Cyber Security Fingerprint Secure systems, protect production

Presentation on theme: "Cyber Security Fingerprint Secure systems, protect production"— Presentation transcript:

1 Cyber Security Fingerprint: Secure systems, protect production
ABB Process Automation Lifecycle Services, Patrik Boo
© ABB Group September 19, 2018 | Slide 1

2 Cyber Security: What is cyber security?
Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.* The term cyber security was first used in 1994, according to Merriam-Webster's dictionary.
*Merriam-Webster's dictionary

3 Cyber Security: Security breaches
Anytime a plant's control system has an unintended intrusion, it's considered a cyber security breach. This intrusion can have a number of causes, including hacking; a disgruntled employee installing malicious software via a USB port; something as simple as an unintentional download from the Internet; or other common employee mistakes. By the definition of a cyber attack, every one of our customer sites is being attacked as we speak. That doesn't mean that someone is trying to hack; it's more likely to be system glitches or negligence, such as downloading corrupt files or unauthorized access to systems. Interestingly, only 24% of security breaches are caused by a malicious attack.
Diagram labels: Control System, Personal computer; Hacking, Malicious software, Unauthorized use.

4 Cyber Security in industrial control systems: Stuxnet, the game changer
Stuxnet is an extraordinarily advanced piece of malware designed to target and corrupt industrial control systems. While certain processes were affected, many system aspects were infected without users knowing it because they were not part of the "target". The scary part about this is that the source code is now available for download on the internet. People with bad intent can tweak it and use it.
Wikipedia: Stuxnet is a computer worm discovered in June. It initially spreads via Microsoft Windows, and targets Siemens industrial software and equipment. While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit. The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Siemens supervisory control and data acquisition (SCADA) systems that are configured to control and monitor specific industrial processes. Stuxnet infects PLCs by subverting the Step-7 software application that is used to reprogram these devices. Different variants of Stuxnet targeted five Iranian organizations, with the probable target widely suspected to be uranium enrichment infrastructure in Iran; Symantec noted in August 2010 that 60% of the infected computers worldwide were in Iran. Siemens stated on 29 November that the worm had not caused any damage to its customers, but the Iranian nuclear program, which uses embargoed Siemens equipment procured clandestinely, has been damaged by Stuxnet.
Stuxnet was the first malware targeting industrial control systems.

5 Bill Would Have Businesses Foot Cost Of Cyberwar
Congress would task businesses with increasing cyber security. NPR article, May 8, 2012: The United States Congress and other governments are planning to regulate cyber security. If businesses such as our customers are not addressing this issue, governments will institute rules and regulations that everyone must follow. While this is not a bad idea, what if the government-imposed regulations miss the mark, are onerous, or add unnecessary cost? The way to avoid having the wrong medicine prescribed by well-meaning governments is for industry to show that it is correctly and proactively addressing cyber security itself. The ABB Cyber Security Fingerprint can help our customers achieve this important business objective.

6 Enterprise IT vs. Industrial Control Systems
Cyber Security: Enterprise IT vs. Industrial Control Systems
Primary risk impact: Enterprise IT: information disclosure, financial. Industrial control systems: safety, health, environment, financial.
Availability: Enterprise IT: 95 – 99% (acceptable downtime/year: days). Industrial control systems: 99.9 – % (acceptable downtime/year: 8.76 hrs – 5.25 minutes).
Typical system lifetime: Enterprise IT: 3-5 years. Industrial control systems: 15-30 years.
Problem response: Enterprise IT: reboot, patching/upgrade. Industrial control systems: fault tolerance, online repair.
Priority order: Enterprise IT: Confidentiality, Availability, Integrity. Industrial control systems: Availability, Integrity, Confidentiality.
Information technology systems (such as Enterprise Resource Planning) hold confidentiality, integrity and availability (known as the "CIA triad") to be the core principles of information security. Although all are important, confidentiality outweighs the other two as the most important component. For industrial control systems, availability is more important than confidentiality. This is because the main purpose of control systems is not to store sensitive documents, but to enable production uptime. Let's take a more detailed look: while data can be compromised in an enterprise IT breach, a breach in an industrial control system will not only affect availability, but also has the potential to impact the safety and health of employees, the community and the environment. Take a look at the availability numbers: enterprise IT can generally sustain several hours or even days of downtime, as long as information is secure, without severely damaging a business's financial performance. Industrial control systems, however, can only be down for a few hours, if not minutes, before severely jeopardizing plant safety or financial performance. Control systems will not be shut down unless it's absolutely crucial. Another thing to look at is the problem response. In enterprise IT, the common mitigation is rebooting the system or applying security patches. That's not as easy with a control system. Shutdowns as a result of rebooting a system can be very costly in terms of lost production, and patches can sometimes have negative effects, resulting in more money lost.

7 Cyber Security: Vulnerability disclosure growth by year
1 new vulnerability every hour, every day. Source: IBM X-Force®

8 Cyber Security: Security cost
The cost of security measures should be balanced against the achieved risk reduction.
Risk = (probability of successful attack) x (potential consequences)
Chart (Cost vs. Security Level): curves for the cost of security and the probable cost of a security breach, with the point marked "Optimal security for minimum cost".
According to a study by the Ponemon Institute, the cross-industry average cost of a cyber security breach in 2011 was $5.9 MUSD.
Money cannot just be thrown at the problem. One has to measure the cost of security against the risk reduction, which depends on the anticipated risk. It's important that it's balanced. For instance, if someone is producing hammers, the consequence of a breach isn't very high. But in a chemical plant or nuclear facility, the risk is big. But the risk still must be weighed. The cost of a breach goes down the higher the security level we have, but the curve doesn't level out evenly: at a certain point, we can't reduce the cost of a security breach much further, while the cost of security continues to grow significantly. So the average cost, across industries, is $5.9 MUSD. For the hammer factory, that's a high number. For nuclear, low. Regardless, it's a figure that is worth avoiding.

9 Why traditional approaches don't work
Cyber Security: Why traditional approaches don't work
Action: Lock out accounts after three bad password tries. Consequence: Operator has no control over the process for 10 minutes.
Action: Install patches as soon as they are released and reboot. Consequence: A control system reboot means shutting down the whole plant, and it might take days to get everything running again.
Action: Frequently update the antivirus scan engine and virus definitions. Consequence: False positives might have fatal consequences.
Action: Use crypto functions to protect data in transit. Consequence: Real-time constraints cannot be met due to limited resources on embedded devices.
Action: Use firewalls and intrusion detection systems. Consequence: Do you speak IEC , IEC 61850, OPC, HART, ProfiNet, Modbus...?
Action: Use intrusion prevention systems. Consequence: One false positive might have fatal consequences.
Information Systems Security is a good starting point, but approaches and technologies need to be applied with care.
Traditional approaches don't work. If you are locked out of a computer system after three unsuccessful attempts to enter, you simply call the Help Desk. But imagine a plant operator, on night shift, punching in an incorrect password and getting locked out of the control system that is critical to operating the plant. This is not an acceptable situation in a real-time process plant environment. We also can't just install patches or reboot. Patches must be validated first (by ABB if it's an ABB system). Antivirus can be updated, but we have incidents where antivirus updates encrypt the network. Again, it must be verified first. Crypto functions won't work on control systems because they rely on communication and it's not ideal to slow down a real-time control system. Nothing should impede control system functionality. Regarding firewalls and intrusion detection, control systems speak different languages and protocols than other enterprise IT systems. If the prevention program identifies something it should not, the entire system could fail. Be careful when you apply any of these to a control system environment.

10 Cyber Security: If it's worth having, it's worth stealing
Source code; diagrams, plans and blueprints; design documents and metrics data; mechanisms for infrastructure improvements; certificates and credentials.
Source: MSI Microsolved Inc.

11 Fingerprint: Service with a defined scope
Cyber Security Fingerprint: Service with a defined scope
Benefits: consistent (same everywhere); high and even quality; repeatable; based on best practices.
Data flow: Collect, Store, View, Analyze, Interpret, Report.
The definition of a fingerprint is a service with a defined scope. All fingerprints follow the same method: collecting data, storing it, being able to view the data, analyzing the data, interpreting the data and generating a report with the findings.

12 System Performance Potential
ABB Cyber Security Optimization: Diagnose, implement and sustain performance.
Diagram (System Performance Potential vs. Time, phases Diagnose, Implement, Sustain): 1 Fingerprint, 2 Hands-on, 3 Manage Performance Gap, 4 Track / Scan.
Objective: summary of the value proposition. Sustainable results through a business-oriented partnership.

13 Cyber Security Fingerprint
What does the Fingerprint do? It provides a comprehensive view of your site's cyber security status; identifies strengths and weaknesses for defending against an attack within your plant's control systems; reduces the potential for system and plant disruptions; increases plant and community protection; and supplies a solid foundation from which to build a sustainable cyber security strategy. It does NOT make the system completely secure.
The ABB Cyber Security Fingerprint identifies strengths and weaknesses within a customer plant's control systems by gathering critical data and comparing it to ABB and industry best practices. The Fingerprint is currently designed for ABB System 800xA, Process Portal B, and Conductor NT version 6. Coverage for additional systems will be made available. By now, many ABB customers have read about Stuxnet and know they need to do something, but they don't know where to start. The Fingerprint can help define the basics and outline a strong cyber security strategy. It does not make the system secure. That's an impossible task.

14 Cyber Security Fingerprint: Security in depth
Layers: Physical Security; Procedures and Policies; Firewalls and Architecture; Computer Policies; Account Management; Security Updates; Antivirus Solutions.
How do we do this? We apply the principle "Security in Depth." This means that the more layers of protection you have, the better risk mitigation you have. Antivirus solutions are verified. Security updates for Microsoft software: old threats are avoided with updates. Account Management: ensures things like the right person having the right security level, and that not everyone uses a general administration account. Everyone should have an account with the rights to do exactly what is needed to complete his or her job. Computer policies: ensures settings are properly configured, such as users changing passwords every 90 days, not reusing passwords, etc. Firewalls and Architecture: ensures that the correct software firewalls are active in the system. This is extremely important because it ensures that if someone should gain access to one part of the system, they'll have a hard time accessing the rest. Procedures: focuses on the human factor. What is the procedure for when someone is laid off, for instance? Physical security: who can gain access to the servers?

15 Scope and completeness of standards
Cyber Security: Scope and completeness of standards
Chart: the standards IEC 62351, ISA 99*, NIST, IEEE P1686, NERC CIP, ISO 27K and CPNI positioned by domain (Energy, Industrial Automation, IT), by completeness (technical aspects, design details, details of operations) and by relevance for manufacturers versus operators.
The Fingerprint is nothing we invented ourselves. Instead, it's based on widely used industry standards and best practices. We've taken portions from each and applied them in a meaningful way to make sure our customers have all the basic safety precautions in place. Examples: IT standards: ISO; Industrial: ISA; Energy: NERC.
* Since the closing of the ESCoRTS project, ISA decided to relabel the ISA 99 standard to ISA to make the alignment with the IEC series more explicit and obvious.

16 Cyber Security Fingerprint: Key Performance Indicators
Another way to look at it is through our three-part data collection. The first area, Procedures and Protocols, is based on a qualitative analysis and indicates how secure the organization is by means of written instructions and policies. The next area covers Group Security Policies. These are the policies implemented on the system, enforced from a central server or implemented on an individual computer. Last are the Computer Settings, which cover the settings and applications that reside on an individual computer within the system. We check all this and produce a report showing strengths and weaknesses, and making recommendations for further mitigating actions.

17 Cyber Security Fingerprint: Security Logger Data Collection Tool
Collects data without affecting production; no installation; only collects data; the collected data is saved as an encrypted file; serves as support during interviews with key plant personnel; over 90% time saving compared to manual data collection.
How do we do this? With our proprietary tools. The first is the Security Logger Data Collection Tool, used to collect the data and system settings from the control system and computers on the plant network. It only collects data from computers in the control system. The data is encrypted so that it can't be read by anyone else, so if there's a breach, the data will be meaningless. This data is supported by interviews with key plant personnel to assess the human factor of the security level.

18 Cyber Security Fingerprint: Security Analyzer Tool
Analyzes the collected data; the only tool that can read the encrypted file; applies different profiles.
The Security Analyzer tool is used to calculate the Key Performance Indicators, shown on slide 14, for all three areas of the collected data. A report is then automatically generated. If the customer wants us to correct the findings, we can. Hardening is another word for making the system more secure.

19 Cyber Security Fingerprint: Data collection
After raw data is collected with the security logger, it's compared to the Control System Master Profile to determine where recommendations are needed. If the customer's data shows a setting to be below standard, the description and recommendation are included in the report.
Example row from the profile:
Setting: Minimum password age.
Description: There should be a predetermined number of days a password must be used before the user is allowed to change it. The number of days can vary between 1 and 998 days, or the user can input 0 to change the password immediately. If a minimum password age is not set, a user can reuse passwords repeatedly.
Recommendation: Set the minimum password age value greater than or equal to one day.
There is a Control System Master Profile, the ideal procedures and settings for the particular control system, to which we compare the data. Before we apply the profile, the data is just data. When we have filtered out what is correct for each control system, we know what recommendations to give.
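The comparison this slide describes, as an added example that is not ABB's Security Logger or Security Analyzer code: a small analyzer that checks collected computer settings against a master profile (using the two password-age thresholds the presentation mentions; host names, collected values and risk levels are constructed), treats a setting that was not collected as unverified rather than compliant, and rolls the findings into a per-host risk profile.

```python
# Added example, not ABB's Security Analyzer: compare collected computer settings
# against a master profile and roll findings into a per-host risk profile. The two
# password-age thresholds come from the presentation; hosts, values and risk levels are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ProfileRule:
    setting: str
    meets_profile: Callable[[int], bool]  # True when the collected value is acceptable
    description: str
    recommendation: str
    risk: str  # level recorded when the rule is not met ("High" or "Low")


MASTER_PROFILE: List[ProfileRule] = [
    ProfileRule("MinimumPasswordAge", lambda days: days >= 1,
                "A password must be used for a set number of days before it may be "
                "changed; with 0 a user can cycle straight back to an old password.",
                "Set the minimum password age value greater than or equal to one day.",
                "High"),
    ProfileRule("MaximumPasswordAge", lambda days: 1 <= days <= 90,
                "Passwords should expire so that users change them regularly.",
                "Require a password change at least every 90 days.", "Low"),
]


def analyze(collected: Dict[str, Dict[str, int]],
            profile: List[ProfileRule] = MASTER_PROFILE) -> List[dict]:
    """One finding per host/setting that is below the profile or was not collected."""
    findings = []
    for host in sorted(collected):
        for rule in profile:
            value = collected[host].get(rule.setting)
            if value is not None and rule.meets_profile(value):
                continue
            # A setting the logger could not read cannot be verified: report it as
            # high risk rather than silently treating it as compliant.
            missing = value is None
            findings.append({"host": host, "setting": rule.setting, "value": value,
                             "risk": "High" if missing else rule.risk,
                             "description": rule.description,
                             "recommendation": ("Not collected; verify manually. " if missing else "")
                                               + rule.recommendation})
    return findings


def risk_profile(findings: List[dict], hosts) -> Dict[str, str]:
    """Per host: 'High' if any high-risk finding, 'Low' if only low-risk ones, else 'OK'."""
    result = {host: "OK" for host in hosts}
    for f in findings:
        if f["risk"] == "High":
            result[f["host"]] = "High"
        elif result[f["host"]] == "OK":
            result[f["host"]] = "Low"
    return result


# Constructed sample of what one collection run might return for three computers.
SAMPLE_COLLECTED = {
    "aspect-server-01": {"MinimumPasswordAge": 0, "MaximumPasswordAge": 42},
    "operator-client-07": {"MinimumPasswordAge": 1, "MaximumPasswordAge": 180},
    "engineering-ws-02": {"MinimumPasswordAge": 2},  # MaximumPasswordAge not read
}

if __name__ == "__main__":
    for f in analyze(SAMPLE_COLLECTED):
        print(f"{f['host']}: {f['setting']}={f['value']} [{f['risk']}] {f['recommendation']}")
```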

20 Cyber Security Fingerprint: Report with recommendations and action plan
The resulting comprehensive report lists security strengths and weaknesses; risks; and recommendations and action plans.

21 Cyber Security Fingerprint: Report, Risk Profile
Diagram legend: High risk, Low risk.
Included in the report is a risk profile, which covers the three groups we discussed and shows the strengths and weaknesses of all the components that were analyzed within the control system infrastructure. While a diagram with less coloring indicates a low-risk environment, it does not mean the system is safe from attack. It does, however, indicate that good basic security is in place, and the risk of an attack is reduced. One of the computer settings (the circled area on the left) has the highest risk. The report will tell why and provide recommendations. The arrow points to a low-risk area, but one can never be 100% secure. While the Fingerprint is an indicator of your security status at a given time, any system, no matter how many precautions are taken, can be compromised.

22 Cyber Security Fingerprint: Control System Architecture, what to protect
The main points here are that the control layer is very hard to secure due to the very specific hardware in use, and that the office network is secured by the IT department, so we do not need to focus on it. The Fingerprint is focused on securing the server-client layer of the control system. If this is achieved and the procedures and policies are in place, it will be very hard to attack the control system or to get access to the control hardware (item 1 in the diagram above).

23 Cyber Security Fingerprint: Schedule of activities
Information Gathering (Day 1-3): project introduction meeting; set up data collection software; interview key plant personnel; check data and make configurations accordingly; complete data collection.
Analysis, off-site (Day 4): data analysis.
Delivery, off-site (Day 5): complete report; expert review; present findings and recommended actions.
One man-week: collect data, verify data, travel home, create report, analyze data, manual adjustments, peer review, deliver report.

24 Cyber Security Fingerprint: Success Stories
Three different success stories from different parts of the world as well as different industries.

25 Cyber Security Fingerprint: ServicePort, Cyber Security Channel
We can also offer a solution where the cyber security status is monitored on a weekly schedule; we call this the cyber security channel. This is a new channel that can be added to a ServicePort. The security channel includes 2 fingerprints per year as well as two scan reports (a report showing the cyber security status over time, so you can see whether you have improved or not, as well as anomalies over the holidays, etc.) and gives you access to the scan view shown in this slide. A long bar indicates high risk and a short one low risk.

26 Cyber Security Fingerprint, www.abb.com
Document 9AKK105408A9402 D


