Cyber Security in Automation Products
Marco Biancardi, ABB SpA, Power System Division
11 December 2013, Rome
Why is it an issue?
Isolated devices; point-to-point interfaces; proprietary networks; standard Ethernet/IP-based networks; interconnected systems; distributed systems
Modern SCADA, automation, protection and control systems:
- Leverage standard IT components (e.g. MS Windows, Internet Explorer)
- Use IP-based communication protocols ("Internet technology")
- Are connected to external networks
- Use mobile devices and storage media
Modern control systems are specialized IT systems, with multiple vulnerabilities
Hacking; employee mistake; malicious software installed via USB port
IT vs Industry: different!
Aspect | Corporate/Office IT | Utilities/Industry
Environment | Offices and «mobile» | «in the field»
People/Equipment ratio | # of equipment ~= # of people | Few people, much equipment
Object under protection | Information | Industrial process: availability
Risk impact | Information disclosure, $$$ | Safety (life), health, environment, information disclosure, loss of production, downtime, repair costs, $$$
Availability requirements | 95%-99% (accept. downtime/year: 18,25 to 3,65 days) | 99,9%-99,999% (accept. downtime/year: 8,76 hrs to 5,25 minutes)
System lifetime | 3-5 years | 15-30 years
Security focus | Central servers (CPU, memory, …) and PC | Server/PC + distributed systems, sensors, PLC, …
Operating systems | Windows | Windows + proprietary
Software | Consumer software, normally used on PC | Specific
Protocols | Well known (HTTP over TCP/IP, …) / mainly web | Industrial (TCP/IP, vendor specific) / polling
Procedure | Well known (password, …) | Specific
Main actors | IBM, SAP, Oracle, etc. | ABB, Siemens, GE, Honeywell, Emerson, etc.
From Product to Plant LC
Product Lifecycle: Design, Implementation, Verification, Release, Support
Project Lifecycle: Design, Engineering, FAT, Commissioning, SAT
Plant Lifecycle: Operation, Maintenance, Review, Upgrade
Products in ABB
Security is an integrated but explicit part of our design & development processes:
- Security training for developers
- Security assessments of products
- Hardening Checklist for Project & Services to ensure Installation is done
- Engagement in cyber-security related standards
The Process in ABB
Education: Administer and track security training
Process: Guide product teams to meet SDL requirements
Accountability: Establish release criteria and signoff as part of G5
Incident response
Training, Requirements, Design, Implementation, Verification, Release, Response
Core training; Define quality gates/bug bar; Analyze cyber security risk; Attack surface analysis; Threat modeling; Specify tools; Static analysis; Verify threat models/attack surface; Response plan; Final security review (FSR); Release archive; Execute response plan (e.g. vulnerability handling policy)
Cyber Security Training
Security training depending on role:
- SDL Introduction Training
- Secure Design
- Threat Modeling
- Secure Coding
- Security Testing
- And more advanced training
State-of-the-art testing
- Formally established, centralized and independent security test center
- Leveraging state-of-the-art open source, commercial and proprietary robustness and vulnerability analysis tools
- Close collaboration with ABB developers providing in-depth analysis and recommendations
Approach to system testing
Regular system tests at Idaho National Laboratory SCADA test bed
- First vendor to have system tested at INL SCADA test bed
- Different systems
- Very valuable for both ABB and customers
- Results go back into requirements on new development and corrections
Interoperability tests with third party solutions
- Verify that solution does not interfere with control system
- Document configuration and setup
- Improve third party solutions
Patch Management
Validation of Microsoft security updates
- All relevant updates are tested for compatibility
- Dedicated Security Test Lab covers supported ICS versions
Other 3rd party SW (e.g. Adobe Reader, McAfee)
- Released from SW vendor without schedule
- Verified with next Microsoft Security Update
- Verification status published the same way as Microsoft Security Updates
Similar process for all ABB products
Vulnerability Handling
Minimize customer risk
This requires:
- Cultural change: accept that vulnerabilities exist (having a vulnerability is acceptable, improperly handling them is not!)
- Formal processes and policies
- Proper communication at the right time
ABB has established a formal process and vulnerability handling has top priority
First Response; Initial Triage; Investigation; Remediation; Communication; Notification
To report a vulnerability: cybersecurity@ch.abb.com
marco.biancardi@it.abb.com cybersecurity@ch.abb.com www.abb.com/cybersecurity