Performing a Cybersecurity Risk Assessment on an IACS or SIS. Marco Ayala, aesolutions John Cusimano, aesolutions


Abstract

Assessing cybersecurity risk is generally considered one of the first and most fundamental steps in any solid IACS cybersecurity management program. ISA 99.02.01 (now ISA 62443-2-1), published in 2009, includes requirements that organizations perform both high-level and detailed cybersecurity risk assessments on all identified IACSs. These requirements were reinforced in 2014 by the NIST Cybersecurity Framework, which also specifies cybersecurity risk assessments and directly references the ISA 62443 requirements. While both of these documents require risk assessments, neither provides information on "how" to perform such an assessment. Guidance on how to perform IACS cybersecurity risk assessments is now available in the recently developed ISA 62443-3-2, "Security Risk Assessment and System Design". This presentation provides an overview of the 62443-3-2 standard and demonstrates the IACS cybersecurity risk assessment process through a chemical industry example.

Updates to 61511 Require a Security Risk Assessment

NIST Cybersecurity Framework Start with Risk Assessment

NIST CSF Mapping to ISA 62443 (columns: NIST CSF, ISA 62443)

NIST CSF Mapping to ISA 62443: IDENTIFY (ID)

Risk Assessment Requirements from ISA 62443-2-1
- Select a risk assessment methodology
- Conduct a high-level risk assessment
- Identify the industrial automation and control systems
- Develop simple network diagrams
- Prioritize systems
- Perform a detailed vulnerability assessment
- Identify a detailed risk assessment methodology
- Identify the reassessment frequency and triggering criteria
- Conduct risk assessments throughout the lifecycle of the IACS
- Document the risk assessment

ISA 62443-3-2 provides guidance on how to perform IACS cybersecurity risk assessments. Note: 62443-3-2 was balloted in Oct. 2015. It did not receive the necessary 2/3 majority to pass. The authoring committee is processing comments and will reissue for ballot in 2016.

ISA 62443-3-2 Table of Contents

Primary Workflow (figure; steps with their inputs and outputs)

1. Identify the System Under Consideration (SuC) (Section 4.1)
   Input: initial system architecture diagrams and inventory
   Output: updated system architecture diagrams and inventory
2. Conduct a High-Level Cybersecurity Risk Assessment (Section 4.2)
   Inputs: existing PHAs and other relevant risk assessments; corporate risk matrix with Security Level Targets
   Output: initial Security Level Target for the SuC
3. Partition the SuC into Zones and Conduits (Section 4.3)
   Inputs: standards and best practices, supplier guidelines, criticality assessments, functional specifications, etc.
   Output: initial zone and conduit diagram
4. Perform a Detailed Cybersecurity Risk Assessment of Each Zone and Conduit (Section 5.0)
   Output: residual cybersecurity risk and Security Level Targets for each zone and conduit
5. Document Security Requirements, Assumptions and Constraints (Section 4.4)
   Inputs: company policies, regulations, tolerable risk guidelines, etc.
   Output: Cybersecurity Requirements Specification (CRS)

Establishing Zones and Conduits: Requirements

Definition of System-under-Consideration (SuC): The organization shall clearly define the System-under-Consideration (SuC), including a clear definition of the boundary and all access points to the SuC.

Perform high-level risk assessment: The organization shall perform a high-level cybersecurity risk assessment of the SuC (per ISA99.02.01:2009 Clause 4.2.3.1-4) to identify the worst-case unmitigated risk that the SuC presents to the organization.

Establishment of Zones and Conduits: The organization shall establish zones and conduits by grouping IACS and related assets based upon the results of the high-level cybersecurity risk assessment. Grouping may also be based on criteria such as criticality of assets, operational function, physical or logical location, required access (i.e. least privilege principles) or responsible organization.

Separation of Business and Control System Zones: IACS assets shall be grouped into zones that are separate from business or enterprise system assets.

Separation of Safety Instrumented System (SIS) Zones: SIS assets should be grouped into zones that are separate from zones with non-SIS assets.

Separation of temporarily connected devices: Devices that are permitted to make temporary connections to the SuC should be grouped into a separate zone(s) from IACS assets.

Separation of Wireless Communications: Wireless communications should be in one or more zones that are separated from wired communications.

Separation of Devices Connected Via Untrusted Networks: Devices that are permitted to make connections to the SuC via untrusted networks (e.g. remote access) should be grouped into a separate zone(s).

Zone and Conduit Drawings: The organization shall produce a drawing or a set of drawings that illustrates the zone and conduit partitioning of the entire SuC. All IACS assets in the SuC must be assigned to a zone or a conduit.

Documentation of Zone and Conduit Characteristics: The following items shall be documented for each defined zone and conduit:
- Name and/or unique identifier
- Logical boundary
- Physical boundary, if applicable
- List of all access points and associated boundary devices
- List of data flows associated with each access point
- Connected zones or conduits
- List of assets and associated consequences
- Applicable security requirements
- Security Level Target
- Applicable security policies
- Assumptions and external dependencies

Cybersecurity requirements specification (CRS): A CRS shall be created to document mandatory security functions of the SuC based on the outcome of the detailed risk assessment, as well as general security requirements based upon company or site specific policies, standards and relevant regulations.

SuC Description: A high-level description and depiction of the System under Consideration shall be included in the CRS. At a minimum, the CRS shall include the name, a high-level description of the function and the intended usage of the SuC, as well as a description of the equipment or process under control. An illustration of the SuC and the associated dataflows and process flows should be included.

Operating Environment Assumptions: The CRS shall identify and document the physical and logical environment in which the SuC is located or planned to be located.

Threat Landscape: The CRS shall include a description of the threat landscape that impacts the SuC. The description shall include the source(s) of threat intelligence and include both current and emerging threats.

Mandatory Security Functions: Security functions and features that implement the organizational security policies shall be included in the security requirements specification.

Tolerable Risk: The organization's tolerable risk for the SuC shall be included in the security requirements specification.

Regulatory Requirements: Any relevant cybersecurity regulatory requirements with which the SuC must comply shall be included in the security requirements specification.

Detailed Cyber Risk Assessment Process (figure; source: ISA 62443-3-2 Draft 5 Edit 2; each step with its inputs and outputs)

1. Identify Threats (Section 5.1)
   Inputs: historical data and other threat information sources
   Output: list of threats
2. Identify Vulnerabilities (Section 5.2)
   Inputs: vulnerability assessment, prior audits, vulnerability databases, etc.
   Output: list of vulnerabilities
3. Determine Consequences & Impact (Section 5.3)
   Inputs: existing PHAs, other risk assessments
   Output: assessment of impact
4. Determine Likelihood (Section 5.4)
   Inputs: lists of threats and vulnerabilities
   Output: assessment of likelihood
5. Calculate Unmitigated Cybersecurity Risk (Section 5.5)
   Inputs: likelihood, impact, corporate risk matrix
   Output: assessment of unmitigated cybersecurity risk
6. Determine Security Level Target (Section 5.6)
   Input: corporate risk matrix with tolerable risk
   Output: Security Level Target
7. Consider Existing Countermeasures (Section 5.7)
   Output: list of countermeasures
8. Re-evaluate Likelihood and Impact (Section 5.8)
   Input: [updated] list of countermeasures
   Output: updated likelihood and impact assessment
9. Calculate Residual Cybersecurity Risk (Section 5.9)
   Inputs: updated likelihood, impact and corporate risk matrix
   Output: residual cybersecurity risk
10. All Risks Mitigated or Below Tolerable Risk? (Section 5.10)
    No: Apply Additional Security Countermeasures (Section 5.11), producing an updated list of countermeasures, and return to step 8
    Yes: continue to step 11
11. Document Results (Section 5.12)
    Output: detailed risk assessment report

Ethylene Oxide Example

Example HAZOP

Loss of agitation
  Causes: motor failure with false indication
  Consequences: possible explosion due to unmixed oxides
  Safeguards: SIS, rupture disks, pressure relief valves

High temperature
  Causes: loss of circulation; loss of cooling water
  Consequences: possible explosion due to runaway reaction
  Safeguards: SIS, rupture disks, pressure relief valves

High flow
  Causes: meter error resulting in excess oxide flow; pump failure with false indication
  Consequences: possible explosion due to runaway reaction; possible explosion due to unmixed oxides
  Safeguards: SIS, rupture disks, pressure relief valves

Example System Architecture Diagram (figure; components shown)
Corporate Data Center: Historian, ERP; WAN; Eng Laptop; Plant Staff Laptops; Control Room: Printer, Operator 1, Operator 2, Operator 3, Eng Workstation, Router; Equipment Room: Tag Server A, Tag Server B, Batch; Tank Farm / Loading & Unloading: BPCS, SIS

Partition the System into Zones and Conduits (figure; the same components partitioned into an Enterprise Zone containing the Corporate Data Center, a Plant Business Zone, a Process Control Zone, and an SIS Zone containing the SIS)

Example Risk Matrix (risk score = likelihood x impact)

Likelihood levels:
1 Improbable: virtually improbable and unrealistic; event could occur at some time greater than 100 years
2 Rare: conceivably possible, but very unlikely to occur; event could occur at some time within 10 to 100 years
3 Unlikely: unusual but possible; has occurred or is expected to occur within 5 to 10 years
4 Possible: quite possible or not unusual; has occurred or is expected to occur within 1 to 5 years
5 Likely: likely to occur; event expected to occur more than once per year

Impact levels (Safety / Environment / Financial / Reputation):
1 Trivial: medical treatment, minor health effects, first aid case, or less / no off-site impact / potential equipment or asset damage or financial loss < $100K USD / no harm or slight client concern
2 Minor: medical treatment with restricted duty or medium health effects / one odor or noise complaint from event / potential equipment or asset damage or financial loss $100K to $1M / minor harm to the Company's public reputation, or client concern
3 Moderate: serious illness or injury resulting in days away from work (LTI), or a permanent partial disability / on-site or off-site environmental release to soil/ground, or multiple odor or noise complaints from event / potential equipment or asset damage or financial loss $1M to $10M / harm to the Company's reputation limited to the local area via local public media reports or local industry news; significant client concern
4 Major: illness or injury resulting in one fatality, or permanent full disability / on-site or off-site environmental release to surface water / potential equipment or asset damage or financial loss $10M to $100M / harm to the Company's reputation extends to the region through regional or national public media outlets or national industry or financial news; multiple significant client concerns
5 Critical: illness or injury resulting in multiple (2+) fatalities / major off-site impact (vapor cloud explosion, fire, major toxic gas release, major off-site environmental release, wildlife kill) / potential equipment or asset damage or financial loss > $100M / harm to the Company's reputation extends internationally through public media outlets or negative publicity in international industry or financial news; global client concerns

Risk score grid (rows: impact 1-5; columns: likelihood 1-5):
Impact 1:  1  2  3  4  5
Impact 2:  2  4  6  8 10
Impact 3:  3  6  9 12 15
Impact 4:  4  8 12 16 20
Impact 5:  5 10 15 20 25

Example ICS Cyber Risk Assessment Worksheet

Zone: Process Control Zone. Threat source: authorized personnel. Worksheet columns for each threat scenario: vulnerabilities; consequence description; impact (S = safety, E = environment, F = financial, R = reputation, Max); UTL (unmitigated threat likelihood) and risk; SL-T; existing countermeasures with MTL (mitigated threat likelihood) and risk; recommendations with ATL (threat likelihood after recommendations) and risk.

Scenario 1: Inserts USB into Operator Station with general malware
  Vulnerabilities: OS computers are in the Control Room; USB ports are not blocked or disabled; Autorun not disabled; no antivirus
  Consequences: denial of service on operator station that spreads to all OS on PCN; all OS and servers need to be rebuilt; 24-72 hours downtime; rework batch; supply chain impact
  Impact: S 1, E 1, F 2, R 3, Max 3; UTL 5; Risk 15; SL-T 2
  Existing countermeasures: policies and procedures; MTL 5; Risk 15
  Recommendations: disable unused USB ports (e.g. GPO, registry, SEP, etc.); relocate OS computers to the server room and KVM to the Control Room; segment the Tag & Batch servers and EWS from the PCN and Control LAN (e.g. eliminate all dual-homed computers); install and maintain antivirus; stricter enforcement of policies; upgrade OS and application software to a supported version
  ATL 2; Risk 6

Scenario 2: Inserts USB into Operator Station with targeted malware
  Vulnerabilities: as Scenario 1
  Consequences: loss of control with potential compromise of the safety of the process; runaway reaction leading to explosion
  Impact: S 5, E 5, F 5, R 5, Max 5; UTL 2; Risk 10; SL-T 1
  Existing countermeasures: policies and procedures; MTL 2; Risk 10
  Recommendations: disable unused USB ports (e.g. GPO, registry, SEP, etc.); relocate OS computers to the server room and KVM to the Control Room; segment the Tag & Batch servers and EWS from the PCN and Control LAN (e.g. eliminate all dual-homed computers); install and maintain antivirus; stricter enforcement of policies
  ATL 1; Risk 5

Scenario 3: Plugs laptop infected with general malware into the Control LAN
  Vulnerabilities: unused ports on Control LAN switch are enabled; no policy governing use of laptops; no antivirus on Tag and Batch servers; lack of segmentation allows for propagation
  Consequences: as Scenario 1
  Impact: S 1, E 1, F 2, R 3, Max 3; UTL 4; Risk 12; SL-T 2
  Existing countermeasures: laptops are running a supported OS, are patched and running antivirus; MTL 4; Risk 12
  Recommendations: develop policies to prohibit use of laptops on the Control LAN; block unused ports on the Control LAN switch; segment the Tag & Batch servers and EWS from the PCN and Control LAN (e.g. eliminate all dual-homed computers); install and maintain antivirus
  ATL 1; Risk 3

Scenario 4: Plugs laptop infected with targeted malware into the Control LAN
  Vulnerabilities: as Scenario 3
  Consequences: as Scenario 2
  Impact: S 5, E 5, F 5, R 5, Max 5; UTL 2; Risk 10; SL-T 1
  Existing countermeasures: laptops are running a supported OS, are patched and running antivirus; MTL 2; Risk 10
  Recommendations: as Scenario 3
  ATL 1; Risk 5

Scenario 5: Engineer remotes into the EWS from the Plant Business Zone using VNC and makes changes without knowledge of current process conditions
  Vulnerabilities: by default VNC credentials are in "clear text"; VNC file transfer capabilities; EWS is dual-homed; no lock-out on VNC
  Consequences: possible process upset or modification leading to loss of batch
  Impact: S 1, E 1, F 2, R 1, Max 2; UTL 4; Risk 8; SL-T 1; MTL 4; Risk 8
  Recommendations: develop and enforce an MoC process; eliminate VNC

Scenario 6: Unauthorized person uses the VNC credentials to gain access to the EWS
  Vulnerabilities: as Scenario 5
  Consequences: loss of control with potential compromise of the safety of the process; runaway reaction leading to explosion
  Impact: S 5, E 5, F 5, R 5, Max 5; UTL 3; Risk 15; SL-T 2; MTL 3; Risk 15
  Recommendations: develop and enforce an MoC process; eliminate VNC
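The arithmetic behind the example risk matrix and the worksheet above, as an added illustration that is not code from the original slides. It takes the matrix rule risk = likelihood x impact with the worst of the four impact categories, as the worksheet does; the tolerable-risk score of 6 and the risk-to-SL-T bands are assumptions (the slides state neither rule, the bands merely agree with the worksheet's values), and the two scenario rows are constructed from the worksheet.

```python
"""Detailed cyber risk calculation in the style of the ISA 62443-3-2 worksheet.
Added example; the tolerable risk and SL-T bands are assumptions, not from the slides."""
from dataclasses import dataclass
from typing import Dict, List

# Likelihood and impact levels of the example corporate risk matrix (1..5).
LIKELIHOOD = {1: "Improbable", 2: "Rare", 3: "Unlikely", 4: "Possible", 5: "Likely"}
IMPACT = {1: "Trivial", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Critical"}

# ASSUMPTION: the slides give no tolerable-risk score; 6 is illustrative.
TOLERABLE_RISK = 6


def risk_score(likelihood: int, impact: int) -> int:
    """One cell of the 5x5 corporate risk matrix: risk = likelihood x impact."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be integer levels 1..5")
    return likelihood * impact


def security_level_target(unmitigated_risk: int) -> int:
    """ASSUMPTION: the worksheet shows risk 8 -> SL-T 1, 10 -> 1, 12 -> 2, 15 -> 2
    but states no rule; these bands only agree with those four data points."""
    if unmitigated_risk <= 10:
        return 1
    if unmitigated_risk <= 15:
        return 2
    if unmitigated_risk <= 20:
        return 3
    return 4


@dataclass
class Scenario:
    """One worksheet row: impact per category plus the three likelihoods
    (UTL unmitigated, MTL with existing countermeasures, ATL after recommendations)."""
    name: str
    impact: Dict[str, int]  # keys S, E, F, R: safety, environment, financial, reputation
    utl: int
    mtl: int
    atl: int

    def max_impact(self) -> int:
        # The worksheet rates each category separately and keeps the worst one.
        return max(self.impact.values())

    def unmitigated_risk(self) -> int:  # Section 5.5
        return risk_score(self.utl, self.max_impact())

    def mitigated_risk(self) -> int:  # Section 5.9 with existing countermeasures
        return risk_score(self.mtl, self.max_impact())

    def recommended_risk(self) -> int:  # Section 5.9 after Section 5.11 additions
        return risk_score(self.atl, self.max_impact())


def assess(scenarios: List[Scenario], tolerable: int = TOLERABLE_RISK) -> List[dict]:
    """Section 5.10 decision per scenario: residual risk after the recommended
    countermeasures must be at or below tolerable risk, otherwise more are needed."""
    rows = []
    for s in scenarios:
        rows.append({
            "scenario": s.name,
            "sl_t": security_level_target(s.unmitigated_risk()),
            "unmitigated": s.unmitigated_risk(),
            "mitigated": s.mitigated_risk(),
            "residual": s.recommended_risk(),
            "needs_more_countermeasures": s.recommended_risk() > tolerable,
        })
    return rows


# Constructed input: scenarios 1 and 2 of the Process Control Zone worksheet.
WORKSHEET = [
    Scenario("USB with general malware into operator station",
             {"S": 1, "E": 1, "F": 2, "R": 3}, utl=5, mtl=5, atl=2),
    Scenario("USB with targeted malware into operator station",
             {"S": 5, "E": 5, "F": 5, "R": 5}, utl=2, mtl=2, atl=1),
]

if __name__ == "__main__":
    for row in assess(WORKSHEET):
        print(row)
```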

Cybersecurity Strategy Considerations
- Assemble a core team
  - Internal: cross-functional (IT, Operations, Engineering, HSE, Corporate Security)
  - External partner: experience, reputation; external benchmarks, independent view; core focus, proven work process
- Standards-based approach: ISA 99.02 / IEC 62443, NIST
- Develop an as-built model of the entire system
- Phased approach (high-level assessment first)
- Cross-training opportunity / common language (e.g. field trip)
- Document deliverables
- Sustainable processes and systems

Conclusion: With Good Risk Information You Can
- Determine which plants/processes need to be addressed first
- Intelligently design and apply countermeasures (e.g. network segmentation, access controls, hardening, detection, etc.) to reduce risk
- Prioritize activities and resources
- Evaluate countermeasures based upon their effectiveness versus their cost/complexity