Page 1

Theme 3: Cyber Security

Just How Vulnerable is Your Safety System?

Colin Easton

MSc, CEng, FInstMC, MIET, ISA Senior Member

TÜV Rheinland FS Senior Expert PHRA & SIS

6th July 2017

Page 2

Safety System Security

Safety Systems are now more accessible and “open” than ever before, due to the increasing use of COTS solutions for networking and HMI purposes.

Business needs drive the interconnectivity between OT and IT systems at the same time as we see control and safety system architectures merging.

This interconnectivity and merging of systems opens up vulnerabilities in our systems that can be exploited by cyber and physical threats.

Page 3

Safety System Security

Safety Systems operate in real time to protect our processes; tampering with them, either intentionally or unintentionally, can lead to:

Loss of Production
Environmental releases
Health & Safety consequences

Industrial Automation and Control System (IACS) security is about preventing or mitigating the exploitation of the vulnerabilities in our control and safety systems.

Page 4

What is the Problem?

2010 – Stuxnet – access to Siemens S7 PLCs for reconfiguration.

2012 – Project Basecamp, looking for vulnerabilities in 6 specific IACS devices, found several, including the ability to access PLC configurations and modify them.

These vulnerabilities have been released and are included in publicly available databases for us to identify and protect against threats, but this also enables anyone to find and exploit them.

But not all threats originate from the internet: maintenance activities, software upgrades / patches, remote access, wireless, physical security and unauthorised access are just as big an issue for safety systems.

Page 5

IEC 62443 – Security for IACS

Therefore, the SIS must be secure from both physical and cyber damage resulting from malicious acts or accidental events that would impact on the SIS’s ability to maintain its functional and safety integrity on demand.

To prevent both physical and cyber damage, the risk reduction must be based on a mix of technical, procedural and managerial protection measures taken from the guidance in IEC 61511, IEC 62443 (ISA99) and ISA TR84.00.09.

Page 6

Security Risk Assessment – IEC 61511 2nd Edition Clause 8.2.4

Clause 8.2.4 states that an SRA must be carried out to identify the security vulnerabilities of the SIS.

The SRA output needs to include:

1. A description of the devices covered by the SRA – what is the scope of the System under Consideration (SuC);

2. A description of the identified threats that could exploit vulnerabilities and result in security events;

3. The potential consequences resulting from the security events and the likelihood of these events occurring;

4. Consideration of vulnerabilities and threats at all of the lifecycle phases;

5. The determination of requirements for additional risk reduction;

6. A description of, or references to information on, the security and compensating measures to be taken to reduce or remove the threats.

Page 7

A description of the devices covered by the SRA

IEC 62443-2-1 Example IACS Asset table (template, to be completed during the SRA):

IACS Device                 Asset Consequence Rating    Likelihood rating    IACS Device Risk Level
Operator control room HMI
Remote operator Panel
Engineering Workstation
Historian Server
Controller
Pressure Sensor
Valve Positioner
Gateway

Clearly document the IACS and associated assets.

Gather and organise information such as:

System architecture diagrams – components, connectivity & location
Network diagrams – physical construct and assignments
Devices (Ethernet & IP address)
Configurations – hardware & software – scan & map tools
Identify known vulnerabilities

Page 8

Security Vulnerability Assessments (the clever stuff)

High Level – Gap Assessment:
Assessment of existing operational procedures and practices
Interviews, site audit, review of drawings, sample configurations, questionnaire
(The questionnaire could make use of the US ICS-CERT Cyber Security Evaluation Tool)

Passive vulnerability assessment:
Review of architecture & network drawings, traffic analysis tools, research using vulnerability databases – ICS-CERT, NVD, Nessus

Active vulnerability assessment:
Active network scanning
Active vulnerability scanning
Penetration test (Metasploit)
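The passive step above, and the "identify known vulnerabilities" item of the asset-register slide before it, come down to cross-referencing what is installed against what has been published. The script below is an added example written for this page, not code from the presentation or from any standard; every vendor, product, firmware version, address and advisory identifier in it is a constructed placeholder (the addresses are from the TEST-NET range), not a real product or a real ICS-CERT/NVD entry. The version-comparison rule and the SIS-first ordering are design choices of this example.

```python
"""Passive vulnerability assessment: cross-reference the IACS asset register
(devices, addresses, firmware from the configurations) against a list of
published advisories. Added example; all data below is constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str       # zone from the zones-and-conduits breakdown
    vendor: str
    product: str
    firmware: str   # version string as read from the device / configuration
    ip: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder; in practice an ICS-CERT / NVD identifier
    vendor: str
    product: str
    fixed_in: str      # first firmware version that contains the fix
    summary: str


def parse_version(v: str) -> Tuple[int, int, int]:
    """'2.3.1' -> (2, 3, 1). Missing parts are padded with 0. Non-numeric
    parts (e.g. 'unknown') become 0, so an unreadable version is treated as
    old and flagged for manual verification rather than silently skipped."""
    parts = [int(p) if p.isdigit() else 0 for p in v.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Vendor and product must match (case-insensitive) and the installed
    firmware must be older than the version that carries the fix."""
    if asset.vendor.lower() != adv.vendor.lower():
        return False
    if asset.product.lower() != adv.product.lower():
        return False
    return parse_version(asset.firmware) < parse_version(adv.fixed_in)


def find_known_vulnerabilities(assets: List[Asset], advisories: List[Advisory]):
    """Return matching (asset, advisory) pairs, SIS-zone assets first and then
    by device name, so the safety system is reviewed before everything else."""
    hits = [(a, adv) for a in assets for adv in advisories if is_affected(a, adv)]
    return sorted(hits, key=lambda h: (h[0].zone != "SIS", h[0].name))


# Constructed register: four devices from the zones named in the deck.
ASSETS = [
    Asset("SIS-PES", "SIS", "ExampleVendor", "SafePLC", "2.3.1", "192.0.2.10"),
    Asset("Control PES", "BPCS", "ExampleVendor", "ProcPLC", "4.0.0", "192.0.2.20"),
    Asset("BPCS HMI", "BPCS", "OtherVendor", "ViewHMI", "7.1", "192.0.2.30"),
    Asset("Gateway", "Plant DMZ", "OtherVendor", "LinkGW", "unknown", "192.0.2.40"),
]

# Constructed advisory list standing in for the result of a database query.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "ExampleVendor", "SafePLC", "2.4.0",
             "PLC configuration can be read and modified without authentication"),
    Advisory("ADV-EXAMPLE-0002", "ExampleVendor", "ProcPLC", "3.9.0",
             "Denial of service via malformed engineering protocol packet"),
    Advisory("ADV-EXAMPLE-0003", "OtherVendor", "LinkGW", "1.2.0",
             "Hard-coded credentials on the management interface"),
]


def report() -> List[Tuple[Asset, Advisory]]:
    """Run the cross-reference on the constructed register and advisories."""
    return find_known_vulnerabilities(ASSETS, ADVISORIES)


if __name__ == "__main__":
    for asset, adv in report():
        note = "" if asset.firmware[:1].isdigit() else " (version unreadable: verify manually)"
        print(f"{asset.zone:10} {asset.name:12} fw {asset.firmware:8} "
              f"{adv.advisory_id}: {adv.summary}{note}")
```

On the constructed data the SIS-PES is reported first (firmware 2.3.1 is below the 2.4.0 fix), the Control PES is not reported because 4.0.0 is newer than the fixed version, and the gateway with an unreadable version is deliberately reported so that somebody checks it by hand; the matches then feed the consequence and likelihood columns of the asset table.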

Page 9

Zones and Conduits

Review the system boundaries and break it down into zones and conduits.

The zones and conduits should include assets that will be assumed to require the same Security Level.

Then carry out a High-level SRA.

[Figure: ISA-TR84.00.09-2013, p. 31, Figure A.3 – Example Network Security Architecture with Integrated 2 Zone SIS. Zones shown: SIS, BPCS, Control Center, Plant DMZ, Enterprise, Internet. Components shown: SIS Engineering Workstation, SIS HMI, SIS-PES, IAMS, Handheld Programmer, Transmitter, Block Valve, BPCS Engineering Workstation, BPCS HMI, Control PES, Transmitter, Control Valve, Pump Controller, Domain Controllers, Maintenance Workstation, Data Historian, Web Server, Enterprise WLAN, Enterprise Firewall; field connections marked 4-20 mA / 24 VDC.]

Page 10

A description of the identified threats that could exploit vulnerabilities and result in security events

Stored data (e.g. history, programs) is intentionally modified or corrupted by an unauthorised individual through local access

Malware:
unintentionally installed on the control system through a remotely connected computer;
intentionally installed on the control system through a remotely connected computer;
enters the system through a laptop connected to the control system network;
enters the system through infected media (e.g. USB sticks etc.);
enters the system through the business network.

Confidential control system data is intentionally disclosed through local or remote access

A network device fails, causing a network storm impacting system communication

A denial of service attack is intentionally launched through remote access

Page 11

High-level Risk Assessment Tools

[Figure: IEC 62443-2-1 example tables.]

Page 12

The potential consequences resulting from the security events and the likelihood of these events occurring

IEC 62443-2-1 Example IACS Asset table with results:

IACS Device                 Asset Consequence Rating    Likelihood rating    IACS Device Risk Level
Operator control room HMI   A                           Medium               High-Risk
Remote operator Panel       C                           High                 Medium-Risk
Engineering Workstation     A                           High                 High-Risk
Historian Server            B                           Medium               Medium-Risk
Controller                  A                           Medium               High-Risk
Pressure Sensor             A                           Medium               High-Risk
Valve Positioner            A                           Medium               High-Risk
Gateway                     B                           Low                  Low-Risk
Firewall                    B                           Low                  Low-Risk
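The table above is produced by reading each device's consequence and likelihood ratings off a risk matrix, and the zones-and-conduits slide adds the rule that a zone is treated at the level its most exposed asset requires. The script below is an added example written for this page, not code from the presentation or from IEC 62443-2-1. The 3x3 matrix is an assumption: it is constructed so that it reproduces the five (consequence, likelihood) combinations visible in the table (A/Medium, A/High, B/Low, B/Medium, C/High); its other four cells are illustrative and would in practice come from the site's corporate risk matrix. The zone column is also an assumption added to show the zone rule.

```python
"""High-level SRA rating of the IEC 62443-2-1 asset table, plus the rule
that a zone needs the Security Level of its highest-risk asset.
Added example; matrix cells not fixed by the table, and the zone column,
are assumptions."""

RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2}

# Rows: consequence rating (A most severe); columns: likelihood rating.
# Cells marked (table) are fixed by the slide's results; the rest are assumed.
RISK_MATRIX = {
    "A": {"Low": "Medium", "Medium": "High",   "High": "High"},    # A/Medium, A/High (table)
    "B": {"Low": "Low",    "Medium": "Medium", "High": "High"},    # B/Low, B/Medium (table)
    "C": {"Low": "Low",    "Medium": "Low",    "High": "Medium"},  # C/High (table)
}

# Asset table from the slide; the zone column is an added assumption.
ASSET_REGISTER = [
    ("Operator control room HMI", "A", "Medium", "Control Center"),
    ("Remote operator Panel",     "C", "High",   "Control Center"),
    ("Engineering Workstation",   "A", "High",   "BPCS"),
    ("Historian Server",          "B", "Medium", "Plant DMZ"),
    ("Controller",                "A", "Medium", "BPCS"),
    ("Pressure Sensor",           "A", "Medium", "SIS"),
    ("Valve Positioner",          "A", "Medium", "SIS"),
    ("Gateway",                   "B", "Low",    "Plant DMZ"),
    ("Firewall",                  "B", "Low",    "Plant DMZ"),
]


def risk_level(consequence: str, likelihood: str) -> str:
    """Look up the matrix; reject ratings outside the defined scales so a
    typo in the register cannot silently turn into a default risk level."""
    try:
        return RISK_MATRIX[consequence][likelihood]
    except KeyError:
        raise ValueError(
            f"rating outside matrix: consequence={consequence!r}, likelihood={likelihood!r}"
        ) from None


def rate_assets(register):
    """One tuple per device: (device, consequence, likelihood, risk, zone)."""
    return [(dev, c, l, risk_level(c, l), zone) for dev, c, l, zone in register]


def zone_risk(rated):
    """Highest risk level found among the assets of each zone: the level the
    whole zone, and the conduits into it, must be designed for."""
    worst = {}
    for _, _, _, risk, zone in rated:
        if zone not in worst or RISK_ORDER[risk] > RISK_ORDER[worst[zone]]:
            worst[zone] = risk
    return worst


def prioritised(rated):
    """Devices in treatment order: highest risk first, then by name."""
    return sorted(rated, key=lambda r: (-RISK_ORDER[r[3]], r[0]))


if __name__ == "__main__":
    rated = rate_assets(ASSET_REGISTER)
    for dev, c, l, risk, zone in prioritised(rated):
        print(f"{dev:26} {c}  {l:7} {risk}-Risk  [{zone}]")
    for zone, risk in zone_risk(rated).items():
        print(f"zone {zone}: treat at {risk}-Risk")
```

With the assumed zone column, the Plant DMZ comes out at Medium because of the historian, even though the gateway and firewall in it are Low; that is the point of the zone rule, and it is also why mixing a Low-risk asset into a High-risk zone costs more than leaving it in a zone of its own.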

Page 13

The determination of requirements for additional risk reduction

[Figure: Draft IEC 62443-3-2 – Security for IACS, workflow diagram to establish zones and conduits. ZCR – Zone & Conduit Requirement; SuC – System under Consideration; PHA – Process Hazard Analysis.]

Page 14

The determination of requirements for additional risk reduction

Draft IEC 62443-3-2 – Security for IACS: workflow diagram for detailed cyber security risk assessment (ISA-62443-3-2, D6E3, September 2016, p. 24). DRAR – Detailed Risk Assessment Requirement.

[Figure: workflow. Steps, with the inputs and outputs drawn beside each box:]

Start

DRAR 1 – Identify threats (input: historical data and other threat information sources; output: list of threats)
DRAR 2 – Identify vulnerabilities (input: vulnerability assessment, prior audits, vulnerability databases, etc.; output: list of vulnerabilities)
DRAR 3 – Determine consequences and impact (input: threats, vulnerabilities, existing PHAs, other risk assessments; output: assessment of impact)
DRAR 4 – Determine unmitigated likelihood (input: lists of threats and vulnerabilities; output: assessment of likelihood)
DRAR 5 – Calculate unmitigated cyber security risk (input: likelihood, impact, corporate risk matrix; output: assessment of unmitigated cyber security risk)
DRAR 6 – Determine security level target (input: corporate risk matrix with tolerable risk; output: security level target)
DRAR 7 – Identify and evaluate existing countermeasures (output: list of countermeasures)
DRAR 8 – Reevaluate likelihood and impact (input: [updated] list of countermeasures; output: updated likelihood and impact assessment)
DRAR 9 – Calculate residual risk (input: updated likelihood, impact and corporate risk matrix; output: residual cyber security risk)
DRAR 10 – Are all residual risks at or below tolerable risk?
No: DRAR 11 – Apply additional cyber security countermeasures (output: updated list of countermeasures, fed back into DRAR 8)
Yes: DRAR 12 – Document and communicate results (output: detailed risk assessment report)

(Diagram watermark: This document includes working drafts of, or extracts from, documents in the ISA-62443 series. New versions will be generated periodically as individual documents are revised. IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS, AND MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.)
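The workflow is easiest to understand as a loop: rate the unmitigated risk, credit the countermeasures that already exist, recompute, and keep adding countermeasures until every scenario is at or below tolerable risk or nothing is left to add. The script below is an added example written for this page; it is not code from the presentation or from IEC 62443-3-2 and it models the loop, not the standard's formulas. Everything numeric in it is a labelled assumption: the 3x3 risk matrix, the weights used to turn ordinal risk levels into a Cyber Risk Reduction Factor (CRRF), the CRRF-to-SL-T bands (the standard's own mapping table is referenced on the next slide but not reproduced in the deck), the tolerable level, and the simplification that each countermeasure lowers likelihood by one step. The three scenarios are constructed from the threat list on the earlier slide.

```python
"""Detailed cyber security risk assessment loop (draft IEC 62443-3-2,
DRAR 1-12 as drawn on the slide). Added example; matrix, weights, SL-T bands,
tolerable level and the one-step-per-countermeasure rule are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

LIKELIHOOD = ["Low", "Medium", "High"]
RISK_MATRIX = {  # consequence -> likelihood -> risk (assumed matrix)
    "A": {"Low": "Medium", "Medium": "High", "High": "High"},
    "B": {"Low": "Low", "Medium": "Medium", "High": "High"},
    "C": {"Low": "Low", "Medium": "Low", "High": "Medium"},
}
RISK_SCORE = {"Low": 1, "Medium": 10, "High": 100}  # assumed weights used for the CRRF
TOLERABLE = "Low"                                   # assumed corporate tolerable risk


@dataclass
class Scenario:
    threat: str                                        # DRAR 1
    vulnerability: str                                 # DRAR 2
    impact: str                                        # DRAR 3: consequence rating A/B/C
    likelihood: str                                    # DRAR 4: unmitigated likelihood
    existing: List[str] = field(default_factory=list)  # DRAR 7: countermeasures already in place


def risk(impact: str, likelihood: str) -> str:        # DRAR 5 and DRAR 9
    return RISK_MATRIX[impact][likelihood]


def security_level_target(unmitigated: str) -> int:   # DRAR 6
    """CRRF = unmitigated risk / tolerable risk, banded into SL-T 0..3 (assumed bands)."""
    crrf = RISK_SCORE[unmitigated] / RISK_SCORE[TOLERABLE]
    for sl, upper in ((0, 1), (1, 10), (2, 100)):
        if crrf <= upper:
            return sl
    return 3


def reevaluate_likelihood(unmitigated: str, countermeasures: List[str]) -> str:  # DRAR 8
    """Each countermeasure is credited with one step of likelihood reduction (assumption)."""
    return LIKELIHOOD[max(0, LIKELIHOOD.index(unmitigated) - len(countermeasures))]


def assess(scenarios: List[Scenario], candidates: Dict[str, List[str]]) -> List[dict]:
    """Run DRAR 5-12 for every scenario; return the report rows (DRAR 12).
    Scenarios are not modified: the applied list is a copy."""
    report = []
    for s in scenarios:
        unmitigated = risk(s.impact, s.likelihood)
        applied = list(s.existing)
        spare = list(candidates.get(s.vulnerability, []))
        while True:
            residual = risk(s.impact, reevaluate_likelihood(s.likelihood, applied))  # DRAR 8-9
            if RISK_SCORE[residual] <= RISK_SCORE[TOLERABLE]:   # DRAR 10: yes
                break
            if not spare:                                       # nothing more to apply: flag it
                break
            applied.append(spare.pop(0))                        # DRAR 11, then back to DRAR 8
        report.append({
            "threat": s.threat,
            "vulnerability": s.vulnerability,
            "unmitigated_risk": unmitigated,
            "security_level_target": security_level_target(unmitigated),
            "countermeasures": applied,
            "residual_risk": residual,
            "tolerable": RISK_SCORE[residual] <= RISK_SCORE[TOLERABLE],
        })
    return report


# Constructed scenarios drawn from the deck's threat list.
SCENARIOS = [
    Scenario("Malware enters via infected USB media",
             "Unrestricted USB ports on the SIS engineering workstation", "B", "High"),
    Scenario("Unauthorised reconfiguration of the SIS-PES through remote access",
             "Remote engineering access reaches the SIS zone", "A", "Medium",
             existing=["Firewall between BPCS and SIS zones"]),
    Scenario("Failed network device causes a network storm",
             "Flat network with no segmentation", "C", "Medium"),
]
# Constructed list of additional countermeasures available per vulnerability.
CANDIDATES = {
    "Unrestricted USB ports on the SIS engineering workstation":
        ["USB port lockdown", "Media scanning station before use"],
    "Remote engineering access reaches the SIS zone":
        ["Physical key switch required for programming mode"],
}


def run_example() -> List[dict]:
    return assess(SCENARIOS, CANDIDATES)


if __name__ == "__main__":
    for row in run_example():
        flag = "OK" if row["tolerable"] else "NOT TOLERABLE: impact-side or compensating measures needed"
        print(f"{row['threat']}: unmitigated {row['unmitigated_risk']}, SL-T {row['security_level_target']}, "
              f"residual {row['residual_risk']} after {row['countermeasures']} -> {flag}")
```

The second scenario is the instructive one: with consequence rating A the assumed matrix never reaches Low however far likelihood is driven down, so the loop exhausts its countermeasures and the report row comes back with tolerable set to False. That is the DRAR 10 "No" branch with no DRAR 11 option left, and it is exactly the case where compensating measures (the ISA TR84.00.09 clause 9 point later in the deck) or a change on the consequence side have to be considered instead of more likelihood reduction.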

Page 15

The determination of requirements for additional risk reduction

[Figure: IEC 62443-3-2 example table for mapping Cyber Risk Reduction Factor to Target Security Level.]

Page 16

Description of information on the security & compensating measures taken to reduce / remove the threats

The countermeasures to address a specific risk will be different depending on the system. For example, different “Authentication” rules will apply for controllers, HMIs etc.

Countermeasures must be documented along with the procedure / guidance for using them.

The IEC 62443 approach is similar to that of IEC 61508: identified control measures that can be used to demonstrate that risk is reduced, broken down by requirement in IEC 62443-3-3.

Page 17

Consideration of vulnerabilities and threats at all of the lifecycle phases

ISA TR84.00.09 Management Process – identifies additional requirements for cyber security, including:

Clause 5 – Management of FS: inventory of vulnerabilities, risk assessment, security of operation, host protection, patch / upgrade management, confidentiality of cyber security information;

Clause 8 – Additional requirements for security protection, potential threats taken from IEC 62443 guidance;

Clause 9 – To include security countermeasures, and compensating measures for when it is not possible to implement security countermeasures in the SIS;

Clause 10 – The SRS should have a section dedicated to countermeasures, specifically considering that the countermeasures do not degrade SIS performance such as response time or field devices;

Clauses 11 & 12 – Additional requirements for when full independence and segregation is not feasible, based on air gap, integrated zone hierarchy, firewalls, and the vendor supplying security concepts that cover the SIS lifecycle;

Clauses 14 and 15 – Consideration of mechanical integrity and ongoing cyber security;

Clause 16 – Ongoing cyber security, such as protection during backup and restoration, patches and upgrades, remote access, bypasses and checking of tools;

Clauses 17 & 18 – Modifications to the SIS-related security countermeasures should follow the MOC programme, with an impact analysis carried out that includes access control, authorisation and reasons for access, virus checking and control.

Page 18

Cyber Security - Competency and Training for C&I Engineers

It is critical that C&I Engineers acquire the skill set to be able to communicate and work alongside Cyber Security Specialists.

ISA Europe has introduced the ISA Industrial Cyber Security Certificate Program; this provides practical hands-on training using IACS network hardware, firewalls, switches and Rockwell & Siemens PLCs to work on.

The training is tiered to ISA/IEC 62443:

ISA/IEC 62443 Cyber Security Fundamentals Specialist
ISA/IEC 62443 Cyber Security Risk Assessment Specialist
ISA/IEC 62443 Cyber Security Design Specialist
ISA/IEC 62443 Cyber Security Maintenance Specialist

TÜV Rheinland is also developing a Cyber Security scheme for C&I and FS Engineers that will be introduced in early 2018.

Page 19

Additional Guidance (UK HSE)

Compliance with OG-0086 will contribute towards a suitable demonstration of compliance with UK H&S legislation and form part of the cyber security ALARP demonstration for the facility.

OG-0086 – Cyber Security for IACS identifies BS EN 61511 as the recognised good practice (RGP).

The reference is related to the 2nd Edition Clause 8.2.4 requirements for a Security Risk Assessment (SRA).

Both OG-0086 & IEC 61511 reference IEC 62443 as the applicable international standard, as well as ISA-TR84.00.09-2013 – Security Countermeasures Related to SIS, as the relevant standards for IACS SRA and implementation.

Page 20

OG-0086 Framework

[Figure: Process for the management of Cyber Security for IACS.]

Page 21

Framework for Cyber Security

The OG-0086 approach is similar to the US NIST 800 Cyber security Framework. The UK HSE guiding principles are:

Protect, detect and respond – It is important to be able to detect possible attacks and respond in an appropriate and timely manner in order to minimise the impacts.

Defence in depth – No single security countermeasure provides absolute protection, as new threats and vulnerabilities can be identified at any time. To reduce these risks, implementing multiple protection measures in series avoids single point failures.

Technical, procedural and managerial protection measures – Technology is insufficient on its own to provide robust levels of protection.

Page 22

IEC 61511 2nd Edition introduces the requirement for SRA.

UK HSE have produced guidance aligned to IEC 62443 and ISA-TR84.00.09.

The SRA Risk Matrix should be based on a subset of the Seveso RM to facilitate ALARP demonstration.

The Asset Register can be based on the BOM, I/O Schedule and Instrument List for the SIS.

A CSMS Gap Analysis is required to help reduce systematic failures through procedures.

EC&I cyber security competence is increasing, but there is still a large gap between process & IT.

Page 23

Thank you for listening. Any questions?