Date post: 26-Jul-2020
Page 1: ABB LIMITED Securing industrial systems in a digital world · ABB LIMITED Securing industrial systems in a digital world Ben Dickinson, Cyber Security Consultant, ABB benjamin.dickinson@gb.abb.com

ABB LIMITED

Securing industrial systems in a digital world

Ben Dickinson, Cyber Security Consultant, ABB

benjamin.dickinson@gb.abb.com


Introduction

September 18, 2018 Slide 2

• A quick introduction to Cyber Security

• Cyber challenges and pain points

• Common vulnerabilities

• Key components of a Cyber Security Management System (CSMS)


Cyber Security

September 18, 2018 Slide 3

Definition

“Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.”

Guiding Principles

Reality

There is no such thing as being 100% secure

Process

Cyber Security is not a destination but a moving target. It is a process not a product.

Balance

Cyber Security is about finding the right balance. It impacts usability and increases costs.


There are no magic solutions; security maturity takes time

September 18, 2018 Slide 4

3 Cyber Pillars:

– People, Process and Technology: each must be leveraged to protect digital systems

People

– People are critical in preventing and protecting against cyber threats.

– Organizations need competent people to implement and sustain cyber security technology and processes.

Process

– Policies and Procedures are key for an organization’s effective security strategy.

– Processes should adapt to changes as cyber threats evolve.

Technology

– Technology is important in preventing and mitigating cyber risks.

– Technology needs people, process and procedures to mitigate risks.

Must engage and educate people, develop and deploy processes, and design and deliver protected technology


Pain points

September 18, 2018 Slide 5

Current challenges and changes

– Increased ICS Cyber Threats: STUXNET, BLACKENERGY, HAVEX, CRASHOVERRIDE, TRISIS, WannaCry.

– Few people understand how to protect our control systems: We need more experts in both Operational Technology and Cyber Security.

– IT/OT convergence: CISOs require OT systems to follow corporate security standards for patching, anti-virus and monitoring.

– Desire to extend the life span: Industrial control systems are running on EoL software with known vulnerabilities. Operators are looking for ways to extend the life.

– Workforce focusing on high-value tasks: Organizations are scaling back on dedicated headcount; limited resources need to focus on higher value activities and are looking for ways to automate sustaining secure systems.

– Distributed assets difficult to secure: Assets are becoming more intelligent and distributed; the attack surface is expanding, making it difficult to protect with traditional approaches.

– Compliance with industry standards: HSE Compliance example

– Lack of situational awareness tools: ICS asset owners have no visibility into the security posture and status. Monitoring cyber security across operational assets is difficult to implement.

Cost: Minimize / Optimize

Performance: Exceed / Meet or beat

Risk: Avoid / Manage


Common Vulnerabilities

September 18, 2018 Slide 6

– Internet connected OT devices

– Dual homed machines

– Web and Email access from control systems

• 90%+ of successful attacks start with a phishing email

– Default passwords and configurations

– Insecure protocol use

– Poor password management

– Lack of physical security

– Lack of intrusion detection capability

Potential Impact

• Shut down fuel system

• Cause a fuel leak

• Change fuel prices

• Circumvent payment terminal to steal money

• Steal driver details

• Gain access to wider network


HSE Requirements

September 18, 2018 Slide 7

Through Operational Guidance 86, the Health and Safety Executive now calls upon duty holders to:

“Manage the risk of potential safety impacts arising from a breakdown in cyber security.”

– Loss of Confidential Information

– Loss of Production

– Invasion into Privacy

– Loss of control in “High Hazard” facilities which could result in a catastrophic incident.

Prevention and mitigation of accidents is the responsibility of the duty holder; this is typically the owner or operator of the Industrial Automation and Control System (IACS).


TRITON / TRISIS - Schneider Triconex SIS

September 18, 2018 Slide 8

– First cyber attack to specifically target human life

– Operators first notified when system went down

– Shutdown was not intended

– They could have simply uploaded flawed code to shut down the system

– Made several attempts to deliver functioning code to cause serious damage

– Researchers have tracked the actor in other systems

– Cyber Security best practices would likely have prevented this attack.

– Available online: https://github.com/ICSrepo/TRISIS-TRITON-HATMAN


A Process for Management of Cyber Security on IACS

September 18, 2018 Slide 9

Identify | Protect | Detect | Respond | Recover

Summary

– Identify (Know where to fix): Identifying what needs to be protected.

– Protect (Know how & what to fix): Implement solutions for protection.

– Detect (Ability to detect): Monitor system and detect breaches and vulnerabilities.

– Respond (Ability to help): Respond to an incident if compromised.

– Recover (Ability to restore): Backup and recovery.

– This process can be integrated into other site safety management systems


Identify your Assets

September 18, 2018 Slide 10


Cyber Asset Management

– Identify all your assets, zones and conduits.

– Identify vulnerable assets, insecure device configurations

– Identify suspicious devices

– Automatically generate reports related to asset inventory

Key deliverables: Simple Network Diagram, Asset Register.


Identify your Vulnerabilities

September 18, 2018 Slide 11


Vulnerability Management

Do you have a good understanding of what vulnerabilities are in your system?

Your Vulnerabilities

Penetration Testing

Vendor Website

Journal Publications

National Vulnerability Database (NVD)

ExploitDB

ICS-Cert


Identify your Threats

September 18, 2018 Slide 12


Threat Intelligence

Helps you answer some important questions:

– Who is targeting…

• Your employees

• Your equipment

• Your organisation

• Your market sector

– What tactics and methods do they use

– What weaknesses they are exploiting

Surface Web

Deep Web

Dark Web


Identify your Risks

September 18, 2018 Slide 13

Cyber Security Risk Assessments

– Describe the devices covered by the assessment

– Describe the threats (Phishing, Ransomware, Disgruntled Employee)

– Classify and prioritise the risk

– Make decisions on security controls

L = Likelihood, C = Consequence, R = Overall Risk

Risk Assessment

Threat Intelligence

Vulnerability Management

Asset Management


Implement Security Controls

September 18, 2018 Slide 14

L = Likelihood, C = Consequence, R = Overall Risk

Use the Risk Assessment to identify which security controls require implementing:

– Policies & Procedures

– Physical Security

– Device Hardening

– Malware protection management

– Patch Management

– Backups and Recovery Management

– User and Access Management

– Network Security Management

– Cyber Security Training


Detect any intrusions

September 18, 2018 Slide 15


System Security Management

– Collect your data

• Syslogs

• Firewall Logs

• Netflow data

– How to detect malicious activity

• Threat Intelligence

• Anomaly detection

Do you have the ability to detect?

61% of oil and gas organizations believe it’s unlikely or highly unlikely that they would be able to detect a sophisticated attack*

https://www.ey.com/Publication/vwLUAssets/EY-oil-and-gas-cybersecurity-time-for-a-seismic-shift/$FILE/EY-oil-and-gas-cybersecurity-time-for-a-seismic-shift.pdf


Detect any intrusions

September 18, 2018 Slide 16


System Security Management

– Example MODBUS command


01 05 00 00 FF 00 8C 3A

– 01: Modbus Address

– 05: Function Code

– 00 00: Register Address

– FF 00: Set high

– 8C 3A: Checksum

Pattern of life analysis

01 05 00 00 FF 00 8C 3A

– When? Unusual time? 19 Sep 2018, 02:04:00

– Who? What user, application or process? Username:JoeBloggs ProcessName:example.dll

– Context? Any maintenance activity scheduled? MaintenanceScheduled:Yes/No
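
The pattern-of-life questions above applied to the slide's MODBUS frame, as an added example that is not part of the original slides: it decodes and checksum-verifies the frame, then tests the when/who/context questions against a baseline. The baseline (operating hours, the `hmi.exe` process name) and the "No" chosen for MaintenanceScheduled are constructed assumptions.

```python
import struct
from datetime import datetime

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def parse_write_coil(frame: bytes) -> dict:
    """Decode an 8-byte Modbus RTU Write Single Coil (function 05) request."""
    if len(frame) != 8:
        raise ValueError("expected an 8-byte frame")
    unit, func, addr, value = struct.unpack(">BBHH", frame[:6])
    (crc,) = struct.unpack("<H", frame[6:])  # CRC travels low byte first
    if crc != crc16_modbus(frame[:6]):
        raise ValueError("checksum mismatch")
    if func != 0x05 or value not in (0xFF00, 0x0000):
        raise ValueError("not a Write Single Coil request")
    return {"unit": unit, "address": addr, "set_high": value == 0xFF00}

# Constructed baseline (assumption): who normally writes coils, and when.
BASELINE = {"hours": range(7, 19), "writers": {("JoeBloggs", "hmi.exe")}}

def pattern_of_life(event: dict, baseline: dict = BASELINE) -> list:
    """Return the when/who/context checks that this coil write fails."""
    parse_write_coil(bytes.fromhex(event["frame"]))  # reject malformed frames
    when = datetime.strptime(event["time"], "%d %b %Y, %H:%M:%S")
    findings = []
    if when.hour not in baseline["hours"]:
        findings.append("when: outside normal operating hours")
    if (event["user"], event["process"]) not in baseline["writers"]:
        findings.append("who: user/process pair not seen writing before")
    if not event["maintenance_scheduled"]:
        findings.append("context: no maintenance scheduled")
    return findings

# The slide's event; MaintenanceScheduled is shown as Yes/No, "No" assumed here.
SLIDE_EVENT = {
    "frame": "01 05 00 00 FF 00 8C 3A", "time": "19 Sep 2018, 02:04:00",
    "user": "JoeBloggs", "process": "example.dll",
    "maintenance_scheduled": False,
}

if __name__ == "__main__":
    print(pattern_of_life(SLIDE_EVENT))
```
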


Incident Response and Recovery

September 18, 2018 Slide 17


Things to consider:

– Roles and Responsibilities

– Incident Response plan

– Communications with media, customers, law enforcement, government and vendors

– Post incident forensics

– Exercising your plan

– Recovery and restoration

6% of Oil & Gas companies have a robust incident response program and regularly conduct table-top exercises.*

* https://www.ey.com/Publication/vwLUAssets/ey-oil-and-gas-information-security-survye-2016-17/$FILE/ey-oil-and-gas-information-security-survye-2016-17.pdf


Ben Dickinson, Cyber Security Consultant, ABB

benjamin.dickinson@gb.abb.com

