Date posted: 12-Sep-2014
Category: Technology
FIRST THINGS FIRST
7 things a chemical process professional should do to secure their facility from unwanted intrusion
John A. Cusimano
• Director of Security Solutions for exida
• President, Byres Research
• Executive Director, Security Incidents Organization
• ISA S99 committee (voting member)
• ISA Security Compliance Institute (voting member)
• Formerly with Moore Products / Siemens
  – QUADLOG Product Manager
  – Global Process Safety Business Development
  – Process Automation Market Development Manager
• CFSE, Certified Functional Safety Expert
Copyright © 2010 - exida
Stuxnet Summary
• First malware specifically targeting industrial control systems
• First discovered in June 2010 (in circulation since June 2009)
• Has the ability to reprogram Siemens S7 PLCs
• Infects Siemens SIMATIC software running on Windows PCs
• Uses SIMATIC software to read S7 PLC memory and overwrite FB with its own code (hidden)
• Spreads via USB memory sticks, local networks and Step 7 project files
• Thousands of PCs infected worldwide (predominantly Iran, India and Indonesia)
• Approximately 17 cases reported on SIMATIC systems
THE 7 THINGS
1. ASSESSMENT
2. POLICY & PROCEDURE
3. AWARENESS & TRAINING
4. NETWORK SEGMENTATION
5. ACCESS CONTROL
6. SYSTEM HARDENING
7. MONITORING
ASSESSMENT
• Evaluate current control system design, architecture, policies and practices
• Compare results to standards & best practices
• Identify gaps and provide recommendations for closure
• Benefits:
  – Provides management with solid understanding of current situation, gaps and path forward
  – Helps identify and prioritize investments
  – First step in developing a security management program
POLICY & PROCEDURE
• Establish control system security policies & procedures
  – Scope
  – Management Support
  – Roles & Responsibilities
  – Specific Policies
    • Remote access
    • Portable media
    • Patch mgmt
    • Anti-virus management
    • Change Management
    • Backup & Restore
  – References
AWARENESS & TRAINING
• Make sure personnel are aware of the importance of security and company policies
• Provide role-based training
  – Visitors
  – Contractors
  – New hires
  – Operations
  – Maintenance
  – Engineering
  – Management
NETWORK SEGMENTATION
• Defense-in-Depth strategy
• Partition the system into distinct security zones
  – Logical grouping of assets sharing common security requirements
  – There can be zones within zones, or subzones, that provide layered security
  – Zones can be defined physically and/or logically
• Define security objectives and strategy for each zone
  – Physical
  – Logical
• Create secure conduits for zone-to-zone communications
  – Install boundary or edge devices where communications enter or leave a zone to provide monitoring and control capability over which data flows are permitted or denied between particular zones.
SYSTEM ARCHITECTURE
Source: ANSI/ISA 99.00.01-2007
PARTITIONING INTO ZONES
Source: ANSI/ISA 99.00.01-2007
Reference Architecture
Image courtesy of Byres Security
Honeywell Reference Architecture
Image Courtesy of Honeywell Process Control
Emerson Reference Architecture
Image Courtesy of Emerson Process Management
Siemens Reference Architecture
Image Courtesy of Siemens AG
DuPont Reference Architecture
Zones shown in the diagram: Business Zone, Operations Management Zone, Process Control Zone, Safety System Zone
Image Courtesy of DuPont
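The zone-and-conduit model from the NETWORK SEGMENTATION slide, written as a default-deny check over observed flows. This is an added example, not part of the original slides: the zone names are the ones labelled on the DuPont diagram, while the address ranges, permitted ports and sample flows are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

ZONES = {  # names from the DuPont diagram labels; address plan is constructed
    "Business": ip_network("10.10.0.0/16"),
    "Operations Management": ip_network("10.20.0.0/16"),
    "Process Control": ip_network("10.30.0.0/16"),
    "Safety System": ip_network("10.30.200.0/24"),  # subzone of Process Control
}

# Directional conduits: (source zone, destination zone) -> permitted (proto, port).
CONDUITS = {  # ports are assumptions chosen for illustration
    ("Business", "Operations Management"): {("tcp", 443)},
    ("Operations Management", "Process Control"): {("tcp", 4840)},  # OPC UA
    ("Process Control", "Safety System"): {("tcp", 502)},           # Modbus/TCP
}

def zone_of(addr):
    """Return the most specific (longest-prefix) zone containing addr, or None."""
    ip = ip_address(addr)
    hits = [(net.prefixlen, name) for name, net in ZONES.items() if ip in net]
    return max(hits)[1] if hits else None

def evaluate(src, dst, proto, port):
    """Default-deny verdict for one observed flow."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny: endpoint outside any defined zone"
    if sz == dz:
        return "intra-zone"
    allowed = CONDUITS.get((sz, dz))
    if allowed is None:
        return f"deny: no conduit {sz} -> {dz}"
    if (proto, port) not in allowed:
        return f"deny: {proto}/{port} not permitted on conduit {sz} -> {dz}"
    return "permit"

FLOWS = [  # constructed sample flows: (src, dst, proto, port)
    ("10.10.5.20", "10.20.1.10", "tcp", 443),
    ("10.10.5.20", "10.30.1.15", "tcp", 502),   # skips a zone
    ("10.20.1.10", "10.30.1.15", "tcp", 3389),  # conduit exists, port does not
    ("10.30.1.15", "10.30.200.5", "tcp", 502),
    ("192.0.2.7", "10.30.1.15", "tcp", 502),    # source in no defined zone
]

def audit(flows):
    return [(f, evaluate(*f)) for f in flows]

if __name__ == "__main__":
    print(*audit(FLOWS), sep="\n")
```

Run against flow records exported from a boundary device, the deny verdicts are the exceptions to review: each one is either a missing conduit definition or traffic that should not be crossing the zone boundary.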
ACCESS CONTROL
• Control and monitor access to control system resources
• Logical & Physical
• AAA
  – Administration
  – Authentication
  – Authorization
• Review
  – Who has access?
  – To what resources?
  – With what privileges?
  – How is it enforced?
• Zone-by-zone
• Asset-by-Asset
• Role-by-Role
• Person-by-Person
SYSTEM HARDENING
• Remove or disable unused communication ports
• Remove unnecessary applications and services
• Apply patches when and where possible
• Consider ‘whitelisting’ tools
• Use ISASecure™ certified products
SYSTEM MONITORING
• Install vendor recommended anti-virus and update signatures regularly
• Review system logs periodically
• Consider IDS or HIPS
• Periodic assessments
THE 7 THINGS
1. ASSESSMENT
2. POLICY & PROCEDURE
3. AWARENESS & TRAINING
4. NETWORK SEGMENTATION
5. ACCESS CONTROL
6. SYSTEM HARDENING
7. MONITORING