Theme 3: Cyber Security

Just How Vulnerable is Your Safety System?

Colin Easton
MSc, CEng, FInstMC, MIET, ISA Senior Member
TÜV Rheinland FS Senior Expert PHRA & SIS

6th July 2017

Safety System Security

Safety Systems are now more accessible and "open" than ever before, due to the increasing use of COTS solutions for networking and HMI purposes.

Business needs drive the interconnectivity between OT and IT systems at the same time as we see control and safety system architectures merging.

This interconnectivity and merging of systems opens up vulnerabilities in our systems that can be exploited by cyber and physical threats.

Safety System Security

Safety Systems operate in real time to protect our processes; tampering with them, either intentionally or unintentionally, can lead to:
- Loss of production
- Environmental releases
- Health & Safety consequences

Industrial Automation and Control System (IACS) security is about preventing or mitigating the exploitation of the vulnerabilities in our control and safety systems.

What is the Problem?

2010 – Stuxnet – Siemens S7 PLCs accessed for reconfiguration.

2012 – Project Basecamp, looking for vulnerabilities in 6 specific IACS devices, found several, including the ability to access PLC configurations and modify them.

These vulnerabilities have been released and are included in publicly available databases for us to identify and protect against threats, but this also enables anyone to find and exploit them.

But not all threats originate from the internet: maintenance activities, software upgrades / patches, remote access, wireless, physical security and unauthorised access are just as big an issue for safety systems.

IEC 62443 – Security for IACS

Therefore, the SIS must be secure from both physical and cyber damage resulting from malicious acts or accidental events that would impact the SIS's ability to maintain its functional and safety integrity on demand.

To prevent both physical and cyber damage, the risk reduction must be based on a mix of technical, procedural and managerial protection measures taken from the guidance in IEC 61511, IEC 62443 (ISA99) and ISA TR84.00.09.

Security Risk Assessment – IEC 61511 2ED Clause 8.2.4

States that an SRA must be carried out to identify the security vulnerabilities of the SIS. The SRA output needs to include:
1. A description of the devices covered by the SRA – what is the scope of the System under Consideration (SuC);
2. A description of the identified threats that could exploit vulnerabilities and result in security events;
3. The potential consequences resulting from the security events and the likelihood of these events occurring;
4. Consideration of vulnerabilities and threats at all of the lifecycle phases;
5. The determination of requirements for additional risk reduction;
6. A description of, or references to information on, the security and compensating measures to be taken to reduce or remove the threats.

A description of the devices covered by the SRA

Clearly document the IACS and associated assets. Gather and organise information such as:
- System architecture diagrams – components, connectivity & location
- Network diagrams – physical construct and assignments
- Devices (Ethernet & IP address)
- Configurations – hardware & software (scan & map tools)
- Identify known vulnerabilities

IEC 62443-2-1 Example IACS Asset table. Columns: IACS Device Asset, Consequence Rating, Likelihood rating, IACS Device Risk Level. Example assets listed (ratings to be completed by the assessment): Operator control room HMI, Remote operator Panel, Engineering Workstation, Historian Server, Controller, Pressure Sensor, Valve Positioner, Gateway.

Security Vulnerability Assessments (The clever stuff)

- High Level – Gap Assessment:
  - Assessment of existing operational procedures and practices
  - Interviews, site audit, review of drawings, sample configurations, questionnaire
  - (Questionnaire could make use of the US Cyber Security Evaluation Tool – ICS-CERT)
- Passive vulnerability assessment:
  - Review architecture & network drawings & traffic analysis tools
  - Research using vulnerability databases – ICS-CERT, NVD, Nessus
- Active vulnerability assessment:
  - Active network scanning
  - Active vulnerability scanning
  - Penetration test (e.g. Metasploit)

Zones and Conduits – ISA-TR84.00.09-2013 (p. 31)

Review the system boundaries and break the system down into zones and conduits.

The zones and conduits should include assets that will be assumed to require the same Security Level.

Then carry out a High-level SRA.

[Figure A.3 – Example Network Security Architecture with Integrated 2 Zone SIS. Labelled elements in the figure: Internet, Enterprise Firewall, Enterprise Web Server, WLAN; Plant DMZ with Maintenance Workstation, Data Historian and Domain Controller; Control Center with Domain Controller, SIS HMI, BPCS HMI, SIS Engineering Workstation, BPCS Engineering Workstation, IAMS and Handheld Programmer; SIS zone (SIS-PES) and BPCS zone (Control PES), connected over 24 VDC and 4-20 mA signals to Transmitters, Block Valve, Control Valve and Pump Controller.]

A description of the identified threats that could exploit vulnerabilities and result in security events

- Stored data (e.g. history, programs) is intentionally modified or corrupted by an unauthorised individual through local access
- Malware:
  - unintentionally installed on the control system through a remotely connected computer;
  - intentionally installed on the control system through a remotely connected computer;
  - enters the system through a laptop connected to the control system network;
  - enters the system through infected media (e.g. USB sticks etc.);
  - enters the system through the business network.
- Confidential control system data is intentionally disclosed through local or remote access
- A network device fails, causing a network storm impacting system communication
- A denial of service attack is intentionally launched through remote access

High-level Risk Assessment Tools

[Figure: IEC 62443-2-1 Example tables]


The potential consequences resulting from the security events and the likelihood of these events occurring

IACS Device Asset          Consequence Rating   Likelihood rating   IACS Device Risk Level
Operator control room HMI  A                    Medium              High-Risk
Remote operator Panel      C                    High                Medium-Risk
Engineering Workstation    A                    High                High-Risk
Historian Server           B                    Medium              Medium-Risk
Controller                 A                    Medium              High-Risk
Pressure Sensor            A                    Medium              High-Risk
Valve Positioner           A                    Medium              High-Risk
Gateway                    B                    Low                 Low-Risk
Firewall                   B                    Low                 Low-Risk

IEC 62443-2-1 Example IACS Asset table with results


The determination of requirements for additional risk reduction

Draft IEC 62443-3-2 – Security for IACS: workflow diagram to establish zones and conduits.

ZCR – Zone & Conduit Requirement
SuC – System under consideration
PHA – Process Hazard Analysis

The determination of requirements for additional risk reduction

Draft IEC 62443-3-2 – Security for IACS: workflow diagram for detailed cyber security risk assessment (ISA-62443-3-2, D6E3, September 2016, p. 24). DRAR – Detailed Risk Assessment Requirement.

Start
- DRAR 1 – Identify threats. Input: historical data and other threat information sources. Output: list of threats.
- DRAR 2 – Identify vulnerabilities. Input: vulnerability assessment, prior audits, vulnerability databases, etc. Output: list of vulnerabilities.
- DRAR 3 – Determine consequences and impact. Input: threats, vulnerabilities, existing PHAs, other risk assessments. Output: assessment of impact.
- DRAR 4 – Determine unmitigated likelihood. Input: lists of threats and vulnerabilities. Output: assessment of likelihood.
- DRAR 5 – Calculate unmitigated cyber security risk. Input: likelihood, impact, corporate risk matrix. Output: assessment of unmitigated cyber security risk.
- DRAR 6 – Determine security level target. Input: corporate risk matrix with tolerable risk. Output: security level target.
- DRAR 7 – Identify and evaluate existing countermeasures. Output: list of countermeasures.
- DRAR 8 – Reevaluate likelihood and impact. Input: [updated] list of countermeasures. Output: updated likelihood and impact assessment.
- DRAR 9 – Calculate residual risk. Input: updated likelihood, impact and corporate risk matrix. Output: residual cyber security risk.
- DRAR 10 – Are all residual risks at or below tolerable risk?
  - No: DRAR 11 – Apply additional cyber security countermeasures. Output: updated list of countermeasures; return to DRAR 8.
  - Yes: DRAR 12 – Document and communicate results. Output: detailed risk assessment report.
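The loop from DRAR 5 to DRAR 12 above, run over assets from the IEC 62443-2-1 example table on the earlier slide, as an added worked example (not code from the presentation or from the standard). The full 3x3 corporate risk matrix is a constructed assumption that agrees with the cells the slide's table shows, and the effect of a countermeasure (one likelihood band lower) is also assumed.

```python
# Added example (not from the presentation): the DRAR 5-12 loop of the draft
# ISA-62443-3-2 workflow run over assets from the slide's IEC 62443-2-1 table.
# The full risk matrix and the countermeasure effect are constructed assumptions.
from dataclasses import dataclass, field

LIKELIHOODS = ["Low", "Medium", "High"]
RISK_ORDER = ["Low-Risk", "Medium-Risk", "High-Risk"]
# Constructed corporate risk matrix (consequence A = worst). Cells shown on the
# slide (A/Medium, A/High, B/Low, B/Medium, C/High) are kept; the rest assumed.
RISK_MATRIX = {
    "A": {"Low": "Medium-Risk", "Medium": "High-Risk", "High": "High-Risk"},
    "B": {"Low": "Low-Risk", "Medium": "Medium-Risk", "High": "High-Risk"},
    "C": {"Low": "Low-Risk", "Medium": "Low-Risk", "High": "Medium-Risk"},
}

@dataclass
class Asset:
    name: str
    consequence: str                 # DRAR 3: impact rating A/B/C
    likelihood: str                  # DRAR 4: unmitigated likelihood band
    countermeasures: list = field(default_factory=list)  # DRAR 7 / DRAR 11

def risk_level(asset):
    """DRAR 5 / DRAR 9: look up (impact, likelihood) in the corporate risk matrix."""
    return RISK_MATRIX[asset.consequence][asset.likelihood]

def reduce_likelihood(level, steps=1):
    """Assumed effect of one countermeasure: one likelihood band lower, floor Low."""
    return LIKELIHOODS[max(0, LIKELIHOODS.index(level) - steps)]

def drar_loop(asset, tolerable, candidates):
    """DRAR 8-11: apply candidate countermeasures in order until the residual
    risk is at or below `tolerable` or no candidates remain (flagged by caller)."""
    remaining = list(candidates)
    while RISK_ORDER.index(risk_level(asset)) > RISK_ORDER.index(tolerable):
        if not remaining:
            break                    # residual risk stays above tolerable risk
        asset.countermeasures.append(remaining.pop(0))
        asset.likelihood = reduce_likelihood(asset.likelihood)
    return risk_level(asset), tuple(asset.countermeasures)

def assess(assets, tolerable="Medium-Risk", candidates=()):
    """DRAR 12: per asset, (unmitigated risk, residual risk, applied countermeasures)."""
    report = {}
    for a in assets:
        unmitigated = risk_level(a)
        residual, applied = drar_loop(a, tolerable, candidates)
        report[a.name] = (unmitigated, residual, applied)
    return report
```

An asset whose residual risk is still above the tolerable level after every candidate has been applied shows up in the report with that residual value, which is the case DRAR 10 sends back round the loop for further countermeasures.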
The determination of requirements for additional risk reduction

[Figure: IEC 62443-3-2 example table for mapping Cyber Risk Reduction Factor to Target Security Level]

Description of information on the security & compensating measures taken to reduce / remove the threats

The countermeasures to address a specific risk will be different depending on the system. For example, different "Authentication" rules will apply for controllers and HMI etc.

Countermeasures must be documented along with the procedure / guidance for using them.

The IEC 62443 approach is similar to IEC 61508: identified control measures that can be used to demonstrate risk is reduced, broken down by requirements in IEC 62443-3-3.

Consideration of vulnerabilities and threats at all of the lifecycle phases

ISA TR84.00.09 Management Process identifies additional requirements for cyber security, including:
- Clause 5 – Management of FS: inventory of vulnerabilities, risk assessment, security of operation, host protection, patch / upgrade management, confidentiality of cyber security information;
- Clause 8 – Additional requirements for security protection; potential threats taken from IEC 62443 guidance;
- Clause 9 – To include security countermeasures, and compensating measures for when it is not possible to implement security countermeasures in the SIS;
- Clause 10 – The SRS should have a section dedicated to countermeasures, specifically considering that the countermeasures do not degrade SIS performance such as response time or field devices;
- Clauses 11 & 12 – Additional requirements for when full independence and segregation is not feasible, based on air gap, integrated zone hierarchy, firewalls, and the vendor supplying security concepts that cover the SIS lifecycle;
- Clauses 14 and 15 – Consideration of mechanical integrity and ongoing cyber security;
- Clause 16 – Ongoing cyber security, such as protection during backup and restoration, patches and upgrades, remote access, bypasses and checking of tools;
- Clauses 17 & 18 – Modifications to SIS-related security countermeasures should follow the MOC programme, with an impact analysis carried out to include access control, authorisation and reasons for access, virus checking and control.

Cyber Security – Competency and Training for C&I Engineers

It is critical that C&I Engineers acquire the skill set to be able to communicate and work alongside Cyber Security Specialists.
- ISA Europe has introduced the ISA Industrial Cyber Security Certificate Program, which provides practical hands-on training using IACS network hardware, firewalls, switches and Rockwell & Siemens PLCs to work on.
- The training is tiered to ISA/IEC 62443:
  - ISA/IEC 62443 Cyber Security Fundamentals Specialist
  - ISA/IEC 62443 Cyber Security Risk Assessment Specialist
  - ISA/IEC 62443 Cyber Security Design Specialist
  - ISA/IEC 62443 Cyber Security Maintenance Specialist
- TÜV Rheinland are also developing a Cyber Security scheme for C&I and FS Engineers that will be introduced in early 2018.

Additional Guidance (UK HSE)

Compliance with OG-0086 will contribute towards a suitable demonstration of compliance with UK H&S legislation and as part of the cyber security ALARP demonstration for the facility.

OG-0086 – Cyber Security for IACS identifies BS EN 61511 as the recognised good practice (RGP).

The reference is related to the 2nd Edition Clause 8.2.4 requirements for a Security Risk Assessment (SRA).

Both OG-0086 & IEC 61511 reference IEC 62443 as the applicable international standard, as well as ISA-TR84.00.09-2013 – Security Countermeasures Related to SIS, as the relevant standards for IACS SRA and implementation.

OG-0086 Framework

[Figure: process for the management of Cyber Security for IACS]

Framework for Cyber Security

The OG-0086 approach is similar to the US NIST 800 Cyber Security Framework of:

The UK HSE guiding principles are:
- Protect, detect and respond – It is important to be able to detect possible attacks and respond in an appropriate and timely manner in order to minimise the impacts.
- Defence in depth – No single security countermeasure provides absolute protection, as new threats and vulnerabilities can be identified at any time. To reduce these risks, implementing multiple protection measures in series avoids single point failures.
- Technical, procedural and managerial protection measures – Technology is insufficient on its own to provide robust levels of protection.

Summary

- IEC 61511 2nd Edition introduces the requirement for an SRA.
- UK HSE have produced guidance aligned to IEC 62443 and ISA-TR84.00.09.
- The SRA risk matrix should be based on a subset of the Seveso risk matrix to facilitate ALARP demonstration.
- The asset register can be based on the BOM, I/O schedule and instrument list for the SIS.
- A CSMS gap analysis is required to help reduce systematic failures through procedures.
- EC&I cyber security competence is increasing, but there is still a large gap between process & IT.

Thank you for listening

Any questions?
