Cyber Security for Industrial Cyber Security for Industrial Automation Control Systems (IACS) & Automation Control Systems (IACS) & networks and Security Requirements networks and Security Requirements

for PCD Systemsfor PCD SystemsTed Angevaare, Team Leader Automation at Shell andChairman Plant Security Group at WIB

8 December 2011 / 13.50-14.10TU DelftAula Congrescentrum

New Cyber threats per yearSource: Symantec

Ref: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf

Symantec Internet Security Threat Report: Volume XV: April Symantec Internet Security Threat Report: Volume XV: April 2010 2010

Intro Windows in PCD

The risk to the worldThe risk to the world’’s oil & gas production facilities s oil & gas production facilities is increasing exponentially over timeis increasing exponentially over time

So, is this a threat to PCD systemsSo, is this a threat to PCD systems??

Ø Viruses are now detected in the Process Control Domain around the world, causing production loss or significant costs to repair

Ø Some examples from around the world:– Disgruntled ex-contractor hacked into a sewage plant, releasing millions of liters of

sewage into the local river (Australia, 2001),– Slammer worm disabled Davis-Besse nuclear power plant safety monitoring system

(USA, 2003),– Blaster worm suspected of jamming alarm systems and escalating power blackouts

(USA, 2003),– Worm: 13 auto plants in the USA were shut down by a simple Internet worm named

Zotob introduced via a laptop. The infection resulted in $14 million loss and 50.000 workers had to cease work (USA 2005),

– Virus: Browns Ferry Nuclear plant had to be shut down for 2 days because of excessive control bus network traffic. (USA 2006),

– Worm: Intramar, the French Navy computer network, was infected with the Conficker worm on 15th of January 2009 (EUR 2009).

YES!YES!

Malware specifically targeting PCD……named STUXNETas recent as Q3 2010

STUXNETSTUXNET hits Siemens Control Systems (WinCC/PCS 7)!!

“ With the cyber forensics we now have, it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge.”

Conclusion: This was assembled by a highly qualified team of experts, involving some with specific control system expertise. This is not some hacker sitting in the basement of his parents house !!

“ It is the first virus known to target and infiltrate DCSs and PLCsused to run our production facilities worldwide.”

“ the virus is extremely intelligent and complex, capable to take over control of a computer system, without the user taking any action other than inserting an infected USB stick”

STUXNET

These threats may come from unexpected These threats may come from unexpected sourcessourcesInternet is NOT the main source (17%), most infections originate from inside !

Removable media today in industry is the major reason for infections.……

What is the potential impact of an infection ? What is the potential impact of an infection ? In industry a virus infection could result in……

Missing of Production TargetsDue to unavailability of production system

• Loss of reputation • Contractual Obligations not fulfilled

Repair and Restart of Production systems

• Manpower / contractor• Mob/Demob staff to site

Overreacting; excessive measuresFear of the unknown, reoccurrence

• Increased efforts• Additional costs

Shell Shell ‘‘s positioning towards PCD s positioning towards PCD securitysecurity

• Standardization of design & implementation,• Shell Assets must comply with a Minimum Standard

(ESS = Enterprise Security Standard) & IT-Framework!• Skill and competencies; continuous education/training of staff,• Vendor Certification; only allow Security Certified Vendors in

the PCD,• Audit, Reviews and Self assessments,• As-Built; “secure by design” architecture,• Security built–in as fundamental component,• Evergreening and Improvement initiatives• Initiate improvement steps during life-cycle• Being active outside Shell, share with industry and follow

research and developments

ESS

• Guarantee Vendors supplying secure systems & services at all stages of the lifecycle!

• Fit-for-purpose security, based on best practices in Shell and all the good work by many others

• Affordable solution for Vendors to gain certificate• Suitable for big Industrial Automation Vendors and Suppliers• Suitable for many small Vendors and Suppliers (>300)• Minimum Standard freely available for everyone• Many end-users to join, such that Vendors are only facing one

requirement à saving costs• Step change now and evolve over time!

A Vendor security certification program A Vendor security certification program now!now!

What does the EndWhat does the End--user want?user want?

We can only be successful when working We can only be successful when working together!together!

??

?

?

• Annemarie Zielstra – NICC• André Schepens – Dow• Auke Huistra – NICC• Frank Pijnenburg – DSM• Geert Soulje – DuPont• Marnix Haije – Shell• Herman Suselbeek – WIB• Ian Henderson – BP• Jos Menting – Laborelec• Peter Kwaspen – Shell• Lex Boekel – Wintershall

WIB Plant Security Group:

• Lou Verhagen – AkzoNobel• Mart Louisse – Aramco Overseas Co• Martin Visser – Waternet• Michiel Kleisen – Dupont• Nate Kube – Wurldtech• Maarten Oosterink – Shell• Sierk Goedemoed – Heineken• Tom Kuperij – WIB• Pascal van den Boogaard – Shell• Wim Breugom – Waternet• Ted Angevaare – Shell and Chairman

Who worked on the WIB Standard Who worked on the WIB Standard vsvs2.0?2.0?

Evolution towards international Evolution towards international standardstandard

Cyber Security Procurement Language for

Control Systems

From DHS

Cyber Security Procurement Language for

Control Systems

From DHS

WIB Report M 2784 X10,

version 2

WIB Report M 2784 X10,

version 2

DACA security standards and experiences

DACA security standards and experiences

IDEAL standard is selection of relevant IT

requirements from various

standards

IDEAL standard is selection of relevant IT

requirements from various

standards

Less than 50% content from ISO 27002

Development International

standard

Development International

standard

1400+ downloads

2008-2009 2010 2011

IEC proposal

WIB Report M 2784 X10,

version 1

WIB Report M 2784 X10,

version 1

Business case of certificationBusiness case of certification

Impact in industry Impact in industry

Current IEC 62443 frameworkCurrent IEC 62443 framework

IECIEC ProcessProcess

NOW

Some stakeholdersSome stakeholders1. The NIST Cyber Security Working Group (CSWG) has created a task

force (http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/IEC6244324TaskForce) that has studied the alignment of the IEC 62443-2-4 draft and concluded it is well aligned with the NISTIR 7628 guidelines for cyber security and is currently working towards harmonization of the two documents.

2. Lisa Kaiser of the US Department of Homeland Security (DHS) has received approval to participate in the IEC 62443-2-4 standards resolution process. The DHS is currently actively considering moving forward with the IEC 62443 series, but has found the ISA 99 parts somewhat confusing. They feel that the IEC 62443-2-4 requirements are easily understood, and the fact that they align closely with the NISTIR 7628 (which is largely based on the NIST SP 800-53 guidelines) has peaked their interest.

Now you!Now you!Go to the WIB Homepage and download the document: http://www.wib.nl/

You are free to use it!

Be prepared and make sure that your systems, facilities and/or services are compliant to the WIB vs. 2.0.

Go for certification now and be secure!