ICS Cybersecurity Lifecycle PDF 2013

Document Details

RefreshedRabbit

Uploaded by RefreshedRabbit

Mutah University - Faculty of Engineering

2013

John Cusimano, Gene Garmack

Tags

cybersecurity industrial control systems ICS security cyber threats

Summary

This white paper from exida discusses the ICS Cybersecurity Lifecycle, a continuous process crucial for industrial control systems (ICS) to prevent cyber-attacks. It highlights the importance of cybersecurity in national security and presents a lifecycle approach to managing cybersecurity throughout an ICS system.

Full Transcript

The ICS Cybersecurity Lifecycle White Paper exida 80 N. Main St. Sellersville, PA www.exida.com August 2013 exida White Paper Library http://www.exida.com/Resources/Whitepapers Copyright exida.com L.L.C. 20...

The ICS Cybersecurity Lifecycle White Paper exida 80 N. Main St. Sellersville, PA www.exida.com August 2013 exida White Paper Library http://www.exida.com/Resources/Whitepapers Copyright exida.com L.L.C. 2018-2020 excellence in dependable automation Abstract With the ever changing threats posed by cyber events of any nature, it has become critical to recognize these emerging threats, malicious or not, and identify the consequences these threats may have on the operation of an industrial control system (ICS). Cyber-attacks over time have the ability to take on many forms and threaten not only industrial but also national security. Saudi Aramco, the world's largest exporter of crude oil, serves as a perfect example depicting how devastating a cyber-attack can truly be on an industrial manufacturer. In August 2012, Saudi Aramco (SA) had 30,000 personal computers on its network infected by a malware attack better known as the "Shamoon" virus. According to InformationWeek Security this was roughly 75 percent of the company’s workstations and took 10 days to complete clean-up efforts.i The seriousness of cyber-attacks in regards to national security was addressed by former United States Secretary of Defense Leon W. Panetta in his speech on October 2012. Panetta issued a strong warning to business executives about cybersecurity as it relates to national security." A cyber-attack perpetrated by nation states [and] violent extremists groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze the nation," he stated. "For example, we know that foreign cyber actors are probing America's critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout this country."ii In addition to Panetta’s address, the U.S. Department of Homeland Security has issued several alerts about coordinated attacks on gas pipeline operators, according to a May 2012 report by ABC News.iii This whitepaper will focus on the significance of cyber-attacks on industrial control systems (ICS) and how these attacks can be prevented by proper practice of the ICS Cybersecurity lifecycle. Conclusion A lifecycle approach to cybersecurity will ensure that cybersecurity is properly addressed, not only during the initial design stage, but throughout the lifecycle of the system. We recommend that companies adopt this approach for existing systems (i.e. brownfield) as well as for new systems (i.e. greenfield) and develop and enforce the appropriate policies and procedures to ensure the process is consistently followed. ICS Cybersecurity Lifecycle, Copyright © exida.com LLC 2018-2020 Page 2 excellence in dependable automation What is the ICS Cybersecurity Lifecycle? The ICS Cybersecurity Lifecycle is a visual guide that recognizes the principle that cybersecurity is a continuous process that requires attention and care not only during the initial design stage but throughout the lifecycle of the system. We have divided the cybersecurity lifecycle into three main phases; the Assess Phase, the Implement Phase and the Maintain Phase. Each phase consists of multiple process steps. The major activities performed in each step are described as well as the inputs to and the outputs from each step. Additionally, there is an overall Cybersecurity Management Program that must be addressed throughout the lifecycle. This is visualized as the long white bar that spans all three phases. ICS Cybersecurity Lifecycle, Copyright © exida.com LLC 2018-2020 Page 3 excellence in dependable automation Figure 1: The ICS Cybersecurity Lifecycle ICS Cybersecurity Lifecycle, Copyright © exida.com LLC 2018-2020 Page 4 excellence in dependable automation The Cybersecurity Management Program, as illustrated by the tall white vertical bar in Figure 1, includes those activities, such as development of policies and procedures as well as deployment of training and awareness programs, which are vital to the long term success of the program. The Assess Phase, as illustrated by the red shaded section in Figure 1, is an assessment typically done early in the project (e.g. as part of the FEED study). It is focused on identifying and quantifying the current ICS risks allowing for resources to be applied to the highest-risk items first. The Implement Phase, as illustrated by the yellow shaded section in Figure 1, includes engineering, commissioning, and startup phases. This phase focuses on designing and implementing technical controls or countermeasures to mitigate the identified risks, particularly those that are unacceptably high. It also consists of verifying and testing the security of the system before deployment. The Maintain Phase, as illustrated by the green shaded section in Figure 1, as implied by the name, includes operating and maintaining the system. Security controls can deteriorate within a short amount of time because new vulnerabilities/threats appear almost daily. This makes planning for ongoing maintenance extremely important. Cybersecurity Management Program As previously stated, the Cybersecurity Management Program embodies those activities that are vital to the long term success of the program such as policy/procedure development and awareness/training programs. Such polices, awareness, and training should be in practice throughout all phases of the lifecycle. Policies It is important to establish security policies as a company, as a corporation, or even on a project specific basis in order to ensure that both the employees and suppliers understand their expectations and how to achieve them. Establishing security policies also allows for the demonstration of management support as well as the planning of options in the case of a security breach. Effective policies should describe what is projected to be achieved rather than how it is expected to be achieved. That being said, such policies should remain technology independent and solely focus on what aspects need to be accomplished. ICS Cybersecurity Lifecycle, Copyright © exida.com LLC 2018-2020 Page 5 excellence in dependable automation Figure 2: Key ICS Security Policy Topics Figure 2 displays the types of items that should be highlighted within security policies. As you can see, a significant portion of the items tend to coincide with general IT policy security topics. Although the items between IT and ICS security policies are highly similar, the application of such to industrial control system environment can vary quite drastically. Patch management for example is a typical part of both IT security policies and ICS security policies. However, unlike in an ICS policy, IT policies will advise a rapid response for the implementation and deployment of security patches from vendors such as Microsoft. As far as an enterprise setting, a rapid response method is perfectly acceptable if not expected. However, in a control system environment, patching systems can have significant repercussions if not tested or done properly. Therefore a rapid response method would not be advised but rather a slower, more cautious response. Overall, ICS policies may borrow from but must differ from those of the IT department. It is exida’s experience that the best results occur when IT and control system personnel collaborate and establish what they believe to be the best policies around control system security. Awareness Programs Aside from effective policies, the steadfastness of a security system is directly dependent on the awareness of its personnel. Typically an employee or contractor does not fully understand the potential impact of his or her actions which leads to a high amount of policy violations and social engineering involved in most security breaches. This is why it is vital to ensure that employees, contractors, and any other personnel in contact with the control system are aware of what exactly an ICS is, what risks/threats ICS Cybersecurity Lifecycle, Copyright © exida.com LLC 2018-2020 Page 6 excellence in dependable automation are present, and why these risks/threats need to be taken seriously. The majority of people believe that technical solutions take care of the security concerns therefore allowing them to come to the conclusion that their actions have little impact on the control system as a whole. It is important to remind personnel on a regular basis to be vigilant and attentive to matters of control system security to eliminate this misconception. Training Programs It is also vital to an ICS to properly train all its stakeholders and inform them of the reasons behind specific security policies, the acceptable procedures and practices, and the social engineering ploys. Training such people can aid in the understanding of updated security controls, ideas that can be utilized to reduce risks, and impacts on the company if security methods are not incorporated. The best training programs that have been observed by exida have been programs that are tailored and role-based providing information for someone’s specific skill level and job requirements. Assess Phase The Assess phase, as shown in Figure 3, can be divided into three subsections. The first subsection involves scoping and defining the project. This is followed by assessing the risk and vulnerability of the system, and lastly documenting the requirements. Figure 3: Diagram of Assess Phase ICS Cybersecurity Lifecycle, Copyright © exida.com LLC 2018-2020 Page 7 excellence in dependable automation Scope Definition and Project Setup The first step in the Assess Phase is Scope Definition and Project Setup. The purpose of this step is to define the parameters of the project and clearly identify what it is you will be assessing. Overall goals for this step are as follows: Identify and contain the scope of the project Identify project constraints Gather and organize information Define roles and responsibilities Establish training requirements The scope definition and project setup can be either a formal or informal process depending on the current state of the project; greenfield or brownfield. Other factors involved in properly defining the scope include corporate site policies and procedures, project-specific requirements, architectural drawings, and relevant regulations and standards. Once the scope definition and project setup is completed, documentation of all this information should be placed in a cybersecurity management plan, regardless of whether a corporate security plan is already in place. The plan should include project-specific issues, such as: Corporate security plans Project-specific requirements Joint venture partner issues Local regulations Processes Roles and responsibilities Vulnerability Assessment, Risk Assessment, & Target Selection The next subsection of the Assess Phase consists of determining the vulnerability and risk of the system and identifying risk reduction targets. The purpose of these steps is to classify the business risk in terms of impact on health, safety, environment, equipment, business continuity, and others that could result from compromise of the ICS. This portion requires a vulnerability assessment followed by a risk assessment in order to quantify or qualify the risks and to ensure that these risks are prioritized/addressed with the appropriate amount of resources. The comprehensive goals of this subsection of the assess phase include: Identifying and classifying key cyber assets Identifying and quantifying vulnerabilities, threats, and consequences, Determining risks Establishing risk reduction targets ICS Cybersecurity Lifecycle, Copyright © exida.com LLC 2018-2020 Page 8 excellence in dependable automation Vulnerability Assessment A vulnerability assessment is performed in order to identify weaknesses within a system. How these assessments are conducted can vary greatly depending on whether it is being performed on a new system or an existing system. Assessments on existing systems involve analyzing actual and potential security vulnerabilities by reviewing the current design, performing a site visit, collecting information, and analyzing the system as it is currently running. For new systems, an assessment can only be performed on the system design. Some of the important items to investigate while conducting a vulnerability assessment include: Network architecture diagrams Network component configurations (e.g., switches, routers, firewalls) Host device configurations (e.g., servers, workstations) Access control strategies (e.g., how will people and computers access) Software and firmware versions Once all items have been thoroughly investigated, a risk assessment can then be conducted. Risk Assessment A risk assessment analyzes the vulnerabilities presented in the vulnerability assessment and determines the consequential risks these vulnerabilities possess. Required by ISA/IEC 62443-2-1 [Ref. 2 & 3], the major steps of a cybersecurity risk assessment (also known as a Cyber HAZOP or Cyber PHA) include identifying the threats, vulnerabilities, and consequences, should the threats be realized or exploited, followed by a qualification of the severity of the consequences and the likelihood that the threat could occur, taking into account existing safeguards. The outcome of this process is the residual risk. An example of a Cyber HAZOP is shown in Figure 4. Characterizing threats is a crucial part of the risk assessment. Threats can vary depending on the type of process, the location, risks, and hazards. However in general, threat sources can be categorized in one of four types: Authorized personnel—non-malicious in nature; someone who may unintentionally misuse the system Unauthorized personnel—mischievous if not malicious in nature; someone attempting to do something beyond his or her level of authority Outsider—any non-authorized person with malicious intent Malware—any malicious software that enters the control system such as virus, worm, Trojan horse ICS Cybersecurity Lifecycle, Copyright © exida.com LLC 2018-2020 Page 9 excellence in dependable automation Figure 4: Example Cyber HAZOP Model the System, Document the Requirements The last section of the assess phase consists of modeling the system and documenting the requirements. Typically a zone and conduit model as introduced in ISA/IEC 62443-1-1 [Ref. 1 & 2] will be used to model the system. Applying this model to a standard control system requires defined security zones and the communication channels (conduits) between those zones. Possible zones could include: business or enterprise zone, process information zone, process operations zone, process safety zone, process control zone, and process measurement zone. Breaking the system down into defined electronic security zones allows for the containment of the threat within a specific area and the application of a certain level of security to all aspects in the zone. The following items must be documented into a cybersecurity requirements specification document for each zone and conduit to be in accordance with the ISA 61443-3-2 standard [Ref. 5]: Scope and purpose of the system Physical and environmental security requirements General cybersecurity requirements Zone and conduit-specific requirements o Name and/or unique identifier o Logical boundary o Physical boundary, if applicable o List of all access points and associated boundary devices o List of data flows associated with each access point o Connected zones or conduits o List of assets and associated consequences ICS Cybersecurity Lifecycle, Copyright © exida.com LLC 2018-2020 Page 10 excellence in dependable automation o Security level target o Applicable security policies o Assumptions and external dependencies Implementation Phase Subsequent to the Assess Phase is the Implementation Phase (Figure 5). The Implementation Phase consists of two main divisions; conceptual design and detailed design. Unlike conceptual design, detailed design is focused more on the testing the design rather than the validation of the design. Figure 5: Diagram of Implement Phase Conceptual Design The conceptual design will view and assess the following: Defense-in-depth strategies Selection of countermeasures Revised zone and conduit model Updated architecture diagrams Access control strategies ICS Cybersecurity Lifecycle, Copyright © exida.com LLC 2018-2020 Page 11 excellence in dependable automation Within the conceptual design, the selection of counter measures can be applied in order to mitigate risk. ISA 62443-3-3 [Ref. 6] provides excellent guidance on countermeasures. Each countermeasure is assigned to a category and a Security Level capability. Examples of counter measures include: Physical access controls Logical access controls Portable media management Malicious code protection Organizational and operational controls Communications filtering Data Encryption Design Validation Following the identification and application of proper counter measures, it is essential to verify that the new secure design has reached its objectives. One method of effectively verifying whether these objectives have been met is to return back to the risk assessment performed in the assess phase, document the newly implemented safe guards/mitigations and re-evaluate. If the new design goals have been achieved the risk following re-evaluation should be reduced to levels that are tolerable. Test Planning and Acceptance Testing Once reduced levels of risk have been accomplished, the next step is to develop a test plan. Thorough and proficient test plans should involve creating test objectives and test plans based on cybersecurity requirements and design specifications. A checklist to audit security settings is also helpful in implementing test plans. While such methods are still valid in any test plan, it is important to conduct more rigorous testing for greenfield projects such as abuse cases. Abuse cases will test the boundaries of the systems at its entry points to determine if the system operates as designed. Additionally, the abuse case will negatively test the system in order to conclude if the security in place can be violated. Abuse cases can be simulated by penetration or pen-testing. As implied by the name, pen-testing refers to the deliberate attempt to infiltrate safe guards. It is generally not appropriate to conduct such testing on operational (i.e. online) control systems as the testing may cause the system to behave in an unpredictable and thus unsafe manner. However, more aggressive testing can safely be performed and is encouraged during factory acceptance testing or site acceptance testing of a new or updated system. Conducting rigorous testing of these systems before deployment will ensure the safety of the system as well as the overall safety of the company and its employees. ICS Cybersecurity Lifecycle, Copyright © exida.com LLC 2018-2020 Page 12 excellence in dependable automation Maintain Phase The final stage of the cybersecurity lifecycle is the maintain phase (Figure 6). This phase encompasses the maintenance of implemented counter measures, monitoring security, modification/decommissioning, and periodic assessments of the systems in place. Figure 6: Diagram of Maintain Phase Countermeasure Maintenance and Security Monitoring As previously mentioned, threat environments are perpetually fluctuating and present new vulnerabilities almost daily. It is for this reason the implication of countermeasures cannot be a one-time process. The continual overseeing and preservation of the system is undeniably necessary in order to guarantee proper security. Such security could involve the monitoring of patches, anti-virus software, and system logs. Inspection of system logs can allow for the detection of unusual events as well as possible intrusions. Another method to reveal possible intrusions is the usage a technology called intrusion detection. Intrusion detection will analyze network traffic and indicate if the system is being invaded, in addition to recognizing any abnormalities/anomalies in the network communications. Incident Response Planning and Periodic Assessments Accompanying the monitoring of the system should be proper planning and preparation regarding the response to a security incident. Planning response mechanisms prior to a security incident is always recommended. Periodic audits are also a critical part of security maintenance due to the deterioration of measures and practices over time as well as the availability of new information and techniques. If it is determined that a modification must be made during one of these period assessments it is important to re-evaluate the system by returning to the appropriate phase of the cycle. Where to return in the lifecycle will be dependent of the severity and implications of the change. Sections of the process may need to be repeated but this replication will ultimately provide the necessary upto-date security required for proper system operation. ICS Cybersecurity Lifecycle, Copyright © exida.com LLC 2018-2020 Page 13 excellence in dependable automation References 1. ANSI/ISA 99.00.01-2007, “Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models”, 2007. 2.. 3. IEC/TS 62443-1-1 ED. 1.0 EN:2009, “Industrial communication networks - Network and system security - Part 1- 1: Terminology, concepts and models", 2009.. 4. ANSI/ISA 99.02.01-2009, “Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program”, 2009. 5.. 6. IEC 62443-2-1 ED. 1.0 EN:2010, “Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program”, 2010. 7. ISA-62443-3-2, “Security for Industrial Automation and Control Systems: Security assurance levels for zones and conduits”, Draft for Comment, http://isa99.isa.org/Documents/Drafts/ISA-62443-3-2-WD.pdf 8. ISA-62443-3-3, “Security for Industrial Automation and Control Systems: System security requirements and security assurance levels”, Approved, http://isa99.isa.org/Documents/Drafts/ISA-62443-3-3-WD.pdf Source Material The material for this White Paper was adapted from the following exida training courses: Understanding and Applying the ICS Cybersecurity Lifecycle (4-day) 7 Steps to Industrial Control System Security (1-day) Revision History Authors: John Cusimano, Gene Cammack ICS Cybersecurity Lifecycle, Copyright © exida.com LLC 2018-2020 Page 14 excellence in dependable automation exida – Who we are. exida is one of the world’s leading accredited certification and knowledge companies specializing in automation system cybersecurity, safety, and availability. Founded in 2000 by several of the world’s top reliability and safety experts, exida is a global company with offices around the world. exida offers training, coaching, project-oriented consulting services, standalone and internet-based safety and cybersecurity engineering tools, detailed product assurance and certification analysis, and a collection of online safety, reliability, and cybersecurity resources. exida maintains a comprehensive failure rate and failure mode database on electrical and mechanical components, as well as automation equipment based on hundreds of field failure data sets representing over 350 billion unit operating hours. exida Certification is an ANSI (American National Standards Institute) accredited independent certification organization that performs functional safety (IEC 61508 family of standards) and cybersecurity (IEC 62443 family of standards) certification assessments. exida Engineering provides the users of automation systems with the knowledge to cost- effectively implement automation system cybersecurity, safety, and high availability solutions. The exida team will solve complex issues in the fields of functional safety, cybersecurity, and alarm management, like unique voting arrangement analysis, quantitative consequence analysis, or rare event likelihood analysis, and stands ready to assist when needed. Training exida believes that safety, high availability, and cybersecurity are achieved when more people understand the topics. Therefore, exida has developed a successful training suite of online, on-demand, and web-based instructor-led courses and on-site training provided either as part of a project or by standard courses. The course content and subjects range from introductory to advanced. The exida website lists the continuous range of courses offered around the world. Knowledge Products exida Innovation has made the process of designing, installing, and maintaining a safety and high availability automation system easier, as well as providing a practical methodology for managing cybersecurity across the entire lifecycle. Years of experience in the industry have allowed a crystallization of the combined knowledge that is converted into useful tools and documents, called knowledge products. Knowledge products include procedures for implementing cybersecurity, the Safety Lifecycle tasks, software tools, and templates for all phases of design. Tools and Products for End User Support exSILentia® – Integrated Safety Lifecycle Tool ICS Cybersecurity Lifecycle, Copyright © exida.com LLC 2018-2020 Page 15 excellence in dependable automation o PHAx™ (Process Hazard Analysis) o LOPAx™ (Layer of Protection Analysis) o SILAlarm™ (Alarm Management and Rationalization) o SILect™ (SIL Selection and Layer of Protection Analysis) o Process SRS (PHA based Safety Requirements Specification definition) o SILver™ (SIL verification) o Design SRS (Conceptual Design based Safety Requirements Specification definition) o Cost (Lifecycle Cost Estimator and Cost Benefit Analysis) o PTG (Proof Test Generator) o SILstat™ (Life Event Recording and Monitoring) exSILentia® Cyber- Integrated Cybersecurity Lifecycle Tool o CyberPHAx™ (Cybersecurity Vulnerability and Risk Assessment) o CyberSL™ (Cyber Security Level Verification) Tools and Products for Manufacturer Support FMEDAx (FMEDA tool including the exida EMCRH database) ARCHx (System Analysis tool; Hardware and Software Failure, Dependent Failure, and Cyber Threat Analysis) For any questions and/or remarks regarding this White Paper or any of the services mentioned, please contact exida: exida.com LLC 80 N. Main Street Sellersville, PA, 18960 USA +1 215 453 1720 +1 215 257 1657 FAX [email protected] ICS Cybersecurity Lifecycle, Copyright © exida.com LLC 2018-2020 Page 16

Use Quizgecko on...
Browser
Browser