alaa-mahjoub
20 Oct 2009
Security for Oil Industry Operators’ Cyber Critical Infrastructure
Security for Oil Industry Operators’ Cyber Critical Infrastructure Key Security Issues of Communication Conversion Strategies
Agenda
- Process Automation Infrastructure
- Business Automation Infrastructure
- Integrated Business & Process Automation
- Enterprise Digital Nervous System
- Traditional Communication Architecture
- Comm. Convergence Strategies / Architecture
- Security Challenges / Mitigation
- Q & A
Real-time Process Automation (Operations Perspective)
Human Layer
Physical Layer
Petroleum Industry Process Infrastructure
Civil facilities Infrastructure
etc
Flow lines & Pumping Units
Power & Water Structures
Reservoirs, Wells, Surface & subsurface Facilities
etc
Real-time Operation Centers
Administration Buildings
Fields Constructions
etc
RTUs / PLCs / Meters
Process Control Communication Networks
Supervisory Stations
Recovery from Failures / etc
Management
Security Enforcement
Operations staff: Monitoring & Control of Physical process
Process Control Layer (SCADA/DTC, etc)
Communications equipment Status Monitoring / etc
Valves Status & Control Signals
Access Control / Fire Fighting/ HVAC / Surveillance
Oil Flow Monitoring / Pressure Readings
Business Automation (IT Perspective)
Human Layer
IS/IT Layer
Physical Layer
HRMS / Financial/
etc
Petroleum Industry Process Infrastructure
Civil Infrastructure Other Physical Assets
Internet Access
KM Office Automation
/Collaboration
Email / GIS / CMMS / ERP
etc
Transportation Facilities
Labs
Maintenance Workshops
IT Networks
IT Services
Computers
IS Applications
Operations-Staff / etc
Employees
Non-Operations Staff
Managers
Petroleum Technical
Applications
IS/IT Layer
Human Layer
Physical Layer
Petroleum Industry Process
Infrastructure
Civil Infrastructure Other Physical Assets
IS/IT Applications & Services Infrastructure
IT Perspective
Global Perspective
Enterprise Communications
Human Layer
Enterprise IS/IT
Physical Layer
Petroleum Industry Process Infrastructure
Civil Infrastructure Other Physical Assets
Process control Layer
Operations Users
Non-Operational Users
Non-operational Information
Operational Information
Enterprise Information (Operational + Non-Operational)
Integrated Business & Process Automation
Muxs, Routers, Switches, Security Appliances, etc
Copper Twisted Pairs, Coaxial, etc
Carrier Waves (Satellite, Microwave, etc)
Fiber Cables
Process Control Layer
Human Operations Layer
Physical Layer
Petroleum Industry Process Infrastructure
Civil Infrastructure
Operational Perspective
Process Control Applications Infrastructure
+=
Enterprise Communications
Oil Operator’s Operating Model
Technology Domain
Cyber Critical Infrastructure
Business Domain
IS/IT RT Process Control
Enterprise Digital Nervous System
The Analogy
Enterprise Information Systems
Process Control Systems
Enterprise Communications
External world
Corporate IT Systems Data
Input & reporting
Field Equipment: PLC, RTU, Meters, etc
Actuators
Process
Sensors
Brain
Autonomic Nervous System
Spinal cord & Other Nerves
Somatic Nervous System
Human Senses
Muscles
RT Monitoring & Control Field Equipment @ Rigs, Wells, De-gassing Stations, etc
Traditional Communications Architecture
Field 1 Field 2 Field 3 Field 4 Field 5
Onshore HQ : Back office Support, Administration &
Integrated Operations
RTU PLC Meter RTU PLC
Process Control Network
IS/IT Network
Telephony Network
Key Issues:
- Separate Networks
- Different Network Management Systems
- Different Services: Voice, data, Process
- Separate Support Staff
Converged Communications Architecture
Vision: Connected Enterprise, From Wells to Terminals
Key Strategies:
- Network convergence
- Network Management convergence
- Service Convergence: UC
- Comm. Management Centralization
Key Security Challenges:
- Maintaining the Security of Process Control Systems
- Maintaining the Networks Security
- Maintaining Network Management Security
- Securing UC
instant messaging, presence information, IP telephony, video conferencing, speech control, voicemail, e-mail, SMS, fax
Securing the Integration of Process Control Systems
ISA99 / EttF based defense-in-depth architecture
ANSI/ISA99 (International Society of Automation): Security Guidelines and User Resources for Industrial Automation and Control Systems
ISA-S95/ IEC 62264: International Standard for Enterprise Control System Integration (object model, data, …).
Defense-in-depth Strategies: such as Ethernet-to-Factory (EttF) and others
Mirroring: Use applications and historian servers’ mirroring to ‘de-stage’ the interface between IS and process control systems.
Multi-homing: Use of multi-homed servers to ‘proxy’ the interface between the IS and the process control systems.
Maintaining the Networks Security
OPC UA: Use OPC Unified Architecture for secure data exchange between the process control systems and enterprise IS.
Signed Message Exchange: Messages exchanged via OPC UA should be signed.
VLAN security best practices: Separate VLANs should be used for process control systems to ensure separate broadcast domains are dedicated to their traffic. Follow best practice for mitigating MAC flooding, ARP spoofing, VLAN hopping, etc.
IEEE 802.1X: Standard for Network Access Control for IEEE 802.16 and IEEE 802.11 based networks.
Computer & User certificates: If wireless devices (e.g. laptops or PDAs) are used to access the network, they should be secured by computer digital certificates. User certificates should be used as well.
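An added example, not part of the original slides: a small audit of switch port configuration against the VLAN best practices listed above (MAC flooding, ARP spoofing, VLAN hopping). It assumes Cisco IOS-style syntax, and the sample config, port names and VLAN 110 as the process control VLAN are constructed for illustration.

```python
import re

# Constructed sample in Cisco IOS-style syntax. VLAN 110 as the process
# control VLAN and the port names are assumptions for illustration.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 110
 switchport nonegotiate
 switchport port-security
interface GigabitEthernet0/2
 switchport access vlan 110
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 110,200
!
"""

def parse_interfaces(config):
    """Return {interface name: [settings configured under it]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None          # "!" or a global command ends the stanza
    return interfaces

def audit(config, control_vlan="110"):
    """Return (scope, finding) pairs for weak layer-2 settings."""
    findings = []
    if f"ip arp inspection vlan {control_vlan}" not in config.splitlines():
        findings.append(("global", "no dynamic ARP inspection on control VLAN"))
    for name, lines in parse_interfaces(config).items():
        trunk = "switchport mode trunk" in lines
        # A trunk with no explicit native VLAN falls back to VLAN 1.
        native = next((l.split()[-1] for l in lines
                       if l.startswith("switchport trunk native vlan")), "1")
        if not trunk and "switchport mode access" not in lines:
            findings.append((name, "mode not forced to access"))
        if not trunk and "switchport port-security" not in lines:
            findings.append((name, "no port-security"))
        if "switchport nonegotiate" not in lines:
            findings.append((name, "DTP negotiation enabled"))
        if trunk and native == "1":
            findings.append((name, "trunk native VLAN left at 1"))
    return findings
```

On the sample, the first port passes, the second fails three checks, and the uplink is flagged for DTP and for the default native VLAN.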
Maintaining Network Management Security
MRP (IEEE 802.1ak-2007 amendment): Multiple Registration Protocol (MRP) can be used for LAN convergence to allow the same hardware switches to connect computers from both control system VLANs and IS/UC VLANs.
SNMPv3: Simple Network Management Protocol version 3 for WAN management.
X.509: A certificate standard that can be used to authenticate remote dial-up users and computers that perform network management tasks.
Dedicated Management Platform(s): The management VLAN should be accessed only by network management computers that are dedicated to management purposes.
Dedicated Trusted Specialists: Access should be limited to specific, specialized, authorized persons.
Private Networks: If remote access is needed for network troubleshooting, the Internet should not be used. Instead, PSTN or ISDN dial-up access should be used. If third-party access to the network is allowed (e.g. for vendor support), ISDN/PSTN should also be used; Internet VPN based access should be avoided for network management purposes.
Certificates: Authentication should be done at the user level and the computer level. Support from third parties should be secure.
Securing UC
Secure Real-time Transport Protocol (SRTP): It defines a profile of RTP (Real-time Transport Protocol) and is intended to provide encryption, message authentication and integrity, and replay protection to the RTP data in both unicast and multicast applications.
Transport Layer Security (TLS): To encrypt network connections at the Transport Layer end-to-end. Several versions of the protocol are in widespread use in applications like web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).
Session Initiation Protocol (SIP): A signaling protocol widely used for controlling multimedia communication sessions such as voice and video calls over Internet Protocol.
Ports: Use UC software with reduced open port requirements for audio/video support.
Encryption: Use encrypted network communications.
Configuration: Use vendor-provided best practice for secure deployment and configuration of UC applications.
SIP Configuration: Ensure that all SIP communications between servers and communications between clients and servers occur over TLS.
Edge Servers: Deploy edge servers to allow internal and external users to safely engage in Instant Messaging (IM),
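An added example, not part of the original slides: a check for the SIP Configuration item above that parses a captured SIP message and reports every place it is not TLS-only (Request-URI, each Via hop, Contact). The two sample messages, the example.test hosts and the 10.0.0.7 address are constructed placeholders.

```python
import re

# Constructed SIP requests in RFC 3261 syntax; the example.test hosts and
# the 10.0.0.7 address are placeholders, not values from the slides.
OVER_TLS = (
    "INVITE sips:ops@hq.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/TLS edge.example.test:5061;branch=z9hG4bK1\r\n"
    "Contact: <sips:field1@rig.example.test>\r\n\r\n"
)
MIXED = (
    "INVITE sip:ops@hq.example.test SIP/2.0\r\n"
    "v: SIP/2.0/TLS edge.example.test:5061;branch=z9hG4bK2, "
    "SIP / 2.0 / UDP 10.0.0.7:5060;branch=z9hG4bK3\r\n"
    'Contact: "Field 1" <sip:field1@rig.example.test;transport=tls>\r\n\r\n'
)

def uri_is_tls(uri):
    """A SIP URI asks for TLS if it is sips: or carries ;transport=tls."""
    uri = uri.strip().lower()
    return uri.startswith("sips:") or ";transport=tls" in uri

def sip_tls_findings(raw):
    """Return the reasons this SIP message is not TLS-only (empty if none)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    findings = []
    start = head[0].split()
    # Requests read "METHOD uri SIP/2.0"; responses begin with "SIP/2.0".
    if len(start) == 3 and start[2].upper().startswith("SIP/"):
        if not uri_is_tls(start[1]):
            findings.append(f"Request-URI not TLS: {start[1]}")
    for line in head[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in ("via", "v"):              # "v" is the compact form
            for hop in value.split(","):      # one header may list several hops
                m = re.match(r"\s*SIP\s*/\s*2\.0\s*/\s*([\w-]+)", hop, re.I)
                transport = m.group(1).upper() if m else "unparsed"
                if transport != "TLS":
                    findings.append(f"Via hop uses {transport}")
        elif name in ("contact", "m"):        # "m" is the compact form
            uris = re.findall(r"<([^>]+)>", value) or [value.strip()]
            for uri in uris:
                if uri != "*" and not uri_is_tls(uri):
                    findings.append(f"Contact not TLS: {uri}")
    return findings
```

A Via header only records the transport each hop declared, so this check complements, rather than replaces, disabling non-TLS listeners on the servers themselves.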
Q & A
Thank You