Gerhard Brndt, ABB AG, BU Power Generation Cyber Security and Compliance in Increasingly Distributed and Aging Power Generation Infrastructures

Transcription

1 Gerhard Brndt, ABB AG, BU Power Generation Cyber Security and Compliance in Increasingly Distributed and Aging Power Generation Infrastructures ABB Group June 20, 2012 Slide 1

2 Situation of today The potential threat for IACS during the years 2010 and 2011 has increased significantly and today authorities like the German BSI (Bundesamt für Sicherheit in der Informationstechnik) note, that professional attacks from organized crime and intelligence agencies on industries, authorities and private individuals are a common fact. The methods and techniques involved get increasingly complex and sophisticated, resulting in growing effort and cost for the defense. Trojans like Stuxnet demonstrate, that IACS and SCADA systems are in the focus of such activities. The most effective means still being prevention. The legal status throughout Europe is still heterogeneous, as no common binding guidelines exist. However existing regulations resulting from various laws (e.g. in Germany SOX, HGB, AktG, KonTraG) indirectly demand corporations and individuals to take adequate organizational and technical precautions (obligation to exercise due care, risk management, liability for premises) as neglect may cause indemnification claims. IACS = Indusgtrial Automation and Control System ABB Group June 20, 2012 Slide 2

3 Anticipated development (1) International, European and national standardization activities converge and a set of binding guidelines for suppliers, service providers as well as operators in Europe is on the horizon. On global scale the standards SO/IEC and are getting established and specifically for industrial automation ISA99 / IEC The German government (BMI, ministry of interior) intensifies its activities with focus on critical infrastructures (kritische Infrastrukturen, KRITIS). These are defined as infrastructures whose failure would have a sustained impact on the security of supplies with considerable effect on public safety and other dramatic impacts. ABB Group June 20, 2012 Slide 3

4 Anticipated development (2) Standard NERC CIP IEC IEEE PSRC/H13& SUB/C10 IEEE 1686 IEC Main focus Cyber security regulation for North American power utilities Data and communications security Cyber security requirements for substation automation, protection and control systems IEEE standard for substation intelligent electronic devices (IED s) Industrial communication networks Network and system security (DRAFT) ISO-IEC ISO/IEC series (27001, / 17799) Information technology - Security techniques - Code of practice for information security management. ISA-99 Security for Industrial Automation and Control Systems Selected international standards and initiatives in the German market some de-facto standards establish themselves amongst involved parties ABB Group June 20, 2012 Slide 4

5 Anticipated development (3) Standard BDEW Whitepaper (bdew, Vattenfall, e.on, EnBW, itecplus) VDI/VDE guideline 2182 VGB Powertech technical guideline R175 Main focus Anforderungen an sichere Steuerungs- und Telekommunikationssysteme (requirements on safe control and communications systems) Informationssicherheit in der industriellen Automatisierung - Allgemeines Vorgehensmodell" (information security in industrial automation general process model) IT-Sicherheit in Erzeugungsanlagen (IT security in power generation plants) Selected German guidelines and initiatives Once a binding set of standards is established, operators and suppliers of products and solutions may strive or be forced for a certification of information security. In the German markets such a direction from BSI as well as TÜV can be noticed. ABB Group June 20, 2012 Slide 5

6 Aspects of information security (1) Organization Personnel Organisation (ISMS) Processes, responsibilities, security concepts, awareness and training of staff, Physical Security Compliance Process Control Security Administration & Maintenance Access Control Physical safety Security zones, access control, safety of System security System documentation (like project manual, maintenance manual, backup manual) System architecture, security zones Redundancy, availability, system hardening (DMZ) Network security Network interfaces, firewalls, local and remote address management, Remote Access WLAN, Mobile Computing, Intranet/Internet ABB Group June 20, 2012 Slide 6

7 Aspects of information security (2) Operations and communications management Protections from malware and trojans, vulneraribility management (e. g. closing of USB ports), user and rights management, Schutz vor Schadsoftware, Schwachstellenmanagement (z.b. USB-Ports sperren), Benutzer- und Rechteverwaltung, handling of storage media Access to network, operating system and applications (local and fremote access) Monitoring and diagnosis Safeguarding of business operations Data security and integrity (backup / restore) disaster recovery Handling of information security cases Compliance Manual and automated logging and protocols of conformity with rules and guidelines as audit preparation (audit trail) audits

8 Focus on Cyber Security solutions ABB Group June 20, 2012 Slide 8

9 Automation Systems Management Diverse objectives, overlapping requirements Uptime & Performance Health & Safety External Threats Malicious Insiders Inadvertent Violations Operational Policy Regulations & Standards

10 Corporate IT vs. Industrial IT Understanding the critical differences

11 Multi-system DCS architecture ABB Inc. June 20, 2012 Slide 11

12 SCADA architecture examples: hydro power control SWITCH Elect. Opt. IEC MODBUS SERVER SERVER +EWS PROFIBUS Remote Remote Remote Ethernet TCP/IP Fiber optic >6 Km Ethernet TCP/IP UDP Modulebus Fiber optic >1,2 Km Fieldbus Remote I&O ABB Inc. June 20, 2012 Slide 12 Remote I&O Remote I&O

13 Recommended cyber security features of an IACS Basic features: User authentication Role-based access control Event logging/audit trails Backup/Restore Hardened hosts Host firewall configuration Antivirus Network zones Security patch validation

14 Recommended cyber security features of an IACS Optional features: Patch management Virus pattern (Definition BSI) Host intrusion detection Host intrusion prevention Network intrusion detection Compliance management

15 Extended Cyber Security solutions (1) Electronic Perimeter Protection (UTM/Firewall) UTM is used at IACS borderline as dynamic management and control of data traffic to/from mission-critical systems Recognition of virii and intrusions attempts Security Event Management (SEM) Monitoring and management of security in IACS and networks Network Intrusion Detection System (NIDS) Monitoring of the complete data traffic within a control network Identification and reporting of any suspicious activity Access Management (AM) Secured access and authorization ABB Group June 20, 2012 Slide 15

16 Erweiterte Cyber Security Lösungen mit Industrial Defender (2) Host Intrusion Detection System (HIDS) Monitoring and supervision of critical computers like workstations, operator stations, historians, router and similar IP-based systems and devices with respect to malware Host Intrusion Prevention System (HIPS) Whitelisting -based technology to protect server, operator stations, engineering workstations and other important devices from attacks Protects systems against malware and not approved aplications by verification with a list of released/permitted applications Resource denial for not approved applications Compliance Management (CM) assessment and audit reports patch and configuration management software and asset management

17 Application example Symphony TM Plus Symphony Plus Workplaces Plant Network Symphony Plus Workplaces Compliance Management CM Access Management AM Host Intrusion Prevention System HIPS Host Intrusion Detection System HIDS Network Intrusion Detection System NIDS Security Event Management SEM DMZ WSUS, epo Group Policies Virenschutz Remote Service Router / Firewall Electronic Perimeter Protection UTM / Firewall Industrial Defender Symphony Plus Server Control Network O-net Melody ABB Group June 20, 2012 Slide 17

18 ABB Group June 20, 2012 Slide 18