Control System Security
Technology Update Meetings
February, 2011
© ABB Inc. | February 27, 2012 | Slide 1
Cyber Security @ ABB
The foundation of Cyber Security: what does it mean for ABB as an organization

• Organizational priority at top management level
• Global, cross-functional and long-term initiative
• “(Cyber) Security issues are here to stay” (Joe Hogan, CEO ABB Group, ABB Automation and Power World, 2011)
• Formally established: it is not just a side task
• Starts with improving operational readiness

[Diagram: pillars of the corporate foundation: Awareness, Research, Incident Response, IT Security, Training, Management Support, External Outreach]
Corporate foundation: Organization

• Group Cyber Security Council
• Group Head of Cyber Security
• Head of Cyber Security for each division: PS / PP, PA, DM, LP
• Cyber Security Managers for: Power Generation, Control Technologies, Substation Automation, Oil, Gas & Petrochemicals, Network Mgmt, Grid Systems, Service
Global cyber security demand: the ABB perspective

[World map: regions where ABB sees high demand and the requirements are clear vs. regions where ABB sees little demand and the requirements are unclear]
Map does not reflect global players such as BP, ExxonMobil, Shell, Daimler
Product Lifecycle - Verification: ABB’s device security assurance center

• Formally established centralized & independent testing facility
• Formalized part of all device development
• Assures a well-defined, consistent approach
• Utilizes commercial, open-source and proprietary tools (Achilles Satellite, Mu8000, ABB proprietary tools) for vulnerability assessment, flooding and device profiling
• In 2010: > 120 tests performed
Customer Support: Security Patch Validation

• Start of the ABB cycle: second Tuesday of the month (Microsoft patch release)
• Publish relevance and test plan (~2 days)
• Publish validation results (~14 days)
• A 3rd party patch released outside the cycle (e.g. Adobe, Oracle) will be tested in the next cycle.
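As an added illustration of the cycle above (example code, not ABB's own tooling), the following computes the milestone dates for a given month and tells which cycle an out-of-band third-party patch falls into; the 2-day and 14-day offsets come from the slide, while the function names and sample dates are assumptions.

```python
"""Added example (not ABB's own tooling): compute the milestones of the ABB
security patch validation cycle described on the slide for a given month.
The cycle starts on the second Tuesday (Microsoft patch release); the
relevance statement and test plan follow about 2 days later and the
validation results about 14 days after the start.  Offsets are from the
slide; function names and sample dates are constructed."""
import calendar
from datetime import date, timedelta

RELEVANCE_DAYS = 2     # "~2 days" on the slide
VALIDATION_DAYS = 14   # "~14 days" on the slide

def second_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month: Microsoft patch day and the ABB cycle start."""
    first = date(year, month, 1)
    # weekday(): Monday=0 ... Sunday=6; calendar.TUESDAY == 1
    days_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)

def cycle_dates(year: int, month: int) -> dict:
    """Milestones of one validation cycle as ISO date strings."""
    start = second_tuesday(year, month)
    return {
        "start": start.isoformat(),
        "relevance_and_test_plan": (start + timedelta(days=RELEVANCE_DAYS)).isoformat(),
        "validation_results": (start + timedelta(days=VALIDATION_DAYS)).isoformat(),
    }

def validation_cycle_for(release_iso: str) -> dict:
    """Cycle in which a patch released on the given ISO date is validated.

    A patch released on or before the cycle start of its month is covered by
    that cycle; a later release (e.g. an Adobe or Oracle patch) is tested in
    the next month's cycle, as the slide states.
    """
    release = date.fromisoformat(release_iso)
    year, month = release.year, release.month
    if release > second_tuesday(year, month):
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return cycle_dates(year, month)

if __name__ == "__main__":
    # Constructed sample: a third-party patch released on 2011-02-15, after
    # that month's cycle start, so it falls into the March 2011 cycle
    for milestone, day in validation_cycle_for("2011-02-15").items():
        print(f"{milestone}: {day}")
```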
Plant Lifecycle - Maintenance: Vulnerability handling & Incident response

Minimize customer risk
• This requires a cultural change: accept that vulnerabilities exist (having a vulnerability is acceptable, improperly handling them is not!)
• Formal processes and policies
• Proper communication at the right time
• ABB has established a formal process, and vulnerability handling has top priority

Process steps: Information Collection, Triage, Investigation, Resolution, Release, with communication alongside every step.
To report a vulnerability: b it @ h bb
Cyber Security for Industrial Control Systems
Why is cyber security an issue?

Evolution of automation systems: isolated devices → point-to-point interfaces → proprietary networks → standard Ethernet/IP-based networks → inter-connected systems → distributed systems

Modern automation, protection and control systems
• leverage commercial off-the-shelf IT components
• use standardized, IP-based communication protocols
• are distributed and highly interconnected
• use mobile devices and storage media
• are highly specialized IT systems
What are the unique challenges?

| | Enterprise IT | Industrial Control Systems |
|---|---|---|
| Object under protection | Information | Physical process |
| Risk impact | Information disclosure, financial loss | Safety, health, environment, financial |
| Main security objective | Confidentiality, Privacy | Availability, Privacy |
| Security focus | Central servers (fast CPU, lots of memory, …) | Distributed system (possibly limited resources) |
| Availability requirements | 95 – 99% (accept. downtime/year: 18.25 - 3.65 days) | 99.9 – 99.999% (accept. downtime/year: 8.76 hrs – 5.25 minutes) |
| System lifetime | 3 – 10 years | 5 – 25 years |
Cyber Security vs. Safety: similar but different

Cyber Security = Safety
• Both require(d) a culture change
• Both are all about processes
• Both require training
• Both require top management support

Cyber Security ≠ Safety
• Safety is static and predictable (threats don’t change)
• Cyber Security is constantly changing (threats change)
• For Cyber Security the attacker evolves
• Safety solutions can be certified
Demand for Cyber Security: by industry and applications

[Diagram positioning four application areas by the demand coming from customers, vendors and standards & regulations]
1 Network Management (EMS, SCADA): high demand
2 Process Automation (Oil & Gas): high demand
3 Power Generation DCS: low demand
4 Substation Automation
How big is the risk? Potential consequences

Blackout in North America (2003)
• Not a cyber attack
• 50 million people without power
• Blackout lasted 2 days
• At least 11 people dead
• Estimated costs 6 Billion US$

Texas City Refinery Explosion (2005)
• Not a cyber attack
• Poor alarm management
• 15 people dead, 170 injured
• Estimated costs exceed 500 Million US$

Stuxnet (2010)
• Cyber attack
• 100’000+ hosts infected
• Delayed nuclear program of Iran by 1 – 2 years
• Estimated costs for Control System Vendor unclear
How big is the risk?

“Cyberterrorism is a myth” (Stephen Cummings, director of the British government's Centre for the Protection of National Infrastructure)

Denial — Reality — Panic
Reality: Cyber incidents are real and cyber security for industrial control systems must be taken seriously, but it is a challenge that can be met
NERC-CIP Compliance
NERC – CIP Update: What Version of NERC CIP?

Version 4 of the CIP Standards, current plan:
• Version 4 does NOT go into effect: CIP-002-4 through CIP-009-4 do not become effective.
• Version 3 remains in effect until Version 5: CIP-002-3 through CIP-009-3 remain in effect and are not retired until the effective date of the Version 5 CIP Cyber Security Standards under this implementation plan.
• Version 5 of the CIP Cyber Security Standards is currently posted on the NERC website.
NERC – CIP Update: Transition – Version 5 is Coming

Implementation Plan for Version 5 of CIP Cyber Security Standards
NERC – CIP Update: NEW for Version 4 & 5

NERC-CIP Revision 4 – “Bright Line” criteria replace the ambiguous approach:
• Transmission lines operating at greater than 300-500 kV, depending on their connectivity,
• Reactive power assets larger than 1000 MVAR,
• Generation sites larger than 1500 MW in a single interconnection,
• Certain assets essential to Blackstart capabilities,
• Assets able to automatically shed load of 300 MW or more, and
• A number of types of Control Centers.
NERC – CIP Update: New “Levels of Impact” to Bulk Electric System for V5

• High Impact: Large Control Centers; CIP-003 through 009+
• Medium Impact: Generation and Transmission, Other Control Centers; similar to CIP-003 to 009 v4
• All other BES Cyber Systems: Security Policy, Security Awareness, Incident Response, Boundary Protection
NERC – CIP Update: Needs & Challenges

• Protecting plant systems against current & future security threats
• Demonstrating & maintaining compliance with NERC CIP standards
• Managing operational reliability requirements
• Implementing security consistently across the fleet
• Managing security & compliance programs with existing resources
ABB Foundational Solutions
Main Challenges for End Users

• WHY to protect WHAT from WHOM and HOW
• Assessment of existing systems
• Making cyber security part of the risk management process
• Definition of security requirements for vendors & system integrators
• Operation and management of the security architecture:
  • Continuous monitoring of the infrastructure
  • Regular analysis of log files
  • Regular reevaluation of the security architecture
  • Continuous threat modeling & risk management
• Development of IT-security policies and processes
• Training of employees
• Evaluation and planning of “new” costs
Don’t fall for myths

Myth: Cyber security is only an issue for TCP/IP based systems
• Serial links are just as vulnerable
• Even isolated systems have entry points (e.g. portable media)

Myth: Cyber attacks will not come from within the physical perimeter because a physical attack would be easier
• A cyber attack can be much more sophisticated
• A substation could be used as entry point into the system
• A cyber attack can be “accidental”

Myth: Security of “isolated” systems
• Most systems are NOT really isolated
• Virtual connections always exist (e.g. portable media, laptops)
ABB Foundation Security Solutions: User Roles, Access Control and Hardening

• Establish a hierarchy of accounts (operator, tech, admin, etc.)
• Domain-wide policy to enforce:
  • Password requirements and role association
  • Remote access security
  • Operator group policy that restricts access to desktop and applications
• Provide hardening services as applicable:
  • Close unnecessary ports
  • Disable non-essential services
  • Establish minimum required software components
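The hardening items above (only required ports open, non-essential services disabled, a minimum software set) become checkable once they are written down as a per-role baseline; the following added example, which is not ABB's own tooling, compares a constructed node inventory against such a baseline and reports deviations. All port numbers, service and software names are assumed values for illustration.

```python
"""Added example (not ABB's own tooling): check a control-system node against a
hardening baseline as the slide describes: only required ports open, non-essential
services disabled, minimum required software installed.  Baseline and inventory
values below are constructed for illustration."""
from dataclasses import dataclass

@dataclass
class Baseline:
    role: str
    allowed_ports: set        # listening TCP ports the role needs
    required_services: set    # must be running (e.g. security event logging)
    allowed_services: set     # may run; anything else is non-essential
    allowed_software: set     # minimum required software components

@dataclass
class NodeInventory:
    name: str
    listening_ports: set
    running_services: set
    installed_software: set

def check_node(node: NodeInventory, baseline: Baseline) -> list:
    """Return deviations as (severity, message) tuples; empty means compliant."""
    findings = []
    for port in sorted(node.listening_ports - baseline.allowed_ports):
        findings.append(("high", f"{node.name}: port {port} open, not in {baseline.role} baseline"))
    for svc in sorted(baseline.required_services - node.running_services):
        findings.append(("high", f"{node.name}: required service '{svc}' not running"))
    permitted = baseline.allowed_services | baseline.required_services
    for svc in sorted(node.running_services - permitted):
        findings.append(("medium", f"{node.name}: non-essential service '{svc}' running"))
    for pkg in sorted(node.installed_software - baseline.allowed_software):
        findings.append(("low", f"{node.name}: software '{pkg}' outside minimum required set"))
    return findings

# Constructed baseline for an operator workstation (hypothetical values)
OPERATOR_BASELINE = Baseline(
    role="operator",
    allowed_ports={3389},                         # e.g. remote support access only
    required_services={"EventLog", "AntiVirus"},
    allowed_services={"Spooler", "HMI Runtime"},
    allowed_software={"HMI Runtime", "AntiVirus", "PDF Reader"},
)

# Constructed inventory of one node that deviates in several ways
SAMPLE_NODE = NodeInventory(
    name="OPS-01",
    listening_ports={3389, 445, 8080},
    running_services={"EventLog", "Spooler", "HMI Runtime", "Telnet"},
    installed_software={"HMI Runtime", "AntiVirus", "Office Suite"},
)

if __name__ == "__main__":
    for severity, msg in check_node(SAMPLE_NODE, OPERATOR_BASELINE):
        print(f"[{severity}] {msg}")
```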
ABB Foundation Security Solutions: Patch & Anti-Malware Management

• Monthly distribution of patches on DVD
• Optional service under ServiceGrid Software Support
• On-site services to deploy and document patches
• Installation of an update server for automating roll-out of both Windows security patches and anti-virus updates
• Application whitelisting
ABB Foundation Security Solutions: Configuration Change Management

• Enable security event logging
• Set up a maintenance back-up schedule
• The Audit Trail feature logs specified events and includes the time stamp when changes were made, which changes were made, on which node the changes were made and who made the changes.
• Installation of a security event log server for automating collection and reporting.
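What a central log server can do with audit-trail records carrying those four fields (time stamp, change, node, account) is shown by this added example, which is not ABB's own software: it parses constructed records, flags changes outside an assumed maintenance window or by accounts not authorised for the node, and counts changes per node for a compliance report. The record layout, policy table and sample lines are all assumptions.

```python
"""Added example (not ABB's own software): central review of audit-trail records
of the kind the slide describes (time stamp, which change, on which node, who made
it), as a security event log server would do.  Record layout, policy table and
sample lines are constructed for illustration."""
from collections import Counter
from datetime import datetime, time

# Constructed layout: ISO timestamp | node | account | change description
SAMPLE_AUDIT_TRAIL = """\
2011-02-08T09:12:00|OPS-01|jsmith|HMI display reconfigured: trend page 3
2011-02-08T09:40:15|CTRL-02|mbrown|Controller setpoint limit changed: TIC-101
2011-02-08T23:55:02|CTRL-02|jsmith|Controller logic download: PID block edited
2011-02-09T02:10:44|ENG-01|admin|Service enabled: remote desktop
"""

# Constructed policy: accounts allowed to change each node, and the approved window
AUTHORISED = {"OPS-01": {"jsmith", "mbrown"}, "CTRL-02": {"mbrown"}, "ENG-01": {"admin"}}
MAINTENANCE_WINDOW = (time(8, 0), time(17, 0))   # local time, start inclusive

def parse_audit_trail(text: str) -> list:
    """Parse pipe-separated records into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        stamp, node, user, change = parts
        records.append({"time": datetime.fromisoformat(stamp), "node": node,
                        "user": user, "change": change})
    return records

def review_changes(records: list) -> list:
    """Flag changes made outside the window or by an account not authorised for the node."""
    start, end = MAINTENANCE_WINDOW
    findings = []
    for rec in records:
        reasons = []
        if not start <= rec["time"].time() < end:
            reasons.append("outside maintenance window")
        if rec["user"] not in AUTHORISED.get(rec["node"], set()):
            reasons.append("account not authorised for node")
        if reasons:
            findings.append((rec["time"].isoformat(), rec["node"], rec["user"], "; ".join(reasons)))
    return findings

def changes_per_node(records: list) -> dict:
    """Compliance report input: number of logged changes per node."""
    return dict(Counter(rec["node"] for rec in records))

if __name__ == "__main__":
    records = parse_audit_trail(SAMPLE_AUDIT_TRAIL)
    for finding in review_changes(records):
        print(" | ".join(finding))
    print(changes_per_node(records))
```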
ABB Foundation Security Solutions: Compliance Documentation Service

• ABB can work to develop custom documentation for inclusion in a NERC-CIP Compliance Program
• Documents compile information from multiple sources and also include project-specific instructions
• Examples include:
  • Password change procedures
  • Back-up and restore procedures
  • Detail of node software components
  • User maintenance instructions
  • Detailed reporting on ports and services
ABB Foundation Security Solutions: Disaster Recovery

• Disk imaging and selective application back-up/restores are possible
• Set up a scheduled back-up routine
• Can use local or Network Attached Storage (NAS) devices
• Comprehensive documentation developed for customer use in the event of performing a recovery
• On-line imaging software with server-based storage array
• Server can be set up as an image backup testing bed
Industrial Defender Partnership
ABB - Industrial Defender Partnership

ABB: Unquestioned expert in securing the systems we build. That’s our focus – delivering inherently secure systems for industrial and power automation.

Industrial Defender: Leader in developing platform-agnostic technologies that monitor, manage and protect automation systems – centrally, and across mixed environments.

Together:
• Combined know-how
• True integration
• Aligned technologies
• Tested and verified solutions
• Unified support
• Efficient, effective and sustainable cyber security solutions

For more information visit www.abb.com/cybersecurity & www.industrialdefender.com
Monitor – Manage – Protect: Unified approach to security & compliance

• Monitor security & health activity in real-time
• Manage critical activity, including configurations, changes, policy and security events
• Protect against threats to vital automation systems

Enhancing operational excellence, sustaining security & compliance
Monitor: Real-time monitoring across system infrastructure

Customer goals
• Monitor across automation systems, networks and applications
• Identify & respond to events that threaten operational excellence, security and compliance

Industrial Defender capabilities
• Collect the events that matter
• Real-time visibility into performance degradation, operational and system health, critical changes and security events

Industrial Defender technology
• Security event management (SEM)
• Automation system agents
• Network intrusion detection system (NIDS)
Manage: Managing critical activity across the infrastructure

Customer goals
• Reduce the manual effort of collecting configuration, system status, security events and logs
• Enable an ongoing internal and external compliance posture

Industrial Defender capabilities
• Collect the events that matter, enabling monitoring, understanding and response
• Analyze and report on activity to demonstrate compliance with established policies

Industrial Defender technology
• Compliance Manager
• Automation system agents
Protect: Defend against threats to the automation infrastructure

Customer goals
• Implement a defense-in-depth, layered security strategy

Industrial Defender capabilities
• Enforce policies to protect against rogue applications
• Establish hardened and segmented electronic security perimeters
• Enact secure access and authentication at remote sites

Industrial Defender technology
• Host intrusion prevention system (HIPS)
• Automation system agents
• Unified threat management (UTM)
• Secure remote access & authentication
ABB & Industrial Defender
Security & Compliance Management: Fleet Management, a strategic approach for long-term sustainability & operational excellence

[Diagram: layered stack, bottom to top]
• Foundational Services
• Technology: MMP Solutions (SEM, CM, HIPS)
• Monitor, Manage & Protect Services: Program Mgt., Managed Svcs.
• Fleet Management
Industrial Defender: Experience across many automation environments

• Security performance monitoring
  o ABB 800xA, ABB Symphony/Harmony, ABB Infi90, ABB Network Manager, ABB FACTS and ABB SYS600C & MicroSCADA
  o Automsoft RAPID Historian
  o Areva EMS
  o Emerson DeltaV and Emerson Ovation
  o Emerson/Westinghouse WDPF
  o GE XA/21
  o Foxboro I/A Series
  o Honeywell Experion
  o Itron OpenWay System
  o Rockwell RSView
  o Schneider Momentum, Quantum
  o Siemens PCS7
  o Yokogawa Centum CS 3000
• Operating systems
  o HP-UX PA-RISC & Itanium
  o WinNT, W2K, XP, Win 7, W2003, W2008
  o Linux
  o DEC Tru-64
  o Sun Solaris
  o IBM AIX
• Industrial rules
  o DNP3
  o Modbus
  o ICCP
  o IEC
  o Siemens S7 Protocol
  o TCP/IP
Conclusion
Conclusions

• Cyber security for critical infrastructures must become a high priority item for all involved stakeholders
• Modern control systems bring new challenges in the form of increased connectivity and the protection of the privacy of end user data
• Effective cyber security solutions require a joint effort by vendors, integrators, operating system providers, end users and governments
• Effective cyber security will require solutions that cover both legacy and new installations
• Security is about risk management - perfect security is neither existent nor economically feasible
Contact information: Questions, Comments, etc.

www.abb.com/cybersecurity