Theme 3: Cyber Security
Just How Vulnerable is Your Safety System?
Colin Easton
MSc, CEng, FInstMC, MIET, ISA Senior Member
TÜV Rheinland FS Senior Expert PHRA & SIS
6th July 2017
Safety System Security
Safety Systems are now more accessible and “open”
than ever before, due to the increasing use of COTS
solutions for networking and HMI purposes.
Business needs drive the interconnectivity between
OT and IT systems at the same time as we
see control and safety system architectures merging.
This interconnectivity and merging of systems opens
up vulnerabilities in our systems that can be exploited
by cyber and physical threats.
Safety System Security
Safety Systems operate in real time to protect
our processes; tampering with them, either
intentionally or unintentionally, can lead to:
Loss of Production
Environmental releases
Health & Safety consequences
Industrial Automation and Control System
(IACS) security is about preventing or mitigating
the exploitation of the vulnerabilities in our
control and safety systems.
What is the Problem?
2010 – Stuxnet – gained access to Siemens S7 PLCs and reconfigured their logic
2012 – Project Basecamp, looking for vulnerabilities in 6 specific IACS devices,
found several, including the ability to read PLC configurations and modify them.
These vulnerabilities have been published and are included in publicly
available databases, allowing us to identify and protect against the threats,
but also enabling anyone to find and exploit them.
But not all threats originate from the internet: maintenance activities,
software upgrades / patches, remote access, wireless, physical security and
unauthorised access are just as big an issue for safety systems.
IEC 62443 – Security for IACS
Therefore, the SIS must be secure from both physical and cyber
damage, whether the result of malicious acts or of accidental
events, that would impact the SIS's ability to maintain its
functional and safety integrity on demand.
To prevent both physical and cyber damage, the risk reduction
must be based on a mix of technical, procedural and managerial
protection measures, taken from the guidance in IEC 61511,
IEC 62443 (ISA99) and ISA TR84.00.09.
Security Risk Assessment – IEC 61511 2ED Clause 8.2.4
States that an SRA must be carried out to identify the security vulnerabilities of the SIS.
The SRA output needs to include:
1. A description of the devices covered by the SRA – what is the scope of the System under Consideration (SuC);
2. A description of the identified threats that could exploit vulnerabilities and result in security events;
3. The potential consequences resulting from the security events and the likelihood of these events occurring;
4. Consideration of vulnerabilities and threats at all of the lifecycle phases;
5. The determination of requirements for additional risk reduction;
6. A description of, or references to information on, the security and compensating measures to be taken to reduce or remove the threats.
A description of the devices covered by the SRA
IEC 62443-2-1 Example IACS Asset table (template, completed by the assessment):
IACS Device Asset         | Consequence Rating | Likelihood Rating | IACS Device Risk Level
Operator control room HMI |                    |                   |
Remote operator Panel     |                    |                   |
Engineering Workstation   |                    |                   |
Historian Server          |                    |                   |
Controller                |                    |                   |
Pressure Sensor           |                    |                   |
Valve Positioner          |                    |                   |
Gateway                   |                    |                   |
Clearly document the IACS and associated assets.
Gather and organise information such as:
System architecture diagrams – components, connectivity & location
Network diagrams – physical construct and assignments
Devices (Ethernet & IP address)
Configurations – hardware & software – scan & map tools
Identify known vulnerabilities
Security Vulnerability Assessments (The clever stuff)
High Level – Gap Assessment:
Assessment of existing operational procedures and practices
Interviews, site audit, review of drawings, sample configurations, questionnaire
(the questionnaire could make use of the US ICS-CERT Cyber Security Evaluation Tool, CSET)
Passive vulnerability assessment:
Review architecture & network drawings, use traffic analysis tools, research using vulnerability databases – ICS-CERT advisories, NVD – and scanner plugin feeds such as Nessus
Active vulnerability assessment:
Active network scanning
Active vulnerability scanning
Penetration test, e.g. with Metasploit
Active scanning and penetration testing must only be run against an off-line or test system, or during a planned outage with the vendor's agreement: even a simple port scan has been known to crash or reboot controllers.
Zones and Conduits
Review the system boundaries and break the system down into zones and conduits.
Each zone should group assets that are assumed to require the same Security Level.
Then carry out a high-level SRA.
Figure A.3 – Example Network Security Architecture with Integrated 2 Zone SIS (ISA-TR84.00.09-2013, p. 31). Components shown include: Internet, Enterprise WLAN, Web Server and Enterprise Firewall; a Plant DMZ with Domain Controller, Data Historian and Maintenance Workstation; a BPCS zone with BPCS Engineering Workstation, Domain Controller, BPCS HMI and Control PES driving Transmitter, Control Valve and Pump Controller; an SIS zone with SIS Engineering Workstation, SIS HMI, SIS-PES, IAMS and Handheld Programmer driving Transmitter and Block Valve; field signals are 4-20 mA and 24 VDC.
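The passive assessment and zoning steps above, worked as an added example that is not part of the presentation or of ISA-TR84.00.09: it parses a constructed flow summary (assumed one-line-per-flow format "src dst proto dport"), fingerprints devices from well-known IACS protocol ports, assigns each address to an assumed zone subnet, and compares the zone-to-zone conduits actually observed with the conduits the zone model permits. The subnets, port table, flow records and permitted conduit list are all constructed for the example; nothing is sent to the network.

```python
"""Passive asset inventory and conduit discovery from a constructed flow log.

Added example, not from the presentation. The flow-line format, the zone
subnets and the permitted conduit list are assumptions for illustration.
"""
import ipaddress
from collections import defaultdict

# Assumed zone plan mirroring the slide's architecture; subnets are constructed.
ZONES = {
    "Enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "Plant DMZ": ipaddress.ip_network("10.2.0.0/24"),
    "BPCS": ipaddress.ip_network("10.3.0.0/24"),
    "SIS": ipaddress.ip_network("10.4.0.0/24"),
}

# Well-known protocol ports used to fingerprint device roles without scanning.
PORT_ROLES = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    44818: "EtherNet/IP",
    20000: "DNP3",
    4840: "OPC UA",
    3389: "RDP",
    445: "SMB",
}

# Directional conduits the zone model permits; anything else is raised in the SRA.
ALLOWED_CONDUITS = {
    ("Enterprise", "Plant DMZ"),
    ("Plant DMZ", "BPCS"),
    ("BPCS", "SIS"),
}

# Constructed flow records, as a capture summary tool might emit them.
SAMPLE_FLOWS = """\
10.1.5.20 10.2.0.10 tcp 443
10.2.0.10 10.3.0.5 tcp 4840
10.3.0.5 10.3.0.20 tcp 502
10.3.0.21 10.4.0.10 tcp 102
10.1.7.33 10.4.0.10 tcp 102
10.1.7.33 10.4.0.11 tcp 3389
"""


def zone_of(ip):
    """Return the zone name whose subnet contains ip, or 'Unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Unknown"


def parse_flows(text):
    """Parse 'src dst proto dport' lines into (src, dst, proto, port) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, proto, port = line.split()
            flows.append((src, dst, proto, int(port)))
    return flows


def build_inventory(flows):
    """Map every address seen to its zone and the services it was offered on."""
    inventory = defaultdict(lambda: {"zone": None, "services": set()})
    for src, dst, proto, port in flows:
        for ip in (src, dst):
            inventory[ip]["zone"] = zone_of(ip)
        inventory[dst]["services"].add(PORT_ROLES.get(port, f"{proto}/{port}"))
    return dict(inventory)


def find_conduits(flows):
    """Return (observed zone pairs, observed pairs not in ALLOWED_CONDUITS)."""
    observed = set()
    for src, dst, _, _ in flows:
        a, b = zone_of(src), zone_of(dst)
        if a != b:
            observed.add((a, b))
    return observed, {c for c in observed if c not in ALLOWED_CONDUITS}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for ip, info in sorted(build_inventory(flows).items()):
        print(ip, info["zone"], sorted(info["services"]))
    observed, violations = find_conduits(flows)
    print("conduits observed:", sorted(observed))
    print("undocumented conduits:", sorted(violations))
```

In the constructed capture an enterprise host talks S7comm and RDP straight into the SIS zone, bypassing the DMZ; that is exactly the kind of conduit the high-level SRA has to either document with its own security requirements or remove.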
A description of the identified threats that could exploit vulnerabilities and result in security events
Stored data (e.g. history, programs) is intentionally modified or corrupted by an unauthorised individual through local access
Malware:
unintentionally installed on the control system through a remotely connected computer;
intentionally installed on the control system through a remotely connected computer;
enters the system through a laptop connected to the control system network;
enters the system through infected media (e.g. USB sticks);
enters the system through the business network.
Confidential control system data is intentionally disclosed through local or remote access
A network device fails, causing a network storm that impacts system communication
A denial of service attack is intentionally launched through remote access
High-level Risk Assessment Tools
IEC 62443-2-1 Example tables
The potential consequences resulting from the security events and the likelihood of these events occurring
IACS Device Asset         | Consequence Rating | Likelihood Rating | IACS Device Risk Level
Operator control room HMI | A | Medium | High-Risk
Remote operator Panel     | C | High   | Medium-Risk
Engineering Workstation   | A | High   | High-Risk
Historian Server          | B | Medium | Medium-Risk
Controller                | A | Medium | High-Risk
Pressure Sensor           | A | Medium | High-Risk
Valve Positioner          | A | Medium | High-Risk
Gateway                   | B | Low    | Low-Risk
Firewall                  | B | Low    | Low-Risk
IEC 62443-2-1 Example IACS Asset table with results (consequence rating A = most severe)
Draft IEC 62443-3-2 – Security for IACS: workflow diagram to establish zones and conduits (figure not reproduced)
ZCR – Zone & Conduit Requirement; SuC – System under Consideration; PHA – Process Hazard Analysis
The determination of requirements for additional risk reduction
Draft IEC 62443-3-2 – Security for IACS: workflow diagram for detailed cyber security risk assessment (ISA-62443-3-2, D6E3, September 2016, p. 24). DRAR – Detailed Risk Assessment Requirement. The steps, with the input to and the output of each:
Start – inputs: historical data and other threat information sources; vulnerability assessment, prior audits, vulnerability databases, etc.; threats, vulnerabilities, existing PHAs, other risk assessments
DRAR 1 – Identify threats → list of threats
DRAR 2 – Identify vulnerabilities → list of vulnerabilities
DRAR 3 – Determine consequences and impact → assessment of impact
DRAR 4 – Determine unmitigated likelihood → assessment of likelihood
DRAR 5 – Calculate unmitigated cyber security risk (likelihood, impact, corporate risk matrix) → assessment of unmitigated cyber security risk
DRAR 6 – Determine security level target (corporate risk matrix with tolerable risk) → security level target
DRAR 7 – Identify and evaluate existing countermeasures (from the lists of threats and vulnerabilities) → list of countermeasures
DRAR 8 – Re-evaluate likelihood and impact → updated likelihood and impact assessment
DRAR 9 – Calculate residual risk (updated likelihood, impact and corporate risk matrix) → residual cyber security risk
DRAR 10 – Are all residual risks at or below tolerable risk? No → DRAR 11; Yes → DRAR 12
DRAR 11 – Apply additional cyber security countermeasures → updated list of countermeasures, fed back for re-evaluation
DRAR 12 – Document and communicate results → detailed risk assessment report
The determination of requirements for additional risk reduction
IEC 62443-3-2 Example table for mapping Cyber Risk Reduction Factor to Target Security Level (table not reproduced)
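The detailed risk assessment workflow, the example asset table and the mapping from Cyber Risk Reduction Factor to target security level, worked through in code as an added example that is neither the presentation's nor IEC 62443-3-2's. The risk matrix is chosen so that it reproduces the slide's asset table results; the tolerable-risk score, the CRRF-to-SL-T thresholds, the three scenarios and the rule that each countermeasure lowers likelihood by one band are all assumptions made for the example.

```python
"""Detailed cyber security risk assessment (DRAR 1-12) worked through in code.

Added example, not from the presentation or from IEC 62443-3-2. The risk
matrix reproduces the slide's example asset table; the tolerable-risk score,
the CRRF-to-SL-T thresholds and the effect of each countermeasure are assumed.
"""
from dataclasses import dataclass, field

CONSEQUENCE = {"A": 3, "B": 2, "C": 1}             # A = most severe, as on the slide
LIKELIHOOD_BANDS = ["High", "Medium", "Low"]
LIKELIHOOD = {"High": 3, "Medium": 2, "Low": 1}
TOLERABLE_SCORE = 2                                 # assumed corporate tolerable risk
SL_T_THRESHOLDS = [(1.0, 1), (3.0, 2), (10.0, 3)]   # assumed CRRF -> SL-T table; else SL 4


def risk_score(consequence, likelihood):
    return CONSEQUENCE[consequence] * LIKELIHOOD[likelihood]


def risk_level(consequence, likelihood):
    """Corporate risk matrix (DRAR 5); the bands reproduce the slide's table."""
    score = risk_score(consequence, likelihood)
    return "High-Risk" if score >= 6 else "Medium-Risk" if score >= 3 else "Low-Risk"


def target_security_level(crrf):
    """DRAR 6: cyber risk reduction factor (unmitigated / tolerable) -> SL-T."""
    for limit, sl in SL_T_THRESHOLDS:
        if crrf <= limit:
            return sl
    return 4


def step_down(likelihood):
    """Assumed effect of one countermeasure: likelihood drops one band.
    Returns None at Low, i.e. no further likelihood reduction is available."""
    i = LIKELIHOOD_BANDS.index(likelihood) + 1
    return LIKELIHOOD_BANDS[i] if i < len(LIKELIHOOD_BANDS) else None


@dataclass
class ThreatScenario:
    asset: str
    threat: str                                     # DRAR 1 + 2
    consequence: str                                # DRAR 3
    likelihood: str                                 # DRAR 4, unmitigated
    existing: list = field(default_factory=list)    # DRAR 7
    candidates: list = field(default_factory=list)  # DRAR 11 options, in order


def assess(scenario, tolerable=TOLERABLE_SCORE):
    """Run DRAR 5-12 for one scenario and return the record for the report."""
    unmitigated = risk_score(scenario.consequence, scenario.likelihood)
    crrf = unmitigated / tolerable
    likelihood, applied, exhausted = scenario.likelihood, [], False
    for cm in scenario.existing:                    # DRAR 7-8
        nxt = step_down(likelihood)
        if nxt is None:
            break
        likelihood, applied = nxt, applied + [cm]
    residual = risk_score(scenario.consequence, likelihood)   # DRAR 9
    for cm in scenario.candidates:                  # DRAR 10-11, looping to DRAR 8
        if residual <= tolerable:
            break
        nxt = step_down(likelihood)
        if nxt is None:                             # likelihood cannot go lower
            exhausted = True
            break
        likelihood, applied = nxt, applied + [cm]
        residual = risk_score(scenario.consequence, likelihood)
    return {                                        # DRAR 12
        "asset": scenario.asset,
        "threat": scenario.threat,
        "unmitigated": risk_level(scenario.consequence, scenario.likelihood),
        "crrf": crrf,
        "sl_t": target_security_level(crrf),
        "countermeasures": applied,
        "residual": risk_level(scenario.consequence, likelihood),
        "tolerable": residual <= tolerable,
        # A severe consequence at Low likelihood still exceeds the tolerable
        # score: only consequence reduction (design change, back to the PHA)
        # can close that gap, so the record says so rather than hiding it.
        "needs_consequence_reduction": exhausted,
    }


# Constructed scenarios using assets and threats listed on the slides.
SCENARIOS = [
    ThreatScenario("Engineering Workstation", "Malware via infected USB media",
                   "A", "High", existing=["Removable media control"],
                   candidates=["Application whitelisting", "Dedicated EWS zone"]),
    ThreatScenario("Historian Server", "Stored data modified via local access",
                   "B", "Medium", candidates=["Role-based access control"]),
    ThreatScenario("Gateway", "Device failure causes a network storm", "B", "Low"),
]

if __name__ == "__main__":
    for scenario in SCENARIOS:
        print(assess(scenario))
```

The engineering workstation scenario is the one to look at: after the existing and candidate measures it is still Medium-Risk, because a consequence-A asset cannot be brought below the assumed tolerable score by lowering likelihood alone. The record flags that rather than letting the assessor keep adding countermeasures that change nothing, which is the point of DRAR 10 looping back rather than closing.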
Description of information on the security & compensating measures taken to reduce / remove the threats
The countermeasures to address a specific risk will differ depending on the system; for example, different "authentication" rules will apply to controllers and to HMIs.
Countermeasures must be documented along with the procedure / guidance for using them.
The IEC 62443 approach is similar to that of IEC 61508: IEC 62443-3-3 identifies system security requirements, broken down by requirement and security level, that can be used to demonstrate that the risk has been reduced.
ISA TR84.00.09 Management Process – identifies additional requirements for cyber security, including:
Clause 5 – Management of functional safety: inventory of vulnerabilities, risk assessment, security of operation, host protection, patch / upgrade management, confidentiality of cyber security information;
Clause 8 – Additional requirements for security protection, with potential threats taken from IEC 62443 guidance;
Clause 9 – To include security countermeasures, and compensating measures for when it is not possible to implement security countermeasures in the SIS;
Clause 10 – The SRS should have a section dedicated to countermeasures, specifically considering that the countermeasures do not degrade SIS performance such as response time or field devices;
Clauses 11 & 12 – Additional requirements for when full independence and segregation is not feasible, based on air gap, integrated zone hierarchy and firewalls, and for the vendor to supply security concepts that cover the SIS lifecycle;
Clauses 14 and 15 – Consideration of mechanical integrity and ongoing cyber security;
Clause 16 – Ongoing cyber security, such as protection during back-up and restoration, patches and upgrades, remote access, bypasses and checking of tools;
Clauses 17 & 18 – Modifications to the SIS-related security countermeasures should follow the MOC programme, and an impact analysis should be carried out covering access control, authorisation and reasons for access, virus checking and control.
Consideration of vulnerabilities and threats at all of the lifecycle phases
Cyber Security – Competency and Training for C&I Engineers
It is critical that C&I Engineers acquire the skill set to be able to communicate and work alongside cyber security specialists.
ISA Europe has introduced the ISA Industrial Cybersecurity Certificate Program; this provides practical hands-on training using IACS network hardware, firewalls, switches and Rockwell & Siemens PLCs.
The training is tiered to ISA/IEC 62443:
ISA/IEC 62443 Cybersecurity Fundamentals Specialist
ISA/IEC 62443 Cybersecurity Risk Assessment Specialist
ISA/IEC 62443 Cybersecurity Design Specialist
ISA/IEC 62443 Cybersecurity Maintenance Specialist
TÜV Rheinland are also developing a cyber security scheme for C&I and FS Engineers that will be introduced in early 2018
Additional Guidance (UK HSE)
Compliance with OG-0086 will contribute towards a suitable demonstration of
compliance with UK H&S legislation and as part of the cyber security ALARP
demonstration for the facility.
OG-0086 – Cyber Security for IACS identifies BS EN 61511 as the recognised good
practice (RGP).
The reference is to the 2nd Edition Clause 8.2.4 requirement for a Security
Risk Assessment (SRA).
Both OG-0086 and IEC 61511 reference IEC 62443 as the applicable international
standard, together with ISA-TR84.00.09-2013 – Security Countermeasures Related to
SIS, as the relevant standards for IACS SRA and implementation.
OG-0086 Framework
Process for the management of Cyber Security for IACS (figure not reproduced)
Framework for Cyber Security
The OG-0086 approach is similar to the US NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover).
The UK HSE guiding principles are:
Protect, detect and respond – it is important to be able to detect possible attacks and respond in an appropriate and timely manner in order to minimise the impacts.
Defence in depth – no single security countermeasure provides absolute protection, as new threats and vulnerabilities can be identified at any time. To reduce these risks, implementing multiple protection measures in series avoids single points of failure.
Technical, procedural and managerial protection measures – technology is insufficient on its own to provide robust levels of protection.
IEC 61511 2nd Edition introduces the requirement for SRA.
UK HSE have produced guidance aligned to IEC 62443 and ISA-TR84.00.09
The SRA risk matrix should be based on a subset of the Seveso (COMAH) risk matrix to facilitate the ALARP demonstration.
The asset register can be based on the BOM, I/O schedule and instrument list for the SIS.
A CSMS gap analysis is required to help reduce systematic failures through procedures.
EC&I cyber security competence is increasing, but there is still a large gap between process & IT.
Thank you for listening. Any questions?