INDUSTRIAL CONTROL SYSTEMS

Transcription

1 INDUSTRIAL CONTROL SYSTEMS PROTECTING YOUR ASSETS Kay Sallee, CIO, Phillips 66 Keith Hall, Manager, IT Audit, Phillips 66 April 11, 2016

2 AGENDA Industrial Control Systems Overview Layered Defense Strategy Risks Governance IT Audit Summary 2

3 WHAT ARE INDUSTRIAL CONTROL SYSTEMS A term used to describe: Distributed Control Systems (DCS) Supervisory Control and Data Acquisition (SCADA) systems Programmable Logic Controllers (PLC) Other interconnected control devices Also referred as Operations Technology (OT) 3

4 PURDUE MODEL Level 4 business network Level 3.5 DMZ process historian, system management services Level 3 manufacturing operations and control Level 2 instrumentation control / HMI Level 1 instrumentation/intelligent devices 4

5 IT AND ICS COMPARISON With identifiable business benefits and rapidly developing technologies that are closing the IT/OT divide, there are functional and operational differences between IT and OT groups Gartner Industrial Control Systems Traditional IT World Main objective Availability Data Integrity Availability Data Integrity Confidentiality Confidentiality Main objective 5

6 INDUSTRY IT AND ICS COMPARISON TOPIC INFORMATION TECHNOLOGY INDUSTRIAL CONTROL SYSTEMS Support Technology Lifetime 3-5 years Up to 20 years Anti-virus Application Common / Widely Used Difficult to Deploy / Maintain Patch Updates & Application Revisions Regular / Routine Schedule Vendor Specific / Slower to Deploy Change Management Regular / Routine Schedule Irregular System Availability Delays Accepted 24 x 7 x 365 Security Awareness Good in private and public sector Generally Weak, Making Progress Physical Security Generally Secured Generally strong, often unmanned Functional / Operational differences exist between IT and ICS AND the underlying technologies are converging 6

7 PHILLIPS 66 A DIVERSIFIED ENERGY MANUFACTURING AND LOGISTICS COMPANY Midstream Chemicals Refining Marketing and Specialties Transports and stores crude oil, refined products, natural gas and natural gas liquids (NGL); Gathers and processes natural gas and NGL. Manufactures petrochemicals, polymers and plastics found in cars, electronics, and other everyday goods. Refines crude oil into products such as gasoline, diesel, aviation fuel. Markets gasoline, diesel and aviation fuel; Manufactures and markets lubricants. 7

8 PHILLIPS 66 LAYERED DEFENSE Firewalls Antivirus Intrusion Detection Event Monitoring (SEIM) Forensic Tools Vulnerability Scanning Data Loss Prevention Security Tools Operating Processes Incident Response Access Management Change Management Patch Management Security Scanning FBI API Department of Homeland Security Vendors Security Specialists External Resources Internal Expertise User Awareness Risk Assessment Forensic Analysis Firewall Management Internal Audit Prevent. Detect. Respond. 8

9 PHILLIPS 66 LAYERED DEFENSE Risk Assessment Internal risk and assurance assessments and third party penetration tests evaluate criticality of IT assets as well as effectiveness of controls Network Firewall Intrusion detection VPN remote access filtering Network forensics Server Antivirus Patch management Password vault Physical security Log monitoring Vulnerability scanning Forensics Intrusion prevention Workstation Antivirus / local firewall Disk encryption Limited user rights Web filtering Patch management Forensics Intrusion prevention Application Application patching User access management Separation of duties Log monitoring Data / Database User access management Database patching Data classification Encryption Records management Common Processes Policy and standards, training and awareness, change management, user access provisioning, incident response, business continuity planning, disaster recovery planning 9

10 ICS CYBERSECURITY RISKS Compromise of control systems could lead to Disruption or degradation of processes Control systems used to deliberately create HSE * event ICS events 2013 Bowman Dam 2015 Ukrainian utility blackout 2014 German steel plant 2008 Turkey pipeline explosion * HSE Health, Safety and Environment 10

11 PHILLIPS 66 IT AND ICS GOVERNANCE Active business and IT participation at all levels Executive Committee Cybersecurity Governance Board Cybersecurity Working Groups Set acceptable risk level & priorities at enterprise level Secure funding & resources for cyber-security projects Manage the scope of cybersecurity projects Approve cybersecurity standards and policies Ensure gap assessment of standards Evaluate new external cyber-threats and recommend actions to mitigate risk Cybersecurity Networks Draft and implement standards & best practices Execute policy and manage exceptions Self-audit performance Communicate and train at the facilities Develop and execute security projects Governance model covers multiple business units (Refining, Midstream, Lubricants) 10 11

12 BEST PRACTICES AT PHILLIPS 66 Shared governance Layered defense strategy Standardization of the network segmentation Internal gap assessment External cyber risk assessments Internal audit 12

13 IT AUDIT APPROACH Process Control and other applications Programmable Logic Controllers (PLC s) Servers and Console Administration Backup and Recovery Network Components Physical Security Remote Access Wireless 13

14 IT AUDIT BEST PRACTICES Schedule additional planning time Consider a guest auditor who knows the business Acknowledge the uniqueness between IT and ICS 14

15 SUMMARY Threat to Industrial Control Systems is real ICS systems and underlying technology are changing - becoming more like traditional IT systems Opportunity to learn from and leverage skills across IT and ICS Organizational and cultural difference exist Strong IT/ICS partnership reduces cybersecurity risk 15