23
CASE: Implementation of Cyber Security for Yara Glomfjord Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, 28.09.2015
CASE: Implementation of Cyber Securityfor Yara Glomfjord
Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, 28.09.2015
© ABB GroupSeptember 27, 2015 | Slide 2
Implementation of Cyber Security for Yara Glomfjord
§ ABB Norway
§ Integrated Operations
§ Team Lead Cyber Security & Infrastructure
§ Cyber Security Manager Oil, Gas and Chemicals
§ Member of the global ABB Cyber Security organizationsince 2010
§ Working with Cyber Security for Automation since 2003
§ Master's degree in Engineering Cybernetics at NTNU
§ Thesis on Remote Access to Offshore Oil & GasInstallations
Speaker profile – Olav Mo
© ABB GroupSeptember 27, 2015 | Slide 3
Implementation of Cyber Security for Yara Glomfjord
§ Cyber security best practices
§ Yara Glomfjord
§ Target and timeline
§ Installed Base
§ Deployment Project
§ Service Agreement
§ Secure in Deployment
§ Cyber Security Guidelines
§ Cyber Security Services
Agenda
© ABB GroupSeptember 27, 2015 | Slide 4
Cyber security best practicesLots of support available
Industrial Autom.EnergyIT
Design Details
Completeness
ISA 99*
IEC 62443
NIST 800-53
IEC 62351
NERC
CIP
Operator Manufacturer
ISO 27K
TechnicalAspects
Management/ProcessAspects
Details ofOperations
Relevance forManufacturers
NIST Cyber Security Framework
IEEE P 1686
* Since the closing of the ESCoRTS project, ISA decided torelabel the ISA 99 standard to ISA 62443 to make thealignment with the IEC 62443 series more explicit and obvious.
Source: ESCoRTS Project (Europeannetwork for the Security of Control andReal-Time Systems), with ABB additions.
© ABB GroupSeptember 27, 2015 | Slide 5
Cyber security best practicesABB’s view
ISA 99/
IEC 62443
NIST Cyber SecurityFramework
NERC CIP
Industrial Autom.Energy
IT
§ The most prominent standard and it is international§ Applicable for operators/users & manufacturers/vendorsand has the most significant scope§ ABB will target compliance for 800xA
§ Limited details, but a good way to get started for control systemusers.
§ In the US, bulk electric systems has to comply.
© ABB GroupSeptember 27, 2015 | Slide 6
Cyber security best practicesIEC 62443
Published(may be under review)
PA
© ABB GroupSeptember 27, 2015 | Slide 7
2. Policies & procedures 3. System requirements
FR 1 Identification and authentication control• User, software, & device authentication• Account management
FR 2 Use control• Authorization enforcement• Auditable events
FR 3 System integrity• Communication integrity• Malicious code protection
FR 4 Data confidentiality• Information confidentiality
FR 5 Restricted data flow• Network segmentation
FR 6 Timely response to events• Audit log accessibility• Continuous monitoring
FR 7 Resource availability• Denial of service protection• Control system backup
PA
Cyber security best practicesIEC 62443-2 & IEC 62443-3
© ABB GroupSeptember 27, 2015 | Slide 8
Cyber security best practicesDefense in Depth
The coordinated use ofmultiple security measures,
addressing people,technology, and operations.
© ABB GroupSeptember 27, 2015 | Slide 9
Yara GlomfjordSetting the target
§ Yara Technical and Operational Standard 1-17: ProductionIT Security Standard
§ Describes the security requirements regarding theprocurement, set-up, operation and retirement ofProduction IT systems...
§ ABB Cyber Security Guidelines
§ Security Policy
§ Security Design Specification
© ABB GroupSeptember 27, 2015 | Slide 10
Yara GlomfjordTimeline
§ 2011: GAP analysis made by Yara Glomfjord towards internalstandard
§ 2012 Q1: Pre-study by ABB
§ System upgrade seen as most effective solution to getCyber Security issues addressed
§ Estimated time saving: 55%
§ This would also address system lifetime issues
§ 2012 Q2: ABB Cyber Security Guidelines used as basis withnecessary adjustments required in Yara internal standards
§ 2012 Q4: Upgrade completed and Cyber Securityimplemented
§ 2014: Service Agreement with Cyber Security Servicesincluded
§ 2015: Renewal of Service Agreement
© ABB GroupAugust 29, 2015 | Slide 11
Yara GlomfjordInstalled base
§ External Infrastructure
§ Secure Update Server
§ Firewall
§ Computers
§ 12 Operator Workstations
§ 2 Engineering Workstations
§ 7 System Servers
§ Management Server
§ Backup Server
§ Controllers
§ 14 800xA AC800M
§ 4 * Advant AC450
§ Network Equipment
© ABB GroupAugust 29, 2015 | Slide 12
Yara GlomfjordDeployment Project – Security Design Specification
§ 2. IT Infrastructure§ 3. Security Implementation
§ Secure Update Servers§ Backup and Recovery§ Patch Management§ Anti-Virus§ Hardening
§ 4. Computer and User Configuration§ Group Policy Management§ Organizational Units§ Role Based Access Control§ Security Configuration (in System 800xA)
§ 5. Network and Interface§ Monitoring§ Network planning and documentation§ Communication Interfaces§ Network Setup for the Execute Project Phase
§ 6. Upgrade to System 800xA Rev. A
© ABB GroupSeptember 27, 2015 | Slide 13
Yara GlomfjordService Agreement
§ Basic services (required)
§ Service Desk
§ Change Management
§ Configuration Management (Inventory Database)
§ Field Alert Management (e.g. Security Update andVulnerabilities)
§ Cyber Security Services
§ Service Maintenance and Incident Handling
§ Security Patch Management
§ Antivirus Management
§ System Security Monitoring
§ System Backup and Restore
§ Optional Services
© ABB GroupSeptember 27, 2015 | Slide 14
Yara GlomfjordOperational Tasks
§ All Cyber Security Services are based on Operational Tasks
§ Operational tasks are defined in the Cyber Security Guidelines
§ The Engineering team run the Operational Tasks in theProject Deployment phase
§ The Service organization take over the responsibility forthe Operational phase
§ Operational tasks definition
§ Title: Name of task
§ Type: Frequency (Ad-hoc, Daily, Weekly, Monthly, Yearly)
§ Estimated effort: Number of hours
§ Purpose: Brief description of scope
§ Description: Detailed step by step list of actions
© ABB GroupSeptember 27, 2015 | Slide 15
Secure in DeploymentDefense in Depth
The coordinated useof multiple security
measures,addressing people,
technology, andoperations.SD3 + C
Secure byDesign
Secure byDefault
Secure inDeployment
Communication
© ABB GroupSeptember 27, 2015 | Slide 16
Set of documents describing how toengineer and commission projectsand maintain and service a system.§ 100 - Security Policy
§ 101 - Security Design Specification
§ 102 - Antivirus Software
§ 103 - Patch Management
§ 104 - Secure Default Settings & Hardening
§ 105 - Access & Account Management
§ 106 - Backup & Recovery
§ 107 - Plant Network Topology
§ 108 - Secure Remote Access
§ 109 - System Connectivity
§ 110 - Security Monitoring & Diagnostics
Secure in DeploymentCyber Security Guidelines
SD3 + CSecure by
Design
Secure byDefault
Secure inDeployment
Communication
© ABB GroupSeptember 27, 2015 | Slide 17
The Cyber Security Services is established to maintainInformation Security for critical process systems.
§ Security Patch Management
§ Antivirus Management
§ User and Access Management
§ System Security Monitoring
§ System Backup and Restore
§ Network Management
§ Cyber Security Fingerprint
Secure in DeploymentCyber Security Services
SD3 + CSecure by
Design
Secure byDefault
Secure inDeployment
Communication
Fingerprint Assessment Implementation Sustain
© ABB GroupSeptember 27, 2015 | Slide 18
Secure in DeploymentCyber Security Fingerprint
SD3 + CSecure by
Design
Secure byDefault
Secure inDeployment
Communication
Fingerprint Assessment Implementation Sustain
Benefits:
§ Consistent – sameeverywhere
§ High and even quality
§ Repeatable
§ Based on bestpracticies
• Data
• Collect
• Store
• View
• Analyze
• Interpret
• Report
© ABB GroupSeptember 27, 2015 | Slide 19
Secure in DeploymentCyber Security Assessment
SD3 + CSecure by
Design
Secure byDefault
Secure inDeployment
Communication
Fingerprint Assessment Implementation Sustain
What to protect and how to protect:
© ABB GroupSeptember 27, 2015 | Slide 20
Secure in DeploymentCyber Security Implementation
SD3 + CSecure by
Design
Secure byDefault
Secure inDeployment
Communication
Fingerprint Assessment Implementation Sustain
Antivirus SolutionsSecurity UpdatesAccount ManagementComputer PoliciesMicrosoft FirewallProcedures and PoliciesPhysical Security
© ABB GroupSeptember 27, 2015 | Slide 21
Secure in DeploymentCyber Security Sustain
SD3 + CSecure by
Design
Secure byDefault
Secure inDeployment
Communication
Fingerprint Assessment Implementation Sustain
ServiceEnvironment
Siteservicedesk
Sharedwork
processes
Integratedroles
Scheduledservices
Service agreementsare tailored to fitcustomer needs andcan representeverything from a fastresponse service to alongterm partnershipincluding a wide rangeof services.
© ABB GroupSeptember 27, 2015 | Slide 22
How ABB works with Cyber SecurityAn integral part of ABB’s products and systems
© ABB GroupSeptember 27, 2015 | Slide 24© ABB GroupSeptember 27, 2015 | Slide 24
