Cyber Security in the Process Industries
Chris Southan – Costain Natural Resources
Chief Engineer Control and Instrumentation
Presentation Context/Objectives
• Provide overview of industrial cybersecurity within the process industries
• Incidents, predominant threats and systems vulnerabilities
• Typical design and procedural countermeasures employed
• IEC 62443
• Industry momentum – Certification, Products and services
• Key areas of focus for Costain
Newsflash
2.46 million cyber incidents reported to last year – National Crime Agency
“Accelerated pace of technology and criminal cyber capability currently exceeds the UK collective response” – UK Government – 7th July 2016
Current Predominant Threats
Malware
– Virus, Spyware, Trojans, Worms
– 1000s of new malware being developed every day
Hacks
– Originating from internet
– 2015 - 245 reported attacks on ICS
– 2016 - 295 reported attacks on ICS
Trend is from low complexity attacks from opportunist amateur hackers to sophisticated multi vector attacks by criminal gangs and state sponsored groups
Corporate WAN/Business Net - 49%
Internet directly - 17%
VPN - 7%
Dial up node - 7%
Trusted 3rd Party - 10%
Public tel net - 7%
wireless - 3%
Cyber Security Case Study
Ukrainian Power Grid Hack – Dec 2015
• Affected control centre operator station
• Operator screen suddenly accessed remotely
• External hacker opened circuit breakers, taking 30 substations off line
• Operator not able to take back control
• Logged out of OS and hackers changed operator password
• Accessed OS in two other centres, nearly doubling number of substations off line, 230,000 residents in the dark
ICS Trends/Challenges
Why the problem?
• Increasing requirement for access to all plant data.
• Trend towards unmanned operation
• Increasing use of Ethernet based network technologies and embedded COTS software
• Increasing requirement for interfacing wireless devices
• Many plants have legacy proprietary closed systems where migration strategies introduce cyber vulnerabilities.
ICS specific response considerations
• Cyber vulnerabilities for control and safety systems very different from business IT applications.
• Skills gap. Industrial control systems generally developed, implemented and maintained by C&I engineers
Current status
• Mixed response across industry
• Major international process/manufacturing sector operators have been pace setters
Vulnerabilities – ICS Design Related
• Direct connection of ICS to unprotected business network – recent scan identified over 400 such systems in less than 8 hours
• Unsecured wi-fi access points / offsite maintenance links
• Use of COTS software such as Windows, with a history of vulnerabilities emerging following initial release
• Switch/Router firmware
• ICS WAN connections over internet/public networks
• Flat ICS networks – susceptible to high latency, making them vulnerable to Denial of Service (DoS) attacks
• Unknown/forgotten unsecure device connections to the ICS
Vulnerabilities of ICS – Deployment/Procedural Issues
• Unnecessary services enabled on the ICS workstations (eg E-mail, RDP, Telnet etc)
• Unauthorised account access (weak user account management policies, auto logout)
• Poor firewall/switch/router configuration
• Unused active network ports
• USB connections (Considered to be cause of Stuxnet attack)
• Wireless peripheral (eg mouse)
25 July 2016
Countermeasures – Focus on Design
[Figure: Threats (Rising Vulnerabilities; Smarter Hacking; Increase in Worms & Viruses), Procedural & Technical Barriers, Preparedness & Recovery, Consequences (Control Hi-jacking; Loss of View; Failure to Trip; Nuisance Trips)]
Application of security to typical control system
[Figure: control system network diagram; labels: DMZ, DMZ, VPN Tunneller, Remote Access, VPN Tunneller with encryption, IDS]
Other System Hardening
• Layer 2 and 3 network switches always managed
• Disable DHCP within PCN
• Remove or disable unused comms ports
• Remove/disable/block unnecessary applications and services
• Firewall whitelisting
• Intrusion detection system (File Integrity monitoring)
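An added example (not from the original slides): a small Python audit of a firewall allowlist between business, DMZ and PCN zones, checking for the weaknesses the slides name (direct business-to-ICS paths, unnecessary services such as E-mail, RDP and Telnet, and rules too broad to count as whitelisting). The zone names, rule format and sample rules are assumptions constructed for illustration.

```python
"""Audit a PCN firewall allowlist. Zone names and rules are constructed samples."""
from typing import NamedTuple


class Rule(NamedTuple):
    src: str    # source zone (hypothetical names: business, dmz, pcn)
    dst: str    # destination zone
    proto: str  # "tcp", "udp" or "any"
    port: int   # 0 means "any port"


# Services the slides list as unnecessary on ICS workstations.
RISKY_PORTS = {23: "Telnet", 25: "E-mail (SMTP)", 3389: "RDP"}


def audit(rules):
    """Return (rule, finding) pairs for entries that weaken the allowlist."""
    findings = []
    for r in rules:
        if r.proto == "any" or r.port == 0:
            findings.append((r, "wildcard protocol/port defeats whitelisting"))
        if {r.src, r.dst} == {"business", "pcn"}:
            findings.append((r, "direct business/PCN path bypasses the DMZ"))
        if r.port in RISKY_PORTS and "pcn" in (r.src, r.dst):
            findings.append((r, f"{RISKY_PORTS[r.port]} reachable to or from the PCN"))
    return findings


def permitted(rules, src, dst, proto, port):
    """Default deny: a flow passes only if some rule matches it."""
    return any(
        r.src == src and r.dst == dst
        and r.proto in (proto, "any") and r.port in (port, 0)
        for r in rules
    )


# Constructed ruleset, for illustration only.
SAMPLE_RULES = [
    Rule("business", "dmz", "tcp", 443),   # web view of a DMZ data server
    Rule("dmz", "pcn", "tcp", 4840),       # OPC UA from the DMZ data server
    Rule("business", "pcn", "tcp", 3389),  # RDP straight into the PCN
    Rule("dmz", "pcn", "any", 0),          # leftover any/any rule
]

if __name__ == "__main__":
    for rule, why in audit(SAMPLE_RULES):
        print(rule, "->", why)
```

With the leftover any/any rule present, Telnet from the DMZ into the PCN is permitted even though no rule names it; with only the first two rules it is denied by default.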
Countermeasures – Procedural
Procedural Controls
• Cyber security management system
• Risk assessment
• Asset identification and management
• Authentication policies and controls
• Penetration testing
• Patch management and virus protection strategy
• Backups and system recovery plans
• Monitoring and incident response
UK Industry Momentum - Regulation
Initial industry response (2006 onwards)
• US driven in conjunction with DHS.
• Major energy and manufacturing multinationals cooperate and implement solutions (LOGIIC2, WIB programs)
2016 as a response to increasing attacks
• Establishment of National Cyber Security Centre (Autumn 2016)
• Government publish National Cyber Security Strategy
• HSE Attention
• Increasing awareness amongst ICA community. Establishment
– Asset owners/Contractors/Systems Integrators/Vendors
• IEC61511 Issue 2 – Introduction of Cyber Security audit requirement to FSMS
Standards, Products and Services
• Focus on products and services in accordance with IEC62443 requirements
• Product certification
– Wurldtech Achilles Accreditation
– WIB Accreditation – Minimum PCD requirements for DCS
– ISA Security Compliance Institute (ISCI) – ISASecure Conformity assessment Schemes. Certification schemes updated 2016.
• Certified devices – EDSA certification
– PLCs, SCADA, RTUs, other embedded controllers
• Certified Systems – SSA Certification
– Commercial off the shelf ICS (eg DCS/Safety systems)
Trend towards worldwide establishment of ISCI approved CA bodies (eg EXIDA in US, CSSC-CL in Japan. UK and German applications being processed).
• Competency Accreditation
– Professional certification – Registered cyber security professional
Costain areas of focus
• Leverage internal Costain expertise gained with major operators
• Continuing engagement at cross industry cyber security subject groups
• Integration of IEC62443 methods into E,C&I work processes including:
– Functional Safety Management System
– Hazard and risk assessment processes
– Control System Design
– Promote use of control systems integrators/Vendors with expertise in applying cyber security protection
• Continuing competence development of Engineers
Conclusions
• Threats are exceeding the collective response of UK industry at this time and action needs to be taken in order to avoid repeats of recent serious cyber attacks.
• There is a need for manufacturing industries, designers and product suppliers to review response to these threats.
• It is considered that this should be through:
– Engagement between control and IT disciplines across industry, leveraging user groups as much as possible
– Experience transfer from major industrial manufacturing corporations, experienced designers and accredited control systems Vendors
– By following designs and procedural controls recommended within recent standards
– The adoption of accredited products and services
Rapid adoption of Ethernet to the control and device layers
Ethernet has provided unified communications/transport layer
[Figure: Ethernet adoption by layer; labels: 1990's Business, 2000's Control, 2010+ Device, RIO]
IT Penetration By Automation Level
[Figure: automation levels Information, Control, Device; technology labels: Windows, Windows CE, Java, Embed'd Java, CORBA & DCOM, Ethernet OPC, Real-Time OPC, Embedded Web Servers, Web Servers, Device Networks, IEEE 1451, Browsers, Push, IEEE 1451]
Cyber Security Technical Authorities and standards
• Governance
– USA – NIST – National Institute of Standards and Technology (www.nist.gov/cybersecurityframework) 2014
– UK – CPNI – Centre for the Protection of National Infrastructure (www.cpni.gov.uk/protectingyourassets)
– ISA – International Society of Automation (www.isa.org)
• Standards
– ISO17799 Information Security Management
– IEC62443 Network and system security for industrial process measurement and control (formerly ISA-99-2007)
– ISA-TR84 Security Countermeasures related to Safety Instrumented systems
– IEC 61511, Issue 2, 2016
Cyber Security Technical Authorities and standards

Differing Performance Requirements
Business IT | PCN
Non-Real-time | Real-time
Response must be reliable | Response is time critical
High delay and jitter accepted | High delay a serious concern

Differing Reliability Requirements
Business IT | PCN
Scheduled operation | Continuous operation
Occasional failures tolerated | Outages intolerable
Beta testing in the field acceptable | Thorough QA testing expected

Differing Risk Management Goals and Approaches
Business IT | PCN
Data integrity paramount | Human safety paramount
Risk impact is loss of data, loss of business operations | Risk impact is loss of life, equipment or product
Recover by reboot | Fault tolerance essential
IEC 62443 (ISA 99)
Cyber Security Management System

1) Identify Assets
2) Examine vulnerabilities – probability and criticality
3) Develop Business Case
4) IEC 61511 cyber security audit

1) Cyber Security Policy
2) Organisational Procedures
3) Functional safety management system

1) Network Segregation/firewalls/VPN
2) Access Control
- Account administration
- User authentication
3) Physical hardening
4) Antivirus/patch management