Applying ISO 27001 in an industrial control environment

Date post: 23-Feb-2016

Transcript
Page 1: Applying ISO 27001 in an industrial control environment

Applying ISO 27001 in an industrial control environment

Riemer Brouwer – Head IT Security, ADCO ([email protected])

Doha, February 2014

Page 2

A basic IT security principle is to follow a risk-based approach

Page 3

…yet SCADA systems are often overlooked, despite their huge significance

Figure: IT security out of balance (Corporate IT weighed against SCADA systems)

“Somehow risk assessment for SCADA went terribly wrong: Pantries are often better protected than control rooms”

Page 4

SCADA systems are used to control complex industries such as utility plants (water, electricity), oil & gas refineries etc.

Page 5

As a result, SCADA systems usually seem highly complex, and understanding them takes time and effort

Page 6

Figure: a continuous control loop: above 23.0 start cooling, below 22.0 start heating

Yet… SCADA systems are actually quite basic in nature

Page 7

Figure: the same continuous loop (above 23.0 start cooling, below 22.0 start heating), now showing the network connecting the sensors with the actuators

Industrial control systems have a few core elements that are critical to cybersecurity:

• Sensors: in this case the thermometer
• Actuators: in this case the ventilator
• Main Control Server, monitoring the sensors and controlling the actuators
• Set points: upper and lower limits that initiate action
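The loop on this slide, as an added Python example that is not from the presentation: the set points drive the actuator decision, and a bounds check on set-point writes (an assumed safeguard the slide does not describe, with assumed engineering limits) shows why they are the element to protect.

```python
"""Simulated control loop from the slide: sensor, actuator, control server, set points.

Added example, not from the presentation. The set-point bounds check is an assumed
safeguard the slides do not describe; engineering limits are assumed values.
"""
from dataclasses import dataclass

PHYSICAL_MIN, PHYSICAL_MAX = 10.0, 35.0  # assumed engineering limits for the loop


@dataclass(frozen=True)
class SetPoints:
    lower: float  # below this: start heating
    upper: float  # above this: start cooling


def validate_set_points(sp: SetPoints) -> bool:
    """Reject an inverted band or limits outside the engineering envelope (log rejects)."""
    return PHYSICAL_MIN <= sp.lower < sp.upper <= PHYSICAL_MAX


def control_step(temperature: float, sp: SetPoints, state: str) -> str:
    """One pass of the continuous loop: the control server picks the actuator command.

    Between the two set points the previous state is kept (hysteresis), so the
    ventilator or heater does not chatter around a single threshold.
    """
    if temperature > sp.upper:
        return "cooling"
    if temperature < sp.lower:
        return "heating"
    return state


def run_loop(readings, sp: SetPoints) -> list:
    """Feed thermometer readings through the loop and return the command trace."""
    if not validate_set_points(sp):
        raise ValueError(f"set points {sp} rejected: outside engineering limits")
    state, trace = "idle", []
    for temperature in readings:
        state = control_step(temperature, sp, state)
        trace.append(state)
    return trace


if __name__ == "__main__":
    # Constructed readings: the room drifts warm, cools back, then drifts cold.
    print(run_loop([22.5, 23.4, 22.8, 21.7, 22.3], SetPoints(lower=22.0, upper=23.0)))
    # -> ['idle', 'cooling', 'cooling', 'heating', 'heating']
```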

Page 8

Some “reasons” for ignoring the IT security aspects of control systems are the result of fundamental misconceptions

Misconception 1: “The SCADA system resides on a physically separate, standalone network.” FALSE!

• In reality, SCADA networks and corporate IT systems are often bridged through remote access, which allows engineers to monitor and control the system from points on the corporate network. Also, many utilities have added connections to allow corporate decision makers to obtain instant access to critical data about the status of their operational systems.

Misconception 2: “Connections between SCADA systems and other corporate networks are protected by strong access controls.” FALSE!

• Many of the interconnections between corporate networks and SCADA systems require the integration of systems with different communications standards. The complexity of integrating disparate systems often creates security risks that are not taken into account.

Misconception 3: “SCADA systems require specialized knowledge, making them difficult for network intruders to access and control.” FALSE!

• This misconception assumes that all attackers of a SCADA system lack the ability to access information about its design and implementation. That assumption is inappropriate given the changing nature of process system vulnerabilities in an interconnected environment. Also, most SCADA system providers publish their training on the internet, making it accessible to the general public.
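A practitioner's first check against misconceptions 1 and 2 is to inventory which corporate hosts actually reach the control network. The following is an added example, not from the presentation; the zone subnets, the flow-record format and the sample records are all constructed assumptions:

```python
"""Inventory of corporate-to-SCADA flows (added example, not from the presentation)."""
import ipaddress
from collections import Counter

# Assumed zone layout: one corporate subnet, one control-system subnet.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "scada": ipaddress.ip_network("10.200.0.0/24"),
}

# Constructed flow records in the form "<src> <dst> <dst_port> <proto>".
SAMPLE_FLOWS = """\
10.10.5.23 10.200.0.15 3389 tcp
10.10.5.23 10.200.0.15 502 tcp
10.200.0.15 10.200.0.20 502 tcp
10.10.7.8 10.10.9.1 443 tcp
10.10.9.40 10.200.0.11 5900 tcp
"""


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in neither subnet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def bridged_flows(log_text: str) -> list:
    """Return flows crossing from the corporate zone into the SCADA zone; each one
    is a bridge the risk assessment must record (the slide's first misconception)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = line.split()
        if zone_of(src) == "corporate" and zone_of(dst) == "scada":
            hits.append((src, dst, int(port), proto))
    return hits


def bridges_by_source(hits: list) -> Counter:
    """Count bridging flows per corporate source host, for the risk register."""
    return Counter(src for src, _, _, _ in hits)


RESULT = bridged_flows(SAMPLE_FLOWS)  # three corporate-to-SCADA flows from two hosts
```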

Page 9

The most important reason for ignoring IT security in control systems is the impression that “hackers don’t care about us”. FALSE!

Target Attractiveness: Examples of Recent Attacks

• Gauss (2012): One of the most sophisticated pieces of malware yet designed to monitor bank account information and the money flow for various Middle Eastern banks.
• Shamoon (2012): Saudi Aramco, the world’s largest oil producer, was targeted by hackers for the government’s supposed support of “oppressive measures” in the Middle East.
• Flame / FinSpy (2012): Highly advanced spyware kits mostly found in the Middle East that can intercept and record communications.
• Mahdi (2012): Trojan espionage attack designed to target Middle Eastern critical infrastructure firms, engineering students, financial services firms, and government embassies.

Source: Booz Allen Hamilton

Page 10

ISO27001 provides an excellent framework to implement IT security controls and a risk management program

Figure: Areas covered by ISO27001/2 (nature of controls: organizational, technical, physical; ranging from operations to management)

• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Mgmt.
• Access Control
• Information System Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Mgmt.
• Compliance

Page 11

ISO27001 provides an excellent framework to implement IT security controls and a risk management program

Grouping resulted in 18 policies:

• ISMS Policy 000
• Acceptable Use Policy 001
• Antivirus Policy 002
• Network Security Policy 003
• Asset Management and Classification Policy 004
• Personnel Security Policy 005
• Physical and Environmental Security Policy 006
• IT Operations Management Policy 007
• Security Incident Handling Policy 008
• Access Control Policy 009
• Systems Development and Maintenance Policy 010
• Business Continuity Management Policy 011
• Compliance Monitoring Policy 012
• Security Testing and Auditing Policy 013
• Encryption Policy 014
• Security Patch Management Policy 015
• Third Party Policy 016
• Wireless Policy 017

Page 12

But…but…but… isn’t ISO27001 for corporate IT only?!

ISO27001’s core objectives are to:

• Understand the organization’s information security requirements
• Implement and operate controls to manage risk
• Monitor and review
• Continuous improvement

Applicable to SCADA?

• In addition, using a well-renowned framework facilitates communication with senior management
• ISO27001 controls are not best practices, they are minimum practices
• Metrics to provide insight into the current security posture

Page 13

SCADA environments present their own unique challenges to implementing IT security measures

• SCADA systems are usually not under the control of IT: liaise with the Engineering team in charge of SCADA systems
• SCADA systems are “always on”: include IT security updates in maintenance windows
• SCADA systems were never built with security in mind: identify work-around solutions to mitigate the risks
• SCADA systems can be in remote areas: physical security controls deserve full attention from IT security
• SCADA systems are not always well-documented and studied: build partnerships with vendors to obtain relevant information

Page 14

IT Security Team

• Establish and lead procedure development team

• Invite ad-hoc specialists depending on the procedure

• Responsible for effective review mechanism

Engineering / Vendors

• Provide in-depth knowledge on IT systems and processes

• Must be able to evaluate feasibility of proposed security procedures

Operators

• Ultimately responsible for following IT security policies

• Essential to have security-minded contributors

Internal Audit

• Responsible for IT security compliance review

• Provide input on enforceability of suggested procedures

HR/Legal/Others

• Other departments must be involved depending on topic

• Main task is to ensure IT security procedures are aligned with policies/procedures

Key to a successful SCADA Security program is collaboration between all stakeholders within IT and related departments

Page 15

In summary, an ISO27001-based SCADA security program leverages existing skills and technologies, supplemented with tailored considerations

Figure: ISO 27001 – ISA 99 Roadmap (SCADA Security Roadmap to Success), from Start towards a secure future:

• Obtain support from senior management
• Co-develop procedures with in-house SCADA staff
• Provide awareness training to SCADA staff and others
• Become integrated part of security operations
• Tailor corporate IT security policies
• Develop procedures / Risk Management process
• Implement policies & procedures

Key to success is ensuring policies and procedures are realistic and doable

Risk Management framework must be tailored, e.g., access rights and backup will most likely differ

Page 16

Thank you

