Industrial Control System Cyber Security

2012 Honeywell Users Group Asia Pacific Sustain.Ability.


Mike Baldi, Honeywell Process Solutions
• Cyber Security Architect, Global Architect Team: responsible for integrating security into HPS products, security certifications, and compliance
• Honeywell representative on the ISA Security Compliance Institute board
• DHS interface for HPS
• 33+ years of experience with HPS
  – Lead SE for System Test (3 years)
  – Technical Assistance Center, Server/Client team lead (25 years)

Agenda
• Cyber security threat landscape for ICSs
• Honeywell’s cyber security initiatives
• Roles / responsibilities for protecting ICSs from cyber attacks
• Responding to cyber attacks against your ICS

Cyber security threat landscape for ICSs

How did we get here?
• Security was not a major concern when legacy ICS systems were developed
• ICS system lifecycle is typically 15-20 years
• ICS products are incorporating COTS technology from the business IT sector (Ethernet, Windows OS, SQL, web servers, etc.)
• Multi-vendor solutions at most ICS sites
• Increasing need to share data between the enterprise, corporate, and DCS networks
• Lack of experienced security personnel working on ICSs
• History of separate IT and ICS teams

Business IT vs ICS systems (security topic, Information Technology (IT) practice, Control Systems (ICS) practice)

Antivirus
  IT:  Very common; easily deployed and updated
  ICS: Difficult to keep current due to the risk imposed on the control process

Patch management
  IT:  Easily defined; enterprise-wide, remote and automated
  ICS: Patches require exhaustive testing and qualification prior to installation on ICSs; install lags release

Technology support lifetime
  IT:  2-3 years
  ICS: 10-20 years

Change management
  IT:  Regular and scheduled; aligned with minimum-use periods
  ICS: Strategic scheduling; non-trivial process due to the potential impact on the process

Security compliance
  IT:  Limited regulatory oversight
  ICS: Specific regulatory guidance (some sectors)

Incident response and forensics
  IT:  Easily developed and deployed; some regulatory requirements; embedded in technology
  ICS: Uncommon beyond system resumption activities; no forensics beyond event re-creation

Physical and environmental security
  IT:  Poor (office systems) to excellent (critical operations systems)
  ICS: Good to excellent (operations centers; guards, gates, guns)

Secure systems development
  IT:  Integral part of the development process
  ICS: Has not been an integral part of ICS systems development

ICS challenges and security concerns
• Vulnerability to denial of service attacks
• Backdoors and “holes” in the network perimeter
• Devices with little or no security features (modems, legacy control devices, etc.)
• Common communication protocols designed without security
• Remote, unmanned sites with challenging physical security
• Database security vulnerabilities (proprietary and / or 3rd party)
• Lack of encryption and authentication
• Improper or nonexistent patching of software and firmware
• Insecure coding techniques in product design
• Non-existent cyber security procedures
• Lack of control-system-specific security protection / mitigation technologies
• Security researchers with various vulnerability disclosure practices
• Publicly available hacking tools make hacking easier for “novices”
• Increased outside security regulation
  – NERC-CIP, CFATS, Pipeline Guidelines, …
• Increase in cyber attacks against ICSs
  – Stuxnet, Duqu, Flame, …

Some typical attack vectors of ICSs (diagram)

Some current headlines
• U.S. President Barack Obama is urging the Senate to pass the Cybersecurity Act of 2012. He believes legislation will help the U.S. fight "the cyber threat to our nation," which he calls "one of the most serious economic and national security challenges we face." (July 2012, ZDNet)
• “Iran oil terminal taken offline by cyber attack” (April 2012, PACE magazine)
• Pacific Northwest National Laboratory report reveals dramatic increase in cyber threats and sabotage on critical infrastructure and key resources (June 2012, US Department of Energy)

The impact of Stuxnet
• Provided a proof of concept and a blueprint for hackers
• Exposed corporate executives, regulators and the public to the potential dangers of cyber attacks on critical infrastructure
• Opened the floodgates for “security researchers” to identify and exploit ICS vulnerabilities for financial gain

Project Basecamp
• Announced at the S4 security conference in January 2012
• Six researchers looked for vulnerabilities in embedded ICS devices (PLCs, RTUs, substation controllers)
• The researchers found backdoors, weak credential storage, the ability to change ladder logic and firmware, command line interfaces, buffer overflows, TFTP, etc.
• Results were posted publicly, with Nessus plugins and Metasploit modules released, enabling anyone to find and exploit these vulnerabilities

Cyber attacks on critical infrastructure
• “Cyber attacks against US critical infrastructure jumped 383 % in 2011”

ICS-specific vulnerabilities reported 2001-2011 (chart)
Source: slide 25 from the presentation “Documenting the ‘Lost Decade’: An Empirical Analysis of publicly disclosed ICS vulnerabilities since 2001” by Sean McBride

Why have ICS systems become targets?
• They’re easy targets
  – Security wasn’t designed in
  – Running older operating systems
  – Embedded accounts with default passwords
  – Systems aren’t updated with security patches
• Notoriety / validation within the security research community
• Community “watchdogs”
• Hacktivists
• Competitive advantage
• Nation state / political motivation

Honeywell’s cyber security initiatives

What is Honeywell’s security philosophy?
• Design in security is a key initiative at Honeywell
  – Security designed into the product from the beginning
  – Incorporate people, technology, and process
  – Integrate security into our culture
• Defense in depth
  – Security at more than just the perimeter
  – Layered / high security network architecture (the slide shows cyber, electronic and physical layers around the process control system)
• Security is a journey, not a destination
  – Cyber threat landscape is continuously changing
  – Continuous evaluation and improvements required

Product development process
• Security is foundational in the product
  – HIP process designs security into all products
  – Security Development Lifecycle: the design process is compliant with ISASecure SDSA
    » Threat modeling and security risk analysis are part of all projects
    » Static code analysis
    » Fuzz testing
    » Use and abuse case testing
    » Load and performance testing
    » Independent penetration testing
• Experion Security Model drives the security focus
  – Security Core Team manages the security model
  – Security Steering Committee: communication / interactive exchange on security issues impacting HPS systems
• HPS is investing heavily in tools, testing, and training to improve the security of our products

Incorporating security into the software development lifecycle (diagram; activities in lifecycle order)
• Security training
• Security requirements
• Security architecture design
• Security risk assessment and threat modeling
• Security coding guidelines
• Security code reviews and static analysis
• Fuzz testing, abuse case testing
• Security validation testing
• Security response planning and execution

Continuous security improvements
• Short-term improvements
  – Qualification of a whitelisting component for Experion
  – Virtual patching solution
  – Virtualization
• R410 security improvements
  – System mechanism to disable the USB storage interface
  – Role-based access control for process data
    » Implements separation of duties at the parameter level
  – Decouple DSA security credentials from system credentials
    » Compartmentalizes Experion clusters
    » Allows different mngr passwords in each cluster
    » Removes sysadmin privileges from the mngr account
    » Allows use of user-specified domain accounts

Application whitelisting: overview
• Objective is to provide additional protection against malware, reduce system maintenance overhead and complexity, and extend the patching cycle
• Application whitelisting (AWL) locks down an end node, allowing only approved files to run
• Significantly improves security against many types of malware attacks
• Can extend the patching cycle
• An AWL solution must be tightly integrated into the control system by the ICS vendor to provide the greatest protection with minimum risk
• AWL on industrial control systems will co-exist with antivirus solutions

Patch management lifecycle (diagram)
• Sources of vulnerability information: security research (e.g. ZDI, DVLabs), ICS-CERT, black hats
• Not always a patch available
• Patch is not always tested in time
• Can we install? Reboots are often required

Server / station protection (Gartner model of host protection technologies)

Columns, from left to right: Allow Known Good (block all else) | Unknown | Block Known Bad (allow all else)

Execution level:   Application Control | Resource Shielding | Behavioral Containment
Application level: Application and System Hardening | Application Inspection | Antivirus
Network level:     Host Firewall | Vulnerability-Facing Network Inspection | Attack-Facing Network Inspection

Source: Gartner

Legend
• BL: blacklisting (Honeywell solution: McAfee / Norton)
• AWL: application whitelisting (Honeywell solution: Bit9)
• VP: virtual patching (Honeywell solution: HP TippingPoint)
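The allow-known-good versus block-known-bad distinction in the table above, and the AWL overview slide before it, can be shown with a small added example. This is code written for this page, not Honeywell, Bit9 or McAfee code. It assumes hash-based allowlisting and blocklisting over a handful of constructed file contents; the file names, contents and the "hotfix" are invented for the example.

```python
import hashlib

# Constructed sample "files" on a control-system node (name -> content).
# The names and bytes are invented for this example; they are not real
# binaries or real malware.
SAMPLE_FILES = {
    "station.exe":  b"approved control application, release 410",
    "hmi_view.dll": b"approved HMI library, release 410",
    "worm.exe":     b"malware sample already known to the AV vendor",
    "dropper2.exe": b"malware variant nobody has a signature for yet",
}

# A vendor-qualified hotfix of station.exe: legitimate, but not yet on the
# allowlist when it arrives (also constructed).
PATCHED_STATION = b"approved control application, release 410 hotfix 1"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allow-known-good (application whitelisting): the vendor qualifies a set of
# file hashes at release time; anything not in the set is blocked.
ALLOWLIST = {sha256(SAMPLE_FILES["station.exe"]),
             sha256(SAMPLE_FILES["hmi_view.dll"])}

# Block-known-bad (signature antivirus): only hashes already known to be
# malicious are blocked; anything else, including brand-new malware, runs.
BLOCKLIST = {sha256(SAMPLE_FILES["worm.exe"])}


def awl_decision(data: bytes) -> str:
    """Execution decision under an allow-known-good policy."""
    return "allow" if sha256(data) in ALLOWLIST else "block"


def av_decision(data: bytes) -> str:
    """Execution decision under a block-known-bad policy."""
    return "block" if sha256(data) in BLOCKLIST else "allow"


def evaluate(files=SAMPLE_FILES) -> dict:
    """Map each file name to its (AWL decision, AV decision) pair."""
    return {name: (awl_decision(data), av_decision(data))
            for name, data in files.items()}


def unknown_gap(files=SAMPLE_FILES) -> list:
    """Files in the 'unknown' column: AV lets them run, AWL does not."""
    return sorted(name for name, (awl, av) in evaluate(files).items()
                  if av == "allow" and awl == "block")


def qualify_update(data: bytes) -> None:
    """The vendor-side step that makes AWL workable on an ICS: each
    qualified patch or release is added to the allowlist before it is
    deployed; otherwise the legitimate update is blocked like malware."""
    ALLOWLIST.add(sha256(data))


def hotfix_lifecycle(data: bytes = PATCHED_STATION) -> tuple:
    """AWL decision for an update before and after the vendor qualifies it."""
    before = awl_decision(data)
    qualify_update(data)
    return before, awl_decision(data)


if __name__ == "__main__":
    for name, (awl, av) in evaluate().items():
        print(f"{name:14} AWL={awl:5} AV={av}")
    print("unknown to AV, blocked by AWL:", unknown_gap())
    print("hotfix before/after qualification:", hotfix_lifecycle())
```

The "unknown" column is the whole argument for AWL on a control node that cannot take daily signature updates: dropper2.exe runs under the blocklist and is stopped by the allowlist. The hotfix case shows the cost the slide refers to when it says the AWL solution must be integrated by the ICS vendor: every qualified release has to reach the allowlist before it reaches the node.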

Continuous security improvements: virtualization
• Virtualization improves operational efficiency
• Virtualization realizes life cycle extension
• Virtualization poses new security challenges
• Virtualization also facilitates security improvements
  – Application virtualization (e.g. eServer) provides sandboxing
  – Full virtualization (VMware vSphere)
    » Improved data recovery mechanisms
    » Improved patching mechanisms
    » Improved virus protection mechanisms
    » Hypervisor / virtual machine monitor has a small attack surface
  – Availability of thin clients

External security certifications
• Wurldtech Achilles certification for C300 and SM
• Achilles Practices certified (WIB)
  – Honeywell is committed to compliance with Achilles Practices when it becomes an approved IEC 62443-2-4 standard
• ISASecure Embedded Device Security Assurance (EDSA)
  – Safety Manager R145 was the first device to achieve EDSA certification (2011)
  – C300 and the Foundation Fieldbus Interface Module are EDSA certified (2012)
• Internal evaluation of HPS products for compliance with numerous external standards
  – NERC-CIP, NIST SP 800-x, FERC Order x, INGAA cyber guidelines, TSA pipeline guidelines

ISA99 / IEC 62443 structure (diagram covering the systems and devices levels)

Embedded Device Security Assurance certification

Integrated Threat Analysis (ITA)
• Provides a common perspective on how threat scenarios can be sufficiently covered
• Documents the expected resistance of the system to potential threat agents and threat scenarios
• Clearly documents expected user measures versus inherent product protection measures

Software Development Security Assurance (SDSA): detects and avoids systematic design faults
• The vendor’s software development and maintenance processes are audited
• Ensures the organization follows a robust, secure software development process

Functional Security Assessment (FSA): detects implementation errors / omissions
• A component’s security functionality is audited against its derived requirements for its target security level
• Ensures the product has properly implemented the security functional requirements

Communication Robustness Testing (CRT): identifies vulnerabilities in networks and devices
• A component’s communication robustness is tested against communication robustness requirements
• Tests for vulnerabilities in the lower four layers of the OSI Reference Model
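Fuzz testing appears in the Security Development Lifecycle list earlier in the deck, and Communication Robustness Testing on this slide is the same idea applied to a device’s network stack. The added example below is code written for this page, not Honeywell or ISASecure code, and it uses a constructed toy request frame rather than any real ICS protocol: one function-code byte, a two-byte big-endian payload length, the payload, and one XOR checksum byte. A parser that trusts the declared length is fuzzed beside one that validates every field; the mutation strategy (bit flips, truncation, byte insertion, extreme length values) and the iteration count are choices made for the example.

```python
import random
import struct


class FrameError(ValueError):
    """The one, well-defined rejection a robust parser is allowed to raise."""


def build_frame(func: int, payload: bytes) -> bytes:
    """Encode a well-formed frame of the constructed toy protocol."""
    body = bytes([func]) + len(payload).to_bytes(2, "big") + payload
    chk = 0
    for b in body:
        chk ^= b
    return body + bytes([chk])


def naive_parse(frame: bytes) -> dict:
    """Trusts the framing and the declared length; typical of code that was
    only ever exercised with well-formed traffic. Short or oversized frames
    raise IndexError / struct.error instead of a controlled rejection."""
    func = frame[0]
    (length,) = struct.unpack(">H", frame[1:3])
    payload = frame[3:3 + length]
    checksum = frame[3 + length]
    return {"func": func, "payload": payload, "checksum": checksum}


MAX_PAYLOAD = 256   # limit chosen for the example


def robust_parse(frame: bytes) -> dict:
    """Validates every field before using it and rejects malformed input
    with FrameError, so the caller can log, drop the frame and keep running."""
    if len(frame) < 4:
        raise FrameError("frame too short")
    func = frame[0]
    length = int.from_bytes(frame[1:3], "big")
    if length > MAX_PAYLOAD:
        raise FrameError("declared length exceeds limit")
    if len(frame) != 3 + length + 1:
        raise FrameError("declared length does not match frame size")
    expected = 0
    for b in frame[:-1]:
        expected ^= b
    if expected != frame[-1]:
        raise FrameError("checksum mismatch")
    return {"func": func, "payload": frame[3:3 + length], "checksum": frame[-1]}


def robust_rejects(frame: bytes) -> bool:
    """True if robust_parse rejects the frame in the controlled way."""
    try:
        robust_parse(frame)
        return False
    except FrameError:
        return True


def mutate(frame: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, truncation, byte insertion, or an
    extreme value written into the length field."""
    f = bytearray(frame)
    choice = rng.randrange(4)
    if choice == 0 and f:
        i = rng.randrange(len(f))
        f[i] ^= 1 << rng.randrange(8)
    elif choice == 1:
        f = f[:rng.randrange(len(f) + 1)]
    elif choice == 2:
        f.insert(rng.randrange(len(f) + 1), rng.randrange(256))
    elif len(f) >= 3:
        f[1:3] = rng.choice([0x0000, 0x00FF, 0x7FFF, 0xFFFF]).to_bytes(2, "big")
    return bytes(f)


def fuzz(parser, iterations: int = 2000, seed: int = 1) -> dict:
    """Feed mutated frames to parser and count accepted frames, controlled
    rejections (FrameError) and crashes (any other exception)."""
    rng = random.Random(seed)
    seed_frame = build_frame(0x03, b"\x00\x10\x00\x02")
    stats = {"ok": 0, "rejected": 0, "crashes": 0, "crash_types": set()}
    for _ in range(iterations):
        case = mutate(seed_frame, rng)
        try:
            parser(case)
            stats["ok"] += 1
        except FrameError:
            stats["rejected"] += 1
        except Exception as exc:        # anything else is a robustness failure
            stats["crashes"] += 1
            stats["crash_types"].add(type(exc).__name__)
    stats["crash_types"] = sorted(stats["crash_types"])
    return stats


if __name__ == "__main__":
    print("naive :", fuzz(naive_parse))
    print("robust:", fuzz(robust_parse))
```

In a device the "crash" column is what CRT is looking for: an unhandled exception in the naive parser corresponds to a controller task faulting on a malformed packet, which is why the robust version turns every malformed input into the same FrameError and never indexes past the end of the frame.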


Benefits of ISASecure certification
Structured, auditable, repeatable approach to evaluating the security of an ICS product and the development practices of the manufacturer against an established benchmark

End user
• Easy to specify
• Build security requirements into the RFP
• Reduced time in FAT/SAT
• Know the security level out of the box

Supplier
• Evaluated once
• Recognition for effort
• Build in security
• Product differentiator
• Reduce support costs
• Enhance credibility

Assurance that automation products, systems and suppliers meet an industry-recognized baseline for cyber security

Honeywell’s Industrial IT Solutions
• Assess: against industry standards, regulatory requirements and best practices
• Remediate: focuses on the actions needed to address issues identified in the Assess phase
• Assure: addresses methods to assure your Industrial IT solutions are functioning as designed
• Manage: refers to the management of your Industrial IT investment, including network security
Evolving services and solutions for a changing Industrial IT environment

Honeywell’s Industrial IT Solutions (continued)
• Continuous improvement of the “standard build”
  – Consistent security configuration
• Extended remote service portfolio
  – Tested AV signature files, daily
  – Patch analysis and consolidated patching
  – Security incident handling, perimeter management
• Introduction of global service management
  – Uniform service delivery
• Compliance management
• Full whitelisting management and support

Partnering with our customers
• Documenting system security configuration
  – Includes risks that need external mitigations
• Rapid qualification of security updates
  – Microsoft
  – Adobe
• Network and security design services
• Assessment services
  – ISA99 / CSET security audits / assessments
• Services offering for system security management
  – Patch, virus protection, and data recovery management
  – Security perimeter management
• Continued investment in building security skills
  – Design consultants, project and service engineers

Security Program Dashboard (screenshot)

Security from design to daily operation
• Honeywell Process Solutions…
  – builds security features into our standard products, and is continuously evaluating and improving our security
  – is committed to the ISA99 and IEC 62443 standards for industrial control system security
  – works closely with external agencies, including the Department of Homeland Security, to improve ICS security
  – documents secure system best practices and configurations
  – provides timely communication of security issues to customers
  – offers optional security features to customers who want additional protection

Roles / responsibilities for protecting ICSs from cyber attacks

Stakeholders per phase in securing ICSs
• ICS control system manufacturers / vendors
• ICS automation solution providers
• System integrators and implementers
• Owner/operators or end users
• Local governments
(Phases and participants in a typical ICS project, from the ICSJWG Cross Vendor Position Paper)

Layers of responsibility
• End user (security management system)
• System integrator (system engineering practices, qualified personnel)
• Automation supplier (software development, vendor practices)
• Automation products (security features, testing)

Vendor / automation supplier responsibilities
• Execute security testing during the development cycle
• Integrate security into the development lifecycle (SDLC)
• Scan systems for security vulnerabilities before deployment
• Document secure implementation of the system
• Manage a secure chain of custody for assets
• Attain applicable 3rd-party security certifications
• Provide timely qualification of security fixes
• Open and timely communication on product security issues
• Be positioned to respond to vulnerability disclosures or cyber incidents against deployed systems

Integrator / installer responsibilities
• Install the system per the vendor’s recommended security practices
• Segment the control system network
• Ensure all software revisions are current during installation
• Scan systems and the network for security vulnerabilities before final commissioning
• Baseline and document the system security before final commissioning

Owner / operator responsibilities
• Apply security fixes as soon as they’re qualified
• Keep antivirus and related protection technologies current
• Document security configuration, policies and procedures
• Provide security training for operators and contractors
• Control access to the control system
• Harden the components of the system; apply defense in depth
• Constantly monitor the security of the system
• Periodic full re-assessment of system security
• Work closely with vendors and integrators to adapt to new security threats and vulnerabilities
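The integrator’s “baseline and document the system security before final commissioning” and the owner/operator’s “document security configuration” and “constantly monitor the security of the system” items fit together as a baseline-and-drift check. The added example below is code written for this page, not Honeywell code. It compares a constructed commissioning baseline of one node against a later snapshot, and also applies fixed policy rules taken from the R410 items earlier in the deck (USB storage interface disabled, no sysadmin rights on the mngr account) plus an assumed maximum antivirus signature age. All host data, port numbers, account names and patch identifiers are invented for the example.

```python
from datetime import date

# Constructed commissioning baseline for one node. Every value here is
# invented for the example (hypothetical ports, accounts and patch IDs).
BASELINE = {
    "role": "server",
    "usb_storage_enabled": False,
    "mngr_has_sysadmin": False,
    "av_signature_date": "2012-07-01",
    "listening_tcp_ports": [80, 443, 3389],
    "local_accounts": ["mngr", "operator", "svc_backup"],
    "installed_patches": ["PATCH-2012-06A", "PATCH-2012-06B"],
}

# Constructed later snapshot of the same node, with some drift.
CURRENT_SNAPSHOT = {
    "role": "server",
    "usb_storage_enabled": True,                    # someone re-enabled USB storage
    "mngr_has_sysadmin": False,
    "av_signature_date": "2012-07-20",              # signatures not refreshed
    "listening_tcp_ports": [80, 443, 3389, 4444],   # new listener appeared
    "local_accounts": ["mngr", "operator", "svc_backup", "temp_contractor"],
    "installed_patches": ["PATCH-2012-06A", "PATCH-2012-06B"],
}

AS_OF = date(2012, 8, 1)            # date the snapshot was taken (constructed)
MAX_SIGNATURE_AGE_DAYS = 7          # assumption made for the example
VOLATILE = {"av_signature_date"}    # expected to change; judged by policy, not by diff


def diff_snapshot(baseline: dict, current: dict) -> list:
    """Report every setting that differs from the commissioning baseline.
    List-valued settings are compared as sets so each added or removed
    element is reported on its own line."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        if key in VOLATILE:
            continue
        before, after = baseline.get(key), current.get(key)
        if isinstance(before, list) and isinstance(after, list):
            for item in sorted(set(after) - set(before), key=str):
                findings.append({"severity": "review", "check": "added",
                                 "item": f"{key}:{item}",
                                 "detail": "not present at commissioning"})
            for item in sorted(set(before) - set(after), key=str):
                findings.append({"severity": "review", "check": "removed",
                                 "item": f"{key}:{item}",
                                 "detail": "present at commissioning, now missing"})
        elif before != after:
            findings.append({"severity": "review", "check": "changed",
                             "item": key, "detail": f"{before!r} -> {after!r}"})
    return findings


def policy_checks(current: dict, today: date) -> list:
    """Fixed rules that must hold regardless of what the baseline recorded."""
    findings = []
    if current.get("usb_storage_enabled"):
        findings.append({"severity": "high", "check": "policy",
                         "item": "usb_storage_enabled",
                         "detail": "USB storage interface must stay disabled"})
    if current.get("mngr_has_sysadmin"):
        findings.append({"severity": "high", "check": "policy",
                         "item": "mngr_has_sysadmin",
                         "detail": "mngr account must not hold sysadmin rights"})
    age = (today - date.fromisoformat(current["av_signature_date"])).days
    if age > MAX_SIGNATURE_AGE_DAYS:
        findings.append({"severity": "high", "check": "policy",
                         "item": "av_signature_date",
                         "detail": f"AV signatures are {age} days old"})
    return findings


def assess(current: dict = CURRENT_SNAPSHOT, today: date = AS_OF,
           baseline: dict = BASELINE) -> list:
    """Drift against the baseline plus policy violations, in one list."""
    return diff_snapshot(baseline, current) + policy_checks(current, today)


def finding_keys(findings: list) -> set:
    """(check, item) pairs, convenient for asserting on results."""
    return {(f["check"], f["item"]) for f in findings}


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {'high': 2, 'review': 3}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in assess():
        print(f"[{f['severity']:6}] {f['check']:8} {f['item']}: {f['detail']}")
    print(summarize(assess()))
```

The diff answers “what changed since commissioning” and the policy rules answer “is this node in the state the vendor’s hardening guidance requires”; the two are kept separate so that an intentional change that was documented (a new listener added for a qualified feature) lands in the review list, while a re-enabled USB port is flagged whether or not anyone updated the baseline.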

ICS security responsibilities summary
• Owner / operators have the ultimate responsibility for the security and safety of their systems
• ICS security must include technology, people, and processes
• ICS security spans the lifecycle of an automation system
• ICS security requires a partnership between all stakeholders
• All the security technology and controls in the world will not protect an ICS if they are not properly applied and continuously managed

Responding to cyber attacks against your ICS

Cyber incident response plan
• Cyber security can no longer be an afterthought
• The question is not “if” your site will be attacked, but “when”: be prepared
• Security can be measured by how quickly you detect, contain, and recover from a security incident
• Develop a cyber incident response plan, and actively “manage” it
• Create a cyber incident response plan
  – Priority is to isolate any suspect component, maintain safe operation, and preserve forensics where possible
  – Operators must be trained on how to respond to a cyber incident
  – Appoint a cyber security focal point and “watchdog”, with a backup
  – Include all levels of “defense in depth” in creating the response plan
• Practice the plan (test it)
• Re-evaluate and update the cyber incident response plan periodically

Effective security plan (diagram)

How can ICSs prepare for cyber attacks?
• Do a security assessment of your site, remediate any gaps identified, and repeat assessments periodically
• Partner with your ICS vendor and specific support programs / organizations; keep the defense plan current
• Consider what your vendor or a security consultant can provide:
  – 24 x 7 support center
  – Security Operations Center
  – Access to specialty security skill sets
  – Develop and maintain a “dashboard” or HMI for the security manager
  – Actively monitor security trends (i.e. a security watchdog)
• Review your vendor’s security documentation
  – Network and Security Planning Guide
  – Domain and Workgroup Implementation Guide
• Maintain current security protection technologies on your system
  – Antivirus, application whitelisting, IPS, firewalls, …
• Keep security current: timely application of qualified security updates
• Proactively / continuously monitor the site for cyber incidents

Be prepared for cyber attacks
• Integrate security into your culture at the site
• An effective security program addresses people, processes, and technology
• Work with your vendor to create a cyber incident response plan, and manage that plan
• Ensure everyone knows the key players, and who to call
• Security protections and incident response plans are only effective if properly managed

Q&A

Questions?
