ABB's approach concerning IS Security for Automation Systems




Copyright 2006 ABB. All rights reserved.
Stefan Kubik stefan.kubik@de.abb.com

The problem
- Most manufacturing facilities are more connected (and more vulnerable) than their owners and operators may think
- Off-the-shelf technology has often been deployed without an adequate understanding of the impact on risk
- Neither Information Systems nor Process Control departments have all the required skills
- Problems are similar but not identical
- Requirements on availability, performance, and immediate access
- Failures may cause endangerment of employee, public, and environmental safety
- This is not just a matter of technology: it's about people, relationships, organizations, and processes

2005 ABB - 2

The problem
A dramatic development from relatively few primarily internally initiated security incidents to large volumes of externally initiated incidents
[Figure: two charts labelled "- 2000" and "2000-2003"]
Source: The Myths and Facts behind Cyber Security Risks for Industrial Control Systems, Eric Byres, BCIT

The problem
World-Wide Attack Trends
[Figure: Malicious Code Infection Attempts and Network Intrusion Attempts, 1996-2003. Annotations: Polymorphic Viruses (Tequila); Mass Mailer Viruses (Love Letter/Melissa); Zombies; Denial of Service (Yahoo!, eBay); Blended Threats (Code Red, Nimda, Slammer)]
Source: CERT

Security is not just a technical solution
[Diagram. Labels as extracted: Security Policy Responsibilities Information Security Organization Personnel Job Definitions Training Incident Handling Secure Areas General Controls Equipment Physical Security Process Control Security Access Control User Authorities Firewall Configuration IT Security Monitoring Audits Legal Security Policy Compliance Administration Maintenance Procedures Security Updates System Updates]

Security Solutions
- There is no single solution that is effective for all organizations and applications
- Security begins and ends with human behavior
- 100% security is not feasible
[Diagram labels: Physical Security; Organization; Compliance; Process Control Security; Personnel; Administration & Maintenance; Access Control]
Like safety, security is a continuous process, not a once and for all technology solution!

Security is a Continuous Process
[Cycle diagram labels: Risk Analysis; Audit; Policy; Administration; Implementation]
Goals:
- Long-term strategy
- Consistent processes
- Appropriate technology
- Qualified and motivated people

Security Solutions
Risk reduction should be balanced against the cost of security measures to mitigate the risk
risk = (probability of successful attack) x (potential consequences)

Security Solutions
[Diagram labels: Security; Usability; Low Cost]

Security Solutions
- Most (but not all) attacks use known weaknesses
- Most (but not all) hackers go after easy targets
- Basic security measures can prevent casual attacks
- Protection against determined attacks may require extensive security measures
- Multilayered solutions providing defense-in-depth
- Prevention + Detection + Response

Good Practices
- Develop a security policy
- Define clear organizational responsibilities
- Plan for incident response, including how to recover from potential disasters
- Regularly audit security systems and procedures, and compliance with the security policy
- Use anti-virus SW
- Keep the system updated
- Use the concept of security zones
Security begins and ends with human behavior!

Security Zones
- Different zones for different security levels
- Resources in same zone have the same minimum level of trust
- Access between zones only through secure interconnections
Zones:
- Corporate network: Available to all employees
- Site intranet: Available to local employees
- Automation system: Available to operators and process and control engineers

Network Security Zones
- A high security zone should be small and independent
- Separate domain
- Connect to external networks only if absolutely necessary
- Limit traffic through firewalls to what's absolutely necessary
- Apply the principle of minimum privileges
- Monitor for intrusion attempts
- Restrict use of laptops and portable memory devices
  - Scan for viruses immediately before connecting
- Use strict procedures for SW updates
  - Check origin and scan for viruses before introducing
- No e-mail, instant messaging, or internet surfing in high security zones

Network Security Zones - Example
[Figure]
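The zone rules above (access between zones only through secure interconnections, firewall traffic limited to what is necessary, no e-mail or web from the high security zone) expressed as a default-deny audit over flow records. This is an added example, not ABB material; the address ranges, ports, services and flow records are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan for the three zones named on the slides.
ZONES = {
    "corporate": ip_network("10.0.0.0/16"),
    "site_intranet": ip_network("10.10.0.0/24"),
    "automation": ip_network("10.20.0.0/24"),
}
HIGH_SECURITY = {"automation"}

# Secure interconnections (src zone, dst zone, dst port); services are assumed.
CONDUITS = {
    ("site_intranet", "automation", 4840),  # assumed: OPC UA data access
    ("automation", "site_intranet", 514),   # assumed: syslog to a collector
    ("corporate", "site_intranet", 443),    # assumed: reporting portal
}

# E-mail and web ports, never allowed out of a high security zone.
MAIL_WEB_PORTS = {25, 80, 110, 143, 443, 587, 993, 995}

def zone_of(addr):
    """Map an address to its zone; anything unlisted is external."""
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "external")

def audit(flows):
    """Return (src, dst, port, reason) for every flow that breaks policy."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "external":
            continue  # same zone, same minimum level of trust
        if sz in HIGH_SECURITY and port in MAIL_WEB_PORTS:
            findings.append((src, dst, port, "mail/web from high security zone"))
        elif (sz, dz, port) not in CONDUITS:
            findings.append((src, dst, port, f"no conduit {sz}->{dz}"))
    return findings

# Constructed flow records (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.0.11", 4840),    # permitted conduit
    ("10.0.3.9", "10.20.0.11", 3389),     # corporate directly into automation
    ("10.20.0.11", "203.0.113.10", 443),  # web access from automation
    ("10.20.0.11", "10.20.0.12", 502),    # intra-zone traffic
    ("10.20.0.11", "10.10.0.20", 514),    # permitted conduit
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Anything not listed as a conduit is reported, so the allowlist doubles as documentation of which firewall rules are actually needed.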

Security is ultimately the user's responsibility
- Proper implementation, configuration, operation, and maintenance of security procedures and equipment is the responsibility of the user of the automation system
- Effective security solutions require support from
  - Automation System and Solution vendors
  - Operating system provider

The SD3 Security Framework
Secure by Design
- Development processes that specifically address security
- Conscious efforts to analyze threats and to identify and remove vulnerabilities
Secure by Default
- By default the system presents a minimal attack surface after installation
- Secure default settings, turn off unused features,
Secure in Deployment
- User documentation and training to ensure that the system is installed, configured, and operated in a secure way
- Adequate features for
  - Detection of and defense against attacks
  - Disaster recovery
  - Secure system management

ABB's contribution
- Quality Management System for secure product development
  - Threat analysis
  - Secure coding practices
  - Checklist based design and code reviews
  - Quality assurance testing
  - Penetration testing
- Product features designed to regulatory requirements
  - Role and location based security on object and attribute level
  - Re-authentication, Double authentication, Log over
  - Audit trail, Digital signatures
- Automated system installation
  - Secure default settings, incl. Windows hardening

ABB's contribution
- Validation of Microsoft security updates
  - All relevant updates are tested for compatibility
  - Result available within 2-7 days
- Anti-virus SW configuration guidelines
- Security related configuration advice, guidelines, and consulting services
More information at www.abb.com > Control Systems > Security

ABB's Security Packages
[Diagram. Labels as extracted: Consulting Policy Solution Maintenance Security Workshop Risk Assessment Security Training Notification and Update Service Policy implementation Automation Network Security Audit Technology Solutions Disaster Recovery Plan Site to Site Security Workplace Wireless LAN Remote IT Security Enterprise Connection Services Remote Access Antivirus & Patch Management]

Summary
- The security of manufacturing and control systems becomes increasingly critical as disparate networks and systems are integrated
- Users and vendors of automation systems need to pay correspondingly increased attention to these issues
- Similar to process and safety improvements, security needs to be a continuous activity
- No security can be 100% effective, but careful planning and implementation of security measures can reduce risks to acceptable levels for each application and organization