securing plant operation the important steps...securing your control system and the principles to...

© ABB Inc. September 24, 2012 | Slide 1 Securing Plant Operation The Important Steps Stevens Point, WI


Slide 2: Purpose of this Presentation

During this presentation, we will introduce the subject of securing your control system and the principles to bear in mind when designing security for a system:

Least Privilege

Least Function

Defense in Depth

We will explain the major security controls which should be deployed to your control system as a baseline, e.g. patch management, anti virus, hardening, system recovery.

We will explain the services that ABB has to help implement a secure environment.

Slide 3: Three Key Issues to Address in System Vulnerability

Network connectivity

More and more connectivity is desired or even required

An “air gap” is not as secure as many imagine

Removable Media

May be a valid use of the system with bad results

Restrictions on use

Proper procedures for necessary use

Users of the system

Protection against intentional mischief

Training to protect against mistakes and human engineering

Slide 4: Defense in Depth

Slide 5: Standardization landscape: Scope and completeness of selected standards

[Figure. Chart labels: Energy, Industrial Autom., IT; Design Details, Completeness; Technical Aspects, Management Aspects, Details of Operations; Relevance for Manufacturers; Operator, Manufacturer. Standards shown: ISA 99*, NIST 800-53, IEC 62351, NERC CIP, ISO 27K, CPNI, IEEE P 1686.]

* Since the closing of the ESCoRTS project, ISA decided to relabel the ISA 99 standard to ISA 62443 to make the alignment with the IEC 62443 series more explicit and obvious.

Slide 6: Two Important Principles Common to Most Standards

Principle of Least Privilege

No user should have more rights and permissions than needed to perform his function in the system

Principle of Least Function

Only the functions needed for the system to accomplish its purpose should be present or enabled in the system

Slide 7: Example: Least Privilege Considerations

Is there a real strategy for the membership of groups such as Operators, Engineers, Administrators?

Do these groups have wide ranging permissions?

Are personnel routinely added to multiple groups?

No operator should log onto a control system machine as an administrator.

No engineering user should log on as an administrator unless there is a need to perform administrative duties and they have this responsibility. Even engineering accounts should have limitations on their rights that limit them to the activities that are part of their jobs.

There should be no use of the powerful service account for any other uses. Local login should be disabled in the security policy for the service account.
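
The group membership questions above can be checked mechanically. The following is an added example, not part of the original presentation: a PowerShell function that flags accounts placed in more than one role group, role accounts that are also administrators, and service accounts placed in interactive role groups. The membership table, the account names and the svc-control service account are constructed; the group names follow the slide.

```powershell
# Added example. All accounts and memberships below are constructed sample data.

function Find-RoleGroupOverlap {
    param(
        # Role group name -> member account names.
        [Parameter(Mandatory)] [hashtable] $Membership,
        [string]   $AdminGroup = 'Administrators',
        # Accounts that exist only to run services (hypothetical names).
        [string[]] $ServiceAccounts = @()
    )

    # Invert "group -> members" into "account -> groups".
    $byAccount = @{}
    foreach ($group in $Membership.Keys) {
        foreach ($account in $Membership[$group]) {
            if (-not $byAccount.ContainsKey($account)) { $byAccount[$account] = @() }
            $byAccount[$account] += $group
        }
    }

    foreach ($account in ($byAccount.Keys | Sort-Object)) {
        $groups     = @($byAccount[$account] | Sort-Object)
        $roleGroups = @($groups | Where-Object { $_ -ne $AdminGroup })
        $isAdmin    = $groups -contains $AdminGroup
        $findings   = @()

        # "Are personnel routinely added to multiple groups?"
        if ($roleGroups.Count -gt 1) { $findings += 'MultipleRoleGroups' }
        # Operator or engineering account that also holds administrator rights.
        if ($isAdmin -and $roleGroups.Count -gt 0) { $findings += 'RoleAccountIsAdministrator' }
        # Service account reused as an interactive role account.
        if (($ServiceAccounts -contains $account) -and $roleGroups.Count -gt 0) {
            $findings += 'ServiceAccountInRoleGroup'
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Account  = $account
                Groups   = ($groups -join ', ')
                Findings = ($findings -join ', ')
            }
        }
    }
}

# Constructed sample membership.
$sampleMembership = @{
    Administrators = 'alice', 'svc-control'
    Engineers      = 'alice', 'bob'
    Operators      = 'bob', 'carol', 'svc-control'
}

Find-RoleGroupOverlap -Membership $sampleMembership -ServiceAccounts 'svc-control' |
    Format-Table -AutoSize

# To audit a live node with PowerShell 5.1, build the table from local groups:
#   $m = @{}
#   foreach ($g in 'Administrators', 'Operators', 'Engineers') {
#       $m[$g] = @((Get-LocalGroupMember -Group $g).Name)
#   }
#   Find-RoleGroupOverlap -Membership $m
```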

Slide 8: Example: Least Function Considerations

Is there any software loaded on the system that doesn't need to be there such as games that come with default loads of Windows?

Are any services enabled that don't need to be?

Are any network ports open that don't need to be?

Is removable media access required to accomplish the functions of the control system computers?

Should servers in the system be used as operating screens?

Perhaps operating workplaces should limit which accounts can log in based on function

Slide 9: Network Architecture Considerations

Is the control system network completely isolated from any other network?

If connected to another network, does it use a firewall to segregate the networks?

Has the firewall been specifically configured for the least access required?

Is any use of RPC (DCOM) permitted through the firewall such as for classic OPC? (If so, a tunneling product should be used to eliminate this.)

Are there any dual homed hosts in use? (One NIC on the control system LAN and one NIC on another network such as the corporate network)

Does the ABB control system share a domain controller with any other control system or with an enterprise domain?

Is wireless in use? If so, does it use secure encryption? (WPA Enterprise, Radius Server, IPSEC)

Are there any dial up connections to the system?

Are there any direct connections such as an EWS or Historian on the corporate network bypassing the firewall? (An example here is a historian on the corporate network connected to an Infi90 system via a CIU.)

Any remote connections to the system? Do they use a reverse tunneling technology or are they initiated from outside the firewall? If from outside do they use VPN?

Slide 10: User Account Policies

Establish hierarchy of User Accounts (operator, tech, admin, etc)

Even an Administrator should not log on as Administrator except to perform those duties

Domain wide policy to enforce:

Password Requirements and Role Association

Define Remote Access Security

Operator Group Policy that restricts access to Desktop and Applications

Shared Operator Accounts – are they okay by standards such as ISA99 and NERC?

Slide 11: Password Policies

Standard practice today is complex passwords and regular changes, but this may not be possible for some accounts in a process control environment.

What about shared operator accounts?

Slide 12: 800xA User Account Model

User access is controlled by a three-dimensional model: Person x Object x Function.

Role based access is implemented.

The system restricts access according to the user and user role configuration. For example, the Operator role can acknowledge alarms.

Security can be further defined for an individual user on a process section basis or even an individual tag basis. For example, Unit 1 operators can acknowledge alarms only for Unit 1.

All accesses and changes to the 800xA system and data are logged and tracked in the audit trail.

Slide 13: Services: A required services list is published for each product

Programs that start without user intervention

Can be configured to start automatically or manually or not at all

Can configure which account starts the program

Slide 14: Securing Removable Media

Why secure removable Media?

June 2010 – Stuxnet, spread via infected removable USB media, is discovered. It is the first malware application to include a PLC rootkit.

Methods

First line of defense: Physical restriction to computers + BIOS protection

Second Line of Defense: Physical Locks on Available Ports

Third Line of Defense: Deny OS access to removable media using Group Policy or 3rd party solution

Slide 15: Securing Removable Media: Methods

Hardware Locks

Samples

BIOS protection from boot off USB device

Microsoft Group Policy

Group Policy Management Console

3rd Party endpoint protection

Several free and paid 3rd party utilities
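
For the third line of defense, it helps to confirm on each node that the OS-level restriction actually took effect. The following is an added example, not part of the original presentation: a PowerShell check of the registry values written by the Windows "Removable Storage Access" Group Policy settings and of the USB mass-storage driver start type. It assumes Windows Vista / Server 2008 or later, where these policy settings exist.

```powershell
# Added example: report whether OS-level removable media restrictions are in effect.
# Reads local registry state only; it changes nothing.

function Get-RemovableMediaPosture {
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $usbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    # "All Removable Storage classes: Deny all access" writes Deny_All = 1.
    $denyAll = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).Deny_All
    [pscustomobject]@{
        Check      = 'Group Policy: Deny_All'
        Value      = $denyAll
        Restricted = ($denyAll -eq 1)
    }

    # Per-device-class rules are stored in GUID-named subkeys of the policy key.
    Get-ChildItem -Path $policyKey -ErrorAction SilentlyContinue | ForEach-Object {
        $rule = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Check      = "Group Policy: class $($_.PSChildName)"
            Value      = "Deny_Read=$($rule.Deny_Read) Deny_Write=$($rule.Deny_Write) Deny_Execute=$($rule.Deny_Execute)"
            Restricted = ($rule.Deny_Read -eq 1 -and $rule.Deny_Write -eq 1)
        }
    }

    # USB mass-storage driver: Start = 4 means disabled, 3 means load on demand.
    $start = (Get-ItemProperty -Path $usbStorKey -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        Check      = 'USBSTOR driver start type'
        Value      = $start
        Restricted = ($start -eq 4)
    }
}

Get-RemovableMediaPosture | Format-Table -AutoSize
```

An empty Value means the setting is not configured on that node, which is the state to look for after a PC replacement or software reload.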

Slide 16: Securing Removable Media: Control Access using Hardware Lock Mechanism

Always restrict physical access to the machines as much as possible even if USB locks are used!

2 Types of Locking Mechanisms

Effective

Secure

Cosmetic = Dust Protection

“Child Proof Locking”

Slide 17: Patch Management

Patch management – Must be certain that no change to the system will adversely affect operation. Patches must be kept current within 30 days. NERC CIP-007, ISA TR99.02.03

Ports and services required for the applications must be identified and only those ports and services may be enabled – NERC CIP-007, ISA 99.03 SR 7.6, 7.7

Account management – Authentication and accountability required, principle of least privilege, security audit trail, periodic review, password policies, personnel changes. NERC CIP-007, ISA 99.03 SR 1.1, 1.2, 6.2

Slide 18: Security Updates – Patch Management

Which updates are validated for my system?

Where do I get the updates?

How do I install the updates?

Slide 19: Which updates are validated for my system?

Find the validated update document for your products at: http://solutionsbank.abb.com

Slide 20: Where do I get the updates?

Subscribe to Sentinel

Can retrieve update documentation from Solutionsbank

New add-on service for Sentinel subscribers

Sentinel subscribers can receive a Security Update CD in the mail as they are released. These update CDs currently only support 800xA 5.0 and 5.1 systems, but other systems are being considered for inclusion.

Slide 21: Download from Solutionsbank

As the updates are validated and compiled for the Security Update CD, they are also made available as a download in Solutionsbank

Slide 22: Automatic Downloads with WSUS

Utilizing WSUS services from Microsoft, all updates can be downloaded, approved by you based on the ABB Validated Update document, and installed to all nodes in your system using the built-in Windows Update feature.

Slide 23: Manual Downloads

ABB validated updates can also be downloaded manually, directly from the validated update document. Each update listed in the document includes a hyperlink to Microsoft's TechNet update site.

Slide 24: How do I install the updates?

Generally the procedure to install the updates will depend on how you got them.

If you received the CD in the mail, all you need to do is perform a maintenance stop on the node you want to install to, and install the CD. The security update installation window will appear, prompting to begin the install. After all of the updates have installed, reboot the node to restart all of the ABB services.

If you downloaded the update file from Solutionsbank, unzip the file and burn it to a CD, then the procedure will be the same as above. You can also copy the files to a USB flash drive or a network share and run the install from there.

If you manually downloaded the files either from the links in the update document or used another manual process, the files need to be individually installed. It is possible to automate the installation process by creating a batch file to install the updates.
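
One way to script the manual case so that only updates on the validated list get installed. This is an added example, not ABB's installer and not part of the original presentation; it uses PowerShell in place of the batch file the slide mentions. The KB numbers, file names and the one-KB-per-line approved list file are constructed assumptions; wusa.exe with /quiet and /norestart is the standard Windows installer for .msu packages.

```powershell
# Added example. KB numbers, file names and paths are constructed placeholders.

function Get-KbId {
    # Extract "KBnnnnnnn" from an update file name, or $null if there is none.
    param([Parameter(Mandatory)] [string] $FileName)
    if ($FileName -match '\bkb(\d{6,8})\b') { return "KB$($Matches[1])" }
    return $null
}

function Select-ApprovedUpdate {
    # Mark each file as approved only if its KB id is on the validated list.
    param(
        [Parameter(Mandatory)] [string[]] $FileNames,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $ApprovedKbs
    )
    foreach ($file in $FileNames) {
        $kb = Get-KbId -FileName $file
        [pscustomobject]@{
            File     = $file
            Kb       = $kb
            Approved = [bool]($kb -and ($ApprovedKbs -contains $kb))
        }
    }
}

function Install-ApprovedUpdate {
    param(
        [Parameter(Mandatory)] [string] $UpdateFolder,
        [Parameter(Mandatory)] [string] $ApprovedListPath,   # text file, one KB id per line
        [switch] $DryRun
    )
    $approved = @(Get-Content -Path $ApprovedListPath |
        ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^KB\d+$' })
    $files = @(Get-ChildItem -Path $UpdateFolder -Filter '*.msu' | Sort-Object Name)
    if ($files.Count -eq 0) { return }

    foreach ($item in (Select-ApprovedUpdate -FileNames $files.Name -ApprovedKbs $approved)) {
        if (-not $item.Approved) { $status = 'Skipped-NotOnApprovedList' }
        elseif ($DryRun)         { $status = 'WouldInstall' }
        else {
            $path = Join-Path $UpdateFolder $item.File
            $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                -ArgumentList "`"$path`"", '/quiet', '/norestart' -Wait -PassThru
            $status = switch ($proc.ExitCode) {
                0                      { 'Installed' }
                3010                   { 'Installed-RebootRequired' }
                2359302                { 'AlreadyInstalled' }   # 0x00240006
                { $_ -eq -2145124329 } { 'NotApplicable' }      # 0x80240017
                default                { "Failed (exit code $_)" }
            }
        }
        [pscustomobject]@{ File = $item.File; Kb = $item.Kb; Status = $status }
    }
}

# Constructed sample: which of these downloaded files would be installed?
Select-ApprovedUpdate -ApprovedKbs 'KB1111111' -FileNames @(
    'windows6.1-kb1111111-x64.msu'
    'windows6.1-kb2222222-x64.msu'
    'readme-update.msu'
) | Format-Table -AutoSize
```

The script never reboots the node; run it during the maintenance stop with -DryRun first, keep the returned status table as the change record, and reboot afterwards as described above.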

Slide 25: Example References

Recovery Plans for Critical Cyber Assets

Recovery plans must be documented including who is responsible

Plans must be tested at least annually including walking through a simulated loss and recovery

These plans are not limited to backing up software, but may include recording configuration settings, etc.

Backups can be made without affecting normal plant operation

The system shall support automating this function

Software backup media must be tested

NERC CIP-009, ISA99.03 SR 7.3

Slide 26: Question:

What type of backups do I need to make?

Slide 27: Answer:

What type of failure are you going to have?

Slide 28: Software Backup Strategies

Application Backups

Disk Image Backups

Active Directory Backups

Domain Controller Backups

Scheduling Considerations

Verifying Backups

Slide 29: Application backups vs. image backups

Application Backups

Backs up specific data and configuration for an application or project.

Great for restoring pieces of lost information.

Useful for replacing corrupt files

Only needed as often as the data changes.

Not OS or hardware specific but usually version specific

Does not back up the application itself.

Great for upgrades

Slide 30: Application backups vs. image backups

Disk Images

Full sector by sector image of the entire drive or partition.

Great for reloading the entire disk or computer.

Fastest recovery method for failed hard drive.

Useful for creating off-line virtual systems for troubleshooting issues.

Regulatory compliance for testing backups can be met through virtualization.

File and folder information can be restored through mounting the image as a drive.

Slide 31: Services to help secure the system

Security Support Services

Software Backup Services

Patch Management Services

Change Management and Security Logging

These services are available for Microsoft Windows based systems:

800xA – All connectivity options

Symphony – Process Portal B, Conductor NT, Conductor VMS clients

Slide 32: Security Support Services: Solutions

Audits and policy validation

Compatibility testing

System hardening and policy implementation

Documentation and training

Consulting

Slide 33: ABB Cyber Security Audit and Hardening Services

Slide 34: Regulatory and Standards Considerations

ABB bases our recommendations and service offerings on internationally recognized principles and best practices.

Regulations are the key element driving some market segments and help define our programs. Examples:

NERC CIP - Has force of law in US

OLF Guideline 104 - Best Practice widely adopted in Oil and Gas industry

Existing and emerging standards help define what steps are taken. Examples:

ISA99

ISO 27002

NIST 800-53

Slide 35: Standardization landscape: Scope and completeness of selected standards

[Figure. Chart labels: Energy, Industrial Autom., IT; Design Details, Completeness; Technical Aspects, Management Aspects, Details of Operations; Relevance for Manufacturers; Operator, Manufacturer. Standards shown: ISA 99*, NIST 800-53, IEC 62351, NERC CIP, ISO 27K, CPNI, IEEE P 1686.]

* Since the closing of the ESCoRTS project, ISA decided to relabel the ISA 99 standard to ISA 62443 to make the alignment with the IEC 62443 series more explicit and obvious.

Slide 36: Services and Ports

A very important step for securing computers is to eliminate unneeded services and network ports

Services and ports are audited to record their current state and are compared to the ABB required services documentation

Any required third party services are reviewed

All others are disabled or uninstalled

Reduces the amount of functions for the computer
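
The audit described here, and the required services list mentioned on the earlier Services slide, amount to comparing a node's current state against a baseline. The following is an added example, not ABB's audit tooling and not part of the original presentation. The baseline names, port numbers and sample inventory are constructed placeholders; on a live node the defaults use Get-CimInstance (PowerShell 3.0 or later) and Get-NetTCPConnection (Windows 8 / Server 2012 or later).

```powershell
# Added example. Baseline entries and the sample inventory are constructed
# placeholders; take the real baseline from the vendor's required services list.

function Compare-ServiceBaseline {
    param(
        [Parameter(Mandatory)] [string[]] $RequiredServices,
        # Objects shaped like Win32_Service: Name, State, StartMode, StartName.
        [object[]] $Inventory = (Get-CimInstance -ClassName Win32_Service)
    )
    foreach ($svc in $Inventory) {
        $isRequired = $RequiredServices -contains $svc.Name   # case-insensitive match
        if (-not $isRequired -and $svc.StartMode -ne 'Disabled') {
            [pscustomobject]@{
                Item    = $svc.Name
                Finding = if ($svc.State -eq 'Running') { 'NotRequired-Running' } else { 'NotRequired-Enabled' }
                Detail  = "StartMode=$($svc.StartMode); RunsAs=$($svc.StartName)"
            }
        }
        elseif ($isRequired -and $svc.StartMode -eq 'Disabled') {
            [pscustomobject]@{ Item = $svc.Name; Finding = 'Required-Disabled'; Detail = 'Baseline drift' }
        }
    }
    # Required services that are not installed at all.
    $present = @($Inventory | ForEach-Object { $_.Name })
    foreach ($name in $RequiredServices) {
        if ($present -notcontains $name) {
            [pscustomobject]@{ Item = $name; Finding = 'Required-Missing'; Detail = 'Not installed' }
        }
    }
}

function Compare-ListenerBaseline {
    param(
        [Parameter(Mandatory)] [int[]] $RequiredTcpPorts,
        # Objects shaped like Get-NetTCPConnection output: LocalAddress, LocalPort, OwningProcess.
        [object[]] $Listeners = (Get-NetTCPConnection -State Listen)
    )
    $Listeners |
        Where-Object { $RequiredTcpPorts -notcontains $_.LocalPort } |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            [pscustomobject]@{
                Item    = "tcp/$($_.LocalPort)"
                Finding = 'NotRequired-Listening'
                Detail  = "Address=$($_.LocalAddress); PID=$($_.OwningProcess)"
            }
        }
}

# Constructed sample inventory standing in for one node.
$sampleServices = @(
    [pscustomobject]@{ Name = 'W32Time';  State = 'Running'; StartMode = 'Auto';     StartName = 'NT AUTHORITY\LocalService' }
    [pscustomobject]@{ Name = 'Spooler';  State = 'Running'; StartMode = 'Auto';     StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'Fax';      State = 'Stopped'; StartMode = 'Manual';   StartName = 'NT AUTHORITY\NetworkService' }
    [pscustomobject]@{ Name = 'EventLog'; State = 'Stopped'; StartMode = 'Disabled'; StartName = 'NT AUTHORITY\LocalService' }
)
$sampleListeners = @(
    [pscustomobject]@{ LocalAddress = '0.0.0.0'; LocalPort = 135;   OwningProcess = 700 }
    [pscustomobject]@{ LocalAddress = '0.0.0.0'; LocalPort = 3389;  OwningProcess = 1200 }
    [pscustomobject]@{ LocalAddress = '0.0.0.0'; LocalPort = 50000; OwningProcess = 2400 }
)

# 'ExampleVendorSvc' is a hypothetical required service that is missing here.
$findings  = @(Compare-ServiceBaseline -RequiredServices 'W32Time', 'EventLog', 'ExampleVendorSvc' -Inventory $sampleServices)
$findings += @(Compare-ListenerBaseline -RequiredTcpPorts 135 -Listeners $sampleListeners)
$findings | Format-Table -AutoSize
```

Omitting -Inventory and -Listeners audits the local machine; saving the output per node gives the recorded current state that later periodic audits can be compared against.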

Slide 37: Additional Security Principles Reviewed Recommendations Made

Physical Restriction to Interfaces

Removable Media Policies and Settings

BIOS Boot Settings and Configuration Passwords

Security Policy Administration

Principle of Least Privilege

Use of shared accounts

Standards for desktop lockdown

Auditing of Security Events

Reporting of Patch Management and Antivirus Deficiencies

Network Architecture Considerations

Slide 38: Reporting

Detailed reporting provides easy to interpret summary

Also provides details of discrepancies with customer's own policy or ABB secure default policies

Provides recommendations to correct deficiencies

Slide 39: Reporting

Slide 40: Reporting

Slide 41: Security Support Services: System Hardening and Policy Implementation

User Roles, Access Control and Workstation Hardening

Establish hierarchy of User Accounts (operator, tech, admin, etc)

Domain wide policy to enforce:

Password Requirements and Role Association

Define Remote Access Security

Operator Group Policy that restricts access to Desktop and Applications

Provide hardening services as applicable

Close un-necessary ports

Disable non-essential services

Slide 42: Security Support Services: System Hardening and Policy Implementation

Schedule appropriate time for implementation

Often changes can be done with no impact on operations, but an attitude of caution may be prudent depending on the process

Software upgrades and major system changes may be recommended if operating systems are obsolete

Depending on changes, an outage may be required, e.g. if software upgrades are required

Implement changes on site

Configuration with firewall and other mechanisms

Most changes can be made with group policies if the system is in a domain

Final test of all changes in the operating environment

Prepare final report of 'as delivered' changes

Slide 43: Security Support Services: Consulting and on-going compliance support

The system is likely to fall out of compliance over time, as a result of:

Intentional or unintentional changes

Replacements of PCs

Software reloads, upgrades, etc.

New threats

Periodic Audits to ensure correct settings

Discussions with the plant personnel responsible for the program to make sure the program is meeting their needs

Slide 44: Security Support Services: Consulting and on-going compliance support

Provide training as turnover of security responsible personnel occurs in the plant

Create procedure documents for loading computers with correct security policy settings

Implement policy requirements for new equipment added to plant or on any replacements shipped to plant

Implement a secure remote connection to your system

For remote support from ABB (see our remote enabled services demonstration in the US Services exhibit)

For your own use to securely connect to the system from a remote location

Slide 45: Software Backup Services: Purposes

A service to safeguard the data and configuration of the system against loss

A service to enable rapid recovery from a computer device failure

A service to maintain the data needed in the process of an upgrade of the applications

A service that verifies system recovery data is valid

A service to help in meeting regulatory requirements such as NERC CIP regulations regarding disaster recovery

Slide 46: Software Backup Services: Features

Hard drive imaging to a central server

Configuration backups in addition to imaging

Customized scheduling and scripting to automate the update of images

ABB tested bandwidth and CPU utilization to avoid performance problems

Full domain integration

Backup image testing

Restoration training

Slide 47: Patch Management Services: Software updates

Update ABB control system applications

Install MS Operating System Hotfixes and Patches as applicable

Submit Summary Report with as-hardened “baseline”

Prepare Patch Management Process documentation

Option for quarterly or semi-annual return service for updating available

Option for installation of an update server for automating roll-out of Windows Security Patches

Slide 48: Patch Management Services: Anti-Virus / Malware Protection

Load and configure Antivirus in accordance with ABB guidelines for application performance

Update Virus Scan Engine

Load current definition files

Configure Automated Scan schedule

Submit Summary Report

Option for installation of an update server for automating update of Anti-Virus updates

Slide 49: Security Solutions: Secure Remote Access

Connection to Corporate Network via Router w/ Firewall or DMZ.

Allows for Remote Diagnostics for Control System support

Can Support WSUS (Windows Update) and Anti Virus Updates

Allows for Remote Operator and Engineering Clients

Secured as Read-Only

Configured for off-site Operation and Maintenance

Slide 50: Service Environment™: Cyber Security Service Portfolio

Risk Assessment

Create asset register

Criticality classification

Support security policy creation

Support creation of a security organization

Gap analysis and Services design

Infrastructure for Services delivery

Maintenance of System Recovery Plan

User Management

ABB Remote Monitoring and Operations Room

Anti virus management

Microsoft Patch Management

System backup/restore management

NIDS/HIDS Management

Virus removal
