IEC Cyber Security Capabilities

Similar documents
GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

Cyber Security for NERC CIP Version 5 Compliance

GE Measurement & Control. Cyber Security for NEI 08-09

GE Measurement & Control. Cyber Security for Industrial Controls

GE Measurement & Control. Cyber Security for NERC CIP Compliance

GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

How To Secure Your System From Cyber Attacks

CYBER SECURITY. Is your Industrial Control System prepared?

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Cisco Advanced Services for Network Security

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Industrial Security for Process Automation

TRIPWIRE NERC SOLUTION SUITE

Information Technology Branch Access Control Technical Standard

How To Manage Security On A Networked Computer System

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Security for. Industrial. Automation. Considering the PROFINET Security Guideline

Security Controls for the Autodesk 360 Managed Services

Supplier Information Security Addendum for GE Restricted Data

Payment Card Industry Data Security Standard

Retention & Destruction

Verve Security Center

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

Industrial Security Solutions

March

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

Protecting productivity with Plant Security Services

IBX Business Network Platform Information Security Controls Document Classification [Public]

Best Practices for DanPac Express Cyber Security

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Network Security Guidelines. e-governance

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Ovation Security Center Data Sheet

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

INCIDENT RESPONSE CHECKLIST

Are you prepared to be next? Invensys Cyber Security

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

Alberta Reliability Standard Cyber Security System Security Management CIP-007-AB-5

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Global Partner Management Notice

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

Ovation Security Center Data Sheet

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

Cybersecurity Health Check At A Glance

LogRhythm and PCI Compliance

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

GFI White Paper PCI-DSS compliance and GFI Software products

Data Management Policies. Sage ERP Online

Industrial Cyber Security. Complete Solutions to Protect Availability, Safety and Reliability of Industrial Facilities

Document ID. Cyber security for substation automation products and systems

Achieving PCI-Compliance through Cyberoam

Decrease your HMI/SCADA risk

ManageEngine Desktop Central Training

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Protecting Your Organisation from Targeted Cyber Intrusion

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

System Security Plan University of Texas Health Science Center School of Public Health

TECHNICAL WHITE PAPER. Symantec pcanywhere Security Recommendations

IT Security and OT Security. Understanding the Challenges

Windows Remote Access

Client Security Risk Assessment Questionnaire

Cyber Essentials Questionnaire

Best Practices for DeltaV Cyber- Security

PCI Requirements Coverage Summary Table

IT Security Procedure

This is a preview - click here to buy the full publication

CYBER SECURITY POLICY For Managers of Drinking Water Systems

Security Management. Keeping the IT Security Administrator Busy

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

74% 96 Action Items. Compliance

Network and Security Controls

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

PCI Requirements Coverage Summary Table

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Adobe Systems Incorporated

Data Security and Healthcare

FISMA / NIST REVISION 3 COMPLIANCE

Security Standard: Servers, Server-based Applications and Databases

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

How To Secure An Rsa Authentication Agent

Technology Solutions for NERC CIP Compliance June 25, 2015

Transcription:

GE Oil & Gas GEA32435A March 2016 IEC 62443-2-4 Cyber Security Capabilities

GEA32435A IEC 62443-2-4 Cyber Security Capabilities Cyber Security for IEC 62443-2-4 Standards Background IEC 62443-2-4 is a published international standard, defining cyber security capabilities that Industrial Automation and Control System (IACS) service providers may implement and offer. The standard can help asset owners consistently procure and manage control systems security expertise. IEC 62443-2-4 was developed by IEC Technical Committee 65, in collaboration with the International Instrumentation Users Association (previously WIB) and ISA 99 committee members. GE Oil & Gas Support for IEC 62443-2-4 GE hardens customer systems using a combination of technical and procedural measures that have been certified to meet IEC 62443-2-4 security standards. These standards specify a comprehensive set of security requirements for IACS installation and maintenance. This paper presents an overview of GE s hardening capabilities that meet IEC 62443-2-4 standards. ISO 27002 Support GE is prepared to support customers working toward ISO 27002 compliance. Our documented processes and best practices for cyber security are in place to support companies as they develop their own policies within this regulation framework. Through process and technology, GE has capabilities to partner with customers for 27002 compliance. Security Services and Solutions GE provides security consulting services to asset owners and operators in the oil and gas sector. We also provide technical solutions designed and tested for the industrial controls environment. Our solutions are built with security in mind, and are readily integrated into broader plant-level systems and IT architectures. Together with Wurldtech Security Technologies, GE offers certified security services for the integration and maintenance of these solutions. GE s solutions relevant to IEC 62443-2-4 include the following: SecurityST* Mark* VIe Solution and Commissioning Services This solution set is Achilles Practiced Certified Bronze. This indicates that GE has met strict cyber security best practices, including demonstrating the ability to configure and maintain the solution for secure operation. The solution is built to support best practices in security and to facilitate more efficient compliance to IEC 62443-2-4. Cyber Asset Protection (CAP) Software Update Subscription and SecurityST Appliance This solution set provides multiple capabilities to support cyber security best practices. Functionality includes centralized patch management, anti-virus/host intrusion detection updates, centralized account management, logging and event management, intrusion detection, whitelisting, and automated backup. Wurldtech OpShield Technology This solution is designed to protect critical infrastructure, control systems and operational technology (OT) assets. It monitors and blocks malicious activity and misconfiguration, providing easy-to-apply controls for network segmentation and improved visualization of the Electronic Security Perimeter. It helps mitigate the exploit of known equipment vulnerabilities as operators await vendor patches or patch maintenance windows. These solutions offer an extensive list of features and benefits that are not fully documented in this standards specifications paper. For complete solution functionality information, review solution fact sheets located on our websites: www.gemeasurement.com and www.wurldtech.com. GE s solution capabilities relevant to IEC 62443-2-4 are further specified in the following section. 2

IEC 62443-2-4 Cyber Security Capabilities GEA32435A GE s Capabilities Supporting IEC 62443-2-4 The following table provides an overview of GE s IEC 62443-2-4 supported capabilities and related functionality. Service Type GE s Cyber Security Capabilities Solution Staffing Solution Hardening staffing of automation solutions by service providers. All certification applications must include this conformance block. reducing automation solution attack surface, including risk assessments, detection of threats and vulnerabilities, and management of USB ports. GE Oil & Gas staffs a Product Security team to drive security improvements across our solutions and processes. We have various security subject matter experts to support applicable security solutions and services. Our team maintains a training plan to share security staff knowledge. The training plan identifies roles, training for those roles, and staff members identified for training. Training is conducted on a recurring basis. GE s solutions begin with security-segmented reference architecture and hardening measures designed to reduce exposure to security threats. System hardening evaluations specific to the security environment and policies of each customer are conducted. Firewall and IDS placement and their rules are specified as part of the architecture. Switches can be locked down. Unnecessary ports, services, and programs are removed or disabled from workstations, servers, and controllers, thus eliminating them as an avenue of attack. Workstations employ session locking for protection while unoccupied. Identification of missing security patches is automated. Workstations and servers employ anti-virus software and capabilities for validating and installing the latest virus definition files. Procedures ensure that portable media used during integration and maintenance are authorized, virus-free, and not used for other purposes. Network security and robustness testing is conducted on products used in solutions to ensure reliability and integrity. 3

GEA32435A IEC 62443-2-4 Cyber Security Capabilities Service Type GE s Cyber Security Capabilities Network Security User Security supporting the segmentation and administration of networks. supporting the administration of operating system security and user accounts. GE has a documented network security architecture that can be tailored to customer needs. Secure remote access connectivity is customized upon request, typically through a combination of RDP firewalls and access controls. SecurityST supports administration of network devices and enforces two-way authentication and encryption of network administration traffic. Our network security architecture segments the plant network from the control system by a firewall and Intrusion Detection System (IDS) configured with recommended rules. Cyber Asset Protection (CAP) Subscription Service and SecurityST include Host Intrusion Detection (HIDs) and anti-virus. SecurityST also includes Network Intrusion Detection (NIDs). Our network security architecture protects internal interfaces with managed switches that can be locked down. Wireless access is prohibited on the control system network. Our control systems are designed and installed to reduce interactions between networks, specifically the supervisory/hmi network, the control network, and I/O networks. The I/O network, where control system I/O is located, is physically separated from all other networks. SecurityST provides centralized, role-based access control for both Windows workstations/servers through Active Directory servers running on redundant domain controllers. Active Directory centralizes management of user accounts and machines, as well as provides additional security constraints for managing functional isolation. RADIUS servers integrate with Active Directory to control access to nondomain based elements (such as network switches, firewalls, and NIDs). SecurityST ships preconfigured with a default set of devices, users/passwords, and groups to which both new and default users/devices are assigned. Groups represent roles of users and devices and define an appropriate set of privileges and restrictions for them. Default passwords are configured to be changed on first use to ensure they do not become part of the operational system. In addition, we recommend local and domain user passwords be configured to automatically expire after a set interval. With Active Directory, users will be prompted to change passwords prior to expiration. GE removes all temporary accounts used to deploy or maintain the system once they are no longer needed, and further recommends that all unnecessary accounts, such as back-door, super-user, and guest accounts be removed or disabled prior to system operation. 4

IEC 62443-2-4 Cyber Security Capabilities GEA32435A Service Type GE s Cyber Security Capabilities Application Security Security Information and Event Management (SIEM) specific control and monitoring features of the automation solution. supporting the management of security-related information and events, generally for the purpose of security incident handling and forensics. Configuration of the delivered solution, including architecture drawings and component version numbers, is maintained throughout the solution lifecycle with a combination of automated and manual procedures. Two-way authentication and encryption for HMI access to the Mark VIe controllers is provided by the SecurityST Certificate Authority Server. Configuration of control system parameters is provided through downloads to the Mark* VIe controller. ControlST* and Cimplicity* software enforce rules for development of these downloads. SecurityST User Security limits the ability to create and perform downloads to authorized users at HMI workstations. Configuration downloads set value ranges for runtime parameters, such as setpoints, to ensure operators are unable to dynamically set them to unsafe or undesirable values. Historians can be configured to collect runtime data and events to support process analysis and security forensics. Data collected can be compared to previous values to determine where changes have occurred in the system. The changes can be analyzed and corrective or approval actions can be taken. GE s Product Incident Response team follows a formal process for notifying customers of vulnerabilities discovered in its products. A SIEM system provides a customizable, comprehensive logging and report generation capability. The SIEM supports logical grouping of managed assets, providing the ability to create customizable reports based on event types. The SIEM includes HMI security logs from GE s ICS and security event logs for network equipment, such as logon and logoff and configuration change events. For example, unsuccessful login attempts are logged for HMIs and networking devices (NIDs, firewall, switches, etc.). The SIEM logs NIDs, HIDs and anti-virus security monitoring activities. These logs capture events associated with information flows to help operators with real-time detection and notification of malicious activity. The Mark VIe and SecurityST solution also logs state changes and provides standard event reporting interfaces that provide secure event notification. Custom SIEM reports can be easily generated to support event correlation and review, allowing for rapid incident response. We will work with the customer to define the SIEM logging policy and fine tune event correlation based on defined types of events across user roles, origin host, impacted host, application, alerts on unauthorized or suspicious activity, and other measurements for audit log reduction. 5

GEA32435A IEC 62443-2-4 Cyber Security Capabilities Service Type GE s Cyber Security Capabilities Patch Management Backup/Restore supporting the validation and installation of security patches. supporting the backup and restore functions of the automation solution and its components. SecurityST provides a centralized service to audit and deploy security patches. The SecurityST patching service lab tests and validates all patches for compatibility with the Mark VIe and SecurityST solution before patches are released. GE provides documentation on the SecurityST patching service, including recommended and documented rollout procedures, patching procedures process, workarounds for unapproved patches, and mitigation strategies. Patches are provided monthly via DVD to prevent unnecessary opening of network ports and services required for online distribution. DVDs are distributed using tamper-evident seals and are scanned upon arrival at the customer site. The CAP Patch Applicability report defines criticality information, time required for update and if a reboot is necessary. SecurityST provides documentation for the backup/restore of computers, networking devices, and other components, including scheduling of backups. GE provides a Backup Architecture document that describes storage of onsite backups and provides recommendations for offsite storage. Encryption of backups and their archives is supported. SecurityST provides scripts for configuring and customizing backup configurations. Instructions are provided for adding new components and creating additional backup plans. SecurityST backup capabilities are designed to operate during normal plant operations. The bandwidth of the backups is set to minimize network resources. 6

IEC 62443-2-4 Cyber Security Capabilities GEA32435A 7

Imagination at work For more information please contact: GE Oil & Gas North America: 1-888-943-2272; 1-540-387-8726 Latin America (Brazil): +55-11-3958-0098 Europe (France): +33-2-72-249901 Asia/China (Singapore): +65-6622 1623 Africa/India/Middle East (U.A.E.): +971-2-699 7119 Email: ControlsConnect@ge.com Customer Portal: ge-controlsconnect.com 1800 Nelson Road Longmont, CO, USA 80501 www.gemeasurement.com/machinery-control 2016 General Electric Company. All rights reserved. *Trademark of the General Electric Company. Wurldtech is a trademark of the General Electric Company. Achilles is a registered trademark of Wurldtech Security Technologies Inc. GEA32435A (05/2016)

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information