Post on 12-Sep-2014
Understanding the Risk of Cyber Threats to an Industrial Process with a Cyber PHA
Copyright © 2013 exida Consulting LLC
John A. Cusimano, CFSE, CISSP
• Director of ICS Cybersecurity Solutions for exida
• 25 years experience in industrial automation
• Kodak, Moore Products, Siemens, exida
• 6 years in ICS Cybersecurity
• Certifications:
• CFSE, Certified Functional Safety Expert
• CISSP, Certified Information Systems Security Professional
• Industry Associations:
• ISA S99 Committee, WG4 TG3 Chair, TG6 Co-Chair
• Lead developer/instructor for ISA IC 32 Training Course
• ISA S84 Committee
• ISA Security Compliance Institute, technical steering committee
• ICSJWG Workforce Development & Vendor Subgroups
• NIST Cyber-physical Systems workshop lead
• US Expert to IEC TC65 WG10
Process Hazard Analysis (PHA)
• An organized and systematic assessment of the potential hazards associated with an industrial process
• Used for decades to assist operators of potentially hazardous industrial facilities in understanding and ranking operational risks so they can be properly mitigated
• Mandated in the USA by the Occupational Safety and Health Administration (OSHA) in its Process Safety Management regulation for processes that handle highly hazardous chemicals
PHA
• Provides information to assist in making decisions for improving safety and reducing the consequences of unwanted or unplanned events
• Directed toward analyzing potential causes and consequences of fires, explosions, releases of toxic or flammable chemicals and major spills of hazardous chemicals
• Focuses on equipment, instrumentation, utilities, human actions, and external factors that might impact the process
PHA Methods
• Checklist, What if?
• Hazard and Operability Study (HAZOP)
• Failure Mode and Effects Analysis (FMEA)
• Layer of Protection Analysis (LOPA)
• Fault Tree Analysis (FTA)
HAZOP
• A hazard and operability study (HAZOP) is a structured and systematic examination of a planned or existing industrial process in order to identify and evaluate problems that may represent risks to personnel or equipment, or prevent efficient operation
• A HAZOP is a qualitative technique based on guide-words and is carried out by a multi-disciplinary team (HAZOP team) during a set of meetings
Example P&ID (figure)

Parameters and Guide-Words (figure)
Example HAZOP

Worksheet columns: Guide word (GW) | Deviation | Causes | Consequences | Safeguards | Ref# | Recommendations | By
(The Ref# and By columns are blank in this example.)

Row 1
GW: No
Deviation: No Agitation
Causes: Agitator motor drive fails
Consequences: Non-uniformity leads to runaway reaction and possible explosion. Agitator failure is indicated by high reactor temperature and high pressure.
Safeguards: High Temperature and High Pressure Alarm in DCS; Shortstop system.
Recommendations: Add SIF to chemically control runaway reaction. Add a pressure safety relief valve. If necessary, add a de-pressurization SIF. Use LOPA to determine required SIL.

Row 2
GW: More
Deviation: Higher Temperature
Causes: Temperature control failure causes overheating during steam heating
Consequences: High temperature could damage reactor seals causing leak. Indicated by high temperature.
Safeguards: High Temperature Alarm in DCS.
Recommendations: Add high-temperature SIF. Use LOPA to determine required SIL.

Row 3
GW: More
Deviation: Higher Level
Causes: Flow control failure allows the reactor to overfill
Consequences: Reactor becomes full, possible reactor damage and release. Indicated by high level or high pressure.
Safeguards: High Level Alarm in DCS.
Recommendations: Add high-level SIF. Use LOPA to determine required SIL.
Layers of Protection (figure, innermost to outermost)
• Normal activity: process value held by basic automation (process control system)
• Process alarm: plant personnel intervenes
• Safety shutdown: safety system (automatic), the Safety Instrumented System (SIS)
• Active protection: overpressure valve, rupture disc
• Passive protection: collection basin
• Disaster protection
Safety Instrumented System (SIS)
A system composed of sensors, logic solvers, and final
control elements for the purpose of taking the process to
a safe state when pre-determined conditions are violated.
(Figure: the reactor served by a Basic Process Control System (BPCS) and a separate Safety Instrumented System (SIS); each has its own inputs (FT, PT transmitters) and outputs (I/P to the final element).)
The Problem
• PHAs / HAZOPs assume that the control systems and operators (alarms) will perform their intended function (layers of protection)
• Additional layers (e.g. safety systems) are added when the risk is too great
• Modern control systems and safety systems are software-based systems
• It is very common for both to sit on the same network and communicate with the same servers/workstations
• A single vulnerability could disable all layers of protection!
Modern SISs
(Figure: the same BPCS and SIS, with their inputs (FT, PT) and outputs (I/P), now both attached to the Process Control Network (PCN), which connects to the Plant LAN and on to the corporate WAN and Internet.)
Layers of Protection (figure repeated: normal activity / process control system, process alarm / plant personnel intervenes, safety shutdown / SIS, active protection / overpressure valve and rupture disc, passive protection / collection basin, disaster protection)
The ICS Cybersecurity Lifecycle
(Figure, adapted from ISA/IEC 62443-1-1, formerly ISA 99.01.01:2007. Annotation: start with Risk Assessment.)
Value of Performing Cyber Risk Assessments on Control Systems
• Before we can protect our control systems we must understand what we are dealing with
• Determine which assets to protect
• Determine threats to the assets
• Determine vulnerabilities that currently exist
• Identify the risks posed with regard to the assets
• Develop a plan to address unacceptable risk
• Recommend changes to current practice that reduce risks to an acceptable level
• Determine priorities
• Balance cost versus effectiveness
NIST Preliminary Cybersecurity Framework
(Figure. Annotation: start with Risk Assessment.)

RA Guidance from NIST Preliminary Cybersecurity Framework
(Figure: the IDENTIFY (ID) function.)
Risk Assessment Requirements from
ISA 62443-2-1 (formerly 99.02.01)
• Select a risk assessment methodology
• Conduct a high-level risk assessment
• Identify the industrial automation and control systems
• Develop simple network diagrams
• Prioritize systems
• Perform a detailed vulnerability assessment
• Identify a detailed risk assessment methodology
• Identify the reassessment frequency and triggering criteria
• Conduct risk assessments throughout the lifecycle of the
IACS
• Document the risk assessment
General Risk Assessment Methodology
• Identify, characterize threats
• Assess the vulnerability of critical assets to specific threats
• Determine the risk (i.e. the expected likelihood and
consequences of specific types of attacks on specific
assets)
• Identify ways to reduce those risks
• Prioritize risk reduction measures based on a strategy
What’s different about performing a risk
assessment on an ICS versus an IT system?
1. Difficult to identify ICS assets and assess vulnerabilities
• ICS networks often can’t be scanned
• No vulnerability scanning tools for automation equipment (e.g. PLCs, VFDs, MCCs, RTUs, etc.)
• Network diagrams non-existent or outdated
2. Challenging to determine the impact or consequence of
compromise
• Depends on the process it is controlling, the hazards and the
existing safeguards.
• Example:
• What is the impact of an email server getting compromised?
• AD Server? OPC Server? PLC? SIS?
3. Difficult to estimate likelihood or frequency of threats
• Very little historical data available
Risk Assessment Flowchart from ISA 62443-3-2 (Draft 4, Edit 5)
(Figure, reconstructed as a sequence of steps with their inputs and outputs)
• Identify Threats (Section 4.5.1). Inputs: target attractiveness, historical data or common sources (see Appendix A). Output: list of threats.
• Identify Vulnerabilities (Section 4.5.2). Inputs: prior audits, vendors, vulnerability databases, government sources, etc. Output: list of vulnerabilities.
• Determine Likelihood (Section 4.5.3). Inputs: historical data. Output: qualitative or quantitative assessment of likelihood.
• Determine Impact (Section 4.5.4). Inputs: Process Hazard Assessments (e.g. HAZOP). Output: qualitative or quantitative assessment of financial and social impacts.
• Calculate Risk (Section 4.5.5). Inputs: corporate risk matrix. Output: qualitative or quantitative assessment of residual risk.
Example Risk Assessment Process
• Characterize the product or system
  • Model the system (zones & conduits)
  • Identify trust boundaries
  • Identify entry points and data flows
  • Document assumptions and external dependencies
• Identify Critical Assets and Consequences
  • Identify critical assets
  • Evaluate consequence of compromise
• Identify threats
  • Enumerate threats
  • Classify and evaluate threats
• Analyze threats
  • Identify vulnerabilities
  • Identify existing countermeasures
  • Assess the risk of each threat
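The claim made under The Problem (a single vulnerability could disable every layer of protection) and the zones-and-conduits modelling step at the top of this process can be made concrete against the example HAZOP. The Python below is an added example written for this page, not exida's Cyber PHA method or any code from the presentation. It takes the "No Agitation" row of the example HAZOP, records which zone each safeguard depends on, walks the conduit graph to find the zones an attacker who has landed in the Business LAN can reach, treats every safeguard hosted in a reachable zone as defeated, and re-rates the scenario with only the layers that survive. The conduit lists, the host-zone mapping, and the severity, likelihood, LOPA-style credit values and risk-matrix bands are all assumptions constructed for illustration, not values from the talk.

```python
"""Cyber PHA check: which HAZOP safeguards survive a single cyber compromise?

Zones joined by conduits (ISA 62443 style) form a graph.  An attacker who owns
an entry zone is assumed able to reach every zone connected by a conduit, and
every cyber-hosted safeguard in a reached zone is counted as defeated.
Mechanical layers (relief valve, rupture disc) have no host zone and survive.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Conduit model.  Zone names follow the architecture slide; which conduits
# exist is an ASSUMPTION.  "Flat" is the case the talk warns about: BPCS and
# SIS on the same network, reachable from IT.
FLAT_CONDUITS: Dict[str, Set[str]] = {
    "Internet": {"Business LAN"},             # through the enterprise firewall
    "Business LAN": {"PCN"},                  # DCS servers / historian reachable from IT
    "PCN": {"Business LAN", "Safety"},        # SIS engineering traffic rides the PCN
    "Safety": {"PCN"},
}
# Segmented variant: the Safety zone accepts no inbound conduit at all.
SEGMENTED_CONDUITS: Dict[str, Set[str]] = {
    "Internet": {"Business LAN"},
    "Business LAN": {"PCN"},
    "PCN": {"Business LAN"},
    "Safety": set(),
}

# Zone each layer of protection depends on; None = non-cyber (mechanical).
HOST_ZONE: Dict[str, Optional[str]] = {"DCS": "PCN", "SIS": "Safety", "MECH": None}


@dataclass
class Safeguard:
    name: str
    host: str          # key of HOST_ZONE
    credits: int = 1   # LOPA-style orders of magnitude of risk reduction (assumed)


@dataclass
class Scenario:
    deviation: str
    cause: str
    consequence: str
    severity: int                 # 1..5 on the (assumed) corporate risk matrix
    unmitigated_likelihood: int   # 1..5 with no safeguard credited
    safeguards: List[Safeguard] = field(default_factory=list)


def reachable_zones(entry: str, conduits: Dict[str, Set[str]]) -> Set[str]:
    """Breadth-first search over conduits from the zone the attacker owns."""
    seen, todo = {entry}, deque([entry])
    while todo:
        zone = todo.popleft()
        for nxt in conduits.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def surviving_safeguards(scn: Scenario, entry: str,
                         conduits: Dict[str, Set[str]]) -> List[Safeguard]:
    """Layers an attacker in `entry` cannot defeat: mechanical layers plus any
    cyber layer whose host zone is not reachable over the conduit graph."""
    reach = reachable_zones(entry, conduits)
    return [s for s in scn.safeguards
            if HOST_ZONE[s.host] is None or HOST_ZONE[s.host] not in reach]


def risk_rating(severity: int, likelihood: int) -> str:
    """Toy 5x5 risk matrix with assumed bands (not exida's matrix)."""
    score = severity * likelihood
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"


def rate_scenario(scn: Scenario, entry: Optional[str],
                  conduits: Dict[str, Set[str]]) -> Tuple[int, str, List[str]]:
    """(mitigated likelihood, rating, surviving safeguard names).
    entry=None is the classical PHA view: every safeguard is assumed to work."""
    alive = scn.safeguards if entry is None else surviving_safeguards(scn, entry, conduits)
    likelihood = max(1, scn.unmitigated_likelihood - sum(s.credits for s in alive))
    return likelihood, risk_rating(scn.severity, likelihood), [s.name for s in alive]


# The "No Agitation" row of the example HAZOP with its recommendations applied.
# Severity, likelihood and credit values are constructed for illustration.
NO_AGITATION = Scenario(
    deviation="No Agitation",
    cause="Agitator motor drive fails",
    consequence="Runaway reaction and possible explosion",
    severity=5,
    unmitigated_likelihood=4,
    safeguards=[
        Safeguard("DCS high temperature / high pressure alarm", "DCS", 1),
        Safeguard("Shortstop SIF", "SIS", 2),
        Safeguard("Pressure safety relief valve", "MECH", 1),
    ],
)

if __name__ == "__main__":
    for label, entry, conduits in [
        ("Classical PHA, no cyber cause", None, FLAT_CONDUITS),
        ("Attacker on Business LAN, flat network", "Business LAN", FLAT_CONDUITS),
        ("Attacker on Business LAN, SIS segmented", "Business LAN", SEGMENTED_CONDUITS),
    ]:
        lk, rating, alive = rate_scenario(NO_AGITATION, entry, conduits)
        print(f"{label}: likelihood={lk} risk={rating} surviving={alive}")
```

Run as a script it prints three ratings for the same HAZOP row: the classical PHA view, where every layer is credited and the residual risk is Low; the flat network, where an attacker on the Business LAN reaches both the PCN and the Safety zone, the DCS alarm and the SIF are both defeated, only the relief valve remains and the risk returns to High; and the segmented design, where the Safety zone has no inbound conduit, the SIF survives and the risk is Low again. The difference between the last two is the kind of answer a cyber PHA is after: which countermeasure restores the independence that the classical PHA silently assumed.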
System Architecture Diagram
(Figure. Locations: IT Data Center, Control Room, Equipment Room, Field. Networks: Corporate WAN, Business LAN, PCN. Components: Enterprise Firewall, Domain Controller, Data Historian, DCS Servers, BPCS HMI, Operator Consoles, BPCS Engineering Workstation, SIS Engineering Workstation, Control PES, FS-PES.)
Cyber PHA Example (figure)

Initial Zone & Conduit Diagram (figure)
Conclusion
With Good Risk Information You Can…
• Determine what plants/processes need to be addressed first
• Intelligently design and apply countermeasures (e.g. network segmentation, access controls, hardening, detection, etc.) to reduce risk
• Prioritize activities and resources
• Evaluate countermeasures based upon their effectiveness versus their cost/complexity
John Cusimano
exida
jcusimano@exida.com
215-453-1720
www.exida.com/security