Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

Insert Photo Here

Rockwell Automation

Process Solutions User Group (PSUG)

November 14-15, 2011

Chicago, IL – McCormick Place West

Roadmaps to Securing

Industrial Control

Systems

Mark Heard

Eastman Chemical Company

Presenter

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

Mark Heard, Eastman Chemical Company

• Recovering Control System Engineer

• Experience with several kinds of automation systems, especially networking with other plant systems

• General interest in security and admin issues for ICS

Work on Eastman Cybersecurity teams

• Process Control Network Security, 2003-

• Network Segmentation, 2004-

• Cybersecurity Vulnerability Assessment, 2005-

• Process Automation Systems Authentication, 2006-

• Systems Integrity, 2008-

• IT Security Team 2011-

Working with ISA S99, ACC Cybersecurity Program (formerly

through ChemITC and CIDX) since 2002

What is an ICS Security Roadmap?

A structured set of priorities, milestones and goals which address security requirements specific to Industrial Control Systems (ICS), over a 10 year timeframe

Published Roadmaps

Energy Sector (revised Sep-11)

“The 2011 Roadmap takes the necessary steps to strengthen the security and reliability of our country’s electric grid, in a climate of increasingly sophisticated cyber incidents.”

“This update marks a continued effort by public and private energy sector stakeholders to reduce cyber vulnerabilities that could disrupt the nation's ability to deliver power and energy.”

Published Roadmaps

Water Sector

Chemical Sector

Dams

Draft/Approval:• Nuclear

• Cross-Sector (recognizing and mapping commonality between sector documents) by Department of Homeland Security’s Industrial Control Systems Joint Working Group

Roadmap Strategies

• Build a Culture of Security

• Assess, Monitor and Mitigate Risk

• Develop and Implement New Protective Measures to Reduce Risk

• Manage Incidents

• Sustain Security Improvements

for…– Asset Owner/Operators

– Vendors/Solution Providers

– Research/Academia

– Government

– Regulators/Standards Organizations

Common Goals Across Roadmaps

• Measure and Assess Security Posture

• Assess Risk

• Develop and Integrate Protective Measures

• Develop and Deploy ICS Security Programs

• Detect Intrusion and Implement Response Strategies

• Develop and Implement Risk Mitigation Measures

• Sustain Security Improvements

• Partnership and Outreach

• Secure-by-Design

Why do We Care?

• ICS are increasingly interconnected to other plant and business systems

• ICS vendors continue to rapidly incorporate standard Information Technology into their products

• These trends expose the ICS to modern malware threats

• Potential consequences of an ICS cyber incident can include:

• Reduction or loss of production at one site or multiple sites simultaneously;

• Injury or death of employees;

• Injury or death of persons in the community;

• Damage to equipment;

• Release, diversion, or theft of hazardous materials; and

• Impact to company’s reputation in the community.

The Risk is Real!!

• Federal agencies reported 30,000 incidents to US-CERT during fiscal year 2009 [U.S. Government Accountability Office report 6/16/2010]

– >400% increase over what was reported in 2006

• 2010 CIP Survey conducted by Symantec– 60% of cyber attacks were “somewhat” to “extremely” effective– Average cost of an attack was estimated at $850,000

• Significant increase in Advanced Persistent Threat (APT)

• Stuxnet signaled a paradigm shift in ICS cyber threats

– Demonstrated that ICS are susceptible to increasingly sophisticated cyber-attacks

Chemical Sector Roadmap

The “voice” of the sector on

improvements to control systems

security

Published September 2009

Following sign off by the

Chemical Sector Coordinating Council

A structured set of priorities spanning a 10-year timeframe specific to needs of Industrial Control Systems (ICS) in the Chemical Sector

10

www.us-cert.gov/control_systems/pdf/ChemSec_Roadmap.pdf

Roadmap Vision

“In 10 years, the layers of defense for industrial control systems managing critical applications will be designed, installed and maintained, commensurate with risk, to operate with no loss of critical function during and after a cyber event.”

Scope• Industrial Control Systems (ICS) in chemical facilities that are part of the critical infrastructure

• Possible implications for ICS vendors

• Connection to other systems included if they impact ICS risk

Chemical Sector Roadmap

Implementation Working Group

Roadmap Implementation Manager

• Catalyst 35, under ACC contract

CSCC

• American Chemistry Council (ACC)

• National Petrochemical & Refiners Association (NPRA)

DHS

• DHS National Cyber Security Division - Control Systems Security Program

• DHS Chemical SSA

Owners/Operators

• AkzoNobel

• Dow Chemical

• Infineum

• DuPont

• Eastman Chemical

• Western Refining

• Exxon Mobil

• Air Products

• Ashland

• Air Products

Vendors

• Computer Sciences Corporation (CSC)

Established December 2010

Roadmap ImplementationIn Partnership with DHS

• DHS Sector Specific Agency (SSA) is supporting our efforts• Utilizing Homeland Security Information Network (HSIN) to share

working documents• Focusing on milestones identified for the first two years• Comprehensive Awareness Package

– Collected a wealth of resources/reference information – Designed to assist owners/operators in addressing ICS security

• Providing speakers at various conferences across the U.S.• Metrics: Working on creating Roadmap Metrics• Secure Information Sharing: Developing a matrix of current forums• Website: in design stage

13

Roadmap Objectives

Long Term• Improved ICS security across the chemical sector

Immediate• Build awareness across the chemical sector and ICS vendor community of the resources available to assist the sector in realizing its long term objective.

Awareness CampaignFocus Areas

• Developing a Business Case for investing in ICS security

• Conducting an ICS Security Assessment

• Training for employees who work in the ICS environment

• Implementing existing standards

• Complying with existing Chemical Facility Anti-Terrorism Standards (CFATS) Regulations

• Leveraging Best Practices– Wherever possible, not Chem sector specific

Developing a Business Case

• The protection of ICS from cyber security threats requires resources and personnel to plan, develop and implement needed security measures

• Companies must develop a business case for investing in ICS security

• A business rationale for justifying this investment is currently under development

• Authored by the Industrial Control Systems Joint Working Group

• Goal is to provide guidance for Developing a Business Case

icsjwg@dhs.gov

Awareness Materials

• Case for Action• Cyber Security Evaluation Tool (CSET)• Cyber Security Tabletop Exercise (TTX)• Procurement language• ICS Security Training Resource • ICS-CERT & Cyber Incident Response• Industry standards and additional relevant guidance

A Case for Action

The chemical industry dedicates immense time and resources toward ensuring the safety of its personnel, customers, and surrounding community; but in today’s environment of growing cyber threats, a Chemical plant is not safe unless its control systems are secure.

One of the trends emerging in the current environment of cost efficiencies, is the move from delivery of ICS on “proprietary” system platforms to “open” system platforms. These open platforms carry a greater level of cyber risk due to the rapid growth of cyber threats against them.

CSET - Cyber Security Evaluation Tool

• Available from the Department of Homeland Security• Assists organizations in protecting their key national cyber assets. • Developed under the direction of the DHS National Cyber Security Division (NCSD)– Developed by cybersecurity experts and with assistance from the National Institute of Standards and Technology.

• This tool provides a systematic and repeatable approach for assessing the security posture cyber systems and networks.

• Includes both high-level and detailed questions related to all industrial control and IT systems.

Procurement Language

• Department of Homeland Security: Cyber Security Procurement Language for Control Systems provides sample recommended language for control systems security requirements, including:

• New SCADA/control systems

• Upgrading Legacy systems

• Maintenance contracts

• Information and personnel security

ICS Training ResourcesChemical Sector

• Compiled by the Roadmap Implementation Working Group• Designed for owner/operators in the process control and automation industries.

• Lists selected and representative security trainings… but not a comprehensive list

• Organized by levels of difficulty (intro, intermediate, advanced)• Includes links to relevant websites, for ease of training access

Who Can Benefit from this training?

– ICS Operations

• Routinely interact with the ICS environment

– Security Managers

• Have primary responsibility for securing ICS

– Engineers

• Responsible for design and configuration of ICS functionality

– IT Personnel

• Have responsibility for operation & support of IT infrastructure supporting the ICS

Leveraging Existing Standards

• ANSI/ISA99/IEC 62443, Industrial Automation and Control Systems Security– A series of 11 standards & technical reports– Address all aspects of ICS security– 3 work products have been published– Several others are available in draft form for review and comment

• ISO/IEC 15408-1:2009– Establishes general concepts and principles of IT security evaluation– Specifies the general model of evaluation given by its various parts– Is intended to be used as the basis for evaluation of security properties of IT products

Additional Guidance

• ACC Guidance for Addressing Cyber Security in the Chemical Sector

• DHS Catalog of Control Systems Security: Recommendations for Standards Developers

• NIST Special Publication (SP) 800-82, Guide to ICS Security, final public draft Sept 29, 2008

• NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009

• NERC Critical Infrastructure Protection – 002-009

What Can You Do?

• Pick up a DVD & Case for Action to take with you

• Review the information shared today

• Bring this issue to the attention of your engineering & manufacturing management

• Ask key questions about how your company is addressing ICS security

• And as you begin…

25

Tips for Getting Started

• Ensure one person takes ownership of ICS security and is accountable.

• Open the lines of communication between engineering, security, IT, process safety and manufacturing operations within your own company.

• Conduct an audit of current ICS security measures and implement obvious fixes.

• Follow-up with an ICS security vulnerability analysis (risk assessment).

Tips for Getting Started

• Implement an ICS security management program that is integrated with existing company management systems for security, safety, quality, etc.

• Keep in touch by emailing chemicalsector@dhs.gov for additional information.

• Become an advocate in your company on this important issue!

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

Insert Photo Here

Rockwell Automation

Process Solutions User Group (PSUG)

November 14-15, 2011

Chicago, IL – McCormick Place West