
2012 Honeywell Users Group Asia Pacific

Sustain.Ability.

Industrial Control System


Cyber Security
1
Mike Baldi
Honeywell Process Solutions
Cyber Security Architect
Global Architect Team

- Responsible for integrating security into HPS products, security certifications, and compliance
- Honeywell rep on ISA Security Compliance Institute board
- DHS interface for HPS
- 33+ years experience with HPS
  - Lead SE for System Test (3 years)
  - Technical Assistance Center - Server/Client team lead (25 years)

2
Industrial Control System Cyber Security

- Cyber security threat landscape for ICSs
- Honeywell's cyber security initiatives
- Roles / responsibilities for protecting ICSs from cyber attacks
- Responding to cyber attacks against your ICS

3
Cyber Security threat landscape for ICSs

Industrial Control System Cyber Security
4
How did we get here?
- Security was not a major concern when legacy ICS systems were developed
- ICS system lifecycle is typically 15-20 years
- ICS products are incorporating COTS technology from the business IT sector (Ethernet, Windows OS, SQL, webservers, etc.)
- Multi-vendor solutions at most ICS sites
- Increasing need to share data between the enterprise, corporate, and DCS networks
- Lack of experienced security personnel working on ICSs
- History of separate IT and ICS teams

5
Business IT vs ICS systems

Security Topic: Antivirus
  Information Technology: Very common; easily deployed and updated
  Control Systems (ICS):  Difficult to keep current due to risk imposed to control process

Security Topic: Patch Management
  Information Technology: Easily defined; enterprise wide, remote and automated
  Control Systems (ICS):  Patches require exhaustive testing and qualification prior to installation on ICSs. Install lags release.

Security Topic: Technology Support Lifetime
  Information Technology: 2-3 years
  Control Systems (ICS):  10-20 years

Security Topic: Change Management
  Information Technology: Regular and scheduled; aligned with minimum-use periods
  Control Systems (ICS):  Strategic scheduling; non-trivial process due to potential impact to process

Security Topic: Security Compliance
  Information Technology: Specific regulatory guidance
  Control Systems (ICS):  Limited regulatory oversight (some sectors)

Security Topic: Incident Response and Forensics
  Information Technology: Easily developed and deployed; some regulatory requirements; embedded in technology
  Control Systems (ICS):  Uncommon beyond system resumption activities; no forensics beyond event re-creation

Security Topic: Physical and Environmental Security
  Information Technology: Poor (office systems) to excellent (critical operations systems)
  Control Systems (ICS):  Good to Excellent (operations centers; guards, gates, guns)

Security Topic: Secure Systems Development
  Information Technology: Integral part of development process
  Control Systems (ICS):  Has not been an integral part of ICS systems development

6
ICS challenges and security concerns
- Vulnerability to Denial of Service attacks
- Backdoors and holes in the network perimeter
- Devices with little or no security features (modems, legacy control devices, etc.)
- Common communication protocols designed without security
- Remote, unmanned sites with challenging physical security
- Database security vulnerabilities (proprietary and / or 3rd party)
- Lack of encryption and authentication
- Improper or nonexistent patching of software and firmware

7
ICS challenges and security concerns
- Unsecure coding techniques in product design
- Non-existent cyber security procedures
- Lack of control system-specific security protection / mitigation technologies
- Security researchers with various vulnerability disclosure practices
- Publicly available hacking tools make hacking easier for novices
- Increased outside security regulation
  - NERC-CIP, CFATS, Pipeline Guidelines
- Increase in cyber attacks against ICSs
  - Stuxnet, Duqu, Flame

8
Some typical attack vectors of ICSs

9
Some current headlines

- U.S. President Barack Obama is urging the Senate to pass the Cybersecurity Act of 2012. He believes legislation will help the U.S. fight "the cyber threat to our nation," which he calls "one of the most serious economic and national security challenges we face."
  July, 2012 - ZDNet
- Iran Oil Terminal taken offline by Cyber Attack
  April, 2012 - PACE magazine
- Pacific Northwest National Laboratory Report Reveals Dramatic Increase in Cyber Threats and Sabotage on Critical Infrastructure and Key Resources
  June 2012 - US Dept of Energy

10
The Impact of STUXNET
- Provided proof-of-concept and a blueprint for hackers
- Exposed corporate executives, regulators and the public to the potential dangers of cyber attacks on critical infrastructure
- Opened the floodgates for security researchers to identify and exploit ICS vulnerabilities for financial gain

11
Project Basecamp
- Announced at S4 Security Conference in Jan 2012
- Project Basecamp involved six researchers looking for vulnerabilities in embedded ICS devices (PLCs, RTUs, substation controllers)
- The researchers found backdoors, weak credential storage, ability to change ladder logic and firmware, command line interface, buffer overflows, TFTP, etc.
- Posted results publicly, releasing Nessus plugins and Metasploit modules enabling anyone to find and exploit these vulnerabilities

12
Cyber attacks on critical infrastructure

Cyber attacks against US critical infrastructure jumped 383 % in 2011

13
ICS Specific Vulnerabilities Reported 2001 - 2011

Slide 25 from the presentation "Documenting the Lost Decade: An Empirical Analysis of publicly disclosed ICS vulnerabilities since 2001" by Sean McBride

14
Why have ICS systems become targets?
- They're easy targets
  - Security wasn't designed in
  - Running older operating systems
  - Embedded accounts with default passwords
  - Systems aren't updated with security patches
- Notoriety / validation within security research community
- Community watchdogs
- Hacktivists
- Competitive advantage
- Nation State / Political motivation

15
Honeywell's cyber security initiatives

Industrial Control System Cyber Security
16
What is Honeywell's security philosophy?
- Design in Security is a key initiative at Honeywell
  - Security designed in the product from the beginning
  - Incorporate people, technology, and process
  - Integrate security into our culture
- Defense in Depth
  - Security at more than just the perimeter
  - Layered / High Security Network Architecture
  [Figure: Process Control System surrounded by Cyber, Electronic and Physical security layers]
- Security is a journey - not a destination
  - Cyber threat landscape is continuously changing
  - Continuous evaluation and improvements required
17
Product development process
- Product development
  - Security is foundational in the product
  - HIP process designs security into all products
- Security Development Lifecycle
  - Design process is compliant with ISASecure SDSA
  - Threat modeling and security risk analysis is part of all projects
  - Static code analysis
  - Fuzz testing
  - Use and abuse case testing
  - Load and performance testing
  - Independent penetration testing

18
Product development process
- Product development (continued)
  - Experion Security Model drives security focus
  - Security Core Team manages security model
  - Security Steering Committee: communication / interactive exchange on security issues impacting HPS systems
- HPS is investing heavily in tools, testing, and training to improve the security of our products

19
Incorporating Security into the Software Development Lifecycle

[Lifecycle figure] Phases: Security Training; Security Requirements; Architecture / Design; Coding; Security Testing; Security Validation; Security Response Planning and Execution.
Supporting activities shown in the figure: Security Risk Assessment and Threat Modeling; Security Coding Guidelines; Security Code Reviews & Static Analysis; Fuzz testing, Abuse case testing.

20
Continuous security improvements
- Short term improvement
  - Qualification of white listing component for Experion
  - Virtual Patching solution
  - Virtualization
- R410 security improvements
  - System mechanism to disable USB storage interface
  - Role based access control for process data
    - Implements separation of duties at parameter level
  - Decouple DSA security credentials from system credentials
    - Compartmentalizes Experion clusters
    - Allows different mngr passwords in each cluster
  - Remove sysadmin privileges from mngr account
  - Allow use of user specified domain accounts
21
21
Application Whitelisting - overview
Objective is to provide additional protection against malware, reduce system maintenance overhead and complexity, and extend the patching cycle

- Application Whitelisting (AWL) locks down an end node, allowing only approved files to run
  - Significantly improves security against many types of malware attacks
  - Can extend patching cycle
- AWL solution must be tightly integrated into control system by ICS vendor to provide greatest protection with minimum risk
- AWL on Industrial Control Systems will co-exist with Anti Virus solutions

22
Patch management lifecycle

[Figure annotations]
- Security research (e.g. ZDI, DVLabs)
- ICS-CERT
- Not always a patch available
- Black hats
- Patch is not always tested in time
- Can we install?
- Often reboots required

23
Server / station protection

Gartner server protection model (columns: A = Allow Known Good (Block All Else); B = Block Known Bad (Allow All Else); C = Unknown)

Execution Level:
  A: Application Control
  B: Resource Shielding
  C: Behavioral Containment

Application Level:
  A: Application and System Hardening
  B: Antivirus
  C: Application Inspection

Network Level:
  A: Host Firewall
  B: Attack-Facing Network Inspection; Vulnerability-Facing Network Inspection
  C: Attack-Facing Network Inspection; Vulnerability-Facing Network Inspection

Source: Gartner

- BL = Black Listing (Honeywell solution - McAfee / Norton)
- AWL = Application White Listing (Honeywell solution - Bit9)
- VP = Virtual Patching (Honeywell solution - HP TippingPoint)
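The "Allow Known Good" versus "Block Known Bad" distinction in the Gartner matrix above, and the AWL overview on slide 22, as an added illustration that is not code from the presentation or from Honeywell: the Python below baselines constructed file hashes, evaluates execution attempts under both policies, and shows the re-baselining step an AWL deployment needs after a qualified patch. All paths, file contents and signatures are constructed for the example.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    """Content hash; AWL products key their approved-file list on hashes like this."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for executables on a commissioned station (path -> content).
COMMISSIONED_FILES = {
    "C:/ICS/Station.exe": b"station-v1",            # constructed path and content
    "C:/Windows/System32/notepad.exe": b"notepad",  # constructed content
}
# Constructed deny-list: hashes of samples the AV vendor has already seen.
AV_SIGNATURES = {sha256_hex(b"known-worm-sample")}

def baseline_allow_list(files: dict) -> dict:
    """Allow Known Good: record the approved hash of every file at commissioning."""
    return {path: sha256_hex(content) for path, content in files.items()}

def awl_verdict(allow_list: dict, path: str, content: bytes) -> tuple:
    """Allow-list policy: anything not approved, or changed since approval, is blocked."""
    approved = allow_list.get(path)
    if approved is None:
        return ("block", "not on allow list")
    if sha256_hex(content) != approved:
        return ("block", "content differs from approved baseline")
    return ("allow", "matches approved baseline")

def av_verdict(signatures: set, content: bytes) -> tuple:
    """Deny-list policy (Block Known Bad, Allow All Else): only recognised samples are stopped."""
    if sha256_hex(content) in signatures:
        return ("block", "matches known-bad signature")
    return ("allow", "no signature match")

def approve_qualified_update(allow_list: dict, path: str, new_content: bytes) -> dict:
    """Re-baseline one file after the vendor has qualified its patch; without this step
    an AWL-protected station would block its own security update."""
    updated = dict(allow_list)
    updated[path] = sha256_hex(new_content)
    return updated

def compare_policies(allow_list: dict, signatures: set, attempts: list) -> list:
    """Run both policies over (path, content) execution attempts; one verdict row each."""
    return [(path, awl_verdict(allow_list, path, content)[0], av_verdict(signatures, content)[0])
            for path, content in attempts]

if __name__ == "__main__":
    allow = baseline_allow_list(COMMISSIONED_FILES)
    # Constructed execution attempts: an approved binary, a known worm, a never-seen
    # variant of it, and the approved station binary after on-disk tampering.
    attempts = [
        ("C:/Windows/System32/notepad.exe", b"notepad"),
        ("C:/Temp/payload.exe", b"known-worm-sample"),
        ("C:/Temp/payload.exe", b"never-seen-variant"),
        ("C:/ICS/Station.exe", b"station-v1-tampered"),
    ]
    for path, awl, av in compare_policies(allow, AV_SIGNATURES, attempts):
        print(f"{path:34} AWL={awl:5} AV={av}")
```

The never-seen variant and the tampered station binary pass the deny-list check but fail the allow-list check, which is the slide's point that AWL protects against malware no signature yet describes, at the cost of having to re-baseline every qualified update.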

24
Continuous security improvements

- Virtualization improves operational efficiency
- Virtualization realizes life cycle extension
- Virtualization poses new security challenges
- Virtualization also facilitates security improvements
  - Application virtualization (i.e. eServer) provides sandboxing
  - Full virtualization (VMware vSphere)
  - Improved data recovery mechanisms
  - Improved patching mechanisms
  - Improved virus protection mechanisms
  - Hypervisor / Virtual Machine Monitor has small attack surface
  - Availability of thin clients

[Figure: Virtualization Layer]

25
External security certifications
- Wurldtech Achilles certification for C300, SM
  - Achilles practices certified (WIB)
  - Honeywell committed to compliance with Achilles practices when it becomes an approved IEC 62443-2-4 standard
- ISASecure Embedded Device Security Assessment (EDSA)
  - Safety Manager R145 was first device to achieve EDSA certification (2011)
  - C300 and Foundation Fieldbus Interface Module are EDSA certified (2012)
- Internal evaluation of HPS products for compliance with numerous external standards:
  - NERC-CIP, NIST SP 800-x, FERC Order x, INGAA Cyber guidelines, TSA pipeline guidelines

26
ISA99 / IEC 62443 Structure

[Figure: ISA99 / IEC 62443 standard structure, with parts covering Systems and Devices]

27
Embedded Device Security Assurance Certification

Integrated Threat Analysis (ITA)
- Provides a common perspective on how threat scenarios can be sufficiently covered
- Documents the expected resistance of the system to potential threat agents and threat scenarios
- Clearly documents expected user measures versus inherent product protection measures
- Detects and avoids systematic design faults

Software Development Security Assurance (SDSA)
- The vendor's software development and maintenance processes are audited
- Ensures the organization follows a robust, secure software development process
- Detects implementation errors / omissions

Functional Security Assessment (FSA)
- A component's security functionality is audited against its derived requirements for its target security level
- Ensures the product has properly implemented the security functional requirements

Communications Robustness Testing (CRT)
- Identifies vulnerabilities in networks and devices
- A component's communication robustness is tested against communication robustness requirements
- Tests for vulnerabilities in the 4 layers of the OSI Reference Model

28
Benefits of ISASecure Certification
Structured, auditable, repeatable approach to evaluating the security of an ICS product and the development practices of the manufacturer against an established benchmark

End-user:
- Easy to specify
- Build security requirement into RFP
- Reduced time in FAT/SAT
- Know security level out of the box

Supplier:
- Evaluated once
- Recognition for effort
- Build in security
- Product differentiator
- Reduce support costs
- Enhance credibility

Assurance that automation products, systems and suppliers meet an industry recognized baseline for cyber security

29
Honeywell's Industrial IT Solutions

- Assess: against industry standards, regulatory requirements and best practices
- Remediate: focuses on the actions needed to address issues identified in the Assess phase
- Assure: addresses methods to assure your Industrial IT solutions are functioning as designed
- Manage: refers to the management of your Industrial IT investment, including network security

Evolving services and solutions for a changing Industrial IT environment
30


Honeywell's Industrial IT Solutions
- Continuous improvement of standard build
- Consistent security configuration
- Extended remote service portfolio
- Tested AV signature files - daily
- Patch analysis and consolidated patching
- Security incident handling, perimeter management
- Introduction of global service management
- Uniform service delivery
- Compliance management
- Full Whitelisting management and support

[Figure: Assess / Remediate / Assure / Manage cycle]

31
Partnering with our customers
- Documenting system security configuration
  - Includes risks that need external mitigations
- Rapid qualification of security updates
  - Microsoft
  - Adobe
- Network and security design services
- Assessment services
  - ISA99 / CSET security audits / assessments
- Services offering for system security management
  - Patch, virus protection, and data recovery management
  - Security perimeter management
- Continued investment in building security skills
  - Design consultants, project and service engineers
32
Security Program Dashboard

33
Security from design to daily operation
Honeywell Process Solutions...
- builds security features into our standard products, and is continuously evaluating and improving our security
- is committed to ISA99 and IEC-62443 standards for industrial control system security
- works closely with external agencies including Department of Homeland Security to improve ICS security
- documents secure system best practices and configurations
- provides timely communication of security issues to customers
- offers optional security features to customers who want additional protection
34
Roles / responsibilities for protecting ICSs from cyber attacks

Industrial Control System Cyber Security
35
Stakeholders per phase in securing ICSs
- ICS control system manufacturers / Vendors
- ICS automation solution providers
- System integrators and implementers
- Owner/operators or end users
- Local Governments

[Figure: Phases and Participants in a Typical ICS Project, from ICSJWG Cross Vendor Position Paper]

36
Layers of Responsibility

End User
(Security management system)

System Integrator
(System engineering practices, Qualified Personnel)

Automation Supplier
(Software Development, Vendor Practices)

Automation Products
(Security features, Testing)

37
Vendor / automation supplier responsibilities
- Execute security testing during development cycle
- Integrate security into development lifecycle (SDLC)
- Scan systems for security vulnerabilities before deployment
- Document secure implementation of system
- Manage secure custody chain of assets
- Attain applicable 3rd party security certifications
- Provide timely qualification of security fixes
- Open and timely communication on product security issues
- Be positioned to respond to vulnerability disclosures or cyber incidents against deployed systems

38
Integrator / installer responsibilities
- Install system per vendor's recommended security practices
- Segment the Control System Network
- Ensure all software revisions are current during installation
- Scan systems and network for security vulnerabilities before final commissioning
- Baseline and document the system security before final commissioning

39
Owner / operator responsibilities
- Apply security fixes as soon as they're qualified
- Keep Anti Virus and related protection technologies current
- Document security configuration, Policies & Procedures
- Provide security training for operators & contractors
- Control access to the Control System
- Harden the components of the system: apply defense in depth
- Constantly monitor the security of the system
- Periodic full re-assessment of system security
- Work closely with vendor and integrators to adapt to new security threats and vulnerabilities

40
ICS Security responsibilities summary
- Owner / operators have the ultimate responsibility for the security and safety of their systems
- ICS security must include technology, people, and processes
- ICS security spans the lifecycle of an automation system and requires a partnership between all stakeholders
- All the security technology and controls in the world will not protect an ICS if not properly applied and continuously managed

41
Responding to cyber attacks against your ICS

Industrial Control System Cyber Security
42
Cyber Incident Response Plan
- Cyber security can no longer be an afterthought
- Question is not IF your site will be attacked, but WHEN: be prepared
- Security can be measured by how quickly you detect, contain, and recover from a security incident
- Develop a cyber incident response plan, and actively manage it

43
Cyber Incident Response Plan
- Create a cyber incident response plan
  - Priority is to isolate any suspect component, maintain safe operation, and preserve forensics where possible
  - Operators must be trained on how to respond to a cyber incident
  - Appoint a cyber security focal point and watchdog with backup
  - Include all levels of defense in depth in creating response plan
- Practice the plan (test it)
- Re-evaluate and update the cyber incident response plan periodically

44
Effective Security Plan

45
How can ICSs prepare for cyber attacks?
- Do a security assessment of your site, remediate any gaps identified, and repeat assessments periodically
- Partner with your ICS vendor and specific support programs / organizations to keep your defense plan current
- Consider what your vendor or a security consultant can provide:
  - 24 x 7 support center
  - Security Operations Center
  - Access to specialty security skill sets
- Develop and maintain a dashboard or HMI for security manager
- Actively monitor security trends (i.e. security watchdog)

46
How can ICSs prepare for cyber attacks?
- Review your vendor's security documentation
  - Network and Security Planning Guide
  - Domain and Workgroup Implementation Guide
- Maintain current security protection technologies on your system
  - Anti-Virus, Application Whitelisting, IPS, Firewalls
- Keep security current: timely application of qualified security updates
- Proactively / continuously monitor site for cyber incidents

47
Be prepared for cyber attacks
- Integrate security into your culture at site
- An effective security program addresses people, processes, and technology
- Work with your vendor to create a cyber incident response plan, and manage that plan
- Ensure everyone knows the key players, and who to call
- Security protections and incident response plans are only effective if properly managed
48
Q&A

Questions?

49
