Sicherheit im Produktlebenszyklus (Security in the product life cycle)
Source: files.messe.de/abstracts/58541_1104_1200_Schierholz_ABB.pdf


Security in the product life cycle: from cradle to grave

Dr. Ragnar Schierholz, Hannover Messe, Industrial IT Security theme day, 2014-04-11

Life cycle aspects of cyber security for ICS

(Slide diagram not reproduced; only its legend survives.)

Roles:
- PS: Product Supplier
- SI: System Integrator
- AO: Asset Owner

Draft material from IEC 62443* (* based on VDI 2182)

April 11, 2014 | Slide 2

© ABB Group


How ABB works with Cyber Security: an important factor in all phases

Product lifecycle: Design, Implementation, Verification, Release, Support

Project lifecycle: Design, Engineering, FAT, Commissioning, SAT

Plant lifecycle: Operation, Maintenance, Review, Upgrade


How ABB works with Cyber Security: an integral part of ABB's products and systems


Security Development Lifecycle: the process

Phases and activities:

Training
- Core training

Requirements
- Define quality gates / bug bar
- Analyze cyber security risk

Design
- Attack surface analysis
- Threat modeling

Implementation
- Specify tools
- Enforce banned functions
- Static analysis

Verification
- Dynamic/fuzz testing (e.g. DSAC)
- Verify threat models / attack surface

Release
- Response plan
- Final security review (FSR)
- Release archive

Response
- Execute response plan (e.g. vulnerability handling policy)

Supporting activities:
- Education: administer and track security training
- Process: guide product teams to meet SDL requirements
- Accountability: establish release criteria and sign-off as part of G5
- Incident response

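The "Enforce banned functions" item under Implementation is normally backed by a check that fails the build when a call to a function on the banned list appears in the source tree. The Python script below is an added illustration, not ABB's tooling and not part of the original slides. The banned list is an assumption: a small subset of the C string and formatting functions that the Microsoft SDL banned.h header deprecates (the slide names the practice, not a list), and the C source it scans is constructed for the example.

```python
import re

# Assumed banned list (subset of what the Microsoft SDL banned.h header deprecates),
# mapped to the bounded replacement a reviewer would point to.
BANNED = {
    "strcpy": "strcpy_s / strlcpy",
    "strncpy": "strncpy_s / strlcpy",
    "strcat": "strcat_s / strlcat",
    "sprintf": "snprintf / sprintf_s",
    "vsprintf": "vsnprintf / vsprintf_s",
    "gets": "fgets / gets_s",
    "scanf": "scanf_s with field widths",
}

# Comments and string/character literals are masked before scanning so that a banned
# name mentioned in a comment or inside a string does not produce a false positive.
_SKIP = re.compile(
    r'/\*.*?\*/'              # block comment
    r'|//[^\n]*'              # line comment
    r'|"(?:\\.|[^"\\\n])*"'   # string literal
    r"|'(?:\\.|[^'\\\n])*'",  # character literal
    re.DOTALL,
)

# An identifier immediately followed by "(" ; the lookbehind makes the match start at
# the whole identifier, so my_strcpy( or strcpy_s( never resolves to "strcpy".
_CALL = re.compile(r"(?<![A-Za-z0-9_])([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def _blank_out(match):
    # Replace every character except newlines with spaces so line numbers stay correct.
    return re.sub(r"[^\n]", " ", match.group(0))


def find_banned_calls(source):
    """Return [(line_number, function_name, suggested_replacement), ...] for one C file."""
    cleaned = _SKIP.sub(_blank_out, source)
    findings = []
    for lineno, line in enumerate(cleaned.splitlines(), start=1):
        for match in _CALL.finditer(line):
            name = match.group(1)
            if name in BANNED:
                findings.append((lineno, name, BANNED[name]))
    return findings


def passes_banned_function_gate(source):
    """Quality-gate form of the check: True only if no banned call is present."""
    return not find_banned_calls(source)


# Constructed C input exercising the cases a checker must get right.
SAMPLE_C = """\
#include <string.h>
#include <stdio.h>

/* strcpy(dst, src) mentioned in a comment must not count */
void copy_name(char *dst, size_t n, const char *src)
{
    strcpy_s(dst, n, src);          /* bounded replacement: not flagged */
    printf("use strcpy(x) here\\n"); /* banned name inside a string: not flagged */
    strcpy(dst, src);               /* flagged */
    sprintf(dst, "%s", src);        /* flagged */
    my_strcat(dst, src);            /* different identifier: not flagged */
}
"""

if __name__ == "__main__":
    for lineno, name, fix in find_banned_calls(SAMPLE_C):
        print(f"sample.c:{lineno}: banned function {name}() - use {fix}")
    print("gate passed" if passes_banned_function_gate(SAMPLE_C) else "gate FAILED")
```

Two points about the design: masking comments and literals before scanning is what keeps the check from failing builds on a code comment that merely names strcpy, and matching whole identifiers is what keeps the bounded variants (strcpy_s, strlcpy) and project-prefixed wrappers from being reported. The same regex also reports a prototype of a banned function in a header, which is usually the intended effect when the gate covers the whole tree; exempting system headers is a policy decision for the team running it.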

Security Development Lifecycle, example: Verification


- Formally established, centralized and independent security test center
- Leveraging state-of-the-art open source, commercial and proprietary robustness and vulnerability analysis tools
- Close collaboration with ABB developers, providing in-depth analysis and recommendations

Secure Development Lifecycle, example: Validation of Security Updates

Accreditation of anti-virus software for Sentinel users:
- McAfee VirusScan® Enterprise with ePO Server and Symantec Endpoint Protection
- Configuration guidelines
- Verified in system tests
- Node-based or centralized management
- Updating via server in the demilitarized zone (DMZ)
- Daily verification of definition files
- Update production systems with 48 h delay
- Redistribution of Symantec definition files

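The anti-virus definition handling on this slide is a staged rollout: definitions arrive on an update server in the DMZ, are verified daily on a test system, and only reach production after a 48-hour hold. The Python below is an added example that is not from the slides or from ABB; it encodes that release decision and the failure modes a staging gate has to cover (no verification yet, verification failed, a verification result that predates the release or has gone stale). The record layout, the 36-hour staleness tolerance and the sample releases are constructed assumptions; the 48-hour figure is the one stated on the slide.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Hold period stated on the slide: production is updated with a 48 h delay.
HOLD_PERIOD = timedelta(hours=48)
# Verification runs daily; a result older than this is treated as stale (assumed tolerance).
VERIFICATION_MAX_AGE = timedelta(hours=36)


@dataclass
class DefinitionRelease:
    """One definition-file release as tracked on the DMZ update server (constructed model)."""
    version: str
    received_at: datetime                 # when the DMZ server pulled it from the vendor
    verified_ok: Optional[bool] = None    # latest daily verification result; None = not run yet
    verified_at: Optional[datetime] = None


def release_decision(rel: DefinitionRelease, now: datetime) -> Tuple[str, str]:
    """Return ("release" | "hold" | "block", reason) for one definition release."""
    if rel.verified_ok is None or rel.verified_at is None:
        return "hold", "no verification result recorded yet"
    if rel.verified_at < rel.received_at:
        return "hold", "verification predates this release; wait for today's run"
    if not rel.verified_ok:
        return "block", "daily verification failed; keep out of production"
    if now - rel.verified_at > VERIFICATION_MAX_AGE:
        return "hold", "last verification is stale; wait for today's run"
    remaining = HOLD_PERIOD - (now - rel.received_at)
    if remaining > timedelta(0):
        hours = int(remaining.total_seconds() // 3600)
        return "hold", f"48 h hold not over yet ({hours} h remaining)"
    return "release", "verified and 48 h hold elapsed"


def plan_rollout(releases: List[DefinitionRelease], now: datetime
                 ) -> Tuple[Optional[str], Dict[str, Tuple[str, str]]]:
    """Pick the newest releasable version; also return the decision for every release."""
    decisions = {r.version: release_decision(r, now) for r in releases}
    releasable = [r for r in releases if decisions[r.version][0] == "release"]
    chosen = max(releasable, key=lambda r: r.received_at, default=None)
    return (chosen.version if chosen else None), decisions


# Constructed sample: "now" is the day of the talk; version labels are invented.
NOW = datetime(2014, 4, 11, 12, 0, tzinfo=timezone.utc)
SAMPLE_RELEASES = [
    DefinitionRelease("2014-04-08.r1", NOW - timedelta(days=3), True, NOW - timedelta(hours=6)),
    DefinitionRelease("2014-04-08.r2", NOW - timedelta(days=3), False, NOW - timedelta(hours=6)),
    DefinitionRelease("2014-04-11.r1", NOW - timedelta(hours=12), True, NOW - timedelta(hours=6)),
    DefinitionRelease("2014-04-06.r1", NOW - timedelta(days=5), True, NOW - timedelta(days=3)),
    DefinitionRelease("2014-04-11.r2", NOW - timedelta(hours=1), True, NOW - timedelta(hours=6)),
]

if __name__ == "__main__":
    version, decisions = plan_rollout(SAMPLE_RELEASES, NOW)
    for ver, (decision, reason) in decisions.items():
        print(f"{ver}: {decision:7s} {reason}")
    print("push to production:", version or "nothing")
```

The ordering of the checks matters: a failed verification blocks regardless of age, and a verification result that was produced before the release arrived is not evidence about that release, so it counts as "not yet verified" rather than as a pass. Run as a daily job against the update server's release records, the "release" outcome is what would trigger redistribution to the production nodes.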

Secure Development Lifecycle, example: Validation of Security Updates

Microsoft security updates for Sentinel users:
- All relevant updates are tested for compatibility
- Result published typically within 3 to 7 days
- Other third-party software (e.g. Adobe Reader): validated with the next Microsoft security update

Deployment:
- The System 800xA Qualified Security Updates, for node-by-node deployment
- MS security updates delivered from ABB
- WSUS for centralized management


Security Development Lifecycle, example: Vulnerability handling

If you want to be informed of vulnerabilities found in ABB products:
- Public disclosure on www.abb.com/cybersecurity and ICS-CERT

If you have found a vulnerability in our products:
- Use the "Contact us" feature on ABB's Cyber security webpage www.abb.com/cybersecurity to report any security issue


Contact

Dr. Ragnar Schierholz
Cyber Security Analyst
ABB AG
Schillerstr. 72
DE-32425 Minden
Phone +49 517 830 1080
Mobile +49 171 189 2349
E-Mail ragnar.schierholz@de.abb.com