Control System Cyber-Security in Industry Dr. Stefan Lüders (CERN IT/CO) (CS) 2 /HEP Workshop, Knoxville (U.S.) October 14th 2007.

Slides:

Advertisements

Similar presentations

International Course on Development and Disasters with Special Focus on Health February 10 – 21, 2003: St Anns, Jamaica CDERA Experience in Institutional.

Advertisements

BS-25999: Business Continuity Management System PS-Prep: The Voluntary Private Sector Preparedness Program Kathleen Lucey, FBCI Practice Manager, EMC

Cyber Security and the Smart Grid George W. Arnold, Eng.Sc.D. National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Interstate Natural Gas Association of America INGAA Action Plan to Build Confidence in Pipeline Safety INGAA Integrity Management Continuous Improvement.

11 th International Symposium Loss Prevention and Process Safety Promotion in the Process Industries 1 OECD Workshop on Sharing Experience in the Training.

Smart Grid Security Architecture Development based on IntelliGrid Methodologies Authors Joe Hughes Technical Manager Madhava Sushilendra.

Jeffery J. Gust IOWA INDUSTRIAL ENERGY GROUP FALL CONFERENCE Tuesday, October 14, 2014 MidAmerican Energy Company.

AEF – Ag Industry’s initiative in electronics standards implementation 1 Fourth World Summit on Agriculture Machinery December 5-6, 2013 ~ New Delhi, India.

A project under the 7th Framework Programme CPS Workshop Stockholm 12/04/2010 Gunnar Björkman Project Coordinator A Security Project for the Protection.

Erik Hansson DG Health and Consumer Protection (DG SANCO) European Commission Developments on product safety in the EU.

IGF Remote Hub. History of the IGF Created as an outcome of the World Summit on the Information Society (WSIS) Phase I – Geneva, 2003 Phase II – Tunis,

IT Security Policy in Japan 23 September 2002 Office of IT Security Policy Ministry of Economy, Trade and Industry JAPAN.

European Commission Further Impact Assessment of REACH ETUC Conference Brussels, 11 February 2005 Patrick Hennessy DG Enterprise and Industry.

BITS Proprietary and Confidential © BITS Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.

Nuclear Power Plant/Electric Grid Regulatory Coordination and Cooperation - ERO Perspective David R. Nevius and Michael J. Assante 2009 NRC Regulatory.

1 9/15/2015 Gogita Todradze National Statistics Office of Georgia Institutional Arrangements for Energy Statistics in Georgia.

Prague, 30th November 2012 Russia´s accession to the WTO Expectations of the Confederation of Industry of the Czech Republic Prague, 30th November 2012.

1 Information System Security Assurance Architecture A Proposed IEEE Standard for Managing Enterprise Risk February 7, 2005 Dr. Ron Ross Computer Security.

ISA–The Instrumentation, Systems, and Automation Society SP99 Work Group 2 Planning for TR#2 Second Edition Long Beach Meeting April 28, 2004.

IAEA International Atomic Energy Agency IAEA Nuclear Security Programme Enhancing cybersecurity in nuclear infrastructure TWG-NPPIC – IAEA May 09 – A.

© OECD/IEA 2010 Energy Policies of the Czech Republic 2010 In-depth Review Energy Policies of the Czech Republic 2010 In-depth Review Prague, 7 October.

Control System Cyber-Security Workshop A Summary of Yesterday’s Meeting Dr. Stefan Lüders (CERN IT/CO) with slides from P. Chochula (ALICE), S. Gysin (FNAL),

© OECD A joint initiative of the OECD and the European Union, principally financed by the EU Co-operation Between the Ministry of Finance and the Court.

The NIGF CONFERENCE © 2013 ADDRESSING THE VULNERABILITY OF CRITICAL ICT INFRASTRUCTURE by Ernest Ndukwe, OFR Chairman Openmedia Communications Ltd 18 th.

© 2011 Underwriters Laboratories Inc. All rights reserved. This document may not be reproduced or distributed without authorization. ASSET Safety Management.

Sandra C Security Advisor Energy Dan B Security Advisor Water

Standards Certification Education & Training Publishing Conferences & Exhibits ISA SP-99 Working Group #3 October 27, 2005 Chicago, IL Eric Cosman, Evan.

ISA–The Instrumentation, Systems, and Automation Society ISA SP-99 Introduction: Manufacturing and Control Systems Security -- Kickoff Meeting Call to.

Future European issues on off-shore wind power deployment Steffen Nielsen Head of Section Danish Energy Authority Ministry of Transport and Energy European.

Standards Certification Education & Training Publishing Conferences & Exhibits 1Copyright © 2006 ISA ISA-SP99: Security for Industrial Automation and Control.

Annual Conference October 2011 Water Services Training Group 15 th Annual Conference Water Services in Ireland – Organisational modernisation and new challenges.

Participation in 7FP Anna Pikalova National Research University “Higher School of Economics” National Contact Points “Mobility” & “INCO”

ENISA efforts for securing European Internet Infrastructure

DGS Recommendations to the Governor’s Task Force on Contracting & Procurement Review Report Overview August 12, 2002.

CIP 2015 Smart Grid Vulnerability Assessment Using National Testbed Networks IHAB DARWISHOBINNA IGBETAREQ SAADAWI.

A Global Approach to Protecting the Global Critical Infrastructure Dr. Stephen D. Bryen.

1 MARKET SURVEILLANCE IN SWEDEN UN-ECE MARS GROUP, Bratislava October 2010 Amina Makboul

ISPE Cyber Security S99 Update December 08, 2009.

International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.

Problems to Overcome Implementation Issues at CERN Dr. Stefan Lüders (CERN Computer Security Officer) (CS) 2 /HEP Workshop, Kobe (Japan) October 11th 2009.

ISA99 - Industrial Automation and Controls Systems Security

Information Security Measures Confidentiality IntegrityAccessibility Information cannot be available or disclosed to unauthorized persons, entities or.

Control System Cyber-Security Workshop A Summary of Yesterday’s Meeting Dr. Stefan Lüders (CERN Computer Security Officer) with slides from B. Copy (CERN),

IAEA International Atomic Energy Agency TM/WS TOPICAL ISSUES ON INFRASTRUCTURE DEVELOPMENT: MANAGING THE DEVELOPMENT OF NATIONAL INFRASTRUCTURE FOR NUCLEAR.

3 rd Control System Cyber-Security Workshop Exchanging ideas on HEP security Dr. Stefan Lüders (CERN Computer Security Officer) 3 rd (CS) 2 /HEP Workshop,

European Developments Transmission Workgroup 1 st December 2011.

Control System Cyber-Security Workshop Exchanging ideas on HEP security Dr. Stefan Lüders (CERN Computer Security Officer) (CS) 2 /HEP Workshop, Kobe (Japan)

LSEC H2020-DS - & CIP Ulrich Seldeslachts, Brussels, January 27th, 2016.

Information Security tools for records managers Frank Rankin.

Quality Management Systems Advice from ISO/TC 176 for Sector-specific applications.

Common borders. Common solutions. EUROPEAN UNION GOVERNMENT OF ROMANIA SERBIAN GOVERNMENT Structural Funds Romania – Republic of Serbia IPA Cross-border.

Dr. Nyamajeje C. Weggoro Director, Productive and Social Sectors EAC Secretariat THE DAR ES SALAAM-TANGA- MOMBASA NATURAL GAS PIPELINE AND EAST AFRICAN.

Overview July 2011 INMM Nuclear Security and Physical Protection Technical Division.

A Layered Solution to Cybersecurity Dr. Erfan Ibrahim Cyber-Physical Systems Security & Resilience Center National Renewable Energy Laboratory.

Open-source fuzzing testing for critical equipment robustness Brice Copy Engineering Department CERN, Switzerland (CS)2/HEP Workshop 18 th October 2015,

Standards Certification Education & Training Publishing Conferences & Exhibits 1 Copyright © ISA, All Rights reserved ISA99 - Industrial Automation and.

ISA-SP99: Security for Industrial Automation and Control Systems

Standards for success in city IT and construction projects

Cyber-security and IEC International Standards

IEC and Information Technology

NERC Critical Infrastructure Protection Advisory Group (CIP AG)

Cybersecurity Special Public Meeting/Commission Workshop for Natural Gas Utilities September 27, 2018.

Substation Automation System

Group Meeting Ming Hong Tsai Date :

Securing Critical Chemical Assets: The Responsible Care® Security Code

Cyber Security ISA 99 / IEC D14 DLC-Meet, Jan 2019.

Presentation transcript:

Control System Cyber-Security in Industry Dr. Stefan Lüders (CERN IT/CO) (CS) 2 /HEP Workshop, Knoxville (U.S.) October 14th 2007

“(CS)2 in Industry” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Overview

“(CS)2 in Industry” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Control Systems for Living …in the electricity sector ► transmission & distribution, fossil, hydro, nuclear …in the oil & gas sector …in the water & waste sector …in the chemical and pharmaceutical industry …in the transport sector …for production: ► e.g. cars, planes, clothes …in supermarkets ► e.g. scales, fridges …for facility management ► electricity, water, C&V COBB County Electric, Georgia Middle European Raw Oil, Czech Republic Athens Water Supply & Sewage Merck Sharp & Dohme, Ireland CCTV Control Room, UK Reuters TV Master Control Room

“(CS)2 in Industry” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 CERN: Standards, if possible ! standard desktop PCs

“(CS)2 in Industry” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Severe Consequences Loss of control or safety: ► Blocking of CPU or other resources ► Dysfunction or interruptions of process ► Halt of equipment Perturbations in a factory / industry: ► Reduction or loss of production ► Damage or destruction of equipment ► Injuries or casualties ► Bad PR or loss of confidence

“(CS)2 in Industry” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Critical Infrastructure Increased focus since 9/11 and due to today’s general security situation: ► Electricity ► Oil & Gas ► Water & Waste ► Chemical & Pharmaceutical ► Transport

“(CS)2 in Industry” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007

►“►“Manufacturing and Control Systems Security” (American National Standards Institute & Int'l Society for Measurement and Control) (ANSI/ISA SP99) ►“►“Good Practice Guidelines” (U.K. Centre for the Protection of National Infrastructure CPNI) ►“►“Code of Practice for Information Security Management” (Int'l Organization for Standardization / Int'l Electrotechnical Commission / British Standard) (ISO/IEC aka :2005, BS7799) ►“►“Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security” (U.S. National Institute of Standards and Technology NIST SP800-82) ►“►“System Protection Profile - Industrial Control Systems” (NIST) ►C►Common Criteria (ISO/IEC 15408) ►“►“Cyber-Security Vulnerability Assessment Methodology Guidance” (U.S. Chemical Industry Data Exchange CIDX) ►“►“Good Automated Manufacturing Practices: Guideline for Automated System Security” (Int’l Society for Pharmaceutical Engineering ISPE) ►N►NERC & AGA standards (North American Electric Reliability Council, American Gas Association) (Too?) Many Standards, …

“(CS)2 in Industry” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 ISA SP99: “Manufacturing and Control Systems Security” Standards 01 to 04: ► “Scope, Concepts, Models and Terminology” (ISA ) ► “Establishing a Manufacturing and Control Systems Security Program“ (ISA ) ► “Operating a Manufacturing and Control Systems Security Program” (ISA ) ► “Specific Security Requirements for Manufacturing and Control Systems” (ISA ) Technical Reports 01 & 02: ► “Technologies for Protecting Manufacturing and Control Systems” (ISA TR ) ► “Integrating Electronic Security into the Manufacturing and Control Systems Environment” (ISA TR — obsolete)

“(CS)2 in Industry” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th CPNI Good Practice Guidelines

“(CS)2 in Industry” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Regulations Special Pub’s and 53A ► Help to identify, control, and mitigate risks to information and information systems ► Recommendations and guidelines for selecting and specifying safeguards & countermeasures ► Foundation for risk assessment …how does this apply to “Controls” (e.g. SP800-82) ?

“(CS)2 in Industry” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007

Cooperation & forwarding ► …together with governmental bodies ► …of the corresponding manufacturers to third parties ► …“Hamburger Liste” on Follow-Up of CERN’s TOCSSiC Discussions with corresponding manufacturers ► Acknowledgement only after a lot of persuasion ► Some now perform vulnerability scans themselves …results improve with more recent firmware versions Presentations to industry ► Discussions on “Requirements for the Cyber-Security of Control Systems” …but lots of ignorance: “There is no market demand !”

“(CS)2 in Industry” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 EuroSCSIE “European Information Exchange on SCADA and Control System Security” ► “…members from European based government, industry and research institutions depending upon and/or whose responsibility it is to improve the security of SCADA and Control Systems…” ► Currently chaired by CERN Objectives: ► Exchange good practices & recommendations, incidents & mitigations ► Provide interface between governmental regulators & end-users ► Channel information between regional information exchange groups ► Address cyber-security issues jointly to vendors & manufacturers ► In preparation: “Questionnaire on Cyber-Security for Control Systems” EuroSCSIE

“(CS)2 in Industry” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 “Procurement Language” Manufacturers and vendors are part of the solution ! ► Security demands must be included into orders and call for tenders “Procurement Language” document ► “… collective buying power to help ensure that security is integrated into SCADA systems.” ► “Copy & Paste” paragraphs for System Hardening, Perimeter Protection, Account Management, Coding Practices, Flaw Remediation, …

“(CS)2 in Industry” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Penetration Tests & Certification Full scale penetration test ► …on complete control systems used e.g. in power plants ► Manufacturers can participate “Achilles” black box tester ► Random testing of protocol fields’ possible values & combinations ► Product certification: “OSI Stack”, “Modbus/TCP”, …

“(CS)2 in Industry” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007

Major Players “To accelerate the design, development, and deployment of more secure control and legacy systems.” On Board: Chemical industry, U.S. government, vendor community, water & waste management ► Tests on OPC vulnerabilities ► Dedicated “Snort” rule-sets for Controls ► Dedicated plug-ins for “Nessus” on Modbus/TCP, OPC, DNP3, ICCP ► SCADA Honeynets

“(CS)2 in Industry” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Conferences ► Annual spring meetings ► Next: March/April 2008 ► “SCADA Security Scientific Symposium” ► Next: January 2008, Miami ► Annual exposition ► Incl. dedicated “Security Exchange“ ► Last: October 2007, Houston ► Irregular workshops and webcasts ► Lots of regional workshops by consulting services, governments, etc.

“(CS)2 in Industry” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 YOU ARE NOT ALONE !!! Dialog to discuss Control System Cyber-Security ► …at CERN ► …with industry, consultants, governments ► …in the HEP community EuroSCSIE