ABB MINING USER CONFERENCE, MAY 02-05, 2017
Cyber Security in Mining Automation
Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division

Agenda
– Why worry about cyber security?
– ABB’s approach to cyber security
– Cyber security roadmap – reaching maturity with ABB Cyber Security Services
Slide 2 May 8, 2017

Cyber security in power and automation
Why is cyber security an issue?

Power and automation today
Modern automation, protection, and control systems are highly specialized IT systems
– Leverage commercial off the shelf IT components
– Use standardized, IP-based communication protocols
– Are distributed and highly interconnected
– Use mobile devices and storage media
– Based on software (> 50% of the ABB offering is software-related)

Cyber security issues
– Increased attack surface as compared to legacy, isolated systems
– Communication with external (non-OT) systems
– Attacks from/over the IT world

Attacks are real and have an actual safety, health, environmental, and financial impact

Cyber security in power and automation
Why is cyber security an issue?
Attacks are real and have an actual safety, health, environmental, and financial impact

A few common myths

Myth #1 – We are not interesting enough to be a target
“Small companies and industries outside of media attention are not a relevant target”
False
– If it’s worth having, it’s worth stealing
– Attackers’ business models are often built on economies of scale
– Critical infrastructure is often a network of smaller entities

Myth #2 – Security doesn’t pay off
“Strong security is a waste of time and money”
False
– Compromised control systems are NOT reliable and trustworthy and can prevent the customer from achieving its mission.
– Misoperations due to cyber events can become a safety issue.
– Business continuity insurance can become more expensive or even unavailable.

Anyone can become a target, defenses should be risk-driven

A few common myths

Myth #3 – We are air-gapped so we’re immune
“Our system is air-gapped so attackers have no way in”
False
– Staff needs to get data into and out of the system
  • Production schedules, engineering updates, …
  • Production reports, emission reports, …
– Entirely isolated systems are extremely cumbersome and expensive to operate
  • If no communication is built-in, convenient workarounds are improvised, e.g. unapproved networks, temporary connections, portable media

Myth #4 – We’re not on the Internet so we’re immune
“Our system does not have a direct connection to the Internet so attackers have no way in”
False
– Majority of incidents are staged attacks
  • (Spear)phishing to compromise legitimate user accounts
  • Compromise of perimeter networks first, e.g. DMZ, enterprise network
  • Lateral movement to reach more interesting targets

Anyone can become a target, defenses should be risk-driven

The Biggest Challenges
Addressing a unique set of requirements

| | “Traditional” information technology | Power and automation technology |
| Object under protection | Information | Physical process |
| Risk impact | Information disclosure, financial loss | Safety, health, environmental, financial |
| Main security objective | Confidentiality, Privacy | Availability, Integrity |
| Security focus | Central Servers (fast CPU, lots of memory, …) | Distributed System (possibly limited resources) |
| Availability requirements | 95 – 99% (accept. downtime/year: 18.25 – 3.65 days) | 99.9 – 99.999% (accept. downtime/year: 8.76 hrs – 5.25 minutes) |
| System lifetime | 3 – 10 Years | 5 – 25 Years |

Cyber Security @ ABB
Three guiding principles
– Reality: There is no such thing as 100% or absolute security
– Process: Cyber security is not a destination but an evolving target – it is not a product but a process
– Balance: Cyber security is about finding the right balance – it impacts usability and increases cost
Cyber security is all about risk management

ABB Cyber Security
A word from ABB’s CEO
“ABB recognizes the importance of cyber security in control-based systems and solutions for infrastructure and industry, and is working closely with our customers to address the new challenges.”
Ulrich Spiesshofer, CEO ABB

ABB Cyber Security Approach
Full lifecycle coverage
– Product: Design, Implementation, Verification, Release, Support
– Project: Design, Engineering, FAT, Commissioning, SAT
– Plant: Operation, Maintenance, Review, Upgrade
ABB addresses cyber security throughout the entire lifecycle and expects the same from our suppliers

Three phases in a journey

Diagnose
Collect information for defined cyber KPIs
Identify risk and compliance status with
– international standards
– relevant regulations
– ABB best practices
– customer policy and requirements
• Data
• Collect
• Store
• View
• Analyze
• Interpret
• Report

Implement
Implement countermeasures to address the identified risks / gaps with defense-in-depth

Sustain
ABB Customer Care service agreements
– tailored to fit customer needs for regular maintenance
– ensure desired level of security is maintained over time by
  • maintaining and continuously improving implemented countermeasures
  • adapting the security management system and defense-in-depth concept to changed threat landscape

Security service offering

How to introduce a security management system?
Inspiration
Note: IEC 62443-2-1 Ed 2.0 is still a work in progress and only available as a draft from ISA.

Two core concepts

Capability Maturity Indicator Levels
MIL 0: Generally, no practices are performed
MIL 1: Initial practices are performed but may be ad hoc
MIL 2: Practices are established
– Documented practices
– Stakeholder involvement
– Appropriate resources
– Relevant standards used
MIL 3: Practices are continuously managed
– Policies guide the practices, incl. compliance
– Continuous improvement
– Assigned responsibility and authority
– Role-specific training
Approach progression vs. Institutionalization progression

Cyber Security Capability Domains

ISO/IEC 62443-2-1
1. Risk Management
2. Information security policies
3. Organization of information security
4. Human resource security
5. Asset management
6. Access control
7. Cryptography
8. Physical and environmental security
9. Operations security
10. Communication Security
11. System acquisition, development and maintenance
12. Supplier relationships
13. Information security incident management
14. Information security aspects of business continuity management
15. Compliance

C2M2 (ONG & ES)
1. Risk Management
2. Asset, Change, and Configuration Management
3. Identity and Access Management
4. Threat and Vulnerability Management
5. Situational Awareness
6. Information Sharing and Communications
7. Event and Incident Response, Continuity of Operations
8. Supply Chain and External Dependencies Management
9. Workforce Management
10. Cybersecurity Program Management

Specific guidance from C2M2
Example: Reaching MIL-1
First step: Determine risk and define target maturity level for each domain
[Chart values as extracted: 2, 2, 11, 6, 9, 6, 6, 12, 4, 3]
Moving from MIL 0 to MIL 1 is a fairly big step

Lean approach
Stage 0 – Getting started

Objectives
Raise awareness in management and other relevant levels of the organization
– Often more effective if done by external entities
Identify areas of biggest risk generically
– Doesn’t have to be a very detailed audit
– Leverage general experience with regards to common causes of incidents
– Leverage general experience with regards to simple security countermeasures

ABB Cyber Security Services
– Awareness training
– Security assessment / fingerprint

Lean approach
Stage 1 – Introduce basic protection

Objectives
– Establish a foundation for cyber security in operations
– Mitigate the most common risks with countermeasures which the organization is capable of operating
– Demonstrate risk reduction effectiveness by selected examples
– Establish a context-specific, detailed understanding of risk

ABB Cyber Security Services
– Awareness training (continued)
– Security Patch Management
– Malware Protection Management
– System Hardening
– Backup & Recovery Management
– Network Security Management (at least perimeter)
– Basic security monitoring (of the above practices)
– Cyber Security Assessment
– Cyber Security Risk Assessment