The Department of Homeland Security (DHS) is tasked with many things. One area of focus is Industrial Control Systems (ICS). The Industrial Control Systems Joint Working Group (ICSJWG) was formed to facilitate this focus. This group holds semi-annual conferences (Spring and Fall) in various US cities. These meetings are filled with presentations by industry experts on cyber security for ICS. The meeting format can vary somewhat but usually includes several tracks of presentations that cater to the interest of the attendees. There is also one day set aside for cyber security training for either a beginner or intermediate level. One of the best things about these conferences … they are FREE to attend. You only have to pay your…
Product Certification
Over 60 new products received functional safety or cybersecurity certification this year. Those products and more can be found on our Safety Automation Element List. Most significant to me are the new product categories including:
exida Certification has expanded its scope…
About 5 years ago I was sitting around a big table in a conference room at a major LNG terminal. Outside the window I could see a big city harbor filled with boats, bridges, sky scrapers and approximately 5 million people. I could also see two huge LNG storage tanks that, I was told, had the hazard potential to form a vapor cloud that could cover the harbor and, under the right conditions, could burn and explode.
I was brought to the facility by a control system integrator who had been working onsite and had concerns about the control system security and the potential risk that it represented. They wanted me to discuss options to evaluate and improve the…
Last week I attended the ISA Water/Wastewater and Automatic Controls Symposium in Bethesda, Maryland. The conference was attended by equipment manufacturers and municipalities, but system integrators composed the largest group. The technical sessions mainly discussed new opportunities for implementing the industrial internet of things (IoT) and cybersecurity concerns. Both topics are central for the future of IACS (industrial automation and control systems) and SCADA (supervisory control and data acquisition) systems, but they provide disparate advice regarding remote access, a critical component of SCADA systems.
Due to the remote nature of the control devices in SCADA systems, wireless networks are a necessity for the overall cost and feasibility of the design. Industrial IoT focuses on helping integrators design an…
ICS cybersecurity standards such as ISA 62443 (formerly ISA 99) and NERC CIP require operators to have policies and procedures in place to monitor and maintain their critical ICS cyber assets. For anything other than very small systems, the obvious choice is to implement systems to automate these procedures. So, in our practice of performing cybersecurity vulnerability assessments, we are seeing a large number of servers being installed to provide services such as asset management, user authentication, anti-virus management, whitelisting management, patch management, backup/restore, etc. These servers are being installed “in the name of” improving cybersecurity but are they really? These are generally IT-driven projects, so, in most cases these servers are being installed on the…
I don’t know whether you’ve noticed recently, but the number of cybersecurity alerts issued by CISA (Cybersecurity and Infrastructure Security Agency) seems to be increasing at an alarming rate. The latest alert I’ve seen now relates to GPS tracking systems for children. A device which is supposed to keep your children, pets, and elderly loved-ones safe, which has been sold online in the hundreds of thousands, now appears to have a number of vulnerabilities that can potentially be exploited by attackers. This was just one notification I saw, which was closely followed by one regarding a nation state issued malware attack from North Korea: ELECTRICFISH and BADCALL, referred to as HIDDEN COBRA.
According to CISA, the…
The Oldsmar Water Treatment Facility in Pinellas County Florida was compromised by hackers on February 5th. Hackers took advantage of the TeamViewer application that was still installed on the water facilities network to gain remote access1. The TeamViewer was originally installed to allow for status checks and troubleshooting of alarms or other issues, but it had not been used in around six months1. Additionally, each computer used to monitor the system remotely had a single password.
The attackers successfully gained access to the system were able to modify the concentration of water treatment chemicals and increased the amount of sodium hydroxide (lye) by a factor of 1002. This much higher concentration had the potential to cause illness to the public…
This is the first in a series of blogs and papers on the benefits of cyber certification. Certification provides you with the opportunity to work with an experienced cyber team here at exida,. It also allows you to gain access to our network of cyber experts worldwide codified in the IEC 62443 family of standards.
The following chart came from a Symantec publication in 2018. While it shows that financial and government sectors are experiencing the highest level of attacks, there still is a significance presence in industrial and infrastructure sectors (Energy, Construction, Telecom, Petrochemical). Where ever you fall in this spectrum, cyber certification can help significantly reduce the likelihood of being successfully attacked.
Certification can…
This is the next in a series of blogs and papers on the benefits of cyber certification. Certification provides you with the opportunity to work with an experienced cyber team here at exida, and the vast knowledge of cyber experts worldwide codified in the IEC 62443 family of standards.
TripWire published this article on January 24, 2016, more than 4 years ago. It contains 22 recommendations on how to secure your systems. This is the first part of a 2-part series reviewing the first 11 of those recommendations.
Given the last 4 years, look back at any security issues you have experienced, and see if any fall into these categories. Clearly mitigation for these attacks will not secure your system…
This is the next in a series of blogs and papers on the benefits of cyber certification. You can read part 1 here. Certification provides you with the opportunity to work with an experienced cyber team here at exida, and the vast knowledge of cyber experts worldwide codified in the IEC 62443 family of standards.
TripWire published this article on January 24, 2016, more than 4 years ago. It contains 22 recommendations on how to secure your systems. This is the first part of a 2-part series reviewing the first 11 of those recommendations.
Given the last 4 years, look back at any security issues you have experienced, and see if any fall into these categories. Clearly mitigation for…
This is the next in a series of blogs and papers on the benefits of cyber certification. You can read part 1 here and part 2 here. Certification provides you with the opportunity to work with an experienced cyber team here at exida, and the vast knowledge of cyber experts worldwide codified in the IEC 62443 family of standards.
The European Union has the General Data Protection Regulation (GDPR) which fines companies if they do not properly manage user data. Such a regulation does not exist in the United States although some groups are trying to make that happen. It is easy to see why large corporations do not want this, more systems to spend money on, so there…
This is the next in a series of blogs and papers on the benefits of cyber certification. You can read part 1 here , part 2 here, and part 3 here . Certification provides you with the opportunity to work with an experienced cyber team here at exida, and the vast knowledge of cyber experts worldwide codified in the IEC 62443 family of standards.
Last year Kevin Mandia, CEO FireEye published a white paper – “Validation for Security Effectiveness”. This is not directly focused at the control industry but does offer valuable insight into cyber management. Mandia splits his concerns into 5 areas:
Personnel responsible for protecting organizational assets within Operations Technology (OT) groups would seem to have the same mission as those responsible for protecting organizational assets within Information Technology (IT) groups, and be tightly aligned. Spending any amount of time with Industrial Control System (ICS) clients, however, shows that is certainly not the case. Let’s look at some reasons why this is and what can be done about it.
Profit-producing entities seek to organize themselves to generate revenues, minimize costs, and maximize profits. They do themselves an injustice when they create business units that are not aligned in strategic intent or in operational execution.
It is logical to have an IT services organization support the entire enterprise and list…
An April 2019 report from the Institute of Critical Infrastructure Technology (ICIT) makes the point that even though software ‘runs the world’, software security is an afterthought across virtually all industries.
The report states that this lack of software security is actually a National Threat given that this approach leads to non-resilient software being utilized in highly interconnected environments to run private and public critical infrastructures.
A Microfocus 2018 report states that 33% of applications are never tested for security vulnerabilities. Data such as that reinforces the thought that ‘secure by design’ is not a priority for most enterprises.
The robust connectivity of the Internet of Things (IIOT) only exacerbates this situation making users ‘crash test dummies’ since robust security…
Cyberattacks have become the new norm for industrial control systems. A recent study found that 54% (more than half) of companies surveyed had experienced a cyber-attack on their Industrial control system within the last two years[1].
The need for well-trained, competent individuals to address cybersecurity for industrial control systems is higher than ever before. It’s clear that having the right skills and experience to address cybersecurity is a must, but sometimes it can be difficult to identify exactly what training or competency program is right for you.
With exida’s new CACE Specialties its as easy as one, two, three.
The first step is to identify which level of professional…
Today, we are going to talk a little bit about Contractor Cyber Training. What's in a good contractor cyber training course? Why do you need one? Why aren't policies, practices, and contract language enough?
Today's operators of industrial production facilities frequently utilize contract labor. This means a number of contractors have physical access to the site. Contractors could include your electrical contractor, your process automation contractor, your instrument and control technicians, or your electrical technicians.
As a point, remember contractors serve many clients, travel to many sites, have their own engineering tools, files, and copies of code. If you grant contractors access to your network, you need to provide a level of due diligence…
The exposure of industrial facilities to cybersecurity threats has never been higher. An analysis performed by IBM security found that the number of attacks on SCADA systems increased 636% from 2012 to 2014, with 675,816 cybersecurity incidents in January 20141. Finding an effective method for evaluating the current level of risk in a facility and implementing additional security risk reduction as needed is becoming an essential part of managing the safety, security, and operability of industrial systems.
The three fundamental activities for the analysis of cybersecurity risk are High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. This is the second of a three-part blog series breaking down the IEC 62443 lifecycle steps for evaluating cybersecurity risk, with…
As the number, scale, and connectivity of industrial automation systems continues to grow, it becomes increasingly crucial to fundamentally understand, evaluate, and manage cybersecurity risks. The objective of an effective cybersecurity management program should be to maintain the industrial automation system consistent with corporate risk criteria.
Ownership for industrial automation cybersecurity concerns often fall to someone with a different full-time focus, as just one more task piled onto an already overbooked schedule. This makes it even more critical to manage cybersecurity both efficiently and effectively. The cost for failing to adequately manage risk for cybersecurity concerns can be seen from an ever-growing list of industry examples.
The first step in actively managing cybersecurity risk is understanding the current level of…
The exposure of industrial facilities to cybersecurity threats has never been higher. An analysis performed by IBM security found that the number of attacks on SCADA systems increased 636% from 2012 to 2014, with 675,816 cybersecurity incidents in January 2014 [1]. Finding an effective method for evaluating the current level of risk in a facility and implement additional security risk reduction as needed is becoming an essential part of managing the safety, security, and operability of industrial systems.
The three fundamental activities for the analysis of cybersecurity risk are High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. This is the final installment of a three-part blog series breaking down the IEC 62443 lifecycle steps for evaluating…
The world of automation has changed significantly over the past 30 years. I have fond memories of starting my career by calibrating, adjusting, and tuning pneumatic control loops while working my way through the electronic age right up to the present digital and cyber generation of automation. If you are like me, it is easy to get lost in all the technical changes that have made our jobs so rewarding and challenging. I want to highlight these changes by sharing my thoughts related to “Cyber Security.”
At the beginning of my career, the biggest concern was having clean dry air supplied at 20 psig and a 3 to 15 psi control signal. This may be a bit simplified,…
Have you noticed that over the last several years, cybersecurity seems to be “trending?”
Companies of all sizes are starting to learn how to prevent, or at least minimize, these attacks. They hire third-party experts and attend trainings to learn more about the human and system weaknesses that are common because competency is lacking.
For example, the mechanisms of attack listed below are only successful with the existence of human and system weaknesses:
The thought of tackling a threat model (TM) might not be the most appetizing to some people. Doing a quick Internet search, someone could get stuck under a mountain of acronyms and terms. I mean, what is a CVSS anyway? And then there are the diagrams, attack trees and feedback loops that could drive even the sanest person mad. Oh, and then you encounter the Threat Model Manifesto which sounds like something that’s straight out of an occult. What does this all mean and where in the world does someone begin?? Take a deep breath and relax.
The first logical step is to identify what threat modeling actually is. The National Institute of Standards…
Today’s owner operators and lease operators of industrial production facilities frequently employ service providers for projects and upgrades, as well as operations and maintenance. These contractors often travel to many sites, carry their own copies of source code and files, and use multiple PCs with multiple engineering tools for the automation platforms they support.
What quality practices does the contractor have in place to keep their client’s networks from being exposed to a virus or other vulnerability? How is downloadable content (e.g., drivers, firmware) that the contractor brings on site for the ICS system managed? And how does the contractor handle portable media?
What are the limits of authority allowed to the contractor? How is access to the network granted?…
To be clear, the above title is meant to capture your attention. We all understand and know that it is unusual for a Process Safety engineer and the IT architect to possess detailed knowledge of both safety and security. In today’s world, the operators, engineers, design and support personnel of an operating asset are required to be aware of the implications of cybersecurity attacks that can not only impact the business from a financial perspective, but can also initiate process safety-related incidents.
There are two clear hurdles in the interaction of these two disciplines. The first is technological vocabulary. I have often found that these two disciplines have completely different vocabularies and especially from a different context. A process safety engineer…
Co-written by Todd Stauffer, Director of Alarm Management Services at exida
A wise man once said, “You can’t manage what you don’t measure.” Let's apply this to the world of cybersecurity to discuss the importance of cybersecurity metrics and how they are different from a cyber diagnostic and a cyber alarm.
Cybersecurity Metrics are usually defined in terms of either leading or lagging performance. Think of cyber metrics as the Key Performance Indicators (KPI’s) that help you evaluate your cybersecurity performance and whether things are improving or getting worse. Audits or performance measurements /calculations of specific work processes or cyber events are the norm. However, the addition of performance expectations or specific target goals for each metric allows for an…
exida would like to welcome our new director of cybersecurity services Dave Gunter. Dave will be taking us through a multi part blog series based on general cybersecurity evolving into how it pertains to your industrial work environment and what you should do to protect your company and its assets from cyber criminals.
In a manner of speaking, cyber hygiene is an individual’s base behavior when it comes to handling, managing, operating, and maintaining today's computing devices and software. The term computing devices is a broad term, however in pragmatic terms, it can viewed to represent computers, tablets, phones as well as boundary devices used to connect to the internet.
That’s a great question.
A cyber sensitive position is a subset of a job position description that can be graded as Ultra, High, Medium or Low sensitivity with respect to cybersecurity assets and associated potential consequences that may impact an operating company.
What this means is that more and more companies are qualifying their operating assets within the context of cybersecurity risk. These risk qualifications of operating assets require having engineering, operation and maintenance positions defined as cyber sensitive positions as appropriate for their role with respect to the asset(s) they support.
Today’s companies have an obligation to ensure they manage the risk envelope of their operating assets to tolerable levels. In the past,…
The travel and group meeting restrictions from COVID-19 have allowed me to catch up on some reading about viruses; not the type that get transmitted to humans. This article is about the Stuxnet virus and what I learned from the book “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon” by Kim Zetter (Published in 2014). It focuses on how Stuxnet manipulated control and safety systems to inflict physical damage to the equipment under control (centrifuges). Some information is also taken from “To Kill a Centrifuge”, by Ralph Langner, one of the people credited with uncovering Stuxnet.
Stuxnet was way more than “just” a virus. It was a combination worm (for spreading) and virus (for infecting) that ultimately propagated to…
Oh look! Squirrel!
I am not much of a blogger. I should be but I’m not. This is strange, because I always have plenty to say.
This subject just gets me going so I am writing about it. I welcome feedback and opinions.
I have been in cybersecurity in one form or another for over 30 years, whether it be as the target of the attacks as an IT Manager, or a consultant trying to educate and help client companies with products and services, I have seen the same trend over and over again.
When a company has a realized or suspected a cyber-event, they go into proactive response mode, begin investigating and at that point my phone generally rings…
The IEC 62443 series of cybersecurity standards include over ten documents covering various subjects. Buying a full set is a bit expensive, but for me the real cost is the time needed to read and understand them. So I often ask one of the experts at exida for a quick overview. Since not everyone has the IEC 62443 expertise that exida has, we hope that the overview info in this blog is useful.
Integrators must perform a number of important tasks if they wish to improve the cybersecurity of any automation system they deliver. And in today’s environment, end users demand strong cybersecurity strength. The IEC 62443 committee has documented their list of these important tasks; IEC 62443-2-4…
During an IACS cybersecurity risk analysis, each zone of a network is given a target security level. The levels are one to four, with one being the least amount of protection and four giving the most protection. For each zone we ask, “How much cybersecurity protection do we need?” “Is there any real need to get products with cybersecurity certification?” “If so, to what security level?”
I just read the September 2018 issue of WIRED magazine. The cover article is “The Untold Story of Notpetya, the Most Devastating Cyberattack in History .”
After reading, I come away with one strong thought:
it is amazing how threat agents can get through so many defense mechanisms. The…
As an end-user, do you know how reliable and safe your Safety Instrumented Systems (SIS) and Basic Process Control Systems (BPCS) are from potential cyber issues? Do you rely on your vendor statements regarding the robustness of their products? If the answer to these questions is “don’t know” or “yes” then maybe you should be considering using an independent 3rd party to perform a cybersecurity vulnerability assessment (for existing installations) and/or performing a cyber-risk assessment (as part of a HAZOP) for new installations. This is especially true for legacy systems that are still in operation using products from the mid-1990s. Although most software engineers won’t admit it, they often used to have “back doors” to enable fault-finding and…
As the cybersecurity threats in the industrial world continue to rise, the automation world continues to grapple with how to address these issues. As such, the newly released IEC61511-1: 2016 edition has included a new clause to address this (Clause 8.2.4). In essence, End Users have to carry out a security risk assessment to identify any potential security vulnerabilities of the Safety Instrumented System (SIS).
Clause 8.2.4 then goes on to specify that there needs to be a description of the devices covered by this risk assessment (e.g., SIS, BPCS or any other device connected to the SIS); together with a description of identified threats that could exploit vulnerabilities and result in security events. This should also include intentional attacks…
I was driving one of exida’s top risk experts from Europe to a business meeting. We parked and I locked the car door. He commented “I noticed you did not lock the car door when you parked at the exida office.” He was right. In an area I do not know, I always lock the car door. But not always in the exida lot. He added “A risk analysis will show car theft is a low risk due to random events, but remember cars are stolen by humans. These are not random events as we know them.” He added “A good risk return on investment analysis would show you should always lock the car door. The cost is so little,…
Industrial Automation Control Systems (IACS) Cybersecurity based on IEC 62443 was created to be compatible with agile development methodology. The standard deliberately talks about processes and not phases, such as those in the waterfall model. The processes defined can be met simultaneously and are, most likely, already being followed as part of your agile process; however, you may not be explicitly calling them out. One of these processes is documentation.
Agile does not mean no documentation; it means useful documentation. To start, documentation helps you and your team review the cybersecurity aspects of your current sprint, and provides evidence for the certification process. It also allows you to understand the impact of any changes, track down security issues and find…
When we were doing safety system designs in the 1980s, there was no Windows, there was no TCP/IP, there was no in Ethernet. We had to write our own protocols to transmit data to our I/O and our controllers.
Fault-finding was always a challenge . What we ended up doing was putting in what were known as “back doors”. I could go up to some of our equipment that's running in automatic, I could plug into the RS-232 port on the front with a handheld RS-232 ASCII keypad. I could put in a sequence of ASCII keys and it would take the controller out of automatic. It would allow me then to start looking at the serial registers to see what…
As the incidence of cybersecurity threats in automation systems continue to rise, the automation world continues to grapple with how to address these issues. There are many good practices published in the IEC 62443 series of standards available to end users such as creating demilitarized zones between the business network and the industrial network, banning the use of portable devices on the industrial network, ensuring that security patches are installed regularly, etc. While these solutions all make a lot of sense, I recommend attacking the problem at its core. Patching, for example, is very important, but it is also very expensive and carries some extra risks in an automation system such as impacting the performance of a critical process. Wouldn’t…
exida has traditionally been involved in industries such as oil and gas, chemicals, power generation and automotive. While these are a diverse set of industries, many of the techniques that we use such as FMEDA (Failure Modes Effects and Diagnostic Analysis), Risk Assessment, Threat Modelling, etc. can be applied across these different industries, usually with minor variations. A recent trend we have seen involves medical devices applying some of these same techniques. Recently, we performed an FMEDA on a ventilator which was being designed for the COVID-19 crisis.
Another area where there seems to be some overlap is in cybersecurity. exida has been certifying devices, processes, and system to the IEC 62443 series of standards for…
By now we’ve all become familiar with safety integrity levels (SIL), as they have become part of our everyday lives. However, with the recent release of several cybersecurity standards in the IEC 62443 series, things are getting more complicated. This series of standards introduces two more levels that we will need to get used to quickly: maturity levels and security levels. The new levels may appear similar to SIL, but they need to be viewed in their own applicable context.
The standard defines three types of security levels:
IEC 62443-3-2 requires that you break down your system into security zones. Then, using the…
Last Saturday, I read an article about hackers who were behind at least two potentially fatal intrusions on oil and gas industrial facilities (Yes I read cyber articles on the weekend 
). Besides the fact that I enjoy learning about cybersecurity on my days off, what I noticed is that these articles aren’t going away, but are becoming more prevalent. Even with the countless number of attacks, much effort and focus on cybersecurity today is still on cleaning up problems after vulnerabilities have been found.
Sure we’ve learned from these attacks, however, even with these efforts of keeping up with testing, installing the latest security patches and adding multiple layers of defense to make…
Approaches to Cybersecurity Lifecycle for Existing and New Facilities
Which road should you take?
Cybersecurity attacks on industrial control systems (ICS) are now considered a credible risk. Due to this risk, the demand for Cybersecurity Automation Personnel Certification per IEC 62443 is greatly increasing. The question now becomes, which path is best suited for you in your organization/company? How do you get the most out of your certification? This presentation will describe the different Cybersecurity paths for personnel per IEC 62443 for those seeking Certification.
This webinar will focus on activities performed after the Cybersecurity Vulnerability Assessment is complete and the recommendations to segment your network have been made. We will review multiple manufacturers product offerings, evaluate selection criteria, and delve into the actual process taken to isolate critical devices from the general control network. Actual network traffic screen shots will be used to demonstrate the steps that will be required to identify and isolate the devices from unwanted traffic while allowing necessary traffic to pass to the devices.
Many vendors are producing firewalls designed for the Industrial Control environment. Some very simple; some quite complex. One idea that is rapidly expanding on the Defense-in-Depth concept and becoming more important is that of “Deep Packet Inspection” or DPI. The idea of not only firewalling a protocol, but firewalling what that message is trying to do, allowing for example, a read but not a write command to pass. A number of vendors have released some sort of DPI firewall, and more are adding theirs to the list.
This webinar will explore the uses and special aspects of the industrial control firewall and will review how a firewall works to protect an ICS network. Subsequent webinars will present some of the specific DPI products available on the market today. Who they are from, what protocols they can filter, and what additional functionality they offer.
While many standards have changed, and more information is constantly becoming available, what has not changed is the responsibility of the equipment owner to assure his process is reliable, secure and safe. One major step in that process is the Cybersecurity Vulnerability Assessment. This webinar will discuss the need and the path towards accomplishing that goal.
This three webinar series will walk through the fundamental methodology behind High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. The series will also discuss the relationships between the lifecycle steps, and the flow of information from one analysis to the next. The second webinar will provide a detailed review of the steps and objectives for a Detailed Risk Assessment as well as the benefits of completing a Detailed Risk Assessment, and the information that feeds the Security Level verification.
This three webinar series will walk through the fundamental methodology behind High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. The series will also discuss the relationships between the lifecycle steps, and the flow of information from one analysis to the next. The first webinar will provide a detailed review of the steps and objectives for a High-Level Risk Assessment as well as the benefits of completing a High-Level Risk Assessment, and frame the scope of discussion for the remaining webinars in this series.
This three webinar series will walk through the fundamental methodology behind High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. The series will also discuss the relationships between the lifecycle steps, and the flow of information from one analysis to the next. The final webinar in this series will provide a detailed review of the steps and objectives for performing a semi-quantitative Security Level (SL) Verification as well as the benefits of completing SL Verification, and the information that feeds future lifecycle steps.
In today’s industrial control environment, where over half of ICS have experienced an attack in the last two years, it is not a question of if an attack will occur, but a question of when. When an attack does occur, how will your organization respond? Do you have monitoring in place to detect security excursions? Once the excursion is identified what measures are in place today to respond to and mitigate the concern? This webinar will focus on the keys to an effective Cybersecurity Response and Recovery plan, starting at the moment the attack is discovered all the way to when operation is successfully restored.
Cybersecurity monitoring and metrics are keys to measuring cybersecurity performance, improving the ability to respond when incidents occur, and improving cybersecurity maturity. What metrics does your organization use to measure cybersecurity performance? Do you have monitoring in place today to identify security excursions? In this webinar we will break down how leading and lagging indicators can be used to improve cybersecurity monitoring as well as how improved continuous monitoring capabilities are becoming a critical part of the automation cybersecurity lifecycle. This non-vendor specific webinar will provide general guidelines and criteria that can be used for establishing an effective continuous monitoring capability for any system.
This webinar focuses on a methodology to perform a cybersecurity risk assessment designed to identify potential hazards that can arise from a cybersecurity attack on process control and protection systems. This is done in the context of the functional safety and cybersecurity lifecycles, and the potential process safety, environmental, and financial consequences.
This is the second in a series of webinars which will review vendor products who offer Deep Packet Inspection (DPI). In this webinar we will review the background and steps required to implement an Industrial Control System (ICS) firewall using DPI for Modbus/TCP. Multiple vendors products will be shown and their specific configurations reviewed.
Cybersecurity for industrial control systems has changed significantly in the past two decades as the question has changed from “who would want to target an industrial automation and control system?” to “which industrial facility will be affected next?” This webinar will review major industrial cybersecurity incidents including: Stuxnet, the attack on the Sadara Petrochemical Facility, NotPetya, and the German Steel Mill. These events and others will be used as case studies to outline how industrial cybersecurity has been shaped over the years, and introduce key lessons learned that will help IACS be better prepared to defend against and respond to cybersecurity incidents.
This webinar will discuss how to make an objective assessment of a vendors equipment to see where it meets (or doesn’t meet) the IEC 62443 requirements through the use of a report card. The report provides a visual presentation of the results that are easy to view and follow. It covers the 7 fundamental requirements of IEC 62443, as well as communications robustness testing and the security development lifecycle. This will give the end user confidence that the products they are using are as secure as possible.
This webinar will introduce and discuss the exida Automation Cybersecurity (ACS) program. This is a certificate program that addresses a growing need to provide confirmation that an attendee showed competency by retaining the knowledge presented in a training course. The ACS program will also provide an analysis of where the candidate’s strengths and weaknesses lie. This program will also help a participant judge their competency level if interested in obtaining a certification like the Certified Automation Cybersecurity Expert (CACE) or Certified Automation Cybersecurity Specialist (CACS).
Many integrators and service providers are realizing the benefits of cybersecurity certification both as a business differentiator and way to reach new clients, and even as a prerequisite for consideration in some applications. The IEC 62443-2-4 and IEC 62443-3-3 standards provide detailed requirements for the integration and maintenance practices and security system requirements, respectively. At first the process for achieving compliance and certification may seem daunting, but in this webinar, we will cover all of the information needed to begin making progress towards the goal of process or system certification based on lessons learned from many certification projects.
This webinar will demonstrate how exSILentia cyber supports the completion of high-level risk assessments consistent with the methodology described in part one of the Cybersecurity Risk Assessment and Security Level Verification series. This webinar will provide a brief description of the method and then focus on how the exSILentia cyber tool can be used to effectively complete and document high-level risk assessments in a consistent manner considering the example chemical plant. The main track of the Cybersecurity Risk Assessment and Security Level Verification series will continue later this month with Part Two - Detailed Risk Assessments
Many organizations have mature processes in place for evaluating process or machinery hazards in traditional safety risk assessments, but fewer have developed a robust approach to cybersecurity risk assessment. Alignment between safety risk assessment and cybersecurity risk assessment is critical, and the 2016 version of IEC 61511 now requires that a cybersecurity risk assessment be conducted for all Safety Instrumented Systems (SIS) and connected systems. Fortunately, traditional process hazard analyses (PHAs) have valuable information that can be used to improve the speed and efficiency of the cybersecurity assessment, including corporate risk criteria, potential consequences resulting from control system failures, severity rankings for consequence scenarios, existing mechanical protection layers. With this information organizations can jumpstart their approach to managing cybersecurity risk.
Cybersecurity management is critical for maintaining a secure Industrial Control System over time. Having well documented procedures from risk assessment, through system design, and into the operations and maintenance phase is a key difference between a purely reactive cybersecurity posture and a mature approach that builds on continuous improvement. Using templates for these policies and procedures not only speeds up the development process, but also ensures alignment with the IEC 62443 standards and industry best practice.
Cybersecurity management has become a business imperative for organizations across many industries. The first attempt can result in mounds of unruly and often unhelpful paperwork. This problem can be emphasized by identifying the correct location of cybersecurity requirements: Is the correct file for documenting the firewall rules, the firewall policy overview, firewall installation procedure, the access control philosophy, the system zone & conduit diagram, or some combination of all the above?
With a Cybersecurity Management System (CSMS), one central document outlines the “what” an organization aims to achieve for cybersecurity and provides clear direction on where to find the procedures that outline the “how” for a given security task, leading to effective cybersecurity management and fewer headaches.
Cybersecurity has become a significant and credible threat to process safety. The consequences of cyber-attacks are well understood for business networks (e.g. data theft, ransomware, denial of service), but for Industrial Automation and Control Systems (IACS) there is the potential for even more severe consequences because IACS control physical systems in the real world. Case studies will be used to demonstrate how cyber-attacks on IACS can cause damage to equipment, the environment, and safety. This webinar will look at how cybersecurity is impacting process safety, considering the impact of cybersecurity events on traditional strategies for safeguarding and risk assessment, as well as introduce key steps for managing cybersecurity risk.
This webinar examines the revision in IEC61511-1 earlier this year to include a new clause regarding Cybersecurity and how this will impact end users. It has been recognized for sometime now that Industrial Control Systems can be susceptible to cybersecurity events, which could have potentially disastrous effects on Safety Instrumented Systems and Basic Process Control Systems. How immune a SIS or BPCS is depends upon how it was designed, its network topology and “openness” to the outside world. Compromising a SIS could result in a loss of protection, or worse still initiate unsafe or unstable process conditions.
After a number of cybersecurity attacks on industrial control systems (ICS), most plant owner/operators now consider a cybersecurity attack to be a credible risk. In 2007 the ISA Security Compliance Institute (ISCI) was founded and defined the first cybersecurity certification scheme. Now in 2018, IEC 62443 standards have since been released, new schemes have been defined based on cybersecurity experience and these new standards. The presentation will describe the IEC 62443 Certification Program based on the progression of the IEC62443 standard.
This webinar gives a short overview of IEC 62443 and agile/Scrum and then shows one way to incorporate the requirements for IEC 62443-4-1/2 into an agile/Scrum process.
When it comes to process safety, most companies will focus on the functional safety lifecycle and compliance with IEC61511. However, with the advent of the industrial internet of things (IIOT) and the growing use of wireless technologies, it is becoming more important to consider cybersecurity and the consequences of control and safety systems being compromised due to a cyber-related incident. Recent ransomware attacks such as Wannacry and NotPetya have again highlighted the need to be more vigilant when it comes to protecting control systems and OT infrastructure. The number of Malware attacks has risen exponentially over the past 10 years but still companies have been slow to react.
The update to IEC61511 in 2016 to include a cybersecurity assessment of an SIS, means companies can no longer procrastinate and/or delay reviewing any SIS for cyber vulnerabilities. Since the standards for functional safety (IEC61511) and cybersecurity (IEC62443) both follow a similar 3 phase lifecycle, it makes sense to consider these two together, when it comes to process safety. This means being just as vigilant with cybersecurity, as with functional safety. As such an integrated lifecycle approach will help in mitigating risk.
This webinar highlights the risks and need to address cybersecurity per the IEC61511 standard and the reasons why. Ignorance may be bliss until your system, network and plant becomes compromised. Then it’s a whole other story.
Proactive cybersecurity efforts have been on the rise. Some even call it “Trending.” ISA and the global IEC 62443 committee have taken the baton and created a set of standards to help protect manufacturers, end users, and people. The IEC 62443 document series is an international standard intended to provide a flexible framework to enhance Industrial Automation Control System (IACS) cybersecurity. IEC62443-4-1 and IEC62443-4-2 were created with the Software Developer’s roles and responsibilities in mind.
Software Development Experts have started taking the initiative and are taking this exam to become a Certified Automation Cybersecurity Expert (CACE).
If you are someone that has ever wanted to become a leader, a mentor, or someone that just wants to stay ahead of the curve, then this webinar will be extremely valuable.
The presence of threats, and the success of attacks has been felt by virtually every individual and organization around the world. Protecting assets must be a well-organized, wide ranging effort that involves everyone who has assets to protect. There are organizational conflicts to understand, policies to create, and specific security activities to coordinate. This webinar discusses key aspects of a Industrial Automated Control System (IACS) Cybersecurity Program, provides concrete recommendations for getting started, and references that provide additional insight.
IEC 62443-3-3 System Security Requirements and Security Levels documents the seven foundational requirements for achieving robust system cybersecurity. These requirements can be applied to integrated industrial automation and control systems (either implemented in-house by an end-user or provided as an automation solution by a service provider). This webinar will cover the structure and key concepts from the standard, as well as introduce the process of IEC 62443-3-3 certification, and the benefits that system certification can provide to integration service providers and end-users.
IEC 62443-2-4 documents “a comprehensive set of requirements for security capabilities for IACS service providers.” These requirements can be applied to integration or maintenance service providers and documents a framework for negotiations between asset owners and IACS service providers for cybersecurity requirements. This webinar will cover the structure and key concepts from the standard, as well as introduce the process of IEC 62443-2-4 certification, and the benefits that certification can provide to integration and maintenance service providers.
This webinar provides an introduction to Control System Cyber Security and the Security Lifecycle for managers and engineers involved in operating, maintaining and integrating Industrial Automation and Control Systems. While the course follows the Security Level Lifecycle from ANSI/ISA-99.01.01 and ANSI/ISA-99.02.01, it also references other relevant industry standards and industry best practices, in particular drawing parallels to the well established Functional Safety Lifecycle from ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod).
Information Technology and Operational Technology are the two groups responsible for managing industrial cybersecurity, but often they work separately with little communication or common understanding of how each groups’ objectives play a role in the overall cybersecurity of the IACS. Developing clear communication and common understanding between IT and OT groups is essential for securing the IACS from the business network to the BPCS and SIS zones.
Co-presented by exida Senior Cybersecurity Engineer Robert Michalsky.
This webinar outlines the steps and process exida takes to perform its Cybersecurity Vulnerability Assessment without it taking on the uncomfortable feeling of an audit. The spirit of the assessment needs to be cooperative to be successful for both parties. We are not issuing pass/fail criteria, we are not hiding the results to give you a simple pass/fail rating. We are looking to evaluate you against best practice and standards, recommend enhancements, and document what you have already done right.
We discuss:
In early February of this year a water treatment facility was compromised in Florida. The attackers successfully increased the concentration of sodium hydroxide (also known as lye) by a factor of 100 risking potential illness for the public as well as significant erosion and pipe damage. Fortunately, operators of the Oldsmar water treatment facility saw the attackers increase the concentration and were able to return the concentration to normal levels before there was any risk for harm to the public. This near-miss highlights several important trends for industrial cybersecurity: Industrial cybersecurity incidents can have major health and safety implications, Critical infrastructure makes an attractive target to a variety of hackers, Critical infrastructure is highly susceptible to cybersecurity attack. In this webinar we will review what is known so far about the attack on the Florida water system and identify practical steps that can be taken to improve the cybersecurity of critical infrastructure systems.
Lessons Learned From Actual Control System Security Incidents and Assessments
The IEC 62443 document series is an international standard intended to provide a flexible framework to enhance Industrial Automation Control System (IACS) cybersecurity. Seven core functional requirements are used to assist with the design, development, testing and construction of an integrated security architecture. As the Security Level (SL) targets and capabilities are defined, cybersecurity metrics become necessary to be able to assess the efficacy and comprehensiveness of the design. These Security Levels are organized into four increasing tiers each requiring more stringent controls be in place.
As the security architecture matures and the logical and physical assets are grouped into zones, they need to be evaluated along with the connections and data flows between zones that are called conduits. Both the zones and conduits need appropriate security controls to insure plant operational safety. Cybersecurity Best Practices have principles (such as ‘defense in depth’) that can be evaluated through cybersecurity metrics that evaluate architectural components such as zones and conduits.
Furthermore, security is a process that requires continual risk management and risk reduction via the mitigation of identified threats. Cybersecurity metrics are generated and evaluated to determine if adequate risk management is being enabled. Through the usage of well defined, repeatable and accurate cybersecurity metrics, SL adequacy can be assessed.
This presentation goes through the IEC 62443 foundational requirements and describes appropriate and relevant security metrics for evaluating that architectural components such as zones and conduits have appropriate cybersecurity controls in place and that the SL target has been achieved.
The Industrial Internet of Things (IIoT) offers companies many potential benefits such as decreased operational costs and further optimized processes; however, the increased use of wireless control networks also introduces the potential for additional cybersecurity risks. This webinar will briefly review the trends in IIoT and discuss important factors to consider when mitigating the additional risk of wireless control networks.
Cybersecurity Threat Analysis is the process of creating an abstract model of an automation system in an assumed cybersecurity threat environment in order to identify security problems and mitigation measures. This webinar explains the Threat Analysis method, objectives, and output using the exida ARCHx tool. An example of how one threat might impact an automation component and possible mitigation techniques from the Cybersecurity Knowledge Base will be described.
This webinar focuses on a methodology to perform a cybersecurity risk assessment designed to identify potential hazards that can arise from a cybersecurity attack on process control and protection systems. This is done in the context of the functional safety and cybersecurity lifecycles, and the potential process safety, environmental, and financial consequences.
As we have read in the media recently, regarding the Colonial Pipeline cybersecurity incident, the vulnerability of critical infrastructure to cybersecurity incidents is very real. However, it is not just cybersecurity incidents that can adversely affect pipeline operators but also functional safety issues too. It is quite alarming the statics regarding pipeline incidents that have occurred over the past 10 years, as published by the Pipelines and Hazardous Materials Safety Administration (PHMSA). According to PHMSA, since 2010 there have been 906 incidents that have occurred in pipelines that were installed within the decade, up to 2020. This is compared to the same number of incidents occurring in the same period for pipes installed in the 40 years between 1970 and 2009. Clearly, there needs to be closer attention paid to pipeline safety and security.
From its studies, PHMSA established that the primary cause of these incidents was equipment failure, with leakage being the second highest cause. The American Petroleum Institute (API) issued API 1160 3rd edition in 2019 to cover overall pipeline safety with updates on pipeline mechanics, as well as API 1164 (2009) to cover SCADA cybersecurity. However, is this really, enough or should a more risk-based, performance approach based upon a 3-phase lifecycle, as proposed by International Standards, be adopted?
The webinar highlights some of the issues, concerns, standards involved with pipelines and proposes some further considerations for pipeline safety and security.
What you will learn?
Who should attend?
This webinar will provide a brief overview of the IEC62443 family of standards, and then look at recent security breaches to see if they could have been avoided by following the best practices described in these standards. Completely avoiding cyber-attacks is likely not possible, but significantly decreasing the probability of a successful attack is feasible by following these guidelines.
Cybersecurity is rapidly becoming something the process safety can no longer ignore. It is part of the Chemical Facility Anti-Terrorism Standards (CFATS). In addition, the President’s Executive Order 13636– “Improving Critical Infrastructure Cybersecurity,” has drawn attention to the need for addressing cybersecurity in our plants as it has been demonstrated that in our new world, they are now a source of potential process safety incident.
IEC 61508[2], “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)” now has a requirement to address cybersecurity in safety instrumented systems and ANSI/ISA 84.00.01, “Functional Safety: Safety Instrumented Systems for the Process Industry Sector” is looking to include this requirement in the next revision. Currently the industry is playing catch up as there tends to be a gap in understanding between information technologists, traditionally responsible for cybersecurity, and the process automation and process safety engineers responsible for keeping our plants safe with help from automated controls and safety instrumented systems. As a result, guidance is being developed, but much of it continues to be a work in progress.
The past two years have been a wakeup call for the industrial automation industry. It has been the target of sophisticated cyber attacks like Stuxnet, Night Dragon and Duqu. An unprecedented number of security vulnerabilities have been exposed in industrial control products and regulatory agencies are demanding compliance to complex and confusing regulations. Cyber security has quickly become a serious issue for professionals in the process and critical infrastructure industries.
If you are a process control engineer, an IT professional in a company with an automation division, or a business manager responsible for safety or security, you may be wondering how your organization can get moving on more robust cyber security practices. This white paper will give you the information you need to get started. It won’t make you a security expert, but it will put you on the right path in far less time than it would take if you were to begin on your own.
We began by condensing the material from numerous industry standards and best practice documents. Then we combined our experience in assessing the security of dozens of industrial control systems. The result is an easy-to-follow 7-step process:
Step 1 – Assess Existing Systems
Step 2 – Document Policies & Procedures
Step 3 – Train Personnel & Contractors
Step 4 – Segment the Control System Network Step 5 – Control Access to the System
Step 6 – Harden the Components of the System Step 7 – Monitor & Maintain System Security
The remainder of this white paper will walk through each of these steps, explaining the importance of each step and best practices for implementing it. We will also provide ample references for additional information
With the ever changing threats posed by cyber events of any nature, it has become critical to recognize these emerging threats, malicious or not, and identify the consequences these threats may have on the operation of an industrial control system (ICS). Cyber-attacks over time have the ability to take on many forms and threaten not only industrial but also national security.
Saudi Aramco, the world’s largest exporter of crude oil, serves as a perfect example depicting how devastating a cyber-attack can truly be on an industrial manufacturer. In August 2012, Saudi Aramco (SA) had 30,000 personal computers on its network infected by a malware attack better known as the “Shamoon” virus. According to InformationWeek Security this was roughly 75 percent of the company’s workstations and took 10 days to complete clean-up efforts.
The seriousness of cyber-attacks in regards to national security was addressed by former United States Secretary of Defense Leon W. Panetta in his speech on October 2012. Panetta issued a strong warning to business executives about cybersecurity as it relates to national security.” A cyber-attack perpetrated by nation states [and] violent extremists groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze the nation,” he stated. “For example, we know that foreign cyber actors are probing America’s critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout this country.”
In addition to Panetta’s address, the U.S. Department of Homeland Security has issued several alerts about coordinated attacks on gas pipeline operators, according to a May 2012 report by ABC News.
This whitepaper will focus on the significance of cyber-attacks on industrial control systems (ICS) and how these attacks can be prevented by proper practice of the ICS Cybersecurity lifecycle.