Roel C. Mulder, Business Consultant, Emerson Process Management, May 2006

Slide 2: Sophistication of hacker tools
(Chart only; no text was extracted for this slide.)
Slide 3: Risk Assessment
- A system risk assessment is required to determine the security level.
- The security level varies by the consequences of a successful attack:
  - Hazardous process or product
  - Location of the plant
  - Critical infrastructure process: are you a target?
- The security level varies by the chance of attack:
  - Isolated control system
  - Highly interconnected system
- ISA SP99 Report 2 can help with the risk assessment.

Slide 4: Develop a System Security Policy
- Leverage the corporate policy, but it must be modified to fit the process-system situation; a standard IT policy cannot be used as-is for:
  - User access management
  - Patch management / anti-virus management
  - Physical access to equipment
  - Software installation
- Three elements of system security:
  - Physical access
  - User access
  - Network isolation
Slide 5: IT and Control System Security
- The security goals are different.
- Information technology: performance and data integrity are most important.
- Process control: human and plant safety is the primary responsibility.
- Example: you can't lock out an operator after three misspelled passwords.

Slide 6: Rings of Protection / Defense in Depth
- A security method that provides additional protection within the security layers of the rings.
- Physical example: guard dogs between the fences.
- Network example: anti-virus software on the protected network.
Slide 7: Basic Security Solution
- Define the system boundary and control access to the system across this boundary.
- Control network access: access to the system from outside LANs.
- Control user access: who is allowed in and what can they do.
- Control physical access: access to equipment is secured.

Slide 8: Control System Boundary
(Diagram of the control system boundary.) Protection = control access across the system boundary.
Slide 9: Entry Points to the system
(Diagram of the control system boundary with its entry points:)
- CD, floppy, USB
- System network equipment
- I/O subsystems
- External network
- Modem connection

Slide 10: Control Security Philosophy
- One way in, well guarded and protected.
Slide 11: Modem Connection
- For process systems this is only used for remote troubleshooting (with pcAnywhere).
- Should be disconnected when not in use.
- Set up as a dial-back connection only to known users.

Slide 12: I/O Entry Point
(The entry-point diagram from slide 9 with the I/O subsystems highlighted.)
Slide 13: Controller I/O Boundary
- Access through the I/O into the process system.
- No real threat, very low risk:
  - Requires physical access to the devices.
  - No real open network access to the controllers.
  - Security is based on preventing physical access.
  - More harm can be done by damaging the devices or wiring.

Slide 14: DeltaV User Access
(The entry-point diagram from slide 9 with user access to the process system highlighted.)
Slide 15: System User Access Points
- All control system user access is done through workstations.

Slide 16: Most Basic Security
- Control user access to the system:
  - Authentication: who are you?
  - Authorization: what can you do?
  - Proper privileges assigned.
Slide 17: Basic Security: Control User Access
- Strict and enforced password policy:
  - Must change default user names or passwords.
  - Unique user names and passwords for all users.
  - User names and passwords kept private.
  - Enforce password time-out.
- All users must prove a requirement for access to the control system nodes, especially remote access.
- Enforced access policy in the security manual.
- The control system administrator controls access.

Slide 18: Physical Security
- Equipment locked away.
- Limit physical access to network ports:
  - Access to controllers
  - Access to computers
  - Access to network components
- Monitor event logs for connections/disconnections.
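The user-access rules on slides 16 and 17 (no default user names, unique credentials per user, enforced password expiry, a documented need for access) are the kind of thing an administrator checks against the workstation account list on a schedule. The audit below is an added example, not Emerson's or DeltaV's own tooling; the inventory, its field names, the default-name list and the 90-day limit are constructed assumptions, not an export from any real system.

```python
"""Audit an account inventory against the user-access rules on slides 16 to
17: no default user names, unique credentials per user, enforced password
expiry, documented need for access.  Added example: the inventory, its field
names, the default-name list and the 90-day limit are constructed assumptions,
not a DeltaV or Windows export."""
from collections import defaultdict
from datetime import date

# Assumed OS defaults that the policy says must be renamed.
DEFAULT_NAMES = {"administrator", "guest", "admin"}
MAX_PASSWORD_AGE_DAYS = 90          # assumed policy value
AUDIT_DATE = date(2006, 5, 15)      # constructed "today" for the sample run

# Constructed inventory.  pw_hash stands for the stored credential; comparing
# hashes only detects shared passwords when the store is unsalted (as NT
# hashes are), so with a salted store this check would need another method.
ACCOUNTS = [
    {"user": "Administrator", "pw_hash": "h1", "last_change": date(2006, 1, 10),
     "role": "admin", "justified": True},
    {"user": "operator1", "pw_hash": "h2", "last_change": date(2006, 4, 20),
     "role": "operator", "justified": True},
    {"user": "operator2", "pw_hash": "h2", "last_change": date(2006, 4, 20),
     "role": "operator", "justified": True},
    {"user": "vendor_remote", "pw_hash": "h3", "last_change": date(2005, 9, 1),
     "role": "engineer", "justified": False},
    {"user": "eng1", "pw_hash": "h4", "last_change": date(2006, 5, 1),
     "role": "engineer", "justified": True},
]


def audit_accounts(accounts, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return (user, finding) pairs for every rule an account violates."""
    users_by_hash = defaultdict(list)
    for a in accounts:
        users_by_hash[a["pw_hash"]].append(a["user"])

    findings = []
    for a in accounts:
        user = a["user"]
        if user.lower() in DEFAULT_NAMES:
            findings.append((user, "default user name still in use"))
        others = [u for u in users_by_hash[a["pw_hash"]] if u != user]
        if others:
            findings.append((user, "password shared with " + ", ".join(others)))
        age = (today - a["last_change"]).days
        if age > max_age_days:
            findings.append((user, f"password {age} days old, exceeds {max_age_days} days"))
        if not a["justified"]:
            findings.append((user, "no documented requirement for access"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, AUDIT_DATE):
        print(f"{user:15} {finding}")
```

On the constructed inventory the run reports the unrenamed Administrator account, the operator pair sharing one password, the two stale passwords and the remote vendor account with no documented access requirement; a clean inventory returns an empty list, which is the condition the security manual's access policy expects.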
Slide 19: Virus Prevention
(Diagram of workstations with the e-mail and WWW paths crossed out.)
- Disable floppy and CD drives.
- Unplug front-panel USB ports.
- No e-mail or internet access.
- Run an anti-virus scanner and stay current.
- Very limited or no connection to the outside LAN from an operator workstation.
- Lock down the workstations.
- Not every workstation should be connected.

Slide 20: Anti-Virus Strategy
- Install an anti-virus scanner on each workstation.
- Set up for real-time scanning per the vendor's instructions.
- Manage and distribute new signatures from a specific node on the control LAN.
- New signatures should be obtained from a secure node within the plant or installed manually.
- See the vendor anti-virus papers for details.
Slide 21: Microsoft Security Bulletins: Security Patch Management
- The supplier reviews every security bulletin (Microsoft releases them on the second Tuesday of each month).
- Results are published on the supplier's website; if a patch is not deployed, the reason is documented.
- Goal: certify within 7 business days, with phased deployment based on the release; more complex patches may take longer.
- Test results are published in Knowledge Base articles, with instructions on how to deploy.
- You must install the tested and approved patches.

Slide 22: Network Entry Points
(The entry-point diagram from slide 9 with the system network equipment and external network highlighted.)
Slide 23: Control Network Device Access
(Diagram of a non-control LAN wired straight into a control LAN network device, crossed out.)
- Unsupported: a direct connection to the control LAN network devices violates the security design.

Slide 24: Network Access Points
(The entry-point diagram from slide 9 with the external network connection highlighted.)
Slide 25: Communications Access Points
- All network communications into and out of the process system must come through a workstation protected by a network router/firewall.

Slide 26: Securing Connections
- This is the minimum requirement to secure the interconnection.
- A router/firewall device must be used between the process system and the external network.
- Create a demilitarized zone (DMZ) using the router/firewall and the workstation.
(Diagram: remote access PC and plant or other external LAN connect to the DMZ, which connects to the process system.)
Slide 27: More Secure Interface Solution
- System access vs. data access.

Slide 28: Data Access vs. System Access
- Data access: the user needs to see information.
  - Trends, real-time values or calculations.
  - Web server or other web-type access.
  - An interposing database is inherently view-only.
- System access: the user needs to be on the process system.
  - Maintenance, engineering, operation.
  - Different activities from simple data access.
- Either access type should require authentication and authorization steps.
Slide 29: Sneak Attack
(Diagram of a business laptop used as a workstation, with its plant LAN connections crossed out: infected?)
- If you use a laptop as a workstation it must be a dedicated PC that is not used for e-mail or WWW surfing.
- Be sure any wireless connections are dedicated and all wired connections are statically IP-addressed to the control system.

Slide 30: Securing Connections + Intrusion Detection
- An intrusion detection system (IDS) is optional.
- The IDS monitors the network by producing logs of the network traffic between systems.
- It provides the data to determine whether the system has been successfully entered by unauthorized users.
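Slides 23 to 26 define the boundary (every flow into or out of the process system terminates on the one firewall-protected workstation in the DMZ; a plant-LAN host wired straight to a control-LAN device is unsupported) and slide 30 says the IDS logs are what you review to find out whether that boundary was crossed. The model below is an added example, not Emerson's or DeltaV's own configuration: the zone addresses, the service port 5000, the flow-log format and the log lines are all constructed assumptions. It encodes the policy as a default-deny decision and then replays constructed flow records through it, which is the check a reviewer of IDS traffic logs would run.

```python
"""Model of the boundary design on slides 23 to 26 and the IDS log review on
slide 30: three zones (plant LAN, DMZ, control LAN), one protected workstation
in the DMZ, default deny everywhere else.  Added example: the addresses, the
service port and the flow-log lines below are constructed assumptions, not
DeltaV settings or real IDS output."""
import ipaddress

# Assumed addressing for the three zones of the diagram on slide 26.
ZONES = {
    "plant": ipaddress.ip_network("10.1.0.0/16"),    # plant or other external LAN
    "dmz": ipaddress.ip_network("10.2.0.0/24"),      # router/firewall + workstation
    "control": ipaddress.ip_network("10.3.0.0/16"),  # process system network
}
# The only host allowed to carry traffic across the boundary (slide 25).
DMZ_WORKSTATION = ipaddress.ip_address("10.2.0.10")
# Assumed service matrix: plant hosts may reach the workstation's web server
# (data access, slide 28); the workstation and control nodes may talk on a
# hypothetical control-system port 5000.  Anything not listed is denied.
ALLOWED_PORTS = {
    ("plant", "dmz"): {443},
    ("dmz", "control"): {5000},
    ("control", "dmz"): {5000},
}


def zone_of(ip):
    """Name the zone an address belongs to, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate_flow(src, dst, dport):
    """Decide one flow against the boundary policy; returns (verdict, reason)."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz and sz != "unknown":
        return "allow", "intra-zone traffic"
    if "unknown" in (sz, dz):
        return "deny", "address outside the defined zones"
    if "dmz" in (sz, dz):
        # Cross-boundary traffic must terminate on the protected workstation,
        # not on the router or any other DMZ host.
        dmz_end = ipaddress.ip_address(dst if dz == "dmz" else src)
        if dmz_end != DMZ_WORKSTATION:
            return "deny", "DMZ traffic does not go through the protected workstation"
    if dport in ALLOWED_PORTS.get((sz, dz), set()):
        return "allow", f"{sz}->{dz} port {dport} is permitted"
    # Covers plant->control directly (slide 23) and any unlisted port.
    return "deny", f"{sz}->{dz} port {dport} is not permitted"


# Constructed flow records in an assumed "src dst dport" format, standing in
# for the traffic logs an IDS would produce (slide 30).
FLOW_LOG = """\
10.1.5.20 10.2.0.10 443
10.2.0.10 10.3.0.5 5000
10.1.5.21 10.3.0.5 5000
10.2.0.10 10.3.0.5 445
192.168.7.9 10.3.0.7 5000
10.3.0.5 10.3.0.6 5000
"""


def audit_flow_log(text):
    """Return the log lines the policy would not have allowed, with reasons."""
    violations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split()
        verdict, reason = evaluate_flow(src, dst, int(dport))
        if verdict == "deny":
            violations.append((line, reason))
    return violations


if __name__ == "__main__":
    for line, reason in audit_flow_log(FLOW_LOG):
        print(f"{line:32} {reason}")
```

Of the six constructed records, three are flagged: a plant host reaching a controller directly (the unsupported connection of slide 23), the workstation using a port the service matrix does not list, and a source address from outside every defined zone, which is what a laptop with a non-static address on the control LAN (slide 29) looks like in the logs. The same decision function is what the router/firewall enforces in advance; running it over the IDS logs afterwards tells you whether anything got past it.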
Slide 31: Summary
- The architecture promotes security:
  - Isolated, self-contained network.
  - Very well-defined access boundary.
  - Creates a DMZ by default when connected to other LANs.
  - Does not need to be connected to other LANs; it is the customer's decision whether and how to connect (trade-off of security vs. access).
  - No run-time access to floppy or CD drives; easy to lock out user access via sneaker-net.
  - Role-based user access: control user actions to the appropriate levels.

Slide 32: We facilitate your security efforts
- Only customers can make the system secure; they decide how secure.
- Analysis of the system: where are the vulnerabilities?
- Rings of protection / defense in depth:
  - Trade off ease of access for protection.
  - Protection layers with security measures within the layers.
  - Make it hard(er) to gain access.
- An ongoing process, not a destination.