Copyright © ISA
Industrial Automation and Controls Systems Security
Past, Present and Future
Eric C. Cosman
COBISA 2019
Your Speaker…
• 35+ years experience in industrial information technology
• 15+ years in ICS cybersecurity, at the company, sector, national and international level
• Founding member and co-chair, ISA99 committee
• Past vice president of standards and practices at ISA
• ISA President-Elect
• Former leader, chemical sector cybersecurity program
May 2019
Topics
• Where have we been?
• Where do we stand?
• Changing the Conversation
• 62443 Basics
• A Cybersecurity Management System
WHERE HAVE WE BEEN?
Evolution of Threats
[Figure: Attack Sophistication and Intruder Knowledge (Low to High) plotted over time, 1980 to 2000+, with attacker tools labelled along the curve: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, “stealth” / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, staged attack, bots. Source: CERT]
Evolution of Targets
[Figure: targets, 1980’s versus current]
WHERE DO WE STAND?
The Situation
• Evolving Risk
• Increasing Complexity
• Improved Standards
• Proven Practices
But The Challenges Continue!
Evolving Risk
• Evolving threats
• Ever-present vulnerabilities
• Always serious potential consequences
Risk = f(Threat, Vulnerability, Consequence)
Lingering Myths
Denial
• Nobody wants to attack us
• It can’t happen to us
Diversion
• It’s all about IT
• Industrial cybersecurity is the same as business system cybersecurity
Naivete
• Addressing security is a project
• We can eliminate all vulnerabilities
• Cybersecurity incidents will not impact operations
The Challenges Remain
• Design with No Security
• Patching strategy
• Remote access requirements
• Vulnerability tracking
• Standardization
• Downtime for maintenance
• Unsupported or obsolete software
• Exposure to public networks
• Unable to penetration-test in production
• No time for remediation
• Shared accounts or no authentication
• Connecting IT & OT
• Skill set – Proficiency
And so are the Risks
• “Security through obscurity”
• Inaccurate or non-existing inventory
• Unpatched or unsupported (operating) systems
• Authentication and authorization issues
• Inadequate input validation
• Lack of proper security policies
• Default or weak configuration
• Lack of accountability
• Denial of Service (DoS)
CHANGING THE CONVERSATION
Response…
• Challenge and debunk the myths
• Face the challenges
• Acknowledge the risks
• Embrace Imperfections!
Better: The Enemy of Good
[Diagram: “What we have done…” + “What we can…” before “What we face…”]
More Sharing!
From Standards to Practices
Standards
• maturing rapidly….
– ISA/IEC 62443 series almost “feature complete”
• but “not intended for civilians”
– Product and process certification
Practices
• Application and adoption
– Sharing of results
– Sharing of incident information
(Typical) Asset Owner Response
• Skepticism (ignorance?) about the imperative and the return
• Too often driven by compliance; does not necessarily improve security
• Overwhelmed by complexity
– Analysis paralysis
• A “Program Response” by Leaders
(Typical) Supplier Response
• Partnerships and acquisitions
• “embedding” of security into ICS products
– Firewalls, IPS, hardening, etc.
– Secure development life cycles
• Product Certifications
• Security Services
New Perspectives Needed
• Effective asset management is a prerequisite
– You can’t secure what you can’t identify
• Integrate security management and automation systems management
– Dynamic system characterization
– Anomaly detection
– Management of change
62443 BASICS
Essential Elements…
Effective Automation Systems Security = f(Appropriate IT Security Technology, Specialized Security Expertise, Industrial Automation Domain Expertise)
Foundational Requirements
• FR 1 – Identification & authentication control
• FR 2 – Use control
• FR 3 – System integrity
• FR 4 – Data confidentiality
• FR 5 – Restricted data flow
• FR 6 – Timely response to events
• FR 7 – Resource availability
Fundamental Concepts
• System Taxonomy
• Life Cycles and Processes
• Principal Roles
• Zones and Conduits
• Security Levels
• Maturity
• Security Program Rating
Source: ISA-62443-1-1, 2nd Edition (Under development)
System Taxonomy
[Figure: system taxonomy. An IACS includes a set of Policies and Procedures and one or more Automation Solution(s); an Automation Solution includes one or more Systems (Products); a System includes one or more Components (Products). Relevant standards listed alongside: 62443-2-1, 62443-2-2, 62443-2-3, 62443-2-4, 62443-3-2, 62443-3-3, 62443-4-1, 62443-4-2]
Solution Phases
[Figure: solution phases (Development, Integration & Commissioning, Operation & Maintenance, Decommissioning) for the Automation Solution, with the roles System Supplier, System Integrator, Asset Owner and Asset Owner (Service Provider). Other labels: Asset Owner Specification, Security Targets, System Capability, Project Application, Configuration and User Management, Security Measures and Settings, Policies & Procedures]
Security Life Cycle
Source: ISA-62443-1-1, 2nd Edition (Under development)
Principal Roles
[Figure: principal roles and their relationships to the industrial automation and control system (IACS). Roles: Asset owner, Maintenance service provider, Integration service provider, Product supplier. Relationships: accountable for, operates, maintains, commissions and validates, designs and deploys, develops and supports. Within the IACS environment: operational capabilities and maintenance capabilities (policies and procedures), and the Automation Solution, which includes configured products (control systems and devices) and provides essential functions (control, safety and complementary functions). Independent of the IACS environment: the control system as a combination of supporting software applications, embedded devices, network devices and host devices]
Zones and Conduits
Security Levels
Program Maturity
Level  Name       Description
1      Initial    Ad-hoc (non documented) operations and activities
2      Managed    Operation according to written policies (including objectives)
3      Defined    Operations are repeatable and can be tailored for the situation
4      Improving  Effectiveness and performance are controlled and continuous improvement programs are in place
A CYBERSECURITY MANAGEMENT SYSTEM
The Process
[Figure: process flow with boxes labelled Start, Identify Assets, Analyze Threats, Determine relevant security objectives, Analyze and assess risks, Identify measures & assess effectiveness, Select countermeasures, Implement countermeasures, Perform Process audit]
Risk Based Approach
• Do we understand each component?
• Who has the information?
• What can we do about each term?
Each has a specific response, from a specific perspective.
Risk = f(Threat, Vulnerability, Consequence)
Mitigation Options
[Figure: mitigation stages Secure, Defend, Contain, Manage, Anticipate, plotted as Level of Risk Reduction against Cost of Mitigation Solutions. Measures shown: Physical Security, Security Practices, Device Hardening, Patch Mgmt; Perim Firewalls, Unidir Gateways, IDS/IPS, Access Control, Anti-Malware; Zone Firewalls, Dev Firewalls, App Whitelisting; Breach Detection, Incident Mgmt, SIEM; Threat Intelligence. Support Resources Required: Part-time Plant ICS Staff, Full-time Plant ICS Staff, ICS Supplier or Cyber Service Provider, Full-time ICS Cyber Operations Group. Copyright © ARC Advisory Group]
Sources of Help
• Operations – IT Partnership
– Really!
• Practices and Guidance
• Expectations and Regulations
• Standards
• NIST Cybersecurity Framework
Informative References
• ISA/IEC 62443
• NIST SP 800-53
• ISO/IEC 29100
• ISO/IEC 27001
• COBIT
• CCS CSC
• NERC CIP
• NISTIR 7628
• DOE ES-C2M2
• NERC EOP
• NIST SP 800-16
• NIST SP 800-50
The 62443 Standards
• A series of standards, being developed by 2 groups:
– ISA99 Committee → ANSI/ISA-62443
– IEC TC65/WG10 → IEC 62443
• With guidance and consultation from:
– ISO/IEC JTC1/SC27 → ISO/IEC 2700x
The 62443 Series
Highlights
• New standards approaching completion:
– 62443-3-2 (Risk Assessment)
– 62443-4-1 (Product Development)
– 62443-4-2 (Component Requirements)
• ISA Adoption of 62443-2-4
• Patch management as a standard
– 62443-2-3
ADDITIONAL GUIDANCE
NIST Cybersecurity Framework
https://www.nist.gov/cyberframework
ISASecure™
• ISA/IEC-62443 standards set the requirements for Industrial Automation and Control Systems
• ISASecure certifies that suppliers and products meet the ISA/IEC-62443 standards
• Asset Owners have confidence that the IACS products they purchase are robust against network attacks and are free from known security vulnerabilities
Questions