Roadmaps to Securing Industrial Control Systems




Mark Heard, Eastman Chemical Company
Rockwell Automation Process Solutions User Group (PSUG), November 14-15, 2011, Chicago, IL, McCormick Place West
Copyright 2011 Rockwell Automation, Inc. All rights reserved.

Presenter
Mark Heard, Eastman Chemical Company
- Recovering control system engineer
- Experience with several kinds of automation systems, especially networking with other plant systems
- General interest in security and administration issues for ICS
- Work on Eastman cybersecurity teams: Process Control Network Security (2003-), Network Segmentation (2004-), Cybersecurity Vulnerability Assessment (2005-), Process Automation Systems Authentication (2006-), Systems Integrity (2008-), IT Security Team (2011-)
- Working with ISA S99 and the ACC Cybersecurity Program (formerly through ChemITC and CIDX) since 2002

What is an ICS Security Roadmap?
A structured set of priorities, milestones and goals that address security requirements specific to Industrial Control Systems (ICS), over a 10-year timeframe.

Published Roadmaps
Energy Sector (revised Sep-11): "The 2011 Roadmap takes the necessary steps to strengthen the security and reliability of our country's electric grid, in a climate of increasingly sophisticated cyber incidents. This update marks a continued effort by public and private energy sector stakeholders to reduce cyber vulnerabilities that could disrupt the nation's ability to deliver power and energy."

Published Roadmaps (continued)
- Water Sector
- Chemical Sector
- Dams
Draft/Approval:
- Nuclear
- Cross-Sector (recognizing and mapping commonality between sector documents), by the Department of Homeland Security's Industrial Control Systems Joint Working Group

Roadmap Strategies
- Build a Culture of Security
- Assess, Monitor and Mitigate Risk
- Develop and Implement New Protective Measures to Reduce Risk
- Manage Incidents
- Sustain Security Improvements
Applied to each stakeholder group: Asset Owner/Operators, Vendors/Solution Providers, Research/Academia, Government, Regulators/Standards Organizations

Common Goals Across Roadmaps
- Measure and Assess Security Posture
- Assess Risk
- Develop and Integrate Protective Measures
- Develop and Deploy ICS Security Programs
- Detect Intrusion and Implement Response Strategies
- Develop and Implement Risk Mitigation Measures
- Sustain Security Improvements
- Partnership and Outreach
- Secure-by-Design

Why do We Care?
- ICS are increasingly interconnected to other plant and business systems
- ICS vendors continue to rapidly incorporate standard Information Technology into their products
- These trends expose the ICS to modern malware threats
Potential consequences of an ICS cyber incident can include:
- Reduction or loss of production at one site, or at multiple sites simultaneously
- Injury or death of employees
- Injury or death of persons in the community
- Damage to equipment
- Release, diversion, or theft of hazardous materials
- Impact to the company's reputation in the community

The Risk is Real!!
- Federal agencies reported 30,000 incidents to US-CERT during fiscal year 2009 [U.S. Government Accountability Office report, 6/16/2010], a >400% increase over what was reported in 2006
- 2010 CIP Survey conducted by Symantec: 60% of cyber attacks were somewhat to extremely effective; the average cost of an attack was estimated at $850,000
- Significant increase in Advanced Persistent Threat (APT) activity
- Stuxnet signaled a paradigm shift in ICS cyber threats: it demonstrated that ICS are susceptible to increasingly sophisticated cyber-attacks

Chemical Sector Roadmap
- The voice of the sector on improvements to control systems security
- Published September 2009, following sign-off by the Chemical Sector Coordinating Council
- A structured set of priorities spanning a 10-year timeframe, specific to the needs of Industrial Control Systems (ICS) in the Chemical Sector
- www.us-cert.gov/control_systems/pdf/chemsec_roadmap.pdf

Roadmap Vision
In 10 years, the layers of defense for industrial control systems managing critical applications will be designed, installed and maintained, commensurate with risk, to operate with no loss of critical function during and after a cyber event.
Scope
- Industrial Control Systems (ICS) in chemical facilities that are part of the critical infrastructure
- Possible implications for ICS vendors
- Connections to other systems are included if they impact ICS risk

Chemical Sector Roadmap Implementation Working Group
- Established December 2010
- Roadmap Implementation Manager: Catalyst 35, under ACC contract
- CSCC: American Chemistry Council (ACC), National Petrochemical & Refiners Association (NPRA)
- DHS: DHS National Cyber Security Division - Control Systems Security Program; DHS Chemical SSA
- Owners/Operators: AkzoNobel, Dow Chemical, Infineum, DuPont, Eastman Chemical, Western Refining, Exxon Mobil, Air Products, Ashland
- Vendors: Computer Sciences Corporation (CSC)

Roadmap Implementation
In Partnership with DHS
- The DHS Sector Specific Agency (SSA) is supporting our efforts
- Utilizing the Homeland Security Information Network (HSIN) to share working documents
- Focusing on milestones identified for the first two years
Comprehensive Awareness Package
- Collected a wealth of resources/reference information
- Designed to assist owners/operators in addressing ICS security
- Providing speakers at various conferences across the U.S.
Metrics: working on creating Roadmap metrics
Secure Information Sharing: developing a matrix of current forums
Website: in design stage

Roadmap Objectives
- Long term: improved ICS security across the chemical sector
- Immediate: build awareness across the chemical sector and the ICS vendor community of the resources available to assist the sector in realizing its long-term objective

Awareness Campaign Focus Areas
- Developing a Business Case for investing in ICS security
- Conducting an ICS Security Assessment
- Training for employees who work in the ICS environment
- Implementing existing standards
- Complying with existing Chemical Facility Anti-Terrorism Standards (CFATS) regulations
- Leveraging best practices, wherever possible not Chemical sector specific

Developing a Business Case
- The protection of ICS from cyber security threats requires resources and personnel to plan, develop and implement needed security measures
- Companies must develop a business case for investing in ICS security
- A business rationale for justifying this investment is currently under development, authored by the Industrial Control Systems Joint Working Group
- Goal is to provide guidance for developing a business case
- Contact: icsjwg@dhs.gov

Awareness Materials
- Case for Action
- Cyber Security Evaluation Tool (CSET)
- Cyber Security Tabletop Exercise (TTX)
- Procurement language
- ICS Security Training Resource
- ICS-CERT and Cyber Incident Response
- Industry standards and additional relevant guidance

A Case for Action
The chemical industry dedicates immense time and resources toward ensuring the safety of its personnel, customers, and surrounding community; but in today's environment of growing cyber threats, a chemical plant is not safe unless its control systems are secure. One of the trends emerging in the current environment of cost efficiencies is the move from delivery of ICS on proprietary system platforms to open system platforms. These open platforms carry a greater level of cyber risk, because the threats that target them are growing rapidly.

CSET - Cyber Security Evaluation Tool
- Available from the Department of Homeland Security
- Assists organizations in protecting their key national cyber assets
- Developed under the direction of the DHS National Cyber Security Division (NCSD) by cybersecurity experts, with assistance from the National Institute of Standards and Technology
- Provides a systematic and repeatable approach for assessing the security posture of cyber systems and networks
- Includes both high-level and detailed questions related to all industrial control and IT systems

Procurement Language
Department of Homeland Security, Cyber Security Procurement Language for Control Systems: provides sample recommended language for control systems security requirements, including:
- New SCADA/control systems
- Upgrading legacy systems
- Maintenance contracts
- Information and personnel security

ICS Training Resources, Chemical Sector
- Compiled by the Roadmap Implementation Working Group
- Designed for owner/operators in the process control and automation industries
- Lists selected and representative security trainings, but is not a comprehensive list
- Organized by level of difficulty (intro, intermediate, advanced)
- Includes links to relevant websites, for ease of training access

Who Can Benefit from this Training?
- ICS Operations: routinely interact with the ICS environment
- Security Managers: have primary responsibility for securing ICS
- Engineers: responsible for design and configuration of ICS functionality
- IT Personnel: have responsibility for operation and support of the IT infrastructure supporting the ICS

Leveraging Existing Standards
ANSI/ISA99 / IEC 62443, Industrial Automation and Control Systems Security
- A series of 11 standards and technical reports
- Addresses all aspects of ICS security
- 3 work products have been published; several others are available in draft form for review and comment
ISO/IEC 15408-1:2009 (Common Criteria, Part 1)
- Establishes general concepts and principles of IT security evaluation
- Specifies the general model of evaluation given by its various parts
- Is intended to be used as the basis for evaluation of security properties of IT products

Additional Guidance
- ACC Guidance for Addressing Cyber Security in the Chemical Sector
- DHS Catalog of Control Systems Security: Recommendations for Standards Developers
- NIST Special Publication (SP) 800-82, Guide to Industrial Control Systems (ICS) Security, final public draft, September 29, 2008
- NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009
- NERC Critical Infrastructure Protection standards CIP-002 through CIP-009

What Can You Do?
- Pick up a DVD and a Case for Action to take with you
- Review the information shared today
- Bring this issue to the attention of your engineering and manufacturing management
- Ask key questions about how your company is addressing ICS security
And as you begin:

Tips for Getting Started
- Ensure one person takes ownership of ICS security and is accountable.
- Open the lines of communication between engineering, security, IT, process safety and manufacturing operations within your own company.
- Conduct an audit of current ICS security measures and implement obvious fixes.
- Follow up with an ICS security vulnerability analysis (risk assessment).
- Implement an ICS security management program that is integrated with existing company management systems for security, safety, quality, etc.
- Keep in touch by emailing chemicalsector@dhs.gov for additional information.
- Become an advocate in your company on this important issue!
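The "audit, implement obvious fixes, then do a risk assessment" steps above say what to do but not how the two inputs the talk keeps returning to (interconnection with plant and business systems as the exposure driver, and the list of incident consequences as the impact driver) combine into a ranking. The following is an added example, not code from the presentation, from Eastman, or from Rockwell: a toy asset ranking in Python. The zone graph, the asset inventory, the consequence weights and the hop-to-exposure mapping are all constructed assumptions for illustration; a real assessment would take them from the site's network documentation and process hazard analysis.

```python
"""Toy ICS risk ranking: exposure (network reachability) x consequence.

Added example with constructed data; zones, links, assets and weights are
assumptions, not anything from the presentation.
"""
from collections import deque
from dataclasses import dataclass

# Constructed sample zone model (assumption): directed edges are permitted network paths.
ZONE_LINKS = {
    "internet": ["business"],
    "business": ["dmz"],       # business network reaches the plant DMZ
    "dmz": ["control"],        # e.g. historian replication path into the control network
    "control": ["safety"],     # engineering workstation can reach the safety system
}

# Consequence weights (assumption) for the outcome categories the talk lists.
CONSEQUENCE_WEIGHT = {
    "production_loss_single_site": 2,
    "production_loss_multi_site": 3,
    "equipment_damage": 3,
    "hazmat_release": 5,
    "injury_or_death": 5,
    "reputation": 1,
}


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    consequences: tuple  # outcome categories if this asset is compromised


def hops_from(source, links):
    """Breadth-first search over the zone graph: zone -> number of hops from source."""
    hops = {source: 0}
    queue = deque([source])
    while queue:
        zone = queue.popleft()
        for nxt in links.get(zone, ()):
            if nxt not in hops:
                hops[nxt] = hops[zone] + 1
                queue.append(nxt)
    return hops


def exposure(zone, hops):
    """Exposure on a 1..5 scale: fewer hops from the internet means more exposed.

    A zone with no permitted path still scores 1, not 0: the talk's own example,
    Stuxnet, reached its target without a network path (removable media, insiders,
    supply chain), so segmentation lowers exposure but never removes it.
    """
    if zone not in hops:
        return 1
    return min(5, max(2, 6 - hops[zone]))


def consequence(asset):
    """The worst-case outcome drives the score; an unknown category is a data error."""
    return max(CONSEQUENCE_WEIGHT[c] for c in asset.consequences)


def rank_assets(assets, links):
    """Return [(name, exposure, consequence, score)] sorted worst-first, then by name."""
    hops = hops_from("internet", links)
    rows = []
    for a in assets:
        e, c = exposure(a.zone, hops), consequence(a)
        rows.append((a.name, e, c, e * c))
    return sorted(rows, key=lambda r: (-r[3], r[0]))


def without_link(links, src, dst):
    """Model an 'obvious fix' such as removing a DMZ-to-control path; returns a new graph."""
    return {z: [n for n in ns if not (z == src and n == dst)] for z, ns in links.items()}


SAMPLE_ASSETS = (  # constructed inventory (assumption)
    Asset("reactor-PLC-1", "control", ("hazmat_release", "production_loss_single_site")),
    Asset("SIS-logic-solver", "safety", ("injury_or_death",)),
    Asset("historian", "dmz", ("production_loss_single_site",)),
    Asset("engineering-workstation", "control", ("equipment_damage", "production_loss_multi_site")),
)

if __name__ == "__main__":
    scenarios = (
        ("as found", ZONE_LINKS),
        ("dmz->control link removed", without_link(ZONE_LINKS, "dmz", "control")),
    )
    for label, links in scenarios:
        print(label)
        for name, e, c, s in rank_assets(SAMPLE_ASSETS, links):
            print(f"  {name:24} exposure={e} consequence={c} score={s:2}")
```

Running it as found puts the reactor PLC first (reachable in three hops from the internet, hazardous-material consequence); removing the DMZ-to-control path drops the control and safety zones to the floor exposure of 1, so the historian in the DMZ becomes the top item while the PLC and SIS keep a non-zero score. That residual score is the caveat the Stuxnet slide makes: a segmentation fix changes the ranking, it does not close the assessment.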
