Advancing the

Roadmap

Implementation

May 2011

ICSJWG Spring MeetingMark Heard, Eastman Chemical Company

Presenter

Mark Heard, Eastman Chemical Company• Control System Engineer

• Experience with several kinds of automation systems, especially networking with other plant systems

• General interest in security and admin issues for ICS

Work on Eastman Cybersecurity teams• Process Control Network Security, 2003-

• Network Segmentation, 2004-

• Cybersecurity Vulnerability Assessment, 2005-

• Process Automation Systems Authentication, 2006-

• Systems Integrity, 2008-

Working with ISA S99, ACC Cybersecurity Program (formerly thru ChemITC and CIDX) since 2002

What is the Roadmap?

• A structured set of priorities which address specific Industrial Control Systems (ICS) needs, over a 10 year timeframe

• Chemical Sector Coordinating Council (CSCC) signed off in Sept 2009

Agreeing to pursue a focused, coordinated approach to accomplish the activities set forth in the Roadmap

Is the risk real? (ie what is the problem that this is the solution

for?)

• ICS are increasingly interconnected to other plant and business systems

• ICS vendors continue to rapidly incorporate standard Information Technology into their products

• These trends expose the ICS to modern malware threats

• Stuxnet demonstrated that ICS are susceptible to increasingly sophisticated cyber-attacks

• Potential consequences of ICS incident are similar to those of a safety breach

Roadmap vision

“In 10 years, the layers of defense for industrial control systems managing critical applications will be designed, installed and maintained, commensurate with risk, to operate with no loss of critical function during and after a cyber event.”

Scope•Industrial Control Systems (ICS) in chemical facilities that are part of the critical infrastructure•Possible implications for ICS vendors•Connection to other systems included if they impact ICS risk

Chemical Sector Roadmap Implementation Working Group

est. December 2010

Roadmap Implementation Manager•Catalyst 35, under ACC contract

CSCC•American Chemistry Council (ACC) •National Petrochemical & Refiners Association (NPRA)

DHS•DHS NCSD Control Systems Security Program•DHS Chemical SSA

Owners/Operators•AkzoNobel•Dow Chemical•Infineum•DuPont•Eastman Chemical•Western Refining•Exxon Mobil•Air Products•Ashland•Air Products

Vendors•Computer Sciences Corporation (CSC)

DHS & Chemical sector

working in partnership

Chemical Sector Coordinating Council is sponsoring the Roadmap Implementation Working Group •RIWG has collected a wealth of resources/reference information •designed to assist owners/operators in addressing ICS security

www.chemicalcybersecurity.com/ICSroadmap

Roadmap Working Group Focus

Long Term

Improved ICS security across the chemical sector

ImmediateBuild awareness across the chemical

sector and ICS vendor industry of resources available to assist the sector in realizing its long term objective.

• Comprehensive Awareness Campaign

• Cyber Incident Response Process• Secure Information Sharing Forum• Metrics

Awareness Campaign

• Conducting an ICS Security Assessment

• Developing a Business Case for investing in ICS security

• Training for employees who work in the ICS environment

• Implementing existing standards

• Complying with existing CFATS Regulations

• Leveraging Best Practices• Wherever possible, not Chem

sector specific

Training Resources

• Chemical Sector ICS Security Training Resource

• Developed by the Roadmap Implementation Committee

• Designed for professionals in the process control and automation industries.

• Lists selected and representative security trainings… not a comprehensive list

• Organized by levels of difficulty (intro; intermediate; adv)

• Includes links to relevant websites, for ease of training access

Implementing Existing Standards

• ISA99, Industrial Automation and Control Systems Security• A series of 14 standards & technical

reports• Address all aspects of ICS security• 3 work products have been

published• Several others are available in draft

form for review and comment• ISO/IEC 15408-1:2009

• Establishes general concepts and principles of IT security evaluation

• Specifies the general model of evaluation given by its various parts

• Is intended to be used as the basis for evaluation of security properties of IT products

Relevant Guidance

• ACC Guidance for Addressing Cyber Security in the Chemical Sector

• DHS Catalog of Control Systems Security: Recommendations for Standards Developers

• NIST Special Publication (SP) 800-82, Guide to ICS Security, final public draft Sept 29, 2008

• NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009

• NERC Critical Infrastructure Protection – 002-009

CFATS RBPS 8 - Cyber

There are nine (9) specific risk-based performance metrics under RBPS 8:

8.1 Cyber Security Policies

8.2 Access Control

8.3 Personnel Security

8.4 Awareness and Training

8.5 Cyber Security Controls, Monitoring, Response, and Reporting

8.6 Disaster Recovery and Business Continuity

8.7 System Development and Acquisition

8.8 Configuration Management

8.9 Audits

Deter cyber sabotage, including preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control And Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS); critical business systems; and other sensitive computerized systems.

CFATS RBPS 8 - Cyber

In addition, cyber security is implicated in other RBPSs:RBPS 2: Secure Site Assets

Cyber components can be compromised physically, and thus critical cyber components should be physically secure as well

RBPS 6: DiversionFor facilities with theft chemicals of interest, cyber components should be designed to prevent diversion of chemicals of interest to unauthorized individuals

RBPS 11: TrainingA comprehensive security training and awareness plan typically will include targeted training on cyber security issues

RBPS 12: Personnel SuretyBackground checks should be performed on individuals with access to critical cyber systems

Leveraging Best Practices

Procurement Language•Department of Homeland Security: Cyber Security Procurement Language for Control Systems•Provides sample recommended language for control systems security requirements, including

• New SCADA/control systems• Legacy systems• Maintenance contracts• Information and personnel

security

Leveraging Best Practices

Secure Connectivity

•Objective is to restrict the highest probable attack path to the ICS.

•Cyber-attacks on ICS have been most often initiated through the internet to the business system and then to the ICS

•Adequate firewalls and other isolation methods exist today

NIST Catalog of Control Systems Security: Recommendations for Standards Developers / Section 2.15

Leveraging Best Practices

Secure Remote Access•Objective is to deter cyber-attacks from remote location access devices and control centers•Includes devices that have access to the control system and system state sensors, senders and receivers

• Wireless communication devices• Personal communication devices• Virtual private network (VPN)

connections• Authorized vendor and support

systems access

NIST Catalog of Control Systems Security: Recommendations for Standards Developers / Section 2.15

Leveraging Best Practices

Incident ManagementICS-CERT definition of Incident: •“In the context of cybersecurity, including ICS, an incident typically entails unauthorized access to computer networks and equipment with actions resulting in some form of negative consequence to the asset owners. Damage might include stolen data, exposure of private or business sensitive information, interruption of key services, a shutdown of production operations, damage to physical equipment and the environment, and defaced public websites. The economic and social consequences of a breach could be quite severe when considering negative publicity, loss of customer confidence, potential lawsuits, and direct financial loss caused by interruptions in production operations or equipment replacement and repair.”

Leveraging Best Practices

Incident Management•Cyber-attack trends have demonstrated how rapid an incident can escalate•Many chemical companies have corporate and/or site incident management processes•Information Sharing is a two-way street•ICS-CERT is available as a resource to assist in addressing an incident

In doing so, contacting ICS-CERT will contribute to building situational awareness

•ICS-CERT Conducts vulnerability and malware analysesProvides onsite support for incident response and forensic analysis, when askedProvides situational awareness with actionable intelligenceCoordinates responsible disclosure of vulnerability information and threat analysis

For access to the ICS-CERT portal, please email: chemicalsector@dhs.gov

What Can You Do?• Ensure someone takes ownership of ICS security and

is accountable

• Open lines of communication between engineering, security, information technology, process safety and manufacturing operations communities within your own company

• Conduct an audit of current ICS security measures and implement obvious fixes

• Follow-up with an ICS security vulnerability analysis (risk assessment)

• Implement an ICS security management program that is integrated with existing company management systems for security, safety, quality, etc

• Become an advocate in your company on this important issue

www.chemicalcybersecurity.com/ICSroadmap

20 OCT 2010

Questions?