Cyber SecurityDifferences between Industrial Control Systems and ICT approach

Marco Biancardi, Power Systems Division, BU Power Generation, October 2013

Introduction

Information Technology (IT)* is the application of computers and telecommunications equipment to store, retrieve, transmit and manipulate data, often in the context of a business or other enterprise. The term is commonly used as a synonym for computers and computer networks

Industrial Control System (ICS)* is a general term that encompasses several types of control systems used in industrial production, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures

Definitions

* Source: Wikipedia

Introduction

Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack*

Cyber security: a definition

*Source: Merriam-Webster’s dictionary

IntroductionWhy is it an issue?

StandardEthernet/IP-based networks

Isolated devices Point to point interfaces

Proprietarynetworks

Inter-connected

systems

Distributed systems

Modern SCADA, automation, protection and control systems : leverage commercial off the shelf IT components (i.e. MS Windows, Internet

Explorer) use standardized, IP based communication protocols are distributed and highly interconnected use mobile devices and storage media

Modern control systems are specialized IT systems, with multiple vulnerabilities

Hacking

Malicious software installed via USB port

Employee Mistake

DifferencesOffice IT vs Utilities/Industry: …they are different!

Corporate/Office IT Utilities/Industry

Environment Offices and «mobile» «in the field»

People/EquipmentRatio # of Equipment ~= # of people Few people, many equipment.

Object under protection Information Industrial process: availability

Risk Impact Information disclosure, $$$ Safety (life), Health, Environment, Information disclosure, loss of production, downtime, repairing costs, $$$

Availabilityrequirements

95%-99% (accept. downtime/year: 18,25 –3,65 days) 99,9%-99,999% (accept. downtime/year: 8,76 hrs – 5,25 minutes)

System lifetime 3-5 years 15-30 years

Security focus Central Servers (CPU, memory,…) and PC Server/PC + distributed systems, Sensors, PLC,…

Operating systems Windows Windows + proprietary

Software Consumer Software , normally used on PC Specific

Protocols Well known (HTTP over TCP/IP ,…) / mainly web Industrial (TCP/IP, Vendor specific) / polling

Procedure Well known (password,…) Specific

Main actors IBM, SAP, Oracle, etc. ABB, Siemens, GE, Honeywell, Emerson, etc.

Measures taken to protect a computer or computer

system (as on the Internet) against unauthorized access

or attack*

translates into

Measures taken to protect the reliability, integrity and availability of power and automation technologies

against unauthorized access or attack

IntroductionA definition in the context of power and automation technology*source Merriam-Webster’s dictionary

Likelihood

ThreatsWhere are attack sources?

Accidents / Mistakes

Rogue insider

Malware

Thieves / Extortionists

Enemies / Terrorists

Likelihood is unknown

Consequences are potentially huge

ThreatsWhat if…

What if this information gets disclosed

What if someone opens a breaker

What if it does not open when it should

What if I cannot operate a device/PLC

What if someone else can operate a device/PLC

What if a transformer is overloaded due to a wrong temperature reading?

What if a protection is not working properly?

What if a not-authorized person can access supervision/control network?

What if a not-authorized person can access DSO/TSO network?

What if a blackout happen in cold winter?

ThreatsWorld news

SolutionsHow can you proceed?

CyberSecurity Cycle

Check Actual Status Assessment

AwarenessKeeping up-to-date

100% Security does not exist. Security: Is not a product but a process

RiskMitigation

Dedicated solutions

What if…

OperationalSecurity

Continuous monitoring

Follow-up

SolutionsABB Service Approach

Differentservicelevels,based onprojectstatus

Patch managementAccount managementAntivirus managementBackup&Restore management

2. FIRST-AID SERVICEDesign ReviewHW update & HardeningSW service

Analysis Report1. ASSESSMENTSite InventoryRisk Assesment

3. INDUSTRIAL DEFENDERManageMonitor

hardware/software

4. ACROSS-LIFEKeeping up-to-dateTraining

Recurrent Reports/ Coursewares

Why ABBDefense in depth

Strong (Secure)ABBproducts

+

Industrial DefenderSolutions

Defense in depth