Theme 3: Cyber Security - Just How Vulnerable is Your Safety System?

Colin Easton MSc, CEng, FInstMC, MIET, ISA Senior Member
TÜV Rheinland FS Senior Expert PHRA & SIS
6th July 2017
Safety System Security

Safety Systems are now more accessible and open than ever before, due to the increasing use of COTS solutions for networking and HMI purposes. Business needs drive the interconnectivity between OT and IT systems at the same time as we see control and safety system architectures merging. This interconnectivity and merging of systems opens up vulnerabilities in our systems that can be exploited by cyber and physical threats.
Safety System Security

Safety Systems operate in real time to protect our processes. Tampering with them, either intentionally or unintentionally, can lead to:
- Loss of production
- Environmental releases
- Health & Safety consequences

Industrial Automation and Control System (IACS) security is about preventing or mitigating the exploitation of the vulnerabilities in our control and safety systems.
What is the Problem?

- 2010 - Stuxnet: Siemens S7 PLCs accessed for reconfiguration.
- 2012 - Project Basecamp, looking for vulnerabilities in 6 specific IACS devices, found several, including the ability to access PLC configurations and modify them.

These vulnerabilities have been released and are included in publicly available databases for us to identify and protect against threats, but they also enable anyone to find and exploit them.

But not all threats originate from the internet: maintenance activities, software upgrades / patches, remote access, wireless, physical security and unauthorised access are just as big an issue for safety systems.
IEC 62443 Security for IACS

Therefore, the SIS must be secure from both physical and cyber damage as a result of malicious acts or accidental events that would impact on the SIS's ability to maintain its functional and safety integrity on demand. To prevent both physical and cyber damage, the risk reduction must be based on a mix of technical, procedural and managerial protection measures taken from the guidance in IEC 61511, IEC 62443 (ISA99) and ISA TR84.00.09.
Security Risk Assessment - IEC 61511 2nd Ed. Clause 8.2.4

States that an SRA must be carried out to identify the security vulnerabilities of the SIS. The SRA output needs to include:
1. A description of the devices covered by the SRA - what is the scope of the System under Consideration (SuC);
2. A description of the identified threats that could exploit vulnerabilities and result in security events;
3. The potential consequences resulting from the security events and the likelihood of these events occurring;
4. Consideration of vulnerabilities and threats at all of the lifecycle phases;
5. The determination of requirements for additional risk reduction;
6. A description of, or references to information on, the security and compensating measures to be taken to reduce or remove the threats.
A description of the devices covered by the SRA

Clearly document the IACS and associated assets. Gather and organise information such as:
- System architecture diagrams: components, connectivity & location
- Network diagrams: physical construct and assignments
- Devices (Ethernet & IP address)
- Configurations, hardware & software (scan & map tools)
- Identify known vulnerabilities

[Figure: IEC 62443-2-1 example IACS asset table. Columns: IACS Device Asset, Consequence Rating, Likelihood Rating, IACS Device Risk Level. Assets listed: Operator control room HMI, Remote operator Panel, Engineering Workstation, Historian Server, Controller, Pressure Sensor, Valve Positioner, Gateway.]
Security Vulnerability Assessments (the clever stuff)

High-level gap assessment:
- Assessment of existing operational procedures and practices
- Interviews, site audit, review of drawings, sample configurations, questionnaire (the questionnaire could make use of the US ICS-CERT Cyber Security Evaluation Tool)

Passive vulnerability assessment:
- Review of architecture & network drawings, and traffic analysis tools
- Research using vulnerability databases: ICS-CERT, NVD, Nessus

Active vulnerability assessment:
- Active network scanning
- Active vulnerability scanning
- Penetration test (e.g. Metasploit)
Zones and Conduits

Review the system boundaries and break the system down into zones and conduits. The zones and conduits should include assets that will be assumed to require the same Security Level. Then carry out a high-level SRA.

[Figure: ISA-TR84.00.09-2013, Figure A.3, Example Network Security Architecture with Integrated 2 Zone SIS. Components shown include the Internet, enterprise firewall, enterprise web server and WLAN; a Plant DMZ with data historian, maintenance workstation and domain controllers; a control centre with BPCS HMI, BPCS engineering workstation and handheld programmer; the BPCS (control PES, control valve, pump controller, transmitter); and the SIS (SIS-PES, SIS HMI, SIS IAMS, SIS engineering workstation, block valve, transmitter). Field signals are 24 VDC and 4-20 mA.]
A description of the identified threats that could exploit vulnerabilities and result in security events

- Stored data (e.g. history, programs) is intentionally modified or corrupted by an unauthorised individual through local access.
- Malware:
  - unintentionally installed on the control system through a remotely connected computer;
  - intentionally installed on the control system through a remotely connected computer;
  - enters the system through a laptop connected to the control system network;
  - enters the system through infected media (e.g. USB sticks);
  - enters the system through the business network.
- Confidential control system data is intentionally disclosed through local or remote access.
- A network device fails, causing a network storm that impacts system communication.
- A denial of service attack is intentionally launched through remote access.
High-level Risk Assessment Tools

[Figure: IEC 62443-2-1 example tables.]
The potential consequences resulting from the security events and the likelihood of these events occurring

IEC 62443-2-1 example IACS asset table with results:

IACS Device Asset           Consequence Rating   Likelihood Rating   IACS Device Risk Level
Operator control room HMI   A                    Medium              High-Risk
Remote operator Panel       C                    High                Medium-Risk
Engineering Workstation     A                    High                High-Risk
Historian Server            B                    Medium              Medium-Risk
Controller                  A                    Medium              High-Risk
Pressure Sensor             A                    Medium              High-Risk
Valve Positioner            A                    Medium              High-Risk
Gateway                     B                    Low                 Low-Risk
Firewall                    B                    Low                 Low-Risk
The determination of requirements for additional risk reduction

[Figure: Draft IEC 62443-3-2 Security for IACS, workflow diagram to establish zones and conduits.]

Abbreviations: ZCR - Zone & Conduit Requirement; SuC - System under Consideration; PHA - Process Hazard Analysis.
The determination of requirements for additional risk reduction

[Figure: Draft IEC 62443-3-2 Security for IACS (ISA-62443-3-2 draft D6E3, September 2016), workflow diagram for detailed cyber security risk assessment. DRAR - Detailed Risk Assessment Requirement.]

Steps of the workflow, with their inputs and outputs:
- DRAR 1 - Identify threats. Input: historical data and other threat information sources. Output: list of threats.
- DRAR 2 - Identify vulnerabilities. Input: vulnerability assessment, prior audits, vulnerability databases, etc. Output: list of vulnerabilities.
- DRAR 3 - Determine consequences and impact. Input: threats, vulnerabilities, existing PHAs, other risk assessments. Output: assessment of impact.
- DRAR 4 - Determine unmitigated likelihood. Input: lists of threats and vulnerabilities. Output: assessment of likelihood.
- DRAR 5 - Calculate unmitigated cyber security risk. Input: likelihood, impact, corporate risk matrix. Output: assessment of unmitigated cyber security risk.
- DRAR 6 - Determine security level target. Input: corporate risk matrix with tolerable risk. Output: security level target.
- DRAR 7 - Identify and evaluate existing countermeasures. Output: list of countermeasures.
- DRAR 8 - Re-evaluate likelihood and impact. Input: [updated] list of countermeasures. Output: updated likelihood and impact assessment.
- DRAR 9 - Calculate residual risk. Input: updated likelihood, impact and corporate risk matrix. Output: residual cyber security risk.
- DRAR 10 - Are all residual risks at or below tolerable risk? If no, go to DRAR 11; if yes, go to DRAR 12.
- DRAR 11 - Apply additional cyber security countermeasures. Output: updated list of countermeasures (then return to DRAR 8).
- DRAR 12 - Document and communicate results. Output: detailed risk assessment report.
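As an added illustration (not from the slides or from IEC 62443), the following Python walks the DRAR 5 to DRAR 11 loop over the IEC 62443-2-1 example asset table above: the unmitigated risk is read from a corporate risk matrix, countermeasures are applied until the residual risk is at or below tolerable risk, and any asset that cannot be brought within tolerance is flagged. The matrix cells not shown on the slides, the tolerable-risk threshold and the assumption that each countermeasure lowers likelihood by one rank are constructed for this example.

```python
"""Detailed cyber security risk assessment loop (DRAR 5-11), added example.
Risk matrix cells marked 'slide' reproduce the example asset table on the
slides; all other cells, the tolerable risk and the countermeasure effect
are constructed assumptions, not values from IEC 62443."""

LIKELIHOOD = ["Low", "Medium", "High"]
RISK_ORDER = ["Low-Risk", "Medium-Risk", "High-Risk"]

# Corporate risk matrix: consequence rating (A = most severe) x likelihood.
RISK_MATRIX = {
    "A": {"Low": "Medium-Risk",   # constructed
          "Medium": "High-Risk",  # slide: HMI, controller, sensor, positioner
          "High": "High-Risk"},   # slide: engineering workstation
    "B": {"Low": "Low-Risk",      # slide: gateway, firewall
          "Medium": "Medium-Risk",  # slide: historian server
          "High": "High-Risk"},   # constructed
    "C": {"Low": "Low-Risk",      # constructed
          "Medium": "Low-Risk",   # constructed
          "High": "Medium-Risk"},  # slide: remote operator panel
}

# Example asset register, as listed on the slides: (asset, consequence, likelihood).
EXAMPLE_ASSETS = [
    ("Operator control room HMI", "A", "Medium"),
    ("Remote operator Panel", "C", "High"),
    ("Engineering Workstation", "A", "High"),
    ("Historian Server", "B", "Medium"),
    ("Controller", "A", "Medium"),
    ("Pressure Sensor", "A", "Medium"),
    ("Valve Positioner", "A", "Medium"),
    ("Gateway", "B", "Low"),
    ("Firewall", "B", "Low"),
]


def risk_level(consequence, likelihood):
    """DRAR 5 / DRAR 9: read the risk level from the corporate risk matrix."""
    return RISK_MATRIX[consequence][likelihood]


def reduce_likelihood(likelihood, steps=1):
    """Assumed countermeasure effect: lower likelihood one rank, never below Low."""
    return LIKELIHOOD[max(0, LIKELIHOOD.index(likelihood) - steps)]


def assess(assets, tolerable="Medium-Risk", max_measures=2):
    """DRAR 5-11 per asset. Returns (asset, unmitigated, residual, measures, within_tolerance).
    The loop stops when residual risk is tolerable or the countermeasure budget is spent;
    an asset still above tolerance needs consequence reduction or escalation (DRAR 12)."""
    results = []
    for name, consequence, likelihood in assets:
        unmitigated = residual = risk_level(consequence, likelihood)
        current, measures = likelihood, 0
        while RISK_ORDER.index(residual) > RISK_ORDER.index(tolerable) and measures < max_measures:
            measures += 1                          # DRAR 11: add a countermeasure
            current = reduce_likelihood(current)   # DRAR 8: re-evaluate likelihood
            residual = risk_level(consequence, current)  # DRAR 9: residual risk
        results.append((name, unmitigated, residual, measures,
                        RISK_ORDER.index(residual) <= RISK_ORDER.index(tolerable)))
    return results
```

Running `assess(EXAMPLE_ASSETS)` reproduces the unmitigated column of the slide table, and with a budget of one countermeasure the Engineering Workstation (A, High) remains High-Risk, which is the DRAR 10 "no" branch.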
The determination of requirements for additional risk reduction

[Figure: IEC 62443-3-2 example table for mapping Cyber Risk Reduction Factor to Target Security Level.]
Description of information on the security & compensating measures taken to reduce / remove the threats

The countermeasures to address a specific risk will differ depending on the system. For example, different authentication rules will apply for controllers and HMIs. Countermeasures must be documented along with the procedure / guidance for using them.

The IEC 62443 approach is similar to IEC 61508: it identifies control measures that can be used to demonstrate that risk has been reduced, broken down by the requirements of IEC 62443-3-3.
Consideration of vulnerabilities and threats at all of the lifecycle phases

ISA TR84.00.09 Management Process - identifies additional requirements for cyber security, including:
- Clause 5 - Management of FS: inventory of vulnerabilities, risk assessment, security of operation, host protection, patch / upgrade management, confidentiality of cyber security information;
- Clause 8 - Additional requirements for security protection, with potential threats taken from IEC 62443 guidance;
- Clause 9 - To include security countermeasures, and compensating measures for when it is not possible to implement security countermeasures in the SIS;
- Clause 10 - The SRS should have a section dedicated to countermeasures, specifically considering that the countermeasures do not degrade SIS performance such as response time or field devices;
- Clauses 11 & 12 - Additional requirements for when full independence and segregation is not feasible, based on air gap, integrated zone hierarchy and firewalls; the vendor is to supply security concepts that cover the SIS lifecycle;
- Clauses 14 and 15 - Consideration of mechanical integrity and ongoing cyber security;
- Clause 16 - Ongoing cyber security, such as protection during backup and restoration, patches and upgrades, remote access, bypasses and checking of tools;
- Clauses 17 & 18 - Modifications to the SIS-related security countermeasures should follow the MOC programme, and an impact analysis should be carried out to include access control, authorisation and reasons for access, virus checking and control.
Cyber Security - Competency and Training for C&I Engineers

It is critical that C&I Engineers acquire the skill set to be able to communicate and work alongside Cyber Security Specialists.

ISA Europe has introduced the ISA Industrial Cyber Security Certificate Program. This provides practical hands-on training using IACS network hardware, firewalls, switches and Rockwell & Siemens PLCs to work on. The training is tiered to ISA/IEC 62443:
- ISA/IEC 62443 Cyber Security Fundamentals Specialist
- ISA/IEC 62443 Cyber Security Risk Assessment Specialist
- ISA/IEC 62443 Cyber Security Design Specialist
- ISA/IEC 62443 Cyber Security Maintenance Specialist

TÜV Rheinland are also developing a Cyber Security scheme for C&I and FS Engineers that will be introduced in early 2018.
Additional Guidance (UK HSE)

Compliance with OG-0086 will contribute towards a suitable demonstration of compliance with UK H&S legislation and forms part of the cyber security ALARP demonstration for the facility.

OG-0086 Cyber Security for IACS identifies BS EN 61511 as the recognised good practice (RGP). The reference relates to the 2nd Edition Clause 8.2.4 requirements for a Security Risk Assessment (SRA). Both OG-0086 & IEC 61511 reference IEC 62443 as the applicable international standard, as well as ISA-TR84.00.09-2013 Security Countermeasures Related to SIS, as the relevant standards for IACS SRA and implementation.
[Figure: OG-0086 Framework Process for the management of Cyber Security for IACS.]
Framework for Cyber Security

The OG-0086 approach is similar to the US NIST 800 Cyber Security Framework. The UK HSE guiding principles are:
- Protect, detect and respond: it is important to be able to detect possible attacks and respond in an appropriate and timely manner in order to minimise the impacts.
- Defence in depth: no single security countermeasure provides absolute protection, as new threats and vulnerabilities can be identified at any time. To reduce these risks, implementing multiple protection measures in series avoids single point failures.
- Technical, procedural and managerial protection measures: technology is insufficient on its own to provide robust levels of protection.
Summary

- IEC 61511 2nd Edition introduces the requirement for an SRA.
- UK HSE have produced guidance aligned to IEC 62443 and ISA-TR84.00.09.
- The SRA risk matrix should be based on a subset of the Seveso risk matrix to facilitate the ALARP demonstration.
- The asset register can be based on the BOM, I/O schedule and instrument list for the SIS.
- A CSMS gap analysis is required to help reduce systematic failures through procedures.
- EC&I cyber security competence is increasing, but there is still a large gap between process & IT.
Thank you for listening. Any questions?