Roadmaps to Securing Industrial Control Systems, Chemical Industry Forum 2 INCH. Terry J. Deo, Infineum USA, L.P. OpsManage’11, November 10, 2011.


Presentation Transcript


  1. Roadmaps to Securing Industrial Control Systems, Chemical Industry Forum 2 INCH. Terry J. Deo, Infineum USA, L.P. OpsManage’11, November 10, 2011

  2. What is an ICS Security Roadmap? A structured set of priorities, milestones and goals that address security requirements specific to Industrial Control Systems (ICS) over a 10-year timeframe.

  3. Published Roadmaps: Energy Sector (revised Sep-11). “The 2011 Roadmap takes the necessary steps to strengthen the security and reliability of our country’s electric grid, in a climate of increasingly sophisticated cyber incidents.” “This update marks a continued effort by public and private energy sector stakeholders to reduce cyber vulnerabilities that could disrupt the nation's ability to deliver power and energy.”

  4. Published Roadmaps (continued)
     - Water Sector
     - Chemical Sector
     - Dams
     - In draft/approval: Nuclear
     - Cross-Sector (recognizing and mapping commonality between the sector documents), by ICSJWG

  5. Roadmap Strategies
     - Build a Culture of Security
     - Assess, Monitor and Mitigate Risk
     - Develop and Implement New Protective Measures to Reduce Risk
     - Manage Incidents
     - Sustain Security Improvements
     …for: Asset Owner/Operators; Vendors/Solution Providers; Research/Academia; Government; Regulators/Standards Organizations

  6. Common Goals Across Roadmaps
     - Measure and Assess Security Posture
     - Assess Risk
     - Develop and Integrate Protective Measures
     - Develop and Deploy ICS Security Programs
     - Detect Intrusion and Implement Response Strategies
     - Develop and Implement Risk Mitigation Measures
     - Sustain Security Improvements
     - Partnership and Outreach
     - Secure-by-Design

  7. Why do we Care?
     - ICS are increasingly interconnected to other plant and business systems
     - ICS vendors continue to rapidly incorporate standard Information Technology into their products
     - These trends expose the ICS to modern malware threats
     Potential consequences of an ICS cyber incident include:
     - Reduction or loss of production at one site or at multiple sites simultaneously
     - Injury or death of employees
     - Injury or death of persons in the community
     - Damage to equipment
     - Release, diversion, or theft of hazardous materials
     - Impact to the company’s reputation in the community

  8. The Risk is Real!!
     - Federal agencies reported 30,000 incidents to US-CERT during fiscal year 2009 [GAO report 6/16/2010], a >400% increase over what was reported in 2006
     - 2010 CIP Survey conducted by Symantec: 60% of cyber attacks were “somewhat” to “extremely” effective; the average cost of an attack was estimated at $850,000
     - Significant increase in Advanced Persistent Threat (APT) activity
     - Stuxnet signaled a paradigm shift in ICS cyber threats: it demonstrated that ICS are susceptible to increasingly sophisticated cyber-attacks

  9. Chemical Sector Roadmap: the “voice” of the sector on improvements to control systems security. Published September 2009, following sign-off by the Chemical Sector Coordinating Council. A structured set of priorities spanning a 10-year timeframe, specific to the needs of Industrial Control Systems (ICS) in the Chemical Sector. http://www.us-cert.gov/control_systems/pdf/ChemSec_Roadmap.pdf

  10. Roadmap Vision: “In 10 years, the layers of defense for industrial control systems managing critical applications will be designed, installed and maintained, commensurate with risk, to operate with no loss of critical function during and after a cyber event.”
     Scope:
     - Industrial Control Systems (ICS) in chemical facilities that are part of the critical infrastructure
     - Possible implications for ICS vendors
     - Connections to other systems are included if they impact ICS risk

  11. Chemical Sector Roadmap Implementation Working Group, established December 2010
     - Roadmap Implementation Manager: Catalyst 35, under ACC contract
     - CSCC: American Chemistry Council (ACC); National Petrochemical & Refiners Association (NPRA)
     - DHS: DHS NCSD Control Systems Security Program; DHS Chemical SSA
     - Owners/Operators: AkzoNobel; Dow Chemical; Infineum; DuPont; Eastman Chemical; Western Refining; Exxon Mobil; Air Products; Ashland
     - Vendors: Computer Sciences Corporation (CSC)

  12. Roadmap Implementation in Partnership with DHS
     - DHS SSA is supporting our efforts
     - Utilizing HSIN to share working documents
     - Focusing on milestones identified for the first two years
     - Comprehensive Awareness Package: collected a wealth of resources/reference information, designed to assist owners/operators in addressing ICS security
     - Providing speakers at various conferences across the U.S.
     - Metrics: working on creating Roadmap Metrics
     - Secure Information Sharing: developing a matrix of current forums
     - Website: in design stage

  13. Roadmap Objectives
     - Long term: improved ICS security across the chemical sector
     - Immediate: build awareness across the chemical sector and the ICS vendor community of the resources available to assist the sector in realizing its long-term objective

  14. Awareness Campaign Focus Areas
     - Developing a Business Case for investing in ICS security
     - Conducting an ICS Security Assessment
     - Training for employees who work in the ICS environment
     - Implementing existing standards
     - Complying with existing CFATS Regulations
     - Leveraging Best Practices (wherever possible, not Chemical-sector specific)

  15. Developing a Business Case
     - The protection of ICS from cyber security threats requires resources and personnel to plan, develop and implement the needed security measures
     - Companies must develop a business case for investing in ICS security
     - A business rationale for justifying this investment is currently under development, authored by the Industrial Control Systems Joint Working Group; the goal is to provide guidance for developing a business case (icsjwg@dhs.gov)

  16. Awareness Materials
     - Case for Action
     - Cyber Security Evaluation Tool (CSET)
     - Cyber Security TTX
     - Procurement language
     - ICS Security Training Resource
     - ICS-CERT & Cyber Incident Response
     - Industry standards and additional relevant guidance

  17. A Case for Action: The chemical industry dedicates immense time and resources toward ensuring the safety of its personnel, customers, and surrounding community; but in today’s environment of growing cyber threats, a chemical plant is not safe unless its control systems are secure. One of the trends emerging in the current environment of cost efficiencies is the move from delivery of ICS on “proprietary” system platforms to “open” system platforms. These open platforms carry a greater level of cyber risk because the cyber threats against them are growing rapidly.

  18. CSET - Cyber Security Evaluation Tool
     - Available from the Department of Homeland Security
     - Assists organizations in protecting their key national cyber assets
     - Developed under the direction of the DHS National Cyber Security Division (NCSD), by cyber security experts and with assistance from the National Institute of Standards and Technology
     - Provides a systematic and repeatable approach for assessing the security posture of cyber systems and networks
     - Includes both high-level and detailed questions related to all industrial control and IT systems

  19. Procurement Language: the Department of Homeland Security’s Cyber Security Procurement Language for Control Systems provides sample recommended language for control systems security requirements, including:
     - New SCADA/control systems
     - Upgrading legacy systems
     - Maintenance contracts
     - Information and personnel security

  20. ICS Training Resources, Chemical Sector
     - Compiled by the Roadmap Implementation Working Group
     - Designed for owner/operators in the process control and automation industries
     - Lists selected and representative security trainings… but not a comprehensive list
     - Organized by level of difficulty (intro, intermediate, advanced)
     - Includes links to relevant websites, for ease of training access

  21. Who can Benefit from this training?
     - ICS Operations: routinely interact with the ICS environment
     - Security Managers: have primary responsibility for securing ICS
     - Engineers: responsible for design and configuration of ICS functionality
     - IT Personnel: have responsibility for operation & support of the IT infrastructure supporting the ICS

  22. Leveraging Existing Standards
     - ANSI/ISA99 / IEC 62443, Industrial Automation and Control Systems Security: a series of 11 standards & technical reports addressing all aspects of ICS security; 3 work products have been published and several others are available in draft form for review & comment
     - ISO/IEC 15408-1:2009: establishes general concepts and principles of IT security evaluation, specifies the general model of evaluation given by its various parts, and is intended to be used as the basis for evaluation of the security properties of IT products

  23. Additional Guidance
     - ACC Guidance for Addressing Cyber Security in the Chemical Sector
     - DHS Catalog of Control Systems Security: Recommendations for Standards Developers
     - NIST Special Publication (SP) 800-82, Guide to ICS Security, final public draft, Sept 29, 2008
     - NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009
     - NERC Critical Infrastructure Protection, CIP-002 through CIP-009

  24. What Can You Do?
     - Pick up a DVD & Case for Action to take with you
     - Review the information shared today
     - Bring this issue to the attention of your engineering & manufacturing management
     - Ask key questions about how your company is addressing ICS security
     And as you begin…

  25. Tips for Getting Started
     - Ensure one person takes ownership of ICS security and is accountable.
     - Open the lines of communication between engineering, security, IT, process safety and manufacturing operations within your own company.
     - Conduct an audit of current ICS security measures and implement obvious fixes.
     - Follow up with an ICS security vulnerability analysis (risk assessment).

  26. Tips for Getting Started (continued)
     - Implement an ICS security management program that is integrated with existing company management systems for security, safety, quality, etc.
     - Keep in touch by emailing chemicalsector@dhs.gov for additional information.
     - Become an advocate in your company on this important issue!

  27. Questions…
