DuPont's Practices and Expectations - Tom Good

ISA – The Instrumentation, Systems, and Automation Society. Process Control Network Security Activities in DuPont. ISA 2002 Panel on Control Systems Security. Tom Good, DuPont Engineering, October 21, 2002.


Page 1: DuPont's Practices and Expectations - Tom Good

ISA – The Instrumentation, Systems, and Automation Society

Process Control Network Security Activities in DuPont

ISA 2002 Panel on Control Systems Security

Tom Good, DuPont Engineering

October 21, 2002

Page 2

Topics Covered

• Grounding - Process Control Systems
• PCN Security - History of DuPont activities
• Security policies for process control
• PCN security mitigation program
• Key learnings
• Concern with product direction

Page 3

What is a process control system?

The set of devices that directly control the manufacturing processes. Typically include:

• DCS (Distributed Control Systems) - continuous manufacturing
• PLC (Programmable Logic Controllers) - discrete manufacturing
• SCADA (Supervisory Control and Data Acquisition System)
• Hybrid systems

Within DuPont, also:

• Online analyzers
• Online thickness gauging systems
• Identification and tracking systems
• etc.

Page 4

What is a Process Control Network in DuPont?

Process Control Network (PCN):

• The proprietary network that acts as the communication link between the operator consoles and the control devices such as DCS controllers and PLCs.
• The Ethernet network that links all critical manufacturing computer systems and devices.

Page 5

Architecture of the 80's and early 90's

[Diagram: process controllers and operator consoles connected over a proprietary control network, together with an operator control station and an application server; modems provide external access. The diagram marks parts of the architecture "Secure" and others "Not Secure".]

Page 6

Changing Technology

Evolution of Technology

Operating Systems:     Proprietary  →  Open
Data Communication:    Proprietary  →  Standard Protocols
Information Flow:      Segmented    →  Integrated
Computing Solutions:   Monolithic   →  Modular
Architecture:          Closed       →  Open

Page 7

Architecture of the late 90's and present day

[Diagram: process controllers on a proprietary control network; operator control station PCs, an application server PC and an OPC server (PC) on a process control Ethernet LAN; the process control LAN joined through Ethernet switches and a firewall to the site Ethernet LAN, which carries desktop PCs and an application server; modems provide external access. The diagram marks parts of the architecture "Secure" and others "Not Secure".]

Page 8

[Diagram: the same late-90's architecture as on page 7, extended outward: the site Ethernet LAN connects through a firewall and router to the Internet and through a firewall to the DuPont WAN, with modems at both the process control LAN and the WAN. The diagram marks parts of the architecture "Secure" and others "Not Secure".]

Page 9

Topics Covered

• Grounding - Process Control Systems
• PCN Security - History of DuPont activities
• Security policies for process control
• PCN security mitigation program
• Key learnings
• Concern with product direction

Page 10

History of PCN Security Initiative in DuPont

Ground up activity

Jan 00 - Formed work group to study PCN Security

Nov 00 - Published guidance document

Page 11

DuPont Realization

Lack of cyber security is a threat to our manufacturing assets:

• Threat to safety both on and off-site
• Threat to continuity of production
• Threat to production equipment
• Threat of adverse public opinion - the community can withdraw sanction for the company to operate.

Technology exists to significantly reduce vulnerabilities of our PCNs.

Page 12

History of PCN Security Initiative in DuPont

Jan 00 - Formed work group to study PCN Security

Nov 00 - Published guidance document

Aug 01 - Obtained support from IT Org.

Page 13

History of PCN Security Initiative in DuPont

Jan 00 - Formed work group to study PCN Security
Nov 00 - Published guidance document
Aug 01 - Obtained support from IT Org.
Oct 01 - Mandatory security policy (top-down support from CIO)
Nov 01 - Obtained corporate funds to address PCN security at all locations

Page 14

Topics Covered

• Grounding - Process Control Systems
• PCN Security - History of DuPont activities
• Security policies for process control
• PCN security mitigation program
• Key learnings
• Concern with product direction

Page 15

PCN Security Policy (Highlights)

• All high and medium risk PCNs must be firewalled or disconnected from any external network (LAN, WAN, Internet).
• High risk PCNs secured by 12/31/02.
• Access to the PCN requires two-factor authentication.
• Participate in the corporate firewall program:
  - Standard firewall with standard configuration policy
  - Centralized firewall monitoring
  - Centralized backup for disaster recovery

Page 16

Existing Security Controls

E-Pass = Two Factor Authentication (RSA)

Security Weaknesses

• Over 500 entrances into Intranet perimeter

• Lack workable authentication and authorization mechanism for control room operation at operators consoles

• Weak Windows application authorization

Page 17

New Perimeter Based Security Controls

E-Pass = Two Factor Authentication (RSA)

Security Strengths

Between Intranet and PCN perimeter

• Secure authentication

• Destination authorization

Security Weaknesses

• Lack workable authentication and authorization mechanism for control room operation at operators consoles

• Weak Windows application authorization

Page 18

Topics Covered

• Grounding - Process Control Systems
• PCN Security - History of DuPont activities
• Security policies for process control
• PCN security mitigation program
• Key learnings
• Concern with product direction

Page 19

Security Project Activities

Front-End Loading
• Inventory and characterize each PCN
• Develop PCN network diagram
• Conduct a risk analysis of vulnerabilities

Design
• Consider alternative security measures

Implement
• Adopt appropriate security practices to comply with security policy

Page 20

Characterized PCN in spreadsheet (portion shown)

Header fields: SBU, Business, Site, Operating Unit, Site IT Contact, Phone #, Site Process Control Contact, Phone #, CS Contact, Phone #, Last Updated

PLEASE ANSWER THE FOLLOWING QUESTIONS:
• Are process control systems currently interfaced to site or corporate LANs?
• Are process control systems remotely accessed from outside the process control domain?

IF THE ANSWER TO EITHER OF THE ABOVE QUESTIONS IS YES, PLEASE COMPLETE THE REMAINDER OF THIS FORM.

Process Control Domain fields:
• Total number of IP addressable nodes
• Number of IP addressable nodes to be accessed from outside process control domain
• Number of concurrent users inside process control domain
• Number of concurrent users inside process control domain requiring access to external resources
• Number of total users outside process control domain requiring access to process control resources
• Number of concurrent users outside process control domain requiring access to process control resources
• IP addressing (check all that apply): DHCP / Static
• Control platforms

Page 21

Develop Logical PCN Block Diagram

[Diagram: logical PCN block diagram for "Site xyz". Components shown: a Honeywell TDC3000 system with Honeywell LCN and UCN networks joined by NIMs, a redundant Advanced Process Manager and a redundant High Performance Process Manager, Honeywell Universal Station #1 and Universal Stations 2-3, and a Honeywell GUS (Win2K Prof.); a Plant Ethernet LAN carrying user site workstations (Win2K Professional and Win95/98) and a FHRS1 resource domain controller (WinNT Server); a Cisco router connecting the plant LAN to the DuPont Intranet Ethernet WAN.]

Page 22

Risk Assessment

Probability               Criticality
A = Very likely           1 = Severe impact
B = Likely                2 = Major impact
C = Not likely            3 = Minor impact
D = Remote chance         4 = No impact

Network Segment                       Threat Probability
Internet, Wireless, Direct Dial-in    A = Very likely
Intranet, Secure Dial-in              B = Likely
Integrated PCN                        C = Not likely
Isolated PCN                          D = Remote chance

Impact Category             1 = Severe impact                  2 = Major impact                 3 = Minor impact                     4 = No impact
Injury                      Loss of life or limb               Requiring hospitalization        Cuts, bruises, requiring first aid   None
Financial loss              Millions                           $100,000s                        $1000s                               None
Environmental release       Permanent damage / Off-site damage Lasting damage / On-site damage  Temporary damage / Local damage      None
Interruption of production  Weeks                              Days                             Hours                                None
Public image                Permanent damage                   Lasting blemish                  Temporary tarnish                    None

Key Learning - Involve all stakeholders to build consensus on vulnerability.

Page 23

Identified Assets

Data Assets

The threat is the theft, corruption, or falsification of the following data:

                                                        Probability  Criticality
Production schedule                                     B            3
Production summary data (rates, yields)                 B            2
Process variables                                       B            3
Product quality, raw material and shipment information  A            3
Tuning data/set points                                  C            4
Product Recipes and Formularies                         B            2
Standard operating conditions (SOC)                     B            3
Area operating procedures (AOP)                         C            4
Historical process data                                 B            3

Application & Device Assets

The threat is the corruption, denial of service, or destruction of the following PCN applications/devices:

                               Probability  Criticality
Operator control station       B            2
Engineering workstation        B            2
PM&C                           B            3
Process controller             D            2
External applications gateway  B            3
Control room printer           B            4

Page 24

Mitigation Strategies

Data Assets (rows: probability; columns: criticality; blank cells on the slide shown as "-")

                    1 Severe             2 Major              3 Minor                                      4 None
A - Very Likely     Encryption required  Encryption required  Encryption required (to Intranet perimeter)  Encryption required (to Intranet perimeter)
B - Likely          Encryption required  Encryption required  -                                            -
C - Not Likely      Encryption required  -                    -                                            -
D - Remote Chance   -                    -                    -                                            -

PCN Application/Device Assets (rows: probability; columns: criticality; blank cells on the slide shown as "-")

                    1 Severe           2 Major            3 Minor            4 None
A - Very Likely     Firewall required  Firewall required  Firewall required  -
B - Likely          Firewall required  Firewall required  Firewall required  -
C - Not Likely      Firewall required  Firewall required  Firewall required  -
D - Remote Chance   -                  -                  -                  -

Key Learning - Involve all stakeholders to build consensus on mitigation plan.
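The assessment that pages 22 through 24 describe, carried through in code as an added example. This is not DuPont's DNSAM tooling (the deck shows none): the segment-to-probability table and the two mitigation matrices are transcribed from the slides, and the sample assets are the ones rated on page 23. Two rules are my assumptions rather than statements on the slides: an asset reachable over several segments inherits the most likely threat among them, and the worst impact category sets an asset's criticality.

```python
"""Worked example of the PCN risk assessment and mitigation lookup from
pages 22-24. Added illustration, not DuPont's DNSAM code. Tables are
transcribed from the slides; rules marked "assumption" are not stated there."""
from dataclasses import dataclass

# Page 22: the network segment an asset can be reached from sets the threat probability.
SEGMENT_PROBABILITY = {
    "Internet": "A", "Wireless": "A", "Direct Dial-in": "A",
    "Intranet": "B", "Secure Dial-in": "B",
    "Integrated PCN": "C",
    "Isolated PCN": "D",
}

# Page 24 mitigation matrices: row = probability letter, column = criticality 1..4.
# A missing cell means the slide states no requirement for that combination.
DATA_MITIGATION = {
    "A": {1: "Encryption required", 2: "Encryption required",
          3: "Encryption required (to Intranet perimeter)",
          4: "Encryption required (to Intranet perimeter)"},
    "B": {1: "Encryption required", 2: "Encryption required"},
    "C": {1: "Encryption required"},
    "D": {},
}
DEVICE_MITIGATION = {
    "A": {1: "Firewall required", 2: "Firewall required", 3: "Firewall required"},
    "B": {1: "Firewall required", 2: "Firewall required", 3: "Firewall required"},
    "C": {1: "Firewall required", 2: "Firewall required", 3: "Firewall required"},
    "D": {},
}


def probability_for(segments):
    """Probability letter for an asset reachable from one or more segments.
    Assumption: the asset inherits the most likely threat among its paths, so an
    integrated PCN that also has a direct dial-in modem is rated A, not C."""
    letters = [SEGMENT_PROBABILITY[s] for s in segments]
    return min(letters)  # "A" < "B" < "C" < "D"


def worst_criticality(ratings):
    """Overall criticality from per-category ratings (injury, financial loss,
    environmental release, interruption of production, public image), each 1..4.
    Assumption: the worst category (numerically lowest) governs."""
    if not ratings or any(r not in (1, 2, 3, 4) for r in ratings.values()):
        raise ValueError("each impact category must be rated 1..4")
    return min(ratings.values())


def required_mitigation(kind, probability, criticality):
    """Look up the page 24 cell for a 'data' or 'device' asset.
    Returns None where the matrix leaves the cell blank."""
    matrix = DATA_MITIGATION if kind == "data" else DEVICE_MITIGATION
    return matrix[probability].get(criticality)


@dataclass(frozen=True)
class Asset:
    kind: str          # "data" or "device"
    name: str
    probability: str   # A..D
    criticality: int   # 1..4


# The page 23 asset list with the probability/criticality ratings shown there.
PAGE23_ASSETS = [
    Asset("data", "Production schedule", "B", 3),
    Asset("data", "Production summary data (rates, yields)", "B", 2),
    Asset("data", "Process variables", "B", 3),
    Asset("data", "Product quality, raw material and shipment information", "A", 3),
    Asset("data", "Tuning data/set points", "C", 4),
    Asset("data", "Product Recipes and Formularies", "B", 2),
    Asset("data", "Standard operating conditions (SOC)", "B", 3),
    Asset("data", "Area operating procedures (AOP)", "C", 4),
    Asset("data", "Historical process data", "B", 3),
    Asset("device", "Operator control station", "B", 2),
    Asset("device", "Engineering workstation", "B", 2),
    Asset("device", "PM&C", "B", 3),
    Asset("device", "Process controller", "D", 2),
    Asset("device", "External applications gateway", "B", 3),
    Asset("device", "Control room printer", "B", 4),
]


def assess(assets=PAGE23_ASSETS):
    """Map each asset name to its required mitigation (None = no requirement)."""
    return {a.name: required_mitigation(a.kind, a.probability, a.criticality)
            for a in assets}


if __name__ == "__main__":
    for name, requirement in assess().items():
        print(f"{name:58s} -> {requirement or '-'}")
```

Running it over the page 23 list shows the point the matrix makes: the process controller draws no firewall requirement only because it is rated D, i.e. it sits on an isolated PCN. The same controller on an integrated PCN is rated C, and the device matrix then requires a firewall for every criticality except "no impact". Likewise the A-rated quality and shipment data needs encryption only to the Intranet perimeter because its criticality is 3; at criticality 1 or 2 the requirement is unqualified.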

Page 25

(Aside - DNSAM)

DuPont developed a risk analysis process to meet the internal needs for process control systems and is making it available to industry.

Partnered with Rockwell Automation to offer DNSAM (DuPont Network Security Analysis Methodology) as part of their services business.

Page 26

Prioritize Implementation

Businesses set overall priorities for each PCN based upon:
• Safety
• Criticality to business

Key Learning - Availability of business-knowledgeable resources is required.

Page 27

Deployment Strategy for PCN Firewalls

Manage as one project worldwide

Standardize on single firewall vendor

Using single vendor to design, install, and commission all firewalls

Sites managing network re-engineering

Site ownership of firewall

Ongoing co-management of firewall

Page 28

Topics Covered

• Grounding - Process Control Systems
• PCN Security - History of DuPont activities
• Security policies for process control
• PCN security mitigation program
• Key learnings
• Concern with product directions

Page 29

Key Learnings

PCN vulnerabilities exist
• More than 300 PCNs, > 200 connected to LAN

Need management endorsement and support
• Commitment of resources and $ to mitigate vulnerabilities
• Asset owner is accountable

Project Execution
• Network analysis and re-engineering are the bottleneck for firewall deployment (typically 3-4 mo.)
• May require manufacturing shutdown depending upon system integration and nature of the process

Page 30

Key Learnings Cont'd

[Diagram contrasting the relationship between Site Manufacturing and the IT & Security Organization: "Typical in many companies" versus "To be Successful".]

Page 31

Key Learnings Cont’d

PCN firewalls are the meeting point of two different cultures and security policies.

Co-accountability and co-responsibility for administration of PCN firewalls.

Security is an evergreen task

New cooperative team approach is needed to steer direction (Process control, IT, Security, Safety, Engineering)

Page 32

Topics Covered

• Grounding - Process Control Systems
• PCN Security - History of DuPont activities
• Security policies for process control
• PCN security mitigation program
• Key learnings
• Concern with product directions

Page 33

Product Direction Concerns

Web-enabled process information
• Microsoft IIS has many vulnerabilities (not desired on PCN)
• Full-feature web-based GUIs using ActiveX controls and other scripts (difficult to protect PCN against malicious code)

Wireless connectivity to process information
• 802.11b based products (subject to hacker access)

Not addressing secure authentication and authorization for control room operators
• Must allow response to emergencies by designated operators

Page 34

?