Lindström Tomas Cyber security from ABB System 800xA PA-SE-XA

Transcription

1 Lindström Tomas Cyber security from ABB System 800xA PA-SE-XA

2 Cyber Security solutions from ABB Agenda Cyber Security in ABB: general view, activities, organization How we work with Cyber Security: The SD 3 +C framework in System 800xA Application whitelisting for System 800xA web portal Communication and SW tailored for your system What do I get from where? Solutions from ABB Solutions from ABB s partners September 5, 2013 Slide 2 Tomas Lindström Cyber Security Manager ABB BU Control Technologies tomas.lindstrom@se.abb.com,

3 Cyber Security in the System Lifecycle An important factor in all phases Product Lifecycle Project Lifecycle Plant Lifecycle Design Implementation Verification Release Support Design Engineering FAT Commissioning SAT Operation Maintenance Review Upgrade September 5, 2013 Slide 3

4 Cyber security is an integral part of ABB s products and systems Embedded in the product life cycle From early design to service Embedded in the organization Cyber security Councils on Group, Division and BU level Collaboration Partner with industry collaborators and specialists Close collaboration with customers Compliance with standards Active role in standardization initiatives September 5, 2013 Slide 4

5 Security for System 800xA for all phases The SD 3 + C Security Framework Design Security in the Product Development Process: Requirements, Design, Implementation, Verification Default Default installation and usage with minimal attack surface Built in functions for Secure in Deployment Support for Secure Project and Plant Lifecycle Validation of 3 rd party software and solutions Communication Correct information to those who need to know September 5, 2013 Slide 5

6 Design Security in the Product Development Processes SD 3 + C Design Default Secure in Deployment Communication Security integrated in the Quality Management System Security check points at Project Gates Threat modeling Secure coding guidelines Design and code reviews Aligning with Microsoft s SDL (Security Development Lifecycle) Security Testing By R&D teams By ABB s Device Security Assurance Center (DSAC) By 3 rd party testers September 5, 2013 Slide 6

7 Default Secure Built in Functions and Default Settings SD 3 + C Design Default Secure in Deployment Communication September 5, 2013 Slide 7 Automatic installation with Secure default settings and system hardening Advanced Role Based Access Control User Authentication based on Windows Active Directory or Workgroup 800xA Access Control Based on User, Role, and Location Set on Structure, Object and Attribute level Special Authentication functions Re-authentication, Double authentication Log over Audit trail of user actions Digital signatures

8 Default support for Networks and Hosts SD 3 + C Design Default Windows Firewall in Servers and Workstations Client-Server communication protected with IPSec Network redundancy based on dual separated networks Network filter in Controllers and Communication Modules Blocks unsupported traffic Network Storm protection Secure in Deployment Communication IPSec protection of the Client Server Network Separated networks enable fault isolation September 5, 2013 Slide 8

9 Secure in Deployment Supporting installations throughout all their Lifecycles SD 3 + C Design Default Secure in Deployment Communication User manuals, guidelines and system functions Best practices for Secure Architectures Backup/restore solutions Malware protection solutions Validating Antivirus SW (Automation Sentinel) Application : 800xA SE46 Patch management solutions Validating Security updates (Automation Sentinel) Patch deployment solutions Industrial Defender Security Event management with Monitor September 5, 2013 Slide 9 Asset Inventory Management with Manage

10 Communication Inform those who need to know in case of problems SD 3 + C Design Default Secure in Deployment Reporting a suspected problem: ABB Customer: Your regular ABB contact Others: or cybersecurity@ch.abb.com ABB s Responses in case of product vulnerability Field Communication Security Bulletin or Safety Report or Product Alert if Safety impact If publically disclosed è public response: ICS-CERT and Communication September 5, 2013 Slide 10

11 Application for System 800xA 800xA SE46 from ABB and Cryptzone Antivirus SW blocks malware based on a blacklist Application SW only allows known SW to run SE46 Agents on 800xA Servers and Workstations known SW identified with Application Certificates:(AppCerts) SE46 runs on existing 800xA nodes: No extra system HW needed SE 46 Studio on secured computer Integration with Industrial Defender: SE46 log events collected for centralized analysis SE46 Agents protect the computers September 5, 2013 Slide 11 Industrial Defender Agents forward SE46 Events to the Automation Systems Manager

12 800xA SE46 System components Policies: What should the SE46 Agents do with unknown SW Viewing SE46 log Monitor mode: Report execution in SE46 log Blocking mode: Block execution (and report) Application Certificates and Policies Installed in the Distribution Point Management Application 800xA Servers and Workstations SE 46 Distribution Point in the 800xA Central Licensing Server DP SE46 Agents protect the computers September 5, 2013 Slide 12 Application Certificates and Policies Distributed to the Agents from the Distribution Point

13 800xA SE46 Creating Application Certificates The SE46 Inventory tool scans the computers and creates Fingerprint files i i i i i i Fingerprint Files The SE46 Studio creates the Application Certificates based on the Fingerprint files September 5, 2013 Slide 13

14 800xA SE46 Creating Application Certificates After installation Based on inventory of what is actually installed Based on agent log entries Pre-made, before installation (unique feature for SE46!) Fingerprint the executables in advance 100% coverage not possible, but still very valuable Some code is site adapted, e.g. just in time compiled Pre-made by ABB (future) Operating System ABB applications Drivers for IIT Certified HW September 5, 2013 Slide 14 Qualified 3 rd party SW security updates

15 800xA SE46 Installing new Software 1. Install pre-made Application Certificates if there are any 2. Switch to Monitor mode 3. Install new SW 4. Do new inventory 5. Go through the list of new/modified applications (Shorter list if pre-made Application Certificates are used) If you trust them: Include them in a new Application Certificate If not: Exclude and remove from the computer 6. Install the new Application Certificates 7. Check the SE46 log for any exceptions 8. Switch to Blocking mode September 5, 2013 Slide 15

16 Security via web portal Communication and SW tailored for your system Field Communication related to your system e.g. Security Bulletins Security fingerprint reports With ABB Automation Sentinel 800xA SW updates 3 rd party SW Security updates validation results PDF document with validation status Qualified Security Updates ZIP-file (the files) Coming: New distribution and deployment methods Anti Virus Definition Files validation results (daily!) McAfee Virus Scan Enterprise (validation status) Symantec Endpoint Protection (validation status + files) Coming: Cyber Security Benchmark ( traffic light status) September 5, 2013 Slide 16

17 What do I get from where? Solutions from ABB System 800xA Covering your essential needs/the good start Malware protection: Application 800xA SE46 ABB Automation Sentinel Keeps you up to date ABB s Cyber Security Fingerprint Configuration compliance management service E163 Cyber Security for System 800xA Expert Workshop training September 5, 2013 Slide 17

18 What do I get from where? Solutions from ABB s partners Malware protection: AntiVirus McAfee VirusScan Enterprise with epo server Symantec Endpoint Protection Security Event Monitoring Industrial Defender Monitor Configuration compliance management (24*7) Industrial Defender Manage September 5, 2013 Slide 18

19 September 5, 2013 Slide 19

20 Secure in Deployment details, Qualified partner additions System 800xA with Industrial Defender ASA+ASM Introduction Security Objectives Security practices Products and Solutions Plant Intranet Demilitarized Zone 800xA Servers and Workstations 800xA Client Server Network 800xA Connectivity Servers 800xA Control Network Controllers Field Networks September 5, 2013 Slide 22