Performing a Cybersecurity Risk Assessment on an IACS or SIS. Marco Ayala, aesolutions John Cusimano, aesolutions

Transcription

1 Performing a Cybersecurity Risk Assessment on an IACS or SIS Marco Ayala, aesolutions John Cusimano, aesolutions

2 Abstract Assessing cybersecurity risk is generally considered to be one of the first and most fundamental steps in any solid IACS cybersecurity management program. ISA (now ISA ) published in 2009 includes requirements that organizations perform both high-level and detailed cybersecurity risk assessments on all identified IACSs. These requirements were reinforced in 2014 by the NIST Cybersecurity Framework that also specifies cybersecurity risk assessments and directly references the ISA requirements. While both of these documents require risk assessments neither provide information regarding "how" to perform such an assessment. Guidance on how to perform IACS cybersecurity risk assessments is now available in the recently developed ISA , "Security Risk Assessment and System Design This presentation will provide an overview of the standard and demonstrate the IACS cybersecurity risk assessment process through a chemical industry example.

3 Updates to Require a Security Risk Assessment

4 Updates to Require a Security Risk Assessment

5 NIST Cybersecurity Framework Start with Risk Assessment

6 NIST CSF Mapping to ISA NIST CSF ISA 62443

7 NIST CFS Mapping to ISA IDENTIFY (ID) IDENTIFY (ID)

8 Risk Assessment Requirements from ISA Select a risk assessment methodology Conduct a high-level risk assessment Identify the industrial automation and control systems Develop simple network diagrams Prioritize systems Perform a detailed vulnerability assessment Identify a detailed risk assessment methodology Identify the reassessment frequency and triggering criteria Conduct risk assessments throughout the lifecycle of the IACS Document the risk assessment

9 ISA provide guidance on how to perform IACS cybersecurity risk assessments Note: was balloted in Oct It did not receive the necessary 2/3 majority to pass. The authoring committee is processing comments and will reissue tor ballot in 2016.

10 ISA Table of Contents

11 Primary Workflow Start Initial System Architecture Diagrams and Inventory Identify System Under Consideration (SUC) (Section 4.1) Updated System Architecture Diagrams and Inventory Existing PHAs and other relevant risk assessments and Corporate Risk Matrix with Security Level Targets Conduct a High-Level Cybersecurity Risk Assessment (Section 4.2) Initial Security Level Target for SuC Standards and best practices, supplier guidelines, criticality assessments, functional specifications, etc. Partition the SUC into Zones & Conduits (Section 4.3) Initial Zone and Conduit Diagram LEGEND: Perform Detailed Cybersecurity Risk Assessment of Each Zone & Conduit (Section 5.0) Residual Cybersecurity Risk and Security Level Targets for each Zone & Conduit Company policies, regulations, tolerable risk guidelines, etc. Document Security Requirements, Assumptions and Constraints (Section 4.4) Cybersecurity Requirements Specification (CRS)

12 Establishing Zones and Conduits Requirements Description Definition of System-under- Consideration (SuC) Perform high-level risk assessment Establishment of Zones and Conduits Requirement The organization shall clearly define the System-under-Consideration (SuC) including clear definition of the boundary and all access points to the SuC. The organization shall perform a high-level cybersecurity risk assessment of the SuC (per ISA : 2009 Clause ) to identify the worst-case unmitigated risk that the SuC presents to the organization. The organization shall establish zones and conduits by grouping IACS and related assets based upon the results of the high-level cybersecurity risk assessment. Grouping may also be based on criteria such as criticality of assets, operational function, physical or logical location, required access (i.e. least privilege principals) or responsible organization.

13 Description Separation of Business and Control System Zones Separation of Safety Instrumented System (SIS) Zones Separation of temporarily connected devices Separation of Wireless Communications Separation of Devices Connected Via Untrusted Networks Requirement IACS assets shall be grouped into zones that are separate from business or enterprise system assets. SIS assets should be grouped into zones that are separate from zones with non-sis assets. Devices that are permitted to make temporary connections to the SuC should be grouped into a separate zone(s) from IACS assets. Wireless communications should be in one or more zones that are separated from wired communications. Devices that are permitted to make connections to the SuC via untrusted networks (e.g. remote access) should be grouped into a separate zone(s).

14 Description Zone and Conduit Drawings Documentation of Zone and Conduit Characteristics Requirement The organization shall produce a drawing or a set of drawings that illustrates the zone and conduit partitioning of the entire SuC. All IACS assets in the SuC must be assigned to a zone or a conduit. The following items shall be documented for each defined zone and conduit: Name and/or unique identifier Logical boundary Physical boundary, if applicable List of all access points and associated boundary devices List of data flows associated with each access point Connected zones or conduits List of assets and associated consequences Applicable security requirements Security Level Target Applicable security policies Assumptions and external dependencies

15 Description Cybersecurity requirements specification (CRS) Requirement A CRS shall be created to document mandatory security functions of the SuC based on the outcome of the detailed risk assessment as well as general security requirements based upon company or site specific policies, standards and relevant regulations. SuC Description A high level description and depiction of the System under Consideration shall be included in the CRS. At a minimum, the CRS shall include the name, a high-level description of the function and the intended usage of the SuC as well as a description of the equipment or process under control. An illustration of the SuC and the associated dataflows and process flows should be included.

16 Description Operating Environment Assumptions Threat Landscape Mandatory Security Functions Tolerable Risk Regulatory Requirements Requirement The CRS shall identify and document the physical and logical environment in which the SuC is located or planned to be located. The CRS shall include a description of the threat landscape that impacts the SuC. The description shall include the source(s) of threat intelligence and include both current and emerging threats. Security functions and features that implement the organizational security policies shall be included in the security requirements specification. The organization s tolerable risk for the SuC shall be included in the security requirements specification. Any relevant cybersecurity regulatory requirements with which the SuC must comply shall be included in the security requirements specification.

17 Detailed Cyber Risk Assessment Process Start Consider Existing Countermeasures (Section 5.7) List of Countermeasures Historical data and other threat information sources Identify Threats (Section 5.1) List of threats [updated] List of Countermeasures Re-evaluate Likelihood and Impact (Section 5.8) Updated likelihood and impact assessment Vulnerability assessment, prior audits, vulnerability databases, etc. Identify Vulnerabilities (Section 5.2) List of vulnerabilities Updated likelihood, impact and Corporate Risk Matrix Calculate Residual Cybersecurity Risk (Section 5.9) Residual Cybersecurity Risk Existing PHAs, other risk assessments Determine Consequences & Impact (Section 5.3) Assessment of impact All Risks Mitigated or Below Tolerable Risk (Section 5.10) No Apply Additional Security Countermeasures (Section 5.11) Updated List of Countermeausures Yes Lists of threats and vulnerabilities Determine Likelihood (Section 5.4) Assessment of likelihood Document Results (Section 5.12) Detailed Risk Assessment Report Likelihood, Impact, Corporate Risk Matrix Calculate Unmitigated Cybersecurity Risk (Section 5.5) Assessment of unmitigated cybersecurity risk Source: ISA Draft 5 Edit 2 Corporate Risk Matrix with Tolerable Risk Determine Security Level Target (Section 5.6) Security Level Target

18 Start Historical data and other threat information sources Identify Threats (Section 5.1) List of threats Vulnerability assessment, prior audits, vulnerability databases, etc. Identify Vulnerabilities (Section 5.2) List of vulnerabilities Existing PHAs, other risk assessments Determine Consequences & Impact (Section 5.3) Assessment of impact Lists of threats and vulnerabilities Determine Likelihood (Section 5.4) Assessment of likelihood Likelihood, Impact, Corporate Risk Calculate Unmitigated Assessment of unmitigated

19 Existing PHAs, other risk assessments Determine Consequences & Impact (Section 5.3) Assessment of impact Lists of threats and vulnerabilities Determine Likelihood (Section 5.4) Assessment of likelihood Likelihood, Impact, Corporate Risk Matrix Calculate Unmitigated Cybersecurity Risk (Section 5.5) Assessment of unmitigated cybersecurity risk Corporate Risk Matrix with Tolerable Risk Determine Security Level Target (Section 5.6) Security Level Target

20 Consider Existing Countermeasures (Section 5.7) List of Countermeasures [updated] List of Countermeasures Re-evaluate Likelihood and Impact (Section 5.8) Updated likelihood and impact assessment Updated likelihood, impact and Corporate Risk Matrix Calculate Residual Cybersecurity Risk (Section 5.9) Residual Cybersecurity Risk All Risks Mitigated or Below Tolerable Risk (Section 5.10) No Apply Additional Security Countermeasures (Section 5.11) Updated List of Countermeausures Yes Document Results (Section 5.12) Detailed Risk Assessment Report

21 Ethylene Oxide Example

22 Example HAZOP Deviation Causes Consequences Safeguards Motor failure Possible explosion SIS, Rupture disks, Loss of agitation with false due to unmixed Pressure relief valves indication oxides High Temperature High Flow Loss of circulation Loss of cooling water Meter error resulting in excess oxide flow Pump failure with false indication Possible explosion due to runaway reaction Possible explosion due to runaway reaction Possible explosion due to unmixed oxides SIS, Rupture disks, Pressure relief valves SIS, Rupture disks, Pressure relief valves SIS, Rupture disks, Pressure relief valves

23 Example System Architecture Diagram Corporate Data Center Historian ERP WAN Eng Laptop Plant Staff Laptops Control Room Printer Operator 1 Operator 2 Operator 3 Eng Workstation Router Equipment Room Tag Server A Tag Server B Batch Tank Farm / Loading & Unloading BPCS SIS

24 Partition the System into Zones and Conduits Corporate Data Center ENTERPRIZE ZONE Historian ERP PROCESS CONTROL ZONE WAN PLANT BUSINESS ZONE Eng Laptop Plant Staff Laptops Control Room Printer Operator 1 Operator 2 Operator 3 Eng Workstation Router Equipment Room Tag Server A Tag Server B Batch SIS ZONE Tank Farm / Loading & Unloading BPCS SIS

25 Example Risk Matrix Safety Environment Financial Reputation Chance Frequency g Virtually improbable and unrealistic Event could occur at some time greater than 100 years 1 Improbable Conceivably possible, but very unlikely to occur Event could occur at some time within 10 to 100 years 2 Rare Likelihood Unusual but possible Quite possible or not unusual Has occurred Has occurred or is expected or is expected to occur within to occur within 5 to 10 years 1 to 5 years 3 Unlikely 4 Possible g Likely to occur Event expected to occur more than once per year 5 Likely Medical Treatment, Minor Health Effects, First Aid Case, or Less No off site impact Potential equipment or asset damage or financial loss < $100K USD No harm or slight client concern 1 Trivial Medical Treatment with Restricted Duty or Medium Health Effects One odor or noise complaint from event Potential equipment or asset damage or financial loss $100K to $ 1M Minor harm to the Company's public reputation; or client concern 2 Minor Impact Serious illness or injury resulting in days away from work [LTI]; or a permanent partial Disability On-site or off-site environmental release to soil/ground or multiple odor or noise complaints from event Potential equipment or asset damage or financial loss $1M to $10M Harm to the Company's reputation limited to the local area via local public media reports or local industry news; significant client concern 3 Moderate Illness or injury resulting in one fatality; or permanent full disability Illness or injury resulting in multiple (2+) fatalities. On-site or off-site environmental release to surface water Major off-site impact (vapor cloud explosion, fire, major toxic gas release, major offsite environmental release, wildllife kill) Potential equipment or asset damage or financial loss $10M to $100M Potential equipment or asset damage or financial loss >$100M Harm to the Company's reputation extends to the region through regional or national public media outlets or national industry or financial news; multiple significant client concerns Harm to the Company's reputation extends internationally through public media outlets or negative publicity in international industry or financial news; global client concerns 4 Major 5 Critical

26 Example ICS Cyber Risk Assessment Worksheet Zone Process Control Zone Threat Source Authorized personnel Threat Scenario Threat Action Inserts USB into Operator Station with general malware Inserts USB into Operator Station with targeted malware Plugs laptop infected with general malware into the Control LAN Plugs laptop infected with targeted malware into the Control LAN Engineer remotes into the EWS from the Plant Business Zone using VNC and makes changes without knowledge of current process conditions Unauthorized person uses the VNC credentials to gain access to EWS Vulnerabilities * OS Computers are in the Control Room * USB Ports are not blocked or disabled * Autorun not disabled * No antivirus * OS Computers are in the Control Room * USB Ports are not blocked or disabled * Autorun not disabled * No antivirus * Unused ports on Control LAN switch are enabled * No policy governing use of laptops * No antivirus on Tag and Batch servers * Lack of segmentation allows for propogation * Unused ports on Control LAN switch are enabled * No policy governing use of laptops * No antivirus on Tag and Batch servers * Lack of segmentation allows for propogation * By default VNC credentials are in "clear text" * VNC file transfer capabilities * EWS is dual-homed * No lock-out on VNC Consequence Consequence Description * Denial of service on operator station that spreads to all OS on PCN * All OS and Servers need to be rebuilt * hours downtime * Rework batch * Supply chain impact * Loss of control with potential compromise of the safety of the process * Runaway reaction leading to explosion * Denial of service on operator station that spreads to all OS on PCN * All OS and Servers need to be rebuilt * hours downtime * Rework batch * Supply chain impact * Loss of control with potential compromise of the safety of the process * Runaway reaction leading to explosion * Possible process upset or modification leading to loss of batch * Loss of control with potential compromise of the safety of the process * Runaway reaction leading to explosion Impact S E F R Max UTL Risk SL-T Countermeasures MTL Risk * Policies and procedures * Policies and procedures * Laptops are running a supported OS, are patched and running antivirus 4 12 * Laptops are running a supported OS, are patched and running antivirus Recommendations ATL Risk * Disable unused USB ports (e.g. GPO, registry, SEP, etc.) * Relocate OS computers to the server room and KVM to Control Room * Segment the Tag & Batch servers and EWS from the PCN and Control LAN (e.g. eliminate all dual-homed computers) 2 6 * Install and maintain Antivirus * Stricter enforcement of policies * Upgrade OS and application software to supported version * Disable unused USB ports (e.g. GPO, registry, SEP, etc.) * Relocate OS computers to the server room and KVM to Control Room * Segment the Tag & Batch servers and EWS from the PCN and Control LAN (e.g. eliminate all dual-homed computers) * Install and maintain Antivirus Stricter enforcement of policies 1 5 * Develop policies to prohibit use of laptops on Control LAN * Block unused ports on Control LAN switch * Segment the Tag & Batch servers and EWS from the PCN and Control LAN (e.g. eliminate all dual-homed computers) * Install and maintain Antivirus 1 3 * Develop policies to prohibit use of laptops on Control LAN * Block unused ports on Control LAN switch * Segment the Tag & Batch servers and EWS from the PCN and Control LAN (e.g. eliminate all dual-homed computers) * Install and maintain Antivirus * Develop and enforce MoC process * Eliminate VNC * Develop and enforce MoC process * Eliminate VNC #VALUE! #VALUE! 1 2 5

27 Cybersecurity Strategy Considerations Assemble Core Team Internal Cross functional (IT, Operations, Engineering, HSE, Corp Security) External Partner Experience, Reputation External benchmarks, Independent view Core focus, proven work process Standards based approach ISA 99.02/ IEC 62443, NIST Develop an as-built model of the entire system Phased Approach (High Level Assessment first) Cross training opportunity/ common language(e.g. field trip) Document deliverables Sustainable processes and systems

28 Conclusion With Good Risk Information You Can Determine what plants/processes need to be addressed first Intelligently design and apply countermeasures (e.g. network segmentation, access controls, hardening, detection, etc.) to reduce risk Prioritize activities and resources Evaluate countermeasures based upon their effectiveness of versus their cost/complexity