INDUSTRIAL CONTROL SYSTEMS PROTECTING YOUR ASSETS
Kay Sallee, CIO, Phillips 66
Keith Hall, Manager, IT Audit, Phillips 66
April 11, 2016
AGENDA
• Industrial Control Systems Overview
• Layered Defense Strategy
• Risks
• Governance
• IT Audit
• Summary
2
Distributed Control Systems (DCS)
Supervisory Control and Data Acquisition (SCADA) systems
Programmable Logic Controllers (PLC)
Other interconnected control devices
Also referred as Operations Technology (OT)
WHAT ARE INDUSTRIAL CONTROL SYSTEMS
3
A term used to describe:
Level 4 business network
Level 3.5 DMZ – process historian, system
management services
Level 3 manufacturing operations and
control
Level 2 instrumentation control / HMI
Level 1 instrumentation/intelligent devices
PURDUE MODEL
4
IT AND ICS COMPARISON
Industrial Control Systems Traditional IT World
Availability
Confidentiality
Data Integrity
Main objective
Main objective
Availability
Confidentiality
Data Integrity
“With identifiable business benefits and rapidly developing technologies that are closing the IT/OT divide, there are functional and operational differences between IT and OT groups” – Gartner
5
INDUSTRY IT AND ICS COMPARISON
Functional / Operational differences exist between IT and ICS AND the underlying
technologies are converging
TOPIC INFORMATION TECHNOLOGY INDUSTRIAL CONTROL SYSTEMS
Support Technology Lifetime 3 - 5 years Up to 20 years
Anti-virus Application Common / Widely Used Difficult to Deploy / Maintain
Patch Updates & Application
Revisions Regular / Routine Schedule Vendor Specific / Slower to Deploy
Change Management Regular / Routine Schedule Irregular
System Availability Delays Accepted 24 x 7 x 365
Security Awareness Good in private and public sector Generally Weak, Making Progress
Physical Security Generally Secured Generally strong, often unmanned
6
PHILLIPS 66 A DIVERSIFIED ENERGY MANUFACTURING AND LOGISTICS COMPANY
Refining Midstream Chemicals
Refines crude oil into
products such as gasoline,
diesel, aviation fuel.
Transports and stores
crude oil, refined products,
natural gas and natural
gas liquids (NGL); Gathers
and processes natural gas
and NGL.
Manufactures
petrochemicals, polymers
and plastics found in cars,
electronics, and other
everyday goods.
Marketing and Specialties
Markets gasoline, diesel
and aviation fuel;
Manufactures and markets
lubricants.
7
• Firewalls
• Antivirus
• Intrusion Detection
• Event Monitoring (SEIM)
• Forensic Tools
• Vulnerability Scanning
• Data Loss Prevention
Prevent. Detect. Respond.
• User Awareness
• Risk Assessment
• Forensic Analysis
• Firewall Management
• Internal Audit
• FBI
• API
• Department of
Homeland Security
• Vendors
• Security Specialists
• Incident Response
• Access Management
• Change Management
• Patch Management
• Security Scanning Security
Tools
Internal
Expertise
External
Resources
Operating
Processes
PHILLIPS 66 LAYERED DEFENSE
8
Common Processes
Policy and standards, training and awareness, change management, user access provisioning,
incident response, business continuity planning, disaster recovery planning
Network
• Firewall
• Intrusion detection
• VPN remote
access
• Email filtering
• Network forensics
Server
• Antivirus
• Patch management
• Password vault
• Physical security
• Log monitoring
• Vulnerability
scanning
• Forensics
• Intrusion prevention
Workstation
• Antivirus / local
firewall
• Disk encryption
• Limited user rights
• Web filtering
• Patch management
• Forensics
• Intrusion prevention
Application
• Application
patching
• User access
management
• Separation of
duties
• Log monitoring
Data / Database
• User access
management
• Database patching
• Data classification
• Encryption
• Records
management
Risk Assessment
Internal risk and assurance assessments and third party penetration tests evaluate criticality of IT assets as
well as effectiveness of controls
PHILLIPS 66 LAYERED DEFENSE
9
Compromise of control systems
could lead to • Disruption or degradation of processes
• Control systems used to deliberately create
HSE* event
ICS events • 2013 Bowman Dam
• 2015 Ukrainian utility blackout
• 2014 German steel plant
• 2008 Turkey pipeline explosion
ICS CYBERSECURITY RISKS
* HSE – Health, Safety and Environment
10
Cybersecurity
Governance
Board
Cybersecurity
Working Groups
Cybersecurity
Networks
• Draft and implement standards & best
practices
• Execute policy and manage exceptions
• Self-audit performance
• Communicate and train at the facilities
• Develop and execute security projects
• Ensure gap assessment of standards
• Evaluate new external cyber-threats and
recommend actions to mitigate risk
• Manage the scope of cybersecurity projects
• Approve cybersecurity standards and policies
• Set acceptable risk level & priorities at
enterprise level
• Secure funding & resources for cyber-security
projects Executive
Committee
PHILLIPS 66 IT AND ICS GOVERNANCE
10
Active business and
IT participation
at all levels
Governance model covers multiple business units (Refining, Midstream, Lubricants)
11
BEST PRACTICES AT PHILLIPS 66
• Shared governance
• Layered defense strategy
• Standardization of the network segmentation
• Internal gap assessment
• External cyber risk assessments
• Internal audit
12
IT AUDIT – APPROACH
• Process Control and other applications
• Programmable Logic Controllers (PLC’s)
• Servers and Console Administration
• Backup and Recovery
• Network Components
• Physical Security
• Remote Access
• Wireless
13
IT AUDIT – BEST PRACTICES
• Schedule additional planning time
• Consider a “guest auditor” who knows the business
• Acknowledge the uniqueness between IT and ICS
14
SUMMARY
• Threat to Industrial Control Systems is real
• ICS systems and underlying technology are changing - becoming more like
traditional IT systems
• Opportunity to learn from and leverage skills across IT and ICS
• Organizational and cultural difference exist
• Strong IT/ICS partnership reduces cybersecurity risk
15