Designing a security policy to
protect your automation solution
September 2009 / White paper

by Dan DesRuisseaux




White paper: Designing a security policy to protect your automation solution




Contents

Executive Summary

Introduction

Security Guidelines

Conclusion








Executive summary

Network security for automation solutions is a concept that has been
getting increased attention over the last decade. In the past, security
was not a major concern because automation systems utilized
proprietary components and were isolated from other networks within
the business.


Today, many automation systems are comprised of commercial off the
shelf components, including Ethernet networking and Windows
operating systems. In addition, legacy products are being updated to
operate in these new network environments.


The consequence is that formerly closed systems are suddenly
connected to open enterprise networks and the Internet, exposing
improperly protected systems to modern IT threats.








Introduction
Security threats can be initiated from four different sources. Each source
is defined below along with an example of a recent incident that
illustrates the threat.


   > Targeted External Attack – The CIA revealed that cyber attacks
      on utilities have caused at least one power outage affecting
      multiple cities.
   > Random External Attack – The “Slammer Worm” penetrated a
      nuclear power plant and disabled a safety monitoring system for
      nearly 5 hours. The worm entered through an interconnected
      contractor’s network, bypassing the firewall.
   > Internal Malicious Attack – A disgruntled former contractor gained
      access to the control system of a sewage treatment facility in
      Australia and flooded the surrounding area with millions of litres
      of untreated sewage.
   > Internal Networking/ Configuration Issue – A data storm initiated
      by a PLC at a nuclear power plant required operators to shut
      down the reactor after two water pumps failed.

One way to address solution security is through the implementation of
secure products. Secure products take two forms. The first is security
features implemented in classic automation products. Examples
include authentication and security logging in a PLC. The second form
is stand-alone products developed specifically to address solution
security. Examples include firewalls and intrusion detection software.


It is important to note that secure products by themselves will not
enable a secure solution. Companies also need to implement a
comprehensive security policy. A security policy states the security
objectives and guidelines that must be in place to ensure solution
security. A company’s security policy should be a living document, not
a static policy.








Introduction (continued)

A company should also conduct a vulnerability assessment prior to
creating their security policy. The vulnerability assessment is
performed by reviewing the network architecture and auditing the
equipment and software within the network. The assessment
produces a document that defines and prioritizes the potential risks
along with costs to address potential vulnerabilities.


Many companies have defined and implemented security policies,
while others have added security products (firewalls) but not
addressed a security policy. This document is designed to assist
companies in creating a security policy by providing a list of
accepted security guidelines. Companies can review the list and
select those that are suited to their application requirements.












Security Guidelines
Many individual guidelines comprise a comprehensive security policy. Individual guidelines will be
grouped into sub-categories to simplify presentation.




Physical Access to the Network
One key to security involves restricting network access to specified personnel and equipment.


   > Critical infrastructure should be placed in a secure location (preferably a locked room) to prevent
     unauthorized access. Ensure that doors and access panels to critical infrastructure are closed and locked.
   > Disable all unused physical network ports (for example, spare switch ports).
   > Do not let unauthorized laptops or memory sticks into a secure location. If laptops or
     memory sticks are required, set up processes to ensure that all portable media are scanned
     for malware with up to date scanning software before allowing contact with a network host.




Authentication/ Authorization
Authentication is the process of verifying a user's claimed identity before granting access to
network resources. Authorization is the set of permissions that determines what an authenticated
user may do on each device. Together they let the system restrict network access and ensure that
only the right personnel reach network resources.


   > Each user should have a unique user name and password. Accounts should not be shared,
     so that every system event can be traced to one individual.
   > Solutions must enable the creation, editing, and deletion of users while the system is active.
   > System must not provide a “back door” allowing bypass of authentication procedures.
   > Critical data like user names and passwords must be stored in a secure data repository
     using encryption technology (for passwords, a salted one-way hash rather than a reversible
     cipher, since the plaintext never needs to be recovered). Access rights to the repository
     require authentication and should be made available only to trusted personnel.
   > Implement password aging.
   > Passwords should be more than 8 characters, alphanumeric, and a mix of upper and lower
     case characters.
   > Staff should change default passwords on equipment before it is placed in service.
   > Use switch port-based MAC address management to deny access to non-authorized users.
     MAC addresses can be spoofed, so treat this as a deterrent layered on top of user
     authentication, not as authentication itself.
   > Remote authentication should use encryption technology to transfer user name and
     password through the system.




   > Limit software installation and execution privileges to specific employees. When risk is
     high, implement two- or three-factor authentication (password, a physical device such as a
     smart key, and biometrics) or real-time confirmation by a second person.
   > Restrict user access to data archives.
   > Authentication should be required to modify product firmware.
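A worked implementation of the account guidelines above (unique, unshared user names; a protected credential repository; password aging; and the length and character-class rule), as an added example and not code from the white paper or from Schneider Electric. It stores passwords as salted one-way PBKDF2 hashes, which is how the "secure data repository" guideline is normally met for passwords because the plaintext never needs to be recovered. The 90-day aging interval, the PBKDF2 iteration count, the injectable clock and the user names are assumptions made for the demonstration.

```python
"""Credential handling for an automation host: password policy, salted
one-way hashes, password aging, and unique (unshared) accounts.

Added example, not from the white paper. MIN_LENGTH restates the paper's
"more than 8 characters" guideline; MAX_AGE (90 days), the PBKDF2 iteration
count and the user names in the demo are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 9                   # "more than 8 characters"
MAX_AGE = timedelta(days=90)     # assumed password-aging interval
PBKDF2_ITERATIONS = 100_000      # assumed work factor; raise it for a real deployment
SALT_BYTES = 16


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    """One-way, salted key derivation; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Credential:
    username: str
    salt: bytes
    digest: bytes
    set_at: datetime     # when the password was last set, used for aging


class ManualClock:
    """Injectable clock so password aging can be exercised without waiting 90 days."""

    def __init__(self, start=None):
        self.now = start or datetime.now(timezone.utc)

    def __call__(self):
        return self.now

    def advance(self, days):
        self.now += timedelta(days=days)


class CredentialStore:
    """Repository of salted password hashes: one record per user, no shared accounts."""

    def __init__(self, clock=None):
        self._records = {}
        self._clock = clock or ManualClock()

    def add_user(self, username, password):
        if username in self._records:
            raise ValueError("user name already exists; accounts must not be shared")
        problems = check_policy(password)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        salt = os.urandom(SALT_BYTES)
        self._records[username] = Credential(username, salt, _derive(password, salt), self._clock())

    def remove_user(self, username):
        del self._records[username]

    def verify(self, username, password):
        """Return 'ok', 'expired' (correct password but past MAX_AGE) or 'denied'."""
        rec = self._records.get(username)
        if rec is None:
            # Burn the same work for unknown users so response time does not reveal valid names.
            _derive(password, b"\x00" * SALT_BYTES)
            return "denied"
        if not hmac.compare_digest(_derive(password, rec.salt), rec.digest):
            return "denied"
        if self._clock() - rec.set_at > MAX_AGE:
            return "expired"
        return "ok"


if __name__ == "__main__":
    clock = ManualClock()
    store = CredentialStore(clock)
    store.add_user("operator1", "Mixer-Line2-2009")
    print(store.verify("operator1", "Mixer-Line2-2009"))   # ok
    clock.advance(91)
    print(store.verify("operator1", "Mixer-Line2-2009"))   # expired
```

The store returns "expired" rather than "denied" for a correct but aged password so that the login front end can force a password change instead of locking the operator out of a running plant; the constant-time comparison and the dummy derivation for unknown users keep the response time from leaking which accounts exist.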




Network Design
Vulnerability assessment will provide the data needed to create a
secure network design. One key to securing the automation
network is understanding the entry/connection points between it
and the greater IT system. Potential connection points between
networks include OPC servers, gateways, modems, and safety
network connectivity.


One key concept to network design is Defense in Depth. Defense
in Depth is designed to protect control and safety systems. There
is no single mechanism to protect against all types of attacks.


Therefore it is best to create a series of protection layers designed to impede attackers. The
layers also improve probability that attacks will be detected and repelled. Safety networks should
be at least one layer deeper in a Defense in Depth architecture than the control network.


   > If the automation network connects to a larger corporate network, a “demilitarized zone”
     should be created to buffer common resources between the two networks. A demilitarized
     zone is a buffer between a trusted network and an untrusted network.
     The zone is separated by firewalls and routers.
   > Elements in the automation network or trusted zones within the network should be in a
     separate subnet from the greater network and should be isolated via a router and or firewall.
   > The firewall fronting the automation system should include an intrusion detection system.
   > If using multiple firewalls, consider centralized firewall policies.
   > It should be possible to easily isolate the automation network from the corporate network if
     an intrusion is detected.
   > Configure the network to eliminate requests from the control network to external computers.
     A firewall should block all connections from the outside.
   > Remove or disable all unrequired services from automation hosts.







> Utilize port restriction. For example, if you would like to allow an individual to program
  a device over Modbus but not reach its web server, then allow that person's workstation to
  reach the device on TCP port 502 (Modbus/TCP) but not on TCP port 80 (HTTP).
> Older Windows systems with limited security features should not be connected with an
  industrial system unless they are compartmentalized.
> Examine contractor network access levels. Prevent unprotected access to automation network.
> Prevent incoming e-mail or Instant Messaging traffic to hosts in the automation network.
  Disable or do not install e-mail or IM clients on computers in the automation domain.
  Additionally, block corresponding protocols at the firewall.
> Prohibit web browsing from hosts in the automation network. Prevent access by filtering at
  the firewall.
> Provide internet access from a separate host on a different network than the automation
  network so that information and updates from the Internet can be obtained if the main
  network is down.
> Prohibit drive sharing between hosts inside and outside the automation network. Enforce with
  firewalls.
> If necessary, restrict ability for personnel to configure devices via the web.
> Prohibit direct transfer of files into the control system. An intermediate staging server should
  be used to scan all incoming data for malware. Digital signatures can help verify that the file
  really originated from the assumed server and that it wasn't modified between the scan and
  import into the control system.
> Firewalls should provide network address translation so that the internal addressing of the
  automation network is not exposed to the corporate network.

  [Figure: Typical security-enabled automation network design. Plant network (connection to
  supervisory and information systems) / Demilitarized zone / Control network and automation
  systems on a fiber optic ring, with a gateway, a Modbus segment, a drive, Advantys OTB,
  IP67 I/O, Advantys STB and Momentum I/O.]
> Use trained, authorized personnel to add/remove new devices to/from the control network.
> Non-essential services with known weaknesses should be hosted on one of several redundant
  servers, separate from essential services, so that an infection of that server has limited effect.
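The DMZ, default-deny and port-restriction guidelines above, worked through as an added example (not code from the white paper or from Schneider Electric) in Python: an ordered, first-match rule set with a default deny that allows only the engineering workstation to reach the PLC on TCP 502, refuses that same workstation on TCP 80, blocks every flow from the corporate network or the Internet into the control network, and blocks the control network from initiating connections outward, while still letting control hosts reach the DMZ staging server. The address ranges, the host roles and the staging server port (443) are assumptions; only Modbus/TCP 502 and HTTP 80 come from the text.

```python
"""Default-deny connection policy for a segmented automation network
(corporate zone, DMZ, control network) with per-host port restriction.

Added example, not from the white paper. The three address ranges, the host
roles (engineering workstation, PLC, DMZ staging server) and every port except
Modbus/TCP 502 and HTTP 80 are assumptions made for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Zone boundaries of the example network (assumed addressing).
ZONES = {
    "corporate": ip_network("10.0.0.0/16"),
    "dmz":       ip_network("10.1.0.0/24"),
    "control":   ip_network("192.168.10.0/24"),
}

# Assumed host roles.
ENG_WS  = "192.168.10.50"   # engineering workstation allowed to program the PLC
PLC     = "192.168.10.10"   # PLC with Modbus/TCP (502) and an embedded web server (80)
STAGING = "10.1.0.20"       # DMZ staging server that scans incoming files


def zone_of(addr: str) -> str:
    """Name of the zone containing addr, or 'external' if no zone does."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def _endpoint_matches(selector: str, addr: str) -> bool:
    """A selector is either a zone name or a single host address."""
    if selector in ZONES or selector == "external":
        return zone_of(addr) == selector
    return ip_address(selector) == ip_address(addr)


@dataclass(frozen=True)
class Rule:
    src: str               # zone name or host address
    dst: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"
    why: str

    def matches(self, src_ip, dst_ip, proto, dport) -> bool:
        return (_endpoint_matches(self.src, src_ip)
                and _endpoint_matches(self.dst, dst_ip)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


# Ordered rule set: first match wins; anything unmatched falls through to deny.
POLICY = [
    Rule(ENG_WS, PLC, "tcp", 502, "allow", "engineering workstation may program the PLC over Modbus/TCP"),
    Rule(ENG_WS, PLC, "tcp", 80, "deny", "port restriction: no access to the PLC web server"),
    Rule("control", STAGING, "tcp", 443, "allow", "control hosts fetch scanned files from the DMZ staging server"),
    Rule("corporate", STAGING, "tcp", 443, "allow", "corporate users deliver files to the DMZ staging server"),
    Rule("control", "corporate", "any", None, "deny", "no requests from the control network to corporate hosts"),
    Rule("control", "external", "any", None, "deny", "no Internet access from control hosts"),
    Rule("corporate", "control", "any", None, "deny", "firewall blocks all inbound connections"),
    Rule("external", "control", "any", None, "deny", "firewall blocks all inbound connections"),
]


def evaluate(src_ip, dst_ip, proto, dport):
    """Return (action, reason) for one connection attempt under POLICY (default deny)."""
    for rule in POLICY:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.why
    return "deny", "default deny: no rule permits this flow"


if __name__ == "__main__":
    # Constructed connection attempts, including the ones the guidelines say must be blocked.
    attempts = [
        (ENG_WS, PLC, "tcp", 502),               # allow
        (ENG_WS, PLC, "tcp", 80),                # deny: port restriction
        ("192.168.10.51", PLC, "tcp", 502),      # deny: only the engineering workstation may program
        ("10.0.5.7", PLC, "tcp", 502),           # deny: corporate -> control
        (PLC, "198.51.100.9", "tcp", 443),       # deny: control -> Internet
        ("192.168.10.51", STAGING, "tcp", 443),  # allow: control -> DMZ staging server
    ]
    for a in attempts:
        print("%-15s -> %-15s %s/%-4s %s (%s)" % (a[0], a[1], a[2], a[3], *evaluate(*a)))
```

A real firewall expresses the same policy in its own rule language; the value of keeping an executable model like this one is that the rule order can be unit-tested against the flows the policy says must be blocked (corporate to control, control to Internet, anything but Modbus/TCP to the PLC) before a change is pushed to the plant.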








Remote Access
Remote access should be enabled with the highest level of security available to the organization.
Remote access should be provided with strong authentication, encryption, and, if possible,
include the exchange and verification of certificates. Remote access policies should be
restrictive, allowing the minimum number of rights for the minimum number of remote users.
Remote access is typically provided through dial-up or VPN.

   > If remote access is provided by dial up, protection can be provided via:
         • Dial-out – connection initiated from inside the
           automation system.
        • Dial-in with Call-back – the remote user dials into a
          server in the system which calls back to one of a
          limited set of pre-defined phone numbers.
        • Temporarily enabled Dial-in – the modem is enabled
          for a specific dial-in event. The modem connection is
          disabled when there is no intended use, either
          physically or by switching it off, or by software means.

   > VPN – The preferred way to provide remote access. If configuring safety or mission critical
     functions, organizations should define a fallback behaviour if there is a temporary loss of
     remote connection.
   > Enforce application settings on both the client and server to change well known port
     numbers frequently targeted by virus attacks. This only raises the cost of untargeted
     scanning; it is not a substitute for filtering those ports at the firewall.




Wireless
Many of the guidelines presented below require wireless devices to support specific security
features. The guidelines below can provide input to features required in wireless devices.


   > Place access points behind firewalls and use IPsec to prevent rogue access point access.

   > Network access points should be positioned and arranged such that the useful signal
     strength is limited as far as possible to within the physically secured perimeter. Directional
     antennas can assist in forming a wireless footprint.








 > Many access points have the ability to define a list of approved clients (listed via MAC
   address). Undefined clients cannot access the network. Network administrators should
   define approved clients. The ability to provision approved clients should be restricted to
   key personnel. Because a MAC address can be cloned, this list is a deterrent layered on top
   of client authentication, not a replacement for it.
 > Client devices must authenticate to enter the network. Use 802.1X with an extensible
   authentication protocol (EAP) method such as EAP-TLS, or EAP-TTLS or PEAP with MSCHAPv2
   inner authentication, verified against a RADIUS server.
 > Do not utilize WEP security. Use WPA2 with AES-CCMP (or equivalent) encryption.
 > Do not broadcast SSIDs, so that the network does not show up in casual wireless network
   scans; note that a hidden SSID is still recoverable from client association traffic, so this
   is not a security control on its own. Also, do not enable ad-hoc connections.
 > Monitor networks for denial of service attacks and alarm if detected.
 > Utilize frequency hopping radios to limit unauthorized access from external equipment.
 > Frequently review access logs to identify rogue devices and access points. Proactive
   review can provide early warning of intrusion attempts.




Maintenance
 > Create procedures for dealing with security issues. Procedures include event identification,
   containment, root cause determination, resolution, and recurrence protection.
 > Monitor system logs or use intrusion detection software to help anticipate attacks
   (configuration changes and creation of secondary accounts, for example). Ensure that there
   are no unexpected IP addresses on your network or in your logs. If there are, locate the
   origin of the address and take action.
 > Create detailed plans defining how to recover from attack. Examples include warm standby
   backup hosts isolated from the network and system backups on swappable and bootable
   hard disks for immediate restart. Generate a list of personnel to be contacted if an incident
   occurs and keep copies of device configuration files, programs, and SCADA images.
 > Run virus checks on equipment on a regular basis. For critical infrastructure, scan
   communications to prevent viruses from reaching the platform.
 > Software can be updated via CD/DVD or file transfer. If CD/DVD, ensure that the discs are
   of proper origin and are virus free. If downloaded via file, ensure the authenticity of the file
   via certificates and digital signatures and ensure the files are virus free. All files should be
   stored on a dedicated distribution server. Updates should only be administered by an
   authorized person operating inside the automation network.
 > Monitor network traffic to enable early detection of possible data storms.
 > Test and approve software patches on standard machines that match the plant floor prior to
   installing on live systems.
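The monitoring items in the list above (unexpected addresses in the logs, creation of secondary accounts and configuration changes, early detection of data storms), worked as an added example that is not from the white paper or from Schneider Electric: a Python triage routine run over a handful of constructed log lines. The line format, the sample lines, the subnet allowlist and the packets-per-second threshold are all assumptions; the parser would need to be adapted to the syslog or flow-export format the plant's firewall and hosts actually emit.

```python
"""Log triage for an automation network: unexpected source addresses,
data-storm detection, and account/configuration change events.

Added example, not from the white paper. The log line format, the sample
lines, the subnet allowlist and STORM_PPS are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Subnets that are expected to appear as traffic sources (assumed addressing).
KNOWN_NETS = [
    ip_network("192.168.10.0/24"),   # control network
    ip_network("10.1.0.0/24"),       # DMZ
    ip_network("10.0.0.0/16"),       # corporate
]
STORM_PPS = 1000   # assumed: packets in one second from one source that counts as a storm
WATCHED_EVENTS = {"user_added", "config_changed", "firmware_update"}

# Constructed sample log: flow records from the firewall and host audit events.
SAMPLE_LOG = """\
2009-09-14T08:00:01Z flow src=192.168.10.50 dst=192.168.10.10 proto=tcp dport=502 pkts=12
2009-09-14T08:00:01Z flow src=203.0.113.7 dst=192.168.10.10 proto=tcp dport=502 pkts=3
2009-09-14T08:00:02Z flow src=192.168.10.33 dst=255.255.255.255 proto=udp dport=67 pkts=700
2009-09-14T08:00:02Z flow src=192.168.10.33 dst=192.168.10.255 proto=udp dport=137 pkts=650
2009-09-14T08:00:03Z host name=hmi01 event=user_added user=svc_tmp by=operator2
2009-09-14T08:00:04Z host name=plc01 event=config_changed by=operator2
2009-09-14T08:00:05Z flow src=10.0.4.9 dst=10.1.0.20 proto=tcp dport=443 pkts=40
"""


def parse_line(line: str) -> dict:
    """'<timestamp> <kind> key=value ...' into a dict; timestamps are kept at second resolution."""
    ts, kind, *fields = line.split()
    record = {"ts": ts, "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def unexpected_sources(records) -> list:
    """Source addresses of flows that fall outside every known subnet."""
    found = set()
    for r in records:
        if r["kind"] != "flow":
            continue
        ip = ip_address(r["src"])
        if not any(ip in net for net in KNOWN_NETS):
            found.add(str(ip))
    return sorted(found)


def storm_sources(records, threshold=STORM_PPS) -> list:
    """(source, second, packets) for every source that exceeded threshold packets in one second."""
    per_second = defaultdict(int)
    for r in records:
        if r["kind"] == "flow":
            per_second[(r["src"], r["ts"])] += int(r["pkts"])
    return sorted((src, ts, n) for (src, ts), n in per_second.items() if n > threshold)


def watched_host_events(records) -> list:
    """Host audit events that the maintenance guideline says to review (new accounts, config changes)."""
    return [r for r in records if r["kind"] == "host" and r.get("event") in WATCHED_EVENTS]


def triage(text: str) -> dict:
    """Run all three checks over raw log text and return the findings."""
    records = parse_log(text)
    return {
        "unexpected_sources": unexpected_sources(records),
        "storms": storm_sources(records),
        "host_events": watched_host_events(records),
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    print("unexpected sources:", findings["unexpected_sources"])
    print("data storms:", findings["storms"])
    for event in findings["host_events"]:
        print("review:", event["name"], event["event"], "by", event["by"])
```

On the sample data the routine flags 203.0.113.7 as a source that belongs to no known subnet, aggregates the two broadcast bursts from 192.168.10.33 into one 1350-packet second and reports it as a storm, and lists the new service account and the PLC configuration change for review. Per-second aggregation is what makes the storm check useful: a single flow record rarely crosses the threshold, but a PLC or host that has started flooding the segment does.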





General Security Policy

 > Ensure that all security incidents are reported.
 > Hold regular audits of security policy.
 > Review incidents and new technologies to see if changes are required to existing policies.
 > For legacy systems where upgrades may have occurred over the years, obtain current
   documentation to ensure knowledge of what is operating in the network.
 > Test detection and alert systems.
 > Test disaster recovery implementations.
 > Perform background checks on personnel with access to critical systems.
 > Review people-management practices including methods to escalate and resolve
   grievances to curb internally generated attacks.








Conclusion


A well designed Security Policy is
essential to secure your automation
solution

Automation networks using standards-based operating systems
and networks require greater security than the proprietary
systems used in decades past. Standards-based solutions can
be secured using existing products and technologies. Products
and technology alone cannot effectively secure an automation
solution; they must be deployed in conjunction with a security
policy. A well designed security policy coupled with diligent
maintenance and oversight is essential to securing modern
automation networks.








© 2009 Schneider Electric. All rights reserved.

Schneider Electric
1 High Street
North Andover, MA 01810 USA
http://www.schneider-electric.com
October 2009

NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
 
Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From Cyberattack
 
Seven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber securitySeven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber security
 
Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From Cyberattack
 
Cloud Security_ Unit 4
Cloud Security_ Unit 4Cloud Security_ Unit 4
Cloud Security_ Unit 4
 
Advantages And Disadvantages Of Nc
Advantages And Disadvantages Of NcAdvantages And Disadvantages Of Nc
Advantages And Disadvantages Of Nc
 
Secure Architecture and Incident Management for E-Business
Secure Architecture and Incident Management for E-BusinessSecure Architecture and Incident Management for E-Business
Secure Architecture and Incident Management for E-Business
 
IRJET- Data Security in Local Network through Distributed Firewalls: A Review
IRJET- Data Security in Local Network through Distributed Firewalls: A ReviewIRJET- Data Security in Local Network through Distributed Firewalls: A Review
IRJET- Data Security in Local Network through Distributed Firewalls: A Review
 
Network security architecture is the planning and design of the camp.pdf
Network security architecture is the planning and design of the camp.pdfNetwork security architecture is the planning and design of the camp.pdf
Network security architecture is the planning and design of the camp.pdf
 
Essay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxEssay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docx
 
Scenario Overview Now that you’re super knowledgeable about se.docx
Scenario Overview Now that you’re super knowledgeable about se.docxScenario Overview Now that you’re super knowledgeable about se.docx
Scenario Overview Now that you’re super knowledgeable about se.docx
 
Dr. Eric Cole - 30 Things Every Manager Should Know
Dr. Eric Cole - 30 Things Every Manager Should KnowDr. Eric Cole - 30 Things Every Manager Should Know
Dr. Eric Cole - 30 Things Every Manager Should Know
 
How to Secure Your Enterprise Network.docx
How to Secure Your Enterprise Network.docxHow to Secure Your Enterprise Network.docx
How to Secure Your Enterprise Network.docx
 
How to Secure Your Enterprise Network.pdf
How to Secure Your Enterprise Network.pdfHow to Secure Your Enterprise Network.pdf
How to Secure Your Enterprise Network.pdf
 
How to Secure Your Enterprise Network.docx
How to Secure Your Enterprise Network.docxHow to Secure Your Enterprise Network.docx
How to Secure Your Enterprise Network.docx
 
EMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENT
EMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENTEMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENT
EMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENT
 
Employee trust based industrial device
Employee trust based industrial deviceEmployee trust based industrial device
Employee trust based industrial device
 
EMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENT
EMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENTEMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENT
EMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENT
 

Mehr von Schneider Electric India

Smart City - Cornerstone of Efficiency - V2
Smart City - Cornerstone of Efficiency - V2Smart City - Cornerstone of Efficiency - V2
Smart City - Cornerstone of Efficiency - V2Schneider Electric India
 
LIDAR cinemometers for detecting speed limit violations
LIDAR cinemometers for detecting speed limit violationsLIDAR cinemometers for detecting speed limit violations
LIDAR cinemometers for detecting speed limit violationsSchneider Electric India
 
Designing a metering system for small and mid sized buildings
Designing a metering system for small and mid sized buildingsDesigning a metering system for small and mid sized buildings
Designing a metering system for small and mid sized buildingsSchneider Electric India
 
Delivering urban efficiency through collaboration. Today
Delivering urban efficiency through collaboration. TodayDelivering urban efficiency through collaboration. Today
Delivering urban efficiency through collaboration. TodaySchneider Electric India
 
The Smart City Cornerstone: Urban Efficiency by Charbel Aoun
The Smart City Cornerstone: Urban Efficiency by Charbel AounThe Smart City Cornerstone: Urban Efficiency by Charbel Aoun
The Smart City Cornerstone: Urban Efficiency by Charbel AounSchneider Electric India
 
Schneider Electric Smart energy Presentation - Smart Gird domains
Schneider Electric Smart energy Presentation - Smart Gird domainsSchneider Electric Smart energy Presentation - Smart Gird domains
Schneider Electric Smart energy Presentation - Smart Gird domainsSchneider Electric India
 
Schneider Electric Smart City Success Stories (Worldwide)
Schneider Electric Smart City  Success Stories (Worldwide)Schneider Electric Smart City  Success Stories (Worldwide)
Schneider Electric Smart City Success Stories (Worldwide)Schneider Electric India
 
Making Smart & Intelligent Buildings a Reality
Making Smart & Intelligent Buildings a RealityMaking Smart & Intelligent Buildings a Reality
Making Smart & Intelligent Buildings a RealitySchneider Electric India
 
Urban Efficiency as the Cornerstone of Attractive Cities
Urban Efficiency as the Cornerstone of Attractive CitiesUrban Efficiency as the Cornerstone of Attractive Cities
Urban Efficiency as the Cornerstone of Attractive CitiesSchneider Electric India
 
Implementing energy efficient data centers
Implementing energy efficient  data centersImplementing energy efficient  data centers
Implementing energy efficient data centersSchneider Electric India
 
Eco-mode: Benefits and Risks of Energy-saving Modes of UPS Operation
Eco-mode: Benefits and Risks of Energy-saving Modes of UPS OperationEco-mode: Benefits and Risks of Energy-saving Modes of UPS Operation
Eco-mode: Benefits and Risks of Energy-saving Modes of UPS OperationSchneider Electric India
 
An improved architecture for high efficiency, high-density data centers
An improved architecture for high efficiency, high-density data centersAn improved architecture for high efficiency, high-density data centers
An improved architecture for high efficiency, high-density data centersSchneider Electric India
 

Mehr von Schneider Electric India (20)

Smart City - Cornerstone of Efficiency
Smart City - Cornerstone of EfficiencySmart City - Cornerstone of Efficiency
Smart City - Cornerstone of Efficiency
 
Smart City - Cornerstone of Efficiency - V2
Smart City - Cornerstone of Efficiency - V2Smart City - Cornerstone of Efficiency - V2
Smart City - Cornerstone of Efficiency - V2
 
LIDAR cinemometers for detecting speed limit violations
LIDAR cinemometers for detecting speed limit violationsLIDAR cinemometers for detecting speed limit violations
LIDAR cinemometers for detecting speed limit violations
 
Designing a metering system for small and mid sized buildings
Designing a metering system for small and mid sized buildingsDesigning a metering system for small and mid sized buildings
Designing a metering system for small and mid sized buildings
 
SEI Smart City Offers Catalogue
SEI Smart City Offers CatalogueSEI Smart City Offers Catalogue
SEI Smart City Offers Catalogue
 
Delivering urban efficiency through collaboration. Today
Delivering urban efficiency through collaboration. TodayDelivering urban efficiency through collaboration. Today
Delivering urban efficiency through collaboration. Today
 
The Smart City Cornerstone: Urban Efficiency by Charbel Aoun
The Smart City Cornerstone: Urban Efficiency by Charbel AounThe Smart City Cornerstone: Urban Efficiency by Charbel Aoun
The Smart City Cornerstone: Urban Efficiency by Charbel Aoun
 
Schneider Electric Smart energy Presentation - Smart Gird domains
Schneider Electric Smart energy Presentation - Smart Gird domainsSchneider Electric Smart energy Presentation - Smart Gird domains
Schneider Electric Smart energy Presentation - Smart Gird domains
 
Schneider Electric Smart City Success Stories (Worldwide)
Schneider Electric Smart City  Success Stories (Worldwide)Schneider Electric Smart City  Success Stories (Worldwide)
Schneider Electric Smart City Success Stories (Worldwide)
 
What is a Green Building
What is a Green BuildingWhat is a Green Building
What is a Green Building
 
Making Smart & Intelligent Buildings a Reality
Making Smart & Intelligent Buildings a RealityMaking Smart & Intelligent Buildings a Reality
Making Smart & Intelligent Buildings a Reality
 
Urban Efficiency as the Cornerstone of Attractive Cities
Urban Efficiency as the Cornerstone of Attractive CitiesUrban Efficiency as the Cornerstone of Attractive Cities
Urban Efficiency as the Cornerstone of Attractive Cities
 
Smart Energy Systems of Future
Smart Energy Systems of FutureSmart Energy Systems of Future
Smart Energy Systems of Future
 
Innovate Something Wonderful
Innovate Something Wonderful Innovate Something Wonderful
Innovate Something Wonderful
 
Energy management
Energy managementEnergy management
Energy management
 
Energy STEP
Energy STEPEnergy STEP
Energy STEP
 
Trinity success
Trinity successTrinity success
Trinity success
 
Implementing energy efficient data centers
Implementing energy efficient  data centersImplementing energy efficient  data centers
Implementing energy efficient data centers
 
Eco-mode: Benefits and Risks of Energy-saving Modes of UPS Operation
Eco-mode: Benefits and Risks of Energy-saving Modes of UPS OperationEco-mode: Benefits and Risks of Energy-saving Modes of UPS Operation
Eco-mode: Benefits and Risks of Energy-saving Modes of UPS Operation
 
An improved architecture for high efficiency, high-density data centers
An improved architecture for high efficiency, high-density data centersAn improved architecture for high efficiency, high-density data centers
An improved architecture for high efficiency, high-density data centers
 

Kürzlich hochgeladen

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 

Kürzlich hochgeladen (20)

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 

Designing a security policy to protect your automation solution
September 2009 / White paper, by Dan DesRuisseaux
Executive summary

Network security for automation solutions is a concept that has been getting increased attention over the last decade. In the past, security was not a major concern because automation systems utilized proprietary components and were isolated from other networks within the business.

Today, many automation systems are comprised of commercial off the shelf components, including Ethernet networking and Windows operating systems. In addition, legacy products are being updated to operate in these new network environments.

The consequence is that formerly closed systems are suddenly connected to open enterprise networks and the Internet, exposing improperly protected systems to modern IT threats.
Introduction

Security threats can be initiated from 4 different sources. Each source is defined below along with an example of a recent incident that illustrates the threat.

> Targeted External Attack – The CIA revealed that cyber attacks on utilities have caused at least one power outage affecting multiple cities.
> Random External Attack – The “Slammer Worm” penetrated a nuclear power plant and disabled a safety monitoring system for nearly 5 hours. The worm entered through an interconnected contractor’s network, bypassing the firewall.
> Internal Malicious Attack – A disgruntled former contractor gained access to the control system of a sewage treatment facility in Australia and flooded the surrounding area with millions of litres of untreated sewage.
> Internal Networking/Configuration Issue – A data storm initiated by a PLC at a nuclear power plant required operators to shut down the reactor after two water pumps failed.

One way to address solution security is through the implementation of secure products. Secure products take two forms. The first is security features implemented in classic automation products. Examples include authentication and security logging in a PLC. The second form is stand-alone products developed specifically to address solution security. Examples include firewalls and intrusion detection software.

It is important to note that secure products by themselves will not enable a secure solution. Companies also need to implement a comprehensive security policy. A security policy states the security objectives and guidelines that must be in place to ensure solution security. A company’s security policy should be a living document, not a static policy.

A company should also conduct a vulnerability assessment prior to creating their security policy. The vulnerability assessment is performed by reviewing the network architecture and auditing the equipment and software within the network. The assessment produces a document that defines and prioritizes the potential risks along with costs to address potential vulnerabilities.

Many companies have defined and implemented security policies, while others have added security products (firewalls) but not addressed a security policy. This document is designed to assist companies in creating a security policy by providing a list of accepted security guidelines. Companies can review the list and select those that are suited to their application requirements.
Security Guidelines

Many individual guidelines comprise a comprehensive security policy. Individual guidelines will be grouped into sub-categories to simplify presentation.

Physical Access to the Network

One key to security involves restricting network access to specified personnel and equipment.

> Critical infrastructure should be placed in a secure location (preferably a locked room) to prevent unauthorized access. Ensure that portals to critical infrastructure are closed and locked.
> Disable all unused ports.
> Do not let unauthorized laptops or memory sticks into a secure location. If laptops or memory sticks are required, set up processes to ensure that all portable media are scanned for malware with up to date scanning software before allowing contact with a network host.

Authentication/Authorization

Authentication refers to the verification process to confirm identification for the purpose of accessing network resources. Authorization refers to access permissions allowing users to connect with devices. This combination allows the system to restrict network access and ensure that only the right personnel are accessing network resources.

> Each user should have a unique user name and password. User names and passwords should not be shared, to enable easier tracking of system events.
> Solutions must enable the creation, editing, and deletion of users while the system is active.
> The system must not provide a “back door” allowing bypass of authentication procedures.
> Critical data like user names and passwords must be stored in a secure data repository using encryption technology. Access rights to the repository require authentication and should be made available only to trusted personnel.
> Implement password aging.
> Passwords should be more than 8 characters, alphanumeric, and a mix of upper and lower case characters.
> Staff should change default passwords on equipment.
> Use switch port-based MAC address management to deny access to non-authorized users.
> Remote authentication should use encryption technology to transfer user name and password through the system.
> Limit software installation and execution privileges to specific employees. When risk is high, implement two- and three-factor authentication (password, physical device such as a smart key, and biometrics) or real-time confirmation by a second person.
> Restrict user access to data archives.
> Authentication should be required to modify product firmware.

Network Design

Vulnerability assessment will provide the data needed to create a secure network design. One key to securing the automation network is understanding the entry/connection points between it and the greater IT system. Potential connection points between networks include OPC servers, gateways, modems, and safety network connectivity.

One key concept in network design is Defense in Depth. Defense in Depth is designed to protect control and safety systems. There is no single mechanism to protect against all types of attacks. Therefore it is best to create a series of protection layers designed to impede attackers. The layers also improve the probability that attacks will be detected and repelled. Safety networks should be at least one layer deeper in a Defense in Depth architecture than the control network.

> If the automation network connects to a larger corporate network, a “demilitarized zone” should be created to buffer common resources between the two networks. A demilitarized zone is a buffer between a trusted network and an untrusted network. The zone is separated by firewalls and routers.
> Elements in the automation network, or trusted zones within the network, should be in a separate subnet from the greater network and should be isolated via a router and/or firewall.
> The firewall fronting the automation system should include an intrusion detection system.
> If using multiple firewalls, consider centralized firewall policies.
> It should be possible to easily isolate the automation network from the corporate network if an intrusion is detected.
> Configure the network to eliminate requests from the control network to external computers. A firewall should block all connections from the outside.
> Remove or disable all unrequired services from automation hosts.
> Utilize port restriction. For example, if you would like to allow an individual to program Modbus but not access the web server, then enable the device access to TCP port 502 (Modbus) but not port 80.
> Older Windows systems with limited security features should not be connected with an industrial system unless they are compartmentalized.
> Examine contractor network access levels. Prevent unprotected access to the automation network.
> Prevent incoming e-mail or Instant Messaging traffic to hosts in the automation network. Disable or do not install e-mail or IM clients on computers in the automation domain. Additionally, block the corresponding protocols at the firewall.
> Prohibit web browsing from hosts in the automation network. Prevent access by filtering at the firewall.
> Provide internet access from a separate host on a different network than the automation network so that information and updates from the Internet can be obtained if the main network is down.
> Prohibit drive sharing between hosts inside and outside the automation network. Enforce with firewalls.
> If necessary, restrict the ability for personnel to configure devices via the web.
> Prohibit direct transfer of files into the control system. An intermediate staging server should be used to scan all incoming data for malware. Digital signatures can help verify that the file really originated from the assumed server and that it wasn’t modified between the scan and import into the control system.
> Firewalls should provide network address translation to protect the address data from the corporate network.
> Use trained, authorized personnel to add/remove new devices to/from the control network.
> Non-essential services with known weaknesses should be offered on one of several redundant servers to reduce the effect of infection.

[Figure: Typical security-enabled automation network design. Zones shown, outermost first: Internet; Plant network (connection to supervisory and information systems); Demilitarized zone; Control network/Automation systems on a fiber optic ring with a gateway, a drive, and Modbus-connected Advantys OTB IP67 I/O, Advantys STB, Momentum and Advantys OTB devices.]
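The zoned, default-deny design described in the Network Design section above (corporate network, demilitarized zone, control network, port restriction for Modbus/TCP versus the device web server, and an isolation switch for use when an intrusion is detected) can be expressed as a small policy model and checked before a ruleset goes onto a firewall. The following Python is an added example written for this page, not code from the white paper or from Schneider Electric; the subnets, the engineering workstation address and the rule notes are constructed assumptions.

```python
"""Zone-based firewall policy model for a segmented automation network.

Added example (not from the white paper or Schneider Electric): models the
paper's network-design rules as a default-deny policy between a corporate
network, a demilitarized zone and the control network, including an
isolation switch for use when an intrusion is detected. All subnets,
hosts and rule notes below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress
from typing import FrozenSet, Optional, Tuple

# Constructed subnets: one per zone, each behind its own router/firewall.
ZONES = {
    "corporate": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "control": ipaddress.ip_network("192.168.10.0/24"),
}

# Hypothetical engineering workstation permitted to program PLCs.
ENGINEERING_HOSTS = frozenset({ipaddress.ip_address("10.0.5.20")})


@dataclass(frozen=True)
class Rule:
    """An explicit allow rule; anything not matched by a rule is denied."""
    src_zone: str
    dst_zone: str
    dst_port: int
    note: str
    src_hosts: Optional[FrozenSet[ipaddress.IPv4Address]] = None  # None = whole zone


ALLOW_RULES = (
    # Corporate users reach plant data only through servers in the DMZ.
    Rule("corporate", "dmz", 443, "supervisory views served from the DMZ"),
    # The DMZ staging/historian server is the only outside party that may
    # initiate toward the control network.
    Rule("dmz", "control", 502, "DMZ staging/historian server polls Modbus/TCP"),
    # Port restriction from the paper: the engineering host may program over
    # Modbus/TCP (502) but gets no rule for the device web server (80).
    Rule("corporate", "control", 502, "PLC programming from the engineering host",
         src_hosts=ENGINEERING_HOSTS),
)


def zone_of(ip) -> Optional[str]:
    """Return the zone containing ip, or None if it lies outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, dst_port: int,
             isolate_control: bool = False) -> Tuple[str, str]:
    """Decide whether a TCP connection attempt is allowed.

    isolate_control=True models the paper's 'easily isolate the automation
    network' requirement: every flow crossing the control-network boundary
    is denied regardless of the rule set.
    """
    src = ipaddress.ip_address(src_ip)
    src_zone, dst_zone = zone_of(src), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside every defined zone"
    if src_zone == dst_zone:
        return "allow", "intra-zone traffic is not mediated by the zone firewall"
    if isolate_control and "control" in (src_zone, dst_zone):
        return "deny", "control network isolated after intrusion"
    for rule in ALLOW_RULES:
        if (rule.src_zone, rule.dst_zone, rule.dst_port) != (src_zone, dst_zone, dst_port):
            continue
        if rule.src_hosts is not None and src not in rule.src_hosts:
            continue
        return "allow", rule.note
    # Default deny covers control->corporate requests, inbound e-mail/IM/web
    # traffic and every unlisted service.
    return "deny", f"no rule permits {src_zone}->{dst_zone} on TCP/{dst_port}"


if __name__ == "__main__":
    for flow in [("10.0.5.20", "192.168.10.5", 502), ("10.0.5.20", "192.168.10.5", 80),
                 ("192.168.10.5", "10.0.0.9", 25), ("10.1.0.4", "192.168.10.5", 502)]:
        print(flow, evaluate(*flow))
```

Only explicit allow rules exist and anything unmatched is denied, so outbound requests from the control network to corporate hosts and inbound e-mail, IM and web traffic need no rules of their own. A production ruleset would be reviewed against the same matrix of zone pairs and ports, and the `isolate_control` path corresponds to a prepared rule or physical disconnect that operators can apply quickly during an incident.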
Remote Access

Remote access should be enabled with the highest level of security available to the organization. Remote access should be provided with strong authentication, encryption, and, if possible, include the exchange and verification of certificates. Remote access policies should be restrictive, allowing the minimum number of rights for the minimum number of remote users. Remote access is typically provided through dial-up or VPN.

> If remote access is provided by dial-up, protection can be provided via:
  • Dial-out – the connection is initiated from inside the automation system.
  • Dial-in with call-back – the remote user dials into a server in the system, which calls back to one of a limited set of pre-defined phone numbers.
  • Temporarily enabled dial-in – the modem is enabled for a specific dial-in event. The modem connection is disabled when there is no intended use, either physically, by switching it off, or by software means.
> VPN – the preferred way to provide remote access. If configuring safety or mission-critical functions, organizations should define a fallback behaviour if there is a temporary loss of the remote connection.
> Enforce application settings on both the client and server to change well-known port numbers frequently targeted by virus attacks.

Wireless

Many of the guidelines presented below require wireless devices to support specific security features. The guidelines below can provide input to the features required in wireless devices.

> Place access points behind firewalls and use IPsec to prevent rogue access point access.
> Network access points should be positioned and arranged such that the useful signal strength is limited as far as possible to within the physically secured perimeter. Directional antennas can assist in shaping the wireless footprint.
> Many access points have the ability to define a list of approved clients (listed by MAC address). Undefined clients cannot access the network. Network administrators should define approved clients. The ability to provision approved clients should be restricted to key personnel.
> Client devices must authenticate to enter the network. For authentication, use extensible authentication protocols such as EAP-TTLS, EAP-MSCHAPv2, or RADIUS.
> Do not utilize WEP security. Use WPA2 security in addition to AES-CCMP or equivalent encryption.
> Do not broadcast SSIDs, to prevent the network from showing up in wireless network scans. Also, do not enable ad-hoc connections.
> Monitor networks for denial of service attacks and alarm if detected.
> Utilize frequency hopping radios to limit unauthorized access from external equipment.
> Frequently review access logs to identify rogue devices and access points. Proactive review can provide early warning of intrusion attempts.

Maintenance

> Create procedures for dealing with security issues. Procedures include event identification, containment, root cause determination, resolution, and recurrence protection.
> Monitor system logs or use intrusion detection software to help anticipate attacks (configuration changes and creation of secondary accounts, for example). Ensure that there are no foreign IP addresses on your network or in your logs. If there are, locate the origin of the IP address and take action.
> Create detailed plans defining how to recover from an attack. Examples include warm standby backup hosts isolated from the network and system backups on swappable and bootable hard disks for immediate restart. Generate a list of personnel to be contacted if an incident occurs and keep copies of device configuration files, programs, and SCADA images.
> Run virus checks on equipment on a regular basis. For critical infrastructure, scan communications to prevent viruses from reaching the platform.
> Software can be updated via CD/DVD or file transfer. If CD/DVD, ensure that the discs are of proper origin and are virus free. If downloaded as a file, ensure the authenticity of the file via certificates and digital signatures and ensure it is virus free. All files should be stored on a dedicated distribution server. Updates can only be administered by an authorized person operating inside the automation network.
> Monitor network traffic to enable early detection of possible data storms.
> Test and approve software patches on standard machines that match the plant floor prior to installing them on live systems.
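The log-review step in the Maintenance section above (no foreign IP addresses on the network or in the logs; watch for configuration changes and the creation of secondary accounts) can be scripted against exported firewall and host logs so that review happens on every export rather than only when someone has time. The Python below is an added example for this page, not code from the white paper or from Schneider Electric; the trusted subnets, the event markers and the sample log lines are constructed.

```python
"""Log review for an automation network: flag foreign addresses and
account/configuration changes.

Added example (not from the white paper): applies two of the paper's
maintenance checks to firewall and host log lines. (1) Any IPv4 address
not inside a trusted subnet is reported. (2) Lines recording account
creation, configuration writes or firmware updates are reported so they
can be reconciled with change records. The trusted subnets, event markers
and sample log are constructed for illustration.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed: the corporate, DMZ and control subnets of the plant.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/16", "10.1.0.0/24", "192.168.10.0/24")]

# Substrings that mark events worth reconciling with the change log
# (extend to match the syslog wording of the hosts actually deployed).
SUSPICIOUS_EVENTS = ("useradd", "new user", "config write", "firmware update")

# Loose dotted-quad matcher; ipaddress validates the candidates it finds.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: firewall ACCEPT/DROP records plus host syslog lines.
SAMPLE_LOG = """\
2009-09-14T08:00:01 fw ACCEPT SRC=10.0.5.20 DST=192.168.10.5 DPT=502
2009-09-14T08:03:17 fw DROP SRC=203.0.113.45 DST=192.168.10.5 DPT=80
2009-09-14T08:10:42 hmi01 sshd: Accepted password for operator from 10.0.5.20
2009-09-14T08:11:05 hmi01 useradd: new user: name=svc_backup UID=1007
2009-09-14T08:15:30 plc07 config write by 192.168.10.50 (engineering)
2009-09-14T09:01:00 fw ACCEPT SRC=198.51.100.7 DST=10.1.0.4 DPT=443
"""


def is_trusted(addr: ipaddress.IPv4Address) -> bool:
    """True when the address belongs to one of the plant's own subnets."""
    return any(addr in net for net in TRUSTED_NETWORKS)


def review_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, alert_kind, detail) tuples for lines needing review."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Check 1: every address on the line must be inside a trusted subnet.
        for raw in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:  # e.g. 300.1.1.1 matched the loose regex
                continue
            if not is_trusted(addr):
                alerts.append((lineno, "foreign_ip", raw))
        # Check 2: account creation and configuration changes get reconciled
        # against the change log; one alert per line is enough.
        lowered = line.lower()
        for marker in SUSPICIOUS_EVENTS:
            if marker in lowered:
                alerts.append((lineno, "config_change", marker))
                break
    return alerts


if __name__ == "__main__":
    for alert in review_log(SAMPLE_LOG):
        print(alert)
```

A dropped connection from a foreign address is still reported: the paper's instruction is to locate the origin and act, and a blocked attempt is often the earliest evidence available. The markers in `SUSPICIOUS_EVENTS` are a starting point; the exact wording depends on the operating systems and controllers in use, and each alert should be matched against an approved change record before it is closed.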
General Security Policy

> Ensure that all security incidents are reported.
> Hold regular audits of the security policy.
> Review incidents and new technologies to see if changes are required to existing policies.
> For legacy systems where upgrades may have occurred over the years, obtain current documentation to ensure knowledge of what is operating in the network.
> Test detection and alert systems.
> Test disaster recovery implementations.
> Perform background checks on personnel with access to critical systems.
> Review people-management practices, including methods to escalate and resolve grievances, to curb internally generated attacks.
Conclusion

A well designed security policy is essential to secure your automation solution.

Automation networks using standards-based operating systems and networks require greater security than the proprietary systems used in decades past. Standards-based solutions can be secured using existing products and technologies. Products and technology alone cannot effectively secure an automation solution; they must be deployed in conjunction with a security policy. A well designed security policy coupled with diligent maintenance and oversight is essential to securing modern automation networks.
Make the most of your energy

© 2009 Schneider Electric. All rights reserved.
Schneider Electric
1 High Street
North Andover, MA 01810 USA
Phone: + 01 978 794 08000
http://www.schneider-electric.com
October 2009