2012 Honeywell Users Group Asia Pacific Sustain.Ability. Industrial Control System Cyber Security 1
Honeywell Process Solutions Cyber Security Architect Global Architect Team Mike Baldi Responsible for integrating security into HPS Products, security certifications, and compliance Honeywell rep on ISA Security Compliance Institute board DHS interface for HPS 33+ years experience with HPS Lead SE for System Test ( 3 years ) Technical Assistance Center - Server/Client team lead ( 25 years ): 2
Industrial Control System Cyber Security cyber security threat landscape for ICS s Honeywell s cyber security initiatives roles / responsibilities for protecting ICS s from cyber attacks responding to cyber attacks against your ICS 3
Cyber Security threat landscape for ICS s Industrial Control System Cyber Security 4
How did we get here? Security was not a major concern when Legacy ICS systems were developed ICS system lifecycle is typically 15-20 years ICS products are incorporating COTS technology from the business IT sector (Ethernet, Windows OS, SQL, webservers, etc.) Multi-vendor solutions at most ICS sites Increasing need to share data between the enterprise, corporate, and DCS networks Lack of experienced security personnel working on ICS s History of separate IT and ICS teams 5
Business IT vs ICS systems SECURITY TOPIC Antivirus Patch Management Information Technology (IT) Very common: easily deployed and updated Easily defined; enterprise wide remote and automated Control Systems (ICS) Difficult to keep current due to risk imposed to control process Patches require exhaustive testing and qualification prior to installation on ICS s. Install lags release. Technology Support Lifetime 2-3 years; 10-20 years Change Management Security Compliance Incident Response and Forensics Physical and Environmental Security Secure Systems Development Regular and scheduled; aligned with minimum-use periods Limited regulatory oversight Easily developed and deployed; some regulatory requirements; embedded in technology Poor (office systems) to excellent (critical operations systems) Integral part of development process Strategic scheduling; non trivial process due potential impact to process Specific regulatory guidance (some sectors) Uncommon beyond system resumption activities; no forensics beyond event re-creation Good to Excellent (operations centers; guards, gates, guns) Special Has not been an integral part of ICS systems development 6
ICS challenges and security concerns Vulnerability to Denial of Service attacks Backdoors and holes in the network perimeter Devices with little or no security features (modems, legacy control devices, etc.) Common communication protocols designed without security Remote, unmanned sites with challenging physical security Database security vulnerabilities (proprietary and / or 3 rd party ) Lack of encryption and authentication Improper or nonexistent patching of software and firmware 7
ICS challenges and security concerns Unsecure coding techniques in product design Non-existent cyber security procedures Lack of control system-specific security protection / mitigation technologies Security researchers with various vulnerability disclosure practices Publicly available hacking tools make hacking easier for novices Increased outside security regulation NERC-CIP, CFATS, Pipeline Guidelines, Increase in cyber attacks against ICS s Stuxnet, Duqu, Flame, 8
9 Some typical attack vectors of ICS s
Some current headlines U.S. President Barack Obama is urging the Senate to pass the Cybersecurity Act of 2012. He believes legislation will help the U.S. fight "the cyber threat to our nation," which he calls "one of the most serious economic and national security challenges we face." July, 2012 - ZDNet Iran Oil Terminal taken offline by Cyber Attack April, 2012 - PACE magazine Pacific Northwest National Laboratory Report Reveals Dramatic Increase in Cyber Threats and Sabotage on Critical Infrastructure and Key Resources June 2012 US Dept of Energy 10
The Impact of STUXNET Provided proof-of-concept and a blueprint for hackers Exposed corporate executives, regulators and the public to the potential dangers of cyber attacks on critical infrastructure Opened the floodgates for security researchers to identify and exploit ICS vulnerabilities for financial gain 11
Project Basecamp Announced at S4 Security Conference in Jan 2012 Project Basecamp involved six researchers looking for vulnerabilities in embedded ICS devices (PLC s, RTU s, substation controllers) The researchers found backdoors, weak credential storage, ability to change ladder logic and firmware, command line interface, buffer overflows, TFTP, etc Posted results publicly releasing Nessus plugins and Metasploit modules enabling anyone to find and exploit these vulnerabilities 12 12
Cyber attacks on critical infrastructure Cyber attacks against US critical infrastructure jumped 383 % in 2011 13 13
ICS Specific Vulnerabilities Reported 2001-2011 Slide 25 from the presentation Documenting the Lost Decade An Empirical Analysis of publicly disclosed ICS vulnerabilities since 2001 by Sean McBride 14 14
Why have ICS systems become targets? They re easy targets Security wasn t designed in Running older Operating systems Embedded accounts with default passwords Systems aren t updated with security patches Notoriety / validation within security research community Community watchdogs Hacktivists Competitive advantage Nation State / Political motivation 15
Honeywell s cyber security initiatives Industrial Control System Cyber Security 16
What is Honeywell s security philosophy? Design in Security is a Key initiative at Honeywell Security designed in the product from the beginning Incorporate people, technology, and process Integrate security into our culture Defense in Depth Security at more than just the perimeter Layered / High Security Network Architecture Process Control System Cyber Electronic Physical Security is a journey - not a destination Cyber Threat landscape is continuously changing Continuous evaluation and improvements required 17
Product development process Product development Security is foundational in the product HIP process designs security into all products Security Development Lifecycle Design process is compliant with ISASecure SDSA» Threat modeling and security risk analysis is part of all projects» Static code analysis» Fuzz testing» Use and abuse case testing» Load and performance testing» Independent penetration testing 18
Product development process Product development (Continued) Experion Security Model drives security focus Security Security Core Team manages security model Security Steering Committee communication / interactive exchange on security issues impacting HPS systems HPS is investing heavily in tools, testing, and training to improve the security of our products 19
Security Training Security Requirements Incorporating Security into the Software Development Lifecycle Security Response Planning and Execution Security Architecture Design Security Validation Testing Security Risk Assessment and Threat Modeling Fuzz testing, Abuse case testing Security Coding Guidelines Security Code Reviews & Static Analysis 20 20
Continuous security improvements Short term improvement Qualification of white listing component for Experion Virtual Patching solution Virtualization R410 security improvements System mechanism to disable USB storage interface Role based access control for process data Implements separation of duties at parameter level Decouple DSA security credentials from system credentials Compartmentalizes Experion clusters Allows different mngr passwords in each cluster Remove sysadmin privileges from mngr account Allow use of user specified domain accounts 21
Application Whitelisting - overview Objective is to provide additional protection against malware, reduce system maintenance overhead and complexity, and extend the patching cycle Application Whitelisting (AWL) locks down an end node allowing only approved files to run Significantly improves security against many types of malware attacks Can extend patching cycle AWL solution must be tightly integrated into control system by ICS vendor to provide greatest protection with minimum risk AWL on Industrial Control Systems will co-exist with Anti Virus solutions 22
Patch management lifecycle Security research - (e.g. ZDI, DVlabs) ICS-CERT - Black hats - Not always a patch available - Patch is not always tested in time - Can we install? - Often reboots required - 23
Server / station protection Allow Known Good (Block All Else) Block Known Bad (Allow All Else) Unknown Execution Level Application Control Resource Shielding Behavioral Containment Application Level Application and System Hardening Anti Antivirus Virus Application Inspection Network Level Host Firewall Attack-Facing Network Inspection Vulnerability-Facing Network Inspection Gartner BL Black Listing AWL Application White Listing VP Virtual Patching (Honeywell solution - McAfee / Norton) (Honeywell solution - Bit9) (Honeywell solution - HP Tipping Point) 24
Continuous security improvements Virtualization improves operational efficiency Virtualization realizes life cycle extension Virtualization poses new security challenges Virtualization also facilitates security improvements Application virtualization (i.e. eserver) provides sandboxing Full virtualization (VMware vsphere) Improved data recovery mechanisms Improved patching mechanisms Improved virus protection mechanisms Hypervisor / Virtual Machine Monitor has small attack surface Availability of thin clients Virtualization Layer 25
External security certifications Wurldtech Achilles certification for C300, SM Achilles practices certified ( WIB ) Honeywell committed to compliance with Achilles practices when it becomes an approved IEC-62443-2.4 standard ISASecure Embedded Device Security Assessment (EDSA) Safety Manager R145 was first device to achieve EDSA certification (2011) C300 and Foundation Fieldbus Interface Module are EDSA Certified (2012) Internal evaluation of HPS products for compliance with numerous external standards: NERC-CIP, NIST_sp800_x, FERC_order_x, INGAA Cyber guidelines, TSA pipeline guidelines 26
ISA99 / IEC 62443 Structure Systems Devices 27 27
Embedded Device Security Assurance Certification Integrated Threat Analysis (ITA) Software Development Security Assurance (SDSA) Functional Security Assessment (FSA) Communications Robustness Testing (CRT) Provides a common perspective on how threat scenarios can be sufficiently covered Documents the expected resistance of the system to potential threat agents and threat scenarios Clearly documents expected user measures versus inherent product protection measures Detects and Avoids systematic design faults The vendor s software development and maintenance processes are audited Ensures the organization follows a robust, secure software development process Detects Implementation Errors / Omissions A component s security functionality is audited against its derived requirements for its target security level Ensures the product has properly implemented the security functional requirements Identifies vulnerabilities in networks and devices A component s communication robustness is tested against communication robustness requirements Tests for vulnerabilities in the 4 layers of OSI Reference Model 28 28
Benefits of ISASecure Certification Structured, auditable, repeatable approach to evaluating the security of an ICS product and the development practices of the manufacturer against an established benchmark End-user Supplier Easy to specify Build security requirement into RFP Reduced time in FAT/SAT Know security level out of the box Evaluated once Recognition for effort Build in security Product differentiator Reduce support costs Enhance credibility Assurance that automation products, systems and suppliers meet an industry recognized baseline for cyber security 29 29
Honeywell s Industrial IT Solutions Assess against industry standards, regulatory requirements and best practices Remediate focuses on the actions needed to address issues identified in the Assess phase Assure addresses methods to assure your Industrial IT solutions are functioning as designed Manage refers to the management of your Industrial IT investment, including network security 30 Evolving services and solutions for a changing Industrial IT environment
Honeywell s Industrial IT Solutions Continuous improvement of standard build Consistent security configuration Extended remote service portfolio Tested AV signature files - daily Patch analysis and consolidated patching Security incident handling, perimeter management Introduction of global service management Uniform service delivery Compliance management Full Whitelisting management and support Assure Assess Remediate Manage 31
Partnering with our customers Documenting system security configuration Includes risks that need external mitigations Rapid qualification of security updates Microsoft Adobe Network and security design services Assessment services ISA99 / CSET security audits / assessments Services offering for system security management Patch, virus protection, and data recovery management Security perimeter management Continued investment in building security skills Design consultants, project and service engineers 32
33 Security Program Dashboard
Security from design to daily operation Honeywell Process Solutions. builds Security features into our standard products, and is continuously evaluating and improving our security is committed to ISA99 and IEC-62443 standards for industrial control system security works closely with external agencies including Department of Homeland Security to improve ICS security documents secure system best practices and configurations provides timely communication of security issues to customers offers optional security features to customers who are want additional protection 34
roles / responsibilities for protecting ICS s from cyber attacks Industrial Control System Cyber Security 35
Stakeholders per phase in securing ICS s - ICS control system manufacturers / Vendors - ICS automation solution providers - System integrators and implementers - Owner/operators or end users - Local Governments Phases and Participants in a Typical ICS Project From ICSJWG Cross Vendor Position Paper 36
Layers of Responsibility End User (Security management system) System Integrator (System engineering practices, Qualified Personnel) Automation Supplier (Software Development, Vendor Practices) Automation Products (Security features, Testing) 37
Vendor / automation supplier responsibilities Execute security testing during development cycle Integrate security into development lifecycle (SDLC) Scan systems for security vulnerabilities before deployment Document secure implementation of system Manage secure custody chain of assets Attain applicable 3rd party security certifications Provide timely qualification of security fixes Open and timely communication on product security issues Be positioned to respond to vulnerability disclosures or cyber incidents against deployed systems 38
Integrator / installer responsibilities Install system per vendors recommended security practices Segment the Control System Network Ensure all software revisions are current during installation Scan systems and network for security vulnerabilities before final commissioning Baseline and document the system security before final commissioning 39
Owner / operator responsibilities Apply security fixes as soon as they re qualified Keep Anti Virus and related protection technologies current Document security configuration, Policies & Procedures Provide security Training for operators & Contractors Control Access to the Control System Harden the Components of the System apply defense in depth Constantly monitor the security of the system Periodic full re-assessment of system security Work closely with vendor and integrators to adopt to new security threats and vulnerabilities 40
ICS Security responsibilities summary Owner / operators have the ultimate responsibility for the security and safety of their systems ICS security must include technology, people, and processes ICS security spans the lifecycle of an automation system requires a partnership between all stakeholders All the security technology and controls in the world will not protect an ICS if not properly applied and continuously managed 41
responding to cyber attacks against your ICS Industrial Control System Cyber Security 42
Cyber Incident Response Plan Cyber security can no longer be an afterthought Question is not IF your site will be attacked, but WHEN be prepared Security can be measured by how quickly you detect, contain, and recover from a security incident. Develop a cyber incident response plan, and actively manage it 43
Cyber Incident Response Plan Create a cyber incident response plan Priority is to isolate any suspect component, maintain safe operation, and preserve forensics where possible Operators must be trained on how to respond to a cyber incident Appoint a cyber security focal point and watchdog with backup Include all levels of defense in depth in creating response plan Practice the plan ( test it ) Re-evaluate and update the cyber incident response plan periodically 44
45 Effective Security Plan
How can ICS s prepare for cyber attacks? Do a security assessment of your site, remediate any gaps identified, and repeat assessments periodically Partner with your ICS vendor and specific support programs / organizations keep defense plan current Consider what your vendor or a security consultant can provide: 24 x 7 support center Security Operations Center Access to specialty security skill sets Develop and maintain a dashboard or HMI for security manager Actively monitor security trends ( ie: security watchdog ) 46
How can ICS s prepare for cyber attacks? Review your vendor s security documentation Network and Security Planning Guide Domain and Workgroup Implementation Guide Maintain current security protection technologies on your system Anti-Virus, Application Whitelisting, IPS, Firewalls, Keep security current timely application of qualified security updates Proactively / continuously monitor site for cyber incidents 47
Be prepared for cyber attacks Integrate security into your culture at site An effective security program addresses people, processes, and technology Work with your vendor to create a cyber incident response plan, and Manage that plan Ensure everyone knows the key players, and who to call Security protections and incident response plans are only effective if properly managed 48
Q&A Questions? 49 49