1 / 14

Information Security in Industrial Automation Systems

oshin
Download Presentation

Information Security in Industrial Automation Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. 1 Information Security in Industrial Automation Systems Rick Morse Manufacturing and Control Systems Security Panel ISA October 2002

    2. 2 Security Topics The way it was Trends The way it is today The way it can be Recommendations Basic format for the presentation is to first look back at where we have been. Look at today’s typical situation and then look out and offer some recommendations. Basic format for the presentation is to first look back at where we have been. Look at today’s typical situation and then look out and offer some recommendations.

    3. 3 Security “Security is an ongoing process, not simply a technology solution. While security utilizes technologies to support a company’s level of risk mitigation, the key to managing risk (providing security) is the planning, implementation and interdependencies of process, policies, procedures and people in combination with the selection of appropriate security best-of-breed technology products and/or services.” Security is NOT TECHNOLOGY, it is a process, policies, procedures, people and planning. Think of it as the 5Ps of security. Security is NOT TECHNOLOGY, it is a process, policies, procedures, people and planning. Think of it as the 5Ps of security.

    4. 4 Yes life was more secure and simpler in the good old days. But from internal threats the environment was not a lot different than today..Yes life was more secure and simpler in the good old days. But from internal threats the environment was not a lot different than today..

    5. 5 Fortress Theory Current security systems are built on a tried and true model. Put what you think is valuable behind the fortress wall (we call it a firewall) and then lock the doors. Only let people in who you know and trust, and make sure you write down who comes and goes……There are a lot of buzzwords around security and security systems but the model is simple. Current security systems are built on a tried and true model. Put what you think is valuable behind the fortress wall (we call it a firewall) and then lock the doors. Only let people in who you know and trust, and make sure you write down who comes and goes……There are a lot of buzzwords around security and security systems but the model is simple.

    6. 6 Trends Demands on access to information increase Ethernet grows on factory floor Commercial Wireless technologies emerge on the Factory floor IT spending continues to increase Collaboration is on the rise E-commerce grows Driving factory systems development has been the customer demand for Interoperable open systems. Recognizing the customer demand control manufacturers have embraced open systems, (some more than others) and collaboration and sharing of technology was the norm for most of the 90’s . RA opened up our networks by joining ODVA, ControlNet Vendors assn, and by participating on most of the open systems industry committees. Driving factory systems development has been the customer demand for Interoperable open systems. Recognizing the customer demand control manufacturers have embraced open systems, (some more than others) and collaboration and sharing of technology was the norm for most of the 90’s . RA opened up our networks by joining ODVA, ControlNet Vendors assn, and by participating on most of the open systems industry committees.

    7. 7 Trends: Information demand is increasing A new trend that is emerging is that the user is becoming the center of “data collection” universe. The user requires immediate access to all forms of data. Wireless technology can help provide the necessary access points into many data collection systems.A new trend that is emerging is that the user is becoming the center of “data collection” universe. The user requires immediate access to all forms of data. Wireless technology can help provide the necessary access points into many data collection systems.

    8. 8 Trends: Risks have increased Information Technology evolution and integration across supply chain and throughout the enterprise has tremendous advantages, but also has increased risk and exposure. During the past several years, process automation systems that support the manufacturing enterprise have evolved from isolated, proprietary networks and operating systems to interconnected systems. These interconnected systems are using open architectures and standard protocols to facilitate interoperability with corporate networks and applications, which is a huge advantage for today’s supply chain solutions. During the past several years, process automation systems that support the manufacturing enterprise have evolved from isolated, proprietary networks and operating systems to interconnected systems. These interconnected systems are using open architectures and standard protocols to facilitate interoperability with corporate networks and applications, which is a huge advantage for today’s supply chain solutions.

    9. 9 1 in 8 Mfg. Interruptions are deliberate Scenario: —An angry technician blocks maintenance access to a controller in another division by changing password —A sales manager from your competitor discovers your bid on a big RFP and substantially underbids you to win the order —A group of teenagers from China try to explore the control system on a utility grid and deface the web site —A disgruntled job-seeker turns into an eco-terrorist and manipulates the city sewage treatment plant using a lap top and a radio to release millions of gallons of untreated sewage into the river.Scenario: —An angry technician blocks maintenance access to a controller in another division by changing password —A sales manager from your competitor discovers your bid on a big RFP and substantially underbids you to win the order —A group of teenagers from China try to explore the control system on a utility grid and deface the web site —A disgruntled job-seeker turns into an eco-terrorist and manipulates the city sewage treatment plant using a lap top and a radio to release millions of gallons of untreated sewage into the river.

    10. 10 Trends: Attack Sophistication vs. Intruder Technical Knowledge

    11. 11 The way it is today Today. Think of what happens when you go to the computer store, pick a new pc and then take it home and plug into your new DSL line…… Then you put in firewall software - because 1000s of probes are hitting your site…. Then you put some virus protection software on the system - to protect from email threats…. Then you decide that the best thing to do is disconnect from the “world” when you’re not using the system. WHY RISK IT….. Is this different in the factory? Today. Think of what happens when you go to the computer store, pick a new pc and then take it home and plug into your new DSL line…… Then you put in firewall software - because 1000s of probes are hitting your site…. Then you put some virus protection software on the system - to protect from email threats…. Then you decide that the best thing to do is disconnect from the “world” when you’re not using the system. WHY RISK IT….. Is this different in the factory?

    12. 12 Typical plant setup incorporating commercially available security technologies Look at today’s picture. Point out handheld devices, Multiple nets, Multple servers….. So how hard is it to protect this environment? We have some solutions - both products and services. Let’s see what we have to help. Look at today’s picture. Point out handheld devices, Multiple nets, Multple servers….. So how hard is it to protect this environment? We have some solutions - both products and services. Let’s see what we have to help.

    13. 13 DuPont started in 2000 to address their internal security issues. They put a full time project team in place to come up with a methodology and policies which raises the security of their global process facilities to the next level. DuPont and Rockwell have a long tradition of a partner relation ship. When Rockwell started the Industrial Network Solution Business in 2001 we decided to license this methodology since it is applicable to any industry and everyone of our customers. Today we offer and deliver this consulting services based on the DNSAM methodology to broad range of customers.DuPont started in 2000 to address their internal security issues. They put a full time project team in place to come up with a methodology and policies which raises the security of their global process facilities to the next level. DuPont and Rockwell have a long tradition of a partner relation ship. When Rockwell started the Industrial Network Solution Business in 2001 we decided to license this methodology since it is applicable to any industry and everyone of our customers. Today we offer and deliver this consulting services based on the DNSAM methodology to broad range of customers.

    14. 14 Additional Information Government Supported Activities NIST Activity Computer Security Resource Center, (http://csrc.nist.gov/) NIST Process Control Security Requirements Forum (http://www.isd.mel.nist.gov/projects/processcontrol/) CERT/CC (computer emergency response team computer center) (http://www.cert.org/) Infraguard (http://www.infragard.net/) Organization & Associations (IT focused) Commonly Accepted Security Practices and Regulations (CASPR) (www.caspr.org) Control Objectives for Information and (Related) Technology (COBIT) (www.isaca.org/cobit.htm Center for Internet Security (http://www.cisecurity.org/) Organization & Associations (Industry focused) NCMS Manufacturing Trust (http://trust.ncms.org/) Center for Chemical Process Safety (http://www.aiche.org/ccps/) American Gas Association - SCADA( http://gtiservices.org/security/index.shtml) Standards & Standards Organizations (IT focused) General information -(http://www.infosyssec.org/infosyssec/secstan1.htm) ISO IT Security Techniques (ISO JTC 1/SC 27, see www.iso.ch) standards such as common criteria, ISO 15408 IEEE (http://ieee-security.org/) Standards & Standards Organizations (Industry focused) ISA (http://www.isa.org/~safety/security.htm) IEC TC 57/ WG 15 (standards for devices in SCADA power applications) Government Activities NIST has general cybersecurity site as well as the process control security requirement forum that is developing protection profiles for process control systems based on the ISO common criteria standards (ISO 15408) Gov’t supported lab - Center for Emergency Response Team located at Software Engineering Institute provides research and awareness on security issues Infra-guard is an information sharing organization started by FBI in Cleveland, Ohio to share information among industry professionals; now has regional centers nationwide (NCMS hosts Infra-guard to address issues that are specific to manfuacturing). IT related organizations - there are several good sources of information listed here, but most of these are focused on IT issues Industry focused associations & organizations - most of the industry focused work related to issues addressed by the Critical Infra-structure programs where interdependencies exist such as power, water treatment, waste water, natural gas, etc, and also chemical and petro-chemical facilities related to potential dangers of release. More recently, interest has gained in foods & pharmaceuticals. Government Activities NIST has general cybersecurity site as well as the process control security requirement forum that is developing protection profiles for process control systems based on the ISO common criteria standards (ISO 15408) Gov’t supported lab - Center for Emergency Response Team located at Software Engineering Institute provides research and awareness on security issues Infra-guard is an information sharing organization started by FBI in Cleveland, Ohio to share information among industry professionals; now has regional centers nationwide (NCMS hosts Infra-guard to address issues that are specific to manfuacturing). IT related organizations - there are several good sources of information listed here, but most of these are focused on IT issues Industry focused associations & organizations - most of the industry focused work related to issues addressed by the Critical Infra-structure programs where interdependencies exist such as power, water treatment, waste water, natural gas, etc, and also chemical and petro-chemical facilities related to potential dangers of release. More recently, interest has gained in foods & pharmaceuticals.

    15. 15 Summary Rockwell Automation is committed to open systems - and to helping customers make their facilities secure. Rockwell Automation offers DNSAM : for protecting automation networks from internal and external intrusion, and RSMACC : Change Management System available today. Rockwell Automation will continue to enhance its security offerings by working closely with its customers, partners and standards organizations.

More Related