The growing cyber threat to reliable operations - ABB Group
Transcript of The growing cyber threat to reliable operations - ABB Group
APRIL 12, 2017
The growing cyber threat to reliable operations
X Jornadas Técnicas ABB en Chile
Mike Radigan, Senior Advisor, Cyber Risk Management
Lobby of ABB Power Generation in Wickliffe, Ohio USA
Inspiration from the founder of Bailey Meter Company
April 18, 2017 Slide 2
April 18, 2017 Slide 3
Introduction
What is Cyber Risk?
- Plant manager objective
Cyber threat landscape
- Malware, Ransomware
Cost effective cyber risk management
- ABB services and solutions
April 18, 2017 Slide 4
Agenda
What is Cyber Risk?
The Open FAIR Risk Ontology is a set of analytic models for performing Quantitative Risk Analysis and deriving a financial representation of risk (loss exposure). See resource slide for more information.
April 18, 2017 Slide 5
Risk = the probable frequency and probable magnitude of future loss
What is Cyber Risk?
April 18, 2017 Slide 6
Risk = the probable frequency and probable magnitude of future loss
Question: Estimate the most likely range for the number of Loss Events due to cyber incident at your plant in next 5 yrs:
Loss event = an unplanned outage or loss of production as a result of a cyber incident
Audience Answer Choices:
1. Zero, it will never happen
2. Zero to One
3. One to Two
4. Two to Three
5. Three to Four
April 18, 2017 Slide 7
What is Cyber Risk?
Survey of 225 US based power generation sites conducted during the ABB Customer Cyber Security Special Interest Group 2016
April 18, 2017 Slide 8
Question: Estimate the most likely range for the number of Loss Events due to cyber incident at your plant in next 5 yrs:
US Customer Survey Results
77% < One
23% > One
How much cyber risk do these answers represent?
What is Cyber Risk?
Results for 1800MW Power Plant
April 18, 2017 Slide 9
Risk increases 3X when the estimate of a cyber incident goes from 0-1 to 1-2 over a 5 yr period
Cyber Incident => Forced Outage
Frequency = (0-1) / 5 yrs
Annualized Risk = $157,207
                      Min        Avg          Most Likely  Max
Primary    LEF/Year   0.04       0.10         0.11         0.16
Primary    LM         $996,049   $1,827,610   $1,700,991   $2,781,095
Secondary  LEF/Year   0.02       0.05         0.05         0.09
Secondary  LM         $4,032     $10,517      $8,664       $21,539
Total LE              $59,410    $183,781     $157,207     $389,974
Cyber Incident => Forced Outage
Frequency = (1-2) / 5 yrs
Annualized Risk = $577,498
                      Min        Avg          Most Likely  Max
Primary    LEF/Year   0.22       0.30         0.28         0.36
Primary    LM         $982,152   $1,843,837   $1,739,665   $2,793,489
Secondary  LEF/Year   0.11       0.15         0.15         0.19
Secondary  LM         $3,775     $10,516      $10,776      $22,568
Total LE              $295,403   $554,769     $577,498     $922,840
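How figures of this kind are produced, as an added example (not part of the original slides or of any ABB or Open FAIR tool): a small Monte Carlo run that multiplies loss event frequency (LEF) by loss magnitude (LM) to get annualized loss exposure (LE) for the two frequency estimates. Assumptions: the function names, the uniform and triangular distributions, and the 0.5 secondary share are chosen here for illustration, and the LM ranges reuse the Min / Most Likely / Max cells of the first table as inputs.

```python
import random
import statistics

# Loss magnitude per event in USD as (min, most likely, max). The figures are
# the Min / Most Likely / Max cells of the first table, reused here as inputs.
PRIMARY_LM = (996_049, 1_700_991, 2_781_095)
SECONDARY_LM = (4_032, 8_664, 21_539)
SECONDARY_SHARE = 0.5  # assumption: half of primary events also cause secondary loss


def simulate_ale(events_low, events_high, years=5, trials=50_000, seed=2017):
    """Return sorted samples of annualized loss exposure (USD per year).

    events_low/events_high is the estimated number of loss events over
    `years`, e.g. 0 and 1 for the "zero to one in 5 yrs" answer.
    """
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    samples = []
    for _ in range(trials):
        # Loss event frequency (events per year) for this trial.
        lef = rng.uniform(events_low, events_high) / years
        lo, mode, hi = PRIMARY_LM
        primary = lef * rng.triangular(lo, hi, mode)
        lo, mode, hi = SECONDARY_LM
        secondary = lef * SECONDARY_SHARE * rng.triangular(lo, hi, mode)
        samples.append(primary + secondary)
    samples.sort()
    return samples


def summarize(samples):
    """Average, median and 90th percentile of the simulated loss exposure."""
    return {
        "avg": statistics.fmean(samples),
        "median": samples[len(samples) // 2],
        "p90": samples[int(len(samples) * 0.9)],
    }


def risk_ratio(low_range=(0, 1), high_range=(1, 2)):
    """How much the average exposure grows between two frequency estimates."""
    low = summarize(simulate_ale(*low_range))["avg"]
    high = summarize(simulate_ale(*high_range))["avg"]
    return high / low


if __name__ == "__main__":
    for label, bounds in (("0-1 events / 5 yrs", (0, 1)), ("1-2 events / 5 yrs", (1, 2))):
        print(label, {k: f"${v:,.0f}" for k, v in summarize(simulate_ale(*bounds)).items()})
    print(f"average exposure ratio: {risk_ratio():.2f}x")
```

With these inputs the average exposure lands close to the Avg column of each table, and the roughly threefold increase comes entirely from the frequency estimate, since the loss magnitude ranges are the same in both runs.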
What is Cyber Risk?
April 18, 2017 Slide 10
Fragile “Low” Risk Condition
Exists when the low risk rating is dependent upon a single control or a low threat event frequency.
• Network isolation
• Disconnected from the Internet
• No connection to the corporate network
• No thumb (pen) drives
Current State of Industry
“I just love these things! … Crunchy on the outside and a chewy center!”
Cost effective cyber risk management
April 18, 2017 Slide 11
Plant Manager Game Plan
Is to simply find ways that either outage frequency, outage duration, or both, can be reduced and kept at a level that allows the operation to consistently and cost effectively deliver its value proposition.
Reduce Outage Frequency (Loss event)
Reduce Outage Duration (Loss Magnitude)
Introduction
What is Cyber Risk?
- Plant manager objective
Cyber threat landscape
- Ransomware
Cost effective cyber risk management
- ABB services and solutions
April 18, 2017 Slide 12
Agenda
Level 2 NERC Alert
© ABB Group April 18, 2017 | Slide 13
Issued in response to the cyber attack methods on the Ukraine power grid
NERC Alert Levels
© ABB Inc. April 18, 2017 | Slide 14
Cyber threat landscape
© ABB Group April 18, 2017 | Slide 15
Cyber threat landscape
© ABB Inc. April 18, 2017 | Slide 16
Ransomware Case Studies presented at S4x17 ICS Cyber Security Sessions, Jan 10-12, 2017 in Miami South Beach:
• US based “small energy firm”, knocked out power to its power clients.
• Brazilian “global electric utility company”, control center taken down.
Cyber threat landscape
© ABB Group April 18, 2017 | Slide 17
Cyber threat landscape
April 18, 2017 Slide 18
Cyber threat landscape
April 18, 2017 Slide 19
Cyber threat landscape
Cyber threat landscape
April 18, 2017 Slide 20
Most Common Detections
Detection  Count  Trojan  Virus-like (PE Infector)  Virus-like (storage hopping)  Approximate First Seen
sivis      15863  ❔      ✅                        ✅                            2012
lamer      6830   ❔      ✅                        ✅                            2012
ramnit     3716   ✅      ✅                        ✅                            2011
sinowal    2909   ✅      ❌                        ❌                            2006
cosmu      2769   ✅      ✅                        ✅                            2013
virut      1814   ✅      ✅                        ✅                            2007
eldorado   1554   ❔      ❔                        ❔                            2012
skeeyah    1486   ✅      ❔                        ❔                            2015
androm     1471   ✅      ❌                        ❌                            2013
sality     1225   ❔      ✅                        ✅                            2003
zatoxp     1093   ❌      ✅                        ✅                            2012
neshta     1085   ❌      ✅                        ❌                            2008
nimnul     963    ✅      ✅                        ✅                            2013
visisig    905    ❔      ✅                        ✅                            2012
siggen     642    ❌      ✅                        ✅                            2012
graftor    586    ❌      ✅                        ✅                            2012
virtob     468    ✅      ✅                        ✅                            2007
Source: Dragos MIMICS Report 2017
External business drivers
© ABB Group April 18, 2017 | Slide 22
Regulatory Requirements Cyber Threats & Due Care
The vice will tighten over next 3-5 years until cybersecurity is no longer “optional”
Fines & Penalties Cyber Incidents & Losses
© ABB Group April 18, 2017 | Slide 24
Cost effective cyber risk management
Cost effective cyber risk management
April 18, 2017 Slide 25
Plant Manager Game Plan
Reduce Outage Frequency (Loss event)
ABB Services and Solutions
• Cyber Security Fingerprint
• Network Segmentation
• System Hardening
• Microsoft Security Patch Updates
• Anti-Virus Updates
• Intelligent Whitelisting
• File Sanitizer (removable media protection)
Reduce Outage Duration (Loss Magnitude)
ABB Services and Solutions
• Software Backup & Recovery
• Annual validation of ability to recover
• Automation & Power Generation Care
• Spare equipment
Cost effective cyber risk management
April 18, 2017 Slide 26
Cyber Security Fingerprint
• Is a non-intrusive assessment, can be performed on live system
• Comparative analysis to ABB security baseline
• Provides a comprehensive view of your site’s cyber security status
• Identifies strengths and weaknesses for defending against an attack within your plant’s control systems
• Reduces potential for system and plant disruptions
• Supplies a solid foundation from which to build a sustainable cyber security strategy
• Is a Benchmark against industry best practices for cyber security
Cost effective cyber risk management
April 18, 2017 Slide 27
System Hardening
• ABB Secure Deployment Guides for Symphony Plus and System 800xA
• Applies principle of least function
• Applies principle of least privilege
• Reduces attack surface
Get down to PT boat sized
April 18, 2017 Slide 28
Security Patch Delivery
Simple, accurate and secure patch deployment
Monthly delivery of approved security patch updates on secure media (DVD)
– Includes:
• ABB software security patch validation documents
• Microsoft and approved software security patch updates
• McAfee anti-virus DAT file
– Use stand-alone or with the ABB Patch Management Utility software
– Organized by system profile folders for ease of deployment to node
Cost effective cyber risk management
April 18, 2017 Slide 29
Simplified means of managing site patching process
– ABB IAPG developed and maintained
– Ability to support all major ABB Platforms
• 800xA Symphony Plus
• Advabuild PGP
• P14
– Aligned with monthly ABB Patch Validation Documents
– Uses Patch DVD for input
– Reduces time and effort in deploying Microsoft patches
• Removes human error from process
• Provides patch update statistics
Patch Management Utility
Cost effective cyber risk management
April 18, 2017 Slide 30
Security Patch Management
Service Options Include:
• Basic – Security Patch Disc (monthly approved patches)
• Select – Security Patch Disc + Quarterly system report
• Proactive – ABB installs patches periodically + system report
• Remediation – One-time site visit to update system with current patches
Solution Options Include:
• Security Workplace (SWP) – Centrally Managed Server
• Patch Management Utility
• McAfee Anti-Virus management
• Software Backup and Restore
• Security Update Service (SUS) – Centrally Managed Server while using a RAP Connection (Global)
Security Workplace MAINTAIN
Baseline Security: Automated Backup and Recovery
© ABB Inc. April 18, 2017 | Slide 31
ABB provides an Automated Backup and Recovery solution that is validated and tested to maximize DCS and plant availability. The backup software is configured to capture full disk images and critical files to cover the full range of restoration requirements such as restoring an entire server or a simple restoration of a deleted file such as a graphic.
Each machine will have:
Default backup plan
− Full backups once a month
− Differential backups once a week
− Incremental backups every day
− Images shall be retained for 90 days
− Conversion to VM to test backup
Cost effective cyber risk management
April 18, 2017 Slide 32
Intelligent Whitelisting
• Ideal for static environments
• Superior protection to Anti Virus
• Protects systems in between patch cycles
• Enables flexibility in patch scheduling
• Will stop “zero day” attacks
• Pre-Approved Proposal
• Installed base customers
“If I can have one thing for Christmas it would be Whitelisting”
Mark Bristow
Deputy Chief, NCCIC Incident Response at U.S. Department of Homeland Security
FILE SANITIZER
Process for Trusted File Transfer
[Diagram labels: CD/DVD, Storage devices, Sanitized files, Administration network, Operational network, Management Server, Monthly Anti Virus & Software updates, Anti virus update (HTTPS), Logs (HTTPS)]
Addresses Two Major Threats:
• Weaponized Files
• Compromised Device
If you have questions, please contact me further
Q&A and Contact information
April 18, 2017 Slide 34
Mike Radigan
ABB Inc.
– +1 614-398-6241
Speaker
Heidelberg Castle, Germany
Industry Standards & Regulatory Requirements
Exercise Due Care
© ABB Group April 18, 2017 | Slide 35
ISA-99/IEC-62443 International Society of Automation’s Industrial Automation and Control Systems Security, also adopted by the International Electrotechnical Commission
NERC CIP v5 North American Electric Reliability Corporation Critical Infrastructure Protection
NIST Cyber Security Framework National Institute of Standards and Technology’s Cyber Security Framework
NIST Special Publication 800-82 Rev 2 Guide to Industrial Control Systems (ICS) Security
ICS-CERT Industrial Control System Cyber Emergency Response Team Defense-in-Depth Recommended Practices
NEI 08-09 US Nuclear Energy Institute’s Cyber Security Plan for Nuclear Power Reactors
ISO 27000 International Organization for Standardization’s Information technology
Resources for Open FAIR
April 18, 2017 Slide 36
Established FAIR as an International Standard
• Standard for Risk Analysis
• Standard for Risk Taxonomy
• Certification for FAIR Analyst in Nov 2013
Factor Analysis of Information Risk (FAIR) is a set of analytic models for performing Quantitative Risk Analysis and deriving a financial representation of risk (loss exposure).