© ABB Group November 26, 2015 | Slide 1 | 3BSE072042
Security for Process Control systems
Embedded products with long lifecycle
Tomas Lindström, ABB Control Technologies
Process Control Systems, application examples:
Breweries
Mines
Steel mills
Gas pipelines
Oil rigs
Power plants
Pulp & paper mills
Container terminals
A Process Control System: System 800xA. Many types of embedded devices to secure…
How ABB works with Cyber Security: an important factor in all phases

Product Lifecycle (T = 0,5-2 years): Design, Implementation, Verification, Release, Support
Project Lifecycle (T = 0,5-5 years): Design, Engineering, FAT, Commissioning, SAT
Plant Lifecycle (T = 5-20 years): Operation, Maintenance, Review, Upgrade
Cyber Security for a product organization: The SD3 + C Security Framework

Secure by Design: Security in the Product Development Process (Requirements, Design, Implementation, Verification)
Secure by Default: Default installation and usage with minimal attack surface; built-in functions for Defense in Depth
Secure in Deployment: Support for secure Project and Plant Lifecycle; validation of 3rd party software and solutions
Communication: Correct information to those who need to know
Secure by Design: Security in the Product Development Process
Secure by Design: Security in the product development process
Aligning with Microsoft’s SDL, IEC 61508, IEC 62443-4-1
Examples:
Security check points at project gates
Threat modeling
Attack surface analysis
Design & coding: guidelines and reviews
Static code analysis
Security testing with fuzzing
SD3 + C
Secure by Design
Secure by Default
Secure in Deployment
Communication
Communication Robustness Testing: ABB’s Device Security Assurance Center
(Figure: test flow. The development team submits the device for analysis: vulnerability scanning, protocol fuzzing, network flooding. A PASS is reported back as OK; a FAIL is reported to the development team for correction, followed by a re-test.)
Secure by Design: Lifecycle considerations
How to design for long lifetime?
Impact on architecture selection?
What to do in SW/HW?
Example: HW solutions “below” the Operating System:
+ Allows updating of all SW
– Is the HW solution itself secure in the future?
Security training for developers? For HW developers?
Improve testing methods:
Correct & robust implementation of security functions (SW/HW)
Do other functions add vulnerabilities?
(Figure: Product Lifecycle: Design, Implementation, Verification, Release, Support; TD = 0,5-2 years, TL = 5-20 years)
Secure by Default: Defense in Depth for Process control systems
Defense in Depth: The coordinated use of multiple security measures, addressing people, technology and operations.
The 7 Foundational Requirements (FRx) in IEC 62443:
Who should use the system for what:
FR1: User (human, device, SW) authentication; account management
FR2: Authorization enforcement; security event logging
Protect:
FR3: Data/SW integrity; against malicious code
FR4: Confidentiality
FR5: Data flows by network segmentation
Detect problems:
FR6: Continuous monitoring, log availability
Manage system resource availability:
FR7: Denial of service protection; backup functions
Defense in Depth, examples: Security functions for Networks and Hosts
Windows Firewall in servers and workstations
Secure communication (IPSec, TLS, HTTPS)
Network redundancy based on dual separated networks (separated networks enable fault isolation)
Network filter in controllers and communication modules: blocks unsupported traffic; network storm protection
(Figure: IPSec protection of the Client Server Network)
Defense in Depth for Long Lifecycles: What features/solutions should be there?
Solutions to support long lifecycles:
Whitelisting: Block the unknown (FR3): firmware, applications, communication
Monitoring (FR6): current status, evolving threats
Maintenance (FR7)
Upgrading (FR7)
…
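The “block the unknown” idea on this slide, together with the network filter on the previous slide (block unsupported traffic, storm protection), as an added Python illustration. This is not ABB code and not part of the original deck: the approved image, the (protocol, port) allowlist, the per-source rate cap and the traffic are constructed sample data, and the port numbers are only examples of services a controller might be specified to speak.

```python
"""Default-deny ("block the unknown") checks for an embedded controller.

Added illustration, not ABB code. All images, allowlists and traffic below
are constructed sample data; the thresholds are hypothetical.
"""
import hashlib
from collections import Counter

# --- FR3: firmware/application whitelisting -------------------------------
# Constructed "known good" image. A real list would come from the vendor's
# signed release manifest, not be computed in place like this.
GOOD_IMAGE = b"CTRL-FW v1.0 (constructed sample image)"
TAMPERED_IMAGE = b"CTRL-FW v1.0 (constructed sample image) + unexpected bytes"

APPROVED_IMAGES = {
    "ctrl-fw-1.0.bin": hashlib.sha256(GOOD_IMAGE).hexdigest(),
}


def image_allowed(name, data):
    """Allow an image only if its name is listed and its SHA-256 matches."""
    expected = APPROVED_IMAGES.get(name)
    if expected is None:
        return False  # unknown image: block by default
    return hashlib.sha256(data).hexdigest() == expected


# --- Network filter: block unsupported traffic -----------------------------
# Example allowlist of (protocol, destination port) the device supports:
# Modbus/TCP, EtherNet/IP implicit I/O and HTTPS management (hypothetical).
ALLOWED_FLOWS = {("tcp", 502), ("udp", 2222), ("tcp", 443)}


def flow_allowed(proto, dport):
    """A flow passes only if it is explicitly on the allowlist."""
    return (proto.lower(), dport) in ALLOWED_FLOWS


# --- Network storm protection ---------------------------------------------
STORM_THRESHOLD = 5  # packets per source per window (hypothetical value)


def apply_filters(packets, window_s=1.0):
    """Apply the allowlist, then a per-source rate cap per time window.

    packets: iterable of (timestamp, src_ip, proto, dport) tuples.
    Returns (passed, dropped); each dropped entry carries a reason string.
    """
    passed, dropped = [], []
    counts = Counter()  # (window index, src) -> packets seen so far
    for ts, src, proto, dport in packets:
        if not flow_allowed(proto, dport):
            dropped.append(((ts, src, proto, dport), "unsupported protocol/port"))
            continue
        key = (int(ts // window_s), src)
        counts[key] += 1
        if counts[key] > STORM_THRESHOLD:
            dropped.append(((ts, src, proto, dport), "storm: rate cap exceeded"))
            continue
        passed.append((ts, src, proto, dport))
    return passed, dropped


# Constructed sample traffic: one legitimate poll, one unsupported service
# (telnet), and a burst of 8 packets from one source inside one window.
SAMPLE_TRAFFIC = (
    [(0.10, "10.0.0.5", "tcp", 502)]
    + [(0.20, "10.0.0.9", "tcp", 23)]
    + [(0.30 + i * 0.01, "10.0.0.7", "udp", 2222) for i in range(8)]
)


def summarize(packets=SAMPLE_TRAFFIC):
    """Count passed packets and dropped packets per reason."""
    passed, dropped = apply_filters(packets)
    reasons = Counter(reason for _, reason in dropped)
    return {"passed": len(passed), "dropped": dict(reasons)}


if __name__ == "__main__":
    print(summarize())
    print("good image:", image_allowed("ctrl-fw-1.0.bin", GOOD_IMAGE))
    print("tampered image:", image_allowed("ctrl-fw-1.0.bin", TAMPERED_IMAGE))
    print("unknown image:", image_allowed("other.bin", GOOD_IMAGE))
```

Both filters share the same design choice the slide calls for: nothing passes unless it is explicitly listed, so a new protocol or an unlisted image is blocked without any signature of the threat being known. The storm cap only applies to already-allowed flows, so a flood of unsupported traffic is dropped by the first rule and never consumes the rate budget.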
Secure in Deployment: Support for Secure Project and Plant Lifecycle
Secure in Deployment, example: The Security Update Service
ABB verifies 3rd party SW security updates and anti-virus SW with updates; the ABB server is updated with the verified files.
The ABB server synchronizes with the Plant Security Server (ABB-WSUS/EPO).
The Plant Security Server distributes the updates to the connected Control Systems (DCS) through the WSUS (1), ePO (2) and SEP (3) servers.
(Figure labels: Remote Access Platform; APPROVED)
1 Windows Security Update Service
2 McAfee ePolicy Orchestrator
3 Symantec Endpoint Protection
Secure in Deployment, example: The Cyber Security Fingerprint service
Process: Interview, Data collection, Analysis
Cyber security status: strengths and weaknesses
Recommendations: how to maintain & improve
Standard: manual service
“Monitoring”: automatic KPI tracking
(Figure: Security in Depth – 7 Layers of defense; Cyber Security Risk Profile)
Security considerations for the Plant Lifecycle: How to keep the plant secure for many years?
Is up to date = secure, or is fixed functionality = secure?
When to install updates? At stops? Are there stops? During operation?
Who should deploy updates? Owner? Vendor? 3rd party service provider? All or some of the above?
Implications? Key management?
(Figure: Plant Lifecycle: Operation, Maintenance, Review, Upgrade; T = 5-20 years)
Cyber Security for a Control System: Depends on the vendor and the owner