Process System Security. Process System Security

Similar documents
TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

ANATOMY OF AN ATTACK!

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

Symantec Client Security. Integrated protection for network and remote clients.

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Simple and Powerful Security for PCI DSS

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Client Computing Security Standard (CCSS)

AUTHORITY FOR ELECTRICITY REGULATION

An Overview of ISA-99 & Cyber Security for the Water or Wastewater Specialist

GUIDE. MetaDefender Kiosk Deployment Guide

HikCentral V1.3 for Windows Hardening Guide

HikCentral V.1.1.x for Windows Hardening Guide

LESSONS LEARNED IN SMART GRID CYBER SECURITY

K12 Cybersecurity Roadmap

Cyber Security. Our part of the journey

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

CIS Controls Measures and Metrics for Version 7

Information Security Controls Policy

CIS Controls Measures and Metrics for Version 7

Functional. Safety and. Cyber Security. Pete Brown Safety & Security Officer PI-UK

CompTIA Security+(2008 Edition) Exam

DeltaV Remote Client. Introduction. Remote engineering and operator consoles. View Multiple DeltaV Systems from a single workstation

Online Services Security v2.1

Payment Card Industry (PCI) Data Security Standard

5. Execute the attack and obtain unauthorized access to the system.

Securing Industrial Control Systems

During security audits, over 15,000 vulnerability assessments are made, scanning the network IP by IP.

IC32E - Pre-Instructional Survey

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

Mark Littlejohn June 23, 2016 DON T GO IT ALONE. Achieving Cyber Security using Managed Services

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

Securing the Smart Grid. Understanding the BIG Picture 11/1/2011. Proprietary Information of Corporate Risk Solutions, Inc. 1.

Who Goes There? Access Control in Water/Wastewater Siemens AG All Rights Reserved. siemens.com/ruggedcom

HIPAA Assessment. Prepared For: ABC Medical Center Prepared By: Compliance Department

SECURITY PRACTICES OVERVIEW

Cyber Essentials Questionnaire Guidance

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Security Standards for Electric Market Participants

2. INTRUDER DETECTION SYSTEMS

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Children s Health System. Remote User Policy

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

CS 356 Operating System Security. Fall 2013

Mobility, Security Concerns, and Avoidance

Chapter 9. Firewalls

DeltaV Remote Client. Introduction. Remote engineering and operator consoles. View Multiple DeltaV Systems from a single workstation

CSE 565 Computer Security Fall 2018

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

RIPE RIPE-17. Table of Contents. The Langner Group. Washington Hamburg Munich

Cyber Security for Process Control Systems ABB's view

COMPUTER NETWORK SECURITY

Security analysis and assessment of threats in European signalling systems?

Campus Network Design

Changing face of endpoint security

NEN The Education Network

T22 - Industrial Control System Security

BeOn Security Cybersecurity for Critical Communications Systems

Firewalls (IDS and IPS) MIS 5214 Week 6

Converged World. Martin Capurro

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

ClearPath OS 2200 System LAN Security Overview. White paper

Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group

Industrial Defender ASM. for Automation Systems Management

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

IPM Secure Hardening Guidelines

Lindström Tomas Cyber security from ABB System 800xA PA-SE-XA

4 Information Security

PCI DSS Compliance. White Paper Parallels Remote Application Server

Securing Plant Operation The Important Steps

IPC2018 Industrial PC (IPC) Secure Deployment Guide

ASA/PIX Security Appliance

How can I use ISA/IEC (Formally ISA 99) to minimize risk? Standards Certification Education & Training Publishing Conferences & Exhibits

Industry Best Practices for Securing Critical Infrastructure

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

QuickBooks Online Security White Paper July 2017

Is Your Information Safe? Presented by: Jake Gibson IT Director, Eurofins

Cyber Security Requirements for Electronic Safety and Security

SIMATIC. Process Control System PCS 7 Symantec Endpoint Protection 11.0 Configuration. Using virus scanners 1. Configuration 2. Commissioning Manual

Cyber security tips and self-assessment for business

SIMATIC. Process Control System PCS 7 V7.0 SP1 Security Information Note: Setting up antivirus software. Preface. Using virus scanners 2

Practical SCADA Cyber Security Lifecycle Steps

Addressing PCI DSS 3.2

The Information Age has brought enormous

Carbon Black PCI Compliance Mapping Checklist

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

CompTIA E2C Security+ (2008 Edition) Exam Exam.

Computer Security: Cyber Essentials KAMI VANIEA 1

Trend Micro. Apex One as a Service / Apex One. Best Practice Guide for Malware Protection. 1 Best Practice Guide Apex One as a Service / Apex Central

Configuring BIG-IP ASM v12.1 Application Security Manager

Technology Security Failures Common security parameters neglected. Presented by: Tod Ferran

CyberP3i Course Module Series

Network Security and Cryptography. 2 September Marking Scheme

EVALUATING HOW AN OPERATOR HAS EFFECTIVELY IMPLEMENTED CYBER- SECURITY POLICIES TO MANAGE AND ADMINISTER THE SYSTEM. Wurldtech Security Technologies

ETSI TR V1.1.1 ( )

Perspectives on Threat

Transcription:

Roel C. Mulder Business Consultant Emerson Process Management Sophistication of hacker tools, May 2006, Slide 2

Risk Assessment A system risk assessment is required to determine security level Security level varies by consequences of successful attack Hazardous process or product Location of plant Critical Infrastructure process are you a target? Security level varies by chance of attack Isolated control system Highly interconnected system Risk Assessment ISA SP99 report 2 can help, May 2006, Slide 3 Develop a System Security Policy Leverage off the corporate policy, must be modified to fit Process System situation Cannot use standard IT policy User Access management Patch management /Anti Virus management Physical Access to equipment Software Installation Three elements of system security Physical access User Acces Network Isolation, May 2006, Slide 4

IT and Control System Security Security goals are different Information Technology Performance and data integrity most important Example: Can t lockout operator after 3 misspelled passwords Process Control Human and plant safety primary responsibility, May 2006, Slide 5 Rings of Protection Defense in Depth A security method that provides additional protection within the security layers of the rings Physical example guard dogs in between fences Network example Anti-virus software on the protected network, May 2006, Slide 6

Basic Security Solution Define system boundary and control access to the system across this boundary Control Network Access Access to the system from outside LANs Control User Access Who is allowed in and what can they do Control Physical Access Access to equipment is secured, May 2006, Slide 7 Control System Boundary Control System boundary Protection = control access across the system boundary, May 2006, Slide 8

Entry Points to the system CD, Floppy, USB System Network Equipment I/O Subsystems External Network Control System Boundary Modem connection, May 2006, Slide 9 Control Security Philosophy One Way in well guarded and protected, May 2006, Slide 10

Modem Connection For Process Systems this is only used for remote troubleshooting (with PCAnywhere). Should be disconnected when not in use Setup as a dial-back connection only to known users, May 2006, Slide 11 I/O Entry Point CD, Floppy, USB System Network Equipment I/O Subsystems External Network Control System Boundary, May 2006, Slide 12

Controller I/O Boundary Access through the I/O into the Process System No real threat very low risk Requires physical access to devices No real open network access to controllers Security based on preventing physical access More harm can be done by damaging the devices or wiring, May 2006, Slide 13 DeltaV User Access User Access Process System Network Equipment I/O Subsystems External Network Control System Boundary, May 2006, Slide 14

System User Access Points All Control System user access is done through Workstations, May 2006, Slide 15 Most Basic Security Control user access to the system Authentication who are you Authorization - what can you do Proper privileges assigned, May 2006, Slide 16

Basic Security Control User Access Strict and enforced password policy Must change default user names or passwords Unique user names and passwords for all users User names and passwords kept private Enforcing password time out All users must prove requirement for access to the Control System nodes esp. remote access Enforced access policy in security manual Control system administrator controls access, May 2006, Slide 17 Physical Security Equipment locked away Limit physical access to network ports: Access to controllers Access to computers Access to network components Monitor event logs for connections/disconnections, May 2006, Slide 18

Virus Prevention X X Email WWW X X X Disable floppy and CD drives Unplug front panel USB ports No e-mail or internet access Run Anti-virus scannerstay current Very limited or no connection to outside LAN from an Operator Workstation Lock down the Workstations Not every workstation should be connected, May 2006, Slide 19 Anti-Virus Strategy Install anti-virus scanner on each workstation Setup for real-time scan per vendor instructions Manage and distribute new signatures from a specific node on the Control LAN New signatures should be obtained from a secure node within the plant or installed manually See vendor Anti-virus papers for details, May 2006, Slide 20

Microsoft Security Bulletins Security Patch management Supplier reviews every security bulletin Releases second Tue of each month from Microsoft Results published on Suppliers Website If not deployed the reason is documented Goal to certify within 7 business days Phased deployment based on release More complex patches may take longer Test Results published in Knowledge Base Articles Instructions on how to deploy You must install the tested and approved patches, May 2006, Slide 21 Network Entry Points CD, Floppy, USB Process System Network Equipment I/O Subsystems External Network Control System Boundary, May 2006, Slide 22

Control Network Device Access X Non-Control LAN Unsupported Direct connection to the Control LAN network devices violates the security design, May 2006, Slide 23 Network Access Points CD, Floppy, USB Process System Network Equipment I/O Subsystems External Network Control System Boundary, May 2006, Slide 24

Communications Access Points All network communications into and out of the Process system must come through a workstation protected by a network router/firewall, May 2006, Slide 25 Securing Connections This is a minimum requirement to secure the interconnection A router/firewall device must be used between the process system and the external network Create a Demilitarized Zone (DMZ) using the router/firewall and workstation Remote access PC Plant or other external LAN DMZ, May 2006, Slide 26

More Secure Interface Solution System access vs Data access, May 2006, Slide 27 Data Access vs System Access Data Access User needs to see information Trends, real time or calculations WebServer or other web type access Interposing database inherently view only System Access User needs to be on the Process system Maintenance, engineering, operate Different activities from simple data access Either access type should require authentication and authorization steps, May 2006, Slide 28

Sneak Attack X Business Laptop as workstation X X Plant LAN Connections Infected? If you use a laptop as a Workstation it must be a dedicated PC that is not used for email or www surfing. Be sure any wireless connections are dedicated and all wired connections are static IP addressed to the Control System, May 2006, Slide 29 Securing Connections + Intrusion Detection Intrusion Detection System (IDS) is optional IDS monitors network by producing logs of network traffic between systems Provides data to determine if system has been successfully entered by unauthorized users, May 2006, Slide 30

Summary Architecture promotes security Isolated network self-contained Very defined access boundary Creates a DMZ by default when connected to other LANs Does not need to be connected to other LANs Customer decision to connect and how to connect Trade off of security vs access No run-time access to floppy or CD drives Easy to lock out user access via sneaker-net Role based user access Control user actions to appropriate levels, May 2006, Slide 31 We facilitate your security efforts Only customers can make the system secure They decide how secure Analysis of system where are the vulnerabilities Rings of protection/defense in Depth Trade off ease of access for protection Protection layers with security measures within the layers Make it hard(er) to gain access On going process not a destination, May 2006, Slide 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback