Control System Control System Cyber SecurityCyber SecurityControl System Control System Cyber SecurityCyber SecurityA different approachBob HubaSr. Product ManagerEmerson Process Management

Emerson Confidential2

GoalsGoalsGoalsGoals Discuss security in context of people part of the

solution

Beyond the technical solution

The human side of Security– Your security culture– Policies and Procedures

Help bridge the gap between IT and Operations

Why – because SCADA security requires people involvement to suceed.

Emerson Confidential3

What is SCADA Cyber SecurityWhat is SCADA Cyber SecurityWhat is SCADA Cyber SecurityWhat is SCADA Cyber Security Protection from intentional computer misuse that

would cause inability for you to properly control the process

Protecting your process– IT security protects information– SCADA security protects physical assets– SCADA security protects production

Protects your control system– Needed to manage your process

Emerson Confidential4

ThreatsThreatsThreatsThreats

Undirected automatic attacks– Worms, viruses, malware– Accidental or deliberate– Most concern on these types

Deliberate attack– Internal– External– Undirected attack – disrupt system somehow– Directed attack – take over and cause problems– Is becoming a much larger concern for some

Impending Government Regulations

Emerson Confidential5

Cyber-Security StrategyCyber-Security StrategyCyber-Security StrategyCyber-Security Strategy Implement a layered security strategy

This solution hardens the boundary between Control system and the plant LAN – Maintain the “open” connections within control system

Defense in depth• Layered security – harden the perimeter(s)• Internal system security solutions

– Anti-virus scanner– Security Hardened Workstations and Controllers– Security Patch management

Emerson Confidential6

Develop a Security Policy Develop a Security Policy Develop a Security Policy Develop a Security Policy

They “gotta know da rules” Leverage off the corporate policy Modify where appropriate

– User Access maintenance– Patch and AV update procedures– Physical Access to equipment– Software Installation– Wireless Access – Remote Access

Train users Coordinate with IT

Emerson Confidential7

Goals for control system securityGoals for control system securityGoals for control system securityGoals for control system security Enable users to implement a secure system by working

with site IT – Our users are the process/operations personnel

– Allow our users to communicate our needs to IT

– Use SCADA recommended practices

– Use layered security solutions

Provide a framework for security procedures to be implemented– Tested, documented solutions to wrap procedures around– Documentation on recommended practices for security

deployment for consistent solutions

Emerson Confidential8

Use a familiar ModelUse a familiar ModelUse a familiar ModelUse a familiar Model What seems to be lacking is a model for

implementing control systems security that we can understand and easily explain to plant personnel

IT models may not be the best fit-– Confidentially vs. Availability – Information assets vs. Operations Physical assets – Highly technically oriented – Emphasis on IT protecting the assets– Managed by IT – without user involvement

Emerson Confidential9

Develop a “Culture of Security”Develop a “Culture of Security”Develop a “Culture of Security”Develop a “Culture of Security” A Security program can

be modeled after a Plant Safety program

A plant safety program creates an “culture of safety” within the plant

Security is a “way of life” A way to manage risk around user actions

– Includes all people who come into the plant

Like a successful safety program a successful security program requires that users develop a culture of security

Emerson Confidential10

Why this Model?Why this Model?Why this Model?Why this Model? Easily Understood by Operations

Implemented at right levels in organization– People’s behavior promotes security

Processes and procedures are localized– Plant site – plant department – process units

Procedures are control system specific – Different vendors, different system versions

Emerson Confidential11

Model Fits into overall Security ProgramModel Fits into overall Security ProgramModel Fits into overall Security ProgramModel Fits into overall Security Program Provides a foundation to support an overall

program

Elements of the model are required to implement overall program anyway – for example a operations person is required to help with:– Risk assessment– Priorities – which assets to protect – in what order– How much “protection” to implement on each

Provides a person with the process expertise to make the security program successful– Process is secure and available

Emerson Confidential12

Program ElementsProgram ElementsProgram ElementsProgram ElementsTreat “security” like we treat “safety”

Responsibility– People (operators, engineers, supervisors) take

responsibility for security of their areas– Security does not just “happen”

Procedures– Documented control system security policies

Training– People are trained on security– Understand security processes – Understand risks

Emerson Confidential13

Awareness– People recognize/prevent insecure behavior– Report problems

Measurement– Report security incidents – insecure actions – Reporting results

Audits/Enforcement– Are procedures being followed– Actions to correct audit results

On-Going Effort– Environment is always changing

Program ElementsProgram ElementsProgram ElementsProgram Elements

Emerson Confidential14

A MOST IMPORTANT PERSONA MOST IMPORTANT PERSONA MOST IMPORTANT PERSONA MOST IMPORTANT PERSON

Operations security champion

Emerson Confidential15

Got to have an ownerGot to have an ownerGot to have an ownerGot to have an owner

Control System security “champion”– Site – department – process – unit– Somebody (in operations) has

to be responsible– Not delegated to IT

May be more than one person– Team with different responsibilities

Their job to “make security happen”

Emerson Confidential16

SummarySummarySummarySummary Security Program Model = plant safety program

– Easy for Operations to understand

Operations people have to be involved– Success depends on training and awareness

Have to have a security champion– Somebody in operations takes responsibility

Champion provides the “Operations view” on security solutions

Plant has to have a “culture of security” for the security program to be successful