
TeleTrusT Bundesverband IT-Sicherheit e.V., TeleTrusT Workshop "Industrial Security" 2015, Munich, 11.06.2015. Introduction to Industrial Security based on IEC 62443; threat situation for operators of ICS (Industrial Control Systems). Dr. Thomas Störtkuhl, TÜV SÜD

Introduction to Industrial Security based on IEC 62443; threat situation for operators of ICS (Industrial Control Systems). TeleTrusT Workshop "Industrial Security". Dr. Thomas Störtkuhl, Team Leader Industrial IT Security, TÜV SÜD Rail GmbH, 11 June 2015. Slide 1

Agenda: 1 Introduction Industrial IT Security Team; 2 Security: status quo; 3 Introduction to IEC 62443; 4 Best practices and concepts; 5 Summary. Slide 2

TÜV SÜD in numbers: Growing from strength to strength. One-stop technical solution provider; 150 years of experience; 800 locations worldwide; 1,800 million Euro in sales revenue 2012; 18,800 employees worldwide. TÜV SÜD Rail presentation, 11/06/2015, Slide 3

TÜV SÜD: Global expertise. Local experience. Global headquarters: Munich, Germany. Germany: revenue Euro 1,100 mio, headcount 9,900 staff. International: revenue Euro 580 mio, headcount 7,300 staff. (Map legend: countries with TÜV SÜD offices; regional headquarters.) Slide 4

TÜV SÜD's Business Unit Rail: a partner for homologation bodies. One-stop technical solution provider; 50 years of experience; 28 locations worldwide; 500 employees worldwide. TÜV SÜD Rail presentation, 11/06/2015, Slide 5

TÜV SÜD Rail: End-to-end solutions across all rail sectors: conventional, high speed, metro, light rail. Slide 6

TÜV SÜD Rail: Delivering value-added solutions and expertise
- Infrastructure: understructure; superstructure; civil works & tunnels
- Electrical and mechanical (E&M) systems: signalling & telecom; rail power supply; catenary
- Rolling stock: high speed; conventional rail; light rail/metro
- Generic safety system: programmable electronics; safety components; rail automation (HW, SW); Industrial IT Security
Slide 7

Agenda: 1 Introduction Industrial IT Security Team; 2 Security: status quo; 3 Introduction to IEC 62443; 4 Best practices and concepts; 5 Summary. Slide 8

Current security incidents Slide 9

Attacks: Stuxnet Slide 10

Security Shortfalls in Industrial IT Environments: General
- Personnel without security awareness / skills
- No or only limited processes (policies, procedures, guidelines)
- Limited understanding of the information to be protected
- Risk management? Asset management?
- Complete overview of the network topology and communication channels is missing
- No or only a minimum of network segmentation
- Periodic IT security audits? Security monitoring? Incident handling (technology & process)? Patch management?
Slide 11

Security Shortfalls in Industrial IT Environments: Applications
- Security is not integrated into the development process
- Security is not covered in the procurement process
- Missing change and configuration management
- No security testing, incl. 3rd-party software
- Security through obscurity
- Incorrect implementation of cryptographic algorithms
- Possibility of attacks (DoS, Cross Site Scripting, ...)
Security Shortfalls in Industrial IT Environments: Authentication
- Default passwords
- Weak / trivial passwords
- Passwords in clear text
- Passwords on Post-its
- Generic password for user groups
- Root passwords are group passwords for suppliers
- No two-/multi-factor authentication
Slide 12

Security Shortfalls in Industrial IT Environments: Use of Engineering Workstations (EWS)
- Any accessible interface in the industrial IT infrastructure is used
- The EWS is used in different networks for different customers
- The EWS is often used as a standard computer
Security Shortfalls in Industrial IT Environments: Remote Access & Maintenance
- Different supplier solutions are implemented and allowed
- Remote access without a dedicated DMZ
- Remote access is always enabled and therefore can be used at any time without control
- Group accounts
- Multi-factor authentication not used
Slide 13

Security Shortfalls in Industrial IT Environments: Protocols
- Unprotected communication channels
- Use of weak cipher suites
- Wireless communication without authentication and encryption
- Incorrectly implemented cryptographic algorithms
Security Shortfalls in Industrial IT Environments: USB tokens
- No regulations for the use of USB tokens
- Uncontrolled USB tokens are used by suppliers
- No virus scanning for USB tokens (not to think about BadUSB!)
Slide 14

Agenda: 1 Introduction Industrial IT Security Team; 2 Security: status quo; 3 Introduction to IEC 62443; 4 Best practices and concepts; 5 Summary. Slide 15

Holistic approach of IEC 62443: the IEC 62443 series
- General: 1-1 Terminology, concepts and models; 1-2 Master glossary of terms and abbreviations; 1-3 System security compliance metrics
- Management system (policies and procedures): 2-1 Establishing an IACS security program; 2-2 Operating an IACS security program; 2-3 Patch management in the IACS environment; 2-4 Requirements for IACS solution suppliers
- Industrial IT Security, IACS (system): 3-1 Security technologies for IACS; 3-2 Security risk assessment and system design; 3-3 System security requirements and security levels
- Embedded security, component: 4-1 Product development requirements; 4-2 Technical security requirements for IACS components
Relevant documents for assessment / certification are marked in the figure. Slide 16

Holistic approach: Industrial Control System (IACS) layers, each exposed to threats
- Applications (controlling, measurement)
- Services integration (middleware, database)
- Infrastructure / data processing (network, network devices, facilities)
- Control system
- Operational services
Remote maintenance reaches the system over TCP/IP. Systems acquisition & development spans all layers. Embedded security covers the control system and its components; Industrial IT Security covers the surrounding IT layers. Slide 17

Rules for ICS (Industrial Control Systems): Safety first, Security for Safety
- SAFETY: real-time systems; security measures must not affect the safety functions
- SECURITY: without security measures the safety functions might be compromised
- Availability first
Slide 18

People, Process, Technology: people define and use processes (roles & responsibilities, tasks); processes are supported by technology. Slide 19

IEC 62443: Roles
- Asset Owner: operates the Industrial Automation and Control System (IACS). The IACS comprises the Automation Solution plus operational and maintenance capabilities (policies and procedures).
- System Integrator: provides the integration capabilities (design and deployment) for the Automation Solution, i.e. the Basic Process Control System (BPCS), the Safety Instrumented System (SIS) and complementary hardware and software. The Automation Solution is IACS environment / project specific and includes a configured instance of the Control System Product.
- Product Supplier: develops the Control System Product as a combination of supporting applications, embedded devices, network components and host devices, independent of the IACS environment.
Slide 20

Agenda: 1 Introduction Industrial IT Security Team; 2 Security: status quo; 3 Introduction to IEC 62443; 4 Best practices and concepts; 5 Summary. Slide 21

Quality improvement through continuous improvement: the Plan, Do, Check, Act cycle is repeated over time. TÜV SÜD Rail GmbH, 6/11/2015, Slide 22

Defense-in-depth strategy
- Operational layer: security policies and guidelines; living processes; skilled and trained employees
- Physical protection (physical zoning)
- Network layer: network segregation (zones and conduits); firewall; IDS
- Host layer: need-to-know restriction of access to components, systems, zones and conduits; minimum installation (hardening of components); patched OS
The figure labels the remaining exposure "Security Risk". Cf. Homeland Security (2009), Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies, figure 5. Slide 23

Zones & Conduits
- Zone: collection of entities that represents a partitioning of a System under Consideration on the basis of their functional, logical and physical (including location) relationship.
- Conduit: grouping of logical or physical assets that share common security requirements; logical grouping of communication channels, connecting two or more zones, that share common security requirements.
Figure: Control Center (C1, C2, C3, S1, R1, R2, ICS1) forms Zone 1; a conduit connects it to Zone 2, Safety functions. Slide 24
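The zone-and-conduit model above is only useful if it is enforced, so a practitioner will want a check that observed traffic actually stays on the sanctioned paths. The following added example (not code from the slides or from TÜV SÜD) models zones as sets of assets and conduits as the only allowed zone-to-zone paths, each with a set of permitted protocols, and reports every flow the model does not cover. All zone names, asset names, conduit definitions and the flow records are constructed for the example.

```python
"""Zones-and-conduits flow check (added example; not from the slides).

Zones group assets; conduits are the only sanctioned communication paths
between two zones and carry their own security requirements, reduced here to
a set of permitted protocols. check_flows() takes observed flows and reports
each one the model does not cover: an asset outside every zone, a zone pair
with no conduit, or a protocol the conduit does not permit. All data below
(zones, conduits, assets, flows) is constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "transport/port", e.g. "tcp/502" for Modbus/TCP


@dataclass(frozen=True)
class Conduit:
    zone_a: str
    zone_b: str
    allowed: frozenset  # protocols permitted across this conduit, either direction

    def connects(self, z1: str, z2: str) -> bool:
        return {self.zone_a, self.zone_b} == {z1, z2}


def zone_of(asset: str, zones: Dict[str, Set[str]]) -> Optional[str]:
    """Return the zone an asset belongs to, or None if it is unassigned."""
    for name, members in zones.items():
        if asset in members:
            return name
    return None


def check_flows(flows: Iterable[Flow], zones: Dict[str, Set[str]],
                conduits: Iterable[Conduit]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) for every flow not covered by the zone/conduit model."""
    conduits = list(conduits)
    violations: List[Tuple[Flow, str]] = []
    for f in flows:
        zs, zd = zone_of(f.src, zones), zone_of(f.dst, zones)
        if zs is None or zd is None:
            violations.append((f, "asset not assigned to any zone"))
            continue
        if zs == zd:
            continue  # intra-zone traffic is governed by the zone's own requirements
        conduit = next((c for c in conduits if c.connects(zs, zd)), None)
        if conduit is None:
            violations.append((f, f"no conduit between {zs} and {zd}"))
        elif f.proto not in conduit.allowed:
            violations.append((f, f"{f.proto} not permitted on conduit {zs}<->{zd}"))
    return violations


# Constructed model, loosely following the slide's figure: a control-center
# zone, an ICS zone and a separate zone for safety functions.
ZONES: Dict[str, Set[str]] = {
    "control_center": {"C1", "C2", "C3"},
    "ics1": {"S1", "R1", "R2"},
    "safety": {"SIS1"},
}
CONDUITS = [
    Conduit("control_center", "ics1", frozenset({"tcp/502", "tcp/443"})),
    Conduit("ics1", "safety", frozenset({"tcp/502"})),
]
# Constructed flow records, as a collector might export them.
SAMPLE_FLOWS = [
    Flow("C1", "S1", "tcp/502"),        # sanctioned: conduit permits Modbus/TCP
    Flow("C1", "C2", "tcp/445"),        # intra-zone, not judged by a conduit
    Flow("C3", "R1", "tcp/3389"),       # RDP is not permitted on this conduit
    Flow("C2", "SIS1", "tcp/502"),      # no conduit from control center to safety
    Flow("LAPTOP9", "R2", "tcp/22"),    # unknown asset talking into the ICS zone
]

if __name__ == "__main__":
    for flow, reason in check_flows(SAMPLE_FLOWS, ZONES, CONDUITS):
        print(f"{flow.src} -> {flow.dst} {flow.proto}: {reason}")
```

Feeding real flow exports into a check like this turns the zone/conduit drawing into a detection rule: the unassigned-asset case is usually the most informative finding, because it is exactly the engineering laptop or supplier device that the topology overview on the earlier slides said was missing.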

General Concepts of IEC 62443: Security Levels
Security Level: measure of confidence that the IACS is free from vulnerabilities and functions in the intended manner. Definition of risk-based Security Levels:
- Security Level 0 (SL0): no protection requirements.
- Security Level 1 (SL1): protection against casual or coincidental violation.
- Security Level 2 (SL2): protection against intentional violation using simple means with low resources, generic skills and low motivation.
- Security Level 3 (SL3): protection against intentional violation using sophisticated means with moderate resources, system-specific skills and moderate motivation.
- Security Level 4 (SL4): protection against intentional violation using sophisticated means with extended resources, system-specific skills and high motivation.
11.06.2015, TÜV SÜD Rail GmbH, Slide 25

Security Requirements (Example)
FR 1 Identification and Authentication Control (IAC)

Requirement                                                  SL1  SL2  SL3  SL4
SR 1.1 Human user identification and authentication           X    X    X    X
RE (1) Unique identification and authentication                    X    X    X
RE (2) Multifactor authentication for untrusted networks                X    X
RE (3) Multifactor authentication for all networks                           X

SR 1.1: The control system shall provide the capability to identify and authenticate all human users. This capability shall enforce such identification and authentication on all interfaces which provide human user access to the control system to support segregation of duties and least privilege in accordance with applicable security policies and procedures.
RE (1): The control system shall provide the capability to uniquely identify and authenticate all human users.
RE (2): The control system shall provide the capability to employ multifactor authentication for human user access to the control system via an untrusted network (see 4.14, SR 1.12 Access via untrusted networks).
RE (3): The control system shall provide the capability to employ multifactor authentication for all human user access to the control system.
Slide 26
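The table makes the point that a target security level is a cumulative set of capabilities: SL3 for this requirement means the base SR plus RE (1) and RE (2). The added example below (not code from the slides or from the standard) encodes that mapping and computes the gap between a target level and what a system actually provides, as well as the level the system achieves for this requirement. The requirement identifiers and minimum levels come from the slide; the example capability set at the bottom is constructed.

```python
"""SL gap check for SR 1.1 (added example; not from the slides).

Encodes the slide's table: the base requirement SR 1.1 applies from SL1 up,
and each requirement enhancement (RE) applies from a higher security level.
required_for() lists what a target SL demands, gap() shows what is missing,
and achieved_sl() gives the highest level for which nothing is missing.
The capability set used under __main__ is constructed.
"""
from typing import Iterable, List, Set

# (identifier, description, lowest security level at which it is required),
# taken from the SR 1.1 table on the slide.
SR_1_1 = [
    ("SR 1.1", "Human user identification and authentication", 1),
    ("SR 1.1 RE(1)", "Unique identification and authentication", 2),
    ("SR 1.1 RE(2)", "Multifactor authentication for untrusted networks", 3),
    ("SR 1.1 RE(3)", "Multifactor authentication for all networks", 4),
]
MAX_SL = 4


def required_for(target_sl: int) -> List[str]:
    """Identifiers required at the target SL (SL0 requires nothing)."""
    if not 0 <= target_sl <= MAX_SL:
        raise ValueError(f"security level must be 0..{MAX_SL}, got {target_sl}")
    return [rid for rid, _desc, min_sl in SR_1_1 if min_sl <= target_sl]


def gap(target_sl: int, implemented: Iterable[str]) -> List[str]:
    """Required identifiers the system does not provide, in table order."""
    have: Set[str] = set(implemented)
    return [rid for rid in required_for(target_sl) if rid not in have]


def achieved_sl(implemented: Iterable[str]) -> int:
    """Highest SL for which every required item is implemented (0 if none).

    Levels are cumulative, so the scan stops at the first level with a gap:
    implementing RE(2) without RE(1) does not lift a system above SL1.
    """
    have = set(implemented)
    level = 0
    for sl in range(1, MAX_SL + 1):
        if gap(sl, have):
            break
        level = sl
    return level


if __name__ == "__main__":
    # Constructed capability set: per-user accounts exist, but no MFA anywhere.
    capabilities = {"SR 1.1", "SR 1.1 RE(1)"}
    target = 3
    print(f"achieved SL for SR 1.1: {achieved_sl(capabilities)}")
    print(f"missing for SL-T {target}: {gap(target, capabilities)}")
```

The same structure scales to the full SR list of IEC 62443-3-3 by extending the table; the cumulative rule in achieved_sl() is what distinguishes an honest assessment from a checklist count.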

IEC 62443-3-2: Detailed Security Risk Assessment (process flow)
1. Identify threats (inputs: target attractiveness, historical data, or common sources) -> list of threats
2. Identify vulnerabilities (inputs: prior audits, vendors, vulnerability databases, government sources, etc.) -> list of vulnerabilities
3. Determine likelihood (inputs: list of threats, list of vulnerabilities, historical data) -> qualitative / quantitative assessment of likelihood
4. Determine impact (input: Process Hazard Assessment, e.g. HAZOP) -> qualitative / quantitative assessment of financial & social impact
5. Calculate risk (input: corporate risk matrix) -> qualitative / quantitative assessment of residual risk
Slide 27

Definition: Risk Matrix (system / domain specific!)
[Risk matrix figure: Probability (Frequent, Probable, Occasional, Remote, Improbable) against Severity (Negligible, Marginal, Critical, Catastrophic); the figure also carries the label "Minor". Each cell is assigned one of three classes: Risk mitigation activities required; Risk needs further analysis and discussion; Acceptable risk.]
TÜV SÜD Rail GmbH, 6/11/2015, Slide 28
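The risk assessment flow and the risk matrix on the two slides above fit together as a small computation: each threat/vulnerability pair gets a likelihood and an impact, the matrix maps the pair to an action class, and the planned measure's effect on likelihood gives the residual risk. The following added example (not code from the slides or from TÜV SÜD) carries that through. The axis labels are the slide's; the cell assignment rule, the scenarios (drawn from the shortfalls listed earlier in the deck) and the mitigation effects are constructed, since the slide stresses that the real matrix is system and domain specific.

```python
"""Risk calculation with a risk matrix (added example; not from the slides).

Follows the IEC 62443-3-2 flow shown in the deck: a scenario pairs a threat
with a vulnerability and carries a qualitative likelihood and impact; the
corporate risk matrix turns the pair into a risk class; lowering likelihood
by a mitigation gives the residual risk. The matrix rule, scenarios and
mitigation effects are constructed; a real matrix is system/domain specific.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Axis labels from the risk-matrix slide, ordered from lowest to highest.
PROBABILITY = ["Improbable", "Remote", "Occasional", "Probable", "Frequent"]
SEVERITY = ["Negligible", "Marginal", "Critical", "Catastrophic"]

# The three cell classes named on the slide.
MITIGATE = "Risk mitigation activities required"
ANALYSE = "Risk needs further analysis and discussion"
ACCEPT = "Acceptable risk"


def risk_class(probability: str, severity: str) -> str:
    """Map a (probability, severity) pair to one of the three classes.

    Constructed rule: add the two axis ranks (0..4 plus 0..3) and apply two
    thresholds. This stands in for a real corporate matrix, which would be a
    hand-assigned 5x4 table rather than a formula.
    """
    p = PROBABILITY.index(probability)   # ValueError on an unknown label
    s = SEVERITY.index(severity)
    score = p + s                        # 0 .. 7
    if score >= 5:
        return MITIGATE
    if score >= 3:
        return ANALYSE
    return ACCEPT


def lower_probability(probability: str, steps: int) -> str:
    """Move the likelihood down the axis by `steps`, never below the bottom."""
    idx = max(0, PROBABILITY.index(probability) - steps)
    return PROBABILITY[idx]


@dataclass
class Scenario:
    threat: str
    vulnerability: str
    probability: str
    severity: str
    mitigation_steps: int = 0   # likelihood reduction expected from the planned measure


def assess(scenarios: Iterable[Scenario]) -> List[Dict[str, str]]:
    """Initial and residual risk class per scenario, in input order."""
    results = []
    for sc in scenarios:
        initial = risk_class(sc.probability, sc.severity)
        residual_prob = lower_probability(sc.probability, sc.mitigation_steps)
        results.append({
            "threat": sc.threat,
            "vulnerability": sc.vulnerability,
            "initial": initial,
            "residual": risk_class(residual_prob, sc.severity),
        })
    return results


# Constructed scenarios; the threats and vulnerabilities echo the shortfall
# slides, the ratings and mitigation effects are illustrative only.
SCENARIOS = [
    Scenario("Supplier laptop connects through remote access",
             "Remote access always enabled, no dedicated DMZ",
             "Probable", "Critical", mitigation_steps=2),   # DMZ + on-demand enablement
    Scenario("Malware introduced via USB token",
             "No virus scanning for USB tokens",
             "Occasional", "Catastrophic", mitigation_steps=1),  # scanning kiosk
    Scenario("Casual misuse of an engineering workstation",
             "EWS used as a standard office computer",
             "Remote", "Marginal"),
]

if __name__ == "__main__":
    for r in assess(SCENARIOS):
        print(f"{r['threat']}: {r['initial']} -> residual: {r['residual']}")
```

The residual classes show why the flow on the slide ends in residual risk rather than in a fixed verdict: with the constructed rule, neither measure alone takes the first two scenarios to "acceptable", so both would come back to the decision step for further discussion.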

Agenda: 1 Introduction Industrial IT Security Team; 2 Security: status quo; 3 Introduction to IEC 62443; 4 Best practices and concepts; 5 Summary. Slide 29

Benefits of IEC 62443
- Risk-based approach
- Process-oriented
- Combination with other standards possible
- Defined requirements
- International best-practice approach for Industrial IT Security
- Basis for assessment and certification
Slide 30

IEC 62443 standards family
- IEC 62443-1-1, Industrial communication networks - Network and system security - Part 1-1: Terminology, concepts and models. Status: IEC/TS 62443-1-1:2009, revision planned
- IEC 62443-1-2, Industrial communication networks - Network and system security - Part 1-2: Glossary. Status: 65/465/NP:2011
- IEC 62443-1-3, Industrial communication networks - Network and system security - Part 1-3: System security compliance metrics. Status: draft IEC 65/557/DTS
- IEC 62443-2-1, Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program. Status: IEC 62443-2-1:2010; draft for revision available: 65/514/DC:2012
Slide 31

IEC 62443 standards family
- IEC 62443-2-2, Industrial communication networks - Network and system security - Part 2-2: Implementation guidance for an industrial automation and control system security program. Status: planned
- IEC 62443-2-3, Industrial communication networks - Network and system security - Part 2-3: Patch management. Status: draft IEC 65/554/DTR:2014
- IEC 62443-2-4, Industrial communication networks - Network and system security - Part 2-4: Requirements for IACS solution providers. Status: draft IEC 65/545A/CDV:2014
- IEC 62443-3-1, Industrial communication networks - Network and system security - Part 3-1: Security technologies for industrial automation and control systems. Status: IEC/TR 62443-3-1:2009-07, revision planned
Slide 32

IEC 62443 standards family
- IEC 62443-3-2, Industrial communication networks - Network and system security - Part 3-2: Security levels for zones and conduits. Status: draft IEC 65/534/DC:2013
- IEC 62443-3-3, Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels. Status: IEC 62443-3-3:2013
- IEC 62443-4-1, Industrial communication networks - Network and system security - Part 4-1: Product development requirements. Status: 65/546/NP:2014
- IEC 62443-4-2, Industrial communication networks - Network and system security - Part 4-2: Technical security requirements for industrial automation and control system components. Status: 65/546/NP:2014
Abbreviations: NP: new work item proposal; CD: committee draft; CDV: committee draft for vote; DTR: draft technical report; TR: technical report; DTS: draft technical specification. Slide 33

Security standards / guidelines / RFCs
- RFC 5246, The Transport Layer Security (TLS) Protocol, Version 1.2, http://tools.ietf.org/html/rfc5246
- ETSI, European Telecommunications Standards Institute, http://www.etsi.org/website/homepage.aspx
- RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, May 2008, http://tools.ietf.org/html/rfc5280
- RFC 5055, Server-Based Certificate Validation Protocol (SCVP), http://www.rfceditor.org/rfc/rfc5055.txt
- RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol (OCSP), http://www.ietf.org/rfc/rfc2560.txt
- RFC 4210, Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP), http://tools.ietf.org/html/rfc4210
- RFC 5273, Certificate Management over CMS (CMC): Transport Protocols, http://tools.ietf.org/html/rfc5273
Slide 34

Security standards / guidelines / RFCs
- VDI/VDE 2182, Informationssicherheit in der industriellen Automatisierung, Allgemeines Vorgehensmodell (information security in industrial automation, general procedure model), Sheet 1, January 2011
Slide 35

Contact: Dr. Thomas Störtkuhl, thomas.stoertkuhl@tuev-sued.de, Phone: +49 89 5791-1930, Fax: +49 89 5791-2933. TÜV SÜD Rail GmbH, Barthstr. 16, 80339 Munich, Germany, www.tuev-sued.com. Slide 36