Control System Control System Cyber SecurityCyber SecurityControl System Control System Cyber SecurityCyber SecurityA different approachBob HubaSr. Product ManagerEmerson Process Management
Emerson Confidential2
GoalsGoalsGoalsGoals Discuss security in context of people part of the
solution
Beyond the technical solution
The human side of Security– Your security culture– Policies and Procedures
Help bridge the gap between IT and Operations
Why – because SCADA security requires people involvement to suceed.
Emerson Confidential3
What is SCADA Cyber SecurityWhat is SCADA Cyber SecurityWhat is SCADA Cyber SecurityWhat is SCADA Cyber Security Protection from intentional computer misuse that
would cause inability for you to properly control the process
Protecting your process– IT security protects information– SCADA security protects physical assets– SCADA security protects production
Protects your control system– Needed to manage your process
Emerson Confidential4
ThreatsThreatsThreatsThreats
Undirected automatic attacks– Worms, viruses, malware– Accidental or deliberate– Most concern on these types
Deliberate attack– Internal– External– Undirected attack – disrupt system somehow– Directed attack – take over and cause problems– Is becoming a much larger concern for some
Impending Government Regulations
Emerson Confidential5
Cyber-Security StrategyCyber-Security StrategyCyber-Security StrategyCyber-Security Strategy Implement a layered security strategy
This solution hardens the boundary between Control system and the plant LAN – Maintain the “open” connections within control system
Defense in depth• Layered security – harden the perimeter(s)• Internal system security solutions
– Anti-virus scanner– Security Hardened Workstations and Controllers– Security Patch management
Emerson Confidential6
Develop a Security Policy Develop a Security Policy Develop a Security Policy Develop a Security Policy
They “gotta know da rules” Leverage off the corporate policy Modify where appropriate
– User Access maintenance– Patch and AV update procedures– Physical Access to equipment– Software Installation– Wireless Access – Remote Access
Train users Coordinate with IT
Emerson Confidential7
Goals for control system securityGoals for control system securityGoals for control system securityGoals for control system security Enable users to implement a secure system by working
with site IT – Our users are the process/operations personnel
– Allow our users to communicate our needs to IT
– Use SCADA recommended practices
– Use layered security solutions
Provide a framework for security procedures to be implemented– Tested, documented solutions to wrap procedures around– Documentation on recommended practices for security
deployment for consistent solutions
Emerson Confidential8
Use a familiar ModelUse a familiar ModelUse a familiar ModelUse a familiar Model What seems to be lacking is a model for
implementing control systems security that we can understand and easily explain to plant personnel
IT models may not be the best fit-– Confidentially vs. Availability – Information assets vs. Operations Physical assets – Highly technically oriented – Emphasis on IT protecting the assets– Managed by IT – without user involvement
Emerson Confidential9
Develop a “Culture of Security”Develop a “Culture of Security”Develop a “Culture of Security”Develop a “Culture of Security” A Security program can
be modeled after a Plant Safety program
A plant safety program creates an “culture of safety” within the plant
Security is a “way of life” A way to manage risk around user actions
– Includes all people who come into the plant
Like a successful safety program a successful security program requires that users develop a culture of security
Emerson Confidential10
Why this Model?Why this Model?Why this Model?Why this Model? Easily Understood by Operations
Implemented at right levels in organization– People’s behavior promotes security
Processes and procedures are localized– Plant site – plant department – process units
Procedures are control system specific – Different vendors, different system versions
Emerson Confidential11
Model Fits into overall Security ProgramModel Fits into overall Security ProgramModel Fits into overall Security ProgramModel Fits into overall Security Program Provides a foundation to support an overall
program
Elements of the model are required to implement overall program anyway – for example a operations person is required to help with:– Risk assessment– Priorities – which assets to protect – in what order– How much “protection” to implement on each
Provides a person with the process expertise to make the security program successful– Process is secure and available
Emerson Confidential12
Program ElementsProgram ElementsProgram ElementsProgram ElementsTreat “security” like we treat “safety”
Responsibility– People (operators, engineers, supervisors) take
responsibility for security of their areas– Security does not just “happen”
Procedures– Documented control system security policies
Training– People are trained on security– Understand security processes – Understand risks
Emerson Confidential13
Awareness– People recognize/prevent insecure behavior– Report problems
Measurement– Report security incidents – insecure actions – Reporting results
Audits/Enforcement– Are procedures being followed– Actions to correct audit results
On-Going Effort– Environment is always changing
Program ElementsProgram ElementsProgram ElementsProgram Elements
Emerson Confidential14
A MOST IMPORTANT PERSONA MOST IMPORTANT PERSONA MOST IMPORTANT PERSONA MOST IMPORTANT PERSON
Operations security champion
Emerson Confidential15
Got to have an ownerGot to have an ownerGot to have an ownerGot to have an owner
Control System security “champion”– Site – department – process – unit– Somebody (in operations) has
to be responsible– Not delegated to IT
May be more than one person– Team with different responsibilities
Their job to “make security happen”
Emerson Confidential16
SummarySummarySummarySummary Security Program Model = plant safety program
– Easy for Operations to understand
Operations people have to be involved– Success depends on training and awareness
Have to have a security champion– Somebody in operations takes responsibility
Champion provides the “Operations view” on security solutions
Plant has to have a “culture of security” for the security program to be successful
Top Related