Cybersecurity Guidance for Industrial Automation in Oil and Gas Applications




Cybersecurity Guidance for Industrial Automation in Oil and Gas Applications February 17, 2015

Agenda
- Introductions
- Discussion of the current state of Cybersecurity for Control Systems, with discussions from outside sources
- New Cybersecurity Guidance ebook and Engineering Services available from InduSoft
- Deeper dive into the Security ebook: a look inside
- Discussion of the new SCADA Cybersecurity Framework ebook and the associated certificate courses at Eastern New Mexico University-Ruidoso
- Q&A Session

Speakers Today (in order of presentation)
- Richard Clark, Technical Marketing and Cybersecurity Engineer
- Stephen Miller, Associate Professor and Department Chair of Business and Information Systems/Cybersecurity Center of Excellence at Eastern New Mexico University-Ruidoso

Richard H Clark Cybersecurity Background
Mr. Clark has been in Automation, Process System, and Control System design and implementation for more than 25 years and was employed by Wonderware, where he developed a non-proprietary means of using IPsec for securing current and legacy Automation, SCADA, and Process Control Systems, and developed non-proprietary IT security techniques. Industry expert by peer review and spokesperson on IT security; consultant, analyst and voting member of ISA-SP99. Contributor to the PCSF Vendor Forum. Consultant to NIST, other government labs and the NSA during the development of NIST Special Publication 800-82. Published engineering white papers, manuals, and instruction documents; developed and given classes and lectures on the topic of ICS/SCADA Security. Participated in forming the NIST Cybersecurity Framework during the workshops last year, along with our second speaker today.

Stephen Miller Cybersecurity Background
Mr. Miller (Associate Professor/Director of the Eastern New Mexico University-Ruidoso Cybersecurity Center of Excellence) has been in the Information Systems profession since 1966, working in many business, government, and educational sectors, including as IT/Technology Manager and Advisor at ExxonMobil Global Information Systems. Mr. Miller worked for Univac Corp at NASA Mission Control for the Apollo Mission, including the Apollo 13 and Skylab missions; he also worked for Ford Tech-rep Division and TRW Controls, among others. Stephen developed the online computer and network Cybersecurity Certification program at ENMU-Ruidoso, and revised the Information Systems Associate of Applied Science Degree Programs under the INFOSEC 4011, 4016E, and Center of Academics (CAE-2Y) certifications.

RICHARD H CLARK Cybersecurity ebooks/guidance

Introduction
- InduSoft is used in various Oil and Gas, Refinery, and Pipeline applications around the world
- We strive to assist customers in designing and building safe, secure and functional applications
- We have condensed a great deal of our security guidance and discussions into a single ebook
- InduSoft has recently added On-Demand Engineering Services to assist your development and engineering teams
- InduSoft has assisted in creating the NIST Cybersecurity Framework and collaborated with ENMU-Ruidoso in creating a curriculum textbook

The Scope of the Problem
- IT Departments believe that they are equipped to handle Control System Cybersecurity. They aren't.
- Example: AutomationWorld, February 10, 2015, "Shell Works with Yokogawa and Cisco on a Unified Cybersecurity Approach"
- Major problems that I have with this "Unified Approach":
  - They've thrown the SMEs (plant engineers) under the bus
  - They are only addressing security patches and antivirus
  - It is being managed from a central location, which is the same entry vector used in the retail and healthcare cyberattacks
  - They are considering the refinery as part of the IoT, which is to say that they think it is just as important as Mrs. Fitsby's new hot water heater, not critical infrastructure.

New SCADA Cybersecurity ebooks: InduSoft Security Guide and NIST Cybersecurity Framework (ISBN 978-1311-49042-1, ISBN 978-1310-30996-0). Available at Smashwords.com and other major booksellers; download at Smashwords.com to "Name Your Price".

All ebook Proceeds Benefit the Eastern New Mexico University-Ruidoso Foundation

InduSoft Security Guide: Why?
- The ebook is a compilation of InduSoft cybersecurity guidance, making it available in one place
- There is a chapter on guidelines for designing and building your projects
- Includes reprints of many InduSoft white papers and published articles on cybersecurity guidance, describing everything from runtime servers and IT guidance for control system networks to handheld smart devices and wireless networks
- The ebook contains transcripts of many InduSoft webinars on securing InduSoft Web Studio as well as broader IT and SCADA security guidance
- Also contains an Appendix with NIST Framework information
- Available in .mobi (Kindle), .epub, .pdf, .html, and .doc formats

Contents of Security Guidance ebook
The Chapters and Sections contain many useful topics:
Chapter 1: New Projects and Security as a Design Consideration
  Section 1: Building your Project (extract from the InduSoft Technical Note: Application Guidelines)
Chapter 2: Existing Projects
Chapter 3: Cloud Based Applications
  Section 1: Working with Cloud Based Applications (extract from the InduSoft White Paper: Cloud Computing for SCADA)
Chapter 4: InduSoft Application Security
  Section 1: SCADA System Security Best Practices (transcript extract from the InduSoft Webinar: SCADA System Security Webinar)
Chapter 5: InduSoft Security Discussion for Web Based Applications
  Section 1: Using Security with Distributed Web Applications (Extract 1, from the InduSoft White Paper: Security Issues with Distributed Web Applications)
  Section 2: Using Security with Web-Based Applications (Extract 2, from the InduSoft Tech Note: IWS Security System for Web Based Applications)
  Section 3: Using Security with Web-Based Applications (reprint from Control Engineering Magazine, August 2014: Cybersecurity for Smart Mobile Devices)
Chapter 6: InduSoft Recommendations for IT Security
  Section 1: Firewalls and other SCADA Security Considerations (transcript extract from the InduSoft Webinar: SCADA and HMI Security in InduSoft Web Studio)
  Section 2: Control Systems Security Overview (transcript extract from the InduSoft Webinar: SCADA Security Considerations: Overview)
  Section 3: SCADA Security - Operational Considerations (transcript extract from the InduSoft Webinar: SCADA Security Considerations: Operational)
  Section 4: SCADA Security - Management Considerations (transcript extract from the InduSoft Webinar: SCADA Security Considerations: Management)
Appendix A: NIST Cybersecurity Framework Core
Appendix B: Cyber Security Evaluation Tool (CSET) Information

Examples of topics and subjects covered

New SCADA Projects Should be Designed with Security as a Primary Goal
Good project design includes the following:
- Security as a primary design consideration
- Safety needs to be considered throughout project design and implementation
- Functionality should be moderated based on the first two design goals

Diverse SCADA Projects Require Different Types of Security Profiles
- We recognize that customers use InduSoft Web Studio in many different ways.
- This fact presents many differing security scenarios for our customers.
- A specific type of security implementation for a particular SCADA system may be entirely inappropriate for a different system.
- We have recommended many different ways that security can be implemented in SCADA and HMIs.
- Talks, classes, white papers, webinars, forums, Technical Support, and individualized guidance on projects have been available for quite some time.
- InduSoft now has on-demand engineering assistance available on our website!

Services On Demand is Now Live! Engineering assistance is available when designing projects and implementing project security

Stay Informed How to get Product Update and Webinar Announcements


THANKS FOR ATTENDING! Here's how to contact us

Contact InduSoft Today
Email richard.indusoft@gmail.com if you would like to request a copy of this presentation or with other questions.
Email: (US) info@indusoft.com, (Brazil) info@indusoft.com.br, (Germany) info@indusoft.com.de
Support: support@indusoft.com
Web site: (English) www.indusoft.com, (Portuguese) www.indusoft.com.br, (German) www.indusoft.com.de
Phone: (512) 349-0334 (US), +55-11-3293-9139 (Brazil), +49 (0) 6227-732510 (Germany)
Toll-Free: 877-INDUSOFT (877-463-8763)
Fax: (512) 349-0375
The upcoming InduSoft webinar tomorrow (Feb 18th) will focus on Engineering Services and how you can get the most out of them. Visit: http://www.indusoft.com
Join our webinars and we will send you an InduSoft webinar series Tee-Shirt!

Next: Stephen Miller, SCADA Cybersecurity Framework

CAE-2Y Accredited

Topics Covered
- E-Book Purpose
- Key Objectives
- Outline of Content
- Training Plans
- Cybersecurity Programs
- Boot Camp
- About ENMU-Ruidoso
- Q & A

E-Book Purpose
- Provide a quick reference guide to the framework
- Promote awareness of the Cybersecurity Critical Infrastructure Framework
- SCADA Cybersecurity threats and vulnerabilities
- The importance of risk assessments
- How to use the framework
- Look into applying security to InduSoft Web Studio

Key Objectives
- Knowledge of the SCADA and cybersecurity environment
- Types of SCADA systems
- Threats and risks
- Understanding of the framework
- Knowledge of tools and processes for risk analysis
- Ability to apply risk management processes to obtain the right framework tier for an organization

Outline Of Content, Chapter 1: SCADA Cybersecurity Introduction and Review
- What is SCADA: how it works, in-depth look, field devices, control units, HMI
- Overview of Cybersecurity Vulnerabilities: security challenges; understanding and defining information security; cyber threat sources to Control/SCADA Systems; GAO threats, attacks and defenses; vulnerability scanning vs penetration testing
- Understanding Control System Cyber Vulnerabilities: gaining control of SCADA Systems; categories of SCADA Systems

Information security components

Gov't Acct. Office Threat Table

Steps of a cyberattack

Geographic Layer

Physical Network Layer

Logical Network Layer

Cyber Organization/Personal Layer Internet of Things

One individual with multiple, complex relationships to other levels of the environment... that also change over time.

Control System Environment

Three Categories of SCADA Systems Modern/Common Diagram Modern/Proprietary Diagram Legacy/Proprietary Diagram

Outline Of Content, Chapter 2: Cybersecurity Framework Introduction
- Framework Introduction
- Executive Order 13636 (EO), Improving Critical Infrastructure Cybersecurity
- Risk Management Process
- The Cybersecurity Framework

Overview of the Framework

Risk Management Decomposition Diagram

Outline Of Content, Chapter 3: Cybersecurity Framework Basics
- Basic framework overview
- Framework core

Business Process Management (BPM) Approach to the Framework

How Does it All Come Together?

Outline Of Content, Chapter 4: How to Use the Framework
- Basic Review of Cybersecurity Practices
- Establishing or Improving a Cybersecurity Program
- Communicating Cybersecurity Requirements with Stakeholders

Using the CSET Tool for Risk Management and Future Framework Analysis

Select Standard(s)
- NIST Framework for Improving Critical Infrastructure Cybersecurity V1 (Recommended)
- NIST Special Publication 800-53 Rev 3 and NIST Special Publication 800-53 Rev 3 App I
- NIST Special Publication 800-53 Rev 4 and NIST Special Publication 800-53 Rev 4 App I
- Consensus Audit Guidelines (CAG)
- Components Questions Set
- CFATS Risk Based Performance Standard (RBPS) 8: Chemical Facilities Anti-Terrorism Standard, Risk-Based Performance Standards Guidance 8 - Cyber, 6 CFR Part 27
- CNSSI No. 1253 Baseline
- CNSSI No. 1253 Industrial Control System (ICS) Overlay V1
- Catalog of Recommendations Rev 7 (DHS Catalog of Control Systems Security: Recommendations for Standards Developers, Revisions 6 and 7)
- INGAA Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry
- Key Questions Set
- DoD Instruction 8500.2 Information Assurance Implementation, February 2, 2003
- ISO/IEC 15408 revision 3.1: Common Criteria for Information Technology Security Evaluation, Revision 3.1
- NERC Reliability Standards CIP-002-009 Revisions 3 and 4
- NIST Special Publication 800-82 Guide to Industrial Control Systems Security, June 2011
- NIST Special Publication 800-82 Rev 1
- NIST Special Publication 800-82 Rev 2 (Draft)
- NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems Rev 3, and with Appendix I, ICS Controls
- NRC Regulatory Guide 5.71 Cyber Security Programs for Nuclear Facilities, January 2010
- NEI 0809 Cyber Security Plan for Nuclear Power Reactors
- TSA Pipeline Security Guidelines April 2011
- Universal Questions Set

Outline Of Content, Chapter 5: InduSoft Security Guide (embedded in this chapter)
Appendix: Framework Core, CSET Tool, References, and Glossary

CSET 6.1 Tool: https://ics-cert.us-cert.gov/assessments

ENMU-Ruidoso Cybersecurity Programs
- Computer and Network Security Certification Program (Online), credited or self-paced ($2,495)
- Associate of Applied Science Degree - Information Systems Cybersecurity
The programs are designed to prepare students as:
- Information Systems Security (INFOSEC) Professionals (NSTISSI No. 4011, CNSSI No. 4016)
- Entry Level Risk Analysts
CAE-2Y Information Assurance/Cyber Defense Accredited
Courses (credit hours):
- IS 131: Network Security Fundamentals (3)
- IS 136: Guide to Disaster Recovery (3)
- IS 153/L: Introduction to Information Systems (4)
- IS 253: Firewalls and How They Work (3)
- IS 257: Network Defense and Counter Measures (3)
- IS 258: Cyber Ethics, Professionalism, and Career Development (3)
- IS 285: Ethical Hacking (3)
- IS 289: Capstone/Internship/NCL Cybersecurity Challenge

Training Plans: Boot Camp
Four day Boot Camp covering:
- Course Orientation and Introduction to Cybersecurity and SCADA
- CompTIA Security+ Key Topics
- SCADA Cybersecurity Recommended Practice / Infrastructure Guiding Principles / National Infrastructure Protection Plan
- IS-821 Critical Infrastructure and Key Resources Support Annex
- IS-860.a National Infrastructure Protection Plan (NIPP)
- Cybersecurity Critical Infrastructure Framework / CAP Process / Intro to a SCADA Product (InduSoft)
- CSET: Department of Homeland Security Risk Assessment Process and Tools
- Using the Cybersecurity Critical Infrastructure Framework

About ENMU-Ruidoso
The National Security Agency and the Department of Homeland Security have designated Eastern New Mexico University - Ruidoso a National Center of Academic Excellence in Information Assurance/Cybersecurity Defense (CAE-2Y) through academic year 2019. Based on the university's ability to meet the increasing demands of the program criteria, it will serve the nation well in contributing to the protection of the National Information Infrastructure. Meets the eleven Knowledge Units learning objectives. Recognized by the National Initiative in Cybersecurity Education (NICE) as a certified Training Institution for the NIST National Cybersecurity Workforce Framework. http://csrc.nist.gov/nice/index.htm

ENMU-Ruidoso Foundation, as noted below. If you find this ebook useful in your business, tax-deductible donations to the university 501(c)(3) foundation are encouraged by contacting:

http://www.us-cert.gov/control_systems/csstandards.html