Does Aligning Cyber Security and Process Safety Reduce Risk? How can we align them to protect Operational Integrity?
Schneider Electric, September 15, 2015
Hosted by Greg Hale, Founder & Editor of Industrial Safety & Security Source, www.isssource.com

Host: Greg Hale, ISS Source
> Over 30 years in the publishing industry covering manufacturing automation
> 10 years as the Chief Editor of InTech magazine
> Formerly Editor in Chief at Post-Newsweek's Reseller Management magazine
> Co-author of the book Automation Made Easy: Everything You Wanted to Know About Automation and Need to Ask
Confidential Property of Schneider Electric
Both disciplines aim to protect Operational Integrity
Process Safety > Prevent or minimize the risk of personnel injury and damage to plant, property and environment
Cyber Security > Prevent or minimize the risk of personnel injury and damage to plant, property and environment
Both are applied through:
> Standards & regulations
> Process & system design
> Plant hardware & software
> Procedures & controls
> Shared knowledge & experience
> Regular reviews & updates

With key differences..
Process Safety (Applied Rigor)
> Primary focus is on internal processes
> Mature discipline; safety has always been an issue
> Standards & regulations quite rigorous
> Widespread adoption, common practice
> Knowledge widely shared to apply new lessons
> Issues and sources relatively stable and well understood
Cyber Security (Controlled Reaction)
> Primary focus is on external threats
> Relatively new field
> Limited standards, spotty regulations
> Varied application and attention
> Information less likely to be shared
> Issues and sources continually changing and not well understood
> A cyber incident can cause a safety incident
Operational Integrity depends on:
Asset Owners > Responsible to operate & maintain systems
Automation Equipment Suppliers > Deliver safe, secure & reliable products
System Integrators > Engineer & implement safe, secure & reliable systems

But if everything is not working together, with the same goals in mind, disaster can occur, e.g. the Turkish pipeline blast or the CAPECO fire (Caribbean Petroleum Corp.; link to the CSB report). Image: "Caribbean Petroleum Corporation Disaster" by CSB.

From the boardroom down, companies must ask themselves these three questions:
1 Do we understand what could go wrong?
2 Do we know what systems we have in place to prevent this from happening?
3 Do we have the information to assure us they are working effectively?
Source: Health and Safety Executive (HSE)

All roles need to work together with Security AND Safety in mind
Suppliers > Design and manufacture COTS control systems
Asset Owners > Operate and maintain site-specific systems
Integrators/Asset Owners > Engineer and integrate COTS into site-specific systems

Speakers: Steve Elliott (Asset Owner), Andre Ristaino (Supplier), John Cusimano (Integrator)
1 Do we understand what could go wrong? Process safety lifecycle, analysis phase (framed throughout by Management of Functional Safety and Systems Lifecycle Management):
> Process Hazards Analysis (PHA): Process Design > Identify Hazards > Consequence Analysis
> Allocate Safety Functions and Protection Layers: Layer of Protection Analysis > Develop Non-SIS Layers > Define Target SIL
> Safety Requirements Specification: Document Requirements

Same analysis steps, shown against a risk graph: each protection layer credited in the LOPA moves the scenario from Unmitigated Risk down towards Mitigated Risk.
Supplier SDLA phases (Security Development Lifecycle Assurance) for design and manufacture; this slide highlights the Design & Assess stage:
1. Security Management Process
2. Security Requirements Specification
3. Security Architecture Design
4. Security Risk Assessment (Threat Model)
5. Detailed Software Design
6. Document Security Guidelines
7. Module Implementation & Verification
8. Security Integration Testing
9. Security Process Verification
10. Security Response Planning
11. Security Validation Testing
12. Security Response Execution

Embedded Device Security Assurance (EDSA) combines three assessments:
> Software Development Security Assessment (SDSA): audits the development and maintenance processes to ensure a robust, secure development process; detects and avoids systematic design faults
> Functional Security Assessment (FSA): audits the component's security functionality; detects implementation errors and omissions
> Communications Robustness Testing (CRT): tests the component's communication robustness and tests for vulnerabilities; identifies vulnerabilities in networks and devices
Many companies don't have a true understanding of their cyber risk. There is a lot that can be learned from process safety risk management; integrating cybersecurity into process safety is key, and understanding cyber risk starts with a risk assessment.
Process Safety Lifecycle (ISA 84 / IEC 61511): Analysis > Implementation > Operation
Cybersecurity Lifecycle (ISA/IEC 62443): Assess > Implement > Maintain

Help is on the way:
> ISA 62443-3-2, Security Risk Assessment and System Design: ICS Cybersecurity Risk Assessment (a.k.a. Cyber PHA)
> ISA-TR84.00.09-2013, Security Countermeasures Related to Safety Instrumented Systems (SIS) & Associated IACS
Illustration: aeSolutions 2014

Summary for question 1 (Do we understand what could go wrong?):
Asset Owner > Understand the risk; learn what to protect
Supplier > Create a threat model
System Integrator > Risk assessment
2 Do we know what systems we have in place to prevent this from happening? Process safety lifecycle, implementation phase (framed by Management of Functional Safety and Systems Lifecycle Management):
> Design & Engineering: Select SIS Architecture > Systems Detailed Design > Hardware Build > Software Programming
> Layers of Protection & Safeguards
> Testing of Systems Prior to Installation: Factory Acceptance Test (FAT)
> Systems Installation and Commissioning
> Systems Safety Validation: Full System Validation

2 Do we know what systems we have in place to prevent this from happening? Supplier SDLA phases (same twelve phases as above); this slide highlights the Build stage.

2 Do we know what systems we have in place to prevent this from happening? Testing during integration:
> Asset Discovery Scan: scan to discover network components
> Communications Robustness Test: verify operation under high network load and malformed packets
> Network Stress Test: verify that essential functions continue to operate under high network load
> Vulnerability Identification Test: scan for the presence of known vulnerabilities using Nessus and the National Vulnerability Database

2 Do we know what systems we have in place to prevent this from happening? One of the biggest challenges industry faces is insufficient integration of security into systems (e.g. defense-in-depth). The concepts are well recognized, but engineering, implementation and testing of defense-in-depth is a slow process.

Summary for question 2 (Do we know what systems we have in place to prevent this from happening?):
Asset Owner > Full system validation
Supplier > Test, test, test
System Integrator > Integration of security; defense in depth
3 Do we have the information to assure us they are working effectively? Process safety lifecycle, operation phase (framed by Management of Functional Safety and Systems Lifecycle Management):
> Systems Operation and Maintenance: Startup > System Operation > Bypassing & MOC > Maintenance > Periodic Proof Tests
> Systems Modification: Modifications
> Systems Decommissioning

Same operation steps against the risk graph: overdue maintenance (missed proof tests) and bypasses remove protection-layer credit and push the scenario back from Mitigated Risk towards Unmitigated Risk.
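The two risk-graph slides (LOPA credit in the analysis phase, and bypass or overdue maintenance eroding that credit in operation) are easier to follow with numbers. The following is an added example written for this page, not code from the deck or from Schneider Electric, ISA or aeSolutions. The initiating-event frequency, IPL credits, tolerable frequency and SIF failure rate are constructed for illustration only; the SIL bands are the low-demand PFDavg bands of IEC 61508/61511, and the proof-test formula is the simplified 1oo1 approximation PFDavg = lambda_DU x TI / 2.

```python
"""Layer of Protection Analysis (LOPA) worked example.

Added example written for this page; it is not code from the deck or from
Schneider Electric, ISA or aeSolutions. The initiating-event frequency, IPL
credits, tolerable frequency and failure rate below are constructed for
illustration, not values from any real site or standard.
"""
from dataclasses import dataclass
from typing import List, Tuple

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands (IEC 61508 / IEC 61511): (SIL, PFDavg lower bound, upper bound)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


@dataclass
class IPL:
    """An independent protection layer credited with an average PFD on demand."""
    name: str
    pfd: float
    bypassed: bool = False  # a bypassed layer earns no credit: PFD becomes 1

    def effective_pfd(self) -> float:
        return 1.0 if self.bypassed else self.pfd


def mitigated_frequency(initiating_per_year: float, layers: List[IPL]) -> float:
    """Consequence frequency after each layer has had its chance to stop the event."""
    freq = initiating_per_year
    for layer in layers:
        freq *= layer.effective_pfd()
    return freq


def sil_for_pfd(pfd: float) -> int:
    """SIL band a PFDavg falls in; 0 means no SIL claim (PFDavg >= 0.1)."""
    if pfd >= 0.1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    raise ValueError("PFD below 1e-5 is beyond SIL 4: redesign the process instead")


def required_sil(initiating_per_year: float, non_sis_layers: List[IPL],
                 tolerable_per_year: float) -> int:
    """Target SIL for the SIF once the non-SIS layers have been credited."""
    residual = mitigated_frequency(initiating_per_year, non_sis_layers)
    if residual <= tolerable_per_year:
        return 0                      # non-SIS layers already reach the target
    return sil_for_pfd(tolerable_per_year / residual)


def proof_test_pfd(lambda_du_per_hour: float, test_interval_hours: float) -> float:
    """Simplified PFDavg for a 1oo1 SIF: lambda_DU * TI / 2. An overdue test stretches TI."""
    return lambda_du_per_hour * test_interval_hours / 2.0


def evaluate(initiating_per_year: float, layers: List[IPL],
             tolerable_per_year: float) -> Tuple[float, bool]:
    """Mitigated frequency of the scenario and whether it meets the tolerable frequency."""
    freq = mitigated_frequency(initiating_per_year, layers)
    return freq, freq <= tolerable_per_year


# Constructed scenario (assumed values): tank overfill from a BPCS level-loop failure.
INITIATING = 0.1          # initiating events per year
TOLERABLE = 2e-5          # tolerable consequence frequency per year
LAMBDA_DU = 3e-7          # dangerous undetected failure rate of the SIF, per hour
ALARM = IPL("High-level alarm with operator response", 0.1)


def scenario(alarm_bypassed: bool = False, years_since_proof_test: float = 1.0):
    """Evaluate the scenario with the SIF credited at its proof-test-dependent PFD."""
    sif = IPL("High-high level trip (SIF)",
              proof_test_pfd(LAMBDA_DU, years_since_proof_test * HOURS_PER_YEAR))
    alarm = IPL(ALARM.name, ALARM.pfd, bypassed=alarm_bypassed)
    return evaluate(INITIATING, [alarm, sif], TOLERABLE)


if __name__ == "__main__":
    print("Target SIL for the SIF:", required_sil(INITIATING, [ALARM], TOLERABLE))
    for label, kw in [("as designed", {}),
                      ("alarm bypassed", {"alarm_bypassed": True}),
                      ("proof test one year overdue", {"years_since_proof_test": 2.0})]:
        freq, ok = scenario(**kw)
        print(f"{label:30s} mitigated {freq:.2e}/yr  meets target: {ok}")
```

With the constructed values the alarm alone leaves 1e-2 events/yr against a 2e-5 target, so the SIF must supply a PFD of about 2e-3 (SIL 2). A SIF with lambda_DU = 3e-7/h proof-tested yearly achieves that, but suppressing the alarm raises the mitigated frequency tenfold, and letting the proof test slip by a year doubles the SIF's PFD and also breaks the target. The same arithmetic applies when a countermeasure in a Cyber PHA is disabled "temporarily" or left unpatched past its review date.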
3 Do we have the information to assure us they are working effectively? Supplier SDLA phases (same twelve phases as above); this slide highlights the Run stage.
There are plenty of security monitoring tools available. Most are designed for enterprise IT and need to be tested and carefully applied to ICS systems. Plant personnel need to be trained on how to use these tools to effectively detect and respond to security incidents.
Security Tools
> Network monitoring
> Host intrusion detection
> Endpoint threat detection
> Network intrusion detection
> Network access control
> Security information and event management
> Application control / whitelisting
> Vulnerability scanners

Summary for question 3 (Do we have the information to assure us they are working effectively?):
Asset Owner > Use a risk matrix
Supplier > Security process verification
System Integrator > Train personnel on how to use monitoring tools

Aligning Cyber Security and Process Safety Reduces Risk
More similar than different; stronger together. Safety and Security share the same layered response: Prevent > Control > Mitigate > Emergency. Approach security the same way that you do safety.
Takeaways. What are some specific actions you can take to better align Cyber Security & Process Safety approaches?

Q & A

Where to get more information
Schneider Electric www.real-time-answers.com/
ISSSource www.isssource.com
ISA Secure www.isasecure.org
aeSolutions www.aesolns.com

Contacts
John Cusimano, Director of Industrial Cybersecurity, aeSolutions, john.cusimano@aesolns.com
Glen Bounds, Global Director, Cyber Security Services, Schneider Electric, glen.bounds@schneider-electric.com
Andre Ristaino, Managing Director, Automation Standards Compliance Institute, aristaino@isa.org
Steve Elliott, Senior Director, Offer Marketing, Schneider Electric, steve.j.elliott@schneider-electric.com
Farshad Hendi, Safety Services Practice Leader, Schneider Electric, farshad.hendi@schneider-electric.com