Securing Plant Operation: The Important Steps


Slide 1: Securing Plant Operation: The Important Steps
Stevens Point, WI, September 24, 2012

Slide 2: Purpose of this Presentation
During this presentation we will:
- introduce the subject of securing your control system and the principles to bear in mind when designing security for a system: Least Privilege, Least Function and Defense in Depth;
- explain the major security controls which should be deployed to your control system as a baseline, e.g. patch management, anti-virus, hardening and system recovery;
- explain the services that ABB offers to help implement a secure environment.

Slide 3: Three Key Issues to Address in System Vulnerability
- Network connectivity: more and more connectivity is desired or even required, and an air gap is not as secure as many imagine.
- Removable media: may be a valid use of the system, but with bad results; restrictions on use; proper procedures for necessary use.
- Users of the system: protection against intentional mischief; training to protect against mistakes and human (social) engineering.

Slide 4: Defense in Depth

Slide 5: Standardization landscape: scope and completeness of selected standards (chart)
The chart positions IEC 62351, NIST 800-53, IEEE P 1686, CPNI, NERC CIP, ISO 27K and ISA 99* by sector (Energy, Industrial Automation, IT), by technical versus management aspects (design details versus details of operations), by relevance for manufacturers versus operators, and by completeness.
* Since the closing of the ESCoRTS project, ISA decided to relabel the ISA 99 standard to ISA 62443 to make the alignment with the IEC 62443 series more explicit and obvious.

Slide 6: Two Important Principles Common to Most Standards
- Principle of Least Privilege: no user should have more rights and permissions than needed to perform his function in the system.
- Principle of Least Function: only the functions needed for the system to accomplish its purpose should be present or enabled in the system.

Slide 7: Example: Least Privilege Considerations
- Is there a real strategy for the membership of groups such as Operators, Engineers and Administrators? Do these groups have wide-ranging permissions? Are personnel routinely added to multiple groups?
- No operator should log onto a control system machine as an administrator.
- No engineering user should log on as an administrator unless there is a need to perform administrative duties and they have this responsibility. Even engineering accounts should have limitations on their rights that restrict them to the activities that are part of their jobs.
- The powerful service account should not be used for any other purpose. Local login should be disabled in the security policy for the service account.

Slide 8: Example: Least Function Considerations
- Is there any software loaded on the system that doesn't need to be there, such as the games that come with default loads of Windows?
- Are any services enabled that don't need to be?
- Are any network ports open that don't need to be?
- Is removable media access required to accomplish the functions of the control system computers?
- Should servers in the system be used as operating screens?
- Perhaps operating workplaces should limit which accounts can log in, based on function.

Slide 9: Network Architecture Considerations
- Is the control system network completely isolated from any other network?
- If connected to another network, does it use a firewall to segregate the networks? Has the firewall been specifically configured for the least access required?
- Is any use of RPC (DCOM) permitted through the firewall, such as for classic OPC? (If so, a tunneling product should be used to eliminate this.)
- Are there any dual-homed hosts in use (one NIC on the control system LAN and one NIC on another network such as the corporate network)?
- Does the ABB control system share a domain controller with any other control system or with an enterprise domain?
- Is wireless in use? If so, does it use secure encryption (WPA Enterprise, RADIUS server, IPsec)?
- Are there any dial-up connections to the system?
- Are there any direct connections, such as an EWS or Historian on the corporate network, bypassing the firewall? (An example is a historian on the corporate network connected to an Infi90 system via a CIU.)
- Are there any remote connections to the system? Do they use a reverse tunneling technology, or are they initiated from outside the firewall? If from outside, do they use VPN?

Slide 10: User Account Policies
- Establish a hierarchy of user accounts (operator, tech, admin, etc.).
- Even an Administrator should not log on as Administrator except to perform those duties.
- Domain-wide policy to enforce password requirements and role association.
- Define remote access security.
- Operator group policy that restricts access to the desktop and applications.
- Shared operator accounts: are they okay by standards such as ISA99 and NERC?

Slide 11: Password Policies
Standard practice today is complex passwords and regular changes, but this may not be possible for some accounts in a process control environment. What about shared operator accounts?

Slide 12: 800xA User Account Model
- User access is controlled by a three-dimensional model: Person x Object x Function.
- Role-based access is implemented: the system restricts access according to the user and user role configuration. For example, the Operator role can acknowledge alarms.
- Security can be further defined for an individual user on a process section basis or even on an individual tag basis. For example, Unit 1 operators can acknowledge alarms only for Unit 1.
- All accesses and changes to the 800xA system and data are logged and tracked in the audit trail.
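The Person x Object x Function check from slide 12, carried through as an added illustrative model with an audit trail of every decision. This is example code, not 800xA's own implementation; the role names, the "Plant/Unit1/..." object paths and the class and function names are assumptions.

```python
"""Illustrative three-dimensional access check (Person x Object x Function).

Added example modelled on slide 12, not 800xA code. Roles, object paths and
names below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> functions that role may perform (constructed example roles).
ROLE_FUNCTIONS = {
    "Operator": {"ack_alarm", "change_setpoint", "view"},
    "Engineer": {"view", "modify_control_logic"},
    "Viewer": {"view"},
}


@dataclass
class Person:
    name: str
    roles: set
    # Object scope: set of object-path prefixes (process sections or single
    # tags) the person may act on. Empty set means plant-wide, no restriction.
    scope: set = field(default_factory=set)


@dataclass
class AuditEntry:
    when: str
    person: str
    obj: str
    function: str
    allowed: bool
    reason: str


class AccessModel:
    def __init__(self):
        self.audit_trail = []

    def _in_scope(self, person, obj):
        if not person.scope:
            return True
        # Match on a whole path component so "Plant/Unit1" does not also
        # grant "Plant/Unit10/...".
        return any(obj == p or obj.startswith(p + "/") for p in person.scope)

    def check(self, person, obj, function):
        """Decide whether person may perform function on obj; log every decision."""
        if not any(function in ROLE_FUNCTIONS.get(r, set()) for r in person.roles):
            allowed, reason = False, "function not granted by any role"
        elif not self._in_scope(person, obj):
            allowed, reason = False, "object outside the person's section/tag scope"
        else:
            allowed, reason = True, "role grants function within scope"
        self.audit_trail.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), person.name, obj,
            function, allowed, reason))
        return allowed


if __name__ == "__main__":
    model = AccessModel()
    unit1_op = Person("op1", {"Operator"}, {"Plant/Unit1"})
    engineer = Person("eng1", {"Engineer"})
    model.check(unit1_op, "Plant/Unit1/TIC101", "ack_alarm")   # allowed
    model.check(unit1_op, "Plant/Unit2/TIC201", "ack_alarm")   # denied: scope
    model.check(engineer, "Plant/Unit2/TIC201", "ack_alarm")   # denied: role
    for entry in model.audit_trail:
        print(entry)
```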

Slide 13: Services
- A required services list is published for each product.
- Services are programs that start without user intervention.
- They can be configured to start automatically, manually or not at all.
- The account that starts the program can be configured.

Slide 14: Securing Removable Media
Why secure removable media? June 2010: Stuxnet, which spread via infected removable USB media, is discovered. It is the first malware to include a PLC rootkit.
Methods:
- First line of defense: physical restriction to computers plus BIOS protection.
- Second line of defense: physical locks on available ports.
- Third line of defense: deny OS access to removable media using Group Policy or a 3rd-party solution.

Slide 15: Securing Removable Media: Methods
- Hardware locks (samples shown).
- BIOS protection from booting off a USB device.
- Microsoft Group Policy (Group Policy Management Console).
- 3rd-party endpoint protection: several free and paid 3rd-party utilities.

Slide 16: Securing Removable Media: Control Access Using a Hardware Lock Mechanism
Always restrict physical access to the machines as much as possible, even if USB locks are used!
Two types of locking mechanisms: effective (secure locking) versus cosmetic (dust protection, child-proof locking).

Slide 17: Patch Management
- Patch management: must be certain that no change to the system will adversely affect operation. Patches must be kept current within 30 days. (NERC CIP-007, ISA TR99.02.03)
- Ports and services: those required for the applications must be identified, and only those ports and services may be enabled. (NERC CIP-007, ISA 99.03 SR 7.6, 7.7)
- Account management: authentication and accountability required, principle of least privilege, security audit trail, periodic review, password policies, personnel changes. (NERC CIP-007, ISA 99.03 SR 1.1, 1.2, 6.2)

Slide 18: Security Updates: Patch Management
- Which updates are validated for my system?
- Where do I get the updates?
- How do I install the updates?

Slide 19: Which updates are validated for my system?
Find the validated update document for your products at: http://solutionsbank.abb.com

Slide 20: Where do I get the updates?
- Subscribe to Sentinel: update documentation can be retrieved from Solutionsbank.
- New add-on service for Sentinel subscribers: Sentinel subscribers can receive a Security Update CD in the mail as each is released. These update CDs currently only support 800xA 5.0 and 5.1 systems, but other systems are being considered for inclusion.

Slide 21: Download from Solutionsbank
As the updates are validated and compiled for the Security Update CD, they are also made available as a download in Solutionsbank.

Slide 22: Automatic Downloads with WSUS
Using WSUS services from Microsoft, all updates can be downloaded, approved by you based on the ABB Validated Update document, and installed to all nodes in your system using the built-in Windows Update feature.

Slide 23: Manual Downloads
ABB validated updates can also be downloaded manually, directly from the validated update document. Each update listed in the document includes a hyperlink to Microsoft's TechNet update site.

Slide 24: How do I install the updates?
Generally the procedure to install the updates depends on how you got them.
- If you received the CD in the mail, all you need to do is perform a maintenance stop on the node you want to install to and insert the CD. The security update installation window will appear, prompting you to begin the install. After all of the updates have installed, reboot the node to restart all of the ABB services.
- If you downloaded the update file from Solutionsbank, unzip the file and burn it to a CD; the procedure is then the same as above. You can also copy the files to a USB flash drive or a network share and run the install from there.
- If you manually downloaded the files, either from the links in the update document or by another manual process, the files need to be installed individually. It is possible to automate the installation by creating a batch file to install the updates.
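An added example (not an ABB tool) that ties slides 17 to 24 together: it compares each node's installed hotfixes with a validated-update list, flags updates missing for longer than the 30-day window and any hotfix installed without validation, and generates the per-node install lines for the batch file mentioned on slide 24. The KB numbers, dates, node names, the `D:\Updates` path and the `<KB>.msu` file naming are constructed placeholders.

```python
"""Validated-update compliance check for control system nodes.

Added example, not ABB's own tool. All KB numbers, dates, hostnames and
paths are constructed placeholders, not taken from a real validated update
document.
"""
from datetime import date

# Constructed validated-update document: KB id -> date ABB validated it.
VALIDATED_UPDATES = {
    "KB1000001": date(2012, 7, 10),
    "KB1000002": date(2012, 8, 14),
    "KB1000003": date(2012, 9, 11),
}

# Constructed per-node inventory of installed hotfixes, e.g. exported from
# "wmic qfe list" or Get-HotFix on each node.
INSTALLED = {
    "AS01": {"KB1000001", "KB1000002", "KB1000003", "KB1000099"},
    "CS02": {"KB1000001", "KB1000002"},
    "CS03": {"KB1000001"},
}

MAX_AGE_DAYS = 30                 # "kept current within 30 days" (slide 17)
AS_OF = date(2012, 9, 24)         # constructed "today" for the example run


def patch_gaps(installed, validated, today, max_age_days=MAX_AGE_DAYS):
    """Return {node: {"missing": [...], "overdue": [...], "unvalidated": [...]}}.

    missing     validated updates not installed on the node
    overdue     the subset of missing whose validation date is older than
                max_age_days (a NERC CIP-007 style deviation)
    unvalidated hotfixes present on the node but absent from the validated
                list; these need review because they were never validated
    """
    report = {}
    for node, kbs in installed.items():
        missing = sorted(kb for kb in validated if kb not in kbs)
        overdue = [kb for kb in missing
                   if (today - validated[kb]).days > max_age_days]
        unvalidated = sorted(kb for kb in kbs if kb not in validated)
        report[node] = {"missing": missing, "overdue": overdue,
                        "unvalidated": unvalidated}
    return report


def compliant_nodes(report):
    """Nodes with no overdue validated update (unvalidated extras are
    reported separately for review, not counted here)."""
    return sorted(n for n, r in report.items() if not r["overdue"])


def install_commands(node, report, update_dir=r"D:\Updates"):
    """Lines for a per-node batch file installing the missing updates.

    Assumes each update was saved as <KB>.msu under update_dir (a naming
    convention chosen for this example). wusa.exe's /quiet /norestart flags
    are real; run this during a maintenance stop and reboot afterwards so the
    ABB services restart, as slide 24 describes.
    """
    return [f"wusa.exe {update_dir}\\{kb}.msu /quiet /norestart"
            for kb in report[node]["missing"]]


if __name__ == "__main__":
    rep = patch_gaps(INSTALLED, VALIDATED_UPDATES, AS_OF)
    for node, r in rep.items():
        print(node, r)
    print("compliant:", compliant_nodes(rep))
    print("\n".join(install_commands("CS03", rep)))
```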

Slide 25: Example References: Recovery Plans for Critical Cyber Assets
- Recovery plans must be documented, including who is responsible.
- Plans must be tested at least annually, including walking through a simulated loss and recovery.
- These plans are not limited to backing up software, but may include recording configuration settings, etc.
- Backups can be made without affecting normal plant operation; the system shall support automating this function.
- Software backup media must be tested.
(NERC CIP-009, ISA99.03 SR 7.3)

Slide 26: Question: What type of backups do I need to make?

Slide 27: Answer: What type of failure are you going to have?

Slide 28: Software Backup Strategies
- Application backups
- Disk image backups
- Active Directory backups
- Domain controller backups
- Scheduling considerations
- Verifying backups

Slide 29: Application backups vs. image backups: Application Backups
- Back up specific data and configuration for an application or project.
- Great for restoring pieces of lost information; useful for replacing corrupt files.
- Only needed as often as the data changes.
- Not OS- or hardware-specific, but usually version-specific.
- Does not back up the application itself.
- Great for upgrades.

Slide 30: Application backups vs. image backups: Disk Images
- Full sector-by-sector image of the entire drive or partition.
- Great for reloading the entire disk or computer; fastest recovery method for a failed hard drive.
- Useful for creating off-line virtual systems for troubleshooting issues.
- Regulatory compliance for testing backups can be met through virtualization.
- File and folder information can be restored by mounting the image as a drive.

Slide 31: Services to help secure the system
- Security Support Services
- Software Backup Services
- Patch Management Services
- Change Management and Security Logging
These services are available for Microsoft Windows based systems: 800xA (all connectivity options), Symphony Process Portal B, Conductor NT, and Conductor VMS clients.

Slide 32: Security Support Services Solutions
- Audits and policy validation
- Compatibility testing
- System hardening and policy implementation
- Documentation and training
- Consulting

Slide 33: ABB Cyber Security Audit and Hardening Services

Slide 34: Regulatory and Standards Considerations
- ABB bases our recommendations and service offerings on internationally recognized principles and best practices.
- Regulations are the key element driving some market segments and help define our programs. Examples: NERC CIP (has force of law in the US); OLF Guideline 104 (best practice widely adopted in the oil and gas industry).
- Existing and emerging standards help define what steps are taken. Examples: ISA99, ISO 27002, NIST 800-53.

Slide 35: Standardization landscape: scope and completeness of selected standards (the chart from Slide 5 is shown again, with the same ISA 99 / ISA 62443 footnote)

Slide 36: Services and Ports
- A very important step for securing computers is to eliminate unneeded services and network ports.
- Services and ports are audited to record their current state and are compared to the ABB required services documentation.
- Any required third-party services are reviewed.
- All others are disabled or uninstalled.
- This reduces the functions exposed by the computer.
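The audit step from slides 13 and 36 (record the current services, compare with the required services documentation, review approved third-party extras, and disable the rest) as an added example; it is not ABB's audit tool. The service names, start modes, accounts and the `CORP\svc_800xa` account below are constructed placeholders, not ABB's required services list.

```python
"""Audit a node's Windows services against a required-services baseline.

Added example, not an ABB tool. Service names, start modes and accounts are
constructed placeholders.
"""

# Constructed baseline in the shape of a required services document.
# start: "auto" | "manual" | "disabled"; account: the logon account required.
REQUIRED_SERVICES = {
    "AbbAspectDirectory": {"start": "auto", "account": "CORP\\svc_800xa"},
    "AbbAfwService": {"start": "auto", "account": "CORP\\svc_800xa"},
    "W32Time": {"start": "auto", "account": "LocalSystem"},
    "RemoteRegistry": {"start": "disabled", "account": "LocalService"},
}

# Third-party services accepted after review (slide 36, constructed).
APPROVED_THIRD_PARTY = {"AvAgent"}

# Constructed current state of one node, as exported from Win32_Service
# (e.g. "wmic service get Name,StartMode,State,StartName").
CURRENT_STATE = [
    {"name": "AbbAspectDirectory", "start": "auto", "state": "running", "account": "CORP\\svc_800xa"},
    {"name": "AbbAfwService", "start": "manual", "state": "stopped", "account": "CORP\\svc_800xa"},
    {"name": "RemoteRegistry", "start": "auto", "state": "running", "account": "LocalService"},
    {"name": "AvAgent", "start": "auto", "state": "running", "account": "LocalSystem"},
    {"name": "Telnet", "start": "auto", "state": "running", "account": "LocalSystem"},
    {"name": "Spooler", "start": "manual", "state": "stopped", "account": "LocalSystem"},
]

# sc.exe spells the start types differently from the WMI export.
SC_START = {"auto": "auto", "manual": "demand", "disabled": "disabled"}


def audit_services(current, required, approved_extra=frozenset()):
    """Return a list of (service, kind, detail) findings.

    kind is one of: start_mode, account, not_required, missing.
    """
    findings, seen = [], set()
    for svc in current:
        name = svc["name"]
        seen.add(name)
        if name in required:
            want = required[name]
            if svc["start"] != want["start"]:
                findings.append((name, "start_mode",
                                 f"is {svc['start']}, required {want['start']}"))
            if svc["account"] != want["account"]:
                findings.append((name, "account",
                                 f"runs as {svc['account']}, required {want['account']}"))
        elif name in approved_extra:
            continue  # reviewed third-party service, left as is
        elif svc["start"] != "disabled":
            findings.append((name, "not_required",
                             "not in required list: disable or uninstall"))
    for name in required:
        if name not in seen:
            findings.append((name, "missing", "required service not installed"))
    return findings


def remediation_commands(findings, required):
    """sc.exe lines that bring start modes in line with the baseline.

    Account and missing-service findings are left for manual review because
    they need credentials or an installer, not a one-line fix.
    """
    cmds = []
    for name, kind, _ in findings:
        if kind == "start_mode":
            cmds.append(f"sc config {name} start= {SC_START[required[name]['start']]}")
        elif kind == "not_required":
            cmds.append(f"sc stop {name}")
            cmds.append(f"sc config {name} start= disabled")
    return cmds


if __name__ == "__main__":
    found = audit_services(CURRENT_STATE, REQUIRED_SERVICES, APPROVED_THIRD_PARTY)
    for f in found:
        print(f)
    print("\n".join(remediation_commands(found, REQUIRED_SERVICES)))
```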

Slide 37: Additional Security Principles Reviewed, Recommendations Made
- Physical restriction to interfaces
- Removable media policies and settings
- BIOS boot settings and configuration passwords
- Security policy administration: principle of least privilege, use of shared accounts, standards for desktop lockdown
- Auditing of security events
- Reporting of patch management and antivirus deficiencies
- Network architecture considerations

Slide 38: Reporting
- Detailed reporting provides an easy-to-interpret summary.
- It also provides details of discrepancies with the customer's own policy or ABB secure default policies.
- It provides recommendations to correct deficiencies.

Slide 39: Reporting

Slide 40: Reporting

Slide 41: Security Support Services: System Hardening and Policy Implementation
User roles, access control and workstation hardening:
- Establish a hierarchy of user accounts (operator, tech, admin, etc.).
- Domain-wide policy to enforce password requirements and role association.
- Define remote access security.
- Operator group policy that restricts access to the desktop and applications.
Provide hardening services as applicable:
- Close unnecessary ports.
- Disable non-essential services.

Slide 42: Security Support Services: System Hardening and Policy Implementation
- Schedule appropriate time for implementation. Often changes can be made with no impact on operations, but an attitude of caution may be prudent depending on the process.
- Software upgrades and major system changes may be recommended if operating systems are obsolete. Depending on the changes, an outage may be required, e.g. if software upgrades are required.
- Implement changes on site: configuration with firewall and other mechanisms. Most changes can be made with group policies if the system is in a domain.
- Final test of all changes in the operating environment.
- Prepare final report of as-delivered changes.

Slide 43: Security Support Services: Consulting and on-going compliance support
The system is likely to fall out of compliance over time as a result of:
- intentional or unintentional changes;
- replacements of PCs;
- software reloads, upgrades, etc.;
- new threats.
Periodic audits ensure correct settings. Discussions with the plant personnel responsible for the program make sure the program is meeting their needs.

Slide 44: Security Support Services: Consulting and on-going compliance support
- Provide training as turnover of security-responsible personnel occurs in the plant.
- Create procedure documents for loading computers with the correct security policy settings.
- Implement policy requirements for new equipment added to the plant or for any replacements shipped to the plant.
- Implement a secure remote connection to your system: for remote support from ABB (see our remote-enabled services demonstration in the US Services exhibit), and for your own use to securely connect to the system from a remote location.

Slide 45: Software Backup Services: Purposes
- A service to safeguard the data and configuration of the system against loss.
- A service to enable rapid recovery from a computer device failure.
- A service to maintain the data needed in the process of an upgrade of the applications.
- A service that verifies system recovery data is valid.
- A service to help in meeting regulatory requirements such as NERC CIP regulations regarding disaster recovery.

Slide 46: Software Backup Services: Features
- Hard drive imaging to a central server.
- Configuration backups in addition to imaging.
- Customized scheduling and scripting to automate the update of images.
- ABB-tested bandwidth and CPU utilization to avoid performance problems.
- Full domain integration.
- Backup image testing.
- Restoration training.

Slide 47: Patch Management Services: Software updates
- Update ABB control system applications.
- Install MS operating system hotfixes and patches as applicable.
- Submit summary report with as-hardened baseline.
- Prepare patch management process documentation.
- Option for quarterly or semi-annual return service for updating.
- Option for installation of an update server for automating roll-out of Windows security patches.

Slide 48: Patch Management Services: Anti-Virus / Malware Protection
- Load and configure antivirus in accordance with ABB guidelines for application performance.
- Update the virus scan engine.
- Load current definition files.
- Configure an automated scan schedule.
- Submit summary report.
- Option for installation of an update server for automating anti-virus updates.

Slide 49: Security Solutions: Secure Remote Access
- Connection to the corporate network via a router with firewall or DMZ.
- Allows for remote diagnostics for control system support.
- Can support WSUS (Windows Update) and anti-virus updates.
- Allows for remote operator and engineering clients, secured as read-only.
- Configured for off-site operation and maintenance.

Slide 50: Service Environment: Cyber Security Service Portfolio
- Risk assessment: create asset register; criticality classification.
- Support security policy creation.
- Support creation of a security organization.
- Gap analysis and services design.
- Infrastructure for services delivery.
- Maintenance of system recovery plan.
- User management.
- ABB Remote Monitoring and Operations Room.
- Anti-virus management.
- Microsoft patch management.
- System backup/restore management.
- NIDS/HIDS management.
- Virus removal.

Slide 51: ABB Group