Post on 24-Aug-2020
© ABB Inc. September 24, 2012 | Slide 1
Securing Plant Operation: The Important Steps
Stevens Point, WI
Purpose of this Presentation
During this presentation, we will introduce the subject of
securing your control system and the principles to bear
in mind when designing security for a system:
Least Privilege
Least Function
Defense in Depth
To explain the major security controls that should be deployed to your control system as a baseline, e.g. patch management, antivirus, hardening, system recovery.
To explain the services ABB offers to help implement a secure environment.
Three Key Issues to Address in System Vulnerability
Network connectivity
More and more connectivity is desired or even
required
An “air gap” is not as secure as many imagine
Removable Media
May be a valid use of the system with bad results
Restrictions on use
Proper procedures for necessary use
Users of the system
Protection against intentional mischief
Training to protect against mistakes and human
engineering
Defense in Depth
Standardization landscape: scope and completeness of selected standards (figure)
Figure axes: Completeness (Technical Aspects, Management Aspects, Details of Operations) against Design Details; Relevance for Operator versus Manufacturer; sectors Energy, Industrial Automation and IT.
Standards placed in the figure: ISA 99*, NIST 800-53, IEC 62351, NERC CIP, ISO 27K, CPNI, IEEE P 1686.
* Since the closing of the ESCoRTS project, ISA decided to relabel the ISA 99 standard to ISA 62443 to make the alignment with the IEC 62443 series more explicit and obvious.
Two Important Principles Common to Most Standards
Principle of Least Privilege
No user should have more rights and permissions
than needed to perform his function in the system
Principle of Least Function
Only the functions needed for the system to
accomplish its purpose should be present or
enabled in the system
Example: Least Privilege Considerations
Is there a real strategy for the membership of groups such as Operators, Engineers, Administrators?
Do these groups have wide-ranging permissions?
Are personnel routinely added to multiple groups?
No operator should log onto a control system machine as an administrator.
No engineering user should log on as an administrator unless there is a need to perform administrative duties and they have this responsibility. Even engineering accounts should have limitations on their rights that limit them to the activities that are part of their jobs.
The powerful service account should not be used for any other purpose. Local login should be disabled in the security policy for the service account.
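The least-privilege questions on this slide can be checked on each node with a short script. The following PowerShell script is an added example, not part of the ABB presentation or its service offering: it lists members of the node's local Administrators group that are not on an expected list, flags operator or engineering groups found there, and confirms that the service account appears in the "Deny log on locally" user right, which is what "local login should be disabled in the security policy" means in Windows terms. The domain and account names (CONTROL\CSAdmins, CONTROL\svc-800xA, CONTROL\Operators, CONTROL\Engineers) are assumed placeholders; Get-LocalGroupMember needs Windows PowerShell 5.1 or later and secedit needs an elevated prompt.

```powershell
# Added example (not from the ABB deck): audit one control system node against the
# least-privilege points above. The group, account and domain names are assumptions.
#Requires -RunAsAdministrator
param(
    # Accounts that are allowed to be local Administrators (assumed names)
    [string[]]$AllowedAdmins  = @('CONTROL\CSAdmins', 'CONTROL\svc-800xA'),
    # The powerful service account that must never log on interactively (assumed)
    [string]$ServiceAccount   = 'CONTROL\svc-800xA',
    # Operator/engineering groups that should never hold administrator rights (assumed)
    [string[]]$NonAdminGroups = @('CONTROL\Operators', 'CONTROL\Engineers')
)

$findings = @()

# 1. Who is actually in the local Administrators group on this node?
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
foreach ($member in $admins) {
    if ($AllowedAdmins -notcontains $member) {
        $findings += "Unexpected member of local Administrators: $member"
    }
    if ($NonAdminGroups -contains $member) {
        $findings += "Operator/engineering group granted administrator rights: $member"
    }
}

# 2. Is the service account denied local (interactive) logon?
# secedit exports the effective local security policy. SeDenyInteractiveLogonRight lists
# accounts either by name or as *SID entries, so both forms are resolved to DOMAIN\name.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

$denied = @()
if ($line) {
    $denied = @(($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }   # unresolvable SID: keep it as-is so it still shows in output
        } else { $entry }
    })
}
if ($denied -notcontains $ServiceAccount) {
    $findings += "Service account $ServiceAccount is not in 'Deny log on locally'"
}

# 3. Report
if ($findings.Count -eq 0) {
    Write-Output 'Least-privilege checks passed on this node.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it on each operator workplace and server during the audit and keep the warnings as audit evidence; an empty findings list is the expected state after the group strategy on this slide has been implemented. In a domain the same questions should also be asked of the domain groups that are nested into the local Administrators group, since the script only sees the direct members.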
Example: Least Function Considerations
Is there any software loaded on the system that doesn't need to be there, such as games that come with default loads of Windows?
Are any services enabled that don't need to be?
Are any network ports open that don't need to be?
Is removable media access required to accomplish the functions of the control system computers?
Should servers in the system be used as operating screens?
Perhaps operating workplaces should limit which accounts can log in based on function
Network Architecture Considerations
Is the control system network completely isolated from any other network?
If connected to another network, does it use a firewall to segregate the networks?
Has the firewall been specifically configured for the least access required?
Is any use of RPC (DCOM) permitted through the firewall such as for classic OPC? (If so,
a tunneling product should be used to eliminate this.)
Are there any dual homed hosts in use? (One NIC on the control system LAN and one
NIC on another network such as the corporate network)
Does the ABB control system share a domain controller with any other control system or
with an enterprise domain?
Is wireless in use? If so, does it use secure encryption? (WPA Enterprise, Radius Server,
IPSEC)
Are there any dial up connections to the system?
Are there any direct connections such as an EWS or Historian on the corporate network
bypassing the firewall? (An example here is a historian on the corporate network
connected to an Infi90 system via a CIU.)
Any remote connections to the system? Do they use a reverse tunneling technology or
are they initiated from outside the firewall? If from outside do they use VPN?
User Account Policies
Establish hierarchy of User Accounts (operator, tech,
admin, etc)
Even an Administrator should not log on as Administrator
except to perform those duties
Domain wide policy to enforce:
Password Requirements and Role Association
Define Remote Access Security
Operator Group Policy that restricts access to Desktop and
Applications
Shared Operator Accounts – are they okay by standards
such as ISA99 and NERC?
Password Policies
Standard practice today is complex passwords and regular
changes, but this may not be possible for some accounts in a
process control environment.
What about shared operator accounts?
800xA User Account Model
User access is controlled by a three-dimensional model: Person x Object x Function.
A role-based access is implemented.
The system restricts access according to the user and user role configuration. For example, the Operator role can acknowledge alarms.
Security can be further defined for an individual user on a process section basis or even an individual tag basis. For example, Unit 1 operators can acknowledge alarms only for Unit 1.
All accesses and changes to the 800xA system and data are logged and tracked in the audit trail.
Services
A required services list is published for each product
Programs that start without user intervention
Can be configured to start automatically or manually or not at all
Can configure which account starts the program
Securing Removable Media
Why secure removable media?
June 2010 – Stuxnet, which spread via infected removable USB media, is discovered. It is the first malware application to include a PLC rootkit.
Methods
First line of defense: Physical restriction to computers + BIOS protection
Second line of defense: Physical locks on available ports
Third line of defense: Deny OS access to removable media using Group Policy or a 3rd party solution
Securing Removable Media Methods
Hardware Locks
Samples
BIOS protection from boot off USB device
Microsoft Group Policy
Group Policy Management Console
3rd Party endpoint protection
Several free and paid 3rd party utilities
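The "third line of defense", denying OS access to removable media through Group Policy, leaves a verifiable footprint in the registry of every node, so its state can be audited independently of the domain. The PowerShell script below is an added example and not ABB's tooling: it checks the values written by the Removable Storage Access and AutoPlay policies, plus the USBSTOR driver start type, and reports what is missing. The registry paths and the Removable Disks device class GUID are standard Windows values; the -Enforce switch is this example's own and writes the values directly, which is only appropriate on stand-alone nodes, since on domain members the GPO should carry the setting.

```powershell
# Added example (not from the ABB deck): audit the OS-level denial of removable media on
# one Windows node. Each check names the Group Policy setting that writes the value.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Enforce)   # assumed switch: write the expected values where they are missing

$policyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$removableDisks = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'   # Windows "Removable Disks" device class

$checks = @(
    # Computer Configuration > Administrative Templates > System > Removable Storage Access
    @{ Name = 'All Removable Storage classes: Deny all access'
       Path = $policyRoot; Value = 'Deny_All'; Expected = 1 },
    @{ Name = 'Removable Disks: Deny read access'
       Path = "$policyRoot\$removableDisks"; Value = 'Deny_Read'; Expected = 1 },
    @{ Name = 'Removable Disks: Deny write access'
       Path = "$policyRoot\$removableDisks"; Value = 'Deny_Write'; Expected = 1 },
    @{ Name = 'Removable Disks: Deny execute access'
       Path = "$policyRoot\$removableDisks"; Value = 'Deny_Execute'; Expected = 1 },
    # Administrative Templates > Windows Components > AutoPlay Policies > Turn off AutoPlay (all drives)
    @{ Name = 'Turn off AutoPlay on all drives'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Expected = 255 },
    # Not a policy setting: the USB mass-storage driver itself disabled (Start = 4)
    @{ Name = 'USBSTOR driver disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'; Value = 'Start'; Expected = 4 }
)

$nonCompliant = 0
foreach ($c in $checks) {
    $actual = $null
    if (Test-Path $c.Path) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    }
    if ($actual -eq $c.Expected) {
        Write-Output ("OK      {0}" -f $c.Name)
        continue
    }
    $nonCompliant++
    Write-Warning ("MISSING {0} ({1} is '{2}', expected {3})" -f $c.Name, $c.Value, $actual, $c.Expected)
    if ($Enforce -and $PSCmdlet.ShouldProcess($c.Path, "set $($c.Value)=$($c.Expected)")) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -PropertyType DWord -Force | Out-Null
    }
}

# The first two lines of defense (physical locks, BIOS boot order and passwords) cannot be
# verified from inside the OS; record them separately in the audit.
Write-Output ("{0} of {1} removable-media settings non-compliant" -f $nonCompliant, $checks.Count)
```

Run with `-Enforce -WhatIf` first to see which values would change. Where a node legitimately needs removable media (for example for the validated update CD procedure), the policy should be lifted only for that maintenance window and this script re-run afterwards to confirm it is back in place.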
Securing Removable Media: Control Access using Hardware Lock Mechanism
Always restrict physical access to the machines as much as possible even if USB locks are used!
Two types of locking mechanisms (figure):
Effective = Secure
Cosmetic = Dust Protection ("Child Proof Locking")
Patch Management
Patch management – Must be certain that no change to the
system will adversely affect operation. Patches must be kept
current within 30 days. NERC CIP-007, ISA TR99.02.03
Ports and services required for the applications must be
identified and only those ports and services may be enabled –
NERC CIP-007, ISA 99.03 SR 7.6, 7.7
Account management – Authentication and accountability
required, principle of least privilege, security audit trail, periodic
review, password policies, personnel changes NERC CIP-007,
ISA 99.03 SR 1.1, 1.2, 6.2
Security Updates – Patch Management
Which updates are validated for my system?
Where do I get the updates?
How do I install the updates?
Which updates are validated for my system?
Find the validated update document for your products at:
http://solutionsbank.abb.com
Where do I get the updates?
Subscribe to Sentinel
Can retrieve update documentation from Solutionsbank
New add on service for Sentinel Subscribers
Sentinel subscribers can receive a Security Update CD in the mail as they are released. These update CDs currently only support 800xA 5.0 and 5.1 systems, but other systems are being considered for inclusion.
Download from Solutionsbank
As the updates are validated and compiled for the Security Update CD, they are also made available as a download in Solutionsbank.
Automatic Downloads with WSUS
Utilizing WSUS services from Microsoft, all updates can be downloaded, approved by you based on the ABB Validated Update document, and installed to all nodes in your system using the built-in Windows Update feature.
Manual Downloads
ABB validated updates can also be downloaded manually, directly from the validated update document. Each update listed in the document includes a hyperlink to Microsoft's TechNet update site.
How do I install the updates?
Generally the procedure to install the updates will depend on how you got them.
If you received the CD in the mail, all you need to do is perform a maintenance stop on the node you want to install to, and install from the CD. The security update installation window will appear, prompting you to begin the install. After all of the updates have installed, reboot the node to restart all of the ABB services.
If you downloaded the update file from Solutionsbank, unzip the file and burn it to a CD; the procedure is then the same as above. You can also copy the files to a USB flash drive or a network share and run the install from there.
If you manually downloaded the files, either from the links in the update document or by another manual process, the files need to be installed individually. It is possible to automate the installation process by creating a batch file to install the updates.
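For the manual-download case, the batch file mentioned above is where the security control belongs: the script should refuse anything that is not on the validated update list, so that a stray package in the folder cannot reach a control system node. The following PowerShell script is an added example, not ABB's procedure or tooling; it installs the .msu files in a folder with wusa.exe, skipping any whose KB number is not in the validated list, logs the outcome of each, and reports whether the reboot that restarts the ABB services is needed. The folder and log paths are assumptions and the validated KB numbers are constructed stand-ins for the ABB validated update document; the wusa exit codes handled are the documented Windows values.

```powershell
# Added example (not the ABB procedure): install manually downloaded updates, but only
# those listed as validated. Paths and KB numbers below are constructed placeholders.
param(
    [string]$UpdateFolder = 'D:\Updates',                      # assumed
    [string]$LogFile      = 'C:\Security\update-install.log'   # assumed
)

# Constructed stand-in for the ABB validated update document (the real list comes from Solutionsbank)
$validatedKBs = @('KB2000000', 'KB2000001')

New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
function Write-Log([string]$msg) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $msg
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

$rebootNeeded = $false
foreach ($msu in Get-ChildItem -Path $UpdateFolder -Filter *.msu) {
    # Standalone packages carry the KB number in the file name, e.g. Windows6.1-KB2000000-x64.msu
    if ($msu.Name -notmatch 'KB\d+') { Write-Log "SKIP $($msu.Name): no KB number in file name"; continue }
    $kb = $Matches[0]
    if ($validatedKBs -notcontains $kb) { Write-Log "SKIP $($msu.Name): $kb is not on the validated list"; continue }

    # wusa.exe installs a standalone update; /quiet suppresses the UI and /norestart leaves the
    # reboot to the maintenance stop procedure rather than rebooting a running node by itself.
    $p = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$($msu.FullName)`" /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { Write-Log "OK   $kb installed" }
        3010    { Write-Log "OK   $kb installed, reboot required"; $rebootNeeded = $true }   # ERROR_SUCCESS_REBOOT_REQUIRED
        2359302 { Write-Log "SKIP $kb already installed" }                                   # 0x240006 WU_S_ALREADY_INSTALLED
        2359303 { Write-Log "SKIP $kb not applicable to this node" }                         # 0x240007 WU_E_NOT_APPLICABLE
        default { Write-Log ("FAIL {0} exit code {1}" -f $kb, $p.ExitCode) }
    }
}
if ($rebootNeeded) { Write-Log 'Reboot the node during the maintenance stop to restart the ABB services' }
```

Keep the log with the maintenance records: it is the evidence that the node was patched only with validated updates and within the 30-day window cited on the Patch Management slide.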
Example References
Recovery Plans for Critical Cyber Assets
Recovery plans must be documented including who is
responsible
Plans must be tested at least annually including walking through
a simulated loss and recovery
These plans are not limited to backing up software, but may
include recording configuration settings, etc.
Backups can be made without affecting normal plant operation
The system shall support automating this function
Software backup media must be tested
NERC CIP-009, ISA99.03 SR 7.3
Question:
What type of backups do I need to make?
Answer:
What type of failure are you going to have?
Software Backup Strategies
Application Backups
Disk Image Backups
Active Directory Backups
Domain Controller Backups
Scheduling Considerations
Verifying Backups
Application backups vs. image backups
Application Backups
Backs up specific data and configuration for an application or
project.
Great for restoring pieces of lost information.
Useful for replacing corrupt files
Only needed as often as the data changes.
Not OS or hardware specific but usually version specific
Does not back up the application itself.
Great for upgrades
Application backups vs. Image backups
Disk Images
Full sector by sector image of the entire drive or partition.
Great for reloading the entire disk or computer.
Fastest recovery method for a failed hard drive.
Useful for creating off-line virtual systems for troubleshooting
issues.
Regulatory compliance for testing backups can be met through
virtualization.
File and folder information can be restored through mounting the
image as a drive.
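"Software backup media must be tested" and "Verifying Backups" need something mechanical behind them: an image set that was silently truncated on copy or corrupted on the media is discovered only at restore time unless its integrity is checked first. The PowerShell script below is an added example, not ABB's backup service: in Create mode it writes a SHA-256 manifest of the image set right after imaging, and in Verify mode it checks every file on the media against that manifest (presence, size and hash). Paths and the manifest format are this example's own assumptions.

```powershell
# Added example (not ABB's backup tooling): record and verify a SHA-256 manifest of a
# disk image set. Folder and file names are assumed placeholders.
param(
    [Parameter(Mandatory)][ValidateSet('Create', 'Verify')][string]$Mode,
    [string]$ImageFolder = 'E:\Images\OPS1',                  # assumed
    [string]$Manifest    = 'E:\Images\OPS1\manifest.sha256'   # assumed
)

# One line per file: <sha256>TAB<size in bytes>TAB<path relative to the image folder>
function New-Manifest {
    $root = $ImageFolder.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse -File |
        Where-Object { $_.FullName -ne $Manifest } |
        ForEach-Object {
            $rel = $_.FullName.Substring($root.Length + 1)
            "{0}`t{1}`t{2}" -f (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash, $_.Length, $rel
        } | Set-Content -Path $Manifest
}

# Returns $true only when every manifest entry is present, the right size and the right hash.
# Size is compared first because it is cheap and catches truncated copies without hashing.
function Test-Manifest {
    $bad = 0; $count = 0
    foreach ($line in Get-Content $Manifest) {
        $hash, $size, $rel = $line -split "`t", 3
        $count++
        $path = Join-Path $ImageFolder $rel
        if (-not (Test-Path $path)) { Write-Warning "MISSING $rel"; $bad++; continue }
        if ((Get-Item $path).Length -ne [long]$size) { Write-Warning "SIZE    $rel"; $bad++; continue }
        if ((Get-FileHash -Path $path -Algorithm SHA256).Hash -ne $hash) { Write-Warning "HASH    $rel"; $bad++ }
    }
    Write-Output ("{0} files checked, {1} problems" -f $count, $bad)
    return ($bad -eq 0)
}

switch ($Mode) {
    'Create' { New-Manifest; Write-Output "Manifest written to $Manifest" }
    'Verify' { if (-not (Test-Manifest)) { exit 1 } }
}
```

The manifest should be stored with the recovery plan documentation as well as on the media, so that a damaged manifest on the media does not mask damaged images. An intact hash proves the media, not the restore: the virtualization-based restore test mentioned above is still what demonstrates the image boots and the application comes up.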
Services to help secure the system
Security Support Services
Software Backup Services
Patch Management Services
Change Management and Security Logging
These services are available for Microsoft
Windows based systems:
800xA – All connectivity options
Symphony – Process Portal B, Conductor NT, Conductor VMS
clients
Security Support Services Solutions
Audits and policy validation
Compatibility testing
System hardening and policy
implementation
Documentation and training
Consulting
ABB Cyber Security Audit and Hardening Services
Regulatory and Standards Considerations
ABB bases our recommendations and service offerings
on internationally recognized principles and best
practices.
Regulations are the key element driving some market
segments and help define our programs. Examples:
NERC CIP - Has force of law in US
OLF Guideline 104 - Best Practice widely adopted in
Oil and Gas industry
Existing and emerging standards help define what steps
are taken. Examples:
ISA99
ISO 27002
NIST 800-53
Services and Ports
A very important step for securing computers is to eliminate unneeded services and network ports
Services and ports are audited to record their current state and are compared to the
ABB required services documentation
Any required third party services are reviewed
All others are disabled or uninstalled
Reduces the amount of functions for the computer
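The audit described on this slide, and the "services enabled that don't need to be" and "ports open that don't need to be" questions from the Least Function slide earlier, come down to one comparison: what the node is actually running and listening on versus the required services list. The PowerShell script below is an added example, not ABB's audit tooling: it reports services that are running or able to start but are not on the list, required services that are missing or have the wrong start type, and listening TCP ports that no required service accounts for, together with the owning process. The required-services list is constructed inline for the example (ExampleControlSvc and its ports are placeholders; the others are standard Windows service names); in practice it is loaded from the ABB required services document for the product. The -Disable switch is this example's own.

```powershell
# Added example (not ABB's audit tooling): compare a node's services and listening TCP
# ports with a required-services list and report everything not accounted for.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Disable)   # assumed switch: also stop and disable services not on the list

# Constructed required-services list: service name, expected start type, TCP ports it listens on
$requiredCsv = @'
Name,StartType,Ports
EventLog,Automatic,
RpcSs,Automatic,135
LanmanServer,Automatic,445
W32Time,Manual,
ExampleControlSvc,Automatic,5000;5001
'@
$required      = $requiredCsv | ConvertFrom-Csv
$requiredNames = @($required.Name)
$requiredPorts = @()
foreach ($r in $required) {
    if ($r.Ports) { $requiredPorts += @($r.Ports -split ';' | ForEach-Object { [int]$_ }) }
}

$findings = 0

# 1. Services present on the node that are running or able to start but are not required
foreach ($s in Get-Service) {
    if ($requiredNames -contains $s.Name) { continue }
    if ($s.Status -ne 'Running' -and $s.StartType -eq 'Disabled') { continue }   # already neutralised
    $findings++
    Write-Warning ("Not required: {0} ({1}, StartType={2})" -f $s.Name, $s.Status, $s.StartType)
    if ($Disable -and $PSCmdlet.ShouldProcess($s.Name, 'stop and disable')) {
        if ($s.Status -eq 'Running') { Stop-Service -Name $s.Name -Force }
        Set-Service -Name $s.Name -StartupType Disabled
    }
}

# 2. Required services that are missing or configured differently from the list
foreach ($r in $required) {
    $svc = Get-Service -Name $r.Name -ErrorAction SilentlyContinue
    if (-not $svc) { $findings++; Write-Warning "Required service missing: $($r.Name)"; continue }
    if ("$($svc.StartType)" -ne $r.StartType) {
        $findings++
        Write-Warning ("Required service {0} StartType is {1}, expected {2}" -f $r.Name, $svc.StartType, $r.StartType)
    }
}

# 3. Listening TCP ports that no required service accounts for, with the owning process
foreach ($l in Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique) {
    if ($requiredPorts -contains $l.LocalPort) { continue }
    $findings++
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Warning ("Unexpected listener {0}/tcp, process {1} (PID {2})" -f $l.LocalPort, $proc.ProcessName, $l.OwningProcess)
}

Write-Output "$findings discrepancies against the required-services list"
```

Run it without -Disable first and review the warnings against the ABB document and any third-party services the site has approved; only then run with `-Disable -WhatIf` and finally `-Disable` during a scheduled maintenance window, since stopping a service a control application depends on is an outage. Saving the output from each audit gives the "before" and "after" record that the hardening report needs.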
Additional Security Principles Reviewed: Recommendations Made
Physical Restriction to Interfaces
Removable Media Policies and Settings
BIOS Boot Settings and Configuration Passwords
Security Policy Administration
Principle of Least Privilege
Use of shared accounts
Standards for desktop lockdown
Auditing of Security Events
Reporting of Patch Management and Antivirus Deficiencies
Network Architecture Considerations
Reporting
Detailed reporting provides easy to interpret summary
Also provides details of discrepancies with the customer's own policy or ABB secure default policies
Provides recommendations to correct deficiencies
Security Support Services: System Hardening and Policy Implementation
User Roles, Access Control and Workstation
Hardening
Establish hierarchy of User Accounts (operator, tech,
admin, etc)
Domain wide policy to enforce:
Password Requirements and Role Association
Define Remote Access Security
Operator Group Policy that restricts access to Desktop and
Applications
Provide hardening services as applicable
Close unnecessary ports
Disable non-essential services
Security Support Services: System Hardening and Policy Implementation
Schedule appropriate time for implementation
Often changes can be done with no impact on operations, but an attitude
of caution may be prudent depending on the process
Software upgrades and major system changes may be recommended if
operating systems are obsolete
Depending on changes, an outage may be required, e.g. if software
upgrades are required
Implement changes on site
Configuration with firewall and other mechanisms
Most changes can be made with group policies if the system is in a
domain
Final test of all changes in the operating environment
Prepare final report of 'as delivered' changes
Security Support Services: Consulting and on-going compliance support
The system is likely to fall out of compliance over time, as a
result of:
Intentional or unintentional changes
Replacements of PCs
Software reloads, upgrades, etc.
New threats
Periodic Audits to ensure correct settings
Discussions with the plant personnel responsible for the
program to make sure the program is meeting their needs
Security Support Services: Consulting and on-going compliance support
Provide training as turnover of security responsible personnel
occurs in the plant
Create procedure documents for loading computers with correct
security policy settings
Implement policy requirements for new equipment added to
plant or on any replacements shipped to plant
Implement a secure remote connection to your system
For remote support from ABB (see our remote enabled
services demonstration in the US Services exhibit)
For your own use to securely connect to the system from a
remote location
Software Backup Services: Purposes
A service to safeguard the data and configuration of the
system against loss
A service to enable rapid recovery from a computer device
failure
A service to maintain the data needed in the process of an
upgrade of the applications
A service that verifies system recovery data is valid
A service to help in meeting regulatory requirements such as
NERC CIP regulations regarding disaster recovery
Software Backup Services: Features
Hard drive imaging to a central server
Configuration backups in addition to imaging
Customized scheduling and scripting to automate the update of
images
ABB tested bandwidth and CPU utilization to avoid performance
problems
Full domain integration
Backup image testing
Restoration training
Patch Management Services: Software updates
Update ABB control system applications
Install MS Operating System Hotfixes and Patches as
applicable
Submit Summary Report with as-hardened “baseline”
Prepare Patch Management Process documentation
Option for quarterly or semi-annual return service for
updating available
Option for installation of an update server for automating
roll-out of Windows Security Patches
Patch Management Services: Anti-Virus / Malware Protection
Load and configure Antivirus in accordance with ABB
guidelines for application performance
Update Virus Scan Engine
Load current definition files
Configure Automated Scan schedule
Submit Summary Report
Option for installation of an update server for automating
update of Anti-Virus updates
Security Solutions: Secure Remote Access
Connection to Corporate Network via Router w/ Firewall or
DMZ.
Allows for Remote Diagnostics for Control System support
Can Support WSUS (Windows Update) and Anti Virus
Updates
Allows for Remote Operator and Engineering Clients
Secured as Read-Only
Configured for off-site Operation and Maintenance
Service Environment™: Cyber Security Service Portfolio
Risk Assessment
Create asset register
Criticality classification
Support security policy creation
Support creation of a security organization
Gap analysis and Services design
Infrastructure for Services delivery
Maintenance of System Recovery Plan
User Management
ABB Remote Monitoring and Operations Room
Anti virus management
Microsoft Patch Management
System backup/restore management
NIDS/HIDS Management
Virus removal