ABB ICS Cyber Security Reference Architecture
TRANSCRIPT
PUBLIC
ABB ICS Cyber Security Reference Architecture: Introduction, June 2021
ABB ICS Cyber Security Reference Architecture
June 30, 2021, Slide 2
Agenda
1. Introduction
2. Foundational principles
3. Implementation Examples
Slide 3: Industrial companies face elevated cyber security risks
Key risk factors:
• Distributed systems
• Asset complexity
• Process complexity
• Insufficient security visibility
• Insufficient security awareness
• Insufficient security expertise
Lucrative and attractive target that leads to… potential impacts:
• Production
• Environmental
• Public health and safety
• Trust
• Revenue
Slide 4: Reducing risk – ABB's cyber security portfolio helps to reduce the likelihood of cyber incidents
ABB Ability™ Cyber Security Services: Operations, Consulting, Training, Maintenance, Controls
[Chart: Risk (Low to High) plotted against Security (Low to High). The curve "Likelihood of being affected" is annotated with the threat tiers Non-targeted threats, Hobbyist hackers, Professional hackers and Nation states; "Required security level" and "ABB's cyber portfolio" are marked on the chart.]
Slide 5: Reducing risk – A strong network architecture reduces risk
ABB Ability™ Cyber Security Services: Operations, Consulting, Training, Maintenance, Controls
[Chart: the same Risk-versus-Security chart as on Slide 4, with the threat tiers Non-targeted threats, Hobbyist hackers, Professional hackers and Nation states, the "Required security level" and "ABB's cyber portfolio" marks, and the added step "Design and deploy a strong network architecture".]
Slide 6: Introduction
What is it?
A reference architecture provides a template solution for an architecture for a particular domain. It also provides a common vocabulary with which to discuss implementations, often with the aim to stress commonality.
Your guide for a cyber secure architecture.
What is it NOT!
• It is not a guarantee that a system is secure or invulnerable to cyber-attacks.
• It does not guarantee to pass external audits.
• The reference architecture is not developed with a specific (DCS) system in mind.
Always follow product manuals to ensure proper functionality and system availability.
Slide 7: Security levels (IEC 62443-3-3:2013)
Security level – Description
SL 1: Prevent the casual or coincidental circumvention of zone and conduit segmentation.
SL 2: Prevent the intended circumvention of zone and conduit segmentation by entities using simple means with low resources, generic skills, and low motivation.
SL 3: Prevent the intended circumvention of zone and conduit segmentation by entities using sophisticated means with moderate resources, IACS specific skills, and moderate motivation.
SL 4: Prevent the intended circumvention of zone and conduit segmentation by entities using sophisticated means with extended resources, IACS specific skills, and high motivation.
Functional requirements (sections of IEC 62443-3-3:2013):
1 Identification and authentication control
2 Use control
3 System integrity
4 Data confidentiality
5 Restricted data flow
6 Timely response to events
7 Resource availability
Slide 8: Our assessment (IEC 62443-3-3:2013)
The reference architecture makes it possible to design a system to achieve SL4.
However, the reference architecture does not suggest that simply applying the recommendations will ensure compliance with SL4, nor does it imply that the reference architecture is certified.
Compliance requires hard work and can never be bought.
[Diagram: OT Systems – Control System]
[Diagram: OT Systems – Control System – IT Systems]
Slide 13: Level 0 – Process: Sensors and actuators directly connected to the process.
Slide 14: Level 1 – Local and Basic Control: DCS controllers, I/O and fieldbus interfaces that control the process.
Slide 15: Level 2 – Supervisory Control: Related to monitoring and controlling the process.
Slide 16: Level 3 – Operations and Systems Management: Auxiliary functions tied to the production (OT) but not directly used to operate.
Slide 17: Level 4 – Enterprise Business Systems: Office systems.
Slide 18: Cloud/Internet: Applications and functions hosted either in personal or public clouds, or other functions using the Internet for communication.
Slide 19: [Diagram only]
Slide 20: Level 3 – Operations Management: Business related systems and functions used for production.
Slide 21: Level 3 – Systems Management: Security related functions.
Slide 22: [Diagram labelling the Secure area, the Un-trusted area and the Trusted area]
Slide 23: [Diagram: Secure area]
Slide 24: [Diagram: Secure area]
Slide 25: Commonly used drawings
Annotations on the example drawings:
• Demilitarized Zone (DMZ)
• Half (.5) Levels
• Combined Level 1 and 0
• Not connected to anything
• No firewalls shown between Levels
Many different “zones”, same concepts, same basic principles.
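The DMZ, the levels and the "No firewalls shown between Levels" remark above are the segmentation decisions that Functional Requirement 5 (restricted data flow) asks a design to make explicit. The Python below is an added example, not ABB's code and not part of the reference architecture: it encodes one plausible rule set as an assumption (a flow may cross only one zone boundary, and the un-trusted IT side may initiate only into the DMZ), checks a constructed list of proposed flows against it, and lists the zone boundaries on which a drawing must show a firewall. The zone names, the rules and the sample flows are all constructed for the illustration.

```python
"""Zone/conduit check for a levelled OT network (added example; not ABB code).

Zones follow the levels named on the slides plus a DMZ between Level 3 and
Level 4 and the Cloud/Internet. The two rules below are an assumption made
for this example, not ABB's published policy:
  1. a flow may cross only one zone boundary (no skipping a level);
  2. the un-trusted IT side (Level 4, Cloud) may initiate only into the DMZ.
"""
from dataclasses import dataclass

# Zones in order from the process upwards; each adjacent pair is a boundary
# that needs a conduit (a firewall rule set). Names constructed for the example.
ZONES = ["L0", "L1", "L2", "L3", "DMZ", "L4", "CLOUD"]
RANK = {zone: i for i, zone in enumerate(ZONES)}
UNTRUSTED = {"L4", "CLOUD"}  # assumption: the IT side of the trusted/un-trusted split


@dataclass(frozen=True)
class Flow:
    src: str      # zone that initiates the connection
    dst: str      # zone that accepts it
    service: str  # constructed label such as "tcp/443"; informational only


def check_flow(flow):
    """Return the policy findings for one flow; an empty list means it is acceptable."""
    findings = []
    if flow.src not in RANK or flow.dst not in RANK:
        return [f"{flow.src}->{flow.dst}: unknown zone"]
    s, d = RANK[flow.src], RANK[flow.dst]
    skipped = abs(s - d) - 1
    if skipped > 0:
        findings.append(
            f"{flow.src}->{flow.dst}: crosses {skipped + 1} zone boundaries at once; "
            "terminate the flow in the intermediate zone"
        )
    if flow.src in UNTRUSTED and flow.dst not in UNTRUSTED and flow.dst != "DMZ":
        findings.append(
            f"{flow.src}->{flow.dst}: un-trusted zone initiating into a trusted zone; "
            "broker it through the DMZ"
        )
    return findings


def review(flows):
    """Map each rejected flow (as 'src->dst service') to its findings."""
    result = {}
    for flow in flows:
        findings = check_flow(flow)
        if findings:
            result[f"{flow.src}->{flow.dst} {flow.service}"] = findings
    return result


def required_conduits(flows):
    """Zone boundaries crossed by accepted flows: each one needs a firewall on the drawing."""
    conduits = set()
    for flow in flows:
        if check_flow(flow):
            continue  # rejected flows do not earn a conduit
        lo, hi = sorted((RANK[flow.src], RANK[flow.dst]))
        if hi - lo == 1:
            conduits.add((ZONES[lo], ZONES[hi]))
    return conduits


# Constructed sample: the connection list of a proposed design.
SAMPLE_FLOWS = [
    Flow("L2", "L1", "tcp/502"),      # operator station to controller: adjacent, fine
    Flow("L3", "L2", "tcp/1433"),     # historian pulling from the supervisory level: fine
    Flow("L3", "DMZ", "tcp/443"),     # data export pushed up into the DMZ: fine
    Flow("L4", "DMZ", "tcp/443"),     # enterprise reads the DMZ copy: fine
    Flow("CLOUD", "L4", "tcp/443"),   # cloud service to enterprise: fine
    Flow("L4", "L2", "tcp/445"),      # enterprise file share straight into OT: two findings
    Flow("L2", "CLOUD", "tcp/8883"),  # "IoT gateway" on Level 2 talking to the cloud: skips zones
]

if __name__ == "__main__":
    for key, findings in review(SAMPLE_FLOWS).items():
        print(key)
        for finding in findings:
            print("  -", finding)
    print("conduits to draw:", sorted(required_conduits(SAMPLE_FLOWS)))
```

Run as a script it prints the two rejected flows with their findings and the five boundaries (L1/L2, L2/L3, L3/DMZ, DMZ/L4, L4/CLOUD) that the accepted flows cross; a drawing that omits a firewall on any of them is the "no firewalls shown between Levels" case the slide warns about.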
Slide 26: Remote access (Use-case 1)
Customer: “We realize that remote access is valuable, but we are concerned that it isn't secure or will break our compliance.”
ABB: Remote access is an integral part of many of our services, and with the recommendations in the architecture it can be implemented without increasing the risk or breaking compliance.
Slide 27: IoT Gateways (or any buzzword) (Use-case 2)
Customer: “We see the value in [insert buzzword here] but don't think it can be done securely.”
ABB: We created the architecture with this in mind. Correctly implemented, you can reap the benefits of these new technologies with only negligible increased cyber risk.
Slide 28: Management Networks (Use-case 3)
Customer: “We were expecting to implement a management network in our design. As it's not shown on the reference architecture, is this prohibited?”
ABB: Sure, we can do that. It's not part of our standard design, but our experts have provided us with guidance to set this up securely.
Slide 29: Compliance (Use-case 4)
Customer: “My CISO told me that I must get my control system certified by the end of the year. Will the reference architecture make me compliant?”
ABB: No, but implementing the architecture will help you meet some of the compliance requirements related to data control and architecture.
Slide 30: Conclusion – Mitigate cyber security risks with a solid architecture for your OT systems
Resource: The reference architecture is the keystone of OT security and your go-to document
• ABB provides recommendations, not rules
• The architecture is highly flexible
• Applies to any OT system or device
Compliance: The reference architecture is the foundation of cyber security compliance
• Rooted in IEC 62443
• Addresses Functional Requirement 5
• Maintain compliance while adopting new technologies
Digital Enabler: The reference architecture is an enabler for the implementation of digital services
• Securely connect to other systems and clouds
• Collect data without reducing security
• Remote access to reduce maintenance cost