ABB PowerPoint template - ABB Group

Tomas Lindström, Cyber Security Manager, BU Control Technologies, 2013-01-16

Cyber Security for System 800xA: The SD3+C framework

3BSE072454

Security – Not just a technical solution …

There is no single solution that is effective for all organizations and applications

Security is a continuous process, not a once and for all technology solution

Security begins and ends with human behavior

100% security is not feasible

Figure labels: Process Control Security, Compliance, Personnel, Organization, Physical Security, Access Control, Administration & Maintenance

© ABB Group September 27/28, 2012 | Slide 3

Security is ultimately the user’s responsibility



Proper implementation, configuration, operation, and maintenance of security procedures and equipment is the responsibility of the user of the automation system.

However …





Effective security solutions require the joint efforts of 

User’s IT and Process Control organizations



Control System vendors



Teams for Commissioning and Maintenance

Vendor support needed in complete System Lifecycle 

System Capabilities (from Product organization, main focus for this presentation)




SAT & Commissioning



Maintenance & Support

Good Security Practices: Implement a Security Management System

Use standards, e.g. as guidelines: IEC 27000, ISA/IEC 62443 (ISA99)



Do a risk assessment



Develop a security policy and define clear organizational responsibilities



Select security countermeasures as a “risk insurance”: Balance Value for me  Value for X  Mitigation cost: 

Who should use the system for what



Protect the system



Detect problems



Manage system resource availability



Plan for incident response and disaster recovery



Audit security systems and procedures for compliance with the security policy

Defense in depth

The coordinated use of multiple lines of prevention and detection measures to protect the integrity of a system

Figure labels (defense layers): Perimeter Defenses, Network Defenses, Host Defenses, Application Defenses, Data Defenses, Physical Security, Policies and Procedures

Examples



Security policy and procedures



Perimeter firewalls



Network segregation with Security zones: resources in the same zone have the same minimum security level; access between zones only through secure conduits



Intrusion detection



Host based firewalls



Host hardening



Malware protection



User authentication and authorization



Data encryption



Secure application development





Security for System 800xA: The SD3 + C Security Framework

Secure by Design: Security in the Product Development Process (Requirements, Design, Implementation, Verification)

Secure by Default: Default installation with minimal attack surface; Defense in Depth; Least privileges used

Secure in Deployment: Product support for Secure Configuration, Operation, Maintenance; Support for system updating

Communication: Openly and responsibly communicate with users about detected security flaws: implications, corrections and/or workarounds

Secure by Design: Security in the Product Development Process

Security integrated in the Quality Management System 

Security check points at Project Gates



Threat modeling 

On existing products → Finding Vulnerabilities?

For new products → Identifying Requirements



Secure coding guidelines



Design and code reviews with checklists with security checkpoints and tool support



Aligning with Microsoft’s SDL



Testing (next slide)

Secure by Design: Testing in Product Development

Requirement verification by R&D 



Functional and non functional

Security Testing in R&D Projects (more next slide)

1) by R&D: Some tools. Scope: Single products and the whole system

2) by Device Security Assurance Center: More tools. Scope: Devices

3rd party testing

Achilles Communications Certification by Wurldtech



MUSIC certification by Mu Dynamics

Secure by Design: ABB’s Device Security Assurance Center

Product independent center for Device Robustness Testing 

Controllers, Communication Interfaces, Field Devices, …



Assisting R&D projects, e.g. improving methods

State-of-the-art security testing tools (commercial and open source): Mu8000, Achilles Satellite Unit, Nessus, …



Multi-test method approach with defined policies 

Profiling Tools to determine vulnerable services



Check for well-known flaws



Resource Starvation Testing (DoS attacks)



Robustness testing (protocol fuzzing): systematically subjecting the target to a set of invalid packets that violate the protocol’s specification

More than Achilles/MUSIC Certification!

Secure by Default: Secure Default settings out of the box

Automated installation with System Installer

Consistent and repeatable

Secure default settings and hardening 

Unnecessary services disabled or not installed



Windows Firewall Enabled and Configured for used functions



Secure default settings for user privileges



Embedded OS with only needed features

Secure by Default, Defense in Depth: Network Defenses

Network Redundancy with Dual Separated Networks



Client-Server communication protected with IPSec 



IPSec Configuration Tool in SV 5.1 Rev A 

For installed systems with SV 5.1 or later



For new systems

Storm protection in Network Switches (Recommended 3rd party addition)

Figure labels: Redundancy with Separated networks; IPSec protection

Secure by Default, Defense in Depth: Host Defenses

Windows Firewall in Servers and Workstations



Network filter in Controllers and Communication Modules 

Blocks unsupported traffic



Network Storm protection



RNRP’s Network Loop Protection in Servers and Workstations



System supervision 

Controller self supervision



PNSM (PC Network and Software Monitoring)

Storm/Loop protection action: Disable affected network. Communication survives Network Loops/Storms thanks to Architecture with Separated Networks!

Secure by Default, Defense in Depth: User Authentication and Access Control

Product features designed to meet regulatory requirements



User Authentication based on Windows

Active Directory or Workgroup

800xA Access Control 

Based on User, Role, and Location



Set on Structure, Object and Attribute level

Special Authentication functions 

Re-authentication, Double authentication



Log over



Audit trail of user actions



Digital signatures

Secure in Deployment: Product Organization Support overview



Primarily a task for Project/Support organizations.



Supported from product organization: 

User manuals, guidelines and system functions



Recommendations for Secure Architectures



Backup/Restore solutions



Malware Protection solutions



Patch Management solutions



Security Event Management solutions



Asset Inventory/Management solutions



Product Support organization

Secure in Deployment: Secure Architecture, Security Zones

Security Zones: Multiple Network layers

Secure in Deployment: Patch Management, Security Updates

Validation of Microsoft security updates 

All relevant updates are tested for compatibility



At least every month



Dedicated Security Test Lab covering all supported 800xA system versions



Result published typically within 3 – 7 days



Available through ABB Automation Sentinel

Other 3rd party SW (e.g. Adobe Reader) 

Released from SW vendor without schedule



Verified with next Microsoft Security Update

Secure in Deployment: Patch Management, Deployment solutions

800xA System Revisions 



The System Update Tool

Microsoft Security Updates 



The System 800xA Qualified Security Updates 

for node by node deployment



Security Updates delivered from ABB

WSUS for centralized management (Recommended 3rd party additions)


Secure in Deployment: Malware Protection solutions (Qualified 3rd party additions)

McAfee VirusScan® Enterprise and Symantec Endpoint Protection

Configuration guidelines

Verified in system tests

Node based or centralized management

‘Daily’ verification of Definition files

Accreditation of Anti-virus SW

Update production systems with 48h delay

Application Whitelisting 

SE46: To be released with FP4 Q1 2013



Industrial Defender HIPS: Under testing

Communication: Cyber security response, Reporting



Cyber security response system to handle security vulnerabilities and incidents (issues)



Customers and other stakeholders are encouraged to use the “Contact us” feature on ABB’s Cyber security webpage http://www.abb.com/cybersecurity to report any security issue

Communication: Cyber security response, Issue handling

When reporting: Provide contact information with a short message (without details of the security issue)



ABB Cyber security response team






Contacts the user to get details of the issue and provide responses via a protected communication method.



Analyses the issue involving security and product experts and provides mitigation measures.

Product responsible provides final mitigation solution and/or product correction.

Communication: Cyber security response, Vulnerability disclosure

When mitigation solution or product correction exists:

Confidentially reported or internally found vulnerability → Disclosure to ABB and customers

Publicly announced vulnerability → Public disclosure on www.abb.com and ICS-CERT

Communication: Vulnerability disclosure for Customers

To all customers known to ABB regardless of maintenance contracts



Security Bulletin: Security related Product defect or problem not related to safety. My Control System planned to be used

Safety Report: Product defect or problem which has the potential to cause a loss of safety in the use of the product

Product Alert: Product defect that may result in, although not directly cause or create, a safety issue or a process misbehavior.

A security problem which is or may result in a safety problem will be announced as Safety Report or Product Alert

Communication: Security via ABB Automation Sentinel

Product Bulletins with Security Validation status 

Microsoft Security Updates (monthly update)



Virus Definition files (after each update, almost daily)



3rd party SW (after each update)



E-mail notification service on updates



Product Updates

What do I get from where? Solutions from ABB 

System 800xA 



ABB Automation Sentinel 



Configuration compliance management service

E163 – Cyber Security for System 800xA 


Keeps you up to date

ABB’s Cyber Security Fingerprint 



Covering your essential needs/The good start…

Expert Workshop training

What do I get from where? Solutions from ABB’s partners 








Malware protection: AntiVirus 

Anti Virus Enterprise and ePO Server from McAfee



Symantec Endpoint Protection

Malware protection: Application Whitelisting 

SE46 from Cryptzone (Q1 2013)





Security Event Monitoring 

Industrial Defender Monitor





Configuration compliance management (24*7) 

Industrial Defender Manage (Q1 2013)





SD3 + C for System 800xA: For current solutions and future improvements

Secure by Design: Project gates, Threat modeling, Static Code analysis, Reviews, Testing

Secure by Default: Automated installation; Default settings and hardening; Host defenses, Network defenses

Secure in Deployment: Architecture recommendations; Malware protection, Patch Management; Centralized security monitoring

Communication: Cyber Security Response; Vulnerability disclosure; ABB Automation Sentinel