Cybersecurity Guidance for Industrial Automation in Oil and Gas Applications February 17, 2015

InduSoft Speaks at Houston Infragard on February 17, 2015

Agenda

Introductions

Discussion of the current state of Cybersecurity for Controls Systems with discussions from outside sources

New Cybersecurity Guidance eBook and Engineering Services available from InduSoft

Deeper dive into the Security eBook – a look inside.

Discussion of the new SCADA Cybersecurity Framework eBook and the associated certificate courses at Eastern New Mexico University-Ruidoso

Q&A Session

Speakers Today (in order of presentation)

Richard Clark

– Technical Marketing and Cybersecurity Engineer

Richard H Clark

Cybersecurity Background

Mr. Clark has been in Automation, Process System, and Control System design and implementation for more than 25 years and was employed by Wonderware where he developed a non-proprietary means of using IP-Sec for securing current and legacy Automation, SCADA, and Process Control Systems, and developed non-proprietary IT security techniques. Industry expert by peer review and spokesperson on IT security; consultant, analyst and voting member of ISA-SP99. Contributor to PCSF Vendor Forum. Consultant to NIST and other government labs and NSA during the development of NIST Special Publication 800-82. Published engineering white papers, manuals, and instruction documents, developed and given classes and lectures on the topic of ICS/SCADA Security.

– Participated in forming the NIST Cybersecurity Framework during the workshops last year along with our second speaker today…

Stephen Miller

– Associate Professor and Department Chair of Business and Information Systems/Cybersecurity Center of Excellence at Eastern New Mexico University-Ruidoso

Stephen Miller

Cybersecurity Background

Mr. Miller (Associate Professor/Director of Eastern New Mexico University-Ruidoso Cybersecurity Center of Excellence) has been in the Information Systems profession since 1966 working in many business, government, and educational sectors, including being IT/Technology Manager and Advisor at ExxonMobil Global Information Systems. Mr. Miller worked for Univac Corp at NASA Mission Control for the Apollo Mission, including Apollo 13 and Skylab missions; he also worked for Ford Tech-rep Division and TRW Controls, among others.

Stephen developed the online computer and network Cybersecurity Certification program at ENMU-Ruidoso, and revised the Information Systems Associates Applied Science Degree Programs under INFOSEC 4011, 4016E, and Center of Academics (CAE-2Y) certifications.

RICHARD H CLARK

Cybersecurity eBooks/Guidance

Introduction

InduSoft is used in various Oil and Gas, Refinery, and Pipeline applications around the world

We strive to assist customers in designing and building safe, secure and functional applications

We have condensed a great deal of our security guidance and discussions into a single eBook

InduSoft has recently added On-Demand Engineering Services to assist your development and engineering teams

InduSoft has assisted in creating the NIST Cybersecurity Framework and collaborated with ENMU-Ruidoso in creating a curriculum textbook

The Scope of the Problem

IT Departments believe that they are equipped to handle Control System Cybersecurity. They aren’t.

– Example: AutomationWorld, February 10, 2015, “Shell Works with Yokogawa and Cisco on a Unified Cybersecurity Approach”

– Major Problems that I have with this “Unified Approach”:

• They’ve thrown the SMEs (plant engineers) “under the bus”
• They are only addressing security patches and antivirus
• It is being managed from a central location, which is the same entry vector used in the retail and healthcare cyberattacks
• They are considering the refinery as part of the IoT, which is to say that they think it is just as important as Mrs. Fitsby’s new hot water heater, not critical infrastructure.

New SCADA Cybersecurity eBooks

InduSoft Security Guide: ISBN 978-1311-49042-1

NIST Cybersecurity Framework: ISBN 978-1310-30996-0

Available at Smashwords.com and other major booksellers

Available to you as “Name Your Price”

Download at Smashwords.com to “Name Your Price”

All eBook Proceeds Benefit the Eastern New Mexico University-Ruidoso Foundation

InduSoft Security Guide – Why?

The eBook is a compilation of InduSoft cybersecurity guidance making it available in one place

– There is a chapter on guidelines for designing and building your projects
– Includes reprints of many InduSoft white papers and published articles on cybersecurity guidance describing everything from runtime servers and IT guidance for control system networks, to handheld smart devices and wireless networks
– The eBook contains transcripts of many InduSoft webinars on securing InduSoft Web Studio as well as broader IT and SCADA security guidance
– Also contains an Appendix with NIST Framework information
– Available in .mobi (Kindle), .epub, .pdf, .html, and .doc formats

Contents of “Security Guidance” eBook

The Chapters and Sections contain many useful topics

Chapter 1: New Projects and Security as a Design Consideration

Section 1: Building your Project

– Extract from the InduSoft Technical Note: Application Guidelines

Chapter 2: Existing Projects

Chapter 3: Cloud Based Applications

Section 1: Working with Cloud Based Applications

– The following is an extract from the InduSoft White Paper: Cloud Computing for SCADA

Chapter 4: InduSoft Application Security

Section 1: SCADA System Security Best Practices

– The following is a transcript extract from the InduSoft Webinar: SCADA System Security Webinar

Chapter 5: InduSoft Security Discussion for Web Based Applications

Section 1: Using Security with Distributed Web Applications

– Extract 1 - From InduSoft White Paper: Security Issues with Distributed Web Applications

Section 2: Using Security with Web-Based Applications

– Extract 2 - From the InduSoft Tech Note: IWS Security System for Web Based Applications

Section 3: Using Security with Web-Based Applications

– Reprint - Control Engineering Magazine - August 2014: Cybersecurity for Smart Mobile Devices

Chapter 6: InduSoft Recommendations for IT Security

Section 1: Firewalls and other SCADA Security Considerations

– Transcript extract from the InduSoft Webinar: SCADA and HMI Security in InduSoft Web Studio

Section 2: Control Systems Security Overview

– Transcript extract from the InduSoft Webinar: SCADA Security Considerations: Overview

Section 3: SCADA Security - Operational Considerations

– Transcript extract from the InduSoft Webinar: SCADA Security Considerations: Operational

Section 4: SCADA Security - Management Considerations

– Transcript extract from the InduSoft Webinar: SCADA Security Considerations: Management

Appendix A: NIST Cybersecurity Framework Core

Appendix B: Cyber Security Evaluation Tool (CSET) Information

Examples of topics and subjects covered

New SCADA Projects Should be Designed with Security as a Primary Goal

Good project design includes the following:

– Security as a primary design consideration
– Safety needs to be considered throughout project design and implementation
– Functionality should be moderated based on the first two design goals

Diverse SCADA Projects Require Different Types of Security Profiles

We recognize that customers use InduSoft Web Studio in many different ways.

– This fact presents many differing security scenarios for our customers
– A specific type of security implementation to a particular SCADA system may be entirely inappropriate for a differing system.

We have recommended many different ways that security can be implemented into SCADA and HMIs

– Talks, classes, white papers, webinars, forums, Technical Support, and individualized guidance on projects have been available for quite some time
– InduSoft now has on-demand engineering assistance available on our website!

Services On Demand is Now Live!

Engineering assistance is available when designing projects and implementing project security

Stay Informed…

How to get Product Update and Webinar Announcements

THANKS FOR ATTENDING!

Here’s how to contact us…

Email: (US) [email protected], (Brazil) [email protected], (Germany) [email protected]
Support: [email protected]
Web site: (English) www.indusoft.com, (Portuguese) www.indusoft.com.br, (German) www.indusoft.com.de
Phone: (512) 349-0334 (US), +55-11-3293-9139 (Brazil), +49 (0) 6227-732510 (Germany)
Toll-Free: 877-INDUSOFT (877-463-8763)
Fax: (512) 349-0375

Contact InduSoft Today

Email [email protected] if you would like to request a copy of this presentation or with other questions.

The upcoming InduSoft webinar tomorrow (Feb 18th) will focus on Engineering Services and how you can get the most out of them. Visit: http://www.indusoft.com

Join our webinars and we will send you an InduSoft webinar series Tee-Shirt!

Next: STEPHEN MILLER

SCADA Cybersecurity Framework

Topics Covered

• E-Book Purpose

• Key Objectives

• Outline Of Content

• Training Plans

– Cybersecurity Programs

– Boot Camp

• About ENMU-Ruidoso

• Q & A?

CAE-2Y Accredited

E-Book Purpose

• Provide a quick reference guide to the framework
• Promote awareness of:
• Cybersecurity Critical Infrastructure Framework
• SCADA Cybersecurity threats and vulnerabilities
• The importance of risk assessments
• How to use the framework
• Look into applying security to InduSoft Web Studio

Key Objectives

• Knowledge of SCADA and cybersecurity environment

– Types of SCADA systems

– Threats and risks

• Understanding of framework

• Knowledge of tools and processes for risk analysis

• Ability to apply risk management processes to obtain the right framework tier for an organization

Outline Of Content

• Chapter 1 - SCADA Cybersecurity Introduction and Review
– What is SCADA
  • How it works, In Depth Look, field devices, control units, HMI
– Overview of Cybersecurity Vulnerabilities
  • Security Challenges, Understanding & defining information security, Cyber Threat Source to Control/SCADA Systems, GAO Threats, Attacks & Defenses, Vulnerability Scanning vs Penetration Testing
– Understanding Control System Cyber Vulnerabilities
  • Gaining control of SCADA Systems, Categories of SCADA Systems

[Figure: Information security components]

[Figure: Gov’t Acct. Office Threat Table]

[Figure: Steps of a cyberattack]

[Figure: Geographic Layer; Physical Network Layer; Logical Network Layer; Cyber Organization/Personal Layer; “Internet of Things”. One individual with multiple, complex relationships to other levels of the environment that also change over time.]

[Figure: Control System Environment]

[Figure: Three Categories of SCADA Systems: Modern/Common Diagram, Modern/Proprietary Diagram, Legacy/Proprietary Diagram]

Outline Of Content

• Chapter 2 – Cybersecurity Framework Introduction

• Framework Introduction

– Executive Order 13636 (EO), “Improving Critical Infrastructure Cybersecurity”

• Risk Management Process

• The Cybersecurity Framework

Overview of the Framework

Risk Management Decomposition Diagram

Outline Of Content

• Chapter 3 – Cybersecurity Framework Basics

– Basic framework overview

– Framework core

Business Process Management (BPM) Approach to the Framework

How Does it All Come Together?

Outline Of Content

• Chapter 4 – How to Use the Framework

– Basic Review of Cybersecurity Practices
– Establishing or Improving a Cybersecurity Program
– Communicating Cybersecurity Requirements with Stakeholders

Using the CSET Tool for Risk Management and Future Framework Analysis

Select Standard(s)

NIST Framework for Improving Critical Infrastructure Cybersecurity V1 (Recommended)
NIST Special Publication 800-53 Rev 3 and NIST Special Publication 800-53 Rev 3 App I
NIST Special Publication 800-53 Rev 4 and NIST Special Publication 800-53 Rev 4 App I
Consensus Audit Guidelines (CAG)
Components Questions Set
CFATS Risk Based Performance Standard (RBPS) 8: Chemical Facilities Anti-Terrorism Standard, Risk-Based Performance Standards Guidance 8 - Cyber, 6 CFR Part 27
CNSSI No. 1253 Baseline
CNSSI No. 1253 Industrial Control System (ICS) Overlay V1
Catalog of Recommendations Rev 7 – (DHS Catalog of Control Systems Security: Recommendations for Standards Developers, Revisions 6 and 7)
INGAA Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry
Key Questions Set
DoD Instruction 8500.2 Information Assurance Implementation, February 2, 2003
ISO/IEC 15408 revision 3.1: Common Criteria for Information Technology Security Evaluation, Revision 3.1
NERC Reliability Standards CIP-002-009 Revisions 3 and 4
NIST Special Publication 800-82 Guide to Industrial Control Systems Security, June 2011
NIST Special Publication 800-82 Rev 1
NIST Special Publication 800-82 Rev 2 (Draft)
NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems Rev 3 and with Appendix I, ICS Controls
NRC Regulatory Guide 5.71 Cyber Security Programs for Nuclear Facilities, January 2010
NEI 0809 Cyber Security Plan for Nuclear Power Reactors
TSA Pipeline Security Guidelines April 2011
Universal Questions Set

Outline Of Content

• Chapter 5 – InduSoft Security Guide

– Embedded in this chapter.

• Appendix (Framework Core, CSET Tool, References, and Glossary)

CSET 6.1 Tool

https://ics-cert.us-cert.gov/Assessments

ENMU-Ruidoso Cybersecurity Programs

• Computer and Network Security Certification Program (Online) Credited or Self-paced ($2,495)
• Associates of Applied Science Degree - Information Systems Cybersecurity
• The programs are designed to prepare students as:
– Information Systems Security (INFOSEC) Professionals NSTISSI No. 4011
– CNSSI No. 4016 Entry Level Risk Analysts
– CAE-2Y Information Assurance/Cyber Defense Accredited

• IS 131: Network Security Fundamentals - 3
• IS 136: Guide to Disaster Recovery - 3
• IS 153/L: Introduction to Information System - 4
• IS 253: Firewalls and How They Work - 3
• IS 257: Network Defense and Counter Measures - 3
• IS 258: Cyber Ethics, Professionalism, and Career Development - 3
• IS 285: Ethical Hacking - 3
• IS 289: Capstone/Internship/NCL Cybersecurity Challenge

Training Plans: Boot Camp

Four-day Boot Camp covering:

• Course Orientation and Introduction to Cybersecurity and SCADA
• CompTIA-Security+ Key Topics
• SCADA Cybersecurity Recommended Practice/Infrastructure Guiding Principles/National Infrastructure Protection Plan
– IS-821 Critical Infrastructure and Key Resources Support Annex
– IS-860.a National Infrastructure Protection Plan (NIPP)
• Cybersecurity Critical Infrastructure Framework / CAP Process/Intro to a SCADA Product (InduSoft)
• CSET Department of Homeland Security Risk Assessment Process and Tools Using the Cybersecurity Critical Infrastructure Framework

About ENMU-Ruidoso

The National Security Agency and the Department of Homeland Security have designated Eastern New Mexico University - Ruidoso as a National Center of Academic Excellence in Information Assurance/Cybersecurity Defense (“CAE-2Y”) through academic year 2019.

The designation is based on the university's ability to meet the increasing demands of the program criteria, which will serve the nation well in contributing to the protection of the National Information Infrastructure. The program meets the eleven Knowledge Units learning objectives.

Recognized by the National Initiative in Cybersecurity Education (NICE) as a certified Training Institution for the NIST National Cybersecurity Workforce Framework. http://csrc.nist.gov/nice/index.htm

ENMU-Ruidoso Foundation

Foundation, as noted below.

If you find this ebook useful in your business, tax deductible donations to the university 501(c)(3) foundation are encouraged by contacting: