Securing Plant Operation The Important Steps

Transcription

1 Stevens Point, WI Securing Plant Operation The Important Steps September 24, 2012 Slide 1

2 Purpose of this Presentation During this presentation, we will introduce the subject of securing your control system and the principles to bear in mind when designing security for a system: Least Privilege Least Function Defense in Depth To explain major security controls which should be deployed to your control system as a baseline, e.g. patch management, anti virus, hardening, system recovering. We will explain services that ABB has to help implement secure environment September 24, 2012 Slide 2

3 Three Key Issues to Address in System Vulnerability Network connectivity More and more connectivity is desired or even required An air gap is not as secure as many imagine Removable Media May be a valid use of the system with bad results Restrictions on use Proper procedures for necessary use Users of the system Protection against intentional mischief Training to protect against mistakes and human engineering September 24, 2012 Slide 3

4 Defense in Depth September 24, 2012 Slide 4

5 Standardization landscape Scope and completeness of selected standards Energy Design Details Industrial Autom. IT IEC Technical NIST IEEE P 1686 Aspects Details of Operations CPNI Relevance for Manufacturers NERC CIP ISO 27K ISA 99* Management Aspects Operator Completeness Manufacturer * Since the closing of the ESCoRTS project, ISA decided to relabel the ISA 99 standard to ISA to make the alignment with the IEC series more explicit and obvious.

6 Two Important Principles Common to Most Standards Principle of Least Privilege No user should have more rights and permissions than needed to perform his function in the system Principle of Least Function Only the functions needed for the system to accomplish its purpose should be present or enabled in the system September 24, 2012 Slide 6

7 Example: Least Privilege Considerations Is there is a real strategy for the membership of groups such as Operators, Engineers, Administrators? Do these groups have wide ranging permissions? Are personnel routinely added to multiple groups? No operator should log onto a control system machine as an administrator. No engineering user should log on as an administrator unless there is a need to perform administrative duties and they have this responsibility. Even engineering accounts should have limitations on their rights that limit them to the activities that are part of their jobs. There should be no use of the powerful service account for other any other uses. Local login should be disabled in the security policy for the service account. September 24, 2012 Slide 7

8 Example: Least Function Considerations Is there any software loaded on the system that doesn t need to be there such as games that come with default loads of Windows? Are any services enabled that don t need to be? Are any network ports open that don t need to be? Is removable media access required to accomplish the functions of the control system computers? Should servers in the system be used as operating screens? Perhaps operating workplaces should limit which accounts can log in based on function September 24, 2012 Slide 8

9 Network Architecture Considerations Is the control system network completely isolated from any other network? If connected to another network, does it use a firewall to segregate the networks? Has the firewall been specifically configured for the least access required? Is any use of RPC (DCOM) permitted through the firewall such as for classic OPC? (If so, a tunneling product should be used to eliminate this.) Are there any dual homed hosts in use? (One NIC on the control system LAN and one NIC on another network such as the corporate network) Does the ABB control system share a domain controller with any other control system or with an enterprise domain? Is wireless in use? If so, does it use secure encryption? (WPA Enterprise, Radius Server, IPSEC) Are there any dial up connections to the system? Are there any direct connections such as an EWS or Historian on the corporate network bypassing the firewall? (An example here is a historian on the corporate network connected to an Infi90 system via a CIU.) Any remote connections to the system? Do they use a reverse tunneling technology or are they initiated from outside the firewall? If from outside do they use VPN? September 24, 2012 Slide 9

10 User Account Policies Establish hierarchy of User Accounts (operator, tech, admin, etc) Even an Administrator should not log on as Administrator except to perform those duties Domain wide policy to enforce: Password Requirements and Role Association Define Remote Access Security Operator Group Policy that restricts access to Desktop and Applications Shared Operator Accounts are they okay by standards such as ISA99 and NERC? September 24, 2012 Slide 10

11 Password Policies Standard practice today is complex passwords and regular changes, but this may not be possible for some accounts in a process control environment. What about shared operator accounts? September 24, 2012 Slide 11

12 800xA User Account Model User access is controlled by a three-dimensional model: Person x Object x Function. ƒa role based access is implemented. The system restricts access according to the user and user role configuration. For example Operator role can acknowledge alarms. Security can be further defined for an individual user on a process section basis or even an individual tag basis. For example Unit 1 operators can acknowledge alarms only for Unit 1. ƒall accesses and changes to the 800xA system and data are logged and tracked in the audit trail. September 24, 2012 Slide 12

13 Services A required services list is published for each product Programs that start without user intervention Can be configured to start automatically or manually or not at all Can configure which account starts the program September 24, 2012 Slide 13

14 Securing Removable Media Why secure removable Media? June 2010 Stuxnet; spread via infected removable USB media is discovered. It is the first malware application to include a PLC rootkit. Methods First line of defense: Physical restriction to computers + BIOS protection Second Line of Defense: Physical Locks on Available Ports Third Line of Defense: Deny OS access to removable media using Group Policy or 3 rd party solution September 24, 2012 Slide 14

15 Securing Removable Media Methods Hardware Locks Samples BIOS protection from boot off USB device Microsoft Group Policy Group Policy Management Console 3 rd Party endpoint protection Several free and paid 3 rd party utilities September 24, 2012 Slide 15

16 Securing Removable Media Control Access using Hardware Lock Mechanism Always restrict physical access to the machines as much as possible even if USB locks are used! 2 Types of Locking Mechanisms Effective Secure Dust Protection Cosmetic Child Proof Locking = September 24, 2012 Slide 16

17 Patch Management Patch management Must be certain that no change to the system will adversely affect operation. Patches must be kept current within 30 days. NERC CIP-007, ISA TR Ports and services required for the applications must be identified and only those ports and services may be enabled NERC CIP-007, ISA SR 7.6, 7.7 Account management Authentication and accountability required, principle of least privilege, security audit trail, periodic review, password policies, personnel changes NERC CIP-007, ISA SR 1.1, 1.2, 6.2 September 24, 2012 Slide 17

18 Security Updates Patch Management Which updates are validated for my system? Where do I get the updates? How do I install the updates? September 24, 2012 Slide 18

19 Which updates are validated for my system? Find the validated update document for your products at: September 24, 2012 Slide 19

20 Where do I get the updates? Subscribe to Sentinel Can retrieve update documentation from Solutionsbank New add on service for Sentinel Subscribers Sentinel subscribers can receive a Security Update CD in the mail as they are released. These update cds currently only support 800xa 5.0 and 5.1 systems, but other systems are being considered for inclusion. September 24, 2012 Slide 20

21 Download from Solutionsbank As the updates are validated and compiled for the Security Update cd, they are also made available as a download in Solutionsbank September 24, 2012 Slide 21

22 Automatic Downloads with WSUS Utilizing WSUS services from Microsoft, all updates can be downloaded, approved by you based on the ABB Validated Update document, and installed to all nodes in your system using the built in windows update feature. September 24, 2012 Slide 22

23 Manual Downloads ABB validated updates can also be downloaded manually, directly from the validated update document. Each update listed in the document includes a hyperlink to Microsoft s TechNet update site. September 24, 2012 Slide 23

24 How do I install the updates? Generally the procedure to install the updates will depend on how you got them. If you received the cd in the mail, all you need to do is perform a maintenance stop on the node you want to install to, and install the CD. The security update installation window will appear, prompting to begin the install. After all of the updates have installed, reboot the node to restart all of the ABB services. If you downloaded the update file from Solutionsbank, unzip the file and burn it to a cd, then the procedure will be the same as above. You can also copy the files to a USB flash drive or a network share and run the install from there. If you manually downloaded the files either from the links in the update document or used another manual process, the files need to be individually installed. It is possible to automate the installation process up by creating a batch file to install the updates. September 24, 2012 Slide 24

25 Example References Recovery Plans for Critical Cyber Assets Recovery plans must be documented including who is responsible Plans must be tested at least annually including walking through a simulated loss and recovery These plans are not limited to backing up software, but may include recording configuration settings, etc. Backups can be made without affecting normal plant operation The system shall support automating this function Software backup media must be tested NERC CIP-009, ISA99.03 SR 7.3 September 24, 2012 Slide 25

26 Question: What type of backups do I need to make? September 24, 2012 Slide 26

27 Answer: What type of failure are you going to have? September 24, 2012 Slide 27

28 Software Backup Strategies Application Backups Disk Image Backups Active Directory Backups Domain Controller Backups Scheduling Considerations Verifying Backups September 24, 2012 Slide 28

29 Application backups vs. image backups Application Backups Backs up specific data and configuration for an application or project. Great for restoring pieces of lost information. Useful for replacing corrupt files Only needed as often as the data changes. Not OS or hardware specific but usually version specific Does not backup the application itself. Great for upgrades September 24, 2012 Slide 29

30 Application backups vs. Image backups Disk Images Full sector by sector image of the entire drive or partition. Great for reloading the entire disk or computer. Fastest recovery method for failed hard drive. Useful for creating off-line virtual systems for troubleshooting issues. Regulatory compliance for testing backups can be met through virtualization. File and folder information can be restored through mounting the image as a drive. September 24, 2012 Slide 30

31 Services to help achieve secure the system Security Support Services Software Backup Services Patch Management Services Change Management and Security Logging These services are available for Microsoft Windows based systems: 800xA All connectivity options Symphony Process Portal B, Conductor NT, Conductor VMS clients September 24, 2012 Slide 31

32 Security Support Services Solutions Audits and policy validation Compatibility testing System hardening and policy implementation Documentation and training Consulting September 24, 2012 Slide 32

33 ABB Cyber Security Audit and Hardening Services September 24, 2012 Slide 33

34 Regulatory and Standards Considerations ABB bases our recommendations and service offerings on internationally recognized principles and best practices. Regulations are the key element driving some market segments and help define our programs. Examples: NERC CIP - Has force of law in US OLF Guideline Best Practice widely adopted in Oil and Gas industry Existing and emerging standards help define what steps are taken. Examples: ISA99 ISO NIST September 24, 2012 Slide 34

35 Standardization landscape Scope and completeness of selected standards Energy Design Details Industrial Autom. IT IEC Technical NIST IEEE P 1686 Aspects Details of Operations CPNI Relevance for Manufacturers NERC CIP ISO 27K ISA 99* Management Aspects Operator Completeness Manufacturer * Since the closing of the ESCoRTS project, ISA decided to relabel the ISA 99 standard to ISA to make the alignment with the IEC series more explicit and obvious.

36 Services and Ports A very important step for securing computers is to eliminate unneeded services and network ports Services and ports are audited to record their current state and are compared to the ABB required services documentation Any required third party services are reviewed All others are disabled or uninstalled Reduces the amount of functions for the computer September 24, 2012 Slide 36

37 Additional Security Principles Reviewed Recommendations Made Physical Restriction to Interfaces Removable Media Policies and Settings BIOS Boot Settings and Configuration Passwords Security Policy Administration Principle of Least Privilege Use of shared accounts Standards for desktop lockdown Auditing of Security Events Reporting of Patch Management and Antivirus Deficiencies Network Architecture Considerations September 24, 2012 Slide 37

38 Reporting Detailed reporting provides easy to interpret summary Also provides details of discrepancies with customer s own policy or ABB secure default policies Provides recommendations to correct deficiencies

39 Reporting

40 Reporting

41 Security Support Services System Hardening and Policy Implementation User Roles, Access Control and Workstation Hardening Establish hierarchy of User Accounts (operator, tech, admin, etc) Domain wide policy to enforce: Password Requirements and Role Association Define Remote Access Security Operator Group Policy that restricts access to Desktop and Applications Provide hardening services as applicable Close un-necessary ports Disable non-essential services September 24, 2012 Slide 41

42 Security Support Services System Hardening and Policy Implementation Schedule appropriate time for implementation Often changes can be done with no impact on operations, but an attitude of caution may be prudent depending on the process Software upgrades and major system changes may be recommended if operating systems are obsolete Depending on changes, an outage may be required, e.g. if software upgrades are required Implement changes on site Configuration with firewall and other mechanisms Most changes can be made with group policies if the system is in a domain Final test of all changes in the operating environment Prepare final report of as delivered changes September 24, 2012 Slide 42

43 Security Support Services Consulting and on-going compliance support The system is likely to fall out of compliance over time, as a result of: Intentional or unintentional changes Replacements of PCs Software reloads, upgrades, etc. New threats Periodic Audits to ensure correct settings Discussions with the plant personnel responsible for the program to make sure the program is meeting their needs September 24, 2012 Slide 43

44 Security Support Services Consulting and on-going compliance support Provide training as turnover of security responsible personnel occurs in the plant Create procedure documents for loading computers with correct security policy settings Implement policy requirements for new equipment added to plant or on any replacements shipped to plant Implement a secure remote connection to your system For remote support from ABB (see our remote enabled services demonstration in the US Services exhibit) For your own use to securely connect to the system from a remote location September 24, 2012 Slide 44

45 Software Backup Services Purposes A service to safeguard the data and configuration of the system against loss A service to enable rapid recovery from a computer device failure A service to maintain the data needed in the process of an upgrade of the applications A service that verifies system recovery data is valid A service to help in meeting regulatory requirements such as NERC CIP regulations regarding disaster recovery September 24, 2012 Slide 45

46 Software Backup Services Features Hard drive imaging to a central server Configuration backups in addition to imaging Customized scheduling and scripting to automate the update of images ABB tested bandwidth and CPU utilization to avoid performance problems Full domain integration Backup image testing Restoration training September 24, 2012 Slide 46

47 Patch Management Services Software updates Update ABB control system applications Install MS Operating System Hotfixes and Patches as applicable Submit Summary Report with as-hardened baseline Prepare Patch Management Process documentation Option for quarterly or semi-annual return service for updating available Option for installation of an update server for automating roll-out of Windows Security Patches September 24, 2012 Slide 47

48 Patch Management Services Anti-Virus / Malware Protection Load and configure Antivirus in accordance with ABB guidelines for application performance Update Virus Scan Engine Load current definition files Configure Automated Scan schedule Submit Summary Report Option for installation of an update server for automating update of Anti-Virus updates September 24, 2012 Slide 48

49 Security Solutions Secure Remote Access Connection to Corporate Network via Router w/ Firewall or DMZ. Allows for Remote Diagnostics for Control System support Can Support WSUS (Windows Update) and Anti Virus Updates Allows for Remote Operator and Engineering Clients Secured as Read-Only Configured for off-site Operation and Maintenance September 24, 2012 Slide 49

50 Service Environment Cyber Security Service Portfolio Risk Assessment Create asset register Criticality classification Support security policy creation Support creation of a security organization Gap analysis and Services design Infrastructure for Services delivery Maintenance of System Recovery Plan User Management ABB Remote Monitoring and Operations Room Anti virus management Microsoft Patch Management System backup/restore management NIDS/HIDS Management Virus removal September 24, 2012 Slide 50

51 ABB Group September 24, 2012 Slide 51