Cyber Security in Automation Products




Cyber Security in Automation Products
Marco Biancardi, ABB SpA, Power System Division
11 December 2013, Rome

Why is it an issue?

Isolated devices, point-to-point interfaces, proprietary networks
Standard Ethernet/IP-based networks, interconnected systems, distributed systems

Modern SCADA, automation, protection and control systems:
- Leverage standard IT components (i.e. MS Windows, Internet Explorer)
- Use IP-based communication protocols (Internet technology)
- Are connected to external networks
- Use mobile devices and storage media

Modern control systems are specialized IT systems, with multiple vulnerabilities:
- Hacking
- Employee mistake
- Malicious software installed via USB port

IT vs Industry: different!

| | Corporate/Office IT | Utilities/Industry |
|---|---|---|
| Environment | Offices and "mobile" | "In the field" |
| People/Equipment ratio | # of equipment ~= # of people | Few people, many equipment |
| Object under protection | Information | Industrial process: availability |
| Risk impact | Information disclosure, $$$ | Safety (life), health, environment, information disclosure, loss of production, downtime, repairing costs, $$$ |
| Availability requirements | 95%-99% (accept. downtime/year: 18,25 to 3,65 days) | 99,9%-99,999% (accept. downtime/year: 8,76 hrs to 5,25 minutes) |
| System lifetime | 3-5 years | 15-30 years |
| Security focus | Central servers (CPU, memory, ...) and PC | Server/PC + distributed systems, sensors, PLC, ... |
| Operating systems | Windows | Windows + proprietary |
| Software | Consumer software, normally used on PC | Specific |
| Protocols | Well known (HTTP over TCP/IP, ...) / mainly web | Industrial (TCP/IP, vendor specific) / polling |
| Procedure | Well known (password, ...) | Specific |
| Main actors | IBM, SAP, Oracle, etc. | ABB, Siemens, GE, Honeywell, Emerson, etc. |

From Product to Plant LC

Product Lifecycle: Design, Implementation, Verification, Release, Support
Project Lifecycle: Design, Engineering, FAT, Commissioning, SAT
Plant Lifecycle: Operation, Maintenance, Review, Upgrade

Products in ABB

Security is an integrated but explicit part of our design & development processes:
- Security training for developers
- Security assessments of products
- Hardening Checklist for Project & Services to ensure Installation is done
- Engagement in cyber-security related standards

The Process in ABB

- Education: Administer and track security training
- Process: Guide product teams to meet SDL requirements
- Accountability: Establish release criteria and signoff as part of G5
- Incident response

Phases and activities:
- Training: Core training
- Requirements: Define quality gates/bug bar; analyze cyber security risk
- Design: Attack surface analysis; threat modeling
- Implementation: Specify tools; static analysis
- Verification: Verify threat models/attack surface
- Release: Response plan; final security review (FSR); release archive
- Response: Execute response plan (e.g. vulnerability handling policy)

Cyber Security Training

Security training depending on role:
- SDL Introduction Training
- Secure Design
- Threat Modeling
- Secure Coding
- Security Testing
- And more advanced training

State-of-the-art testing

- Formally established, centralized and independent security test center
- Leveraging state-of-the-art open source, commercial and proprietary robustness and vulnerability analysis tools
- Close collaboration with ABB developers, providing in-depth analysis and recommendations

Approach to system testing

- Regular system tests at Idaho National Laboratory SCADA test bed
  - First vendor to have system tested at INL SCADA test bed
  - Different systems
  - Very valuable for both ABB and customers
  - Results go back into requirements on new development and corrections
- Interoperability tests with third party solutions
  - Verify that solution does not interfere with control system
  - Document configuration and setup
  - Improve third party solutions

Patch Management

- Validation of Microsoft security updates
  - All relevant updates are tested for compatibility
  - Dedicated Security Test Lab covers supported ICS versions
- Other 3rd party SW (e.g. Adobe Reader, McAfee)
  - Released from SW vendor without schedule
  - Verified with next Microsoft Security Update
  - Verification status published the same way as Microsoft Security Updates
- Similar process for all ABB products

Vulnerability Handling

Minimize customer risk

This requires:
- Cultural change: accept that vulnerabilities exist (having a vulnerability is acceptable, improperly handling them is not!)
- Formal processes and policies
- Proper communication at the right time

ABB has established a formal process and vulnerability handling has top priority.

Stages (as listed on the slide): First Response, Initial Triage, Investigation, Remediation, Communication, Notification

To report a vulnerability: cybersecurity@ch.abb.com

marco.biancardi@it.abb.com
cybersecurity@ch.abb.com
www.abb.com/cybersecurity