Unit 3. Industrial Cyber Security Lifecycle
Mutah University
AlTarawneh M.S
Summary
This document presents an overview of the industrial cyber security lifecycle. It discusses the Assess, Implement, and Maintain phases, and highlights the importance of continuous cybersecurity measures. The document also covers various aspects including security policies, risks, threats, and vulnerabilities, making it a useful resource for those involved in industrial cyber security.
Full Transcript
Unit 3. Industrial Cyber Security Lifecycle
Professor AlTarawneh M.S

Agenda
3.1 ICS life cycle
3.2 Special considerations of industrial systems
3.3 End-to-end cyber security
3.4 Cyber security by design
3.5 Cyber security in depth (multi-layered)
3.6 The four Ps of cyber security: people, products, processes, and property

Source: https://blackbear-ics.com/industrial-cybersecurity-guide/#:~:text=Implementing%20ICS%20cybersecurity%20involves%20a,to%20identify%20and%20prioritize%20vulnerabilities

What is the ICS Cyber Security Lifecycle?
The ICS Cyber Security Lifecycle is a visual guide that recognizes the principle that cyber security is a continuous process, requiring attention and care not only during the initial design stage but throughout the lifecycle of the system. We have divided the cyber security lifecycle into three main phases: the Assess Phase, the Implement Phase and the Maintain Phase. Each phase consists of multiple process steps. The major activities performed in each step are described, as well as the inputs to and the outputs from each step. Additionally, there is an overall Cyber Security Management Program that must be addressed throughout the lifecycle. This is visualized as the long white bar that spans all three phases.

Industrial cyber security lifecycle: related standards
Notice the following standards:
- IEC 61508 and IEC 61511 for functional safety in the process industry. IEC 61508 is the international standard for electrical, electronic and programmable electronic safety-related systems; it sets out the requirements for ensuring that systems are designed, implemented, operated and maintained to provide the required safety integrity level (SIL). IEC 61511 applies it to the process control sector.
- IEC 62443 for industrial control system cyber security: an international series of standards on "Industrial communication networks - IT security for networks and systems". The series is divided into different parts and describes both technical and process-related aspects of industrial cyber security.
- ISA (International Society of Automation) 18.2 for alarm management.
- ISO 26262 for functional safety of automotive systems. It addresses the need for an automotive-specific international standard that focuses on safety-critical components; ISO 26262 is a derivative of IEC 61508, the generic functional safety standard for electrical and electronic (E/E) systems.
- IEC (International Electrotechnical Commission) 62061, "Functional safety of electrical, electronic and programmable electronic control systems", the machinery-specific implementation of IEC/EN 61508, together with ISO 13849, which provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems, for safety of machinery.
- ANSI/RIA (American National Standards Institute / Robotic Industries Association) 1506 for robot safety.

The Cyber Security Management Program, as illustrated by the tall white vertical bar in Figure 1, includes those activities, such as development of policies and procedures as well as deployment of training and awareness programs, which are vital to the long-term success of the program.

The Assess Phase, as illustrated by the red shaded section in Figure 1, is an assessment typically done early in the project (e.g. as part of the FEED study). It is focused on identifying and quantifying the current ICS risks, allowing resources to be applied to the highest-risk items first.

The Implement Phase, as illustrated by the yellow shaded section in Figure 1, includes the engineering, commissioning, and startup phases. This phase focuses on designing and implementing technical controls or countermeasures to mitigate the identified risks, particularly those that are unacceptably high. It also consists of verifying and testing the security of the system before deployment.

The Maintain Phase, as illustrated by the green shaded section in Figure 1, includes, as the name implies, operating and maintaining the system. Security controls can deteriorate within a short amount of time because new vulnerabilities and threats appear almost daily. This makes planning for ongoing maintenance extremely important.

Cyber Security Management Program (CSMP)
As previously stated, the Cyber Security Management Program embodies those activities that are vital to the long-term success of the program, such as policy and procedure development and awareness and training programs. Such policies, awareness, and training should be in practice throughout all phases of the lifecycle.

Policies
It is important to establish security policies as a company, as a corporation, or even on a project-specific basis, in order to ensure that both employees and suppliers understand what is expected of them and how to achieve it. Establishing security policies also demonstrates management support and allows options to be planned in case of a security breach. Effective policies should describe what is to be achieved rather than how it is to be achieved. Accordingly, such policies should remain technology independent and focus solely on what needs to be accomplished. Figure 2 displays the types of items that should be highlighted within security policies. As you can see, a significant portion of the items coincide with general IT security policy topics. Although the items in IT and ICS security policies are highly similar, their application to an industrial control system environment can vary quite drastically. Patch management, for example, is a typical part of both IT security policies and ICS security policies. However, unlike an ICS policy, an IT policy will advise a rapid response for the implementation and deployment of security patches from vendors such as Microsoft. In an enterprise setting, a rapid response is perfectly acceptable if not expected. In a control system environment, however, patching systems can have significant repercussions if not tested or done properly. Therefore a rapid response would not be advised, but rather a slower, more cautious one. Overall, ICS policies may borrow from but must differ from those of the IT department. The best results occur when IT and control system personnel collaborate and establish what they believe to be the best policies for control system security.

Awareness Programs
Aside from effective policies, the steadfastness of a security system is directly dependent on the awareness of its personnel. Typically an employee or contractor does not fully understand the potential impact of his or her actions, which is why policy violations and social engineering are involved in most security breaches. This is why it is vital to ensure that employees, contractors, and any other personnel in contact with the control system are aware of what exactly an ICS is, what risks and threats are present, and why these risks and threats need to be taken seriously. Most people believe that technical solutions take care of the security concerns, and therefore conclude that their actions have little impact on the control system as a whole. Personnel must be reminded on a regular basis to be vigilant and attentive to matters of control system security in order to eliminate this misconception.

Training Programs
It is also vital to an ICS to properly train all its stakeholders and inform them of the reasons behind specific security policies, the acceptable procedures and practices, and the social engineering ploys they may face. Training these people aids their understanding of updated security controls, of ideas that can be used to reduce risk, and of the impact on the company if security methods are not incorporated.

Assess Phase
The Assess Phase, as shown in Figure 3, can be divided into three subsections. The first involves scoping and defining the project. This is followed by assessing the risk and vulnerability of the system, and lastly documenting the requirements.

Scope Definition and Project Setup
The first step in the Assess Phase is Scope Definition and Project Setup. The purpose of this step is to define the parameters of the project and clearly identify what it is you will be assessing. The overall goals for this step are as follows:
- Identify and contain the scope of the project
- Identify project constraints
- Gather and organize information
- Define roles and responsibilities
- Establish training requirements

Scope definition and project setup can be either a formal or an informal process, depending on the current state of the project (green field or brown field). Other factors involved in properly defining the scope include corporate and site policies and procedures, project-specific requirements, architectural drawings, and relevant regulations and standards. Once scope definition and project setup is completed, all this information should be documented in a cyber security management plan, regardless of whether a corporate security plan is already in place. The plan should include project-specific issues, such as:
- Corporate security plans
- Project-specific requirements
- Joint venture partner issues
- Local regulations
- Processes
- Roles and responsibilities

Vulnerability Assessment, Risk Assessment, and Target Selection
The next subsection of the Assess Phase consists of determining the vulnerability and risk of the system and identifying risk reduction targets. The purpose of these steps is to classify the business risk in terms of impact on health, safety, environment, equipment, business continuity, and other areas that could result from compromise of the ICS. This portion requires a vulnerability assessment followed by a risk assessment, in order to quantify or qualify the risks and to ensure that they are prioritized and addressed with the appropriate amount of resources. The comprehensive goals of this subsection of the Assess Phase include:
- Identifying and classifying key cyber assets
- Identifying and quantifying vulnerabilities, threats, and consequences
- Determining risks
- Establishing risk reduction targets

Vulnerability Assessment
A vulnerability assessment is performed in order to identify weaknesses within a system. How these assessments are conducted can vary greatly depending on whether they are performed on a new system or an existing system. Assessments of existing systems involve analyzing actual and potential security vulnerabilities by reviewing the current design, performing a site visit, collecting information, and analyzing the system as it is currently running. For new systems, an assessment can only be performed on the system design. Some of the important items to investigate while conducting a vulnerability assessment include:
- Network architecture diagrams
- Network component configurations (e.g., switches, routers, firewalls)
- Host device configurations (e.g., servers, workstations)
- Access control strategies (e.g., how people and computers will gain access)
- Software and firmware versions

Once all items have been thoroughly investigated, a risk assessment can be conducted.

Risk Assessment
A risk assessment analyzes the vulnerabilities identified in the vulnerability assessment and determines the risks these vulnerabilities pose. Required by ISA/IEC 62443-2-1, the major steps of a cyber security risk assessment (also known as a Cyber HAZOP or Cyber PHA) are: identifying the threats, the vulnerabilities, and the consequences should the threats be realized or exploited; then qualifying the severity of the consequences and the likelihood that the threat could occur, taking into account existing safeguards. The outcome of this process is the residual risk. An example of a Cyber HAZOP is shown in Figure 4.

Characterizing threats is a crucial part of the risk assessment. Threats can vary depending on the type of process, the location, risks, and hazards. In general, however, threat sources can be categorized into one of four types:
- Authorized personnel: non-malicious in nature; someone who may unintentionally misuse the system
- Unauthorized personnel: mischievous if not malicious in nature; someone attempting to do something beyond his or her level of authority
- Outsider: any non-authorized person with malicious intent
- Malware: any malicious software that enters the control system, such as a virus, worm, or Trojan horse

Figure 4: Example Cyber HAZOP

Model the System, Document the Requirements
The last section of the Assess Phase consists of modeling the system and documenting the requirements. Typically a zone and conduit model, as introduced in ISA/IEC 62443-1-1, will be used to model the system. Applying this model to a standard control system requires defining security zones and the communication channels (conduits) between those zones. Possible zones include: business or enterprise zone, process information zone, process operations zone, process safety zone, process control zone, and process measurement zone. Breaking the system down into defined electronic security zones allows a threat to be contained within a specific area and a certain level of security to be applied to all aspects in the zone.
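A zone and conduit model is only useful if the traffic actually observed on the network matches the conduits that were documented. The following Python example is added here and is not from the slides or from ISA/IEC 62443 itself: it records zones with their security level targets, the conduits between them with their boundary devices and allowed data flows, and flags any observed inter-zone flow that either has no documented conduit (an undocumented access point) or is not on the conduit's allowed list. The zone names follow the list above; the hostnames, protocols and flows are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataFlow:
    """One inter-zone communication, as listed per access point for a conduit."""
    src_zone: str
    dst_zone: str
    protocol: str

@dataclass
class Zone:
    name: str
    security_level_target: int   # SL-T documented for the zone
    assets: tuple                # asset identifiers inside the zone (constructed names)

@dataclass
class Conduit:
    name: str
    zones: frozenset             # the two zone names this conduit connects
    boundary_devices: tuple      # devices enforcing the conduit, e.g. a firewall
    allowed_flows: frozenset     # DataFlow objects the conduit is documented to carry

def validate_model(zones, conduits, observed_flows):
    """Compare the documented zone/conduit model with observed traffic; return findings."""
    findings, zone_names, by_pair = [], {z.name for z in zones}, {}
    for c in conduits:
        if len(c.zones) != 2 or not c.zones <= zone_names:
            findings.append(f"conduit {c.name}: must join exactly two documented zones")
            continue
        if not c.boundary_devices:
            findings.append(f"conduit {c.name}: no boundary device listed")
        by_pair[c.zones] = c
    for f in observed_flows:
        if f.src_zone == f.dst_zone:
            continue  # intra-zone traffic does not cross a conduit
        c = by_pair.get(frozenset((f.src_zone, f.dst_zone)))
        if c is None:   # traffic between zones with no documented conduit at all
            findings.append(f"undocumented access point: {f.src_zone} -> {f.dst_zone} ({f.protocol})")
        elif f not in c.allowed_flows:   # conduit exists but this flow is not on its list
            findings.append(f"conduit {c.name}: {f.protocol} {f.src_zone} -> {f.dst_zone} not in allowed flows")
    return findings

def run_sample():
    """Constructed sample: three zones, one documented conduit, four observed flows."""
    zones = [Zone("business zone", 1, ("erp-01",)),
             Zone("process control zone", 2, ("hmi-01", "plc-01")),
             Zone("process safety zone", 3, ("sis-01",))]
    historian = DataFlow("process control zone", "business zone", "OPC UA")
    conduits = [Conduit("enterprise-control", frozenset({"business zone", "process control zone"}),
                        ("fw-dmz-01",), frozenset({historian}))]
    observed = [historian,                                                              # documented
                DataFlow("business zone", "process control zone", "RDP"),               # not on the allowed list
                DataFlow("process control zone", "process safety zone", "Modbus/TCP"),  # no conduit documented
                DataFlow("process control zone", "process control zone", "Modbus/TCP")] # intra-zone, ignored
    return validate_model(zones, conduits, observed)
```

Each finding corresponds to a gap in the requirements specification: either a conduit that was never documented or an access point whose data flow list is incomplete.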
The following items must be documented in a cyber security requirements specification for each zone and conduit, in accordance with the ISA 62443-3-2 standard:
- Scope and purpose of the system
- Physical and environmental security requirements
- General cyber security requirements
- Zone and conduit-specific requirements
  o Name and/or unique identifier
  o Logical boundary
  o Physical boundary, if applicable
  o List of all access points and associated boundary devices
  o List of data flows associated with each access point
  o Connected zones or conduits
  o List of assets and associated consequences
  o Security level target
  o Applicable security policies
  o Assumptions and external dependencies

Implementation Phase
Subsequent to the Assess Phase is the Implementation Phase (Figure 5). The Implementation Phase consists of two main divisions: conceptual design and detailed design. Unlike conceptual design, detailed design focuses more on testing the design than on validating it.

Conceptual Design
The conceptual design will view and assess the following:
- Defense-in-depth strategies
- Selection of countermeasures
- Revised zone and conduit model
- Updated architecture diagrams
- Access control strategies

Within the conceptual design, countermeasures are selected and applied in order to mitigate risk. ISA 62443-3-3 provides excellent guidance on countermeasures. Each countermeasure is assigned to a category and a Security Level capability. Examples of countermeasures include:
- Physical access controls
- Logical access controls
- Portable media management
- Malicious code protection
- Organizational and operational controls
- Communications filtering
- Data encryption

Design Validation
Following the identification and application of proper countermeasures, it is essential to verify that the new secure design has reached its objectives. One effective method of verifying whether these objectives have been met is to return to the risk assessment performed in the Assess Phase, document the newly implemented safeguards and mitigations, and re-evaluate. If the new design goals have been achieved, the risk following re-evaluation should be reduced to tolerable levels.

Test Planning and Acceptance Testing
Once reduced levels of risk have been accomplished, the next step is to develop a test plan. Thorough and proficient test plans should involve creating test objectives and test plans based on the cyber security requirements and design specifications. A checklist for auditing security settings is also helpful in implementing test plans. While such methods are valid in any test plan, it is important to conduct more rigorous testing for green field projects, such as abuse cases. Abuse cases test the boundaries of the system at its entry points to determine whether the system operates as designed. Additionally, an abuse case negatively tests the system in order to conclude whether the security in place can be violated. Abuse cases can be simulated by penetration testing, or pen-testing. As implied by the name, pen-testing refers to the deliberate attempt to infiltrate safeguards. It is generally not appropriate to conduct such testing on operational (i.e. online) control systems, as the testing may cause the system to behave in an unpredictable and thus unsafe manner. However, more aggressive testing can safely be performed, and is encouraged, during factory acceptance testing or site acceptance testing of a new or updated system. Conducting rigorous testing of these systems before deployment will ensure the safety of the system as well as the overall safety of the company and its employees.

Maintain Phase
The final stage of the cyber security lifecycle is the Maintain Phase (Figure 6). This phase encompasses the maintenance of implemented countermeasures, security monitoring, modification and decommissioning, and periodic assessments of the systems in place.

Countermeasure Maintenance and Security Monitoring
As previously mentioned, threat environments are perpetually changing and present new vulnerabilities almost daily. For this reason the implementation of countermeasures cannot be a one-time process. Continual overseeing and preservation of the system is necessary in order to guarantee proper security. This could involve the monitoring of patches, anti-virus software, and system logs. Inspection of system logs allows for the detection of unusual events as well as possible intrusions. Another method of revealing possible intrusions is the use of a technology called intrusion detection. Intrusion detection analyzes network traffic and indicates if the system is being invaded, in addition to recognizing any abnormalities or anomalies in the network communications.

Incident Response Planning and Periodic Assessments
Accompanying the monitoring of the system should be proper planning and preparation for the response to a security incident. Planning response mechanisms prior to a security incident is always recommended. Periodic audits are also a critical part of security maintenance, due to the deterioration of measures and practices over time as well as the availability of new information and techniques. If it is determined that a modification must be made during one of these periodic assessments, it is important to re-evaluate the system by returning to the appropriate phase of the cycle. Where to return in the lifecycle depends on the severity and implications of the change. Sections of the process may need to be repeated, but this repetition will ultimately provide the up-to-date security required for proper system operation.
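The Cyber HAZOP/PHA steps from the Assess Phase (threat source, vulnerability, consequence, severity and likelihood with existing safeguards credited, residual risk compared with a risk reduction target) and the design validation re-run from the Implementation Phase, worked through in Python. This is an added example, not material from the slides or from ISA/IEC 62443; the 5x5 scoring, the tolerable-risk threshold, the likelihood credit per safeguard and the register rows are constructed assumptions rather than values taken from any standard.

```python
from dataclasses import dataclass, field

TOLERABLE = 8   # constructed risk reduction target: residual score must not exceed 8

def risk_score(severity: int, likelihood: int) -> int:
    """Constructed 5x5 matrix: consequence severity times likelihood, each rated 1..5."""
    if not (1 <= severity <= 5 and 1 <= likelihood <= 5):
        raise ValueError("severity and likelihood are rated 1..5")
    return severity * likelihood

@dataclass
class CyberPhaRow:
    zone: str
    threat_source: str       # authorized personnel, unauthorized personnel, outsider or malware
    vulnerability: str
    consequence: str
    severity: int            # 1..5, severity of the consequence if the threat is realized
    likelihood: int          # 1..5, likelihood with no safeguards credited
    safeguards: dict = field(default_factory=dict)  # safeguard name -> likelihood levels credited

    def residual_likelihood(self) -> int:
        # Each credited safeguard lowers the likelihood by its levels, never below 1.
        return max(1, self.likelihood - sum(self.safeguards.values()))

    def unmitigated_risk(self) -> int:
        return risk_score(self.severity, self.likelihood)

    def residual_risk(self) -> int:
        return risk_score(self.severity, self.residual_likelihood())

def prioritize(rows):
    """Highest residual risk first, so resources go to the worst items first."""
    return sorted(rows, key=lambda r: r.residual_risk(), reverse=True)

def revalidate(rows, new_countermeasures):
    """Design validation: credit the newly selected countermeasures per zone, then
    re-evaluate; returns the zones whose residual risk still exceeds TOLERABLE."""
    for row in rows:
        row.safeguards.update(new_countermeasures.get(row.zone, {}))
    return [r.zone for r in prioritize(rows) if r.residual_risk() > TOLERABLE]

def sample_register():
    """Constructed Cyber PHA rows; existing safeguards are already credited."""
    return [
        CyberPhaRow("process control zone", "malware", "unpatched engineering workstation",
                    "loss of view and control", severity=5, likelihood=4,
                    safeguards={"enterprise/control firewall": 1}),
        CyberPhaRow("process safety zone", "authorized personnel", "shared maintenance account",
                    "unintended safety function bypass", severity=5, likelihood=3),
        CyberPhaRow("business zone", "outsider", "internet-facing web server",
                    "loss of production scheduling data", severity=2, likelihood=4,
                    safeguards={"perimeter firewall": 1}),
    ]

# Countermeasures chosen in conceptual design (constructed), to be credited per zone.
NEW_COUNTERMEASURES = {
    "process control zone": {"application allow-listing": 1, "portable media control": 1},
    "process safety zone": {"individual accounts with MFA": 1},
}
```

Any zone that revalidate() still returns has not reached its risk reduction target, which sends the design back to countermeasure selection rather than forward to test planning.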