Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Measures for ESS PSS Software Development

Published byJuliet Sharp Modified over 6 years ago

Similar presentations

Presentation on theme: "Security Measures for ESS PSS Software Development"— Presentation transcript:

1 Security Measures for ESS PSS Software Development
6th Control System Cyber-Security Workshop (CS)2/HEP Security Measures for ESS PSS Software Development   Denis Paulic Deputy Group Leader, Protection and Safety Systems ESS/ICS/PS Date:

2 Contents ESS Overview Personnel Safety Systems Governance
PSS Software Decisions System Integrity Measures for PSS

3 ESS Linac Overview The European Spallation Source (ESS) will house the most powerful proton LINAC ever built. Parameter Value Units Max energy 2 GeV Peak current 62.5 mA Repetition rate 14 Hz Pulse length 2.86 ms Average power 5 MW RF frequency 352/704 MHz Maximum losses 1 W/m Target station Neutron science instruments Linear proton accelerator (600 m) 75 keV 3.6 MeV 90 MeV 216 MeV 571 MeV 2 GeV H+ source LEBT RFQ MEBT DTL Spoke β=0.5 Medium β β=0.67 High β β=0.86 HEBT & contingency MHz MHz *N. Gazis X 13 X 30

4 Personnel Safety Systems
Safety interlock system If the Beam is ON  No Access If Access is allowed  No Beam permit If Emergency  Hard switch-off all hazardous equipment Access control system Authorisation and authentication Entry stations Access point sub-systems ODH detection system If oxygen level is below treshold  No Access, activate lights and sounders ODH = Oxygen Deficiency Hazard

5 Governance IEC : 2010 Functional safety of electrical/electronic/programmable electronic safety-related systems IEC : 2016 Functional safety - Safety instrumented systems for the process industry sector PSS application program The Swedish Radiation Safety Authority (SSM) Radiation risk analysis will be carried out before the facility is taken into operation. A formalised search of each PSS controlled area will be carried out before the facility is operated. Two independent technical design solutions will be used in each system. External events Single failure Common cause failure Redundancy Diversity Separation

6 Governance for Software Security
IEC : 2016 Part 1, Clause A security risk assessment shall be carried out to identify the security vulnerabilities of the SIS. It shall result in: A description of devices covered by this assessment (SIS, BPCS, any device connected to SIS) A description of identified threats that could exploit vulnerabilities and result in security events A description of potential consequences resulting from security events and likelihood of these events occurring. Consideration of various phases, such as design, implementation, commissioning, operation, and maintenance The determination of requirements for additional risk reduction A description of, or references to information on, the measures taken to reduce the… threats. IEC : 2010 Part 1, Clause If the hazard analysis identifies the malevolent or unauthorised action, constituting a security threat,…, then a security threats analysis should be carried out IEC Security for Industrial Automation and Control Systems NIST Special publication : Guide to Industrial Control Systems (ICS) Security NIST = National Institute of Standards and Technology SIS = Safety Instrumented System

7 Cyber Security Study Defence-in-Depth – applying multiple countermeasures in a layered manner. Network security layer: In-kind partner from Estonia: Cyber security risk assessment and mitigation plan for the ICS, based on IEC Initial meeting: PSS planned actions: IEC 61511:2016 HSE operational guidance (based on IEC 62443) NIST framework (NIST SP ) Plant security Network security System integrity HSE = Health and Safety Executive NIST = National Institute of Standards and Technology SP = Special Publication

8 HSE Operational Guidance
HSE Guidance Appendix 1 – Process for the management of cybersecurity on IACS Appendix 2 – Example of simple network drawings Appendix 3 – Risk Assessment (based on IEC high level one) Appendix 4 – Security Contermeasures Appendix 5 – Additional SIS Considerations HSE Operational Guidance

9 HSE Guidance - Example Example of proposed risk assessment scheme from HSE: Consequence Category Major Accident A (High) Failure of or unauthorised access to a high integrity layer of protection (PFD < 0.1), including systems that are capable of manipulating this LOP B (Medium) Failure of or unauthorised access to a low integrity layer of protection (PFD ≥ 0.1), including systems that are capable of manipulating this LOP C (Low) Failure of or unauthorised access to a system that doesn’t have a safety function. Security risk = Likelihood * Consequence category LOP = Layer of Protection

10 PSS Software Decisions
Latest version of Siemens SIMATIC STEP 7 V13 SP1  V14 SP1, TIA Portal including: Safety Advanced: Safety checks are automatically performed in the software; Fail-safe blocks for error detection and error reaction are inserted automatically when the safety program is compiled; WinCC Comfort for HMI programming. 2-train fail-safe PLC system Siemens fail-safe CPUs allow the processing of standard and safety programs on a single CPU. Certified to satisfy the Safety Integrity Level SIL3 in accordance with IEC 61508:2010. Integrated system diagnostics; 4-level security concept. Siemens fail-safe CPUs allow the processing of standard and safety programs on a single CPU. This allows fail-safe data to be evaluated in the standard user program and thus, this integration provides the system advantages and the extensive functionality of SIMATIC also for fail-safe applications. Besides this, Siemens fail-safe CPUs (and SIMATIC Safety F-systems in general) are certified to satisfy the Safety Integrity Level SIL3 in accordance with IEC 61508:2010, which means it is suitable for the SIL required by each SIF it services in PSS accelerator system Verification tests that the system was built right (according to the requirements). Validation checks that the right system was built (truly meets the needs and intent of the customer). V&V primarily involve testing of the software system, though it encompasses analyses, inspections, and reviews as well. The amount of testing can be tailored, with safety critical units and subsystems receiving the majority of the test effort. Traceability from the requirements, through design and coding, and into test is an important part of V&V.

11 Integrated Access Protection Measures
Components with integrated security features S controller with activated ”Protection level” The access to PSS safety software will be protected by two password prompts: one for the safety program and another for the safety CPU! Checking the collective signature of the safety program (Checksum test): In case of the software misuse, the system goes to Alarm mode; PSS system administrator shall be informed immediately; Checksum will change after any error-free safety software re-generation. HMI panels in ”Secure mode” Managed network switches (password protected) Firewalls passwords/certificates Central user administration user accounts and policies Enforcing of security guidelines password validity, incorrect logging on monitoring, etc. Harden PC Up-to-date; 2x anti-virus; Remove: Acrobat, Flash, Java, Office, no internet, no intranet (no browsing), no Internet Explorer, no wireless connection. Locked cabinets On-line (automatic) patching not possible Physical protection of the PC/ES New USB stick every time Password change procedures

12 Checksum Test - F-runtime Group Information DB

13 PSS Software - System Integrity Layer
Application Level - Authentication and use administration - Detection of attacks - Integrated access protection - Passwords management - System hardening - Recovery procedures Database Level - Database authentication and permissions - Data management (logging, storing, retrieving…) - Data encryption and encryption keys management Update Management Level - Patch management – software and firmware updating Hardware Replacement Level System Integrity

14 System Hardening and Antivirus Software Measures
Engineering workstation requirements: No Internet/Intranet connection, disabled WLAN and Bluetooth. Most of the activated services disabled: Booting and auto-start mechanisms, Flash, Java, Webserver, FTP, Remote Desktop, Adobe, Internet Explorer… Unused interfaces will be deactivated or mechanically blocked: Ethernet/Profinet ports; USB, Firewire, etc.; Configured / activated user accounts will be reduced to the necessary minimum. Regular checks, particularly of locally configured user accounts are planned. Siemens supports compatibility tests with: Trend Micro Office Scan, Symantec Endpoint Protection, McAfee VirusScan Enterprise (+ McAfee Application Control as a whitelisting mechanism). Safety and availability must generally be assured even in the case of infection with malware. This means that the virus scanner must under no circumstances execute the following actions without permission: Remove files or block access thereto; Place files in quarantine; Block communication; Shut systems down.

15 Patch Management and Firmware Updates Measures / Options
Siemens supports with compatibility tests of Microsoft security patches. Recommendation from Siemens: Patch distribution via central patch server in DMZ and Windows Server Update Services (WSUS). Set up the update groups and processes for online updates to simplify patch distribution. Firmware updates might be needed to fix security related vulnerabilities Modifications included in Configuration management As soon as information on a vulnerability becomes available, the weak point will be evaluated for relevance to the application concerned.

16 Requirements For Operator Interface
SIS status information critical to maintaining the SIL shall be available as part of the operator interface: where the process is in its sequence indication that SIS protective action has occurred indication that a protective function is bypassed information about automatic actions from PSS system status of sensors and final elements the loss of energy where that energy loss impacts safety the results of diagnostics SIS operator interface shall prevent changes to SIS application software. Any writing from standard to safety part of the SW shall be documented and tested to make sure it cannot lead the system to an unsafe state. It is essential to provide access protection in operation mode for the access to the safety part of the software. The access to PSS safety software shall be protected by two password prompts: one for the safety program and another for the safety CPU. To optimise the access protection, the passwords for safety CPU and safety program shall be different. More information about password protection of safety related software can be found in ESS Initially, no access protection is necessary for test purposes, commissioning, etc. That is, it is allowed to execute all offline and online actions without access protection, but the safety of the system shall be guaranteed through other organizational measures, for example, restricted access to certain areas. To prevent the misuse, the system shall automatically check the collective signature of the safety program (Checksum test) and in case of the software misuse; the system shall go to Alarm mode and PSS system administrator must be informed immediately. Note that checksum will change after any error-free safety software re-generation. In Siemens S series, the F-runtime group information DB is used for that purpose, where data about F-signature of the safety program, safety program’s compilation date and F-runtime group collective signature can be found and used for checking. Note that these are standard program data and should not be part of the safety program. SIS = Safety Instrumented System

17 PSS Configuration Management
Objective: To describe the generic configuration management process during the development of Personnel Safety Systems; To ensure procedures to be used for uniquely identifying all constituent parts of hardware and software items. To specify procedures for preventing unauthorized items from entering the process. In addition to IEC 61508: ISO 9001 Quality management systems – Requirements ISO 10007:2004 Quality managements systems – Guidelines for configuration management

18 Thank you for your attention!
Questions? Thank you for your attention!

Download ppt "Security Measures for ESS PSS Software Development"

Similar presentations

/// MELSEC Safety /// QS001CPU /// QS0J61BT12 /// QS0J65BTB2-12DT /// MELSEC Safety /// Mitsubishi Electric - MELSEC Safety - Training Documentation -

/// MELSEC Safety /// QS001CPU /// QS0J61BT12 /// QS0J65BTB2-12DT /// MELSEC Safety /// Mitsubishi Electric - MELSEC Safety - Training Documentation -
Safety Software QA at BNL’s Collider-Accelerator Department (C-AD) Accelerator Safety Workshop E. Lessard Collider-Accelerator Department August 12-14,

Safety Software QA at BNL’s Collider-Accelerator Department (C-AD) Accelerator Safety Workshop E. Lessard Collider-Accelerator Department August 12-14,
1 BROOKHAVEN SCIENCE ASSOCIATES NSLS-II Shielding Workshop S. Buda Personnel Protective Systems March 27, 2007.

1 BROOKHAVEN SCIENCE ASSOCIATES NSLS-II Shielding Workshop S. Buda Personnel Protective Systems March 27, 2007.
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Customized solutions. Keep It Secure Contents  Protection objectives  Endpoint and server software  Protection.

Customized solutions. Keep It Secure Contents  Protection objectives  Endpoint and server software  Protection.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.
Component 4: Introduction to Information and Computer Science Unit 8: Security Lecture 2 This material was developed by Oregon Health & Science University,

Component 4: Introduction to Information and Computer Science Unit 8: Security Lecture 2 This material was developed by Oregon Health & Science University,
E-Security: 10 Steps to Protect Your School’s Network NEN – the education network.

E-Security: 10 Steps to Protect Your School’s Network NEN – the education network.
הקריה למחקר גרעיני - נגב Nuclear Research Center – Negev (NRCN) Society of Electrical and Electronics Engineers in Israel (SEEEI) 2012 Eran Salfati, Amir.

הקריה למחקר גרעיני - נגב Nuclear Research Center – Negev (NRCN) Society of Electrical and Electronics Engineers in Israel (SEEEI) 2012 Eran Salfati, Amir.
Module 14: Configuring Server Security Compliance

Module 14: Configuring Server Security Compliance
FLOOR CANDY.

FLOOR CANDY.

Similar presentations

Ads by Google