ESCoRTS A European network for the Security of Control & Real Time Systems

ESCoRTS A European network for the Security of Control & Real Time Systems Luc Van den Berghe CEN-CENELEC Management Centre 20/05/10 Luxembourg workshop 1

Recommendations from a CEN/BT WG161 Survey in 2006 Encourage best practice, possibly in a joint endeavour between manufacturers and end users. Develop and establish test platforms for SCADA & other process control equipment in Europe. Try to reduce the divergence between current standardisation efforts, especially between process control in general and power system control. Liaise with the US. Promote awareness on security risks by the stakeholders personnel like plant and security managers, researchers, process operators, IT specialists, and the general public. 20/05/10 Luxembourg workshop 2

ESCoRTS to explore/address these survey conclusions Submitted May 2007 to the FP7 Call SEC-207-7.0-02: European Security Research Networks (incl. For standardisation) Start of the contract 16 June 2008 Duration 30 months 20/05/2010 Luxembourg workshop 3

The Consortium CEN, the European Committee for Standardization: co-ordinator JRC: project author Enginet: Italian SME, dissemination and support to co-ordinator Three main EU manufacturers of SCADA equipment: ABB, Areva, Siemens Three important SCADA end-users in different processes: power generation (Italy, Enel Produzione), electricity transmission (Roumenia, Transelectrica), water management (Italy, Mediterranea delle Acque). OPUS publishing (US): Liaison with US UNINFO: Italian ICT standards organization 20/05/2010 Luxembourg workshop 4

Work-package 1 WP1: Complete survey of stakeholder needs and evaluate the market for SCADA security. Complete a survey of the stakeholder needs across the sectors involved Evaluate the market for security related services in EU and structure its key demands Both reports delivered in 2009 20/05/2010 Luxembourg workshop 5

D11 Conclusions Survey of needs EU industry awareness and readiness lags behind US initiatives, but a growing feeling in Europe that security issues are crucial lack of European explicit demand for comprehensive security solutions potential cost of security measures, which might weigh considerably on the overall control equipment cost lack of adoption in Europe of common security references or baselines (be them formal or de facto standards, guidelines, or accepted best practices accepted and applicable across all countries). 6

Report addresses D12 Market for SCADA security services Security assessments of the security organization of an operator, also with respect to the implementation of technical security measures. Security testing: (technical) part of a security assessment (for a infrastructure operator), but also relevant for the vendors of control system components or systems. Security training and awareness; adequate training is the most important factor to discriminate a security induced event from an everyday operational fault. 7

D12 Market for SCADA security services The D12 study concludes that there is, beside managed security services, definitely a market also for other security services, especially for security consulting, which includes security assessments, testing, and training. But the readiness of the actors (mainly the operators of critical infrastructure) depends on the sector (energy, chemical or pharmaceutical: high awareness) 8

Work-package 2 D21 - Survey of current best practice (existing methods, procedures and guidelines, current standardization efforts) D22 Security solutions taxonomy D23 Reports on targeted experiments at the end users (ENEL, Transelectrica, Mediterranea delle Acque) locations (purpose: evaluating a standard for applicability, usability and utility) One targeted experiment still ongoing, rest delivered 9

Per standard/guideline Identifier, Title Status, Type Geographic relevance Addressed Industry Addressed Audience Short Description Cross References D21 Survey of standards (1) 10

D21 Survey of standards (2) 37 standards, guidelines or regulations relevant for operators or manufacturers in the area of control system (cyber) security 13 are international standards or guidelines, 14 are provided by US committees 10 are defined by European groups, or by groups of European countries. Per sector Independent of the addressed industry (generic): 5 Energy sector: 12 energy generic and 2 energy automation specific Automation area (process and/or manufacturing automation): 13 Oil & gas: 4 Chemistry sector: 2 11

D22 Taxonomy of security solutions (1) Report describes the more typical cybersecurity problems encountered by industrial control systems, and the solutions that can be put in place for countering them. It classifies and lists security vulnerabilities, threats and solutions, but is does recommend neither best practices nor possible options(beyond the possibilities of ESCoRTS project) 12

D22 Taxonomy of security solutions (2) Part 1: an overview of SCADA architecture, in order to define a common terminology for the whole document and set the scene regarding the problems under discussion. This part includes also a discussion on SCADA protocols. Part 2: vulnerabilities and attacks, with a classification of the security problems. Part 3: potential attack scenarios 13

D22 Taxonomy of security solutions (2) Part 4: discusses the best-known countermeasures (as of end 2009), with some technical detail regarding their implementation. Three categories of countermeasures are considered: Communication protocol countermeasures, Filtering and Monitoring countermeasures Architectural countermeasures. 14

Work-package 3 WP3: Stimulating convergence of current standardisation efforts. Building on the results of WP1-2, this work package will result into a joint understanding of the way current standardisation efforts are progressing. It will point out and rationalise eventual divergences, and develop a strategic standardisation roadmap so as to structure existing and forthcoming actions. Deliverable: a R&D and standardization Road Map Draft by June 2010; final by October 2010 20/05/2010 Luxembourg workshop 15

Work-package 4 WP4: Requirements for appropriate test platforms for the security of process control equipment and applications. D41 Requirements for a Secure ICT platform for data exchange - delivered D42 - Metrics for cyber security assessment and testing started D43 - Requirements for future cyber security laboratories (following a survey on current test facilities) to start D44 Public results of the verification of the metrics conducted on a replication of a live control system/environment to start 20-05-2010 Luxembourg workshop 16

Work-package 5 WP5: Management and dissemination. a Stakeholders Advisory Board composed of representatives of the relevant industrial sectors, such as power, oil, water, and process automation. The constituency of this board will keep growing along the life of the project: the board has been opened to become a CEN-CENELEC Focus Group 20/05/2010 Luxembourg workshop 17

Between now and end 2010 Meeting of the Focus Group (Torino, 30 June) Draft Roadmap Metrics for cyber security assessment and testing Final conference (Brussels, 27 October) Final Roadmap Verification of the metrics in a test performed on the replication of live environment: public results Requirements for future cyber security laboratories 18

Thank you lvandenberghe@cencenelec.eu 19