources Chemical Sector ICS Security Training Resource Developed by the Roadmap Implementation Committee Designed for professionals in the process control and automation industries. Lists selected and representative security trainings… not a comprehensive list Organized by levels of difficulty (intro; intermediate; adv) Includes links to relevant websites, for ease of training access

11 Implementing Existing Standards ISA99, Industrial Automation and Control Systems Security A series of 14 standards & technical reports Address all aspects of ICS security 3 work products have been published Several others are available in draft form for review and comment ISO/IEC 15408-1:2009 Establishes general concepts and principles of IT security evaluation Specifies the general model of evaluation given by its various parts Is intended to be used as the basis for evaluation of security properties of IT products

12 Relevant Guidance
- ACC Guidance for Addressing Cyber Security in the Chemical Sector
- DHS Catalog of Control Systems Security: Recommendations for Standards Developers
- NIST Special Publication (SP) 800-82, Guide to ICS Security, final public draft Sept 29, 2008
- NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009
- NERC Critical Infrastructure Protection – 002-009

13 CFATS RBPS 8 - Cyber
There are nine (9) specific risk-based performance metrics under RBPS 8:
- 8.1 Cyber Security Policies
- 8.2 Access Control
- 8.3 Personnel Security
- 8.4 Awareness and Training
- 8.5 Cyber Security Controls, Monitoring, Response, and Reporting
- 8.6 Disaster Recovery and Business Continuity
- 8.7 System Development and Acquisition
- 8.8 Configuration Management
- 8.9 Audits

Deter cyber sabotage, including preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control And Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS); critical business systems; and other sensitive computerized systems.

14 CFATS RBPS 8 - Cyber
In addition, cyber security is implicated in other RBPSs:
- RBPS 2: Secure Site Assets. Cyber components can be compromised physically, and thus critical cyber components should be physically secure as well
- RBPS 6: Diversion. For facilities with theft chemicals of interest, cyber components should be designed to prevent diversion of chemicals of interest to unauthorized individuals
- RBPS 11: Training. A comprehensive security training and awareness plan typically will include targeted training on cyber security issues
- RBPS 12: Personnel Surety. Background checks should be performed on individuals with access to critical cyber systems

15 Leveraging Best Practices Procurement Language Department of Homeland Security: Cyber Security Procurement Language for Control Systems Provides sample recommended language for control systems security requirements, including New SCADA/control systems Legacy systems Maintenance contracts Information and personnel security

16 Leveraging Best Practices Secure Connectivity Objective is to restrict the highest probable attack path to the ICS. Cyber-attacks on ICS have been most often initiated through the internet to the business system and then to the ICS Adequate firewalls and other isolation methods exist today NIST Catalog of Control Systems Security: Recommendations for Standards Developers / Section 2.15

17 Leveraging Best Practices Secure Remote Access Objective is to deter cyber-attacks from remote location access devices and control centers Includes devices that have access to the control system and system state sensors, senders and receivers Wireless communication devices Personal communication devices Virtual private network (VPN) connections Authorized vendor and support systems access NIST Catalog of Control Systems Security: Recommendations for Standards Developers / Section 2.15

18 Leveraging Best Practices Incident Management ICS-CERT definition of Incident: “In the context of cybersecurity, including ICS, an incident typically entails unauthorized access to computer networks and equipment with actions resulting in some form of negative consequence to the asset owners. Damage might include stolen data, exposure of private or business sensitive information, interruption of key services, a shutdown of production operations, damage to physical equipment and the environment, and defaced public websites. The economic and social consequences of a breach could be quite severe when considering negative publicity, loss of customer confidence, potential lawsuits, and direct financial loss caused by interruptions in production operations or equipment replacement and repair.”

19 Leveraging Best Practices: Incident Management
- Cyber-attack trends have demonstrated how rapidly an incident can escalate
- Many chemical companies have corporate and/or site incident management processes
- Information Sharing is a two-way street
- ICS-CERT is available as a resource to assist in addressing an incident
  - In doing so, contacting ICS-CERT will contribute to building situational awareness
- ICS-CERT
  - Conducts vulnerability and malware analyses
  - Provides onsite support for incident response and forensic analysis, when asked
  - Provides situational awareness with actionable intelligence
  - Coordinates responsible disclosure of vulnerability information and threat analysis
- For access to the ICS-CERT portal, please email: chemicalsector@dhs.gov

20 What Can You Do?
- Ensure someone takes ownership of ICS security and is accountable
- Open lines of communication between engineering, security, information technology, process safety and manufacturing operations communities within your own company
- Conduct an audit of current ICS security measures and implement obvious fixes
- Follow-up with an ICS security vulnerability analysis (risk assessment)
- Implement an ICS security management program that is integrated with existing company management systems for security, safety, quality, etc.
- Become an advocate in your company on this important issue

www.chemicalcybersecurity.com/ICSroadmap

21 20 OCT 2010 Questions?

