CASE: Implementation of Cyber Security for Yara Glomfjord

Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, 28.09.2015
Speaker profile – Olav Mo
• ABB Norway
• Integrated Operations
• Cyber Security Manager Oil, Gas and Chemicals
• Team Lead Cyber Security & Infrastructure
• Member of the global ABB Cyber Security organization since 2010
• Working with Cyber Security for Automation since 2003
• Master's degree in Engineering Cybernetics at NTNU
• Thesis on Remote Access to Offshore Oil & Gas Installations
© ABB Group
September 27, 2015 | Slide 2

Agenda
• Cyber security best practices
• Yara Glomfjord
  • Target and timeline
  • Installed Base
  • Deployment Project
  • Service Agreement
• Secure in Deployment
  • Cyber Security Guidelines
  • Cyber Security Services

Cyber security best practices
Lots of support available
[Figure: chart of security standards: IEC 62351, NIST 800-53, IEEE P 1686, NIST Cyber Security Framework, NERC CIP, ISA 99*, IEC 62443, ISO 27K. Legend: Industrial Autom., Energy, IT. Axis labels: Design Details, Technical Aspects, Details of Operations, Management/Process Aspects, Relevance for Manufacturers, Operator, Manufacturer, Completeness.]
Source: ESCoRTS Project (European network for the Security of Control and Real-Time Systems), with ABB additions.
* Since the closing of the ESCoRTS project, ISA decided to relabel the ISA 99 standard to ISA 62443 to make the alignment with the IEC 62443 series more explicit and obvious.

Cyber security best practices
ABB’s view
• ISA 99 / IEC 62443
  • Applicable for operators/users & manufacturers/vendors and has the most significant scope
  • The most prominent standard and it is international
  • ABB will target compliance for 800xA
• NIST Cyber Security Framework
  • Limited details, but a good way to get started for control system users.
• NERC CIP
  • In the US, bulk electric systems have to comply.
[Legend: Industrial Autom., Energy, IT]

Cyber security best practices
IEC 62443
[Figure: IEC 62443 overview; legend: Published (may be under review)]

Cyber security best practices
IEC 62443-2 & IEC 62443-3
2. Policies & procedures
3. System requirements
FR 1 Identification and authentication control
  • User, software, & device authentication
  • Account management
FR 2 Use control
  • Authorization enforcement
  • Auditable events
FR 3 System integrity
  • Communication integrity
  • Malicious code protection
FR 4 Data confidentiality
  • Information confidentiality
FR 5 Restricted data flow
  • Network segmentation
FR 6 Timely response to events
  • Audit log accessibility
  • Continuous monitoring
FR 7 Resource availability
  • Denial of service protection
  • Control system backup

Cyber security best practices
Defense in Depth
The coordinated use of multiple security measures, addressing people, technology, and operations.

Yara Glomfjord
Setting the target
• Yara Technical and Operational Standard 1-17: Production IT Security Standard
  • Describes the security requirements regarding the procurement, set-up, operation and retirement of Production IT systems...
• ABB Cyber Security Guidelines
  • Security Policy
  • Security Design Specification

Yara Glomfjord
Timeline
• 2011: GAP analysis made by Yara Glomfjord towards internal standard
• 2012 Q1: Pre-study by ABB
  • System upgrade seen as most effective solution to get Cyber Security issues addressed
  • Estimated time saving: 55%
  • This would also address system lifetime issues
• 2012 Q2: ABB Cyber Security Guidelines used as basis with necessary adjustments required in Yara internal standards
• 2012 Q4: Upgrade completed and Cyber Security implemented
• 2014: Service Agreement with Cyber Security Services included
• 2015: Renewal of Service Agreement

Yara Glomfjord
Installed base
• External Infrastructure
  • Secure Update Server
  • Firewall
• Computers
  • 12 Operator Workstations
  • 2 Engineering Workstations
  • 7 System Servers
  • Management Server
  • Backup Server
• Controllers
  • 14 800xA AC800M
  • 4 * Advant AC450
• Network Equipment

Yara Glomfjord
Deployment Project – Security Design Specification
• 2. IT Infrastructure
• 3. Security Implementation
  • Secure Update Servers
  • Backup and Recovery
  • Patch Management
  • Anti-Virus
  • Hardening
• 4. Computer and User Configuration
  • Group Policy Management
  • Organizational Units
  • Role Based Access Control
  • Security Configuration (in System 800xA)
• 5. Network and Interface
  • Monitoring
  • Network planning and documentation
  • Communication Interfaces
  • Network Setup for the Execute Project Phase
• 6. Upgrade to System 800xA Rev. A

Yara Glomfjord
Service Agreement
• Basic services (required)
  • Service Desk
  • Change Management
  • Configuration Management (Inventory Database)
  • Field Alert Management (e.g. Security Update and Vulnerabilities)
• Cyber Security Services
  • Service Maintenance and Incident Handling
  • Security Patch Management
  • Antivirus Management
  • System Security Monitoring
  • System Backup and Restore
• Optional Services

Yara Glomfjord
Operational Tasks
• All Cyber Security Services are based on Operational Tasks
• Operational tasks are defined in the Cyber Security Guidelines
• The Engineering team run the Operational Tasks in the Project Deployment phase
• The Service organization take over the responsibility for the Operational phase
• Operational tasks definition
  • Title: Name of task
  • Type: Frequency (Ad-hoc, Daily, Weekly, Monthly, Yearly)
  • Estimated effort: Number of hours
  • Purpose: Brief description of scope
  • Description: Detailed step by step list of actions

Secure in Deployment
Defense in Depth
SD3 + C: Secure by Design, Secure by Default, Secure in Deployment, Communication
The coordinated use of multiple security measures, addressing people, technology, and operations.

Secure in Deployment
Cyber Security Guidelines
Set of documents describing how to engineer and commission projects and maintain and service a system.
• 100 - Security Policy
• 101 - Security Design Specification
• 102 - Antivirus Software
• 103 - Patch Management
• 104 - Secure Default Settings & Hardening
• 105 - Access & Account Management
• 106 - Backup & Recovery
• 107 - Plant Network Topology
• 108 - Secure Remote Access
• 109 - System Connectivity
• 110 - Security Monitoring & Diagnostics

Secure in Deployment
Cyber Security Services
The Cyber Security Services is established to maintain Information Security for critical process systems.
[Figure labels: Fingerprint, Assessment, Implementation, Sustain]
• Security Patch Management
• Antivirus Management
• User and Access Management
• System Security Monitoring
• System Backup and Restore
• Network Management
• Cyber Security Fingerprint

Secure in Deployment
Cyber Security Fingerprint
Benefits:
• Consistent – same everywhere
• High and even quality
• Repeatable
• Based on best practices
• Data
• Collect
• Store
• View
• Analyze
• Interpret
• Report

Secure in Deployment
Cyber Security Assessment
What to protect and how to protect:

Secure in Deployment
Cyber Security Implementation
• Physical Security
• Procedures and Policies
• Microsoft Firewall
• Computer Policies
• Account Management
• Security Updates
• Antivirus Solutions

Secure in Deployment
Cyber Security Sustain
Service agreements are tailored to fit customer needs and can represent everything from a fast response service to a long-term partnership including a wide range of services.
[Figure labels: Site service desk, Scheduled services, Service Environment, Integrated roles, Shared work processes]

How ABB works with Cyber Security
An integral part of ABB’s products and systems