Industrial Control System Cyber Security. • cyber security threat landscape for
ICS's. • Honeywell's cyber security initiatives. • roles / responsibilities for
protecting ...
2012 Honeywell Users Group Asia Pacific Sustain.Ability.
Industrial Control System Cyber Security 1
Mike Baldi • Honeywell Process Solutions Cyber Security Architect Global Architect Team Responsible for integrating security into HPS Products, security certifications, and compliance
• Honeywell rep on ISA Security Compliance Institute board • DHS interface for HPS • 33+ years experience with HPS
2
•
Lead SE for System Test ( 3 years )
•
Technical Assistance Center - Server/Client team lead ( 25 years ):
Industrial Control System Cyber Security • cyber security threat landscape for ICS’s • Honeywell’s cyber security initiatives
• roles / responsibilities for protecting ICS’s from cyber attacks • responding to cyber attacks against your ICS
3
Cyber Security threat landscape for ICS’s
Industrial Control System Cyber Security 4
How did we get here? • Security was not a major concern when Legacy ICS systems were developed • ICS system lifecycle is typically 15-20 years • ICS products are incorporating COTS technology from the business IT sector (Ethernet, Windows OS, SQL, webservers, etc.) • Multi-vendor solutions at most ICS sites • Increasing need to share data between the enterprise, corporate, and DCS networks • Lack of experienced security personnel working on ICS’s • History of separate IT and ICS teams
5
Business IT vs ICS systems
6
SECURITY TOPIC
Information Technology (IT)
Antivirus
Very common: easily deployed and updated
Difficult to keep current due to risk imposed to control process
Patch Management
Easily defined; enterprise wide remote and automated
Patches require exhaustive testing and qualification prior to installation on ICS’s. Install lags release.
Technology Support Lifetime
2-3 years;
10-20 years
Change Management
Regular and scheduled; aligned with minimum-use periods
Strategic scheduling; non trivial process due potential impact to process
Security Compliance
Limited regulatory oversight
Specific regulatory guidance (some sectors)
Incident Response and Forensics
Easily developed and deployed; some regulatory requirements; embedded in technology
Uncommon beyond system resumption activities; no forensics beyond event re-creation
Physical and Environmental Security
Poor (office systems) to excellent (critical operations systems)
Good to Excellent (operations centers; guards, gates, guns) Special
Secure Systems Development
Integral part of development process
Has not been an integral part of ICS systems development
Control Systems (ICS)
ICS challenges and security concerns • Vulnerability to Denial of Service attacks • Backdoors and “holes” in the network perimeter • Devices with little or no security features (modems, legacy control devices, etc.) • Common communication protocols designed without security • Remote, unmanned sites with challenging physical security • Database security vulnerabilities (proprietary and / or 3rd party )
• Lack of encryption and authentication • Improper or nonexistent patching of software and firmware
7
ICS challenges and security concerns • Unsecure coding techniques in product design • Non-existent cyber security procedures • Lack of control system-specific security protection / mitigation technologies • Security researchers with various vulnerability disclosure practices • Publicly available hacking tools make hacking easier for “novices” • Increased outside security regulation • NERC-CIP, CFATS, Pipeline Guidelines, …
• Increase in cyber attacks against ICS’s • Stuxnet, Duqu, Flame, …
8
Some typical attack vectors of ICS’s
9
Some current headlines • U.S. President Barack Obama is urging the Senate to pass the Cybersecurity Act of 2012. He believes legislation will help the U.S. fight "the cyber threat to our nation," which he calls "one of the most serious economic and national security challenges we face." July, 2012 - ZDNet • “Iran Oil Terminal taken offline by Cyber Attack” April, 2012 - PACE magazine
Pacific Northwest National Laboratory Report Reveals Dramatic Increase in Cyber Threats and Sabotage on Critical Infrastructure and Key Resources June 2012 – US Dept of Energy
10
The Impact of STUXNET • Provided proof-of-concept and a blueprint for hackers • Exposed corporate executives, regulators and the public to the potential dangers of cyber attacks on critical infrastructure • Opened the floodgates for “security researchers” to identify and exploit ICS vulnerabilities for financial gain
11
Project Basecamp • Announced at S4 Security Conference in Jan 2012 • Project Basecamp involved six researchers looking for vulnerabilities in embedded ICS devices (PLC’s, RTU’s, substation controllers) • The researchers found backdoors, weak credential storage, ability to change ladder logic and firmware, command line interface, buffer overflows, TFTP, etc… • Posted results publicly – releasing Nessus plugins and Metasploit modules enabling anyone to find and exploit these vulnerabilities 12
12
Cyber attacks on critical infrastructure
Cyber attacks against US critical infrastructure jumped 383 % in 2011”
13
13
ICS Specific Vulnerabilities Reported 2001 - 2011
Slide 25 from the presentation “Documenting the ‘Lost Decade’ An Empirical Analysis of publicly disclosed ICS vulnerabilities since 2001” by Sean McBride 14
14
Why have ICS systems become targets? • They’re easy targets – – – –
Security wasn’t designed in Running older Operating systems Embedded accounts with default passwords Systems aren’t updated with security patches
• Notoriety / validation within security research community • Community “watchdogs” • Hacktivists
• Competitive advantage • Nation State / Political motivation
15
Honeywell’s cyber security initiatives
Industrial Control System Cyber Security 16
What is Honeywell’s security philosophy ? • Design in Security is a Key initiative at Honeywell – Security designed in the product from the beginning – Incorporate people, technology, and process – Integrate security into our culture Process Control System
• Defense in Depth – Security at more than just the perimeter – Layered / High Security Network Architecture
Cyber Electronic Physical
• Security is a journey - not a destination – Cyber Threat landscape is continuously changing – Continuous evaluation and improvements required 17
Product development process • Product development – Security is foundational in the product • HIP process designs security into all products • Security Development Lifecycle – Design process is compliant with ISASecure SDSA » Threat modeling and security risk analysis is part of all projects » Static code analysis » Fuzz testing » Use and abuse case testing » Load and performance testing » Independent penetration testing
18
Product development process • Product development (Continued) • Experion Security Model drives security focus • Security – Security Core Team – manages security model – Security Steering Committee – communication / interactive exchange on security issues impacting HPS systems
• HPS is investing heavily in tools, testing, and training to improve the security of our products
19
Incorporating Security into the Software Development Lifecycle Security Response Planning and Execution
Security Training Security Requirements
Security Validation Testing
Security Architecture Design Security Risk Assessment and Threat Modeling
Security Coding Guidelines
20
Fuzz testing, Abuse case testing
Security Code Reviews & Static Analysis
20
Continuous security improvements • Short term improvement – Qualification of white listing component for Experion – Virtual Patching solution – Virtualization
• R410 security improvements – System mechanism to disable USB storage interface – Role based access control for process data • Implements separation of duties at parameter level
– Decouple DSA security credentials from system credentials • • • • 21
Compartmentalizes Experion clusters Allows different mngr passwords in each cluster Remove sysadmin privileges from mngr account Allow use of user specified domain accounts
Application Whitelisting - overview • Objective is to provide additional protection against malware, reduce system maintenance overhead and complexity, and extend the patching cycle • Application Whitelisting (AWL) locks down an end node – allowing only approved files to run • Significantly improves security against many types of malware attacks • Can extend patching cycle
• AWL solution must be tightly integrated into control system by ICS vendor to provide greatest protection with minimum risk • AWL on Industrial Control Systems will co-exist with Anti Virus solutions
22
Patch management lifecycle
Security research (e.g. ZDI, DVlabs) ICS-CERT Black hats -
Not always a patch available Patch is not always tested in time Can we install? Often reboots required -
23
Server / station protection Allow Known Good
Block Known Bad
(Block All Else)
(Allow All Else)
Execution Level
Application Application Control Control
Resource Shielding
Behavioral Containment
Application Level
Application and System Hardening
Antivirus Anti Virus
Application Inspection
Network Level
Host Firewall
Attack-Facing Attack-Facing Network Network Inspection Inspection
Vulnerability-Facing Vulnerability-Facing Network Inspection Network Inspection
Unknown
Gartner
24
BL – Black Listing
(Honeywell solution - McAfee / Norton)
AWL – Application White Listing
(Honeywell solution - Bit9)
VP – Virtual Patching
(Honeywell solution - HP Tipping Point)
Continuous security improvements • • • •
Virtualization improves operational efficiency Virtualization realizes life cycle extension Virtualization poses new security challenges Virtualization also facilitates security improvements – Application virtualization (i.e. eServer) provides sandboxing – Full virtualization (VMware vSphere) • • • •
Improved data recovery mechanisms Virtualization Layer Improved patching mechanisms Improved virus protection mechanisms Hypervisor / Virtual Machine Monitor has small attack surface
– Availability of thin clients
25
External security certifications • Wurldtech Achilles certification for C300, SM • Achilles practices certified ( WIB ) – Honeywell committed to compliance with Achilles practices when it becomes an approved IEC-62443 -2.4 standard
• ISASecure Embedded Device Security Assessment (EDSA) – Safety Manager R145 was first device to achieve EDSA certification (2011) – C300 and Foundation Fieldbus Interface Module are EDSA Certified (2012)
• Internal evaluation of HPS products for compliance with numerous external standards: – NERC-CIP, NIST_sp800_x, FERC_order_x, INGAA Cyber guidelines, TSA pipeline guidelines 26
ISA99 / IEC 62443 Structure
Systems
Devices
27
27
Embedded Device Security Assurance Certification
Integrated Threat Analysis (ITA) Software Development Security Assurance (SDSA)
Provides a common perspective on how threat scenarios can be sufficiently covered • Documents the expected resistance of the system to potential threat agents and threat scenarios • Clearly documents expected user measures versus inherent product protection measures Detects and Avoids systematic design faults • The vendor’s software development and maintenance processes are audited • Ensures the organization follows a robust, secure software development process Detects Implementation Errors / Omissions
Functional Security Assessment (FSA)
• A component’s security functionality is audited against its derived requirements for its target security level • Ensures the product has properly implemented the security functional requirements
Communications Robustness Testing (CRT)
Identifies vulnerabilities in networks and devices • A component’s communication robustness is tested against communication robustness requirements
• Tests for vulnerabilities in the 4 layers of OSI Reference Model
28
28
Benefits of ISASecure Certification Structured, auditable, repeatable approach to evaluating the security of an ICS product and the development practices of the manufacturer against an established benchmark End-user Supplier • Easy to specify • Build security requirement into RFP • Reduced time in FAT/SAT • Know security level out of the box
• • • • • •
Evaluated once Recognition for effort Build in security Product differentiator Reduce support costs Enhance credibility
Assurance that automation products, systems and suppliers meet an industry recognized baseline for cyber security 29
29
Honeywell’s Industrial IT Solutions
30
Assess against industry standards, regulatory requirements and best practices
Remediate focuses on the actions needed to address issues identified in the Assess phase
Assure addresses methods to assure your Industrial IT solutions are functioning as designed
Manage refers to the management of your Industrial IT investment, including network security
Evolving services and solutions for a changing Industrial IT environment
Honeywell’s Industrial IT Solutions • Continuous improvement of “standard build” – Consistent security configuration
• Extended remote service portfolio – Tested AV signature files - daily – Patch analysis and consolidated patching – Security incident handling, perimeter management
• Introduction of global service management – Uniform service delivery
• Compliance management • Full Whitelisting management and support
Assess
Assure
Remediate
Manage
31
Partnering with our customers • Documenting system security configuration – Includes risks that need external mitigations
• Rapid qualification of security updates – Microsoft – Adobe
• Network and security design services • Assessment services – ISA99 / CSET security audits / assessments
• Services offering for system security management – Patch, virus protection, and data recovery management – Security perimeter management
• Continued investment in building security skills – Design consultants, project and service engineers 32
Security Program Dashboard
33
Security from design to daily operation • Honeywell Process Solutions…. – builds Security features into our standard products, and is continuously evaluating and improving our security – is committed to ISA99 and IEC-62443 standards for industrial control system security
– works closely with external agencies including Department of Homeland Security to improve ICS security – documents secure system best practices and configurations – provides timely communication of security issues to customers – offers optional security features to customers who are want additional protection 34
roles / responsibilities for protecting ICS’s from cyber attacks
Industrial Control System Cyber Security 35
Stakeholders per phase in securing ICS’s -
ICS control system manufacturers / Vendors ICS automation solution providers System integrators and implementers Owner/operators or end users Local Governments
Phases and Participants in a Typical ICS Project From ICSJWG Cross Vendor Position Paper
36
Layers of Responsibility
End User (Security management system)
System Integrator (System engineering practices, Qualified Personnel)
Automation Supplier (Software Development, Vendor Practices)
Automation Products (Security features, Testing)
37
Vendor / automation supplier responsibilities • • • • • • • • •
38
Execute security testing during development cycle Integrate security into development lifecycle (SDLC) Scan systems for security vulnerabilities before deployment Document secure implementation of system Manage secure custody chain of assets Attain applicable 3rd party security certifications Provide timely qualification of security fixes Open and timely communication on product security issues Be positioned to respond to vulnerability disclosures or cyber incidents against deployed systems
Integrator / installer responsibilities • Install system per vendors recommended security practices • Segment the Control System Network • Ensure all software revisions are current during installation • Scan systems and network for security vulnerabilities before final commissioning • Baseline and document the system security before final commissioning
39
Owner / operator responsibilities • • • • • •
Apply security fixes as soon as they’re qualified Keep Anti Virus and related protection technologies current Document security configuration, Policies & Procedures Provide security Training for operators & Contractors Control Access to the Control System Harden the Components of the System – apply defense in depth • Constantly monitor the security of the system • Periodic full re-assessment of system security • Work closely with vendor and integrators to adopt to new security threats and vulnerabilities 40
ICS Security responsibilities summary • Owner / operators have the ultimate responsibility for the security and safety of their systems • ICS security must include technology, people, and processes • ICS security spans the lifecycle of an automation system • requires a partnership between all stakeholders
• All the security technology and controls in the world will not protect an ICS if not properly applied and continuously managed 41
responding to cyber attacks against your ICS
Industrial Control System Cyber Security 42
Cyber Incident Response Plan • Cyber security can no longer be an afterthought • Question is not “IF” your site will be attacked, but “WHEN”… be prepared
• Security can be measured by how quickly you detect, contain, and recover from a security incident. • Develop a cyber incident response plan, and actively “manage” it 43
Cyber Incident Response Plan • Create a cyber incident response plan – Priority is to isolate any suspect component, maintain safe operation, and preserve forensics where possible – Operators must be trained on how to respond to a cyber incident – Appoint a cyber security focal point and “watchdog” – with backup – Include all levels of “defense in depth” in creating response plan
• Practice the plan ( test it )
• Re-evaluate and update the cyber incident response plan periodically
44
Effective Security Plan
45
How can ICS’s prepare for cyber attacks? • Do a security assessment of your site, remediate any gaps identified, and repeat assessments periodically • Partner with your ICS vendor and specific support programs / organizations – keep defense plan current • Consider what your vendor or a security consultant can provide: – – – – – 46
24 x 7 support center Security Operations Center Access to specialty security skill sets Develop and maintain a “dashboard” or HMI for security manager Actively monitor security trends ( ie: security watchdog )
How can ICS’s prepare for cyber attacks? • Review your vendor’s security documentation – Network and Security Planning Guide – Domain and Workgroup Implementation Guide
• Maintain current security protection technologies on your system – Anti-Virus, Application Whitelisting, IPS, Firewalls, …
• Keep security current – timely application of qualified security updates • Proactively / continuously monitor site for cyber incidents 47
Be prepared for cyber attacks • Integrate security into your culture at site • An effective security program addresses people, processes, and technology
• Work with your vendor to create a cyber incident response plan, and Manage that plan • Ensure everyone knows the key players, and who to call • Security protections and incident response plans are only effective if properly managed 48
Q&A
Questions?
49
49