ABB MINING USER CONFERENCE, MAY 02-05, 2017
Cyber Security in Mining Automation
Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division
Agenda
Why worry about cyber security?
ABB’s approach to cyber security
Cyber security roadmap – reaching maturity with ABB Cyber Security Services
May 8, 2017 Slide 2
Cyber security in power and automation
Why is cyber security an issue?

Power and automation today: modern automation, protection, and control systems are highly specialized IT systems that
– leverage commercial off-the-shelf IT components
– use standardized, IP-based communication protocols
– are distributed and highly interconnected
– use mobile devices and storage media
– are based on software (> 50% of the ABB offering is software-related)

Resulting cyber security issues:
– Increased attack surface as compared to legacy, isolated systems
– Communication with external (non-OT) systems
– Attacks from/over the IT world

Attacks are real and have an actual safety, health, environmental, and financial impact
A few common myths

Myth #1 – We are not interesting enough to be a target
“Small companies and industries outside of media attention are not a relevant target”
False
– If it’s worth having, it’s worth stealing
– Attackers’ business models are often built on economies of scale
– Critical infrastructure is often a network of smaller entities

Myth #2 – Security doesn’t pay off
“Strong security is a waste of time and money”
False
– Compromised control systems are NOT reliable and trustworthy and can prevent the customer from achieving its mission.
– Misoperations due to cyber events can become a safety issue.
– Business continuity insurance can become more expensive or even unavailable.

Anyone can become a target, defenses should be risk-driven
A few common myths

Myth #3 – We are air-gapped so we’re immune
“Our system is air-gapped so attackers have no way in”
False
– Staff needs to get data into and out of the system
  • Production schedules, engineering updates, …
  • Production reports, emission reports, …
– Entirely isolated systems are extremely cumbersome and expensive to operate
  • If no communication is built-in, convenient workarounds are improvised, e.g. unapproved networks, temporary connections, portable media

Myth #4 – We’re not on the Internet so we’re immune
“Our system does not have a direct connection to the Internet so attackers have no way in”
False
– Majority of incidents are staged attacks
  • (Spear)phishing to compromise legitimate user accounts
  • Compromise of perimeter networks first, e.g. DMZ, enterprise network
  • Lateral movement to reach more interesting targets

Anyone can become a target, defenses should be risk-driven
The Biggest Challenges
Addressing a unique set of requirements

                          | “Traditional” information technology                     | Power and automation technology
Object under protection   | Information                                              | Physical process
Risk impact               | Information disclosure, financial loss                   | Safety, health, environmental, financial
Main security objective   | Confidentiality, privacy                                 | Availability, integrity
Security focus            | Central servers (fast CPU, lots of memory, …)            | Distributed system (possibly limited resources)
Availability requirements | 95 – 99% (acceptable downtime/year: 18.25 – 3.65 days)   | 99.9 – 99.999% (acceptable downtime/year: 8.76 hrs – 5.26 minutes)
System lifetime           | 3 – 10 years                                             | 5 – 25 years
Agenda
Why worry about cyber security?
ABB’s approach to cyber security
Cyber security roadmap – reaching maturity with ABB Cyber Security Services
Cyber Security @ ABB
Three guiding principles
Reality – There is no such thing as 100% or absolute security
Process – Cyber security is not a destination but an evolving target; it is not a product but a process
Balance – Cyber security is about finding the right balance; it impacts usability and increases cost
Cyber security is all about risk management
ABB Cyber Security
A word from ABB’s CEO
Ulrich Spiesshofer, CEO ABB
“ABB recognizes the importance of cyber security in control-based systems and solutions for infrastructure and industry, and is working closely with our customers to address the new challenges.”
ABB Cyber Security Approach
Full lifecycle coverage
Product: Design – Implementation – Verification – Release – Support
Project: Design – Engineering – FAT – Commissioning – SAT
Plant: Operation – Maintenance – Review – Upgrade
ABB addresses cyber security throughout the entire lifecycle and expects the same from our suppliers
Agenda
Why worry about cyber security?
ABB’s approach to cyber security
Cyber security roadmap – reaching maturity with ABB Cyber Security Services
Three phases in a journey

Diagnose
– Collect information for defined cyber KPIs (data: collect, store, view, analyze, interpret, report)
– Identify risk and compliance status with
  • international standards
  • relevant regulations
  • ABB best practices
  • customer policy and requirements

Implement
– Implement countermeasures to address the identified risks / gaps with defense-in-depth

Sustain
– ABB Customer Care service agreements
  • tailored to fit customer needs for regular maintenance
  • ensure the desired level of security is maintained over time by maintaining and continuously improving the implemented countermeasures, and by adapting the security management system and defense-in-depth concept to the changed threat landscape
Security service offering
How to introduce a security management system?
Inspiration
Note: IEC 62443-2-1 Ed 2.0 is still a work in progress and only available as a draft from ISA.
Two core concepts

Capability Maturity Indicator Levels (MIL)
MIL 0: Generally, no practices are performed
MIL 1: Initial practices are performed but may be ad hoc
MIL 2: Practices are established
– Documented practices
– Stakeholder involvement
– Appropriate resources
– Relevant standards used
MIL 3: Practices are continuously managed
– Policies guide the practices, incl. compliance
– Continuous improvement
– Assigned responsibility and authority
– Role-specific training

Cyber Security Capability Domains
IEC 62443-2-1 (draft Ed 2.0): 1. Risk Management; 2. Information security policies; 3. Organization of information security; 4. Human resource security; 5. Asset management; 6. Access control; 7. Cryptography; 8. Physical and environmental security; 9. Operations security; 10. Communication security; 11. System acquisition, development and maintenance; 12. Supplier relationships; 13. Information security incident management; 14. Information security aspects of business continuity management; 15. Compliance
C2M2 (ONG & ES): 1. Risk Management; 2. Asset, Change, and Configuration Management; 3. Identity and Access Management; 4. Threat and Vulnerability Management; 5. Situational Awareness; 6. Information Sharing and Communications; 7. Event and Incident Response, Continuity of Operations; 8. Supply Chain and External Dependencies Management; 9. Workforce Management; 10. Cybersecurity Program Management

Approach progression (domains) vs. institutionalization progression (maturity levels)
Specific guidance from C2M2
Example: Reaching MIL-1
First step: Determine risk and define target maturity level for each domain
(Figure with per-domain target levels not recoverable from the extracted text.)
Moving from MIL 0 to MIL 1 is a fairly big step
Lean approach
Stage 0 – Getting started

Objectives
– Raise awareness in management and other relevant levels of the organization
– Identify areas of biggest risk generically
  • Doesn’t have to be a very detailed audit
  • Leverage general experience with regards to common causes of incidents
  • Leverage general experience with regards to simple security countermeasures

ABB Cyber Security Services
– Awareness training (often more effective if done by external entities)
– Security assessment / fingerprint
Lean approach
Stage 1 – Introduce basic protection

Objectives
– Establish a foundation for cyber security in operations
– Mitigate the most common risks with countermeasures which the organization is capable of operating
– Demonstrate risk reduction effectiveness by selected examples
– Establish a context-specific, detailed understanding of risk

ABB Cyber Security Services
– Awareness training (continued)
– Security Patch Management
– Malware Protection Management
– System Hardening
– Backup & Recovery Management
– Network Security Management (at least perimeter)
– Basic security monitoring (of the above practices)
– Cyber Security Assessment
– Cyber Security Risk Assessment
Lean approach
Stage 2 – Defend your system

Objectives
– Establish a security management system based on the risk assessment results
– Establish security practices systematically
– Reach compliance to relevant standards (e.g. NERC CIP, IEC 62443-2-1)

ABB Cyber Security Services
– Focused awareness training
– Security policy & procedure development
– Security Patch Management
– Malware Protection Management
– System Hardening
– Backup & Recovery Management
– Network Security Management
– User & Access Management
– Security Monitoring
– Incident Response*
– Cyber Security Assessment
Lean approach
Stage 3 – Manage your risks

Objectives
– Continuously adapt and improve the security management system based on the evolving threat landscape
– Maintain & document compliance with relevant standards

ABB Cyber Security Services
– Security policy & procedure development
– Security Patch Management
– Malware Protection Management
– System Hardening
– Backup & Recovery Management
– Network Security Management
– User & Access Management
– Security Monitoring
– Incident Response*
– Threat Intelligence*
Conclusion
Step-by-step to cyber security maturity
– Introducing cyber security management into control system operations is a major change and can be overwhelming
– Early steps must work towards a solid understanding of context-specific risks and prioritize these
– In parallel, basic controls can be introduced which experience shows will be part of any security management system
– Competent partners are available on the market to bridge transition periods or continuously provide services
Don’t be the deer in headlights – get started with small steps and look for partners!
Cyber Security Fingerprint & Benchmark
Assess & Diagnose
Overview
– Provides a comprehensive view of your site’s cyber security status
– Identifies strengths and weaknesses for defending against an attack within your plant’s control systems
– Reduces potential for system and plant disruptions
– Increases plant and community protection
– Supplies a solid foundation from which to build a sustainable cyber security strategy
It does NOT make the system completely secure.

Cyber Security Fingerprint
Sample results
Cyber Security Training
Consulting
Overview
Cyber security awareness training
– Raise awareness for cyber security threats and risks
– For various audiences (technical as well as management)
Product related security training
– Enables attendees to fully leverage the security capabilities of ABB products, including e.g.
  • Configuration
  • Administration
  • Operation
Security Patch Management
Implement / Sustain
Overview
Modern operating systems and embedded software often need to be patched to defend against emerging threats.
Efficient patch management is an essential part of any security policy, but one that is often neglected.
This service includes the implementation and maintenance of systems that handle security updates for third party software (e.g. Microsoft or Adobe products).
Service can include
– Patch qualification
– Patch delivery (online or offline)
– Patch deployment
Malware Protection Management
Implement / Sustain
Overview
A common threat to control systems is infection with malware, often generic malware circulating on the Internet but also malware targeted at control systems. Common anti-virus solutions are a part of the security architecture recommended by ABB.
ABB experts secure your power and automation systems with industry-standard malware and intrusion protection solutions, like anti-virus protection and application whitelisting.
Service can include
– AV signature updates qualification
– AV signature updates delivery (online)
– AV signature updates deployment
Patch & Malware Protection Management
Offline solution – Security Patch Disc
Overview
The Security Patch Disc Service provides an efficient way for customers with no remote connectivity, but with the need to deploy security patches and antivirus data files.

Benefits:
– The resulting media removes the need for customers to locate the ABB documentation, find the appropriate patches, download them from the Internet, and transfer them via mobile media to the control system.
– Significantly reduced effort, but also reduced risk of transferring a virus or malware using mobile media (e.g. USB drive).

Process:
1) Patch Tuesday – Microsoft releases monthly patches on the 2nd Tuesday of the month.
2) ABB updates status document – ABB lists the released security bulletins and patches in the Security Updates Validation Status document and marks the patches to be tested as "T" (Testing).
3) Security patch testing executed – ABB teams install and test the various ABB products for product compatibility issues; product bulletins are released to the ABB Library, MCS and SolutionsBank.
4) ABB updates status document – Patches then go from "Testing" to "Qualified". Patches may remain in the testing state if further work is needed.
5) Security Patch Disc production – The Security Patch Disc master is produced, manufactured, and shipped.
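The patch qualification step of the service (qualification, delivery, deployment) and the "Testing" / "Qualified" states of the status document above both come down to the same control: a node only receives patches that are qualified for its product, and anything installed outside that gate is visible. The PowerShell below is an added example written for this page, not ABB's code or the format of ABB's status document; the CSV layout, the product names and the KB numbers are constructed for illustration, and the SHA-256 manifest format assumed for the offline media is likewise an assumption.

```powershell
# Added example, not ABB code. Models the qualification states of the status
# document ("T" = Testing, "Q" = Qualified) as a CSV and checks a node against
# it. CSV content, product names and KB numbers are constructed placeholders.

$StatusCsv = @'
KB,Product,Status
KB9000101,Product A 1.0,Q
KB9000102,Product A 1.0,Q
KB9000103,Product A 1.0,T
KB9000104,Product B 2.0,Q
'@

function Get-PatchComplianceReport {
    param(
        [Parameter(Mandatory)] [string]$StatusCsv,
        [Parameter(Mandatory)] [string]$Product,
        # Installed KBs; defaults to what this node reports. Pass a list to run offline.
        [string[]]$InstalledKBs = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )
    $rows      = ConvertFrom-Csv -InputObject $StatusCsv | Where-Object { $_.Product -eq $Product }
    $qualified = @($rows | Where-Object { $_.Status -eq 'Q' } | ForEach-Object { $_.KB })
    $testing   = @($rows | Where-Object { $_.Status -eq 'T' } | ForEach-Object { $_.KB })
    [pscustomobject]@{
        Product              = $Product
        # Qualified for this product but not installed: candidates for the next deployment
        MissingQualified     = @($qualified | Where-Object { $_ -notin $InstalledKBs })
        # Installed although still in Testing: deployed ahead of qualification
        InstalledUnqualified = @($InstalledKBs | Where-Object { $_ -in $testing })
        # Installed but not listed for this product at all: unknown provenance, investigate
        InstalledUnlisted    = @($InstalledKBs | Where-Object { $_ -notin ($qualified + $testing) })
    }
}

function Test-PatchMediaManifest {
    # Verify offline media against a SHA-256 manifest delivered out of band.
    # Assumed manifest format: one "<sha256 hex>  <relative path>" line per file.
    # Returns the files that are missing or do not match; empty means all matched.
    param(
        [Parameter(Mandatory)] [string]$MediaRoot,
        [Parameter(Mandatory)] [string]$ManifestPath
    )
    $bad = @()
    foreach ($line in Get-Content -Path $ManifestPath) {
        if ($line -match '^([0-9a-fA-F]{64})\s+(.+)$') {
            $expected = $Matches[1]
            $file     = Join-Path $MediaRoot $Matches[2].Trim()
            $actual   = if (Test-Path -Path $file) { (Get-FileHash -Path $file -Algorithm SHA256).Hash } else { 'MISSING' }
            if ($actual -ne $expected) { $bad += $file }   # -ne is case-insensitive
        }
    }
    $bad
}

# Offline run with a constructed installed list (no Get-HotFix call):
Get-PatchComplianceReport -StatusCsv $StatusCsv -Product 'Product A 1.0' `
    -InstalledKBs @('KB9000101', 'KB9000103', 'KB9000999') | Format-List
```

Two design points: the installed list is a parameter so the report can be produced from an exported inventory without touching a running controller, and the manifest check is the piece that turns "less mobile media" into a verifiable statement, since a disc whose files match a hash list received by a separate channel is the only case where the media itself can be trusted.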
Patch & Malware Protection Management
Online solution – ABB Security Update Service
Overview
Security Update Service for the automated distribution and deployment of ABB validated cyber security updates using a highly secured methodology.
The ABB Security Update Server is updated with the latest patches validated and approved by ABB:
– Microsoft patches (monthly update)
– McAfee and Symantec pattern files (as supported for the connected system; daily update)
The ABB Security Update Server synchronizes with the plant security server at the customer site. Servers are connected via ABB’s RAP/RAS service.
The plant security server on the customer site distributes the security updates to the connected ABB control system(s).
Update channels:
1. Microsoft patch deployment – WSUS (Server)
2. Antivirus – McAfee daily pattern updates – ePO Server (ePolicy Orchestrator)
3. Antivirus – Symantec daily pattern updates – Symantec Endpoint Protection Server
System Hardening
Implement / Sustain
Overview
An important challenge in any cyber security management system is to maintain a system configuration that is as secure as possible, a task commonly referred to as system hardening.
This service lets you benefit from the in-depth expertise of ABB and the hardening policies that have been vetted rigorously by ABB’s product and service teams.
Hardening may include for example
– removal or deactivation of unused software and services and specific ports
– removal or deactivation of unused user accounts
– generally proper utilization of security options provided by the system, e.g.
  • BIOS passwords in PCs
  • disabling interactive login for service accounts
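A hardening policy is only as good as the check that the node still matches it. The PowerShell below is an added example written for this page, not ABB's hardening policy or tooling: it audits a Windows control-system node against an allow-list baseline for each item in the list above (running services, enabled local accounts, listening TCP ports, and whether service accounts are denied interactive logon). Every baseline value is a placeholder; the real baseline is the vendor's vetted policy for the exact product and version.

```powershell
# Added example, not ABB code. Needs an elevated PowerShell 3.0+ session on
# Windows 8 / Server 2012 or later (Get-NetTCPConnection). BIOS passwords are
# not visible to the OS and remain a manual check.

function ConvertTo-Sid([string]$Account) {
    # Resolve an account name to its SID; $null if the account does not exist.
    try { (New-Object System.Security.Principal.NTAccount($Account)).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }
}

function Get-DenyInteractiveLogonSids {
    # Export the local security policy and return the SIDs listed under
    # SeDenyInteractiveLogonRight. secedit writes entries as "*<SID>" or plain names.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /quiet | Out-Null
    try {
        $line = Get-Content -Path $cfg | Where-Object { $_ -like 'SeDenyInteractiveLogonRight*' } | Select-Object -First 1
        if ($line -and $line -match '=\s*(.*)$') {
            @($Matches[1] -split ',' | ForEach-Object {
                $e = $_.Trim()
                if ($e.StartsWith('*')) { $e.Substring(1) } else { ConvertTo-Sid $e }
            })
        } else { @() }
    } finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }
}

function Get-HardeningFindings {
    param(
        [string[]]$AllowedServices,   # services that may be running (placeholder baseline)
        [string[]]$AllowedAccounts,   # local accounts that may be enabled
        [int[]]$AllowedPorts,         # TCP ports that may be listening
        [string[]]$ServiceAccounts    # accounts that must not log on interactively
    )
    $denied = Get-DenyInteractiveLogonSids
    @(
        # 1. Unused software and services: running services outside the baseline
        Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.Name -notin $AllowedServices } |
            ForEach-Object { [pscustomobject]@{ Area = 'Service'; Item = $_.Name; Detail = 'running, not in baseline' } }
        # 2. Unused accounts: enabled local accounts outside the baseline (CIM also works on older nodes)
        Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True AND Disabled=False' |
            Where-Object { $_.Name -notin $AllowedAccounts } |
            ForEach-Object { [pscustomobject]@{ Area = 'Account'; Item = $_.Name; Detail = 'enabled, not in baseline' } }
        # 3. Open ports: TCP listeners outside the baseline, with the owning process named
        Get-NetTCPConnection -State Listen | Where-Object { [int]$_.LocalPort -notin $AllowedPorts } |
            Sort-Object LocalPort -Unique | ForEach-Object {
                $p = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
                [pscustomobject]@{ Area = 'Port'; Item = $_.LocalPort; Detail = "listening ($p), not in baseline" }
            }
        # 4. Service accounts that are still allowed to log on interactively
        foreach ($name in $ServiceAccounts) {
            $sid = ConvertTo-Sid $name
            if (-not $sid) { [pscustomobject]@{ Area = 'Logon'; Item = $name; Detail = 'account not found' } }
            elseif ($sid -notin $denied) { [pscustomobject]@{ Area = 'Logon'; Item = $name; Detail = 'interactive logon not denied' } }
        }
    )
}

# Placeholder baseline; review the findings before changing anything on a live node.
Get-HardeningFindings -AllowedServices @('EventLog', 'LanmanServer', 'Winmgmt') `
    -AllowedAccounts @('operator', 'svc_historian') -AllowedPorts @(135, 445) `
    -ServiceAccounts @('svc_historian') | Format-Table -AutoSize
```

The script only reports; on a running control node the fix for each finding belongs in a maintenance window after the vendor policy has been consulted, because a service or port that looks unused may be a controller communication path. Running the audit on a schedule and diffing the output is the cheapest form of the "basic security monitoring (of the above practices)" that Stage 1 asks for.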
Backup and Recovery Management
Implement / Sustain
Overview
If the worst does happen, and a cyber-attack or natural disaster strikes, then ABB’s backup and emergency response services enable a rapid recovery to normal operations.
ABB’s backup solutions are designed to preserve the integrity and availability of critical data and of the system itself, no matter what happens to the original. Backups only deliver this if they are kept out of reach of the same compromise (offline or in a separate zone) and restores are exercised regularly.
Network Security Management
Implement / Sustain
Overview
Firewalls protect the perimeter of a network against outsider intrusion. ABB’s managed firewall service ensures your perimeter protection is actively monitored and maintained.
Segregated networks allow for easier enforcement of the principle of least privilege at the network communication level. Segregation is also crucial to contain potential incidents to a defined subsystem and to prevent a single breach of security from spreading throughout the entire system and into other systems.
A well-designed security policy will separate the network into distinct, controlled zones, protected by internal firewalls, so that a compromised server does not mean compromising the entire network.
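The zone-and-conduit idea above has a host-level counterpart: each server in a zone should accept only the connections its conduits permit, so that a breached neighbour in the same zone cannot reach it freely either. The PowerShell below is an added example written for this page, not ABB's network security service or firewall configuration; it applies an inbound default-deny on the built-in Windows firewall and then one explicit allow rule per conduit. The rule names, networks and ports are placeholders standing in for a real zone design.

```powershell
# Added example, not ABB code. Requires Windows 8 / Server 2012 or later and an
# elevated session. -DryRun prints the intended changes without applying them.

# Placeholder conduit list: remote network, local port and protocol per permitted flow.
$Conduits = @(
    @{ Name = 'Conduit: DMZ historian -> OPC UA'; Remote = '10.20.30.0/24'; Port = 4840; Protocol = 'TCP' }
    @{ Name = 'Conduit: engineering jump host -> RDP'; Remote = '10.20.40.10'; Port = 3389; Protocol = 'TCP' }
)

function Set-ZoneConduitRules {
    param([Parameter(Mandatory)] [array]$Conduits, [switch]$DryRun)

    # Default-deny inbound on every profile; outbound stays allowed here and is
    # constrained by the zone firewall in front of the host.
    if ($DryRun) { Write-Output 'Would set DefaultInboundAction=Block on Domain, Private and Public profiles' }
    else { Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block -DefaultOutboundAction Allow }

    foreach ($c in $Conduits) {
        if (Get-NetFirewallRule -DisplayName $c.Name -ErrorAction SilentlyContinue) { continue }  # already present
        if ($DryRun) {
            Write-Output ('Would allow inbound {0}/{1} from {2} ({3})' -f $c.Protocol, $c.Port, $c.Remote, $c.Name)
            continue
        }
        New-NetFirewallRule -DisplayName $c.Name -Direction Inbound -Action Allow -Enabled True `
            -Protocol $c.Protocol -LocalPort $c.Port -RemoteAddress $c.Remote -Profile Any | Out-Null
    }

    # Conduit rules that are no longer in the design are removed, so the host
    # rule set never drifts ahead of the documented zone model.
    Get-NetFirewallRule -DisplayName 'Conduit: *' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -notin $Conduits.Name } | ForEach-Object {
            if ($DryRun) { Write-Output "Would remove stale rule $($_.DisplayName)" }
            else { Remove-NetFirewallRule -Name $_.Name }
        }
}

function Get-InboundAllowSummary {
    # Every enabled inbound allow rule with its port and remote-address filters,
    # for review against the zone design (built-in rules show up here too).
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }
}

Set-ZoneConduitRules -Conduits $Conduits -DryRun
Get-InboundAllowSummary | Format-Table -AutoSize
```

The summary function is the check a practitioner actually wants: after the conduit rules are applied, any enabled inbound allow rule whose remote address is "Any" is a hole in the zone model and should be either scoped to a conduit or disabled. Leave -DryRun on until the output has been compared with the control system's documented communication matrix; a default-deny applied to a server that still needs an undocumented controller connection is an availability incident, not a security gain.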
Cyber Security Assessment
Diagnose
Overview
In-depth survey to obtain detailed information about
– the system infrastructure
– the effectiveness and status of existing cyber security measures.
The assessment is carried out by ABB in close cooperation with the customer and within a clearly defined scope of work.
Collected data is compared against industry best practices and standards to detect weaknesses within your system’s defense.
Pinpoints areas that require action to help protect your system by ensuring it has multiple layers of security.
Proposes a solution that will maintain the system’s cyber security at best-practice levels.
Cyber Security Risk Assessment
Consulting
Overview
This service contains an IEC 62443 based process for performing a cyber security risk assessment. The assessment shall improve the security of the products and systems, perform a threat- and risk-based security status evaluation, and deliver a plan for prioritizing the threats / risks for the control system.
Risk assessment identifies and qualitatively assesses the risk an organization is exposed to.
Security assessment checks compliance with given requirements, e.g. from internal, national or international standards or regulations.
Cyber Security Policies & Procedures
Consulting
Overview
Cyber security will always be a challenge on a global scale; no single solution can keep increasingly interconnected systems secure.
ABB works with customers to understand your processes and procedures, group security policies and computer settings to create a defense-in-depth approach.
Multiple security layers detect and deter threats, if, where and when they may arise.
User & Access Management
Implement / Sustain
Overview
Implementing user accounts and access rights is the recommended mechanism to enforce the principle of least privilege at the user level. Defining user access rights and user policies are both important measures.
Typical user definitions to be implemented are accounts for the process control system, for the demilitarized zone and for remote work.
This service gives the customer peace of mind that users of the system always have the approved and relevant access rights.
Cyber Security Monitoring Service
Sustain
Overview
Identifies, classifies and helps prioritize opportunities to improve the security of your control system by comparing data collected against industry best practices and standards to detect security vulnerabilities.
Features:
– Automatic, non-invasive data gathering
– Proactive analysis of KPIs to detect possible security weaknesses
– On-demand analysis
– On-site or remote access for site personnel and ABB experts
– Configurable alerts (locally and e-mail)
Cyber Security Monitoring Service
User interface
– View (raw data): shows the raw data associated with each channel
– Scan (math function, scheduled): presents KPIs generated from the raw data through periodic diagnostic monitoring
– Track (notification, event-triggered): generates notifications based on predefined KPIs