schneider-electric
As presented at AIST 2014: The proliferation of cyber threats and recent facts have prompted asset owners in industrial environments to search for security solutions that can protect plant assets and prevent potentially significant monetary loss and safety issues. While some industries have made progress in reducing the risk of cyber attacks, the barriers to improving cybersecurity remain high. More open architectures and different networks exchanging data among different levels have made systems more vulnerable to attack. With the increased use of commercial off-the-shelf IT solutions in industrial environments, control system integrity has become vulnerable to malware originally targeted at commercial applications, and this has opened up a new world of threats aimed specifically at control systems. The objective of this presentation is to describe a multi-layered Defense-in-Depth approach through a holistic, step-by-step plan to mitigate risk.
Cyber security for Industrial Plants Threats and defense approach
Dave Hreha, System Architect Engineer
Cyber security for Industrial Plants: Threats and Defense Approach
• The proliferation of cyber threats and recent facts have prompted asset owners in industrial environments to search for security solutions that can protect plant assets and prevent potentially significant monetary loss and safety issues.
• While some industries have made progress in reducing the risk of cyber attacks, the barriers to improving cyber security remain high.
• More open architectures and different networks exchanging data among different levels have made systems more vulnerable to attack.
• With the increased use of commercial off-the-shelf IT solutions in industrial environments, control system integrity has become vulnerable to malware originally targeted at commercial applications, and this has opened up a new world of threats aimed specifically at control systems.
What is Cyber security?
• Cyber security is a branch of network administration that addresses attacks on or by computer systems and through computer networks that can result in accidental or intentional disruptions.
• The objective of cyber security is to provide increased levels of protection for information and physical assets from theft, corruption, misuse, or accidents while maintaining access for their intended users.
• Cyber security is an ongoing process that encompasses procedures, policies, software, and hardware, and it must be continually re-evaluated.
An Example of a Facility
Facilities may include:
• Coke ovens
• Blast Furnaces
• Electric Arc Furnaces
• Continuous Casting
• Rolling Mills
• Finishing Lines
• Water Treatment
Typical Facilities
Security Challenges
• Impact on Control system being secured
• Exposure to malicious software from “friendly sources”
• Exposure from linked systems
• Adverse effects from implementation
• Multiple sites and geography
• Physical and logical boundaries
Security Threats
Internal threats:
• Good intentions from misinformed employees
• Non-appropriate behavior from employees or contractors
• Disgruntled employees or contractors
External threats:
• Hackers
• Virus writers
• Activists
• Criminal groups
• Terrorists
• Foreign governments
System Access
• Peer utilities
• Poorly configured firewalls
• Database links
• Corporate VPN (Virtual Private Network)
• IT controlled communication equipment
• Spear phishing
• Supplier access
• Legacy dial up systems
System Access Points
[Diagram labels: Supplier access points; Peer utilities; VPN; Dial up access; Poorly configured firewall; Database links; IT controlled products]
Accessing the Process
• System databases
• SCADA or HMI screens
• PC systems
• “Man-in-the-Middle”
• Denial of Service
• Accidents
Defense in Depth
• Risk assessment
• Security plan based on the assessment
• Develop training
• Define network separation and segmentation
• Define system access control
• Device hardening
• Network monitoring and continued maintenance
Risk assessment
• Identify threats
• Prioritize
– Safety
– Severity
– Business impact
• Deploy resources
• Document with infrastructure diagrams
Security Plan
• Roles and responsibilities of those affected by the policy and procedures
• Actions, activities, and processes that are allowed and not allowed
• Consequences of non-compliance
• Incident response policies and procedures
• Who to notify and what actions to perform to contain the incident
• Role-specific procedures for restoring devices and process to known good operating state
• Details equipment, software, protocols, procedures, and personnel
• Summarizes the risk assessment and includes infrastructure diagrams
• Defines the training plan.
The security plan should be reviewed periodically for changes in threats, environment, and adequate security level
Training
Cyber security awareness program
• Understanding the organization’s security policies, procedures, and standards
• Job and role based training classes that detail the relevant security policies, procedures, and standards
• Classes that provide specific steps for applying the security policies and procedures.
• Classes on how to respond if a cyber attack or accident has occurred.
• Classes for vendors and other visitors
Network separation
Firewall - DMZ (Demilitarized Zone)
• No direct communication between Enterprise and Control network
• Only certain server types allowed in DMZ
– Data servers (Historian)
– Patch management
– Proxy servers
– RADIUS (Remote Authentication Dial In User Service)
– VPN
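The two DMZ rules on this slide can be checked mechanically against a firewall's permit list. The following Python script is an added example, not part of the presentation; the zone subnets, host addresses, ports and rule names are constructed assumptions.

```python
import ipaddress

# Constructed zone layout (assumption, not from the presentation).
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("172.16.50.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}
# Constructed DMZ hosts, one per server type the slide allows in the DMZ.
DMZ_SERVERS = {
    "172.16.50.10": "historian", "172.16.50.20": "patch-management",
    "172.16.50.30": "proxy", "172.16.50.40": "radius", "172.16.50.50": "vpn",
}
# Constructed "permit" rules: (name, source CIDR, destination CIDR, dest port).
RULES = [
    ("erp-to-historian", "10.10.4.0/24", "172.16.50.10/32", 443),
    ("historian-from-plc-net", "192.168.100.0/24", "172.16.50.10/32", 5450),
    ("eng-laptop-to-plc", "10.10.7.15/32", "192.168.100.21/32", 502),
    ("erp-to-unknown-dmz", "10.10.4.0/24", "172.16.50.99/32", 3389),
    ("any-to-dmz", "0.0.0.0/0", "172.16.50.20/32", 8530),
]

def zones_of(cidr):
    """Return every zone a CIDR overlaps; a wide rule can touch several."""
    net = ipaddress.ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    return hit or {"outside"}

def audit(rules):
    """Return (rule name, finding) pairs for rules that break the DMZ policy."""
    findings = []
    for name, src, dst, _port in rules:
        s, d = zones_of(src), zones_of(dst)
        # Rule 1: no permitted flow may join enterprise and control directly.
        if ("enterprise" in s and "control" in d) or ("control" in s and "enterprise" in d):
            findings.append((name, "direct enterprise<->control flow"))
        # Rule 2: a DMZ destination must be a single approved server.
        if "dmz" in d:
            dnet = ipaddress.ip_network(dst)
            if dnet.num_addresses != 1 or str(dnet.network_address) not in DMZ_SERVERS:
                findings.append((name, "DMZ destination is not an approved server"))
        # Sanity check: a source must sit inside exactly one known zone.
        if len(s) != 1 or "outside" in s:
            findings.append((name, "source spans zones or is outside all zones"))
    return findings

if __name__ == "__main__":
    for rule_name, finding in audit(RULES):
        print(f"{rule_name}: {finding}")
```

The overly broad `any-to-dmz` rule is flagged even though its destination is an approved server, because its source covers all three zones at once.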
Network segmentation
Still behind Firewall - DMZ
• Logical segments
• Security zones
Virtual Local Area Network (VLAN)
• Managed switches
• Routers
– Access control list
Network segmentation
Benefits
• Contains infection if occurs
• Limits node visibility
• Stops intruder scans of network
• Limits impact if breach
• Restricts broadcasts and multicasts
• Improved network performance
• Provides higher level of security
Access Control
Security for remote access
RADIUS (Remote Authentication Dial In User Service)
AAA Protocol
– Authentication
– Authorization
– Accounting
RAS (Remote Access Services)
VPN (Virtual Private Network)
Access Control
VPN Protocols and components
• Secure Socket Layer (SSL)
• Internet Protocol Security (IPsec)
• Internet Key Exchange (IKE)
• Advanced Encryption Standard (AES)
• Data Encryption Standard (DES)
• Encapsulating Security Payload (ESP)
Device Hardening
Configuring device settings to strengthen security
• Network devices
– Firewalls
– Managed Switches
– Routers
• Control system devices
– Distributed Control Systems (DCS)
– Supervisory Control and Data Acquisition (SCADA)
– Programmable Automation Controllers (PAC)
– Programmable Logic Controllers (PLC)
Device Hardening
• Implement password protection
• Implement access control
• Disable any unused services
• Maintain up to date patches and hot fixes (especially security)
• Use strong authentication
Network monitoring & maintenance
Users should monitor for any suspicious activity
• Use intrusion detection systems
• Monitor network loading
• Examine log files
• Use SNMP (Simple Network Management Protocol) traps
By being proactive, any attempts to gain access to the system should be discovered and stopped before any entry is made
Conclusion
The Defense in Depth recommendations can decrease the risk of attack.
No single component provides adequate defense. It is important to consider all of the Defense in Depth recommendations to mitigate risk.