By: Ayman AL-Issa, Chief Technologist & Senior Advisor Industrial Cyber Security (MENA), Booz Allen Hamilton

Transcription

1 By: Ayman AL-Issa, Chief Technologist & Senior Advisor Industrial Cyber Security (MENA), Booz Allen Hamilton

2 A Glance about the Digital Oil Field The Evolving nature of Industrial Cyber Threats The Industrial Cyber Dilemmas Resolving the Human Conflict ISA99/IEC62443, the SILs and SALs The MAC and The MCSC Protecting critical infrastructures from the emerging cyber threats Industrial Cyber Security by Design Group Discussion and Scenarios (to be covered if attendees are interested to spend more time)

3 3 Digital Intelligent Smart Fields of the Future What does it all mean? It is all about How we Operate Oilfields in the future. Establishing a Collaborative work Environment, and Moving to Real-Time or near Real-Time way of working Connecting remote sites Having teams to work together

4 It is all about: Increasing Productivity More Oil Recovery Lower Operational Costs Reduced Risks to Health More Safe and more protection to the Environment

5 How to turn a brown oilfield into a Digital Oil Field? How to implement an Industrial Defense in Depth Cyber Security Model in a Brown Oil Field? How to Integrate Industrial Cyber Security Solution in both the green and brown oil fields? How to safely integrate industrial networks with business networks?

6 While there is Increase in successful Cyber Attacks. Are Smart Oil Fields equipped with Smart Cyber Security Controls?! Is the Smart Oil Field an Option or a Must? Important Questions that need Smart answers.

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21 Most of the Companies or even Governmental Entities avoid to disclose Cyber Security Incidents. "In order to disrupt the Soviet gas supply, its hard currency earnings from the West, and the internal Russian economy, the pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds," Reed wrote. "The result was the most monumental non-nuclear explosion and fire ever seen from space."

22 Cyber Security Threat Converted Beyond the Nature of: Virus Spread Computer or Data Damage Data Stealing To the Capability of: Increasing pressure in a pipeline Changing field device parameter settings Closing/Opening a motorized Valve Causing a Denial Service Attack within ICS Increasing/Decreasing Motor Speeds Viewing Fake HMI Readings

23 25 Loss of View Loss of Control Loss of Operation Loss of Production Loss of Lives Damage to Critical Infrastructure Damage to Environment

24 We are not a likely target. We are not interesting to attract Hackers. Our production system is proprietary one Our production systems are completely isolated. We don t think it will happen We built these systems for Seven 9s continuity We can t justify the expense and the manpower.

25 27 When you walk on mines, your first mistake is the last mistake You are or you are NOT in control of your control systems?

26

27

28 30 OLD DCS Systems Proprietary Systems. Installed in isolation from ordinary IT systems. Minimum Cyber Security Risk due to being Proprietary Systems installed in Isolated Area Different DCS systems in different locations were operated separately. New DCS Systems IT nature systems Based on Open Standards (Windows-based). Integrated with IT Systems at business networks to facilitate the extraction of real-time information to support: Better decision making and, Advanced reporting requirements Increase in Cyber Security Risk being based on Open Systems, and connected to business networks. More and More Integration: New-generation DCS systems are more integrated with each other through RTOC at main offices

29 32 The Legacy Control Systems The new IT nature-based Control Systems The ones isolated from business systems The ones connected to business systems

30 Automation Systems Manufactures & Cyber Security Players should work together Customers shall use their influence to promote Cyber Security IT, Control, Engineering, and Planning teams shall work together

31 IT Professional Role Automation Control System Engineering Role Who will do it in the field? Understanding the SPA role (Single Point of Accountability).

32 Can Industrial Cyber Security be Outsourced? Can We implement industrial cyber security without the automation vendor? The Role of Industrial cyber security consultancy

33 Integrate the Efforts between: Automation Best-in-class manufacturers, & Real Cyber Security Players Use Integrated Industrial Cyber Security Solution Integrate IT & Operation Teams to Work Together

34 37 One team work (Customer, Manufacture, Cyber Security Provider) Build your own Cyber Security Standard for Industrial Systems Security Make the Invisible Visible Security is Visibility, and Visibility is Security. Implement Security By Design

35 38 Know your ICS Components Build Cyber Security Infrastructure First, and then, Design Industrial Operations Systems with Cyber Security at the core.

36 Goals People Processes Technology Information Information Confidentiality, Intellectual Property Protection, Equipment Protection, Availability, Business Continuity, Process Safety, Workers Safety and Health, Environmental Protection and Compliance ICS Cyber Security Program Sponsor, Managers, Auditors, ICS and IT Cyber Security, Control System Engineers, Specialists, General Workforce. Regulations and Industry Standards, Best Practices, Quick Wins, Configuration Management, Incident Management, Auditing Compliance Reporting, Employee Training and Testing Network, - Firewalls, Intrusion Protection Devices Firewalls, Access, AV, WL System - System Hardening, Configuration Management, Incident Management, Audit and Test Technologies User Passwords, Rights and Privileges, Network and Device Configuration, Software versions and Patches, Advisories and Alerts, Activity Histories and Incidents

37

38

39 ISA/IEC (Formerly ISA99) ANSI/ISA NIST SP (Special Publication) NIST SP Guide to Industrial Controls Systems (ICS) Security NIST SP Guide for Applying the Risk Management Framework ANSI/ISA-95, or ISA-95 NERC Critical Infrastructure Protection (CIP)

40 Checklists, what if? Hazard and Operability Study (HAZOP) Failure Mode and Effects Analysis (FMEA) Layers of Protection Analysis (LOPA) Fault Tree Analysis (FTA)

41

42

43

44

45

46

47 Reference: ISA 99 Standard and Honeywell Documentation

48

49

50 Designing a Robust Information Security Model For Industrial Infrastructures Security through Integration and Visibility

51

52 Remote Site Headquarters AV AV AV WL WL WL Antivirus DC Antivirus DC Antivirus DC SU SU SU HIPS HIPS HIPS Enterprise Security NAC NAC NAC NAC NTBA NTBA NTBA NTBA DLPM PCN : Process Control Network PIN : Process Information Network CPIN : Central- Process Information Network EBN : Enterprise Business Network IPS: Intrusion Prevention System AV: Antivirus & Antispyware Technology NAC: Network Access Control WL: White Listing Technology NTBA: Network Threat Behavior Analysis DC: Device Control Technology DLPM: Data Loss Prevention Monitor SU: Security Updates Technology HIPS: Host Intrusion Prevention System (Monitor Only)

53 Ayman AL-Issa, Digital Oil Fields Cyber Security Advisor ADMA-OPCO, Abu Dhabi, UAE

54 Today s Status? The IACS DID Model Components The MAC and the MCSC Conclusion

55

56

57 What are the obstacles faced by the customer at the plant floor to protect new/existing (old) diverse types of IACS from the emerging cyber threats. Why an effective cyber-security DID model failed to be implemented so far in a Critical Infrastructure having multi/diverse/old/new Automation Systems, and the way forward?

58

59 We realized the need for Industrial Cyber Security The ship commander is not clearly identified yet. We don t know what we want to do! We don t know the approach. We still did not realize the need for overall solution integrator. We hardly completed make up risk assessments. Very little cyber security efforts done on ground.

60 The mission is not easy The stakeholders are not all onboard? Automation Vendors are moving slowly Automation Vendors can not provide their own Complete DID cyber security solution. Industrial cyber security vendors are doing better, however, many Cyber Security Vendors are still not onboard More chances for arising automation system conflict by implementing Cyber Security Solutions

61 More dependence on procedures, guidelines and policies Week Cyber Security Controls in General More chances for arising automation system conflict by implementing Cyber Security Solutions

62 Prior 1960 Control hardware comprised pneumatic or electronic analog devices 1960s Conventional Control Systems: minicomputers were used in the control of industrial processes Early 70s The DCS was introduced in 1975 (new era of the computer applications in process control) 1999 Schneider Automation (which acquired Modicon) released the "Open MODBUS/TCP Specification in March 1999

63 Planning Level Execution Level Supervisory Level Control Level DCS (Distributed Control System) PLC (Programmable Logic Controller) MES (Manufacturing Execution System) SCADA (Supervisory Control and Data Acquisition) ERP (Enterprise Resource Planning) ms seconds hours days weeks month years

64 ERP MES Supervision months days minutes Group Control seconds Complexity Individual Control Field Site 0.1s 0.01s Reaction Speed

65

66

67 Proposed Mitigation Step: Use of Automation Vendor s Repository Server. Use of Site Virtual Machines for each vendor. Use of Customer Owned Laptops for each vendor.

68 - What is wrong & what is the proposed solution?

69

70 - Please stop misleading our automation engineers?

71 - Standards - Are excellent references prepared by world top experts. - They should be used - Control Systems are Similar but implementations are different. - Threats are more to some nations than another. Proposed Mitigation Step: Build your own standard

72

73

74

75

76

77

78 1. VISION FIRST A. Asset Inventory B. Change Management C. Automated Backup Solutions D. DRP E. Performance Management System F. Network Health Check 2. End-Point Security

79 While customers are being offered divers numbers of cyber security Defense-In-Depth solutions by cyber security vendors to protect their critical infrastructures, the question that needs to have a GIGANTIC answer for is: HOW CAN SUCH A MODEL BE: - IMPLEMENTED, - SUPPORTED, & - OPERATED SUCCESSFULLY DURING THE PLANT LONG LIFETIME???

80 Recent DCS, ESD, F&G, etc. systems are having different nature compared to the old ones where the number of the COTS systems are much more than the ones utilized by obsolete systems, and hence maintain/operating them is different in nature as well. The move to the MAC approach came to facilitate proper OPERATION/MAINTENANCE/SUPPORT of the overall plant during its long-life time span, and it has proved its great benefits.

81 A Cyber-Security Defense-In-Depth Model within IACS in a Critical Infrastructure is easy to say but very difficult to: Implement Support during the plant long-life time Operate So, let s explore how adopting the approach of Main Cyber Security Contractor (MCSC) in a way similar to the approach of Main Automation Contractor (MAC) shall help to pave the way for: A successful implementation, and Long-term support/operation of an industrial cyber security Defense-In-Depth (DID) solution within the automation systems in critical infrastructures.

82 To demonstrate the value of adopting the approach of the Main Cyber Security Contractor, I ll use the following three scenarios:

83 Company X procures the end-point security solutions from different vendors (3 or more), and it procures the network security systems from different vendors as well. Common Result: Chances for conflicts in the new updates are high. MAC has to deal with many cyber security vendors, and he/she will suffer till he/she resolves the conflict. Plant operation will be affected negatively and security will turn into a disaster rather than a solution. The alternative option left to the customer could be to disable the security solutions or remove them as the plant operation is its top priority.

84 Company Y procures the end-point solution from limited number of vendors (two or less), the network security solution is procured from limited number of vendors, and a MCSC is set responsible for supporting the whole environment. MCSC has partnership with the cyber security providers. Common Result: The Chances for conflicts are there as a result of diversity in vendors; however as MCSC has agreements with the vendors, problems will take less time to resolve. Plant operation might be affected if the conflict is not resolved in a short time.

85

86 Company Z procures the automation system from a MAC who has a partnership with a MCSC. The MCSC can provide the overall DID solution. The MAC has partnership agreement with the MCSC to test all the updates in the MAC systems prior to releasing them. The MCSC Role is under the responsibility of the MAC Common Result: Better cyber security and smooth Long-time operation/support of the plant.

87 The adoption of a real DID model within the automation systems can only be successful if it can be operated and maintained for a long run. Partnership between Automation Vendors and Cyber Security vendors can ease the way of implementing Cyber Security within plants. Cyber Security Solution within a plant shall be Supported by the Automation vendor while operated and administered by the customer in the same way a plant is operated.

88

89

90

91

92

93

94

95

96

97

98 Technology Solution. OEM Professional Services OEM Certified Training Consultancy. Infrastructure Design for the Project and Solution.

99

100

101 106

102 107

103 108

104 109

105 Build The Security Operations Center (SOC), and the Network Operations Center (NOC) Network Segmentation Industrial Firewalls Next Generation Firewalls Next Generation Intrusion Prevention Systems Network Threat Behavior Analysis (NTBA)

106 Vulnerability Management Systems Data Loss Prevention Database Security Network Access Control SIEM Solution Performance Availability Monitoring Solution Consider Wireless Security Controls

107 Workstations, Engineering Workstations, Servers, Storage. Application Control and White-listing Configuration control system AntiVirus/AntiSpyware/Antimalware Host Intrusion Prevention System

108 Workstations, Engineering Workstations, Servers, Storage. Deep Defender Patch Management Solution Systems Hardening Systems Backup (Data and System Images)

109 The configuration, installation, and deployment of the technology solutions shall be carried out by OEM Professional Services from the OEM vendors.

110 An OEM Certified Training shall be provided for all Systems, Solutions, and applications part of the technology solutions mentioned in part 1.

111 Risk Assessment: Risk Assessments shall be conducted according to the best industrial practices risk assessments and standards as follows: First Risk Assessment is to be conducted to evaluate the risks at the industrial control systems included in the project on the SAT phase. Second round of Risk Assessment shall be conducted as part of the Site Acceptance Test, and it shall be carried out by consultants from a specialized industrial cyber security company. The risk assessment shall cover all systems and their configurations including digital security systems, network systems, industrial control systems, and any IP-based system. It shall also cover all systems configuration as well. All gaps identified shall be closed before going to the production. Regular Risk Assessments will be conducted and arranged by the Company every year to ensure that all IP-based systems and applications are rigid to cyber attacks. Vendors shall close all gaps identified by any future risk assessment.

112 Disaster Recovery (DR) Plan, Business Continuity (BC) Plan, and Incidence Response (IR) Plan: Vendor shall provide a full plan for their systems preparedness and backup to cases such as major system failures, blackouts, or virus outbreak. Vendor is required to clearly state and deliver their DR, BC Plans including their mitigation plans and Incidence Response Plans. They shall also provide the operational plan within "worst case scenario" type of crisis. Procedures, Policies, Guidelines, and Best Practices: Procedures, Policies, Guidelines, and Best Practices shall be provided by the vendor before going to production, and shall be included in the training plan to all employees working on any system within the vendor provided solution. The training shall include a mechanism that verifies that the employees clearly understand the procedures, policies, guidelines, and best practices.

113 The vendor shall provide an Infrastructure Design that matches all requirements mentioned in Part 1 (Technology Solution). The design shall reflect all required segregations, segmentations, industrial control systems, networking, and digital security components. The design shall be verified and accepted by Company Information Security Section.

114 Comply with the latest version of any Company, or it s shareholders standard related to the Digital/Cyber Security Standards All LAN/WAN Security equipment supplied by Contractor shall be compatible and compliant with existing Company LAN/WAN Security equipment and configuration and approved by IT Security Team. Contractor shall not procure LAN/WAN Security equipment until it is required to assure implementation of the latest state-of-art approved technology. This can only be achieved by delaying the procurement of LAN/WAN Security equipment to the latest phase of the project. The bill of material and purchase request should be approved by Company IT Security Section (ITSS) prior to tendering.

115 Security Controls shall be provided from a single vendor MCSC (Main Cyber Security Contractor) to ease the support and management of the systems, and to provide high security and visibility value by the integration of all products. The IT Security Team shall be present during all systems tests.

116 Must be of the latest models/proved technology in the market, and Must have a manufacture support road map (life continuity) of at least 5 years from the day of purchasing, and Must have a sales road map of at least two years. Must be High Available with redundancy, and shall not cause any kind of latency to the traffic that could affect the operation by any means. The vendor has to make use of technologies such as the Intel Processor Security Features to be capable to have a vision on attacks such as hidden attacks. These technologies shall be used by the systems provided by the vendor.

117

118 Senior Management Ownership One Team from Different Disciplines. Understanding Oil Field Operational System Requirements. Build Cyber Security Infrastructure First, and then, Design Industrial Operations Systems with Cyber Security at the core.

119 Integrate security efforts between Security companies and industrial companies Smart Grid Security Innovation Alliance Build your own Cyber Security Standard for Industrial Systems Security Remember: Industrial Systems are the most difficult systems to secure. Make the Invisible Visible Security is Visibility, and Visibility is Security.

120 An effective process control security in the Industrial Oil and Gas Plants can make the difference between a normal day at work and a disaster Cyber Security shall be at the core of Smart Technologies

121 Some of the information and images used in this presentation has been obtained from public domains, published sources, catalogs of manufacturers. It is used solely for the purpose of illustration and presentation only References: Securing SCADA Systems (Ronald L. Krutz), Industrial Network Security (Eric Napp), Thoughts from Eric Byers. ISA-99, IEC 62443

122 127

123 128