The Department of Homeland Security (DHS) is tasked with many things. One area of focus is Industrial Control Systems (ICS). The Industrial Control Systems Joint Working Group (ICSJWG) was formed to facilitate this focus. This group holds semi-annual conferences (Spring and Fall) in various US cities. These meetings are filled with presentations by industry experts on cyber security for ICS. The meeting format can vary somewhat but usually includes several tracks of presentations that cater to the interest of the attendees. There is also one day set aside for cyber security training for either a beginner or intermediate level. One of the best things about these conferences … they are FREE to attend. You only have to pay your…
Product Certification
Over 60 new products received functional safety or cybersecurity certification this year. Those products and more can be found on our Safety Automation Element List. Most significant to me are the new product categories including:
exida Certification has expanded its scope…
About 5 years ago I was sitting around a big table in a conference room at a major LNG terminal. Outside the window I could see a big city harbor filled with boats, bridges, sky scrapers and approximately 5 million people. I could also see two huge LNG storage tanks that, I was told, had the hazard potential to form a vapor cloud that could cover the harbor and, under the right conditions, could burn and explode.
I was brought to the facility by a control system integrator who had been working onsite and had concerns about the control system security and the potential risk that it represented. They wanted me to discuss options to evaluate and improve the…
Last week I attended the ISA Water/Wastewater and Automatic Controls Symposium in Bethesda, Maryland. The conference was attended by equipment manufacturers and municipalities, but system integrators composed the largest group. The technical sessions mainly discussed new opportunities for implementing the industrial internet of things (IoT) and cybersecurity concerns. Both topics are central for the future of IACS (industrial automation and control systems) and SCADA (supervisory control and data acquisition) systems, but they provide disparate advice regarding remote access, a critical component of SCADA systems.
Due to the remote nature of the control devices in SCADA systems, wireless networks are a necessity for the overall cost and feasibility of the design. Industrial IoT focuses on helping integrators design an…
ICS cybersecurity standards such as ISA 62443 (formerly ISA 99) and NERC CIP require operators to have policies and procedures in place to monitor and maintain their critical ICS cyber assets. For anything other than very small systems, the obvious choice is to implement systems to automate these procedures. So, in our practice of performing cybersecurity vulnerability assessments, we are seeing a large number of servers being installed to provide services such as asset management, user authentication, anti-virus management, whitelisting management, patch management, backup/restore, etc. These servers are being installed “in the name of” improving cybersecurity but are they really? These are generally IT-driven projects, so, in most cases these servers are being installed on the…
Personnel responsible for protecting organizational assets within Operations Technology (OT) groups would seem to have the same mission as those responsible for protecting organizational assets within Information Technology (IT) groups, and be tightly aligned. Spending any amount of time with Industrial Control System (ICS) clients, however, shows that is certainly not the case. Let’s look at some reasons why this is and what can be done about it.
Profit-producing entities seek to organize themselves to generate revenues, minimize costs, and maximize profits. They do themselves an injustice when they create business units that are not aligned in strategic intent or in operational execution.
It is logical to have an IT services organization support the entire enterprise and list…
Today, we are going to talk a little bit about Contractor Cyber Training. What's in a good contractor cyber training course? Why do you need one? Why aren't policies, practices, and contract language enough?
Today's operators of industrial production facilities frequently utilize contract labor. This means a number of contractors have physical access to the site. Contractors could include your electrical contractor, your process automation contractor, your instrument and control technicians, or your electrical technicians.
As a point, remember contractors serve many clients, travel to many sites, have their own engineering tools, files, and copies of code. If you grant contractors access to your network, you need to provide a level of due diligence…
The exposure of industrial facilities to cybersecurity threats has never been higher. An analysis performed by IBM security found that the number of attacks on SCADA systems increased 636% from 2012 to 2014, with 675,816 cybersecurity incidents in January 2014 [1]. Finding an effective method for evaluating the current level of risk in a facility and implementing additional security risk reduction as needed is becoming an essential part of managing the safety, security, and operability of industrial systems.
The three fundamental activities for the analysis of cybersecurity risk are High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. This is the second of a three-part blog series breaking down the IEC 62443 lifecycle steps for evaluating cybersecurity risk, with…
As the number, scale, and connectivity of industrial automation systems continue to grow, it becomes increasingly crucial to fundamentally understand, evaluate, and manage cybersecurity risks. The objective of an effective cybersecurity management program should be to maintain the industrial automation system consistent with corporate risk criteria.
Ownership for industrial automation cybersecurity concerns often falls to someone with a different full-time focus, as just one more task piled onto an already overbooked schedule. This makes it even more critical to manage cybersecurity both efficiently and effectively. The cost for failing to adequately manage risk for cybersecurity concerns can be seen from an ever-growing list of industry examples.
The first step in actively managing cybersecurity risk is understanding the current level of…
The exposure of industrial facilities to cybersecurity threats has never been higher. An analysis performed by IBM security found that the number of attacks on SCADA systems increased 636% from 2012 to 2014, with 675,816 cybersecurity incidents in January 2014 [1]. Finding an effective method for evaluating the current level of risk in a facility and implementing additional security risk reduction as needed is becoming an essential part of managing the safety, security, and operability of industrial systems.
The three fundamental activities for the analysis of cybersecurity risk are High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. This is the final installment of a three-part blog series breaking down the IEC 62443 lifecycle steps for evaluating…
The world of automation has changed significantly over the past 30 years. I have fond memories of starting my career by calibrating, adjusting, and tuning pneumatic control loops while working my way through the electronic age right up to the present digital and cyber generation of automation. If you are like me, it is easy to get lost in all the technical changes that have made our jobs so rewarding and challenging. I want to highlight these changes by sharing my thoughts related to “Cyber Security.”
At the beginning of my career, the biggest concern was having clean dry air supplied at 20 psig and a 3 to 15 psi control signal. This may be a bit simplified,…
Have you noticed that over the last several years, cybersecurity seems to be “trending?”
Companies of all sizes are starting to learn how to prevent, or at least minimize, these attacks. They hire third-party experts and attend trainings to learn more about the human and system weaknesses that are common because competency is lacking.
For example, the mechanisms of attack listed below are only successful with the existence of human and system weaknesses:
Today’s owner operators and lease operators of industrial production facilities frequently employ service providers for projects and upgrades, as well as operations and maintenance. These contractors often travel to many sites, carry their own copies of source code and files, and use multiple PCs with multiple engineering tools for the automation platforms they support.
What quality practices does the contractor have in place to keep their client’s networks from being exposed to a virus or other vulnerability? How is downloadable content (e.g., drivers, firmware) that the contractor brings on site for the ICS system managed? And how does the contractor handle portable media?
What are the limits of authority allowed to the contractor? How is access to the network granted?…
To be clear, the above title is meant to capture your attention. We all understand and know that it is unusual for a Process Safety engineer and the IT architect to possess detailed knowledge of both safety and security. In today’s world, the operators, engineers, design and support personnel of an operating asset are required to be aware of the implications of cybersecurity attacks that can not only impact the business from a financial perspective, but can also initiate process safety-related incidents.
There are two clear hurdles in the interaction of these two disciplines. The first is technological vocabulary. I have often found that these two disciplines have completely different vocabularies and especially from a different context. A process safety engineer…
Co-written by Todd Stauffer, Director of Alarm Management Services at exida
A wise man once said, “You can’t manage what you don’t measure.” Let's apply this to the world of cybersecurity to discuss the importance of cybersecurity metrics and how they are different from a cyber diagnostic and a cyber alarm.
Cybersecurity Metrics are usually defined in terms of either leading or lagging performance. Think of cyber metrics as the Key Performance Indicators (KPIs) that help you evaluate your cybersecurity performance and whether things are improving or getting worse. Audits or performance measurements/calculations of specific work processes or cyber events are the norm. However, the addition of performance expectations or specific target goals for each metric allows for an…
exida would like to welcome our new director of cybersecurity services Dave Gunter. Dave will be taking us through a multi part blog series based on general cybersecurity evolving into how it pertains to your industrial work environment and what you should do to protect your company and its assets from cyber criminals.
In a manner of speaking, cyber hygiene is an individual’s base behavior when it comes to handling, managing, operating, and maintaining today's computing devices and software. The term computing devices is a broad term; however, in pragmatic terms, it can be viewed to represent computers, tablets, phones as well as boundary devices used to connect to the internet.
That’s a great question.
A cyber sensitive position is a subset of a job position description that can be graded as Ultra, High, Medium or Low sensitivity with respect to cybersecurity assets and associated potential consequences that may impact an operating company.
What this means is that more and more companies are qualifying their operating assets within the context of cybersecurity risk. These risk qualifications of operating assets require having engineering, operation and maintenance positions defined as cyber sensitive positions as appropriate for their role with respect to the asset(s) they support.
Today’s companies have an obligation to ensure they manage the risk envelope of their operating assets to tolerable levels. In the past,…
Oh look! Squirrel!
I am not much of a blogger. I should be but I’m not. This is strange, because I always have plenty to say.
This subject just gets me going so I am writing about it. I welcome feedback and opinions.
I have been in cybersecurity in one form or another for over 30 years, whether it be as the target of the attacks as an IT Manager, or a consultant trying to educate and help client companies with products and services, I have seen the same trend over and over again.
When a company has realized or suspected a cyber-event, they go into proactive response mode, begin investigating and at that point my phone generally rings…
The IEC 62443 series of cybersecurity standards include over ten documents covering various subjects. Buying a full set is a bit expensive, but for me the real cost is the time needed to read and understand them. So I often ask one of the experts at exida for a quick overview. Since not everyone has the IEC 62443 expertise that exida has, we hope that the overview info in this blog is useful.
Integrators must perform a number of important tasks if they wish to improve the cybersecurity of any automation system they deliver. And in today’s environment, end users demand strong cybersecurity strength. The IEC 62443 committee has documented their list of these important tasks; IEC 62443-2-4…
During an IACS cybersecurity risk analysis, each zone of a network is given a target security level. The levels are one to four, with one being the least amount of protection and four giving the most protection. For each zone we ask, “How much cybersecurity protection do we need?” “Is there any real need to get products with cybersecurity certification?” “If so, to what security level?”
I just read the September 2018 issue of WIRED magazine. The cover article is “The Untold Story of Notpetya, the Most Devastating Cyberattack in History.”
After reading, I come away with one strong thought:
it is amazing how threat agents can get through so many defense mechanisms. The…
As an end-user, do you know how reliable and safe your Safety Instrumented Systems (SIS) and Basic Process Control Systems (BPCS) are from potential cyber issues? Do you rely on your vendor statements regarding the robustness of their products? If the answer to these questions is “don’t know” or “yes” then maybe you should be considering using an independent 3rd party to perform a cybersecurity vulnerability assessment (for existing installations) and/or performing a cyber-risk assessment (as part of a HAZOP) for new installations. This is especially true for legacy systems that are still in operation using products from the mid-1990s. Although most software engineers won’t admit it, they often used to have “back doors” to enable fault-finding and…
As the cybersecurity threats in the industrial world continue to rise, the automation world continues to grapple with how to address these issues. As such, the newly released IEC61511-1: 2016 edition has included a new clause to address this (Clause 8.2.4). In essence, End Users have to carry out a security risk assessment to identify any potential security vulnerabilities of the Safety Instrumented System (SIS).
Clause 8.2.4 then goes on to specify that there needs to be a description of the devices covered by this risk assessment (e.g., SIS, BPCS or any other device connected to the SIS); together with a description of identified threats that could exploit vulnerabilities and result in security events. This should also include intentional attacks…
I was driving one of exida’s top risk experts from Europe to a business meeting. We parked and I locked the car door. He commented “I noticed you did not lock the car door when you parked at the exida office.” He was right. In an area I do not know, I always lock the car door. But not always in the exida lot. He added “A risk analysis will show car theft is a low risk due to random events, but remember cars are stolen by humans. These are not random events as we know them.” He added “A good risk return on investment analysis would show you should always lock the car door. The cost is so little,…
Industrial Automation Control Systems (IACS) Cybersecurity based on IEC 62443 was created to be compatible with agile development methodology. The standard deliberately talks about processes and not phases, such as those in the waterfall model. The processes defined can be met simultaneously and are, most likely, already being followed as part of your agile process; however, you may not be explicitly calling them out. One of these processes is documentation.
Agile does not mean no documentation; it means useful documentation. To start, documentation helps you and your team review the cybersecurity aspects of your current sprint, and provides evidence for the certification process. It also allows you to understand the impact of any changes, track down security issues and find…
As the incidence of cybersecurity threats in automation systems continues to rise, the automation world continues to grapple with how to address these issues. There are many good practices published in the IEC 62443 series of standards available to end users such as creating demilitarized zones between the business network and the industrial network, banning the use of portable devices on the industrial network, ensuring that security patches are installed regularly, etc. While these solutions all make a lot of sense, I recommend attacking the problem at its core. Patching, for example, is very important, but it is also very expensive and carries some extra risks in an automation system such as impacting the performance of a critical process. Wouldn’t…
By now we’ve all become familiar with safety integrity levels (SIL), as they have become part of our everyday lives. However, with the recent release of several cybersecurity standards in the IEC 62443 series, things are getting more complicated. This series of standards introduces two more levels that we will need to get used to quickly: maturity levels and security levels. The new levels may appear similar to SIL, but they need to be viewed in their own applicable context.
The standard defines three types of security levels:
IEC 62443-3-2 requires that you break down your system into security zones. Then, using the…
As the details of STUXNET’s design unfolded last fall, like many, I was truly impressed by the pin-point precision that the malware authors used to ensure that their target, and only their target, was impacted by the virus. In this regard, STUXNET may be one of the most responsible pieces of malware ever written, because it was carefully designed to avoid any collateral damage.
However, one of the unexpected outcomes of STUXNET is the extent to which it has aroused the “security researcher” community and has turned their attention from commercial IT products to industrial automation and control systems. While their motives vary, from seeking recognition and monetary gain to intending to cause harm, the…
There is a lot of concern around cyber security in Industrial Control Systems. With new threats like Stuxnet and Flame, the perceived risk to critical infrastructure has increased dramatically. There are increased calls for legislation and new methods for dealing with these threats. The history of how we have dealt with similar risk issues around process safety tells us that there are two ways to address the issues with very different results. On the one hand, there is a prescriptive approach where you define the remediation that should be required. This approach might work in very well-defined systems where there is very little change in technology.
The other approach is to define functional requirements and set performance standards that need…
Over the next couple of blogs, I plan to map out the importance of ISA/IEC-62443/ISA-99 based cybersecurity and how it applies to your work environment. I'll also explain some of our services so that you can see what might pertain to you.
For part 1, I will start from the beginning and outline what exactly ICS Security is and why it is important.
To put it bluntly, it's somebody messing around with your process control system that you don't want. It's keeping the bad guys out and the good guys in.
It can be done through computers, through the networks, through wireless devices, through USBs plugged in, etc. Anything that can cause your system not to operate in…
Over the next couple of blogs, I plan to map out the importance of ISA/IEC-62443/ISA-99 based cybersecurity and how it applies to your work environment. I'll also explain some of our services so that you can see what might pertain to you. For part 1, I started from the beginning and outlined what exactly ICS cybersecurity is and why it is important.
For part 2, I will explain the difference between IT vs. ICS cybersecurity and the differing security focus between IT and ICS.
The most important thing in IT is confidentiality, then integrity, and then availability. If your network goes down, you're going to be mad, but nothing's really going to…
Over the next couple of blogs, I plan to map out the importance of ISA/IEC-62443/ISA-99 based cybersecurity and how it applies to your work environment. I'll also explain some of our services so that you can see what might pertain to you.
For part 1, I started from the beginning and outlined what exactly ICS cybersecurity is and why it is important.
For part 2, I explained the difference between IT vs. ICS cybersecurity and the differing security focus between IT and ICS.
In this blog, I will explain the structure of the standards that pertain to ICS cybersecurity.
Today everyone’s involved with security, from the people who are originally designing and building the systems, the Emersons,…
Over the last couple of blogs, I mapped out the importance of ISA/IEC-62443/ISA-99 based cybersecurity and how it applies to your work environment.
For part 1, I started from the beginning and outlined what exactly ICS cybersecurity is and why it is important.
For part 2, I explained the difference between IT vs. ICS cybersecurity and the differing security focus between IT and ICS.
For part 3, I explained the structure of the standards that pertain to ICS cybersecurity.
In this blog, I will talk about control system assessments.
The difference between a risk assessment and a vulnerability assessment. A lot of people use the names interchangeably. A risk assessment tells you, if this device were compromised, what could…
Last week a security researcher, Dillon Beresford of NSS Labs, presented at the Blackhat conference on the security vulnerabilities he found in Siemens PLC firmware. One of many stories on Dillon’s findings can be found here. Among other things, Dillon found “dancing monkeys” in the code! Actually, what he found was this graphic of four dancing monkeys inserted in the firmware as an “Easter Egg” - meaning it was intentionally put there by a developer as a joke. Easter Eggs are cute in websites and video games but not in software that is operating critical infrastructure. This finding raises concerns about Siemens software quality assurance practices. While this prank is most likely harmless, imagine, for…
Operations and facility managers have a level of responsibility that requires a great deal of judgment, technical understanding, and the ability to make the right call when managing risk.
Safe, secure, and profitable plant operations are the cornerstones of how a plant manager is judged. The plant manager relies on a team of experts that provide the facts of what the risk is—the probability, and the plan(s). (Providing a single option to a plant manager is usually an invitation for a series of questions that dive deep into the issues.)
Safety is the keystone. Without safe operation, a plant manager would not sleep at night, as no one wants to be responsible for negatively impacting the quality of someone’s health…
Unconfirmed vulnerabilities are not usually a big issue, but when one like Supermicro occurs, plant management will ask a simple question: “Do we have an issue or not?”
Having been on the receiving end of this blunt exchange, I realize it can be painful and embarrassing to communicate, “I do not know right now.” This type of exchange can play out day to day or week to week due to any given company’s leadership becoming aware of cybersecurity-related news.
It has been my experience that three fundamental steps can help clarify the issue. To better define this, let’s look at a relevant example of the management of an unconfirmed vulnerability. Below is a working example based on the Bloomberg report…
One of the best parts of my job is I get to walk around and look over what has been implemented in the way of physical and cyber security. Most of the time I am very impressed by what has been done as more and more companies are realizing what is at stake should their infrastructure be compromised. Whether it's intellectual property or malicious activity, the costs of a breach could be significant, even catastrophic if the right circumstances were realized.
Ok, here is where it gets really fun. I was recently performing a Cybersecurity Vulnerability Assessment on an oil refinery. The main PCS in place was a form of redundant Ethernet. The main communication was broadcast and multicast traffic…
How should you react to news of PLC security vulnerabilities?
Project Basecamp was an exercise conducted at the S4 Security Conference that was held last month in Miami, Florida. At the event, six security researchers reported their findings on the security vulnerabilities found after testing several PLCs and field devices from several companies. With relative ease, the security researchers were able to discover, verify and in many cases exploit basic security vulnerabilities such as backdoors, weak or no authentication, buffer overflows, etc.
Dale Peterson of Digital Bond, the organizer of the event, recently blogged asking, “Where is the outrage?” Dale had expected industry…
A recent, disturbing trend I’ve seen in industrial control system (ICS) security is that, in response to concerns about the security of their ICS & SCADA systems, companies are performing penetration (pen) testing on operational systems. Oftentimes they request these services as one of the first steps in their plans to improve ICS security.
Pen testing, as the name implies, is intrusive testing whereby the tester behaves like an attacker and attempts to penetrate the system. This often means the tester will deliberately send probe packets or malformed packets on the network. Pen testing is common practice in IT security as a means of testing the effectiveness of the security controls (e.g. firewall, intrusion detection, etc.) that have been…
There are three main components of the safety lifecycle: analysis, realization, and operation. We will be taking a look at the analysis phase, particularly related to the cyber industry.
To start, the first thing to do in both safety and security is do a detailed process, hazard and risk analysis of the system. In the case of safety, you should allocate safety functions that will protect against those risks that you have identified and create a safety specification or set of requirements for each of those safety functions that you are going to apply. Once those requirements are in place, the realization phase is similar to other realization efforts, including design and engineering, acceptance testing and installation, and various…
Isn’t it frustrating when you experience an event that disrupts operations and then discover it could have been prevented? Very often a detailed analysis will reveal that a combination of (preventable) mistakes and unknown factors caused the incident. Training can help the mistakes, but dealing with the unknowns is a little tougher.
Setting up a Cybersecurity Management Program requires research into the kinds of attacks that could impact your operations, along with looking to existing industry standards for guidance. Additionally, network databases provide details on vulnerabilities of released software. If you use any open source code, you may want to regularly check sites like:
…Approaches to Cybersecurity Lifecycle for Existing and New Facilities
Which road should you take?
Cybersecurity attacks on industrial control systems (ICS) are now considered a credible risk. Due to this risk, the demand for Cybersecurity Automation Personnel Certification per IEC 62443 is greatly increasing. The question now becomes, which path is best suited for you in your organization/company? How do you get the most out of your certification? This presentation will describe the different Cybersecurity paths for personnel per IEC 62443 for those seeking Certification.
This webinar will focus on activities performed after the Cybersecurity Vulnerability Assessment is complete and the recommendations to segment your network have been made. We will review multiple manufacturers' product offerings, evaluate selection criteria, and delve into the actual process taken to isolate critical devices from the general control network. Actual network traffic screenshots will be used to demonstrate the steps that will be required to identify and isolate the devices from unwanted traffic while allowing necessary traffic to pass to the devices.
Many vendors are producing firewalls designed for the Industrial Control environment, some very simple and some quite complex. One idea that is rapidly expanding on the Defense-in-Depth concept and becoming more important is that of “Deep Packet Inspection” or DPI: not only firewalling a protocol, but firewalling what that message is trying to do, allowing, for example, a read but not a write command to pass. A number of vendors have released some sort of DPI firewall, and more are adding theirs to the list.
This webinar will explore the uses and special aspects of the industrial control firewall and will review how a firewall works to protect an ICS network. Subsequent webinars will present some of the specific DPI products available on the market today: who they are from, what protocols they can filter, and what additional functionality they offer.
While many standards have changed, and more information is constantly becoming available, what has not changed is the responsibility of the equipment owner to assure his process is reliable, secure and safe. One major step in that process is the Cybersecurity Vulnerability Assessment. This webinar will discuss the need and the path towards accomplishing that goal.
This three webinar series will walk through the fundamental methodology behind High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. The series will also discuss the relationships between the lifecycle steps, and the flow of information from one analysis to the next. The second webinar will provide a detailed review of the steps and objectives for a Detailed Risk Assessment as well as the benefits of completing a Detailed Risk Assessment, and the information that feeds the Security Level verification.
This three webinar series will walk through the fundamental methodology behind High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. The series will also discuss the relationships between the lifecycle steps, and the flow of information from one analysis to the next. The first webinar will provide a detailed review of the steps and objectives for a High-Level Risk Assessment as well as the benefits of completing a High-Level Risk Assessment, and frame the scope of discussion for the remaining webinars in this series.
This three webinar series will walk through the fundamental methodology behind High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. The series will also discuss the relationships between the lifecycle steps, and the flow of information from one analysis to the next. The final webinar in this series will provide a detailed review of the steps and objectives for performing a semi-quantitative Security Level (SL) Verification as well as the benefits of completing SL Verification, and the information that feeds future lifecycle steps.
This webinar focuses on a methodology to perform a cybersecurity risk assessment designed to identify potential hazards that can arise from a cybersecurity attack on process control and protection systems. This is done in the context of the functional safety and cybersecurity lifecycles, and the potential process safety, environmental, and financial consequences.
This is the second in a series of webinars that will review vendor products offering Deep Packet Inspection (DPI). In this webinar we will review the background and steps required to implement an Industrial Control System (ICS) firewall using DPI for Modbus/TCP. Multiple vendors' products will be shown and their specific configurations reviewed.
This webinar will discuss how to make an objective assessment of a vendor's equipment to see where it meets (or doesn’t meet) the IEC 62443 requirements through the use of a report card. The report provides a visual presentation of the results that is easy to view and follow. It covers the 7 fundamental requirements of IEC 62443, as well as communications robustness testing and the security development lifecycle. This will give the end user confidence that the products they are using are as secure as possible.
This webinar will introduce and discuss the exida Automation Cybersecurity (ACS) program. This is a certificate program that addresses a growing need to provide confirmation that an attendee showed competency by retaining the knowledge presented in a training course. The ACS program will also provide an analysis of where the candidate’s strengths and weaknesses lie. This program will also help a participant judge their competency level if interested in obtaining a certification like the Certified Automation Cybersecurity Expert (CACE) or Certified Automation Cybersecurity Specialist (CACS).
This webinar will demonstrate how exSILentia cyber supports the completion of high-level risk assessments consistent with the methodology described in part one of the Cybersecurity Risk Assessment and Security Level Verification series. This webinar will provide a brief description of the method and then focus on how the exSILentia cyber tool can be used to effectively complete and document high-level risk assessments in a consistent manner considering the example chemical plant. The main track of the Cybersecurity Risk Assessment and Security Level Verification series will continue later this month with Part Two - Detailed Risk Assessments.
This webinar examines the revision in IEC 61511-1 earlier this year to include a new clause regarding Cybersecurity and how this will impact end users. It has been recognized for some time now that Industrial Control Systems can be susceptible to cybersecurity events, which could have potentially disastrous effects on Safety Instrumented Systems and Basic Process Control Systems. How immune a SIS or BPCS is depends upon how it was designed, its network topology and “openness” to the outside world. Compromising a SIS could result in a loss of protection, or worse still, initiate unsafe or unstable process conditions.
After a number of cybersecurity attacks on industrial control systems (ICS), most plant owner/operators now consider a cybersecurity attack to be a credible risk. In 2007 the ISA Security Compliance Institute (ISCI) was founded and defined the first cybersecurity certification scheme. Now, in 2018, the IEC 62443 standards have been released, and new schemes have been defined based on cybersecurity experience and these new standards. The presentation will describe the IEC 62443 Certification Program based on the progression of the IEC 62443 standard.
Proactive cybersecurity efforts have been on the rise. Some even call it “Trending.” ISA and the global IEC 62443 committee have taken the baton and created a set of standards to help protect manufacturers, end users, and people. The IEC 62443 document series is an international standard intended to provide a flexible framework to enhance Industrial Automation Control System (IACS) cybersecurity. IEC62443-4-1 and IEC62443-4-2 were created with the Software Developer’s roles and responsibilities in mind.
Software Development Experts have started taking the initiative and are taking this exam to become a Certified Automation Cybersecurity Expert (CACE).
If you are someone that has ever wanted to become a leader, a mentor, or someone that just wants to stay ahead of the curve, then this webinar will be extremely valuable.
The presence of threats and the success of attacks have been felt by virtually every individual and organization around the world. Protecting assets must be a well-organized, wide-ranging effort that involves everyone who has assets to protect. There are organizational conflicts to understand, policies to create, and specific security activities to coordinate. This webinar discusses key aspects of an Industrial Automated Control System (IACS) Cybersecurity Program, provides concrete recommendations for getting started, and references that provide additional insight.
This webinar provides an introduction to Control System Cyber Security and the Security Lifecycle for managers and engineers involved in operating, maintaining and integrating Industrial Automation and Control Systems. While the course follows the Security Level Lifecycle from ANSI/ISA-99.01.01 and ANSI/ISA-99.02.01, it also references other relevant industry standards and industry best practices, in particular drawing parallels to the well established Functional Safety Lifecycle from ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod).
This webinar outlines the steps and process exida takes to perform its Cybersecurity Vulnerability Assessment without it taking on the uncomfortable feeling of an audit. The spirit of the assessment needs to be cooperative to be successful for both parties. We are not issuing pass/fail criteria, we are not hiding the results to give you a simple pass/fail rating. We are looking to evaluate you against best practice and standards, recommend enhancements, and document what you have already done right.
We discuss:
Lessons Learned From Actual Control System Security Incidents and Assessments
The IEC 62443 document series is an international standard intended to provide a flexible framework to enhance Industrial Automation Control System (IACS) cybersecurity. Seven core functional requirements are used to assist with the design, development, testing and construction of an integrated security architecture. As the Security Level (SL) targets and capabilities are defined, cybersecurity metrics become necessary to be able to assess the efficacy and comprehensiveness of the design. These Security Levels are organized into four increasing tiers each requiring more stringent controls be in place.
As the security architecture matures and the logical and physical assets are grouped into zones, they need to be evaluated along with the connections and data flows between zones that are called conduits. Both the zones and conduits need appropriate security controls to ensure plant operational safety. Cybersecurity Best Practices have principles (such as ‘defense in depth’) that can be evaluated through cybersecurity metrics that evaluate architectural components such as zones and conduits.
Furthermore, security is a process that requires continual risk management and risk reduction via the mitigation of identified threats. Cybersecurity metrics are generated and evaluated to determine if adequate risk management is being enabled. Through the usage of well defined, repeatable and accurate cybersecurity metrics, SL adequacy can be assessed.
This presentation goes through the IEC 62443 foundational requirements and describes appropriate and relevant security metrics for evaluating whether architectural components such as zones and conduits have appropriate cybersecurity controls in place and whether the SL target has been achieved.
The Industrial Internet of Things (IIoT) offers companies many potential benefits such as decreased operational costs and further optimized processes; however, the increased use of wireless control networks also introduces the potential for additional cybersecurity risks. This webinar will briefly review the trends in IIoT and discuss important factors to consider when mitigating the additional risk of wireless control networks.
This webinar will provide a brief overview of the IEC62443 family of standards, and then look at recent security breaches to see if they could have been avoided by following the best practices described in these standards. Completely avoiding cyber-attacks is likely not possible, but significantly decreasing the probability of a successful attack is feasible by following these guidelines.
This webinar is the third of a 4-part series to look at the cybersecurity lifecycle. Part 3 introduces the Operate and Maintain phase and focuses on the steps involved. Key topics of this third part include:
This webinar is the fourth of a 4-part series to look at the cybersecurity lifecycle. Part 4 looks at how to implement the lifecycle within existing facilities where it is not currently in place. Key topics of this fourth part include:
This webinar is the first of a 4-part series to look at the cybersecurity lifecycle. Part 1 introduces the overall lifecycle and focuses on the steps involved in the analysis phase. Key topics of this first part include:
This webinar is the second of a 4-part series to look at the cybersecurity lifecycle. Part 2 introduces the design and implementation phase and focuses on the steps involved. Key topics of this second part include:
Not that long ago, the move towards “open systems” and the resulting incorporation of off-the-shelf technologies represented a huge step forward in control system design. System integration became easier, product development by manufacturers was accelerated, and training leveraged common tools and concepts. While the benefits have been tremendous, open technology has made control systems open to security vulnerabilities, putting production and human safety at risk. Nothing has made that risk more evident than the Stuxnet virus, which has made headlines since it was discovered in July 2010. Countering these threats requires organizations to develop a better understanding of their process control system security risks and how to address them. In this webinar, we will discuss the seven things that every plant manager and automation professional should know about industrial control system security. We will also discuss how to apply best practices from standards such as ISA 99.02.01 to mitigate these risks.
A lot of time and effort is spent installing security patches. The number of security vulnerabilities in a product, and thus the number of patches, can be significantly reduced if a Security Development Lifecycle (SDL) is followed during product development.
This webinar will help explain the following:
Operators of industrial facilities, particularly those that operate critical, potentially dangerous processes or produce product for consumer consumption, are rightfully very concerned about the potential for cyber threats that can accidentally or intentionally manipulate their industrial control systems (ICS). Modern ICS are highly vulnerable to cyber threats due to their increased use of commercial IT technology and extensive network connectivity. At the same time, the prospect of cyber threats to an ICS is all too real. In the last few years, there have been numerous documented attempts to hack or inject a virus into an ICS in order to intentionally cause harm or destruction. This presentation explores the challenges that most industrial companies face in understanding the true risk of cyber threats to their industrial processes and introduces Cyber PHA as a solution. Based on Process Hazard Analysis (PHA), which has been used in the process industries for decades to assist in understanding and ranking operational risks so they can be properly mitigated, a Cyber PHA is an organized and systematic assessment of the potential cyber threats to an ICS. It aids in understanding the true risk by identifying and qualifying threats, vulnerabilities and consequences.
Cybersecurity is rapidly becoming something process safety can no longer ignore. It is part of the Chemical Facility Anti-Terrorism Standards (CFATS). In addition, the President’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” has drawn attention to the need for addressing cybersecurity in our plants, as it has been demonstrated that in our new world, they are now a source of potential process safety incidents.
IEC 61508[2], “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)” now has a requirement to address cybersecurity in safety instrumented systems and ANSI/ISA 84.00.01, “Functional Safety: Safety Instrumented Systems for the Process Industry Sector” is looking to include this requirement in the next revision. Currently the industry is playing catch up as there tends to be a gap in understanding between information technologists, traditionally responsible for cybersecurity, and the process automation and process safety engineers responsible for keeping our plants safe with help from automated controls and safety instrumented systems. As a result, guidance is being developed, but much of it continues to be a work in progress.
The past two years have been a wakeup call for the industrial automation industry. It has been the target of sophisticated cyber attacks like Stuxnet, Night Dragon and Duqu. An unprecedented number of security vulnerabilities have been exposed in industrial control products and regulatory agencies are demanding compliance to complex and confusing regulations. Cyber security has quickly become a serious issue for professionals in the process and critical infrastructure industries.
If you are a process control engineer, an IT professional in a company with an automation division, or a business manager responsible for safety or security, you may be wondering how your organization can get moving on more robust cyber security practices. This white paper will give you the information you need to get started. It won’t make you a security expert, but it will put you on the right path in far less time than it would take if you were to begin on your own.
We began by condensing the material from numerous industry standards and best practice documents. Then we combined our experience in assessing the security of dozens of industrial control systems. The result is an easy-to-follow 7-step process:
Step 1 – Assess Existing Systems
Step 2 – Document Policies & Procedures
Step 3 – Train Personnel & Contractors
Step 4 – Segment the Control System Network
Step 5 – Control Access to the System
Step 6 – Harden the Components of the System
Step 7 – Monitor & Maintain System Security
The remainder of this white paper will walk through each of these steps, explaining the importance of each step and best practices for implementing it. We will also provide ample references for additional information.
With the ever changing threats posed by cyber events of any nature, it has become critical to recognize these emerging threats, malicious or not, and identify the consequences these threats may have on the operation of an industrial control system (ICS). Cyber-attacks over time have the ability to take on many forms and threaten not only industrial but also national security.
Saudi Aramco, the world’s largest exporter of crude oil, serves as a perfect example depicting how devastating a cyber-attack can truly be on an industrial manufacturer. In August 2012, Saudi Aramco (SA) had 30,000 personal computers on its network infected by a malware attack better known as the “Shamoon” virus. According to InformationWeek Security, this was roughly 75 percent of the company’s workstations, and clean-up efforts took 10 days to complete.
The seriousness of cyber-attacks in regards to national security was addressed by former United States Secretary of Defense Leon W. Panetta in his speech in October 2012. Panetta issued a strong warning to business executives about cybersecurity as it relates to national security. “A cyber-attack perpetrated by nation states [and] violent extremists groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze the nation,” he stated. “For example, we know that foreign cyber actors are probing America’s critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout this country.”
In addition to Panetta’s address, the U.S. Department of Homeland Security has issued several alerts about coordinated attacks on gas pipeline operators, according to a May 2012 report by ABC News.
This whitepaper will focus on the significance of cyber-attacks on industrial control systems (ICS) and how these attacks can be prevented by proper practice of the ICS Cybersecurity lifecycle.