Industrial Control System Cybersecurity Overview

aeSolutions IC Overview r2


About aeSolutions

• Engineering and consulting services for process safety, industrial cybersecurity and critical automation systems since 1998

• Core Competencies:

• Process Safety

• Industrial Cybersecurity

• SIS Engineering

• SIS, BMS, F&G Integration

• Alarm Management

• Automation System Engineering

• Process Safety Lifecycle Software

• 170 employees across 3 offices, with additional satellite presence across the nation in 21 states.

• Comprehensive project lifecycle services

• 14,000 sq ft FM-Approved/UL 508a-certified panel fabrication facility

• Siemens, Rockwell and Schneider Electric Partner


John A. Cusimano

• Director of ICS Cybersecurity Solutions for aeSolutions

• 25 years of experience in industrial automation

• Kodak, Moore Products, Siemens, exida, aeSolutions

• Specialization in:

• Process Safety

• Safety Instrumented Systems (BMS, F&G)

• High-availability systems

• Industrial Networking

• ICS Cybersecurity

• Certifications:

• CFSE, Certified Functional Safety Expert

• CISSP, Certified Information Systems Security Professional

• GICSP, Global Industrial Control Security Professional

• ISA99/IEC 62443 Cybersecurity Fundamentals Specialist


Industry Associations

• ISA S99 Committee

− WG4 TG3 Chair (62443-3-2 Security Risk Assessment)

− TG6 Co-Chair (62443-4-1 Product Development)

• ISA S84 Committee, WG9 (TR84.00.09)

• US Expert to IEC TC65 WG10 (62443-2-4)

• Lead developer/instructor for ISA IC32 Training Course

• ISA Security Compliance Institute, technical steering committee

• ISA Safety & Security Division – Security Co-chair

• ICSJWG Workforce Development & Vendor Subgroups

• Author of Public Safety Canada “TR12-002 Industrial Control System (ICS) Cyber Security: Recommended Best Practices”


Our Approach


Understanding Risk is Fundamental to Determining How to Best Protect Our Systems

• We must first understand the risk

• Identify the critical assets

• Determine the realistic threats

• Identify existing vulnerabilities

• Understand the consequence of compromise

• Assess effectiveness of current safeguards

• Develop a plan to address unacceptable risk

• Recommend existing countermeasures

• Recommend additional countermeasures

• Recommend changes to current policies and procedures

• Prioritize recommendations (based upon relative risk)

• Evaluate cost / complexity versus effectiveness

Cyber security is all about RISK MANAGEMENT!!!


Cybersecurity Program

Cybersecurity Philosophy

Cybersecurity Culture

Strategic Plan

• Policy & Procedures

• Awareness & Training

• Compliance & Audit

• Site Vulnerability Assessments

• Risk Assessments

• Evaluate Mitigations

• Engineering Standards

Implementation Plan

Cycle: Plan, Do, Assess, Adjust


Basic Process

• Scope and document system(s)

• Vulnerability/gap assessment

• Partition the system

• Risk assessment workshop

• Prioritization of recommendations

• Implementation roadmap

Policies, procedures, standards, training


“Cyber PHA” Risk Assessment Methodology

• Builds upon well-established PHA (e.g. HAZOP / LOPA) methodologies

• Leverages existing PHAs

– Extract cyber initiating events and associated consequences

– Identify cyber vulnerable IPLs and safeguards

• Aligns with corporate risk matrix

• Being documented in ISA 62443-3-2


Cyber PHA Example

[Figure: example ICS network architecture. Locations: Field, Equipment Room, Control Room, IT Data Center. Networks: Corporate WAN, Business LAN, PCN. Components: FS-PES, Control PES, BPCS Engineering Workstation, SIS Engineering Workstation, BPCS HMI, Operator Consoles, DCS Servers, Data Historian, Domain Controller, Enterprise Firewall.]


Cyber PHA Example

Example © aeSolutions 2014


Initial Zone & Conduit Diagram


Cybersecurity Strategy Considerations

• Assemble Core Team

– Internal

• Cross functional (IT, Operations, Engineering, HSE, Corp Security)

– External Partner

• Experience, Reputation

• External benchmarks, Independent view

• Core focus, proven work process

• Standards based approach – ISA 99.02 / IEC 62443, NIST

• Develop an “as-built” model of the entire system

• Phased Approach (High Level Assessment first)

• Cross training opportunity / common language (e.g. field trip)

• Document deliverables

• Sustainable processes and systems


Typical Risk Assessment Deliverables

– Plant ICS “security” architecture drawings

– Cyber security requirement specification

– Cyber Vulnerability Assessments

– Peer comparison and gap analysis

– Zone and Conduit model

– Deployment strategy

– Cyber security policy and standards


aeSolutions ICS Cybersecurity Expertise

• Strong process industry and industrial automation background

• Experience in oil & gas, pipeline, chemical/petrochemical, power and water/wastewater industries

• Extensive involvement in industrial cybersecurity organizations and standards committees (e.g. ISA, AIChE, IEC, NIST, ISASecure)

• Instructors for ICS Cybersecurity training (private and ISA IC32)

• Experience in development and implementation of ICS cybersecurity management programs

• Certifications

– Certified Information System Security Professional (CISSP)

– Global Industrial Cyber Security Professional (GICSP)

– ISA 99 / IEC 62443 Cybersecurity Fundamentals Specialist

– Certified Ethical Hacker (C|EH)


Oil & Gas / Chemical Clients

• Air Products

• Alyeska Pipeline

• Chevron

• CNRL

• ConocoPhillips

• Dow

• FMC

• Kraton Polymers

• Merck

• Praxair

• Sasol

• Sunoco Logistics

• Syncrude

• Valspar


Industrial Cybersecurity Lifecycle Services

Assess

• Cybersecurity Gap Assessment

• Vulnerability Assessment (CSVA)

• Risk Assessment (Cyber PHA)

Define

• Network & Dataflow Diagrams

• Asset Inventory

• Zone & Conduit Models

• Cybersecurity Requirements Specification

Design, Commission, Implement

• Network Architecture Design

• Firewall Design / Commissioning

• Access Control

• Remote Access

• Wireless Communications

• Security Hardening

• Cybersecurity Acceptance Testing

Operations & Maintenance

• Intrusion Detection Design

• Change Management

• Patch Management

• Malware Prevention

• Backup / Restore

Corporate Governance

• Cyber Security Management System (CSMS) Development

• Deployment Strategy Consulting

• Standard Training (ISA)

• Customized Training & Awareness

• ICS Cybersecurity Audits

Process Safety & Security Lifecycle


Why aeSolutions?

• Deep expertise in critical industrial processes and critical automation systems

• Focus on Oil & Gas / Petrochemical / Specialty Chemical industries

• Understand the relationships between process safety, cybersecurity, alarm management, SIS design

• Comprehensive automation lifecycle services

• Professional, high-quality solutions

• Expertise leveraged into work products