@ abb group february 9, 2014 | slide 1 · february 9, 2014 | slide 23 . verification at fat and...


Post on 08-Aug-2020


Page 1: @ ABB Group February 9, 2014 | slide 1 · February 9, 2014 | slide 23 . Verification at FAT and SAT. Project Lifecycle – Engineering / Commissioning Cyber Security Basic Best Practices

@ ABB Group February 9, 2014 | slide 1

@ ABB Group February 9, 2014 | slide 2

145,000 employees in about 100 countries

$39 billion in revenue (2012)

Formed in 1988 merger of Swiss and Swedish engineering companies

Predecessors founded in 1883 and 1891

Publicly owned company with head office in Switzerland

A global leader in power and automation technologies

Leading market positions in main businesses

@ ABB Group February 9, 2014 | slide 3

How ABB is organized: Five global divisions (2012 revenues)

• Power Products: $10.7 billion, 36,000 employees

• Power Systems: $7.9 billion, 20,000 employees

• Discrete Automation and Motion: $9.4 billion, 29,000 employees

• Process Automation: $8.2 billion, 28,000 employees

• Low Voltage Products: $6.6 billion, 31,000 employees

ABB’s portfolio covers:

• Electricals, automation, controls and instrumentation for power generation and industrial processes

• Power transmission

• Distribution solutions

• Low-voltage products

• Motors and drives

• Intelligent building systems

• Robots and robot systems

• Services to improve customers’ productivity and reliability

@ ABB Group February 9, 2014 | slide 4

Cyber Security @ ABB

@ ABB Group February 9, 2014 | slide 5

Just to be clear …

A bit of ABB terminology

Internal (i.e. IT Security)

• Protecting ABB IT infrastructure against unauthorized access, computer based threats and attacks

• Responsibility of Group Function Information Systems (GF-IS)

External (i.e. Cyber Security)

• Helping ABB customers to protect their assets (e.g. energy networks or automation plants) against unauthorized access, computer based threats and attacks

• Responsibility of Group Cyber Security Council and ABB Business

@ ABB Group February 9, 2014 | slide 6

Addressing a global challenge

Cyber Security demand differs greatly around the world

ABB strives to

• Fulfill requirements of "advanced" markets (e.g. N.A.)

• Help establish cyber security in "emerging" markets

• Introduce cyber security and raise awareness where cyber security is not yet a topic

Map legend: High demand / Low demand

@ ABB Group February 9, 2014 | slide 7

The foundation of Cyber Security What does it mean for ABB as an organization

Corporate foundation: Awareness, Research, Incident Response, IT Security, Training, Management Support, External Outreach

• Organizational priority at top management level

• Global, cross-functional and long-term initiative

• Formally established - it is not just a side task

• Starts with improving operational readiness

“(Cyber) Security issues are here to stay” Joe Hogan, CEO ABB Group, ABB Automation and Power World, 2011

@ ABB Group February 9, 2014 | slide 9

Group Cyber Security Council Organization

Group Head of Cyber Security

• Head of Cyber Security PS / PP

• Head of Cyber Security PA

• Head of Cyber Security DM

• Head of Cyber Security LP

• Cyber Security Manager Substation Automation

• Cyber Security Manager Ventyx

• Cyber Security Manager Power Generation

• Cyber Security Manager Grid Systems

• Cyber Security Manager Oil, Gas & Petrochemicals

• Cyber Security Manager Control Technologies

• Cyber Security Manager Service

@ ABB Group February 9, 2014 | slide 10

External Outreach and Research

Collaborations, partnerships and joint research are a must for effective cyber security solutions

• Open discussions and involvement with customers (requires a certain level of trust)

• International standardization efforts (e.g. IEC62351, IEC61850, IEEE1686)

• Joint research initiatives (e.g. EU projects VIKING or ESCoRTS)

• Information exchange initiatives (CPNI.NL, CPNI UK, ICSJWG US)

• Collaborations with 3rd party solution providers

@ ABB Group February 9, 2014 | slide 11

ABB Cyber Security Approach: From the Product Lifecycle to the Plant Lifecycle

• Product Lifecycle: Design, Implementation, Verification, Release, Support

• Project Lifecycle: Design, Engineering, FAT, Commissioning, SAT

• Plant Lifecycle: Operation, Maintenance, Review, Upgrade

@ ABB Group February 9, 2014 | slide 12

SDL for ABB: What is our strategy?

Goal: Implement SDL throughout ABB to increase robustness, quality and security of ABB solutions

Governance: SDL is owned by the ABB Group Cyber Security Council who mandates its use.

Implementation strategy

• Strategy & roadmap developed and driven based on MS-SDL, BSIMM, OWASP and IEC62443-4-1

• Implementation through ABB’s Software Development Improvement Program

• Implementation according to a maturity model

@ ABB Group February 9, 2014 | slide 13

Security Development Lifecycle: The Process

• Training: Core training

• Requirements: Define quality gates/bug bar; Analyze cyber security risk

• Design: Attack surface analysis; Threat modeling

• Implementation: Specify tools; Enforce banned functions; Static analysis

• Verification: Dynamic/Fuzz testing (e.g. DSAC); Verify threat models/attack surface

• Release: Response plan; Final security review (FSR); Release archive

• Response: Execute response plan (e.g. vulnerability handling policy)

Education: Administer and track security training

Process: Guide product teams to meet SDL requirements

Accountability: Establish release criteria and sign-off as part of G5

Incident response

@ ABB Group February 9, 2014 | slide 14

Product Lifecycle - Design & Implementation

Security Training depending on role:

SDL Introduction Training

Secure Design

Threat Modeling

Secure Coding

Security Testing

And more advanced training

Cyber Security Training for Developers

@ ABB Group February 9, 2014 | slide 17

Product Lifecycle - Requirements

Intention is to protect ABB as an organization and the ABB brand

Requirements focus on items that if not properly addressed in any single product could impact all of ABB, e.g. because of negative media coverage

Requirements do not include any items that are e.g. considered requirements to enter a certain market

Approved by the TCT, now included in our Cyber Security and SDL practices/requirements.

Minimum Cyber Security Product Requirements

@ ABB Group February 9, 2014 | slide 18

Graphical representation of scope and completeness of selected standards

*) source DTS IEC 62351-10 10: Security architecture guidelines

Product Lifecycle - Design & Implementation Standards and their scope

@ ABB Group February 9, 2014 | slide 20

Formally established, centralized and independent security test center

Leveraging state-of-the-art open source, commercial and proprietary robustness and vulnerability analysis tools

Close collaboration with ABB developers providing in-depth analysis and recommendations

ABB Device Security Assurance Center State-of-the-art cyber security testing

@ ABB Group February 9, 2014 | slide 21

ABB Device Security Assurance Center State-of-the-art cyber security testing

Qualified and experienced team of 4 full time analysts to run tests and analyze the results

Completed around 100 tests in 2011

Capable of testing standard protocols (e.g. ARP/IP/TCP/UDP/HTTP) and industrial communication protocols (e.g. Modbus/DNP3/IEC61850)

Capable of testing any proprietary protocol using commercially available tools and internal tools developed by the center

Assures consistent approach in carrying-out robustness testing for embedded devices

@ ABB Group February 9, 2014 | slide 22

Product Lifecycle - Verification: ABB’s approach to system security testing

Regular system tests at INL SCADA test bed

• First vendor to have system tested at INL SCADA test bed

• Different systems

• Very valuable for both ABB and customers

• Results go back into requirements on new development and corrections

Interoperability tests with third party solutions

• Verify that solution does not interfere with control system

• Document configuration and setup

• Improve third party solutions

@ ABB Group February 9, 2014 | slide 23

Project Lifecycle – Engineering / Commissioning: Cyber Security Basic Best Practices for Vendors

System Deliveries

Security Basics

• Adequately Trained Engineers

• Secure and Hardened Architecture

• User Management

• Patched System

• Malware Protection

• System Backup

• System Documentation

Verification at FAT and SAT

Diagram labels: Training, Hardening, Users, Patching, Malware, Backup, Doc.

@ ABB Group February 9, 2014 | slide 24

Project Lifecycle – Engineering / Commissioning Deployment Guidelines

@ ABB Group February 9, 2014 | slide 25

Project Lifecycle – Engineering / Commissioning NERC-CIP Statements

@ ABB Group February 9, 2014 | slide 26

Plant Lifecycle – Operation/Maintenance: Cyber Security Basic Best Practices for End Users

Secure System Operation / Cyber Security Services

Security Basics

• Adequately Trained Operators/Engineers

• Periodically Verify Hardened Architecture

• Manage and use Personal Accounts

• Periodically Patch System

• Periodically update Malware Protection

• Periodically Backup and Test Restore

• Update System Documentation

Periodically verify System Status

Diagram labels: Training, Hardening, Users, Patching, Malware, Backup, Doc.

@ ABB Group February 9, 2014 | slide 28

Plant Lifecycle - Maintenance: Patch Management – Example Symphony Plus

Validation of Microsoft security updates

• All relevant updates are tested for compatibility

• Dedicated Security Test Lab covers supported S+ versions

Other 3rd party SW (e.g. Adobe Reader, McAfee)

• Released from SW vendor without schedule

• Verified with next Microsoft Security Update

• Verification status published the same way as Microsoft Security Updates

Similar process for other ABB products

@ ABB Group February 9, 2014 | slide 29

Plant Lifecycle - Maintenance: Vulnerability handling & Incident response

Minimize customer risk

This requires

• Cultural change: Accept that vulnerabilities exist (having a vulnerability is acceptable, improperly handling them is not!)

• Formal processes and policies

• Proper communication at the right time

ABB has established a formal process and vulnerability handling has top priority

To report a vulnerability: [email protected]

Process steps: First Response, Initial Triage, Investigation, Remediation, Notification (with Communication throughout)

@ ABB Group February 9, 2014 | slide 30

Contact – Cyber Security @ ABB Urgent needs – vulnerabilities, incidents, etc.

Web: http://www.abb.com/cybersecurity/

E-Mail: [email protected]

@ ABB Group February 9, 2014 | slide 31

Cyber Security …also a topic in ABB Corporate Research

ABB Corporate Research

• Develops forward-looking cyber security concepts and technology: authentication, remote access, security monitoring, security engineering, product/system security assessments, tracking market trends, …

• Evaluates security relevant technologies

• Adapts enterprise security to industrial control systems context

Research Challenges

• Addressing high availability and performance requirements

• Simplification of security engineering

• Diversity in security solution approaches across the industry

ABB Motivation

• Develop and deploy secure systems

• Drive industry standards

@ ABB Group February 9, 2014 | slide 32

ABB Corporate Research

Threat Modeling changed ABB’s internal processes

IEC62351 Performance Evaluation evolved a standard

Automated network security configuration created a future engineering concept

ESCoRTS was supported by the EU Commission

Selected projects

@ ABB Group February 9, 2014 | slide 33

Cyber Security @ ABB … strong in itself, strong with specialized partners

Industrial Defender ASM

• Centralized dedicated monitoring of security events from Servers, Workstations, Network equipment

• Correlation, prioritization and notification of events based on customer preference and policy.

• Storage for forensic analysis

• Asset Management

Intel Group

• McAfee Antivirus and Application Whitelisting

• WindRiver RTOS security capabilities

SE46

• Application Whitelisting

@ ABB Group February 9, 2014 | slide 34

Cyber Security for Industrial Control Systems

@ ABB Group February 9, 2014 | slide 35

Why is cyber security an issue?

Diagram labels: Isolated devices; Point to point interfaces; Proprietary networks; Standard Ethernet/IP-based networks; Interconnected systems; Distributed systems

Modern automation, protection and control systems

• leverage commercial off the shelf IT components

• use standardized, IP based communication protocols

• are distributed and highly interconnected

• use mobile devices and storage media

• are highly specialized IT systems

@ ABB Group February 9, 2014 | slide 36

What are the unique challenges?

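Comparison: Enterprise IT vs. Industrial Control Systems

• Object under protection. Enterprise IT: Information. Industrial Control Systems: Physical process.

• Risk impact. Enterprise IT: Information disclosure, financial loss. Industrial Control Systems: Safety, health, environment, financial.

• Main security objective. Enterprise IT: Confidentiality, Privacy. Industrial Control Systems: Availability, Privacy.

• Security focus. Enterprise IT: Central Servers (fast CPU, lots of memory, …). Industrial Control Systems: Distributed System (possibly limited resources).

• Availability requirements. Enterprise IT: 95 – 99% (accept. downtime/year: 18.25 - 3.65 days). Industrial Control Systems: 99.9 – 99.999% (accept. downtime/year: 8.76 hrs – 5.25 minutes).

• System Lifetime. Enterprise IT: 3 – 10 Years. Industrial Control Systems: 5 – 25 Years.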

@ ABB Group February 9, 2014 | slide 37

Cyber Security vs. Safety: Similar but different

Cyber Security = Safety

• Both require(d) a culture change

• Both are all about processes

• Both require training

• Both require top management support

Cyber Security ≠ Safety

• Safety is static and predictable (threats don’t change)

• Cyber Security is constantly changing (threats change)

• For Cyber Security the attacker evolves

• Safety solutions can be certified

@ ABB Group February 9, 2014 | slide 38

Demand for Cyber Security: By industry and applications

Chart labels: Customers; Vendors; Standards & Regulations

Ranking shown on a scale from high demand to low demand:

1 Network Management (EMS, SCADA)

2 Process Automation (Oil & Gas)

3 Power Generation DCS

4 Substation Automation

@ ABB Group February 9, 2014 | slide 40

How big is the risk?

Cyber incidents are real and cyber security for industrial control systems must be taken seriously

but it is a challenge that can be met

Stephen Cummings, director of the British government's Centre for the Protection of National Infrastructure,

“Cyberterrorism is a myth”

Denial Panic

Reality

@ ABB Group February 9, 2014 | slide 41

Cyber Security Solutions Delivery for Industrial Control Systems

@ ABB Group February 9, 2014 | slide 42

ABB Foundation Security Solutions User Roles, Access Control and Hardening

Establish hierarchy of Accounts (operator, tech, admin, etc)

Domain wide policy to enforce:

Password Requirements and Role Association

Define Remote Access Security

Operator Group Policy that restricts access to Desktop and Applications

Provide hardening services as applicable

Close unnecessary ports

Disable non-essential services

Establish minimum required software components

@ ABB Group February 9, 2014 | slide 43

ABB Foundation Security Solutions Patch & Anti-Malware Management

Monthly distribution of patches on DVD

Optional service under ServiceGrid Software Support

On-site services to deploy and document patches

Installation of an update server for automating roll-out of both Windows Security Patches and Anti-Virus updates

Application Whitelisting

@ ABB Group February 9, 2014 | slide 44

ABB Foundation Security Solutions Configuration Change Management

Enable Security Event logging

Set-Up a maintenance back-up schedule

Audit Trail Feature logs specified events and includes time stamp when changes were made, which changes were made, on which node the changes were made and who made the changes.

Installation of a security event log server for automating collection and reporting.

@ ABB Group February 9, 2014 | slide 45

ABB Foundation Security Solutions Disaster Recovery

Disk Imaging and selective application Back Up/Restores are possible

Set-up scheduled back up routine

Can use Local or Network Access Storage (NAS) devices

Comprehensive documentation developed for customer use in the event of performing a recovery.

On-Line imaging software with Server Based storage array.

Server can be set-up as image backup testing bed

@ ABB Group February 9, 2014 | slide 46

ABB Foundation Security Solutions Compliance Documentation Service

ABB can work to develop custom documentation for inclusion in a NERC-CIP Compliance Program

Documents compile information from multiple sources and also include project specific instructions

Examples include:

Password change procedures

Back-up and Restore procedures

Detail of node software components

User Maintenance Instructions

Detailed reporting on Ports and Services

@ ABB Group February 9, 2014 | slide 47

What ABB offers – Cyber Security Services. Example: Cyber Security Fingerprint

Steps: Interviews, Data Collection, Analysis

• Cyber Security status identifies strengths and weaknesses

• Recommendations provide a solid foundation to build a sustainable cyber security strategy

• Based on widely accepted industry standards (e.g. NERC CIP, ISA-61443)

@ ABB Group February 9, 2014 | slide 48

ABB - Industrial Defender Partnership

Unquestioned expert in securing the systems we build. That’s our focus – delivering inherently secure systems for industrial and power automation

Leader in developing platform-agnostic technologies that monitor, manage and protect automation systems – centrally, and across mixed environments

• Combined know-how

• True integration

• Aligned technologies

• Tested and verified solutions

• Unified support

Efficient, effective and sustainable cyber security solutions

For more information visit

www.abb.com/cybersecurity & www.industrialdefender.com

@ ABB Group February 9, 2014 | slide 49

Monitor – Manage – Protect Unified approach to security & compliance

• Monitor security & health activity in real-time

• Manage critical activity, including configurations, changes, policy and security events

• Protect against threats to vital automation systems

Enhancing operational excellence, sustaining security & compliance

@ ABB Group February 9, 2014 | slide 53

Cyber Security Solutions Spotlight ABB Security Workplace

@ ABB Group February 9, 2014 | slide 54

ABB Power Generation Cyber Security Introducing Security Workplace

• Real-time Security Event Monitoring & Correlation

• Compliance Automation for NERC CIP

• Configuration Change Management

• Host Intrusion Prevention via Application Whitelisting

• Defense-in-Depth Security

• Automated Anti-virus/malware deployment

• Patch Deployment

• Backup and Restoration Automation

• Disaster Recovery

ABB can help you achieve NERC-CIP compliance with Security Workplace!

@ ABB Group February 9, 2014 | slide 55

ABB Power Generation Cyber Security Introducing Security Workplace

Scalable Solution can incorporate:

• Patching Tool

• Anti-Virus update server

• BackUp & Restore application

• 3rd Party Advance Solutions (e.g. Industrial Defender’s Automation System Management suite)

Integrated with ServiceGrid program

Offers consolidated terminal and view for managing Industrial Control System Cyber Security and Compliance

@ ABB Group February 9, 2014 | slide 56

ABB Power Generation Cyber Security Operating Systems Patch Tool

Works directly with monthly ServiceGrid patch DVD

Scans System nodes to determine current patch status

Reports on a per-machine basis what may be missing or improperly installed

Detail drill down for specific patch and knowledge bank information

Creates installation package for approved patches and pushes this to the endpoint

Automated install can be initiated at each workstation to allow supervision

ABB Power Generation Cyber Security Anti Virus Management

Based on McAfee ePolicy Orchestrator (ePO)

Provides reporting on node AV status

Automate distribution of DAT files

Build schedules and rules for AV operation

ABB Power Generation Cyber Security Disaster Recovery Application

Based on Acronis application software

Disk imaging technology for rapid recovery

Allows “bare metal” restore and compensates for hardware variation

Runs in background and can be scheduled

ABB Power Generation Cyber Security Security Event Management

Based on Industrial Defender’s Automation System Appliance (ASA)

Provides security event management and reporting

Integrates into the Automation System Manager platform.

ABB Power Generation Cyber Security Compliance Reporting

Based on Industrial Defender’s Automation System Management solution

Provides comprehensive system reporting

Automates the collection of required control system data

Includes NERC-CIP standards templates to quickly demonstrate compliance

Cyber Security NERC-CIP Update

NERC – CIP Update: What Version of NERC CIP?

Version 4 of the CIP Standards, current plan:

Version 4 does NOT go into effect: CIP-002-4 through CIP-009-4 do not become effective.

Version 3 to remain in effect until Version 5: CIP-002-3 through CIP-009-3 remain in effect and are not retired until the effective date of the Version 5 CIP Cyber Security Standards under this implementation plan.

Version 5 of the CIP Cyber Security Standards is currently posted on the NERC website.

NERC – CIP Update: NERC CIP NEW for Version 4 & 5

NERC-CIP Revision 4 – Bright Line replaces ambiguous approach

Transmission lines operating at greater than 300-500 kV, depending on their connectivity,

Reactive power assets larger than 1000 MVAR,

Generation sites larger than 1500 MW in a single interconnection,

Certain assets essential to Blackstart capabilities,

Assets able to automatically shed load of 300 MW or more, and

A number of types of Control Centers.

NERC – CIP Update: New “Levels of Impact” to Bulk Electric System for V5

High Impact: Large Control Centers; CIP-003 through 009+

Medium Impact: Generation and Transmission; Other Control Centers; Similar to CIP-003 to 009 v4

All other BES Cyber Systems: Security Policy; Security Awareness; Incident Response; Boundary Protection

Conclusions

Cyber security for critical infrastructures must become a high priority item for all involved stakeholders

Modern control systems bring new challenges in the form of increased connectivity and protecting the privacy of end-user data

Effective cyber security solutions require a joint effort by vendors, integrators, operating system providers, end users and governments

Effective cyber security will require solutions that cover both legacy and new installations

Security is about risk management - perfect security is neither existent nor economically feasible

Contact information Questions, Comments, etc.

[email protected]

[email protected]

www.abb.com/cybersecurity
