Cyber Security in the Process Industries

Chris Southan – Costain Natural Resources, Chief Engineer Control and Instrumentation


Presentation Context/Objectives

• Provide overview of industrial cybersecurity within the process industries

• Incidents, predominant threats and systems vulnerabilities

• Typical design and procedural countermeasures employed

• IEC 62443

• Industry momentum – Certification, Products and services

• Key areas of focus for Costain


Newsflash

2.46 million cyber incidents reported to last year – National Crime Agency

“Accelerated pace of technology and criminal cyber capability currently exceeds the UK collective response” – UK Government – 7th July 2016


Current Predominant Threats

Malware

– Virus, Spyware, Trojans, Worms

– 1000s of new malware being developed every day

Hacks

– Originating from internet

– 2015 - 245 reported attacks on ICS

– 2016 – 295 reported attacks on ICS

Trend is from low complexity attacks from opportunist amateur hackers to sophisticated multi vector attacks by criminal gangs and state sponsored groups

Corporate WAN/Business Net - 49%

Internet directly - 17%

VPN - 7%

Dial up node - 7%

Trusted 3rd Party - 10%

Public tel net - 7%

Wireless - 3%


Cyber Security Case Study

Ukrainian Power Grid Hack – Dec 2015

• Affected control centre operator station

• Operator screen suddenly accessed remotely

• External hacker opened circuit breakers, taking 30 substations off line

• Operator not able to take back control

• Logged out of OS and hackers changed operator password

• Accessed OS in two other centres, nearly doubling number of substations off line, 230,000 residents in the dark


ICS Trends/Challenges

Why the problem?

• Increasing requirement for access to all plant data

• Trend towards unmanned operation

• Increasing use of Ethernet based network technologies and embedded COTS software

• Increasing requirement for interfacing wireless devices

• Many plants have legacy proprietary closed systems where migration strategies introduce cyber vulnerabilities.

ICS specific response considerations

• Cyber vulnerabilities for control and safety systems very different from business IT applications.

• Skills gap. Industrial control systems generally developed, implemented and maintained by C&I engineers

Current status

• Mixed response across industry

• Major international process/manufacturing sector operators have been pace setters


Vulnerabilities – ICS Design Related

• Direct connection of ICS to unprotected business network – recent scan identified over 400 such systems in less than 8 hours

• Unsecured wi-fi access points / offsite maintenance links

• Use of COTS software such as Windows, with history of vulnerabilities emerging following initial release

• Switch/Router firmware

• ICS WAN connections over internet/public networks

• Flat ICS networks – susceptible to high latency, making them vulnerable to Denial of Service (DoS) attacks

• Unknown/forgotten unsecured device connections to the ICS


Vulnerabilities of ICS – Deployment/Procedural Issues

• Unnecessary services enabled on the ICS workstations (e.g. e-mail, RDP, Telnet etc.)

• Unauthorised account access (weak user account management policies, auto logout)

• Poor firewall/switch/router configuration

• Unused active network ports

• USB connections (considered to be cause of Stuxnet attack)

• Wireless peripherals (e.g. mouse)

25 July 2016

Countermeasures – Focus on Design

[Diagram. Threats: Rising Vulnerabilities; Smarter Hacking; Increase in Worms & Viruses. Procedural & Technical Barriers; Preparedness & Recovery. Consequences: Control Hi-jacking; Loss of View; Failure to Trip; Nuisance Trips.]

Application of security to typical control system

[Diagram labels: DMZ; DMZ; VPN Tunneller; Remote Access VPN Tunneller with encryption; IDS]

Other System Hardening

• Layer 2 and 3 network switches always managed

• Disable DHCP within PCN

• Remove or disable unused comms ports

• Remove/disable/block unnecessary applications and services

• Firewall whitelisting

• Intrusion detection system (File Integrity monitoring)
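
An added example, not part of the original presentation: a default-deny check of network flows against a firewall whitelist for a business / DMZ / PCN layout, which also flags any flow that crosses the PCN boundary without terminating in the DMZ. The zone names, subnets, whitelisted conduits and sample flows are all constructed assumptions.

```python
import ipaddress

# Constructed zone plan (assumption): business network, DMZ and PCN subnets.
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "pcn": ipaddress.ip_network("10.30.0.0/24"),
}

# Whitelisted conduits (assumption): (source zone, destination zone, protocol, port).
ALLOWED = {
    ("business", "dmz", "tcp", 443),  # business users read data mirrored into the DMZ
    ("pcn", "dmz", "tcp", 443),       # PCN pushes data outward to the DMZ
    ("pcn", "pcn", "tcp", 502),       # Modbus/TCP stays inside the PCN
}

def zone_of(addr):
    """Map an IP address to its zone; anything unlisted is 'external'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"

def check_flow(src, dst, proto, port):
    """Default-deny decision for one flow."""
    sz, dz = zone_of(src), zone_of(dst)
    # Any flow crossing the PCN boundary must start or end in the DMZ.
    if "pcn" in (sz, dz) and sz != dz and "dmz" not in (sz, dz):
        return "deny: bypasses DMZ"
    if (sz, dz, proto, port) in ALLOWED:
        return "allow"
    return "deny: not whitelisted"

def audit(flows):
    """Return (flow, verdict) for every flow the whitelist rejects."""
    verdicts = ((f, check_flow(*f)) for f in flows)
    return [(f, v) for f, v in verdicts if v != "allow"]

# Constructed sample flows: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.0.5", "tcp", 443),     # business -> DMZ
    ("10.30.0.20", "10.30.0.15", "tcp", 502),   # PCN -> PCN, Modbus/TCP
    ("10.10.4.7", "10.30.0.15", "tcp", 3389),   # RDP from business straight into PCN
    ("10.30.0.20", "10.30.0.15", "tcp", 23),    # Telnet inside the PCN
    ("203.0.113.9", "10.30.0.15", "tcp", 502),  # external host reaching a controller
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(flow, "->", verdict)
```

Run against exported firewall or switch flow logs, the same check separates traffic that merely lacks a whitelist entry from traffic that defeats the DMZ segregation altogether.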


Countermeasures – Procedural


Procedural Controls

• Cyber security management system

• Risk assessment

• Asset identification and management

• Authentication policies and controls

• Penetration testing

• Patch management and virus protection strategy

• Backups and system recovery plans

• Monitoring and incident response


IEC 62443 (ISA 99)

Cyber Security Management System


UK Industry Momentum - Regulation

Initial industry response (2006 onwards)

• US driven in conjunction with DHS.

• Major energy and manufacturing multinationals cooperate and implement solutions (LOGIIC2, WIB programs)

2016 as a response to increasing attacks

• Establishment of National Cyber Security Centre (Autumn 2016)

• Government publish National Cyber Security Strategy

• HSE Attention

• Increasing awareness amongst ICA community. Establishment

– Asset owners/Contractors/Systems Integrators/Vendors

• IEC61511 Issue 2 – Introduction of Cyber Security audit requirement to FSMS


Standards, Products and Services

• Focus on products and services in accordance with IEC62443 requirements

• Product certification

– Wurldtech Achilles Accreditation

– WIB Accreditation – Minimum PCD requirements for DCS

– ISA Security Compliance Institute (ISCI) - ISASecure Conformity Assessment Schemes. Certification schemes updated 2016.

• Certified devices – EDSA certification

– PLCs, SCADA, RTUs, other embedded controllers

• Certified Systems – SSA Certification

– Commercial off the shelf ICS (e.g. DCS/Safety systems)

Trend towards worldwide establishment of ISCI approved CA bodies (e.g. EXIDA in US, CSSC-CL in Japan. UK and German applications being processed).

• Competency Accreditation

– Professional certification – Registered cyber security professional


Costain areas of focus

• Leverage internal Costain expertise gained with major operators

• Continuing engagement at cross industry cyber security subject groups

• Integration of IEC62443 methods into E,C&I work processes including:

– Functional Safety Management System

– Hazard and risk assessment processes

– Control System Design

– Promote use of control systems integrators/Vendors with expertise in applying cyber security protection

• Continuing competence development of Engineers


Conclusions

• Threats are exceeding the collective response of UK industry at this time and action needs to be taken in order to avoid repeats of recent serious cyber attacks.

• There is a need for manufacturing industries, designers and product suppliers to review response to these threats.

• It is considered that this should be through:

– Engagement between control and IT disciplines across industry, leveraging user groups as much as possible

– Experience transfer from major industrial manufacturing corporations, experienced designers and accredited control systems Vendors

– By following designs and procedural controls recommended within recent standards

– The adoption of accredited products and services

Cybersecurity Industrial Systems – Process Contractor Perspective

Thank You


IEC62443.02.01 is “Zones and Conduits


Rapid adoption of Ethernet to the control and device layers

Ethernet has provided unified communications/transport layer

[Figure labels: 1990’s Business; 2000’s Control; 2010+ Device; RIO]

IT Penetration By Automation Level

[Figure. Levels: Information; Control; Device. Technologies shown: Windows; Windows CE; Java; Embedded Java; CORBA & DCOM; Ethernet OPC; Real-Time OPC; Embedded Web Servers; Web Servers; Device Networks; IEEE 1451; Browsers; Push]

Cyber Security Technical Authorities and standards

• Governance

– USA – NIST – National Institute of Standards and Technology (www.nist.gov/cybersecurityframework) 2014

– UK – CPNI – Centre for the Protection of National Infrastructure (www.cpni.gov.uk/protectingyourassets)

– ISA – International Society of Automation (www.isa.org)

• Standards

– ISO17799 Information Security Management

– IEC62443 Network and system security for industrial process measurement and control (formerly ISA-99-2007)

– ISA-TR84 Security Countermeasures related to Safety Instrumented Systems

– IEC 61511, Issue 2, 2016


Cyber Security Technical Authorities and standards

Differing Performance Requirements

Business IT | PCN
Non-Real-time | Real-time
Response must be reliable | Response is time critical
High delay and jitter accepted | High delay a serious concern

Differing Reliability Requirements

Business IT | PCN
Scheduled operation | Continuous operation
Occasional failures tolerated | Outages intolerable
Beta testing in the field acceptable | Thorough QA testing expected

Differing Risk Management Goals and Approaches

Business IT | PCN
Data integrity paramount | Human safety paramount
Risk impact is loss of data, loss of business operations | Risk impact is loss of life, equipment or product
Recover by reboot | Fault tolerance essential


IEC 62443 (ISA 99)

Cyber Security Management System

1) Identify Assets
2) Examine vulnerabilities – probability and criticality
3) Develop Business Case
4) IEC 61511 cyber security audit

1) Cyber Security Policy
2) Organisational Procedures
3) Functional safety management system

1) Network Segregation/firewalls/VPN
2) Access Control
   - Account administration
   - User authentication
3) Physical hardening
4) Antivirus/patch management