ABB MINING USER CONFERENCE, MAY 02-05, 2017
Cyber Security in Mining Automation
Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division
Agenda
Why worry about cyber security?
ABB’s approach to cyber security
Cyber security roadmap – reaching maturity with ABB Cyber Security Services
May 8, 2017 Slide 2
Cyber security in power and automation
Why is cyber security an issue?

Power and automation today
Modern automation, protection, and control systems are highly specialized IT systems
– Leverage commercial off-the-shelf IT components
– Use standardized, IP-based communication protocols
– Are distributed and highly interconnected
– Use mobile devices and storage media
– Based on software (> 50% of the ABB offering is software-related)

Cyber security issues
Increased attack surface as compared to legacy, isolated systems
Communication with external (non-OT) systems
Attacks from/over the IT world
Attacks are real and have an actual safety, health, environmental, and financial impact
A few common myths

Myth #1 – We are not interesting enough to be a target
“Small companies and industries outside of media attention are not a relevant target”
False
– If it’s worth having, it’s worth stealing
– Attackers’ business models are often built on economies of scale
– Critical infrastructure is often a network of smaller entities

Myth #2 – Security doesn’t pay off
“Strong security is a waste of time and money”
False
– Compromised control systems are NOT reliable and trustworthy and can prevent the customer from achieving its mission.
– Misoperations due to cyber events can become a safety issue.
– Business continuity insurance can become more expensive or even unavailable.

Myth #3 – We are air-gapped so we’re immune
“Our system is air-gapped so attackers have no way in”
False
– Staff needs to get data into and out of the system
• Production schedules, engineering updates, …
• Production reports, emission reports, …
– Entirely isolated systems are extremely cumbersome and expensive to operate
• If no communication is built in, convenient workarounds are improvised, e.g. unapproved networks, temporary connections, portable media

Myth #4 – We’re not on the Internet so we’re immune
“Our system does not have a direct connection to the Internet so attackers have no way in”
False
– The majority of incidents are staged attacks
• (Spear)phishing to compromise legitimate user accounts
• Compromise of perimeter networks first, e.g. DMZ, enterprise network
• Lateral movement to reach more interesting targets

Anyone can become a target, defenses should be risk-driven
The Biggest Challenges
Addressing a unique set of requirements

                           “Traditional” information technology                  | Power and automation technology
Object under protection    Information                                           | Physical process
Risk impact                Information disclosure, financial loss                | Safety, health, environmental, financial
Main security objective    Confidentiality, privacy                              | Availability, integrity
Security focus             Central servers (fast CPU, lots of memory, …)         | Distributed system (possibly limited resources)
Availability requirements  95 – 99% (accept. downtime/year: 18.25 – 3.65 days)   | 99.9 – 99.999% (accept. downtime/year: 8.76 hrs – 5.25 minutes)
System lifetime            3 – 10 years                                          | 5 – 25 years
Cyber Security @ ABB
Three guiding principles
Reality: There is no such thing as 100% or absolute security
Process: Cyber security is not a destination but an evolving target – it is not a product but a process
Balance: Cyber security is about finding the right balance – it impacts usability and increases cost
Cyber security is all about risk management
ABB Cyber Security
A word from ABB’s CEO
“ABB recognizes the importance of cyber security in control-based systems and solutions for infrastructure and industry, and is working closely with our customers to address the new challenges.”
Ulrich Spiesshofer, CEO ABB
ABB Cyber Security Approach
Full lifecycle coverage
ABB addresses cyber security throughout the entire lifecycle and expects the same from our suppliers
Product: Design – Implementation – Verification – Release – Support
Project: Design – Engineering – FAT – Commissioning – SAT
Plant: Operation – Maintenance – Review – Upgrade
Three phases in a journey

Diagnose
Collect information for defined cyber KPIs
Identify risk and compliance status with
– international standards
– relevant regulations
– ABB best practices
– customer policy and requirements

Implement
Implement countermeasures to address the identified risks / gaps with defense-in-depth

Sustain
ABB Customer Care service agreements
– tailored to fit customer needs for regular maintenance
– ensure the desired level of security is maintained over time by
• maintaining and continuously improving implemented countermeasures
• adapting the security management system and defense-in-depth concept to the changed threat landscape

Data flow: Collect – Store – View – Analyze – Interpret – Report

Security service offering
How to introduce a security management system?
Inspiration
Note: IEC 62443-2-1 Ed 2.0 is still a work in progress and only available as a draft from ISA.
Two core concepts

Capability Maturity Indicator Levels
MIL 0: Generally, no practices are performed
MIL 1: Initial practices are performed but may be ad hoc
MIL 2: Practices are established
– Documented practices
– Stakeholder involvement
– Appropriate resources
– Relevant standards used
MIL 3: Practices are continuously managed
– Policies guide the practices, incl. compliance
– Continuous improvement
– Assigned responsibility and authority
– Role-specific training
Approach progression vs. institutionalization progression

Cyber Security Capability Domains
ISO/IEC 62443-2-1:
1. Risk Management
2. Information security policies
3. Organization of information security
4. Human resource security
5. Asset management
6. Access control
7. Cryptography
8. Physical and environmental security
9. Operations security
10. Communication security
11. System acquisition, development and maintenance
12. Supplier relationships
13. Information security incident management
14. Information security aspects of business continuity management
15. Compliance
C2M2 (ONG & ES):
1. Risk Management
2. Asset, Change, and Configuration Management
3. Identity and Access Management
4. Threat and Vulnerability Management
5. Situational Awareness
6. Information Sharing and Communications
7. Event and Incident Response, Continuity of Operations
8. Supply Chain and External Dependencies Management
9. Workforce Management
10. Cybersecurity Program Management

First step: Determine risk and define target maturity level for each domain
Example: Reaching MIL-1
Specific guidance from C2M2
Moving from MIL 0 to MIL 1 is a fairly big step
Stage 0 – Getting started
Lean approach

Objectives
Raise awareness in management and other relevant levels of the organization
Identify areas of biggest risk generically

ABB Cyber Security Services
Awareness training
– Often more effective if done by external entities
Security assessment / fingerprint
– Doesn’t have to be a very detailed audit
– Leverage general experience with regard to common causes of incidents
– Leverage general experience with regard to simple security countermeasures
Stage 1 – Introduce basic protection
Lean approach

Objectives
Establish a foundation for cyber security in operations
Mitigate the most common risks with countermeasures which the organization is capable of operating
Demonstrate risk reduction effectiveness by selected examples
Establish a context-specific, detailed understanding of risk

ABB Cyber Security Services
Awareness training (continued)
Security Patch Management
Malware Protection Management
System Hardening
Backup & Recovery Management
Network Security Management (at least perimeter)
Basic security monitoring (of the above practices)
Cyber Security Assessment
Cyber Security Risk Assessment
Stage 2 – Defend your system
Lean approach

Objectives
Establish a security management system based on the risk assessment results
Establish security practices systematically
Reach compliance with relevant standards (e.g. NERC-CIP, IEC 62443-2-1)

ABB Cyber Security Services
Focused awareness training
Security policy & procedure development
Security Patch Management
Malware Protection Management
System Hardening
Backup & Recovery Management
Network Security Management
User & Access Management
Security Monitoring
Incident Response*
Cyber Security Assessment
Stage 3 – Manage your risks
Lean approach

Objectives
Continuously adapt and improve the security management system based on the evolving threat landscape
Maintain & document compliance with relevant standards

ABB Cyber Security Services
Security policy & procedure development
Security Patch Management
Malware Protection Management
System Hardening
Backup & Recovery Management
Network Security Management
User & Access Management
Security Monitoring
Incident Response*
Threat Intelligence*
Conclusion
Step-by-step to cyber security maturity
Introducing cyber security management into control system operations is a major change and can be overwhelming
Early steps must work towards a solid understanding of context-specific risks and prioritize these
In parallel, basic controls can be introduced which experience shows will be part of any security management system
Competent partners are available on the market to bridge transition periods or continuously provide services
Don’t be the deer in the headlights – get started with small steps and look for partners!
Cyber Security Fingerprint & Benchmark
Assess & Diagnose

Overview
Provides a comprehensive view of your site’s cyber security status
Identifies strengths and weaknesses for defending against an attack within your plant’s control systems
Reduces potential for system and plant disruptions
Increases plant and community protection
Supplies a solid foundation from which to build a sustainable cyber security strategy
It does NOT make the system completely secure.

Cyber Security Fingerprint
Sample results
Cyber Security Training
Consulting

Overview
Cyber security awareness training
– Raise awareness of cyber security threats and risks
– For various audiences (technical as well as management)
Product-related security training
– Enables attendees to fully leverage the security capabilities of ABB products, including e.g.
• Configuration
• Administration
• Operation
Security Patch Management
Implement / Sustain

Overview
Modern operating systems and embedded software often need to be patched to defend against emerging threats.
Efficient patch management is an essential part of any security policy, but one that is often neglected.
This service includes the implementation and maintenance of systems that handle security updates for third-party software (e.g. Microsoft or Adobe products).
Service can include
– Patch qualification
– Patch delivery (online or offline)
– Patch deployment
Malware Protection Management
Implement / Sustain

Overview
A common threat to control systems is infection with malware, often generic malware circulating on the Internet but also targeted malware for control systems. Common anti-virus solutions are a part of the security architecture recommended by ABB.
ABB experts secure your power and automation systems with industry-standard malware and intrusion protection solutions, like anti-virus protection and application whitelisting.
Service can include
– AV signature update qualification
– AV signature update delivery (online)
– AV signature update deployment
Patch & Malware Protection Management
Offline solution – Security Patch Disc

Overview
The Security Patch Disc Service provides an efficient way for customers with no remote connectivity to deploy security patches and antivirus data files.
Benefits:
The resulting media removes the need for customers to locate the ABB documentation, find the appropriate patches, download them from the Internet, and transfer them via mobile media to the control system.
Significantly reduced effort, but also reduced risk of transferring a virus or malware using mobile media (e.g. USB drive).

1) Patch Tuesday
- Microsoft releases monthly patches
- 2nd Tuesday of the month
2) ABB updates status document
- ABB identifies the patches as tested and marks them as "T" in the Security Updates Validation Status product bulletins
- Product bulletins released to ABB Library, MCS, SolutionsBank
3) Security patch testing executed
- ABB teams install and test the various ABB products for compatibility issues with the released security patches
4) ABB updates status document
- Patches then go from "Testing" to "Qualified".
- Patches may remain in the testing state if further work is needed.
5) Security Patch Disc production
- Security Patch Disc master is produced, manufactured, and shipped.
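The gate that the Testing/Qualified states in steps 2 to 5 imply, as an added example (not ABB's own tooling): only patches the validation-status bulletin marks Qualified for a given product are released to the plant; patches still in Testing, or absent from the bulletin, are held. The CSV layout, product names and KB identifiers are constructed assumptions, not real ABB bulletins or Microsoft KB numbers.

```python
"""Deployment gate modelled on the Patch Tuesday -> validation -> release flow.

Added example, not ABB's code. Assumptions: a per-product validation
status bulletin as CSV with columns product,kb,status, using the status
values "Testing" and "Qualified" from the slide. Product names and KB ids
are constructed placeholders.
"""
import calendar
import csv
import io
from datetime import date

# Constructed sample bulletin (status is tracked per product).
BULLETIN_CSV = """product,kb,status
ProductX,KB-EX-1001,Qualified
ProductX,KB-EX-1002,Qualified
ProductX,KB-EX-1003,Testing
ProductY,KB-EX-1003,Qualified
"""

# Constructed: KB ids from one monthly Microsoft release.
MONTHLY_RELEASE = ["KB-EX-1002", "KB-EX-1003", "KB-EX-1004"]


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, i.e. Microsoft's monthly release day."""
    first_weekday = calendar.monthrange(year, month)[0]  # Monday == 0
    offset = (calendar.TUESDAY - first_weekday) % 7      # days to first Tuesday
    return date(year, month, 1 + offset + 7)


def load_bulletin(text: str) -> dict:
    """Map (product, kb) -> validation status."""
    return {(row["product"], row["kb"]): row["status"]
            for row in csv.DictReader(io.StringIO(text))}


def gate(product: str, kbs: list, bulletin: dict) -> dict:
    """Split a monthly release into what may go to the plant and what is held.

    Only Qualified patches are released. Testing patches wait for the next
    bulletin; anything absent from the bulletin is held as unvalidated, so
    an unqualified patch never reaches the control system by default.
    """
    decision = {"deploy": [], "hold_testing": [], "hold_unvalidated": []}
    for kb in kbs:
        status = bulletin.get((product, kb))
        if status == "Qualified":
            decision["deploy"].append(kb)
        elif status == "Testing":
            decision["hold_testing"].append(kb)
        else:
            decision["hold_unvalidated"].append(kb)
    return decision


if __name__ == "__main__":
    bulletin = load_bulletin(BULLETIN_CSV)
    print("Patch Tuesday May 2017:", patch_tuesday(2017, 5))
    for product in ("ProductX", "ProductY"):
        print(product, gate(product, MONTHLY_RELEASE, bulletin))
```

The same gate applies to a WSUS approval list: approve only the "deploy" set and leave the held patches unapproved until the next bulletin.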
Patch & Malware Protection Management
Online solution – ABB Security Update Service

Overview
The ABB Security Update Server is updated with the latest patches validated and approved by ABB:
– Microsoft patches (monthly update)
– McAfee and Symantec pattern files (as supported for the connected system – daily update)
The ABB Security Update Server synchronizes with the plant security server at the customer site. Servers are connected via ABB’s RAP/RAS service.
The plant security server on the customer site distributes the security updates to the connected ABB control system(s).
1. Microsoft patches: monthly deployment
2. Antivirus McAfee: daily pattern updates
3. Antivirus Symantec: daily pattern updates
[Diagram: WSUS server, ePO server (ePolicy Orchestrator) and Symantec Endpoint Protection server – Security Update Service for the automated distribution and deployment of ABB validated cyber security updates using a highly secured methodology]
System Hardening
Implement / Sustain

Overview
An important challenge in any cyber security management system is to maintain a system configuration that is as secure as possible – a task commonly referred to as system hardening.
This service lets you benefit from the in-depth expertise of ABB and the hardening policies that have been vetted rigorously by ABB’s product and service teams.
Hardening may include, for example,
– removal or deactivation of unused software, services and specific ports
– removal or deactivation of unused user accounts
– generally proper utilization of security options provided by the system, e.g.
• BIOS passwords in PCs
• disabling interactive login for service accounts
Backup and Recovery Management
Implement / Sustain

Overview
If the worst does happen, and a cyber-attack or natural disaster strikes, then ABB’s backup and emergency response services enable a rapid recovery to normal operations.
ABB’s back-up solutions ensure the integrity and availability of critical data and the system, no matter what happens to the original.
Network Security Management
Implement / Sustain

Overview
Firewalls protect the perimeter of a network against outsider intrusion.
ABB’s managed firewall service ensures your perimeter protection is actively monitored and maintained.
Segregated networks allow for easier enforcement of the principle of least privilege at the network communication level. Segregation is also crucial to contain potential incidents to a defined subsystem and to prevent a single breach of security from spreading throughout the entire system and into other systems.
A well-designed security policy will separate the network into distinct, controlled zones, protected by internal firewalls, to ensure that a compromised server doesn’t mean compromising the entire network.
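One way to verify that a rule set actually respects the zones just described, as an added example that is not part of the original slides or ABB's tooling: every allow rule is mapped to a (source zone, destination zone) pair and reported if that pair is not a defined conduit, so a rule that lets enterprise hosts reach control hosts directly, or lets traffic out of the control zone, is caught before it is deployed. The zone address ranges, the permitted conduits and the rule set are constructed assumptions for the example.

```python
"""Checks firewall rules against a zone/conduit model.

Added example, not ABB's tooling. Assumptions (constructed): three zones,
enterprise, DMZ and control; the only permitted cross-zone conduits are
enterprise -> dmz and dmz -> control. A direct enterprise -> control rule,
any reverse path out of the control zone, and any rule whose source lies
outside the defined zones is reported.
"""
import ipaddress

ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "control": ipaddress.ip_network("10.2.0.0/24"),
}
ALLOWED_CONDUITS = {("enterprise", "dmz"), ("dmz", "control")}

# Constructed rule set; ids are arbitrary.
RULES = [
    {"id": 1, "src": "10.0.5.10", "dst": "10.1.0.20", "port": "tcp/443", "action": "allow"},
    {"id": 2, "src": "10.1.0.20", "dst": "10.2.0.5", "port": "tcp/1433", "action": "allow"},
    {"id": 3, "src": "10.0.5.10", "dst": "10.2.0.5", "port": "tcp/3389", "action": "allow"},
    {"id": 4, "src": "0.0.0.0/0", "dst": "10.2.0.0/24", "port": "any", "action": "allow"},
    {"id": 5, "src": "10.2.0.5", "dst": "10.0.5.10", "port": "tcp/445", "action": "allow"},
    {"id": 6, "src": "0.0.0.0/0", "dst": "10.2.0.0/24", "port": "any", "action": "deny"},
    {"id": 7, "src": "10.1.0.0/24", "dst": "10.2.0.0/24", "port": "any", "action": "allow"},
]


def zone_of(cidr: str) -> str:
    """Name of the zone fully containing the address or network, else 'outside'."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "outside"


def check_rules(rules: list) -> list:
    """Return (rule id, reason) for every allow rule that breaks the model."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # deny rules cannot widen access
        src, dst = zone_of(rule["src"]), zone_of(rule["dst"])
        if src == dst and src != "outside":
            continue  # intra-zone traffic is not a conduit
        if (src, dst) not in ALLOWED_CONDUITS:
            findings.append((rule["id"], f"{src} -> {dst} is not a defined conduit"))
        elif rule["port"] == "any":
            findings.append((rule["id"], f"{src} -> {dst} conduit allows any port"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in check_rules(RULES):
        print(f"rule {rule_id}: {reason}")
```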
Cyber Security Assessment
Diagnose

Overview
In-depth survey to obtain detailed information about
– the system infrastructure
– the effectiveness and status of existing cyber security measures.
The assessment is carried out by ABB in close cooperation with the customer and within a clearly defined scope of work.
Collected data is compared against industry best practices and standards to detect weaknesses within your system’s defense.
Pinpoints areas that require action to help protect your system by ensuring it has multiple layers of security.
Proposes a solution that will maintain the system’s cyber security at best-practice levels.
Cyber Security Risk Assessment
Consulting

Overview
This service contains an IEC 62443 based process for performing cyber security risk assessments. The assessment shall improve the security of the products and systems, perform a threat/risk based security status evaluation and produce a plan for prioritizing the threats/risks for the control system.
Risk assessment identifies and qualitatively assesses the risk an organization is exposed to
Security assessment checks compliance with given requirements, e.g. from internal, national or international standards or regulations
Cyber Security Policies & Procedures
Consulting

Overview
Cyber security will always be a challenge on a global scale; no single solution can keep increasingly interconnected systems secure
ABB works with customers to understand your processes and procedures, group security policies and computer settings to create a defense-in-depth approach
Multiple security layers detect and deter threats – if, where and when they may arise.
User & Access Management
Implement / Sustain

Overview
Implementing user accounts and access rights is the recommended mechanism to enforce the principle of least privilege at the user level. Defining user access rights and user policies are both important measures.
Typical user definitions to be implemented are accounts for the process control system, the demilitarized zone and remote work.
This service gives the customer peace of mind that users of the system always have the approved and relevant access rights.
Cyber Security Monitoring Service
Sustain

Overview
Identifies, classifies and helps prioritize opportunities to improve the security of your control system by comparing data collected against industry best practices and standards to detect security vulnerabilities.
Features:
– Automatic, non-invasive data gathering
– Proactive analysis of KPIs to detect possible security weaknesses
– On-demand analysis
– On-site or remote access for site personnel and ABB experts
– Configurable alerts (locally and e-mail)
Cyber Security Monitoring Service
User interface
Raw Data
– View shows raw data associated with each channel
Notification
– Track (event-triggered) generates notifications based on predefined KPIs
Math Function
– Scan (scheduled) presents KPIs generated from raw data through periodic diagnostic monitoring
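The View / Track / Scan split above, worked through as an added example that is not the service's own code: raw channel values per host are the View, a scheduled Scan turns them into KPIs with a compliance percentage, and Track raises a notification the moment one newly arrived sample breaches a KPI. The KPI names, thresholds and host data are constructed assumptions chosen to match the patch, anti-virus and hardening practices the deck describes.

```python
"""Scan (scheduled) and Track (event-triggered) over raw security channels.

Added example, not the ABB service's code. KPI definitions, thresholds and
the raw data are constructed for illustration. The raw data dict is the
"View"; scan() is the scheduled KPI pass; track() is the event-triggered
notification pass.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KPI:
    name: str
    channel: str      # raw data channel the KPI is computed from
    limit: float      # a host breaches the KPI when its value > limit


# Constructed KPI definitions (thresholds are illustrative).
KPIS = [
    KPI("patch_age", "days_since_last_patch", 45),
    KPI("av_signature_age", "av_signature_age_days", 7),
    KPI("service_interactive_logon", "service_accounts_with_interactive_logon", 0),
]

# Constructed raw data: latest value of each channel per host.
RAW_DATA = {
    "hmi01": {"days_since_last_patch": 12, "av_signature_age_days": 1,
              "service_accounts_with_interactive_logon": 0},
    "hmi02": {"days_since_last_patch": 70, "av_signature_age_days": 10,
              "service_accounts_with_interactive_logon": 0},
    "eng01": {"days_since_last_patch": 30, "av_signature_age_days": 15,
              "service_accounts_with_interactive_logon": 2},
}


def scan(raw: dict, kpis: list) -> dict:
    """Scheduled pass: per KPI, compliance percentage and breaching hosts."""
    report = {}
    for kpi in kpis:
        breaching = sorted(h for h, ch in raw.items() if ch[kpi.channel] > kpi.limit)
        compliant = 100.0 * (len(raw) - len(breaching)) / len(raw)
        report[kpi.name] = {"compliant_pct": round(compliant, 1), "breaching": breaching}
    return report


def track(host: str, channel: str, value: float, kpis: list) -> list:
    """Event-triggered pass: notifications for one newly arrived sample."""
    return [f"{host}: {k.name} = {value} exceeds limit {k.limit}"
            for k in kpis if k.channel == channel and value > k.limit]


if __name__ == "__main__":
    for name, row in scan(RAW_DATA, KPIS).items():
        print(name, row)
    print(track("hmi01", "av_signature_age_days", 9, KPIS))
```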