Roadmaps to Securing Industrial Control Systems Chemical Industry Forum 2 INCH. Terry J. Deo, Infineum USA, L.P. OpsManage’11 November 10, 2011. What is an ICS Security Roadmap?


Roadmaps to Securing Industrial Control Systems Chemical Industry Forum 2 INCH

Terry J. Deo, Infineum USA, L.P.

OpsManage’11 November 10, 2011

What is an ICS Security Roadmap?

A structured set of priorities, milestones and goals which address security requirements specific to Industrial Control Systems (ICS), over a 10-year timeframe

Published Roadmaps

Energy Sector (revised Sep-11)

“The 2011 Roadmap takes the necessary steps to strengthen the security and reliability of our country’s electric grid, in a climate of increasingly sophisticated cyber incidents.”

“This update marks a continued effort by public and private energy sector stakeholders to reduce cyber vulnerabilities that could disrupt the nation's ability to deliver power and energy.”

Published Roadmaps

Water Sector

Chemical Sector

Dams

Draft/Approval:

Nuclear

Cross-Sector (recognizing and mapping commonality between sector documents) by ICSJWG

Roadmap Strategies

Build a Culture of Security

Assess, Monitor and Mitigate Risk

Develop and Implement New Protective Measures to Reduce Risk

Manage Incidents

Sustain Security Improvements

for…

Asset Owner/Operators

Vendors/Solution Providers

Research/Academia

Government

Regulators/Standards Organizations

Common Goals Across Roadmaps

Measure and Assess Security Posture

Assess Risk

Develop and Integrate Protective Measures

Develop and Deploy ICS Security Programs

Detect Intrusion and Implement Response Strategies

Develop and Implement Risk Mitigation Measures

Sustain Security Improvements

Partnership and Outreach

Secure-by-Design

Why do we Care?

ICS are increasingly interconnected to other plant and business systems

ICS vendors continue to rapidly incorporate standard Information Technology into their products

These trends expose the ICS to modern malware threats

Potential consequences of an ICS cyber incident can include:

Reduction or loss of production at one site or multiple sites simultaneously;

Injury or death of employees;

Injury or death of persons in the community;

Damage to equipment;

Release, diversion, or theft of hazardous materials; and

Impact to company’s reputation in the community.

The Risk is Real!!

Federal agencies reported 30,000 incidents to US-CERT during fiscal year 2009 [GAO report 6/16/2010]

>400% increase over what was reported in 2006

2010 CIP Survey conducted by Symantec

60% of cyber attacks were “somewhat” to “extremely” effective

Average cost of an attack was estimated at $850,000

Significant increase in Advanced Persistent Threat (APT)

Stuxnet signaled a paradigm shift in ICS cyber threats

Demonstrated that ICS are susceptible to increasingly sophisticated cyber-attacks

Chemical Sector Roadmap

The “voice” of the sector on improvements to control systems security

Published September 2009

Following sign off by the Chemical Sector Coordinating Council

A structured set of priorities spanning a 10-year timeframe specific to needs of Industrial Control Systems (ICS) in the Chemical Sector

http://www.us-cert.gov/control_systems/pdf/ChemSec_Roadmap.pdf


Roadmap Vision

“In 10 years, the layers of defense for industrial control systems managing critical applications will be designed, installed and maintained, commensurate with risk, to operate with no loss of critical function during and after a cyber event.”

Scope

Industrial Control Systems (ICS) in chemical facilities that are part of the critical infrastructure

Possible implications for ICS vendors

Connection to other systems included if they impact ICS risk

Chemical Sector Roadmap Implementation Working Group established December 2010

Roadmap Implementation Manager

  • Catalyst 35, under ACC contract

CSCC

  • American Chemistry Council (ACC)
  • National Petrochemical & Refiners Association (NPRA)

DHS

  • DHS NCSD Control Systems Security Program
  • DHS Chemical SSA

Owners/Operators

  • AkzoNobel
  • Dow Chemical
  • Infineum
  • DuPont
  • Eastman Chemical
  • Western Refining
  • Exxon Mobil
  • Air Products
  • Ashland
  • Air Products

Vendors

  • Computer Sciences Corporation (CSC)
Roadmap Implementation In Partnership with DHS

DHS SSA is supporting our efforts

Utilizing HSIN to share working documents

Focusing on milestones identified for the first two years

Comprehensive Awareness Package

Collected a wealth of resources/reference information

Designed to assist owners/operators in addressing ICS security

Providing speakers at various conferences across the U.S.

Metrics: Working on creating Roadmap Metrics

Secure Information Sharing: Developing a matrix of current forums

Website: In design stage


Roadmap Objectives

Long Term

Improved ICS security across the chemical sector

Immediate

Build awareness across the chemical sector and ICS vendor community of the resources available to assist the sector in realizing its long term objective.

Awareness Campaign Focus Areas

Developing a Business Case for investing in ICS security

Conducting an ICS Security Assessment

Training for employees who work in the ICS environment

Implementing existing standards

Complying with existing CFATS Regulations

Leveraging Best Practices

Wherever possible, not Chem. sector specific

Developing a Business Case

The protection of ICS from cyber security threats requires resources and personnel to plan, develop and implement needed security measures

Companies must develop a business case for investing in ICS security

A business rationale for justifying this investment is currently under development

Authored by the Industrial Control Systems Joint Working Group

Goal is to provide guidance for Developing a Business Case

icsjwg@dhs.gov

Awareness Materials

Case for Action

Cyber Security Evaluation Tool (CSET)

Cyber Security TTX

Procurement language

ICS Security Training Resource

ICS-CERT & Cyber Incident Response

Industry standards and additional relevant guidance

A Case for Action

The chemical industry dedicates immense time and resources toward ensuring the safety of its personnel, customers, and surrounding community; but in today’s environment of growing cyber threats, a Chemical plant is not safe unless its control systems are secure.

One of the trends emerging in the current environment of cost efficiencies is the move from delivery of ICS on “proprietary” system platforms to “open” system platforms. These open platforms carry a greater level of cyber risk due to the rapid growth of cyber threats against them.

CSET - Cyber Security Evaluation Tool

Available from the Department of Homeland Security

Assists organizations in protecting their key national cyber assets.

Developed under the direction of the DHS National Cyber Security Division (NCSD)

Developed by cyber security experts and with assistance from the National Institute of Standards and Technology.

This tool provides a systematic and repeatable approach for assessing the security posture of cyber systems and networks.

Includes both high-level and detailed questions related to all industrial control and IT systems.

Procurement Language

Department of Homeland Security: Cyber Security Procurement Language for Control Systems provides sample recommended language for control systems security requirements, including:

New SCADA/control systems

Upgrading Legacy systems

Maintenance contracts

Information and personnel security

ICS Training Resources Chemical Sector

Compiled by the Roadmap Implementation Working Group

Designed for owner/operators in the process control and automation industries.

Lists selected and representative security trainings… but not a comprehensive list

Organized by levels of difficulty (intro, intermediate, advanced)

Includes links to relevant websites, for ease of training access

Who can Benefit from this training?

ICS Operations

Routinely interact with the ICS environment

Security Managers

Have primary responsibility for securing ICS

Engineers

Responsible for design and configuration of ICS functionality

IT Personnel

Have responsibility for operation & support of IT infrastructure supporting the ICS

Leveraging Existing Standards

ANSI/ISA99/IEC 62443, Industrial Automation and Control Systems Security

A series of 11 standards & technical reports

Address all aspects of ICS security

3 work products have been published

Several others are available in draft form for review & comment

ISO/IEC 15408-1:2009

Establishes general concepts and principles of IT security evaluation

Specifies the general model of evaluation given by its various parts

Is intended to be used as the basis for evaluation of security properties of IT products

Additional Guidance

ACC Guidance for Addressing Cyber Security in the Chemical Sector

DHS Catalog of Control Systems Security: Recommendations for Standards Developers

NIST Special Publication (SP) 800-82, Guide to ICS Security, final public draft Sept 29, 2008

NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009

NERC Critical Infrastructure Protection – 002-009

What Can You Do?

Pick up a DVD & Case for Action to take with you

Review the information shared today

Bring this issue to the attention of your engineering & manufacturing management

Ask key questions about how your company is addressing ICS security

And as you begin…


Tips for Getting Started

Ensure one person takes ownership of ICS security and is accountable.

Open the lines of communication between engineering, security, IT, process safety and manufacturing operations within your own company.

Conduct an audit of current ICS security measures and implement obvious fixes.

Follow-up with an ICS security vulnerability analysis (risk assessment).

Tips for Getting Started

Implement an ICS security management program that is integrated with existing company management systems for security, safety, quality, etc.

Keep in touch by emailing chemicalsector@dhs.gov for additional information.

Become an advocate in your company on this important issue!