
Agenda - OSIsoft · comprehensive awareness materials by end of 1Q 2011 – Target specified industry conferences to deliver ICS Security messaging 2. Develop a cyber incident response


Presented by

Roadmap to Secure Control Systems in the Chemical Sector

Dan Strachan

National Petrochemical & Refiners Association (NPRA)

© Copyright 2011 OSIsoft, LLC.

Agenda

• Is the risk real?

• Doing a security analysis

• Developing a business case

• Training of employees

• Implementing existing standards


About The Chemical Sector Coordinating Council (CSCC)

• Comprised of chemical industry trade association staff & owner/operators

• Chaired and co-chaired by security officers from owner/operator organizations


• This roadmap is for the chemical industry

• Similar roadmaps for other industries


Owner/Operator Companies

• Air Products

• AkzoNobel

• Ashland

• CSC

• The Dow Chemical Company

• DuPont

• Eastman Chemical

• ExxonMobil

• Infineum

• Western Refining


Business Challenge/Problem Addressed

• Industrial Control Systems (ICS) have changed

– Moving from proprietary to open systems

• Open systems carry more cyber security risks

• ICS incidents can range from loss of production to facility damage and personnel injury


“Why Should I Care?”

• Chemical industry dedicates immense time and resources

• Trend of ICS to open system platforms introduces new vulnerabilities

• Increasing cyber threats

• Potential consequences of ICS incident are similar to those of a safety breach


“Is The Risk Real?”

• Federal agencies reported 30,000 incidents to US-CERT during fiscal year 2009 [GAO report 6/16/2010]

– >400% increase over what was reported in 2006

• Increases in Advanced Persistent Threat (APT)

• Stuxnet signaled a paradigm shift in the ICS environment


Developing a Business Case

• For those companies interested in developing a business case for investing in ICS security,

– Under development at this time

– Authored by the Industrial Control Systems Joint Working Group

– Guidance for developing a business case

• For more information contact the Industrial Control Systems Joint Working Group at [email protected]


Training Resources – Who Benefits

• ICS Operations – Includes all operations personnel who routinely interact with the industrial control system as part of their regular duties


• Security Managers – Includes supervisory and support personnel who have primary responsibility for configuration, monitoring and operation of tools and systems required to secure the control system.


• Engineers – Includes those who are responsible for design and configuration of the functional elements of the control system (e.g., control program development)


• IT Personnel – Includes any additional personnel who have responsibility for the operation and support of the IT infrastructure supporting the control system (e.g., networks, servers, etc.)


Training Resources

• Chemical Sector ICS Security Training Resource

– Developed by the Roadmap Implementation Working Group

– Designed for professionals in the process control and automation industries.

– Lists selected and representative security trainings … not a comprehensive list


– Organized by levels of difficulty (introductory; intermediate; advanced)

– Matrix includes: Level, Sponsor, Format (e.g. online), Descriptions, Suitable Audiences, Costs, Location, and Websites for additional information


Implementing Existing Standards

• Developed by the Roadmap Implementation Working Group

– Guideline to standards and guidance that currently exist

– Highlighted standards resources

– Identified relevant guidance available now


Standards

• ISA99/IEC 62443, Industrial Automation and Control Systems Security

• ISO/IEC 15408-1:2009


Guidelines

• ACC Guidance for Addressing Cyber Security in the Chemical Sector

• DHS Catalog of Control Systems Security: Recommendations for Standards Developers

• NIST Special Publication (SP) 800-82, Guide to ICS Security, final public draft Sept 29, 2008


Milestone Themes for 2011 - 2012

• Building / Increasing Awareness

• Cyber Incident Response capability

• Secure information sharing forum

• Metrics


Initial Milestone Focus

1. Address the milestones that would provide initial comprehensive awareness materials by end of 1Q 2011

– Target specified industry conferences to deliver ICS Security messaging

2. Develop a cyber incident response process

3. Establish a secure information sharing forum

4. Agree upon metrics to report progress on implementation of Roadmap


Roadmap Alignment for OSIsoft Customers

• Training

– Control Systems Cyber Security Advanced Training

– PI MCN Health Monitor

• Best Practices

– Secure connectivity between business systems and industrial control systems

– Technical support access procedures


Questions

• Dan Strachan

[email protected]

• DHS Industrial Control Systems Joint Working Group

[email protected]

• Additional materials

[email protected]


Thank you
