Roadmap to Secure Control Systems in the Chemical Sector
Presented by Dan Strachan
National Petrochemical & Refiners Association (NPRA)
3 © Copyright 2011 OSIsoft, LLC.
Agenda
• Is the risk real?
• Doing a security analysis
• Developing a business case
• Training of employees
• Implementing existing standards
About The Chemical Sector Coordinating Council (CSCC)
• Comprised of chemical industry trade association staff & owner/operators
• Chaired and co-chaired by security officers from owner/operator organizations
• This roadmap is for the chemical industry
• Similar roadmaps for other industries
Owner/Operator Companies
• Air Products
• AkzoNobel
• Ashland
• CSC
• The Dow Chemical Company
• DuPont
• Eastman Chemical
• ExxonMobil
• Infineum
• Western Refining
Business Challenge/Problem Addressed
• Industrial Control Systems (ICS) have changed
– Moving from proprietary to open systems
• Open systems carry more cyber security risks
• ICS incidents can range from loss of production to facility damage and personnel injury
“Why Should I Care?”
• Chemical industry dedicates immense time and resources
• Trend of ICS to open system platforms introduces new vulnerabilities
• Increasing cyber threats
• Potential consequences of ICS incident are similar to those of a safety breach
“Is The Risk Real?”
• Federal agencies reported 30,000 incidents to US-CERT during fiscal year 2009 [GAO report 6/16/2010]
– More than a 400% increase over what was reported in 2006
• Increases in Advanced Persistent Threat (APT)
• Stuxnet signaled a paradigm shift in the ICS environment
Developing a Business Case
• For those companies interested in developing a business case for investing in ICS security,
– Under development at this time
– Authored by the Industrial Control Systems Joint Working Group
– Guidance for developing a business case
• For more information contact the Industrial Control Systems Joint Working Group at [email protected]
Training Resources – Who Benefits
• ICS Operations – Includes all operations personnel who routinely interact with the industrial control system as part of their regular duties
• Security Managers – Includes supervisory and support personnel who have primary responsibility for configuration, monitoring and operation of tools and systems required to secure the control system.
• Engineers – Includes those who are responsible for design and configuration of the functional elements of the control system (e.g., control program development)
• IT Personnel – Includes any additional personnel who have responsibility for the operation and support of the IT infrastructure supporting the control system (e.g., networks, servers, etc.)
Training Resources
• Chemical Sector ICS Security Training Resource
– Developed by the Roadmap Implementation Working Group
– Designed for professionals in the process control and automation industries.
– Lists selected and representative security trainings … not a comprehensive list
Training Resources (cont.)
– Organized by levels of difficulty (introductory; intermediate; advanced)
– Matrix includes: Level, Sponsor, Format (e.g. online), Descriptions, Suitable Audiences, Costs, Location, and Websites for additional information
Implementing Existing Standards
• Developed by the Roadmap Implementation Working Group
– Guideline to standards and guidance that currently exists
– Highlighted standards resources
– Identified relevant guidance available now
Standards
• ISA99/IEC 62443, Industrial Automation and Control Systems Security
• ISO/IEC 15408-1:2009
Guidelines
• ACC Guidance for Addressing Cyber Security in the Chemical Sector
• DHS Catalog of Control Systems Security: Recommendations for Standards Developers
• NIST Special Publication (SP) 800-82, Guide to ICS Security, final public draft Sept 29, 2008
Milestone Themes for 2011 - 2012
• Building / Increasing Awareness
• Cyber Incident Response capability
• Secure information sharing forum
• Metrics
Initial Milestone Focus
1. Address the milestones that would provide initial comprehensive awareness materials by end of 1Q 2011
– Target specified industry conferences to deliver ICS Security messaging
2. Develop a cyber incident response process
3. Establish a secure information sharing forum
4. Agree upon metrics to report progress on implementation of Roadmap
Roadmap Alignment for OSIsoft Customers
• Training
– Control Systems Cyber Security Advanced Training
– PI MCN Health Monitor
• Best Practices
– Secure connectivity between business systems and industrial control systems
– Technical support access procedures
Questions
• Dan Strachan
• DHS Industrial Control Systems Joint Working Group
• Additional materials
Thank you