
© ABB Group November 26, 2015 | Slide 1 | 3BSE072042

Security for Process Control systems
Embedded products with long lifecycle
Tomas Lindström, ABB Control Technologies

Slide 2: Process Control Systems, Application examples

- Breweries
- Mines
- Steel mills
- Gas pipelines
- Oil rigs
- Power plants
- Pulp & paper mills
- Container terminals

Slide 3: A Process Control System: System 800xA

Many types of embedded devices to secure…

Slide 4: How ABB works with Cyber Security: an important factor in all phases

Three lifecycles, each with its own time scale:

- Product Lifecycle (T = 0.5-2 years): Design, Implementation, Verification, Release, Support
- Project Lifecycle (T = 0.5-5 years): Design, Engineering, FAT, Commissioning, SAT
- Plant Lifecycle (T = 5-20 years): Operation, Maintenance, Review, Upgrade

Slide 5: Cyber Security for a product organization: the SD3 + C Security Framework

- Secure by Design: security in the Product Development Process (Requirements, Design, Implementation, Verification)
- Secure by Default: default installation and usage with minimal attack surface; built-in functions for Defense in Depth
- Secure in Deployment: support for a secure Project and Plant Lifecycle; validation of 3rd party software and solutions
- Communication: correct information to those who need to know

Slide 6: Secure by Design: Security in the Product Development Process

Slide 7: Secure by Design: Security in the product development process

Aligning with Microsoft’s SDL, IEC 61508, IEC 62443-4-1

Examples:

- Security check points at Project Gates
- Threat modeling
- Attack surface analysis
- Design & Coding: Guidelines and reviews
- Static Code analysis
- Security Testing with Fuzzing

Slide 8: Communication Robustness Testing: ABB’s Device Security Assurance Center

Test flow:

- Vulnerability scanning, Protocol fuzzing, Network flooding
- PASS: OK
- FAIL: Analysis and Reporting to the development team; Correction; Re-Test

Slide 9: Secure by Design: Lifecycle considerations

- How to design for long lifetime?
- Impact on architecture selection?
- What to do in SW/HW?
  Example: HW solutions “below” the Operating System:
  + Allows updating of all SW
  – Is the HW solution itself secure in the future?
- Security Training for developers? For HW developers?
- Improve testing methods:
  Correct & robust implementation of security functions (SW/HW)
  Do other functions add vulnerabilities?

Product Lifecycle (Design, Implementation, Verification, Release, Support): TD = 0.5-2 years, TL = 5-20 years

Slide 10: Secure by Default: Defense in Depth for Process control systems

Slide 11: Defense in Depth: the coordinated use of multiple security measures, addressing people, technology and operations.

The 7 Foundational Requirements (FRx) in IEC 62443:

Who should use the system for what
- FR1: User (human, device, SW) authentication; Account management
- FR2: Authorization enforcement; Security event logging

Protect
- FR3: Data/SW Integrity; against malicious code
- FR4: Confidentiality
- FR5: Data flows by network segmentation

Detect problems
- FR6: Continuous monitoring, log availability

Manage system resource availability
- FR7: Denial of service protection; Backup functions

Slide 12: Defense in Depth, examples: Security functions for Networks and Hosts

- Windows Firewall in Servers and Workstations
- Secure communication (IPSec, TLS, HTTPS)
- Network redundancy based on dual separated networks
- Network filter in Controllers and Communication Modules: blocks unsupported traffic; Network Storm protection

Figure: separated networks enable fault isolation; IPSec protection of the Client Server Network.
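An added illustration, not ABB's code and not part of the deck, of the two controller-side filter functions named on this slide: an allow-list that drops unsupported traffic, and a token-bucket limiter that drops frames once an inbound burst exceeds a sustained rate (storm protection). The allow-listed services and the rate numbers are assumptions.

```c
/* Added example (not ABB's code): a controller-side network filter pairing an allow-list
 * (block unsupported traffic) with a token-bucket limiter (network storm protection).
 * The allow-list entries and the rate numbers are assumptions, not ABB's. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum verdict { ACCEPT, DROP_UNSUPPORTED, DROP_STORM };
struct frame { uint8_t ip_proto; uint16_t dst_port; };
/* Assumed allow-list: only the services this controller actually implements. */
static const struct { uint8_t proto; uint16_t port; } allow[] = {
    { 6, 502 },   /* TCP/502  Modbus TCP (assumed) */
    { 17, 123 },  /* UDP/123  NTP (assumed) */
};
/* Token bucket: 'capacity' frames of burst, refilled at 'refill_per_ms'. */
struct storm_guard { uint32_t tokens, capacity, refill_per_ms, last_ms; };

void guard_init(struct storm_guard *g, uint32_t burst, uint32_t per_ms, uint32_t now_ms) {
    g->tokens = g->capacity = burst;
    g->refill_per_ms = per_ms;
    g->last_ms = now_ms;
}

/* Credit the time elapsed since the last frame, then try to spend one token. */
static bool guard_take(struct storm_guard *g, uint32_t now_ms) {
    uint64_t have = (uint64_t)(now_ms - g->last_ms) * g->refill_per_ms + g->tokens;
    g->tokens = have > g->capacity ? g->capacity : (uint32_t)have;
    g->last_ms = now_ms;
    if (g->tokens == 0) return false;   /* sustained rate exceeded: storm */
    g->tokens--;
    return true;
}

static bool supported(const struct frame *f) {
    for (size_t i = 0; i < sizeof allow / sizeof allow[0]; i++)
        if (allow[i].proto == f->ip_proto && allow[i].port == f->dst_port) return true;
    return false;
}

/* Unsupported frames are dropped first, so they never consume the storm budget. */
enum verdict filter_frame(struct storm_guard *g, const struct frame *f, uint32_t now_ms) {
    if (!supported(f)) return DROP_UNSUPPORTED;
    return guard_take(g, now_ms) ? ACCEPT : DROP_STORM;
}

/* Feed n copies of one frame at the same instant; returns how many got through. */
size_t run_burst(struct storm_guard *g, const struct frame *f, size_t n, uint32_t now_ms) {
    size_t ok = 0;
    for (size_t i = 0; i < n; i++) ok += filter_frame(g, f, now_ms) == ACCEPT;
    return ok;
}
```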

Slide 13: Defense in Depth for Long Lifecycles: what features/solutions should be there?

- Whitelisting: Block the unknown (FR3): Firmware, Applications, Communication
- Monitoring (FR6): Current status; Evolving threats
- Maintenance (FR7)
- Upgrading (FR7)

Slide 14: Secure in Deployment: Support for Secure Project and Plant Lifecycle

Slide 15: Secure in Deployment, example: The Security Update Service

- ABB verifies 3rd party SW security updates and anti-virus SW with updates
- ABB server updated with verified files
- ABB server synchronizes with the Plant Security Server (ABB-WSUS/EPO); the figure shows a Remote Access Platform between them
- The Plant Security Server distributes the updates to the connected Control Systems (DCS: WSUS (1) Server, ePO (2) Server, SEP (3) Server)

(1) Windows Security Update Service
(2) McAfee ePolicy Orchestrator
(3) Symantec Endpoint Protection

Slide 16: Secure in Deployment, example: The Cyber Security Fingerprint service

Interview -> Data collection -> Analysis

- Cyber security status: strengths and weaknesses
- Recommendations: how to maintain & improve
- Standard: manual service
- “Monitoring”: automatic KPI tracking

Figure: Security in Depth – 7 Layers of defense; Cyber Security Risk Profile

Slide 17: Security considerations for the Plant Lifecycle: how to keep the plant secure for many years?

- Is Up to date = secure, or is Fixed functionality = secure?
- When to install updates? At stops? Are there stops? During operation?
- Who should deploy updates? Owner? Vendor? 3rd party service provider? All or some of the above?
- Implications? Key management?

Plant Lifecycle (Operation, Maintenance, Review, Upgrade): T = 5-20 years

Slide 20: Cyber Security for a Control System: Depends on the vendor and the owner
