Loading in 2 Seconds...
Loading in 2 Seconds...
Roadmaps to Securing Industrial Control Systems Chemical Industry Forum 2 INCH. Terry J. Deo, Infineum USA, L.P. OpsManage’11 November 10, 2011. What is an ICS Security Roadmap?.
Terry J. Deo, Infineum USA, L.P.
OpsManage’11 November 10, 2011
A structured set of priorities, milestones and goals which address security requirements specific to Industrial Control Systems (ICS), over a 10 year timeframe
Energy Sector (revised Sep-11)
“The 2011 Roadmap takes the necessary steps to strengthen the security and reliability of our country’s electric grid, in a climate of increasingly sophisticated cyber incidents.”
“This update marks a continued effort by public and private energy sector stakeholders to reduce cyber vulnerabilities that could disrupt the nation's ability to deliver power and energy.”
Cross-Sector (recognizing and mapping commonality between sector documents) by ICSJWG
Build a Culture of Security
Assess, Monitor and Mitigate Risk
Develop and Implement New Protective Measures to Reduce Risk
Sustain Security Improvements
Measure and Assess Security Posture
Develop and Integrate Protective Measures
Develop and Deploy ICS Security Programs
Detect Intrusion and Implement Response Strategies
Develop and Implement Risk Mitigation Measures
Sustain Security Improvements
Partnership and Outreach
ICS are increasingly interconnected to other plant and business systems
ICS vendors continue to rapidly incorporate standard Information Technology into their products
These trends expose the ICS to modern malware threats
Potential consequences of an ICS cyber incident can include:
Reduction or loss of production at one site or multiple sites simultaneously;
Injury or death of employees;
Injury or death of persons in the community;
Damage to equipment;
Release, diversion, or theft of hazardous materials; and
Impact to company’s reputation in the community.
Federal agencies reported 30,000 incidents to US-CERT during fiscal yr 2009 [GAO report 6/16/2010]
>400% increase over what was reported in 2006 2010 CIP Survey conducted by Symantec
60% of cyber attacks were “somewhat” to “extremely” effective
Average cost of an attack was estimated at $850,000
Significant increase in Advanced Persistent Threat (APT)
Stuxnet signaled a paradigm shift in ICS cyber threats
Demonstrated that ICS are susceptible to increasingly sophisticated cyber-attacks
The “voice” of the sector on improvements to control systems security
Published September 2009
Following sign off by the
Chemical Sector Coordinating Council
A structured set of priorities spanning a 10 -year timeframespecific to needs ofIndustrial Control Systems (ICS) in the Chemical Sector
“In 10 years, the layers of defense for industrial control systems managing critical applications will be designed, installed and maintained, commensurate with risk, to operate with no loss of critical function during and after a cyber event.”
Industrial Control Systems (ICS) in chemical facilities that are part of the critical infrastructure
Possible implications for ICS vendors
Connection to other systems included if they impact ICS risk
Roadmap Implementation Manager
DHS SSA is supporting our efforts
Utilizing HSIN to share working documents
Focusing on milestones identified for the first two years
Comprehensive Awareness Package
Collected a wealth of resources/reference information
Designed to assist owners/operators in addressing ICS security
Providing speakers at various conferences across the U.S.
Metrics: Working on creating Roadmap Metrics
Secure Information Sharing: Developing a matrix of current forums
Website: In design stage
Improved ICS security across the chemical sector
Build awareness across the chemical sector and ICS vendor community of the resources available to assist the sector in realizing its long term objective.
Developing a Business Case for investing in ICS security
Conducting an ICS Security Assessment
Training for employees who work in the ICS environment
Implementing existing standards
Complying with existing CFATS Regulations
Leveraging Best Practices
Wherever possible, notChem. sector specific
The protection of ICS from cyber security threats requires resources and personnel to plan, develop and implement needed security measures
Companies must develop a business case for investing in ICS security
A business rationale for justifying this investment is currently under development
Authored by the Industrial Control Systems Joint Working Group
Goal is to provide guidance for Developing a Business Case
Case for Action
Cyber Security Evaluation Tool (CSET)
Cyber Security TTX
ICS Security Training Resource
ICS-CERT & Cyber Incident Response
Industry standards and additional relevant guidance
The chemical industry dedicates immense time and resources toward ensuring the safety of its personnel, customers, and surrounding community; but in today’s environment of growing cyber threats, a Chemical plant is not safe unless its control systems are secure.
One of the trends emerging in the current environment of cost efficiencies, is the move from delivery of ICS on “proprietary” system platforms to “open” system platforms. These open platforms carry a greater level of cyber risk due to the rapid growth of cyber threats against them.
Available from the Department of Homeland Security
Assists organizations in protecting their key national cyber assets.
Developed under the direction of the DHS National Cyber Security Division (NCSD)
Developed by cyber security experts and with assistance from the National Institute of Standards and Technology.
This tool provides a systematic and repeatable approach for assessing the security posture cyber systems and networks.
Includes both high-level and detailed questions related to all industrial control and IT systems.
Department of Homeland Security: Cyber Security Procurement Language for Control Systems provides sample recommended language for control systems security requirements, including:
New SCADA/control systems
Upgrading Legacy systems
Information and personnel security
Compiled by the Roadmap Implementation Working Group
Designed for owner/operators in the process control and automation industries.
Lists selected and representative security trainings… but not a comprehensive list
Organized by levels of difficulty (intro, intermediate, advanced)
Includes links to relevant websites, for ease of training access
Routinely interact with the ICS environment
Have primary responsibility for securing ICS
Responsible for design and configuration of ICS functionality
Have responsibility for operation & support of IT infrastructure supporting the ICS
ANSI/ISA99/IEC 62443, Industrial Automation and Control Systems Security
A series of 11 standards & technical reports
Address all aspects of ICS security
3 work products have been published
Several others are available in draft form for review & comment
Establishes general concepts and principles of IT security evaluation
Specifies the general model of evaluation given by its various parts
Is intended to be used as the basis for evaluation of security properties of IT products
ACC Guidance for Addressing Cyber Security in the Chemical Sector
DHS Catalog of Control Systems Security: Recommendations for Standards Developers
NIST Special Publication (SP) 800-82, Guide to ICS Security, final public draft Sept 29, 2008
NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009
NERC Critical Infrastructure Protection – 002-009
Pick up a DVD & Case for Action to take with you
Review the information shared today
Bring this issue to the attention of your engineering & manufacturing management
Ask key questions about how your company is addressing ICS security
And as you begin…
Ensure one person takes ownership of ICS security and is accountable.
Open the lines of communication between engineering, security, IT, process safety and manufacturing operations within your own company.
Conduct an audit of current ICS security measures and implement obvious fixes.
Follow-up with an ICS security vulnerability analysis (risk assessment).
Implement an ICS security management program that is integrated with existing company management systems for security, safety, quality, etc.
Keep in touch by emailing firstname.lastname@example.org for additional information.
Become an advocate in your company on this important issue!