Title: Integrating Electronic Security into the Control Systems Environment: differences IT vs. Control Systems

1. Integrating Electronic Security into the Control Systems Environment: differences IT vs. Control Systems
Enzo M. Tieghi, etieghi_at_visionautomation.it
2. Security: IT Security / Control System Security, where are we?
3. Some cases of industrial and infrastructure cyber incidents
- In January 2003, the SQL Slammer worm penetrated a computer network at Ohio's Davis-Besse nuclear power plant and disabled a safety monitoring system for nearly five hours. SQL Slammer also downed one utility's critical SCADA network in the US; another utility lost its Frame Relay network used for communications; some petrochemical plants lost Human Machine Interfaces (HMIs) and data historians; a 911 call center was taken offline; airline flights were delayed and cancelled.
- In 2001, a series of cyber attacks were conducted on a computerized waste water treatment system by a disgruntled contractor in Queensland, Australia. One of these attacks caused the diversion of millions of gallons of raw sewage into a local river and park. There were 46 intrusions before the perpetrator was arrested.
4. Some cases of industrial and infrastructure cyber incidents (continued)
- In September 2001, a teenager allegedly hacked into a computer server at the Port of Houston; the port's web service, which contained crucial data for shipping pilots, mooring companies and support firms responsible for helping ships navigate in and out of the harbor, was left inaccessible.
- 1997: shutdown of the air traffic control system tower at Worcester Regional Airport (MA), USA.
- Italy, 2004: Sasser halts 40 PCs in the production plant of a leading pharmaceutical company (batches to rework, weekend spent restarting plants, reinstalling and revalidating systems, etc.).
- Water distribution SCADA system in California attacked and down (2005).
- No official statistical source; a database with 20-30 tracked incidents in 2002-2004 in California (USA); a database at BCIT (CA) is under construction.
5. The 3 security faces
- Physical Security (Perimeter)
  - Guard on duty, gates, ports, etc.
- Human factor Security (Organization)
  - Security policy
  - Security procedures
  - Awareness and training
- Cyber-Security (Technology)
  - Antivirus
  - Access control, authentication
  - Firewalls
6. Network Vulnerability examples
[Network diagram; labelled elements: Firewall, Browser Clients, SAP, Mail Server, Corporate Network, MES, Desktops, Plant Network, Web Server, Historian, Wireless AP, Remote Access Server, Mobile Operator, Ethernet, HMI, Control System Application Server, Process Control Network (Proprietary or Ethernet), Controller or PLC]
7. eSecurity in control systems: industrial and infrastructure considerations about security (not only safety)
- 11 items on why security in control systems (DCS, PLC, SCADA/HMI, plant networks, etc.) is different from IT security
8. BS7799 vs. ISA-99.00.01: Comparison of Objectives
9. ANSI/ISA-95 Functional Hierarchy
10. ANSI/ISA-TR99.00.02-2004
- Art. 6.5, Special Considerations for Manufacturing and Control Systems
- Manufacturing and Control System electronic security plans and programs are consistent with, and build on, existing IT security experience, programs, and practices. However, there are critical operational differences between IT and Manufacturing and Control Systems that influence how specific measures should be applied. (...)
11. Why eSec is different - 1
- Differing risk management goals
  - Risk definition: human safety and fault tolerance to prevent loss of life or endangerment of public health or confidence, loss of equipment, loss of intellectual property, or lost or damaged product.
12. Why is Security different? / Why eSec is different - 2
- Differing architecture security focus
  - In a typical IT system, the primary focus of security is protecting the information stored on the central server.
  - In manufacturing systems, the situation is reversed. Edge clients (e.g., PLC, operator station, or DCS controller) are typically more important than the central server.
13. Why is Security different? / Why eSec is different - 3
- Differing availability requirements
  - Many manufacturing processes are continuous in nature. Unexpected outages of systems that control manufacturing processes are not acceptable. Exhaustive pre-deployment testing is essential to ensure high availability for the Manufacturing and Control System. In addition to unexpected outages, many control systems cannot be easily stopped and started without affecting production. In some cases, the products produced or the equipment being used is more important than the information being relayed. The requirement for high availability, reliability, and maintainability reduces the effectiveness of IT strategies like rebooting.
14. Why is Security different? / Why eSec is different - 4
- Unintended consequences
  - Manufacturing and Control Systems can be very complex in the way that they interact with physical processes. All security functions integrated into the process control system must be tested to prove that they do not introduce unacceptable vulnerabilities. Adding any physical or logical component to the system may reduce the reliability of the control system, but the resulting reliability should be kept at acceptable levels.
15. Why is Security different? / Why eSec is different - 5
- Time critical responses
  - For some systems, automated response time or system response to human interaction is critical.
  - For example, emergency actions on regulatory process control systems should not be hampered by requiring password authentication and authorization.
  - Information flow must not be interrupted or compromised.
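The design point of this slide, that an emergency action must never wait behind an authentication prompt while routine commands still require an authenticated operator, can be made concrete in code. The following is an added example, not from the slides or from ISA TR99; the command names, roles, session token format and 15-minute session lifetime are constructed for illustration, and authentication itself is assumed to happen elsewhere:

```python
"""Added example: command authorization that never delays an emergency action.

Safety-related emergency commands go through without any authentication
check but are always audited; routine commands need a valid, unexpired
session whose role permits them. All names and limits are constructed.
"""
from dataclasses import dataclass, field
import time

# Constructed catalogue: emergency commands drive the process to a safe state.
EMERGENCY_COMMANDS = {"emergency_stop", "open_relief_valve", "trip_to_safe_state"}
# Constructed role model: which routine commands each role may issue.
ROLE_PERMISSIONS = {
    "operator": {"set_setpoint", "ack_alarm"},
    "engineer": {"set_setpoint", "ack_alarm", "download_logic"},
}
SESSION_TTL_S = 900  # constructed: sessions expire after 15 minutes


@dataclass
class Session:
    user: str
    role: str
    issued_at: float


@dataclass
class Authorizer:
    sessions: dict = field(default_factory=dict)  # token -> Session
    audit: list = field(default_factory=list)     # (time, user, command, outcome)

    def login(self, token, user, role, now=None):
        """Register an already-authenticated session (authentication is out of scope)."""
        self.sessions[token] = Session(user, role, time.time() if now is None else now)

    def authorize(self, command, token=None, now=None):
        """Return (allowed, reason) and append exactly one audit record per decision."""
        now = time.time() if now is None else now
        session = self.sessions.get(token)
        if command in EMERGENCY_COMMANDS:
            # Safety path: nothing may stand in the way, so the compensating
            # control is the audit record of who (if anyone) was logged in.
            who = session.user if session else "unauthenticated"
            self.audit.append((now, who, command, "emergency-allowed"))
            return True, "emergency action: authentication bypassed, logged"
        if session is None:
            self.audit.append((now, "unknown", command, "denied-no-session"))
            return False, "no valid session"
        if now - session.issued_at > SESSION_TTL_S:
            self.audit.append((now, session.user, command, "denied-expired"))
            return False, "session expired"
        if command not in ROLE_PERMISSIONS.get(session.role, set()):
            self.audit.append((now, session.user, command, "denied-role"))
            return False, f"role {session.role} may not issue {command}"
        self.audit.append((now, session.user, command, "allowed"))
        return True, "authorized"


if __name__ == "__main__":
    auth = Authorizer()
    print(auth.authorize("emergency_stop", now=1000.0))                 # allowed, unauthenticated
    auth.login("tok-1", "alice", "operator", now=1000.0)
    print(auth.authorize("set_setpoint", token="tok-1", now=1010.0))    # allowed
    print(auth.authorize("download_logic", token="tok-1", now=1010.0))  # denied: role
    for record in auth.audit:
        print(record)
```

The point of the split is that the safety action is governed by the audit trail rather than by a gate: a denied or delayed emergency stop is a worse outcome than a misused one that is fully recorded, which is the inverse of the usual IT trade-off.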
16. Why is Security different? / Why eSec is different - 6
- Differing response time requirements
  - Manufacturing and Control Systems are generally time critical.
  - Delay is not acceptable for the delivery of information, and high throughput is typically not essential.
17. Why is Security different? / Why eSec is different - 7
- System software
  - Differing and custom operating systems and applications may not tolerate typical IT practices.
  - Networks are often more complex and require a different level of expertise (e.g., control networks are typically managed by control engineers, not IT personnel).
  - Software and hardware applications are more difficult to upgrade in a control system network.
  - Many systems may not have desired features, including encryption capabilities, error logging, and password protection.
18. Why is Security different? / Why eSec is different - 8
- Resource constraints
  - Control systems and their real-time operating systems are resource-constrained systems that do not include typical IT security technologies.
  - There may not be available computing resources to retrofit these security technologies.
19. Why is Security different? / Why eSec is different - 9
- Information integrity
  - In-bound information is essential to the control system operation.
  - It is important to take practical precautions to eliminate malicious in-bound information in an effort to maintain control operation.
20. Why is Security different? / Why eSec is different - 10
- Communications
  - Communication protocols and media used by control systems environments are typically different from the generic IT environment, and may be proprietary.
  - Examples include radio telemetry using asynchronous serial protocols and proprietary communication networks.
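Slides 19 and 20 together point at one practical precaution: every inbound frame arriving over a serial or radio link is checked for integrity, origin, permitted function and plausible value before its content is allowed to reach the controller. The following is an added example, not from the slides; the frame layout, station address, permitted function code and per-tag engineering limits are constructed, and the checksum routine is the standard CRC-16 used by Modbus RTU, chosen here as a familiar illustration (the slide itself names no particular protocol):

```python
"""Added example: validating in-bound telemetry frames before they reach the controller.

Constructed frame layout (10 bytes):
  addr(1) | func(1) | tag(2, big-endian) | value(4, big-endian signed) | crc16(2, little-endian)
Everything not positively known-good is rejected with a reason, so the
rejections can feed an alarm or log rather than disappearing silently.
"""
import struct

# Constructed policy: this station's address, the only permitted function
# code (a "write single setpoint" in this toy protocol) and engineering limits per tag.
LOCAL_ADDRESS = 0x11
ALLOWED_FUNCTIONS = {0x06}
TAG_LIMITS = {0x0001: (0, 10000), 0x0002: (-50, 150)}  # raw units, constructed
FRAME_LEN = 10


def crc16_modbus(data: bytes) -> int:
    """CRC-16 with reflected polynomial 0xA001 and initial value 0xFFFF,
    the checksum used by Modbus RTU. Check value for b"123456789" is 0x4B37."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_frame(addr, func, tag, value):
    """Assemble a frame with a correct CRC (used here to construct test input)."""
    body = struct.pack(">BBHi", addr, func, tag, value)
    return body + struct.pack("<H", crc16_modbus(body))


def validate_frame(frame):
    """Return (True, {'tag':..., 'value':...}) or (False, reason). Checks run
    cheapest-first: length, CRC, address, function, tag, then value range."""
    if len(frame) != FRAME_LEN:
        return False, "bad length"
    body, crc_rx = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != crc_rx:
        return False, "crc mismatch"
    addr, func, tag, value = struct.unpack(">BBHi", body)
    if addr != LOCAL_ADDRESS:
        return False, f"wrong address 0x{addr:02x}"
    if func not in ALLOWED_FUNCTIONS:
        return False, f"function 0x{func:02x} not permitted"
    if tag not in TAG_LIMITS:
        return False, f"unknown tag 0x{tag:04x}"
    lo, hi = TAG_LIMITS[tag]
    if not lo <= value <= hi:
        return False, f"value {value} outside [{lo}, {hi}]"
    return True, {"tag": tag, "value": value}


def filter_inbound(frames):
    """Split a batch of received frames into accepted writes and rejection reasons."""
    accepted, rejected = [], []
    for frame in frames:
        ok, detail = validate_frame(frame)
        (accepted if ok else rejected).append(detail)
    return accepted, rejected


if __name__ == "__main__":
    good = build_frame(0x11, 0x06, 0x0001, 5000)          # in range
    too_high = build_frame(0x11, 0x06, 0x0001, 20000)     # out of engineering range
    bad_func = build_frame(0x11, 0x10, 0x0001, 5000)      # function not allow-listed
    corrupted = bytearray(good)
    corrupted[7] ^= 0x01                                  # one flipped bit in the value
    accepted, rejected = filter_inbound([good, too_high, bad_func, bytes(corrupted), b"\x00"])
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Note that the CRC only protects against transmission errors; it says nothing about who sent the frame. That is why the address, function and range checks sit behind it, and why the slide's remark that many such systems lack encryption and password protection matters: on a plain serial link, value plausibility checks at the receiving end are often the only integrity control that can be retrofitted.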
21. Why is Security different? / Why eSec is different - 11
- Software updates
  - Security patches cannot always be implemented on a timely basis because software changes need to be thoroughly tested by the vendor of the manufacturing control application and by the end user of the application before being implemented.
  - Change management control is necessary to maintain the integrity of the control systems.
22. Why is Security different? / Why eSec is different - final
- These differences require careful assessment by Manufacturing and Control System experts working in conjunction with security and IT personnel.
- This team of people should carefully evaluate the applicability of IT and specific Manufacturing and Control Systems electronic security features, including thorough testing before application, where necessary.
23. Network Segregation
Rings of Defense for Corporate and SCADA Networks (www.dyonyx.com)
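One way to make the "rings of defense" idea auditable rather than just a picture is to write the rings down as a zone-and-conduit model and check observed traffic against it: traffic between adjacent rings is allowed only on the listed service, anything that jumps a ring (corporate talking straight to a controller) is flagged. The following is an added example, not from the slides or from dyonyx; the address blocks, conduit services, ports and the flow log lines are all constructed:

```python
"""Added example: auditing flow records against a rings-of-defense zone model.

Constructed model: four rings (corporate, dmz, plant, control), each an
address block; conduits exist only between adjacent rings and carry only
the listed (protocol, port) pairs. Flow lines are a constructed
"timestamp key=value ..." format as a firewall or NetFlow export might produce.
"""
import ipaddress

ZONES = {  # constructed address plan
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "dmz":       ipaddress.ip_network("10.2.0.0/24"),
    "plant":     ipaddress.ip_network("10.3.0.0/16"),
    "control":   ipaddress.ip_network("10.4.0.0/16"),
}
CONDUITS = {  # constructed: (source ring, destination ring) -> permitted services
    ("corporate", "dmz"): {("tcp", 443)},   # users reach a reporting web front end
    ("dmz", "plant"):     {("tcp", 5432)},  # DMZ replica pulls from the historian
    ("plant", "control"): {("tcp", 502)},   # HMI/application server talks to PLCs
}

# Constructed sample flows; the last three break the model in different ways.
SAMPLE_FLOWS = [
    "T+00 src=10.1.5.23 dst=10.2.0.10 proto=tcp dport=443",   # corporate -> dmz, allowed
    "T+01 src=10.2.0.10 dst=10.3.1.5 proto=tcp dport=5432",   # dmz -> plant, allowed
    "T+02 src=10.3.1.5 dst=10.4.0.20 proto=tcp dport=502",    # plant -> control, allowed
    "T+03 src=10.1.5.23 dst=10.4.0.20 proto=tcp dport=502",   # corporate -> control: skips two rings
    "T+04 src=10.3.1.5 dst=10.4.0.20 proto=tcp dport=3389",   # right rings, service not in conduit
    "T+05 src=10.4.0.20 dst=10.1.5.23 proto=tcp dport=80",    # controller reaching out to corporate
]


def zone_of(ip):
    """Map an address to its ring, or 'unknown' if it is outside every block."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse 'timestamp src=.. dst=.. proto=.. dport=..' into a tuple."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["dst"], fields["proto"], int(fields["dport"])


def classify(line):
    """Return 'allowed', 'intra-zone', or a 'violation: ...' string for one flow."""
    src, dst, proto, dport = parse_flow(line)
    sz, dz = zone_of(src), zone_of(dst)
    if "unknown" in (sz, dz):
        return f"violation: address outside the zone model ({src} -> {dst})"
    if sz == dz:
        return "intra-zone"
    if (proto, dport) in CONDUITS.get((sz, dz), set()):
        return "allowed"
    if (sz, dz) in CONDUITS:
        return f"violation: {sz}->{dz} {proto}/{dport} not in conduit"
    return f"violation: no conduit {sz}->{dz} (ring bypass)"


def audit(lines):
    """Return the (flow, verdict) pairs that violate the model."""
    findings = []
    for line in lines:
        verdict = classify(line)
        if verdict.startswith("violation"):
            findings.append((line, verdict))
    return findings


if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(verdict, "<-", flow)
```

The same check can be pointed at a firewall's rule export instead of at flows, which turns the slide's picture into a regression test: any rule that would permit a ring bypass fails the audit before it is deployed, which fits the testing-before-application emphasis of the preceding slides.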
24. What to do: ad hoc methodology and tools
- Industrial Security Assessment
- Industrial Security Vulnerability Tests
- Industrial Security Policy
- Industrial Incident Response Plans
- Business Continuity / Disaster Recovery Plans
- Industrial Protection (Industrial IDS/IPS)
- Monitoring and Managed Services for Industry
- Audit
25. Where are Control Systems?
- Everywhere
- Industrial but also Infrastructure
  - Production and Distribution: Water, Oil, Gas, Power, etc.
  - Traffic control: Railways, Highways, Tunnels, Air, etc.
  - Buildings: Airports, Hospitals, Schools, Government, Research Centers, Universities, Municipalities, etc.
  - Telecommunications (TLCs)
26. What's moving
- 21 Steps to Improve Cyber Security of SCADA Networks (USA White House)
- Common vulnerabilities in critical infrastructure control systems (U.S. Dept. of Energy's National Nuclear Security Administration)
- Securing Process Control Systems - IT Security (European Commission)
27. Industrial security and international standards
- BS7799 / ISO 27000: Information security management systems, Specification with guidance for use
- ISO/IEC 17799:2005: Information Technology, Code of practice for information security management
- ANSI/ISA SP99 TR1: Security for Manufacturing and Control Systems
- ANSI/ISA SP99 TR2: Integrating Electronic Security into the Manufacturing and Control Systems Environment
- ISO/IEC 15408: Common Criteria
- NIST System Protection Profile for Industrial Control Systems (SPP-ICS)
- CIDX (Chemical Industry Data Exchange): Cybersecurity Vulnerability Assessment Methodology (VAM) Guidance
- ISPE/GAMP4 Good Automated Manufacturing Practices, App. O: Guideline for Automated System Security
- NERC standards
- AGA standards
28. Need more information? www.visionautomation.it
Enzo M. Tieghi - etieghi_at_visionautomation.it