Professional Documents
Culture Documents
ISA99/IEC 62443: A Solution To Cyber-Security Issues?: District 12 & Qatar Section
ISA99/IEC 62443: A Solution To Cyber-Security Issues?: District 12 & Qatar Section
Publishing
• Cyber-security
y y of control systems
y relates to the p
prevention of
risks associated with intrusions into systems linked to
malicious actions, through computer equipment and
communication networks
networks.
• The effect of intrusions may include:
– Loss of system availability and of production capacity
– Inferior product quality
– Publication of sensitive information to unthorized destinations
– E i
Equipment td
damage
– Personal injury
– Risk to public health and confidence
– Violation of legal and regulatory requirements
– Compromised image, etc.
2
Cyber-security
Cyber security risks are a reality
#
Cyber-security is not a paranoïa !
• Water industry
– Maroochy Shire (Australia) sewage spill (disgruntled employee) – 2002
– Water filtering plant near Harrisburg (USA) - 2006
– South Houston water utility (proof of concept) - 2011 ,etc.
• Oil Industry
– CIA Trojan causes Siberian gas pipeline explosion (1982)
– Electronic Sabotage of Venezuela Oil Operations (2009)
– Slammer impacts offshore platforms (2009)
– Night Dragon attack against 12 gas-oil
gas oil and chemical companies - Steal
of sensitive information (2009-2011), etc.
• Power industry
– Davis-Besse nuclear power plant (Ohio – USA) - 2003
– Brown Ferry nuclear power plant (Alabama-USA) – 2006
• Electrical networks, chemical industries etc.
SCADA and ICS are now targets
4
Number of reported incidents is increasing
5
US CERT : a reliable source of information
6
Attacks are getting more sophisticated
7
Stuxnet (1)
• July
July, 2010: Stuxnet worm discovered
• Attacked Siemens PCS7, S7 PLC and
WIN-CC systems
• Infected 100,000 computers
• Infected at least 22 manufacturing
sites
• Main target, Iran’s nuclear enrichment
program
• May have destroyed up to 1000
centrifuges
g ((10 ppercent)) sometime
between November 2009 and late
January 2010
8
The Stuxnet process
• Aramco
A (August
(A t 2012)
– most destructive attack the business
sector has seen to date
– 30,000 computers running on
Windows NT infected at Aramco
– replaced
p crucial system
y files with p
part
of an image of a burning U.S. flag
– Messaging services severely
disturbed for several weeks
– Production officially not directly
affected
– Rasgas (Qatar) hit by an apparently
similar virus
11
The number of US-CERT alerts is increasing
12
Why are IACS* vulnerable ?
13
The myth of « air gap » is dead
14
Three main reasons
• Interconnection of networks
– Integration between control networks and enterprise networks
– Remote connections (debugging, maintenance, etc.)
– « Sneakernets » : USB drives
drives, CD Roms,
Roms Laptops,
Laptops Smart phones
• Use of Commercial off-the-shelf components (COTS)
– Unsecured protocols
p
– Commercial operating systems (operator stations, engineer stations)
– Applications not regularly patched
• Lack
L k off security
it policies
li i and
d procedures
d
– Coexistence of two cultures : IT and IC
– Lack of p
procedures ((wordpasses
p & antivirus management,
g etc.))
– Lack of procedures (access control, patch management, visitors,
subcontractors, etc.)
– Lack of awareness,
awareness training,
training motivation
motivation…
15
Open systems mean more entry points
Internet
Réseau d’entreprise
Router
CAO - Ingénierie
Supervision
Control network
Modem
PLCs
Maintenance
laptop
16
New remote clients
17
How to p
protect IACS? The
IEC 62443 (ISA-99) approach
#
Limits of a conventional IT approach
o Confidentiality first
o large servers to be protected
– IC Availability Confidentiality
o Availability and Integrity first Integrity
Priority
y
o Numerous critical points to
Integrity
protect
Confidentiality Availability
19
The firewall illusion
Internet
Enterprise network
Router
CAO – Engineering station
Supervision
Control network
Modem
M Titanic
Maginot
Tit
i tiline
li syndrom
syndrom
d d
20
IEC 62443 approach
21
CEI 62443 – State of completion
IEC 62443-1-1
62443 1 1 (Ed 2)
Genera
IEC/TR 62443-3-1
Security technologies Security assurance levels for System security requirements
for IACS zones and conduits and security assurance levels
22
General philosophy (1)
Risks generatted by the activity
Accepteble risk level
SIL level: 1 to 4
Safety Instrumented Basic process
systems Control system
Control system
Activity generates risks
R
Risk range
23
General philosophy (2)
25
Key principle : Defense in depth
26
Defense in depth implementation : Security
zones
• Defense in depth
p implementation
p leads to divide the system
y
into security zones, according to their functionality/criticality
and to their physical location
• Security
S it zones : groupingi off logical
l i l or physical
h i l assets t
that share common security requirements
27
Connecting the zones : conduits
28
Basic example : a chlorine truck
loading station
Loading station
Switch
Motors, VSD, pumps
Controller
PWR
OK
RUN
A12 3 4 5 6 78 A 12 3 4 56 7 8 A12 3 4 5 67 8 A1 2 3 45 6 78 A 12 3 45 6 7 8 A 12 3 4 56 7 8 A1 2 34 5 6 78 A 12 3 45 6 7 8 A 12 3 45 6 7 8
GE Fanuc BATT
SERIES90-30 CPU F F F F F F F F F
B12 3 4 5 6 78 B 12 3 4 56 7 8 B12 3 4 5 67 8 B1 2 3 45 6 78 B 12 3 45 6 7 8 B 12 3 4 56 7 8 B1 2 34 5 6 78 B 12 3 45 6 7 8 B 12 3 45 6 7 8
PROGRAMMABLE
CONTROLLER
100-240
VAC 40A
50/60HZ
B
A
T
T
E
R
Y
+
24VDC
OUTPUT
-
Supervisory
station
S itch
Switch
Routeur and Internet
firewall
Local control
station
29
Functional architecture
30
Décomposition en zones et conduits
31
Establishing an IACS security program
32
The main steps
Security
Level
assess-
assess
ment
Security Counter-
Implemen levels measure
tation - assess- s
Training ment definition
33
Risk analysis
34
Security Assurance Levels
36
Counter-measures
– Rights management
– Patch management (system & applications)
ecurity ma
Station Internet
Laptop de travail Mainframe Serveur Serveur
Réseau d’entreprise
Usine
Firewall
Laptop Poste de Poste
contrôle ingénierie Réseau d’usine
Réseau externe
. . . . Serveur . .
Serveur Serveur Serveur de Serveur Serveur Serveur de Serveur Serveur de
d’applications de données d’applications de données maintenance d’
d’applications
li ti de données i t
maintenance
maintenance
38
Architecture segmentation (2)
– Based on programmation of
switchs/firewalls
Serveur archives Serveur. Serveur
impression d’applications de données
. .
Serveur Serveur Serveur de
d’applications
d applications de données maintenance
Contrôleur Contrôleur
I/O I/O
39
Demilitarized zones
• Perimeter
P i t networkt k segmentt
that is logically between
internal and external networks
• A demilitarized zone aims to
enforce the control network’s
policy for external information
exchange and to provide
external, untrusted sources
with restricted access to
releasable information while
shielding the control network
from outside attacks
40
Protection of security zones by firewalls
41
Specifying
p y g the zones
42
Defining the conduits
43
Protecting the conduits and the zones with
firewalls
Firewalls have
to be specified
and progammed
carefully !
Corporate
p
Firewall
Industrial
Firewall
44
Limiting
g and monitoring
g remote accesses
#
Activating securities on wireless
comm nications
communications
46
Security Policy, organization and awareness
are as important
i t t as technical
t h i l measures
47
Security
yppolicy
y and p
procedures ((1))
• As important
p as technical measures
• Less investment intensive but more volatile
• A cyber-security management system requires :
– Top management support
– Setting up a team of stakeholders
– Gathering the various cultures : information systems
systems, automation
– Sharing experiences and good practices
– Defining indicators for measuring progress and results
• Develop security procedures
– Screen personnel initially and on an ongoing basis(insider risk)
– Protect sensitive assets
– Physical protection
– Logical protection (identification, authentication, authorization, registration )
48
Security policy and procedures (2)
• Develop
p securityy p
procedures ((Cont.))
– Establish procedures for using certain devices
– CD Roms, USB drives, laptops et PCs, remote connections
– Carefully manage
– Firewalls, antivirus, passwords
• Awareness and training
– All the personnel has to be educated, at the right level, based on well
prepared tutorials
• Respond appropriately to any incident
– Organize safeguards and back-ups
– Establish a reporting procedure for unusual events
– Identify priority sectors to be preserve
– Establish recovery plans
49
After the counter-measures…
#
Why to invest in cyber-security ?
51
THANKS FOR YOUR
ATTENTION
Jean-Pierre
Jean Pierre HAUET
jean-pierre.hauet@kbintelligence.com
www hauet com
www.hauet.com