cyber security for industrial automation control systems ... · •guarantee vendors supplying...
TRANSCRIPT
Cyber Security for Industrial Cyber Security for Industrial Automation Control Systems (IACS) & Automation Control Systems (IACS) & networks and Security Requirements networks and Security Requirements
for PCD Systemsfor PCD SystemsTed Angevaare, Team Leader Automation at Shell andChairman Plant Security Group at WIB
8 December 2011 / 13.50-14.10TU DelftAula Congrescentrum
New Cyber threats per yearSource: Symantec
Ref: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf
Symantec Internet Security Threat Report: Volume XV: April Symantec Internet Security Threat Report: Volume XV: April 2010 2010
Intro Windows in PCD
The risk to the worldThe risk to the world’’s oil & gas production facilities s oil & gas production facilities is increasing exponentially over timeis increasing exponentially over time
So, is this a threat to PCD systemsSo, is this a threat to PCD systems??
Ø Viruses are now detected in the Process Control Domain around the world, causing production loss or significant costs to repair
Ø Some examples from around the world:– Disgruntled ex-contractor hacked into a sewage plant, releasing millions of liters of
sewage into the local river (Australia, 2001),– Slammer worm disabled Davis-Besse nuclear power plant safety monitoring system
(USA, 2003),– Blaster worm suspected of jamming alarm systems and escalating power blackouts
(USA, 2003),– Worm: 13 auto plants in the USA were shut down by a simple Internet worm named
Zotob introduced via a laptop. The infection resulted in $14 million loss and 50.000 workers had to cease work (USA 2005),
– Virus: Browns Ferry Nuclear plant had to be shut down for 2 days because of excessive control bus network traffic. (USA 2006),
– Worm: Intramar, the French Navy computer network, was infected with the Conficker worm on 15th of January 2009 (EUR 2009).
YES!YES!
Malware specifically targeting PCD……named STUXNETas recent as Q3 2010
STUXNETSTUXNET hits Siemens Control Systems (WinCC/PCS 7)!!
“ With the cyber forensics we now have, it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge.”
Conclusion: This was assembled by a highly qualified team of experts, involving some with specific control system expertise. This is not some hacker sitting in the basement of his parents house !!
“ It is the first virus known to target and infiltrate DCSs and PLCsused to run our production facilities worldwide.”
“ the virus is extremely intelligent and complex, capable to take over control of a computer system, without the user taking any action other than inserting an infected USB stick”
STUXNET
These threats may come from unexpected These threats may come from unexpected sourcessourcesInternet is NOT the main source (17%), most infections originate from inside !
Removable media today in industry is the major reason for infections.……
What is the potential impact of an infection ? What is the potential impact of an infection ? In industry a virus infection could result in……
Missing of Production TargetsDue to unavailability of production system
• Loss of reputation • Contractual Obligations not fulfilled
Repair and Restart of Production systems
• Manpower / contractor• Mob/Demob staff to site
Overreacting; excessive measuresFear of the unknown, reoccurrence
• Increased efforts• Additional costs
Shell Shell ‘‘s positioning towards PCD s positioning towards PCD securitysecurity
• Standardization of design & implementation,• Shell Assets must comply with a Minimum Standard
(ESS = Enterprise Security Standard) & IT-Framework!• Skill and competencies; continuous education/training of staff,• Vendor Certification; only allow Security Certified Vendors in
the PCD,• Audit, Reviews and Self assessments,• As-Built; “secure by design” architecture,• Security built–in as fundamental component,• Evergreening and Improvement initiatives• Initiate improvement steps during life-cycle• Being active outside Shell, share with industry and follow
research and developments
ESS
• Guarantee Vendors supplying secure systems & services at all stages of the lifecycle!
• Fit-for-purpose security, based on best practices in Shell and all the good work by many others
• Affordable solution for Vendors to gain certificate• Suitable for big Industrial Automation Vendors and Suppliers• Suitable for many small Vendors and Suppliers (>300)• Minimum Standard freely available for everyone• Many end-users to join, such that Vendors are only facing one
requirement à saving costs• Step change now and evolve over time!
A Vendor security certification program A Vendor security certification program now!now!
What does the EndWhat does the End--user want?user want?
We can only be successful when working We can only be successful when working together!together!
??
?
?
• Annemarie Zielstra – NICC• André Schepens – Dow• Auke Huistra – NICC• Frank Pijnenburg – DSM• Geert Soulje – DuPont• Marnix Haije – Shell• Herman Suselbeek – WIB• Ian Henderson – BP• Jos Menting – Laborelec• Peter Kwaspen – Shell• Lex Boekel – Wintershall
WIB Plant Security Group:
• Lou Verhagen – AkzoNobel• Mart Louisse – Aramco Overseas Co• Martin Visser – Waternet• Michiel Kleisen – Dupont• Nate Kube – Wurldtech• Maarten Oosterink – Shell• Sierk Goedemoed – Heineken• Tom Kuperij – WIB• Pascal van den Boogaard – Shell• Wim Breugom – Waternet• Ted Angevaare – Shell and Chairman
Who worked on the WIB Standard Who worked on the WIB Standard vsvs2.0?2.0?
Evolution towards international Evolution towards international standardstandard
Cyber Security Procurement Language for
Control Systems
From DHS
Cyber Security Procurement Language for
Control Systems
From DHS
WIB Report M 2784 X10,
version 2
WIB Report M 2784 X10,
version 2
DACA security standards and experiences
DACA security standards and experiences
IDEAL standard is selection of relevant IT
requirements from various
standards
IDEAL standard is selection of relevant IT
requirements from various
standards
Less than 50% content from ISO 27002
Development International
standard
Development International
standard
1400+ downloads
2008-2009 2010 2011
IEC proposal
WIB Report M 2784 X10,
version 1
WIB Report M 2784 X10,
version 1
Some stakeholdersSome stakeholders1. The NIST Cyber Security Working Group (CSWG) has created a task
force (http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/IEC6244324TaskForce) that has studied the alignment of the IEC 62443-2-4 draft and concluded it is well aligned with the NISTIR 7628 guidelines for cyber security and is currently working towards harmonization of the two documents.
2. Lisa Kaiser of the US Department of Homeland Security (DHS) has received approval to participate in the IEC 62443-2-4 standards resolution process. The DHS is currently actively considering moving forward with the IEC 62443 series, but has found the ISA 99 parts somewhat confusing. They feel that the IEC 62443-2-4 requirements are easily understood, and the fact that they align closely with the NISTIR 7628 (which is largely based on the NIST SP 800-53 guidelines) has peaked their interest.
Now you!Now you!Go to the WIB Homepage and download the document: http://www.wib.nl/
You are free to use it!
Be prepared and make sure that your systems, facilities and/or services are compliant to the WIB vs. 2.0.
Go for certification now and be secure!