Does Aligning Cyber Security and Process Safety Reduce Risk?

Transcription

1 Does Aligning Cyber Security and Process Safety Reduce Risk? How can we align them to protect Operational Integrity? Schneider Electric September 15, 2015 Hosted by Greg Hale, Founder & Editor of Industrial Safety & Security Source 1

2 Host: Greg Hale ISS Source Over 30 years in the publishing industry covering manufacturing automation 10 years as the Chief Editor of InTech magazine Formerly Editor in Chief at Post Newsweek s Reseller Management magazine co-author of the book, Automation Made Easy Everything You Wanted to Know About Automation and Need to Ask Confidential Property of Schneider Electric 2

3 Both disciplines aim to protect Operational Integrity Process Safety > Prevent or minimize risk of personnel injury & damage to plant, property, environment Cyber Security > Prevent or minimize risk of personnel injury & damage to plant, property, environment > Applied through: > Standards & regulations > Process & system design > Plant hardware & software > Procedures & controls > Shared knowledge & experience > Regular reviews & updates > Applied through: > Standards & regulations > Process & system design > Plant hardware & software > Procedures & controls > Shared knowledge & experience > Regular reviews & updates Confidential Property of Schneider Electric 3

4 With key differences.. Process Safety Cyber Security > Primary focus is on internal processes > Mature discipline Safety always an issue > Standards & regulations quite rigorous > Widespread adoption common practice > Knowledge widely shared to apply new lessons > Issues and sources relatively stable and well understood Confidential Property of Schneider Electric Applied Rigor > Primary focus is on external threats > Relatively new field > Limited standards, spotty regulations > Varied application and attention > Information less likely to be shared > Issues and sources continually changing and not well understood > A Cyber incident can cause a safety incident Controlled Reaction 4

5 Operational Integrity depends on: Asset Owners > Responsible to operate & maintain systems Automation Equipment Suppliers > Deliver safe, secure & reliable products System Integrators > Engineer & implement safe, secure & reliable systems Confidential Property of Schneider Electric 5

6 But. If everything is not working together, with the same goals in mind.. Disaster can occur e.g. Turkish pipeline blast CAPECO fire (Caribbean Petroleum Corp.) Link to CSB Report Confidential Property of Schneider Electric 6 "Caribbean Petroleum Corporation Disaster" by CSB

7 From the boardroom down companies must ask themselves these three questions: 1 Do we understand what could go wrong? 2 Do we know what systems we have in place to prevent this from happening? 3 Do we have the information to assure us they are working effectively? Confidential Property of Schneider Electric 7 Health and Safety Executive (HSE)

8 All roles need to work together with Security AND Safety in mind Suppliers Design and Manufacture COTS Control Systems Asset Owners Operate and Maintain Site Specific Systems Integrators/Asset Owners Engineer and Integrate COTS into Site Specific Systems Confidential Property of Schneider Electric 8

9 Steve Elliott Andre Ristaino John Cusimano Asset Owner Supplier Integrator 9

10 Process Design Identify Hazards Consequence Analysis Layer of Protection Analysis Develop Non-SIS Layers Define Target SIL Document Requirements Process Hazards Analysis (PHA) Allocate Safety Functions and Protection Layers Safety Requirements Specification Management of Functional Safety Systems Lifecycle Management Confidential Property of Schneider Electric 10

11 Process Design Identify Hazards Consequence Analysis Layer of Protection Analysis Develop Non-SIS Layers Define Target SIL Document Requirements Unmitigated Risk Mitigated Risk Confidential Property of Schneider Electric 11

12 Supplier SDLA Phasesfor design and manufacture Supplier SDLA Phases Security Development Lifecycle Assurance for design and manufacture Design & Assess 1. Security Management Process 2. Security Requirements Specification 3. Security Architecture Design 4. Security Risk Assessment (Threat Model) 5. Detailed Software Design 6. Document Security Guidelines 7. Module Implementation & Verification 8. Security Integration Testing 9. Security Process Verification 10. Security Response Planning 11. Security Validation Testing 12. Security Response Execution Confidential Property of Schneider Electric 12

13 Detects & Avoids systematic design faults Audit development and maintenance processes Ensure a robust, secure development process Detects Implementation Errors / Omissions Audit components security functionality Identifies vulnerabilities in networks and devices Test components communication robustness Test for vulnerabilities Embedded Device Security Assurance (EDSA) Software Development Security Assessment (SDSA) Functional Security Assessment (FSA) Communications Robustness Testing (CRT) Confidential Property of Schneider Electric 13

14 Many companies don t have a true understanding of their cyber risk There is a lot that can be learned from process safety risk management Integrating cybersecurity into process safety is key Understanding cyber risk starts with a risk assessment Process Safety Lifecycle (ISA 84 / IEC 61511) Analysis Implementation Operation Cybersecurity Lifecycle (ISA / IEC 62443) Assess Implement Maintain Confidential Property of Schneider Electric 14

15 Help is on the way: ISA Security Risk Assessment and System Design ICS Cybersecurity Risk Assessment (a.k.a. Cyber PHA) ISA-TR Security Countermeasures Related to Safety Instrumented Systems (SIS) & Associated IACS Illustration aesolutions 2014 Confidential Property of Schneider Electric 15

16 Summary: Do we understand what could go wrong? Do we know what systems we have in place to prevent this from happening? Do we have the information to assure us they are working effectively? Asset Owner: Understand the Risk; Learn What to Protect Supplier: Create Threat Model System Integrator: Risk Assessment Confidential Property of Schneider Electric 16

17 2 Do we know what systems we have in place to prevent this from happening? Select SIS Architecture Systems Detailed Design Hardware Build Software Programming Testing Systems Installation Commissioning Full System Validation Design & Engineering Layers of Protection & Safe Guards Testing of Systems Prior to Installations Factory Acceptance Test (FAT) Systems Installation and Commissioning Systems Safety Validation Management of Functional Safety Systems Lifecycle Management Confidential Property of Schneider Electric 17

18 2 Do we know what systems we have in place to prevent this from happening? Supplier SDLA Phases Security Development Lifecycle Assurance for design and manufacture Build 1. Security Management Process 2. Security Requirements Specification 3. Security Architecture Design 4. Security Risk Assessment (Threat Model) 5. Detailed Software Design 6. Document Security Guidelines 7. Module Implementation & Verification 8. Security Integration Testing 9. Security Process Verification 10. Security Response Planning 11. Security Validation Testing 12. Security Response Execution Confidential Property of Schneider Electric 18

19 2 Do we know what systems we have in place to prevent this from happening? Asset Discovery Scan scan to discover network components Communications Robustness Test verify operation under high network load and malformed packets Network Stress Test verify that essential functions continue to operate under high network load Vulnerability Identification Test scan for the presence of known vulnerabilities using NESSUS and US Cert national vulnerability database Confidential Property of Schneider Electric 19

20 2 Do we know what systems we have in place to prevent this from happening? One of the biggest challenges industry faces is a insufficient integration of security into systems (e.g. defense-in-depth) Concepts are well recognized Slow process Engineering, implementation and testing Defense-in-Depth Confidential Property of Schneider Electric 20

21 Summary: Do we understand what could go wrong? Do we know what systems we have in place to prevent this from happening? Do we have the information to assure us they are working effectively? Asset Owner: Full System Validation Supplier: Test, Test, Test System Integrator: Integration of Security; Defense in Depth Confidential Property of Schneider Electric 21

22 Startup System Operation Bypassing & MOC Maintenance Periodic Proof Tests Modifications Systems Operation and Maintenance Systems Modification Systems Decommissioning Management of Functional Safety Systems Lifecycle Management Confidential Property of Schneider Electric 22

23 Startup System Operation Bypassing & MOC Maintenance Periodic Proof Tests Modifications Unmitigated Risk Overdue maintenance Bypass Mitigated Risk Confidential Property of Schneider Electric 23

24 Supplier SDLA Phases Security Development Lifecycle Assurance for design and manufacture Run 1. Security Management Process 2. Security Requirements Specification 3. Security Architecture Design 4. Security Risk Assessment (Threat Model) 5. Detailed Software Design 6. Document Security Guidelines 7. Module Implementation & Verification 8. Security Integration Testing 9. Security Process Verification 10. Security Response Planning 11. Security Validation Testing 12. Security Response Execution Confidential Property of Schneider Electric 24

25 Suppliers Design and Manufacture COTS Control Systems Asset Owners Operate and Maintain Site Specific Systems Integrators/Asset Owners Engineer and Integrate COTS into Site Specific Systems Confidential Property of Schneider Electric 25

26 There are plenty of security monitoring tools available Most are designed for enterprise IT Need to be tested and carefully applied to ICS systems Plant personnel need to be trained on how to use these tools to effectively detect and respond to security incidents Security Tools > Network monitoring > Host intrusion detection > Endpoint threat detection > Network intrusion detection > Network access control > Security information and event management > Application control / whitelisting > Vulnerability scanners Confidential Property of Schneider Electric 26

27 Summary: Do we understand what could go wrong? Do we know what systems we have in place to prevent this from happening? Do we have the information to assure us they are working effectively? Asset Owner: Use Risk Matrix Supplier: Security Process Verification System Integrator: Train Personnel on How to Use Monitoring Tools Confidential Property of Schneider Electric 27

28 Aligning Cyber Security and Process Safety Reduces Risk Prevent More similar than different Stronger Together Control Mitigate Safety Prevent Emergency Security Control Mitigate Approach security the same way that you do safety Emergency Confidential Property of Schneider Electric 28

29 Takeaways. What are some specific actions you can take to: Better align Cyber Security & Process Safety approaches? Confidential Property of Schneider Electric 29

30 Q & A 30

31 Where to get more information Schneider Electric ISSSource ISA Secure ae Solutions Confidential Property of Schneider Electric 31

32 John Cusimano Director of Industrial Cybersecurity aesolutions Contacts Glen Bounds Global Director, Cyber Security Services Schneider Electric Andre Ristaino Managing Director Automation Standards Compliance Institute Steve Elliott Senior Director, Offer Marketing Schneider Electric Farshad Hendi Safety Services Practice Leader Schneider Electric Confidential Property of Schneider Electric 32

33 33