Integrating Electronic Security into the Control Systems Environment: differences IT vs. Control Systems. Enzo M. Tieghi etieghi@visionautomation.



Integrating Electronic Security into the Control Systems Environment: differences IT vs. Control Systems Enzo M. Tieghi etieghi@visionautomation.it

Security IT & Control System Security: where are we?

Some cases of industrial / infrastructure cyber incidents:
- In January, 2003, the SQL Slammer Worm penetrated a computer network at Ohio's Davis-Besse nuclear power plant and disabled a safety monitoring system for nearly five hours.
- SQL Slammer Worm downed one utility's critical SCADA network in the US; another utility lost its Frame Relay Network used for communications; some petrochemical plants lost Human Machine Interfaces (HMIs) and data historians; a 911 call center was taken offline; airline flights were delayed and cancelled.
- In 2001, a series of cyber attacks were conducted on a computerized waste water treatment system by a disgruntled contractor in Queensland, Australia. One of these attacks caused the diversion of millions of gallons of raw sewage into a local river and park. There were 46 intrusions before the perpetrator was arrested.

Some cases of industrial / infrastructure cyber incidents:
- In September, 2001, a teenager allegedly hacked into a computer server at the Port of Houston: the port's web service, which contained crucial data for shipping pilots, mooring companies and support firms responsible for helping ships navigate in and out of the harbor, was left inaccessible.
- 1997: Shutdown of the air traffic control system tower at Worcester Regional Airport (MA), USA.
- Italy, 2004: Sasser halts 40 PCs in the production plant of a leading pharmaceutical company (batches to rework, week-end spent to restart plants, reinstall and revalidate systems, etc.).
- Water distribution SCADA system in California attacked and down (2005).
- No official statistical source: database with 20-30 tracked incidents in 2002-2004 in California (USA).
- Database at BCIT (CA) in construction.

The 3 security faces
- Physical Security (Perimeter): guard on duty, gates, ports, etc.
- Human factor Security (Organization): security policy, security procedures, awareness and training
- Cyber-Security (Technology): antivirus, access control, authentication, firewalls

Network Vulnerability: examples
[Figure: network diagram spanning the Internet, the corporate network, the plant network and the process control network (proprietary or Ethernet) down to the controller or PLC, labelled with example vulnerabilities.]

esecurity in control systems: industrial and infrastructure considerations about security (not only "Safety")
11 items why Security in control systems (DCS, PLC, SCADA/HMI, plant networks, etc.) is different from IT Security

BS7799 vs. ISA-99.00.01: Comparison of Objectives
Priority order of objectives, as listed on the slide:
- Manufacturing and Control Systems: Availability, Integrity, Confidentiality
- Traditional IT Systems: Confidentiality, Integrity, Availability

ANSI/ISA-95 Functional Hierarchy
- Level 4: Business Planning & Logistics (Plant Production Scheduling, Operational Management, etc.). Establishing the basic plant schedule: production, material use, delivery, and shipping. Determining inventory levels. Time frame: months, weeks, days.
- Level 3: Manufacturing Operations Management (Dispatching Production, Detailed Production Scheduling, Reliability Assurance, ...). Work flow / recipe control to produce the desired end products. Maintaining records and optimizing the production process. Time frame: days, shifts, hours, minutes, seconds.
- Levels 2 and 1: Batch Control, Continuous Control, Discrete Control. Level 2: monitoring, supervisory control and automated control of the production process. Level 1: sensing the production process, manipulating the production process.
- Level 0: The actual production process.

ANSI/ISA TR99.00.02 2004, Art. 6.5: Special Considerations for Manufacturing and Control Systems
Manufacturing and Control System electronic security plans and programs are consistent with, and build on, existing IT security experience, programs, and practices. However, there are critical operational differences between IT and Manufacturing and Control Systems that influence how specific measures should be applied. (...)

Why esec is different - 1: Differing risk management goals
Risk definition: Human safety and fault tolerance to prevent loss of life or endangerment of public health or confidence, loss of equipment, loss of intellectual property, or lost or damaged product.

Why esec is different - 2: Differing architecture security focus
In a typical IT system, the primary focus of security is protecting the information stored on the central server. In manufacturing systems, the situation is reversed. Edge clients (e.g., PLC, operator station, or DCS controller) are typically more important than the central server.

Why esec is different - 3: Differing availability requirements
Many manufacturing processes are continuous in nature. Unexpected outages of systems that control manufacturing processes are not acceptable. Exhaustive pre-deployment testing is essential to ensure high availability for the Manufacturing and Control System. In addition to unexpected outages, many control systems cannot be easily stopped and started without affecting production. In some cases, the products produced or equipment being used is more important than the information being relayed. The requirement for high availability, reliability, and maintainability reduces the effectiveness of IT strategies like rebooting.

Why esec is different - 4: Unintended consequences
Manufacturing and Control Systems can be very complex in the way that they interact with physical processes. All security functions integrated into the process control system must be tested to prove that they do not introduce unacceptable vulnerabilities. Adding any physical or logical component to the system may reduce reliability of the control system, but the resulting reliability should be kept to acceptable levels.

Why esec is different - 5: Time critical responses
For some systems, automated response time or system response to human interaction is critical. For example, emergency actions on regulatory process control systems should not be hampered by requiring password authentication and authorization. Information flow must not be interrupted or compromised.

Why esec is different - 6: Differing response time requirements
Manufacturing and Control Systems are generally time critical. Delay is not acceptable for the delivery of information, and high throughput is typically not essential.

Why esec is different - 7: System software
Differing and custom operating systems and applications may not tolerate typical IT practices. Networks are often more complex and require a different level of expertise (e.g., control networks are typically managed by control engineers, not IT personnel). Software and hardware applications are more difficult to upgrade in a control system network. Many systems may not have desired features including encryption capabilities, error logging, and password protection.

Why esec is different - 8: Resource constraints
Control systems and their real time operating systems are resource constrained systems that do not include typical IT security technologies. There may not be available computing resources to retrofit these security technologies.

Why esec is different - 9: Information integrity
In-bound information is highly essential to the control system operation. It is important to take practical precautions to eliminate malicious in-bound information in an effort to maintain control operation.

Why esec is different - 10: Communications
Communication protocols and media used by control systems environments are typically different from the generic IT environment, and may be proprietary. Examples include radio telemetry using asynchronous serial protocols and proprietary communication networks.

Why esec is different - 11: Software Updates
Security patches cannot always be implemented on a timely basis because software changes need to be thoroughly tested by the vendor of the manufacturing control application and the end user of the application before being implemented. Change management control is necessary to maintain integrity of the control systems.

Why esec is different: final
These differences require careful assessment by Manufacturing and Control System experts working in conjunction with security and IT personnel. This team of people should carefully evaluate the applicability of IT and specific Manufacturing and Control Systems electronic security features, including thorough testing before application, where necessary.

Network Segregation Rings of Defense for Corporate and SCADA Networks www.dyonyx.com

What to do: ad hoc methodology and tools
- Industrial Security Assessment
- Industrial Security Vulnerability Tests
- Industrial Security Policy
- Industrial Incident Response Plans
- Business Continuity & Disaster Recovery Plans
- Industrial Protection (Industrial IDS/IPS)
- Monitoring and Managed Services for Industry
- Audit

Where are Control Systems? Everywhere
- Industrial, but also Infrastructure
- Production and Distribution: Water, Oil & Gas, Power, etc.
- Traffic control: Railways, Highways, Tunnels, Air, etc.
- Buildings: Airports, Hospitals, Schools, Government, Research Centers, Universities, Municipalities, etc.
- TLCs

What's moving
- 21 Steps to improve Cyber Security of SCADA Networks (USA White House)
- Common vulnerabilities in critical infrastructure control systems (U.S. Dept. of Energy's National Nuclear Security Administration)
- Securing Process Control Systems - IT Security (European Commission)

Industrial security and international standards
- BS7799-ISO27000: Information security management systems. Specification with guidance for use
- ISO/IEC 17799:2005: Information Technology. Code of practice for information security management
- ANSI/ISA SP99 TR1: Security for Manufacturing and Control Systems
- ANSI/ISA SP99 TR2: Integrating Electronic Security into Manufacturing and Control Systems Environment
- ISO/IEC 15408: Common Criteria
- NIST System Protection Profile for Industrial Control Systems (SPP-ICS)
- CIDX (Chemical Industry Data Exchange): Cybersecurity Vulnerability Assessment Methodology (VAM) Guidance
- ISPE/GAMP4 Good Automated Manufacturing Practices, App. O: Guideline for Automated System Security
- NERC standards
- AGA standards

need more information? www.visionautomation.it Enzo M. Tieghi - etieghi@visionautomation.it