cyber security: differences between industrial control systems and ict approach
DESCRIPTION
by Marco Biancardi Cyber Security Manager and Renewable Automation Sales Support at ABB SpA – Power system Division;TRANSCRIPT
Cyber SecurityDifferences between Industrial Control Systems and ICT approach
Marco Biancardi, Power Systems Division, BU Power Generation, October 2013
Introduction
Information Technology (IT)* is the application of computers and telecommunications equipment to store, retrieve, transmit and manipulate data, often in the context of a business or other enterprise. The term is commonly used as a synonym for computers and computer networks
Industrial Control System (ICS)* is a general term that encompasses several types of control systems used in industrial production, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures
Definitions
* Source: Wikipedia
Introduction
Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack*
Cyber security: a definition
*Source: Merriam-Webster’s dictionary
IntroductionWhy is it an issue?
StandardEthernet/IP-based networks
Isolated devices Point to point interfaces
Proprietarynetworks
Inter-connected
systems
Distributed systems
Modern SCADA, automation, protection and control systems : leverage commercial off the shelf IT components (i.e. MS Windows, Internet
Explorer) use standardized, IP based communication protocols are distributed and highly interconnected use mobile devices and storage media
Modern control systems are specialized IT systems, with multiple vulnerabilities
Hacking
Malicious software installed via USB port
Employee Mistake
DifferencesOffice IT vs Utilities/Industry: …they are different!
Corporate/Office IT Utilities/Industry
Environment Offices and «mobile» «in the field»
People/EquipmentRatio # of Equipment ~= # of people Few people, many equipment.
Object under protection Information Industrial process: availability
Risk Impact Information disclosure, $$$ Safety (life), Health, Environment, Information disclosure, loss of production, downtime, repairing costs, $$$
Availabilityrequirements
95%-99% (accept. downtime/year: 18,25 –3,65 days) 99,9%-99,999% (accept. downtime/year: 8,76 hrs – 5,25 minutes)
System lifetime 3-5 years 15-30 years
Security focus Central Servers (CPU, memory,…) and PC Server/PC + distributed systems, Sensors, PLC,…
Operating systems Windows Windows + proprietary
Software Consumer Software , normally used on PC Specific
Protocols Well known (HTTP over TCP/IP ,…) / mainly web Industrial (TCP/IP, Vendor specific) / polling
Procedure Well known (password,…) Specific
Main actors IBM, SAP, Oracle, etc. ABB, Siemens, GE, Honeywell, Emerson, etc.
Measures taken to protect a computer or computer
system (as on the Internet) against unauthorized access
or attack*
translates into
Measures taken to protect the reliability, integrity and availability of power and automation technologies
against unauthorized access or attack
IntroductionA definition in the context of power and automation technology*source Merriam-Webster’s dictionary
Likelihood
ThreatsWhere are attack sources?
Accidents / Mistakes
Rogue insider
Malware
Thieves / Extortionists
Enemies / Terrorists
Likelihood is unknown
Consequences are potentially huge
ThreatsWhat if…
What if this information gets disclosed
What if someone opens a breaker
What if it does not open when it should
What if I cannot operate a device/PLC
What if someone else can operate a device/PLC
What if a transformer is overloaded due to a wrong temperature reading?
What if a protection is not working properly?
What if a not-authorized person can access supervision/control network?
What if a not-authorized person can access DSO/TSO network?
What if a blackout happen in cold winter?
ThreatsWorld news
SolutionsHow can you proceed?
CyberSecurity Cycle
Check Actual Status Assessment
AwarenessKeeping up-to-date
100% Security does not exist. Security: Is not a product but a process
RiskMitigation
Dedicated solutions
What if…
OperationalSecurity
Continuous monitoring
Follow-up
SolutionsABB Service Approach
Differentservicelevels,based onprojectstatus
Patch managementAccount managementAntivirus managementBackup&Restore management
2. FIRST-AID SERVICEDesign ReviewHW update & HardeningSW service
Analysis Report1. ASSESSMENTSite InventoryRisk Assesment
3. INDUSTRIAL DEFENDERManageMonitor
hardware/software
4. ACROSS-LIFEKeeping up-to-dateTraining
Recurrent Reports/ Coursewares
Why ABBDefense in depth
Strong (Secure)ABBproducts
+
Industrial DefenderSolutions
Defense in depth