As presented at AIST 2014: The proliferation of cyber threats and recent facts have prompted asset owners in industrial environments to search for security solutions that can protect plant assets and prevent potentially significant monetary loss and safety issues While some industries have made progress in reducing the risk of cyber attacks, the barriers to improving cybersecurity remain high. More open architectures and different networks exchanging data among different levels have made systems more vulnerable to attack. With the increased use of commercial off-the-shelf IT solutions in industrial environments, control system integrity started to be vulnerable to malware originally targeted for commercial applications and already opened a new world of new threats dedicated for control systems. The objective of this presentation is to describe a multi-layered Defense-in-Depth approach through a holistic, step-by-step plan to mitigate risk.

1. Cyber security for Industrial Plants
Threats and defense approach
Dave Hreha
System Architect Engineer

2. Cyber security for Industrial Plants
Threats and Defense Approach
• The proliferation of cyber threats and recent facts have prompted
asset owners in industrial environments to search for security
solutions that can protect plant assets and prevent potentially
significant monetary loss and safety issues.
• While some industries have made progress in reducing the risk of
cyber attacks, the barriers to improving cyber security remain high.
• More open architectures and different networks exchanging data
among different levels have made systems more vulnerable to
attack.
• With the increased use of commercial off-the-shelf IT solutions in
industrial environments, control system integrity started to be
vulnerable to malware originally targeted for commercial
applications and already opened a new world of new threats
dedicated for control systems.

3. What is Cyber security?
• Cyber security is a branch of network administration
that addresses attacks on or by computer systems and
through computer networks that can result in
accidental or intentional disruptions.
• The objective of cyber security is to provide increased
levels of protection for information and physical
assets from theft, corruption, misuse, or accidents
while maintaining access for their intended users.
• Cyber security is an ongoing process that
encompasses procedures, policies, software, and
hardware and it must be continually re-evaluated.

4. An Example of Facility

5. Facilities may include:
• Coke ovens
• Blast Furnaces
• Electric Arc Furnaces
• Continuous Casting
• Rolling Mills
• Finishing Lines
• Water Treatment
Typical Facilities

6. Security Challenges
• Impact on Control system being secured
• Exposure to malicious software from “friendly
sources”
• Exposure from linked systems
• Adverse effects from implementation
• Multiple sites and geography
• Physical and logical boundaries

7. Security Threats
Internal threats:
• Good intentions from misinformed employees
• Non-appropriate behavior from employees or contractors
• Disgruntled employees or contractors
External threats:
• Hackers
• Virus writers
• Activists
• Criminal groups
• Terrorists
• Foreign governments

8. System Access
• Peer utilities
• Poorly configured firewalls
• Database links
• Corporate VPN (Virtual Private Network)
• IT controlled communication equipment
• Spear phishing
• Supplier access
• Legacy dial up systems

9. System Access Points
Supplier access points
Peer utilities
VPN
Dial up access
Poorly configured firewall
Database links
IT controlled products

10. Accessing the Process
• System databases
• SCADA or HMI screens
• PC systems
• “Man-in-the-Middle”
• Denial of Service
• Accidents

11. Defense in Depth
• Risk assessment
• Security plan based on the assessment
• Develop training
• Define network separation and segmentation
• Define system access control
• Device hardening
• Network monitoring and continued
maintenance

12. Risk assessment
• Identify threats
• Prioritize
Safety
Severity
Business impact
• Deploy resources
• Document with infrastructure diagrams

13. Security Plan
• Roles and responsibilities of those affected by the policy and procedures
• Actions, activities, and processes that are allowed and not allowed
• Consequences of non-compliance
• Incident response policies and procedures
• Who to notify and what actions to perform to contain the incident
• Role-specific procedures for restoring devices and process to known good
operating state
• Details equipment, software, protocols, procedures, and personnel
• Summarizes the risk assessment and includes infrastructure diagrams
• Defines the training plan.
The security plan should be reviewed periodically for changes in threats,
environment, and adequate security level

14. Training
Cyber security awareness program
• Understanding the organization’s security policies,
procedures, and standards
• Job and role based training classes that detail the
relevant security policies, procedures, and standards
• Classes that provide specific steps for applying the
security policies and procedures.
• Classes on how to respond if a cyber attack or accident
has occurred.
• Classes for vendors and other visitors

15. Network separation
Firewall - DMZ (Demilitarized Zone)
• No direct communication between Enterprise
and Control network
• Only certain server types allowed in DMZ
– Data servers (Historian)
– Patch management
– Proxy servers
– RADIUS (Remote Authentication Dial In User Service)
– VPN

16. Network segmentation
Still behind Firewall - DMZ
• Logical segments
• Security zones
Virtual Local Area Network (VLAN)
• Managed switches
• Routers
– Access control list

17. Network segmentation
Benefits
• Contains infection if occurs
• Limits node visibility
• Stops intruder scans of network
• Limits impact if breach
• Restricts broadcasts and multicasts
• Improved network performance
• Provides higher level of security

18. Access Control
Security for remote access
RADIUS (Remote Authentication Dial In User Service)
AAA Protocol
– Authentication
– Authorization
– Accounting
RAS (Remote Access Services)
VPN (Virtual Private Network)

19. Access Control
VPN Protocols and components
• Secure Socket Layer (SSL)
• Internet Protocol Security (Ipsec)
• Internet Key Exchange (IKE)
• Advanced Encryption Standard (AES)
• Data Encryption Standard (DES)
• Encapsulating Security Payload (ESP)

20. Device Hardening
Configuring device settings to strengthen security
• Network devices
– Firewalls
– Managed Switches
– Routers
• Control system devices
– Distributed Control Systems (DCS)
– Supervisory Control and Data Acquisition (SCADA)
– Programmable Automation Controllers (PAC)
– Programmable Logic Controllers (PLC)

21. Device Hardening
• Implement Password protection
• Implement access control
• Disable any unused services
• Maintain up to date patches and hot fixes
(especially security)
• Use strong authentication

22. Network monitoring
& maintenance
Users should monitor for any suspicious activity
• Use intrusion detection systems
• Monitor network loading
• Examining log files
• Use SNMP (Simple Network Management
Protocol) traps
By being proactive, any attempts to gain access to
the system should be discovered and stopped
before any entry is made

23. Conclusion
The Defense in Depth recommendations can
decrease the risk of attack.
No single component provides adequate
defense. It is important to consider all of the
Defense in Depth recommendations to mitigate
risk.