White Paper
Version 1.2
Published August 26, 2013
Authors
John Cusimano, CISSP, CFSE
Director of Security
exida Consulting LLC
jcusimano@exida.com
www.exida.com
Gene Cammack
Director, Gulf Coast Region
exida Consulting, LLC
GCammack@exida.com
www.exida.com
Introduction
With the ever changing threats posed by cyber events of any nature, it has become critical to
recognize these emerging threats, malicious or not, and identify the consequences these threats
may have on the operation of an industrial control system (ICS). Cyber-attacks over time have the
ability to take on many forms and threaten not only industrial but also national security.
Saudi Aramco, the world's largest exporter of crude oil, is a stark example of how devastating a
cyber-attack on an industrial manufacturer can be. In August 2012, Saudi Aramco (SA) had 30,000
personal computers on its network infected by a malware attack better known as the "Shamoon"
virus. According to InformationWeek Security this was roughly 75 percent of the company's
workstations, and clean-up efforts took 10 days to complete.[i]
The seriousness of cyber-attacks in regards to national security was addressed by former United
States Secretary of Defense Leon W. Panetta in a speech in October 2012. Panetta issued a
strong warning to business executives about cybersecurity as it relates to national security. "A
cyber-attack perpetrated by nation states [and] violent extremists groups could be as destructive
as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze
the nation," he stated. "For example, we know that foreign cyber actors are probing America's
critical infrastructure networks. They are targeting the computer control systems that operate
chemical, electricity and water plants and those that guide transportation throughout this
country."[ii]
In addition to Panetta's address, the U.S. Department of Homeland Security has issued several
alerts about coordinated attacks on gas pipeline operators, according to a May 2012 report by
ABC News.[iii]
This whitepaper will focus on the significance of cyber-attacks on industrial control systems (ICS)
and how these attacks can be prevented by proper practice of the ICS Cybersecurity lifecycle.
well as the inputs to and the outputs from each step. Additionally, there is an overall
Cybersecurity Management Program that must be addressed throughout the lifecycle. This is
visualized as the long white bar that spans all three phases.
[Figure 1: ICS Cybersecurity Lifecycle, drawn as three phases (Assess, Implement, Maintain) with Input, Process, Output and exida services columns. Assess Phase: inputs Architecture Drawing(s), Regulations (e.g. NERC CIP, CFATS, etc.) and Standards (e.g. ISA/IEC 62443-3-2, 62443-3-3); process steps Cybersecurity Vulnerability Assessment, Cybersecurity Risk Assessment, Cybersecurity Target Selection and Document Requirements (ISA/IEC 62443-3-2); outputs Cybersecurity Vulnerability Assessment Report and Cybersecurity Requirements Specification (CRS). Implement Phase: inputs CRS, Reference Architectures & Best Practices and Security Manuals of ICS Products; process steps Conceptual Design, Design Validation ("Adequate Design?" yes/no loop), Detailed Design, Implement Design, Cybersecurity Factory Acceptance Test (CFAT) and Installation/Commissioning (ISA/IEC 62443-2-4); outputs Validation Report, Cybersecurity Design Spec (CDS), CFAT Plan and Cybersecurity Site Acceptance Test (CSAT) Plan. Maintain Phase: process steps Countermeasure Maintenance, Security Monitoring, Periodic Assessment, Impact Analysis and Modifications or Decommission ("Modifications?" loop back to the appropriate lifecycle phase); inputs Antivirus Management Procedure and Change Request; output Maintenance Records. exida services shown include Consultation, CDS Review, Technology Investigation, Development of Procedures, ACL Development/Review, Design Reviews, CFAT and CSAT Plan Development and Test plan review. Bar spanning all phases: Control System Security Management Program: Policy, Standards, Procedures, Training, Awareness.]
The Cybersecurity Management Program, as illustrated by the tall white vertical bar in Figure 1,
includes those activities, such as development of policies and procedures as well as deployment
of training and awareness programs, which are vital to the long-term success of the program.
The Assess Phase, as illustrated by the red shaded section in Figure 1, is an assessment typically
done early in the project (e.g. as part of the FEED study). It is focused on identifying and
quantifying the current ICS risks, allowing resources to be applied to the highest-risk items
first.
The Implement Phase, as illustrated by the yellow shaded section in Figure 1, includes
engineering, commissioning, and startup phases. This phase focuses on designing and
implementing technical controls or countermeasures to mitigate the identified risks, particularly
those that are unacceptably high. It also consists of verifying and testing the security of the
system before deployment.
The Maintain Phase, as illustrated by the green shaded section in Figure 1, includes, as the
name implies, operating and maintaining the system. Security controls can deteriorate within a
short amount of time because new vulnerabilities and threats appear almost daily. This makes
planning for ongoing maintenance extremely important.
Policies
It is important to establish security policies at the company or corporate level, or even on a
project-specific basis, in order to ensure that both employees and suppliers understand what is
expected of them and how to achieve it. Establishing security policies also demonstrates
management support and allows options to be planned in advance in the case of a security
breach. Effective policies should describe what is to be achieved rather than how it is to be
achieved. That being said, such policies should remain technology independent and focus solely
on what needs to be accomplished.
Figure 2 displays the types of items that should be highlighted within security policies. As you can
see, a significant portion of the items coincide with general IT security policy topics.
Although the items in IT and ICS security policies are highly similar, their application to an
industrial control system environment can differ quite drastically. Patch management, for
example, is a typical part of both IT security policies and ICS security policies. However, unlike an
ICS policy, an IT policy will advise a rapid response for the implementation and deployment of
security patches from vendors such as Microsoft. In an enterprise setting, a rapid response
is perfectly acceptable, if not expected. However, in a control system environment, patching
systems can have significant repercussions if not tested or done properly. Therefore a rapid
response would not be advised; a slower, more cautious response is preferable.
Overall, ICS policies may borrow from, but must differ from, those of the IT department. It is
exida's experience that the best results occur when IT and control system personnel collaborate
and establish what they believe to be the best policies around control system security.
Awareness Programs
Aside from effective policies, the strength of a security system is directly dependent on the
awareness of its personnel. Typically an employee or contractor does not fully understand the
potential impact of his or her actions, which is why policy violations and social engineering are
involved in most security breaches. This is why it is vital to ensure that employees,
contractors, and any other personnel in contact with the control system are aware of what exactly
an ICS is, what risks and threats are present, and why these risks and threats need to be taken seriously.
The majority of people believe that technical solutions take care of the security concerns
therefore allowing them to come to the conclusion that their actions have little impact on the
control system as a whole. It is important to remind personnel on a regular basis to be vigilant
and attentive to matters of control system security to eliminate this misconception.
Training Programs
It is also vital to an ICS to properly train all its stakeholders and inform them of the reasons
behind specific security policies, the acceptable procedures and practices, and common social
engineering ploys. Training helps people understand updated security controls, ideas that can be
used to reduce risk, and the impact on the company if security measures are not followed. The
best training programs that exida has observed have been tailored and role-based, providing
information matched to someone's specific skill level and job requirements.
Assess Phase
The Assess phase, as shown in Figure 3, can be divided into three subsections. The first
subsection involves scoping and defining the project. This is followed by assessing the risk and
vulnerability of the system, and lastly documenting the requirements.
The scope definition and project setup can be either a formal or informal process depending on
the current state of the project (greenfield or brownfield). Other factors involved in properly
defining the scope include corporate and site policies and procedures, project-specific requirements,
architectural drawings, and relevant regulations and standards.
Once the scope definition and project setup are completed, all of this information should be
documented in a cybersecurity management plan, regardless of whether a corporate security
plan is already in place. The plan should include project-specific issues, such as:
Vulnerability Assessment
A vulnerability assessment is performed in order to identify weaknesses within a system. How
these assessments are conducted can vary greatly depending on whether it is being performed on
a new system or an existing system. Assessments on existing systems involve analyzing actual and
potential security vulnerabilities by reviewing the current design, performing a site visit,
collecting information, and analyzing the system as it is currently running. For new systems, an
assessment can only be performed on the system design.
Some of the important items to investigate while conducting a vulnerability assessment include:
Access control strategies (e.g., how will people and computers access)
Implementation Phase
Subsequent to the Assess Phase is the Implementation Phase (Figure 5). The Implementation
Phase consists of two main divisions: conceptual design and detailed design. Unlike conceptual
design, detailed design is focused more on testing the design than on validating it.
Conceptual Design
The conceptual design will view and assess the following:
Defense-in-depth strategies
Selection of countermeasures
Revised zone and conduit model
Updated architecture diagrams
Access control strategies
Within the conceptual design, countermeasures are selected and applied in order to
mitigate risk. ISA 62443-3-3 [Ref. 6] provides excellent guidance on countermeasures. Each
countermeasure is assigned to a category and a Security Level capability. Examples of
countermeasures include:
Design Validation
Following the identification and application of proper countermeasures, it is essential to verify
that the new secure design has reached its objectives. One effective method of verifying
whether these objectives have been met is to return to the risk assessment performed in the
Assess Phase, document the newly implemented safeguards/mitigations and re-evaluate. If the
new design goals have been achieved, the risk following re-evaluation should be reduced to levels
that are tolerable.
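The re-evaluation step described above can be made mechanical: take the zones from the Assess Phase risk assessment, record which countermeasures protect which zone, and recompute each zone's risk against a tolerability threshold. The following Python script is an added example and is not code from the white paper or from exida; the zone names, the 1-5 likelihood and consequence scales, the countermeasures, their likelihood reductions and the tolerable-risk threshold are all constructed sample values chosen to illustrate the "Adequate Design?" decision in Figure 1, not figures from the paper.

```python
"""Design-validation check for a zone-based ICS risk assessment.

Added example (not exida's own method): risk = likelihood x consequence on a
1-5 scale, countermeasures reduce likelihood for the zones they protect, and
each zone's residual risk is compared with a constructed tolerable threshold.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed threshold: residual risk of 6 or less is treated as tolerable.
TOLERABLE_RISK = 6


@dataclass(frozen=True)
class Zone:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    consequence: int  # 1 (negligible) .. 5 (catastrophic)

    def risk(self) -> int:
        return self.likelihood * self.consequence


@dataclass(frozen=True)
class Countermeasure:
    name: str
    category: str                # e.g. "network segmentation", "access control"
    zones: tuple[str, ...]       # zones this countermeasure protects
    likelihood_reduction: int    # likelihood steps removed for those zones


def apply_countermeasures(zones: list[Zone], cms: list[Countermeasure]) -> list[Zone]:
    """Return the zones with likelihood lowered by every applicable countermeasure.

    Likelihood never drops below 1: a control reduces a threat, it never removes it.
    """
    residual = []
    for z in zones:
        reduction = sum(cm.likelihood_reduction for cm in cms if z.name in cm.zones)
        residual.append(Zone(z.name, max(1, z.likelihood - reduction), z.consequence))
    return residual


def validate_design(zones: list[Zone], cms: list[Countermeasure],
                    tolerable: int = TOLERABLE_RISK) -> dict[str, tuple[int, int, bool]]:
    """Re-evaluate the assessment: zone -> (initial risk, residual risk, tolerable?)."""
    residual = {z.name: z for z in apply_countermeasures(zones, cms)}
    return {
        z.name: (z.risk(), residual[z.name].risk(), residual[z.name].risk() <= tolerable)
        for z in zones
    }


def design_adequate(report: dict[str, tuple[int, int, bool]]) -> bool:
    """The 'Adequate Design?' decision: every zone must be at a tolerable level."""
    return all(ok for _, _, ok in report.values())


# Constructed sample: three zones from a hypothetical Assess Phase risk assessment.
INITIAL_ZONES = [
    Zone("safety instrumented system", likelihood=4, consequence=5),
    Zone("basic process control", likelihood=4, consequence=4),
    Zone("plant DMZ historian", likelihood=3, consequence=2),
]

# Constructed sample: countermeasures chosen in the conceptual design.
COUNTERMEASURES = [
    Countermeasure("firewall between DMZ and control network", "network segmentation",
                   ("safety instrumented system", "basic process control"), 2),
    Countermeasure("individual role-based engineering accounts", "access control",
                   ("basic process control",), 1),
    Countermeasure("hardened historian patched per ICS patch policy", "system hardening",
                   ("plant DMZ historian",), 1),
]

if __name__ == "__main__":
    report = validate_design(INITIAL_ZONES, COUNTERMEASURES)
    for name, (before, after, ok) in report.items():
        state = "tolerable" if ok else "NOT tolerable"
        print(f"{name:28s} initial={before:2d} residual={after:2d} {state}")
    if design_adequate(report):
        print("design adequate: proceed to detailed design")
    else:
        print("design NOT adequate: return to countermeasure selection")
```

With the sample values the safety instrumented system zone stays at a residual risk of 10 after the firewall alone, so the script reports the design as not adequate and the loop in Figure 1 returns to countermeasure selection; adding one more control for that zone brings it within the threshold. Keeping the initial and residual scores side by side in the report is what makes the re-evaluation auditable in the Validation Report.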
such testing on operational (i.e. online) control systems as the testing may cause the system to
behave in an unpredictable and thus unsafe manner. However, more aggressive testing can
safely be performed and is encouraged during factory acceptance testing or site acceptance
testing of a new or updated system. Conducting rigorous testing of these systems before
deployment will ensure the safety of the system as well as the overall safety of the company and
its employees.
Maintain Phase
The final stage of the cybersecurity lifecycle is the Maintain Phase (Figure 6). This phase
encompasses the maintenance of implemented countermeasures, security monitoring,
modification/decommissioning, and periodic assessments of the systems in place.
Conclusion
A lifecycle approach to cybersecurity will ensure that cybersecurity is properly addressed, not
only during the initial design stage, but throughout the lifecycle of the system. We recommend
that companies adopt this approach for existing systems (i.e. brownfield) as well as for new
systems (i.e. greenfield) and develop and enforce the appropriate policies and procedures to
ensure the process is consistently followed.
References
Standards
1. ANSI/ISA 99.00.01-2007, Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models, 2007. <http://www.isa.org/Template.cfm?Section=Shop_ISA&Template=/Ecommerce/ProductDisplay.cfm&Productid=9661>.
2. IEC/TS 62443-1-1 ED. 1.0 EN:2009, Industrial communication networks - Network and system security - Part 1-1: Terminology, concepts and models, 2009. <http://webstore.iec.ch/webstore/webstore.nsf/Artnum_PK/43215>.
3. ANSI/ISA 99.02.01-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program, 2009. <http://www.isa.org/Template.cfm?Section=standards2&template=/Ecommerce/ProductDisplay.cfm&ProductID=10243>.
4. IEC 62443-2-1 ED. 1.0 EN:2010, Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program, 2010. <http://webstore.iec.ch/preview/info_iec62443-2-1%7Bed1.0%7Den.pdf>.
5. ISA-62443-3-2, Security for Industrial Automation and Control Systems: Security assurance levels for zones and conduits, Draft for Comment. <http://isa99.isa.org/Documents/Drafts/ISA-62443-3-2-WD.pdf>.
6. ISA-62443-3-3, Security for Industrial Automation and Control Systems: System security requirements and security assurance levels, Approved. <http://isa99.isa.org/Documents/Drafts/ISA-62443-3-3-WD.pdf>.
Source Material
The material for this White Paper was adapted from the following exida training courses:
About exida
exida is a world-leading engineering services & certification body focused on helping automation suppliers and users
improve the safety, security and reliability of their industrial automation systems. Established by several of the world's top
safety, security, and reliability experts, the company is owned by these partners and independent of any vendor ownership.
exida's main offices are located in Sellersville, PA, USA and Munich, Germany, with service centers worldwide.
www.exida.com/cybersecurity
Notes
i. https://www.informationweek.com/security/attacks/saudi-aramco-restores-network-after-sham/240006278
ii. http://www.defense.gov/speeches/speech.aspx?speechid=1728
iii. http://abcnews.go.com/Blotter/dhs-hackers-mounting-organized-cyber-attack-us-gas/story?id=16304818#.UeX941QFTQ