The growing cyber threat to reliable operations - ABB Group

APRIL 12, 2017 | X Jornadas Técnicas ABB en Chile | Mike Radigan, Senior Advisor, Cyber Risk Management

Page 1: The growing cyber threat to reliable operations - ABB Group

APRIL 12, 2017

The growing cyber threat to reliable operations

X Jornadas Técnicas ABB en Chile

Mike Radigan, Senior Advisor, Cyber Risk Management

Page 2: The growing cyber threat to reliable operations - ABB Group

Lobby of ABB Power Generation in Wickliffe, Ohio USA

Inspiration from the founder of Bailey Meter Company

April 18, 2017 | Slide 2

Page 3: The growing cyber threat to reliable operations - ABB Group

Lobby of ABB Power Generation in Wickliffe, Ohio USA

Page 4: The growing cyber threat to reliable operations - ABB Group

Agenda

Introduction

What is Cyber Risk?

- Plant manager objective

Cyber threat landscape

- Malware, Ransomware

Cost effective cyber risk management

- ABB services and solutions

Page 5: The growing cyber threat to reliable operations - ABB Group

What is Cyber Risk?

Risk = the probable frequency and probable magnitude of future loss

The Open FAIR Risk Ontology is a set of analytic models for performing Quantitative Risk Analysis and deriving a financial representation of risk (loss exposure). See resource slide for more information.

Page 7: The growing cyber threat to reliable operations - ABB Group

What is Cyber Risk?

Question: Estimate the most likely range for the number of Loss Events due to cyber incident at your plant in next 5 yrs:

Loss event = an unplanned outage or loss of production as a result of a cyber incident

Audience Answer Choices:

1. Zero, it will never happen
2. Zero to One
3. One to Two
4. Two to Three
5. Three to Four

Page 8: The growing cyber threat to reliable operations - ABB Group

What is Cyber Risk?

Question: Estimate the most likely range for the number of Loss Events due to cyber incident at your plant in next 5 yrs:

US Customer Survey Results

- 77% < One
- 23% > One

How much cyber risk do these answers represent?

Survey of 225 US based power generation sites conducted during the ABB Customer Cyber Security Special Interest Group 2016

Page 9: The growing cyber threat to reliable operations - ABB Group

What is Cyber Risk?

Results for 1800MW Power Plant

Risk increases 3X when the estimate of a cyber incident goes from 0-1 to 1-2 over a 5 yr period

Cyber Incident => Forced Outage; Frequency = (0-1) / 5 yrs; Annualized Risk = $157,207

| | Min | Avg | Most Likely | Max |
|---|---|---|---|---|
| Primary LEF/Year | 0.04 | 0.10 | 0.11 | 0.16 |
| Primary LM | $996,049 | $1,827,610 | $1,700,991 | $2,781,095 |
| Secondary LEF/Year | 0.02 | 0.05 | 0.05 | 0.09 |
| Secondary LM | $4,032 | $10,517 | $8,664 | $21,539 |
| Total LE | $59,410 | $183,781 | $157,207 | $389,974 |

Cyber Incident => Forced Outage; Frequency = (1-2) / 5 yrs; Annualized Risk = $577,498

| | Min | Avg | Most Likely | Max |
|---|---|---|---|---|
| Primary LEF/Year | 0.22 | 0.30 | 0.28 | 0.36 |
| Primary LM | $982,152 | $1,843,837 | $1,739,665 | $2,793,489 |
| Secondary LEF/Year | 0.11 | 0.15 | 0.15 | 0.19 |
| Secondary LM | $3,775 | $10,516 | $10,776 | $22,568 |
| Total LE | $295,403 | $554,769 | $577,498 | $922,840 |
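An added example, not from the original slides: a Monte Carlo simulation showing how annualized loss exposure follows from loss event frequency (LEF) and loss magnitude (LM) ranges like those on slide 9. It assumes PERT distributions built from each row's Min, Most Likely and Max and sums primary and secondary LEF x LM per trial; the function names are illustrative, and the simulated means land near, not exactly on, the slide's Avg figures.

```python
import random

# Ranges copied from slide 9 as (min, most likely, max).
# Assumption: they are used here as PERT inputs; the slide does not say
# which distributions produced its figures.
SCENARIOS = {
    "0-1 events / 5 yrs": {
        "primary":   {"lef": (0.04, 0.11, 0.16), "lm": (996_049, 1_700_991, 2_781_095)},
        "secondary": {"lef": (0.02, 0.05, 0.09), "lm": (4_032, 8_664, 21_539)},
    },
    "1-2 events / 5 yrs": {
        "primary":   {"lef": (0.22, 0.28, 0.36), "lm": (982_152, 1_739_665, 2_793_489)},
        "secondary": {"lef": (0.11, 0.15, 0.19), "lm": (3_775, 10_776, 22_568)},
    },
}

def pert(rng, low, mode, high):
    """Draw one value from a PERT (scaled beta) distribution."""
    span = high - low
    alpha = 1 + 4 * (mode - low) / span
    beta = 1 + 4 * (high - mode) / span
    return low + span * rng.betavariate(alpha, beta)

def simulate(scenario, trials=50_000, seed=1):
    """Return sorted annualized loss exposure samples (LEF x LM, summed)."""
    rng = random.Random(seed)
    samples = []
    for _ in range(trials):
        total = 0.0
        for part in scenario.values():
            total += pert(rng, *part["lef"]) * pert(rng, *part["lm"])
        samples.append(total)
    samples.sort()
    return samples

def summarize(samples):
    """Mean plus 10th and 90th percentiles of the simulated exposure."""
    n = len(samples)
    return {"mean": sum(samples) / n, "p10": samples[n // 10], "p90": samples[(9 * n) // 10]}

def compare():
    """Summaries for both frequency estimates, keyed by scenario name."""
    return {name: summarize(simulate(s)) for name, s in SCENARIOS.items()}

if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, {k: round(v) for k, v in stats.items()})
```

The p10 to p90 spread is the part a single "Annualized Risk" figure hides: it shows how wide the exposure band is for each frequency estimate.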

Page 10: The growing cyber threat to reliable operations - ABB Group

What is Cyber Risk?

Fragile “Low” Risk Condition

Exists when the low risk rating is dependent upon a single control or a low threat event frequency.

§ Network isolation

§ Disconnected from the Internet

§ No connection to the corporate network

§ No thumb (pen) drives

Current State of Industry

“I just love these things! … Crunchy on the outside and a chewy center!”

Page 11: The growing cyber threat to reliable operations - ABB Group

Cost effective cyber risk management

Plant Manager Game Plan

Is to simply find ways that either outage frequency, outage duration, or both, can be reduced and kept at a level that allows the operation to consistently and cost effectively deliver its value proposition.

Reduce Outage Frequency (Loss event)

Reduce Outage Duration (Loss Magnitude)

Page 12: The growing cyber threat to reliable operations - ABB Group

Agenda

Introduction

What is Cyber Risk?

- Plant manager objective

Cyber threat landscape

- Ransomware

Cost effective cyber risk management

- ABB services and solutions

Page 13: The growing cyber threat to reliable operations - ABB Group

Level 2 NERC Alert

Issued in response to the cyber attack methods on the Ukraine power grid

NERC Alert Levels

Page 14: The growing cyber threat to reliable operations - ABB Group

Cyber threat landscape

Page 15: The growing cyber threat to reliable operations - ABB Group

Cyber threat landscape

Page 16: The growing cyber threat to reliable operations - ABB Group

Cyber threat landscape

Ransomware Case Studies presented at S4x17 ICS Cyber Security Sessions, Jan 10-12, 2017 in Miami South Beach:

• US based “small energy firm”, knocked out power to its power clients.

• Brazilian “global electric utility company”, control center taken down.

Page 17: The growing cyber threat to reliable operations - ABB Group

Cyber threat landscape

Page 18: The growing cyber threat to reliable operations - ABB Group

Cyber threat landscape

Page 19: The growing cyber threat to reliable operations - ABB Group

Cyber threat landscape

Page 20: The growing cyber threat to reliable operations - ABB Group

Cyber threat landscape

Page 21: The growing cyber threat to reliable operations - ABB Group

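| Most Common Detections | count | Trojan | Virus-like (PE Infector) | Virus-like (storage hopping) | Approximate First Seen |
|---|---|---|---|---|---|
| sivis | 15863 | ❔ | ✅ | ✅ | 2012 |
| lamer | 6830 | ❔ | ✅ | ✅ | 2012 |
| ramnit | 3716 | ✅ | ✅ | ✅ | 2011 |
| sinowal | 2909 | ✅ | ❌ | ❌ | 2006 |
| cosmu | 2769 | ✅ | ✅ | ✅ | 2013 |
| virut | 1814 | ✅ | ✅ | ✅ | 2007 |
| eldorado | 1554 | ❔ | ❔ | ❔ | 2012 |
| skeeyah | 1486 | ✅ | ❔ | ❔ | 2015 |
| androm | 1471 | ✅ | ❌ | ❌ | 2013 |
| sality | 1225 | ❔ | ✅ | ✅ | 2003 |
| zatoxp | 1093 | ❌ | ✅ | ✅ | 2012 |
| neshta | 1085 | ❌ | ✅ | ❌ | 2008 |
| nimnul | 963 | ✅ | ✅ | ✅ | 2013 |
| visisig | 905 | ❔ | ✅ | ✅ | 2012 |
| siggen | 642 | ❌ | ✅ | ✅ | 2012 |
| graftor | 586 | ❌ | ✅ | ✅ | 2012 |
| virtob | 468 | ✅ | ✅ | ✅ | 2007 |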

Source: Dragos MIMICS Report 2017

Page 22: The growing cyber threat to reliable operations - ABB Group

External business drivers

Regulatory Requirements

Cyber Threats & Due Care

The vice will tighten over next 3-5 years until cybersecurity is no longer “optional”

Fines & Penalties

Cyber Incidents & Losses

Page 24: The growing cyber threat to reliable operations - ABB Group

Cost effective cyber risk management

Page 25: The growing cyber threat to reliable operations - ABB Group

Cost effective cyber risk management

Plant Manager Game Plan

Reduce Outage Frequency (Loss event)

ABB Services and Solutions

- Cyber Security Fingerprint
- Network Segmentation
- System Hardening
- Microsoft Security Patch Updates
- Anti-Virus Updates
- Intelligent Whitelisting
- File Sanitizer (removable media protection)

Reduce Outage Duration (Loss Magnitude)

ABB Services and Solutions

- Software Backup & Recovery
- Annual validation of ability to recover
- Automation & Power Generation Care
- Spare equipment

Page 26: The growing cyber threat to reliable operations - ABB Group

Cost effective cyber risk management

Cyber Security Fingerprint

• Is a non-intrusive assessment, can be performed on live system

• Comparative analysis to ABB security baseline

• Provides a comprehensive view of your site’s cyber security status

• Identifies strengths and weaknesses for defending against an attack within your plant’s control systems

• Reduces potential for system and plant disruptions

• Supplies a solid foundation from which to build a sustainable cyber security strategy

• Is a Benchmark against industry best practices for cyber security

Page 27: The growing cyber threat to reliable operations - ABB Group

Cost effective cyber risk management

System Hardening

• ABB Secure Deployment Guides for Symphony Plus and System 800xA

• Applies principle of least function

• Applies principle of least privilege

• Reduces attack surface

Get down to PT boat sized

Page 28: The growing cyber threat to reliable operations - ABB Group

Cost effective cyber risk management

Security Patch Delivery

Simple, accurate and secure patch deployment

Monthly delivery of approved security patch updates on secure media (DVD)

– Includes:

• ABB software security patch validation documents

• Microsoft and approved software security patch updates

• McAfee anti-virus DAT file

– Use stand-alone or with the ABB Patch Management Utility software

– Organized by system profile folders for ease of deployment to node

Page 29: The growing cyber threat to reliable operations - ABB Group

Cost effective cyber risk management

Patch Management Utility

Simplified means of managing site patching process

– ABB IAPG developed and maintained

– Ability to support all major ABB Platforms

• 800xA Symphony Plus

• Advabuild PGP

• P14

– Aligned with monthly ABB Patch Validation Documents

– Uses Patch DVD for input

– Reduces time and effort in deploying Microsoft patches

• Removes human error from process

• Provides patch update statistics

Page 30: The growing cyber threat to reliable operations - ABB Group

Cost effective cyber risk management

Security Patch Management

Service Options Include:

• Basic – Security Patch Disc (monthly approved patches)

• Select – Security Patch Disc + Quarterly system report

• Proactive – ABB installs patches periodically + system report

• Remediation – One-time site visit to update system with current patches

Solution Options Include:

• Security Workplace (SWP) – Centrally Managed Server

• Patch Management Utility

• McAfee Anti-Virus management

• Software Backup and Restore

• Security Update Service (SUS) – Centrally Managed Server while using a RAP Connection (Global)

Page 31: The growing cyber threat to reliable operations - ABB Group

Security Workplace MAINTAIN

Baseline Security: Automated Backup and Recovery

ABB provides an Automated Backup and Recovery solution that is validated and tested to maximize DCS and plant availability. The backup software is configured to capture full disk images and critical files to cover the full range of restoration requirements such as restoring an entire server or a simple restoration of a deleted file such as a graphic.

Default backup plan

Each machine will have:

− Full backups once a month

− Differential backups once a week

− Incremental backups every day

− Images shall be retained for 90 days

− Conversion to VM to test backup

Page 32: The growing cyber threat to reliable operations - ABB Group

Cost effective cyber risk management

Intelligent Whitelisting

§ Ideal for static environments

§ Superior protection to Anti Virus

§ Protects systems in between patch cycles

§ Enables flexibility in patch scheduling

§ Will stop “zero day” attacks

§ Pre-Approved Proposal

§ Installed base customers

“If I can have one thing for Christmas it would be Whitelisting”

Mark Bristow, Deputy Chief, NCCIC Incident Response at U.S. Department of Homeland Security

Page 33: The growing cyber threat to reliable operations - ABB Group

Process for Trusted File Transfer

FILE SANITIZER

Addresses Two Major Threats:

§ Weaponized Files

§ Compromised Device

Diagram labels: CD/DVD; Storage devices; SANITIZED FILES; Administration network; Operational network; Management Server; Monthly Anti Virus & Software updates; Logs (HTTPS); Anti virus update (HTTPS)

Page 34: The growing cyber threat to reliable operations - ABB Group

Q&A and Contact information

If you have questions, please contact me further

Speaker

Mike Radigan

ABB Inc.

– +1 614-398-6241

[email protected]

Heidelberg Castle, Germany

Page 35: The growing cyber threat to reliable operations - ABB Group

Industry Standards & Regulatory Requirements

Exercise Due Care

ISA-99/IEC-62443: International Society of Automation’s Industrial Automation and Control Systems Security, also adopted by the International Electrotechnical Commission

NERC CIP v5: North American Electric Reliability Corporation Critical Infrastructure Protection

NIST Cyber Security Framework: National Institute of Standards and Technology’s Cyber Security Framework

NIST Special Publication 800-82 Rev 2: Guide to Industrial Control Systems (ICS) Security

ICS-CERT: Industrial Control System Cyber Emergency Response Team Defense-in-Depth Recommended Practices

NEI 08-09: US Nuclear Energy Institute’s Cyber Security Plan for Nuclear Power Reactors

ISO 27000: International Organization for Standardization’s Information technology

Page 36: The growing cyber threat to reliable operations - ABB Group

Resources for Open FAIR

Established FAIR as an International Standard

§ Standard for Risk Analysis

§ Standard for Risk Taxonomy

§ Certification for FAIR Analyst in Nov 2013

Factor Analysis of Information Risk (FAIR) is a set of analytic models for performing Quantitative Risk Analysis and deriving a financial representation of risk (loss exposure).

Page 37: The growing cyber threat to reliable operations - ABB Group