An IACS user viewpoint for Cyber Security Management System

Transcription

1 An IACS user viewpoint for Cyber Security Management System 15-Jul-2014 Hironobu Takeda Mitsubishi Chemical Engineering Corporation IACS : Industrial Automation and control System Agenda Why Cyber Security Management System? How to build CSMS(1) What to do at first How to build CSMS(2) Risk assessment How to build CSMS(3) Key points, remarks

2 Objects you should protect for IACS Cyber Security For Cyber security Management System is indispensable in addition to technical protection of hard/software What to protect? CSMS HSE(Health, Safety, Environment) Priority : Availability I>C ISMS Information assets Priority : A<I<Confidentiality CSMS : Cyber Security Management System ISMS : Information Security Management System

3 Effort to P.A. system security up to CSMS In-house PA Network security guidelines(the first edition,2009) - by Work Gr. among process control tech. Grs. of four plants Outline of in-house PA network security guidelines Clarifying PA NW security management section Ideal network configuration Guidance of firewall setting Remarks about PA network usage Change control. FW registration review on a regular basis User education PA : Process automation, FW : Firewall Check, Action was insufficient after established it. PDCA cycle delayed, and far from procedure unification

4 Motive of the CSMS Activity Motive of participation of CSMS pilot authentication project (*1) 1Current issues: IACS Cyber Security Maintenance and sophistication Enhancement of IACS cyber security by following management system based on IEC Investment for the future (from standpoint as a system integrator) 3Business Preparation for clients demand in the future like SIS (Safety instrument system), especially on overseas work Early acquisition of IACS Cyber Security techniques Making company reputation better e.g. CSR, BCP Expansion of business scope Consultation IACS : Industrial Automation and control System CSR : Corporate social responsibility BCP : Business continuity plan (*1) METI 2013

5 Cyber Security Management System Continuous brushing up of security measures is necessary. Gathering information, orchestration Other sections Suppliers, external experts Clarification of object scope Maintenance Education Organization Incident response Object scope Change management Risk evaluation Improvement Risk countermeasures Technical response System enhancement Rule of network usage Standards Check list Evidence of the activity Raising consciousness and knowledge acquirement Consistent emergence of vulnerability and threat Update and apply new countermeasures.

6 Outline of IACS cyber security standard IEC62443 series outline Manufacturer, user System integrator standardization Evaluation, Certification Management, operation Standardization target Generalpurpose control system Petroleum and chemical plant System for special use Power Technology supply system Smart grid Railway sysytem Organization Components, devices Suppliers System Component The source : IPA/Information-technology Promotion Agency Japan HP Standard map for control system Explanatory notes International standard Industry-wide standard

7 To obtain leadership support Business rationale Detailed control Develop a business rationale Detailed control The organization should develop a high-level business rationale, as a basis for its effort to manage IACS cyber security, which addresses the unique dependence of the organization on IACS Clarify business rationale and obtain executive s support Leadership commitment and support Authorizing the team carrying it out

8 Scope of CSMS Common Historian OA PC The scope of CSMS OA Network FW PA network PDB OPC APC Computer terminal in control room This CSMS covers both Kashima and Mizushima plants PDB:Plant database APC:Advanced process control system OPC:OPC server of DCS OA:Office automation

9 Project team Aug-2013 ~ The CSMS certification pilot project team is as follows. Project manager (1 person)communication to the executive Office staffs (2 persons) General affairs Operation leader (1 person) Development of standards. Reconciliation in views Promoters in site(1 prsn/site)operation for CSMS in site Technical support members(2 persons) Technical support. In-house auditing Getting support from the Information system section and facilities maintenance section by communicating appropriately

10 Top level activities for establishing a CSMS Initiate CSMS program High-level risk assessment Establish policy, organization and awareness Maintain the CSMS Detailed risk assessment Select and implement countermeasures The source:iec Annex B A rational risk evaluation brings a feeling of assent Standardize a risk estimation method. Design a management plan based on the risk estimation.

11 High-level risk assessment Conduct a high-level risk assessment A high-level system risk assessment shall be performed to understand the financial and HSE consequences in the event that availability, integrity, or confidentiality of the IACS is compromised Identify the IACS The organization shall identify the various IACS, gather data about the devices to characterize the nature of the security risk and group the devices into logical systems. Classify Managed IACS information assets into categories based on each character. Classify common vulnerable items into each IACS category - Operational management, human mistake, environment and virus, etc. points of view Assume and recognize average risk from each viewpoint.

12 Detailed risk assessment Inventory IACS systems, Networks and devices Screen and prioritize High-level risk assessment Identify detailed vulnerabilities Identify and prioritize associated risks Update high level risk assessment The source:iec Annex B

13 Detailed risk assessment Integrate physical, HSE and cyber security risk assessment results The results of physical, HSE and cyber security risk assessments shall be integrated to understand the assets overall risk Conduct risk assessments throughout the lifecycle of the IACS Risk assessments shall be conducted through all stages of the technology lifecycle including developments, implementation, changes and retirement.

14 Informational asset inventory Plant name Category of IACS group Asset name Priority of the information asset Priority about Availability, Integrity, Confidentiality etc. Incorporate a viewpoint of HSE into priority evaluation. e.g. Influence on safety, environment, production, quality when the information asset fails.

15 Detailed risk assessment in Operate detailed risk assessment based on the high-level risk assessment that is carried out in each IACS category and on characteristics of each information asset. Example of characteristics of information assets Issues for setting environment of facilities e.g.: Uninhabited room. General power supply (not for instrumentation) Operational issues e.g.: Use in a large number of operators Regular use basis (7days24hour)

16 Determining the IACS risk rating Identify a detailed risk assessment methodology The organization s risk assessment methodology shall include methods for prioritizing detailed vulnerabilities identified in the detailed vulnerability assessment Determine the organization s tolerance for risk The organization shall determine and document its risk tolerance as a basis for creation of policy and risk management activities. Risk rating=f(priority of the information asset, residual risk) Classify risk rank from A to D. Reflect it to countermeasures

17 Risk rating and countermeasures Risk rating=f(priority of the information asset, residual risk) class A situation countermeasure B C Clarify description of risk rating Show the countermeasure to each risk rating D

18 Key points for CSMS (for the CSMS certification) What we felt through CSMS building : Build CSMS by harmonizing existing cyber security activity without denying it. On this occasion, use existing work items that can adapt to the certification standard continuously. Carry out high-level/detailed risk assessment. And determine controls to be adopted. Carry out CA in a review. And turn PDCA cycle. Check and Action Make medium-and long term plan that needs time and cost. And carry out it.

19 Remarks A frame to continue activity was made. PDCA cycle of the security maintenance and enhancement has begun rotating by CSMS operation. A rational controls with a feeling of assent were built by risk assessment. We realized a need of incident training. - Do possible training even if on the desk. - Consider about utilizing knowledge and facilities of outsource such as CSSC, especially when you need large scale training.

20 Resdidual issues Work load balance between detailed control and continuous activity - If detailed controls brings excessive work load, it influences on the activity itself. Re-check if there are excessive controls. Simplify controls in the range that does not lose standards essence. Sense of balance among risk, effect and work load is important. The review of the detailed controls is apart of PDCA in CSMS.