ABB Cyber Security Services - library.e.abb.com · ABB’s approach to cyber security Cyber...

Date post: 09-Sep-2018
ABB MINING USER CONFERENCE, MAY 02-05, 2017 Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division
Page 1: ABB Cyber Security Services - library.e.abb.com · ABB’s approach to cyber security Cyber security roadmap –reaching maturity with ABB Cyber Security Services May 8, 2017 Slide

ABB MINING USER CONFERENCE, MAY 02-05, 2017

Cyber Security in Mining Automation

Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division

Why worry about cyber security?

ABB’s approach to cyber security

Cyber security roadmap – reaching maturity with ABB Cyber Security Services

May 8, 2017 Slide 2

Agenda

Why is cyber security an issue?

Cyber security in power and automation

May 8, 2017 Slide 3

Power and automation today

Modern automation, protection, and control systems are highly specialized IT systems

– Leverage commercial off the shelf IT components

– Use standardized, IP-based communication protocols

– Are distributed and highly interconnected

– Use mobile devices and storage media

– Based on software (> 50% of the ABB offering is software-related)

Cyber security issues

Increased attack surface as compared to legacy, isolated systems

Communication with external (non-OT) systems

Attacks from/over the IT world

Attacks are real and have an actual safety, health, environmental, and financial impact

Why is cyber security an issue?

Cyber security in power and automation

May 8, 2017 Slide 4

Attacks are real and have an actual safety, health, environmental, and financial impact

A few common myths

May 8, 2017 Slide 5

Myth #1 – We are not interesting enough to be a target

“Small companies and industries outside of media attention are not a relevant target”

False

– If it’s worth having, it’s worth stealing

– Attackers’ business models are often built on economies of scale

– Critical infrastructure is often a network of smaller entities

Myth #2 – Security doesn’t pay off

“Strong security is a waste of time and money”

False

– Compromised control systems are NOT reliable and trustworthy and can prevent the customer from achieving its mission.

– Misoperations due to cyber events can become a safety issue.

– Business continuity insurance can become more expensive or even unavailable.

Anyone can become a target; defenses should be risk-driven

A few common myths

May 8, 2017 Slide 6

Myth #3 – We are air-gapped so we’re immune

“Our system is air-gapped so attackers have no way in”

False

– Staff needs to get data into and out of the system

• Production schedules, engineering updates, …

• Production reports, emission reports, …

– Entirely isolated systems are extremely cumbersome and expensive to operate

• If no communication is built-in, convenient workarounds are improvised, e.g. unapproved networks, temporary connections, portable media

Myth #4 – We’re not on the Internet so we’re immune

“Our system does not have a direct connection to the Internet so attackers have no way in”

False

– Majority of incidents are staged attacks

• (Spear)phishing to compromise legitimate user accounts

• Compromise of perimeter networks first, e.g. DMZ, enterprise network

• Lateral movement to reach more interesting targets

Anyone can become a target; defenses should be risk-driven

Addressing a unique set of requirements

The Biggest Challenges

May 8, 2017 Slide 7

| | “Traditional” information technology | Power and automation technology |
|---|---|---|
| Object under protection | Information | Physical process |
| Risk impact | Information disclosure, financial loss | Safety, health, environmental, financial |
| Main security objective | Confidentiality, Privacy | Availability, Integrity |
| Security focus | Central Servers (fast CPU, lots of memory, …) | Distributed System (possibly limited resources) |
| Availability requirements | 95 – 99% (acceptable downtime/year: 18.25 – 3.65 days) | 99.9 – 99.999% (acceptable downtime/year: 8.76 hrs – 5.25 minutes) |
| System lifetime | 3 – 10 Years | 5 – 25 Years |

Why worry about cyber security?

ABB’s approach to cyber security

Cyber security roadmap – reaching maturity with ABB Cyber Security Services

May 8, 2017 Slide 8

Agenda

Three guiding principles

Cyber Security @ ABB

May 8, 2017 Slide 9

Reality: There is no such thing as 100% or absolute security

Process: Cyber security is not a destination but an evolving target – it is not a product but a process

Balance: Cyber security is about finding the right balance – it impacts usability and increases cost

Cyber security is all about risk management

A word from ABB’s CEO

ABB Cyber Security

May 8, 2017 Slide 10

“ABB recognizes the importance of cyber security in control-based systems and solutions for infrastructure and industry, and is working closely with our customers to address the new challenges.”

Ulrich Spiesshofer, CEO ABB

Full lifecycle coverage

ABB Cyber Security Approach

May 8, 2017 Slide 11

ABB addresses cyber security throughout the entire lifecycle and expects the same from our suppliers

Product: Design, Implementation, Verification, Release, Support

Project: Design, Engineering, FAT, Commissioning, SAT

Plant: Operation, Maintenance, Review, Upgrade

Why worry about cyber security?

ABB’s approach to cyber security

Cyber security roadmap – reaching maturity with ABB Cyber Security Services

May 8, 2017 Slide 12

Agenda

Three phases in a journey

May 8, 2017 Slide 13

Diagnose

Collect information for defined cyber KPIs

Identify risk and compliance status with

– international standards

– relevant regulations

– ABB best practices

– customer policy and requirements

Implement

Implement countermeasures to address the identified risks / gaps with defense-in-depth

Sustain

ABB Customer Care service agreements

– tailored to fit customer needs for regular maintenance

– ensure desired level of security is maintained over time by

• maintaining and continuously improving implemented countermeasures

• adapting the security management system and defense-in-depth concept to changed threat landscape

Diagram labels: Data, Collect, Store, View, Analyze, Interpret, Report

Security service offering

May 8, 2017 Slide 14

Inspiration

How to introduce a security management system?

May 8, 2017 Slide 16

Note: IEC 62443-2-1 Ed 2.0 is still a work in progress and only available as draft from ISA here

Two core concepts

May 8, 2017 Slide 17

Capability Maturity Indicator Levels

MIL 0: Generally, no practices are performed

MIL 1: Initial practices are performed but may be ad hoc

MIL 2: Practices are established

– Documented practices

– Stakeholder involvement

– Appropriate resources

– Relevant standards used

MIL 3: Practices are continuously managed

– Policies guide the practices, incl. compliance

– Continuous improvement

– Assigned responsibility and authority

– Role-specific training

Approach progression vs. Institutionalization progression

Cyber Security Capability Domains

ISO/IEC 62443-2-1

1. Risk Management

2. Information security policies

3. Organization of information security

4. Human resource security

5. Asset management

6. Access control

7. Cryptography

8. Physical and environmental security

9. Operations security

10. Communication Security

11. System acquisition, development and maintenance

12. Supplier relationships

13. Information security incident management

14. Information security aspects of business continuity management

15. Compliance

C2M2 (ONG & ES)

1. Risk Management

2. Asset, Change, and Configuration Management

3. Identity and Access Management

4. Threat and Vulnerability Management

5. Situational Awareness

6. Information Sharing and Communications

7. Event and Incident Response, Continuity of Operations

8. Supply Chain and External Dependencies Management

9. Workforce Management

10. Cybersecurity Program Management

First step: Determine risk and define target maturity level for each domain

Example: Reaching MIL-1

May 8, 2017 Slide 18

Specific guidance from C2M2

Moving from MIL 0 to MIL 1 is a fairly big step

Stage 0 – Getting started

Lean approach

May 8, 2017 Slide 19

Objectives

Raise awareness in management and other relevant levels of the organization

Identify areas of biggest risk generically

ABB Cyber Security Services

Awareness training

– Often more effective if done by external entities

Security assessment / fingerprint

– Doesn’t have to be a very detailed audit

– Leverage general experience with regards to common causes of incidents

– Leverage general experience with regards to simple security countermeasures

Stage 1 – Introduce basic protection

Lean approach

May 8, 2017 Slide 20

Objectives

Establish a foundation for cyber security in operations

Mitigate the most common risks with countermeasures which the organization is capable of operating

Demonstrate risk reduction effectiveness by selected examples

Establish a context-specific, detailed understanding of risk

ABB Cyber Security Services

Awareness training (continued)

Security Patch Management

Malware Protection Management

System Hardening

Backup & Recovery Management

Network Security Management (at least perimeter)

Basic security monitoring (of the above practices)

Cyber Security Assessment

Cyber Security Risk Assessment

Stage 2 – Defend your system

Lean approach

May 8, 2017 Slide 21

Objectives

Establish a security management system based on the risk assessment results

Establish security practices systematically

Reach compliance to relevant standards (e.g. NERC-CIP, IEC 62443-2-1)

ABB Cyber Security Services

Focused awareness training

Security policy & procedure development

Security Patch Management

Malware Protection Management

System Hardening

Backup & Recovery Management

Network Security Management

User & Access Management

Security Monitoring

Incident Response*

Cyber Security Assessment

Stage 3 – Manage your risks

Lean approach

May 8, 2017 Slide 22

Objectives

Continuously adapt and improve the security management system based on evolving threat landscape

Maintain & document compliance with relevant standards

ABB Cyber Security Services

Security policy & procedure development

Security Patch Management

Malware Protection Management

System Hardening

Backup & Recovery Management

Network Security Management

User & Access Management

Security Monitoring

Incident Response*

Threat Intelligence*

Conclusion

May 8, 2017 Slide 23

Introducing cyber security management into control system operations is a major change and can be overwhelming

Early steps must work towards a solid understanding of context-specific risks and prioritize these

In parallel, basic controls can be introduced which experience shows will be part of any security management system

Competent partners are available on the market to bridge transition periods or continuously provide services

Don’t be the deer in headlights – get started with small steps and look for partners!

Step-by-step to cyber security maturity

Assess & Diagnose

Cyber Security Fingerprint & Benchmark

May 8, 2017 Slide 25

Provides a comprehensive view of your site’s cyber security status

Identifies strengths and weaknesses for defending against an attack within your plant’s control systems

Reduces potential for system and plant disruptions

Increases plant and community protection

Supplies a solid foundation from which to build a sustainable cyber security strategy

Overview

It does NOT make the system completely secure.

Sample results

Cyber Security Fingerprint

May 8, 2017 Slide 26

Consulting

Cyber Security Training

May 8, 2017 Slide 27

Cyber security awareness training

– Raise awareness for cyber security threats and risks

– For various audiences (technical as well as management)

Product related security training

– Enables attendees to fully leverage the security capabilities of ABB products, including e.g.

• Configuration

• Administration

• Operation

Overview

Implement / Sustain

Security Patch Management

May 8, 2017 Slide 28

Modern operating systems and embedded software often need to be patched to defend against emerging threats.

Efficient patch management is an essential part of any security policy, but one that is often neglected.

This service includes the implementation and maintenance of systems that handle security updates for third party software (e.g. Microsoft or Adobe products).

Service can include

– Patch qualification

– Patch delivery (online or offline)

– Patch deployment

Overview

Implement / Sustain

Malware Protection Management

May 8, 2017 Slide 29

A common threat to control systems is infection with malware, often generic malware circulating on the Internet but also malware targeted at control systems. Common anti-virus solutions are a part of the security architecture recommended by ABB.

ABB experts secure your power and automation systems with industry-standard malware and intrusion protection solutions, like anti-virus protection and application whitelisting

Service can include

– AV signature updates qualification

– AV signature updates delivery (online)

– AV signature updates deployment

Overview

Offline solution – Security Patch Disc

Patch & Malware Protection Management

May 8, 2017 Slide 30

The Security Patch Disc Service provides an efficient way for customers with no remote connectivity to deploy security patches and antivirus data files

Benefits:

The resulting media removes the need for customers to locate the ABB documentation, find the appropriate patches, download them from the Internet, and transfer them via mobile media to the control system

Significantly reduced effort, but also reduced risk of transferring a virus or malware using mobile media (e.g. USB drive)

Overview

1) Patch Tuesday

- Microsoft releases monthly patches

- 2nd Tuesday of the month

2) ABB Updates Status Document

- ABB identifies the patches as tested and marks them as "T" in the Security Updates Validation Status product bulletins

- Product bulletins released to ABB Library, MCS, SolutionsBank

3) Security Patch Testing Executed

- ABB teams install and test the various ABB products for compatibility issues with security patches released

4) ABB Updates Status Document

- Patches then go from "Testing" to "Qualified".

- Patches may remain in the testing state if further work is needed.

5) Security Patch Disc Production

- Security Patch Disc master is produced, manufactured, and shipped.

Online solution – ABB Security Update Service

Patch & Malware Protection Management

May 8, 2017 Slide 31

The ABB Security Update Server is updated with the latest patches validated and approved by ABB:

– Microsoft patches (monthly update)

– McAfee and Symantec pattern files (as supported for the connected system – daily update)

The ABB Security Update Server synchronizes with the plant security server at the customer site. Servers are connected via ABB’s RAP/RAS service.

The plant security server on the customer site distributes the security updates to the connected ABB control system(s).

Overview

1. Microsoft patch monthly deployment – WSUS (Server)

2. Antivirus McAfee daily pattern updates – ePO Server (ePolicy Orchestrator)

3. Antivirus Symantec daily pattern updates – Symantec Endpoint Protection Server

Security Update Service for the automated distribution and deployment of ABB validated Cyber Security updates using highly secured methodology

Implement / Sustain

System Hardening

May 8, 2017 Slide 32

An important challenge in any cyber security management system is to maintain a system configuration that is as secure as possible – a task commonly referred to as system hardening.

This service lets you benefit from the in-depth expertise of ABB and the hardening policies that have been vetted rigorously by ABB’s product and service teams.

Hardening may include for example

– removal or deactivation of unused software and services and specific ports

– removal or deactivation of unused user accounts

– generally proper utilization of security options provided by the system, e.g.

• BIOS passwords in PCs

• disabling interactive login for service accounts

Overview

Implement / Sustain

Backup and Recovery Management

May 8, 2017 Slide 33

If the worst does happen, and a cyber-attack or natural disaster strikes, then ABB’s backup and emergency response services enable a rapid recovery to normal operations.

ABB’s back-up solutions ensure the integrity, and availability, of critical data and the system, no matter what happens to the original.

Overview

Implement / Sustain

Network Security Management

May 8, 2017 Slide 34

Firewalls protect the perimeter of a network against outsider intrusion.

ABB’s managed firewall service ensures your perimeter protection is actively monitored and maintained.

Segregated networks allow for easier enforcement of the principle of least privilege at the network communication level. Segregation is also crucial to contain potential incidents to a defined subsystem and to prevent a single breach of security from spreading throughout the entire system and into other systems.

A well-designed security policy will separate the network into distinct, controlled zones, protected by internal firewalls to ensure that a compromised server doesn’t mean compromising the entire network.

Overview

Diagnose

Cyber Security Assessment

May 8, 2017 Slide 35

In-depth survey to obtain detailed information about

– the system infrastructure

– the effectiveness and status of existing cyber security measures.

The assessment is carried out by ABB in close cooperation with the customer and within a clearly defined scope of work.

Collected data is compared against industry best practices and standards to detect weaknesses within your system’s defense.

Pinpoints areas that require action to help protect your system by ensuring it has multiple layers of security.

Proposes a solution that will maintain the system's cyber security at best-practice levels

Overview

Consulting

Cyber Security Risk Assessment

May 8, 2017 Slide 36

This service contains an IEC 62443 based process for performing cyber security risk assessments. The assessment is intended to improve the security of the products and systems, provide a threat- and risk-based evaluation of the security status, and produce a plan for prioritizing the threats and risks to the control system.

Risk assessment identifies and qualitatively assesses the risk an organization is exposed to

Security assessment checks compliance with given requirements, e.g. from internal, national or international standards or regulations

Overview

Consulting

Cyber Security Policies & Procedures

May 8, 2017 Slide 37

Cyber Security will always be a challenge on a global scale; no single solution can keep increasingly interconnected systems secure

ABB works with customers to understand your processes and procedures, group security policies and computer settings to create a defense-in-depth approach

Multiple security layers detect and deter threats – if, where and when they may arise.

Overview

Implement / Sustain

User & Access Management

May 8, 2017 Slide 38

Implementing user accounts and access rights is the recommended mechanism to enforce the principle of least privilege on the user level. Defining user access rights and user policies are important measures.

Typical user definitions to be implemented are accounts for the process control system, the demilitarized zone and remote work.

This service gives the customer peace of mind that users of the system always have the approved and relevant access rights.

Overview

Sustain

Cyber Security Monitoring Service

May 8, 2017 Slide 39

Identifies, classifies and helps prioritize opportunities to improve the security of your control system by comparing data collected against industry best practices and standards to detect security vulnerabilities.

Features:

– Automatic, non-invasive data gathering

– Proactive analysis of KPIs to detect possible security weaknesses

– On-demand analysis

– On-site or remote access for site personnel and ABB experts

– Configurable alerts (locally and e-mail)

Overview

User interface

Cyber Security Monitoring Service

May 8, 2017 Slide 40

Raw Data

– View shows raw data associated with each channel

Notification

– Track (event-triggered) generates notifications based on predefined KPIs

Math Function

– Scan (scheduled) presents KPIs generated from raw data through periodic diagnostic monitoring
