SCADA Xom 1

This document summarizes the key points from a presentation on Industrial Control System Requirements (ICSR). 1) The ICSR provides cybersecurity requirements for industrial control systems used in critical infrastructure at ExxonMobil. It aims to reduce risks to acceptable levels through cost-effective controls and procedures. 2) A paradigm shift has occurred with the integration of commercial IT technologies into industrial control systems, increasing vulnerabilities. This has prompted changes to security auditing strategies. 3) A "Cold Eyes Review" process identified vulnerabilities across ExxonMobil sites by evaluating key risk areas like access management, remote connections, and information protection. The findings will help sites strengthen their cyber defenses.

Uploaded by

jtutokey
Copyright
© Attribution Non-Commercial (BY-NC)

INDUSTRIAL CONTROL SYSTEMS REQUIREMENTS (ICSR)

Laying the foundation, Lessons Learned from Cold Eyes Review


Ana Girdner, EMPC, Global Programmatics

Agenda
- What is ICSR
- Scope - ICSE
- Brief history
- Paradigm Shift
- ICSR Sections
- Lessons Learned from Cold Eyes Review
- Defense in Depth: The Layers of Security

WHAT IS ICSR
- Is a global standard for Process Control Systems Security
- Merges OIMS expectations and SMC standards as they relate to Industrial Control Systems Environment (ICSE)
- Provides requirements for cost-effective risk-reduction controls and associated procedures that reduce risk to acceptable levels
- Applies to the ICSE in the following ExxonMobil business units:
  - Downstream Refining (excluding JV not operated by EM)
  - Downstream Pipeline North American Operations
  - Chemicals Manufacturing (excluding JV not operated by EM)
  - Upstream Production Company
  - Upstream Development Company
  - Lubricants and Petroleum Specialties
- Has been recently endorsed and approved by Robert Olsen, Executive VP for Production, August 2008

Standards & Policies

- SMC
- CIMS 040-009 Systems Computing & Networks
- OIMS
- MAP: Measurement & Analysis for Production
- SSGP: System Security General Practices (Grey Book)
- ICSR: Industrial Control System Requirements

Practices & Specific Guidance

ICSR SCOPE:
Industrial Control Systems Environment (ICSE)

[Figure: ICSE network architecture diagram. Layers shown, top to bottom: Internet; L4 Business Network; L3 Advanced Control (L3/L4 DMZ, L3 Control Systems Network); L2 Supervisory Control (L1/L2 DCS Network, L1/L2 Subsystem Network for PLC, EHM, TGS, Metering, Analyzer, Subsea, Ballast Control, etc.); L1 Basic Control; L0 Field Devices; and the Protective System (PS Data Network, PS Safety Network). Layers are separated by Network Control Points, and "In Scope" markings identify the ICSE.]

Control Systems Scope


As per ICSR 0.4.4, Control Systems consist of devices such as, but not limited to:
- DCS Controller (Honeywell, Delta V, Yokogawa, Foxboro, Fire Alerting Systems, etc.)
- PLC, PCS, SIS, HVAC, UPS (Triconex, Fire & Gas, Turbotronics, Solar, etc.)
- HMI (Human Machine Interface), SCADA (iFIX, Wonderware, etc.)
- Monitoring system (e.g. Bently Nevada Vibration Monitoring)
- Historian (e.g. PI)
- Alarm Management Servers
- Networks, Routers, Firewalls, L3/L4 (DMZ)
- Maintenance Laptops (any kind of transportable equipment)
- Navigation Units, Positioning systems

PARADIGM SHIFT : A look at the changes in technology and business


Technology changes:
- Micro-computing and open technology paved the way for integration of commercial off-the-shelf components for use in the ICSE (Windows O/S, Dell PCs, etc.)
- Proprietary control protocols are now being replaced by low-cost Internet Protocol devices (routers, switches, etc.)

PARADIGM SHIFT : A look at the changes in technology and business


Business-driven changes:
- Process optimization opportunities, significant cost savings in internal and external remote system support and process monitoring
- The ability to interconnect the ICSE with the business LAN provided a medium to extract and collect process data
- Availability of process data spurred a generation of decision analysis applications and monitoring tools (process optimization, vibration monitoring, alarm management, etc.)
- The ability to leverage IT telecomm infrastructure for remote and external connectivity has opened the doors to broader traffic (vendor LANs, internet, etc.)

PARADIGM SHIFT : A look at the changes in technology and business


Auditing strategies:
- Have been re-aligned and re-designed to evaluate new weaknesses and vulnerabilities brought on by IT-type technology
- IT-related control assessment and evaluation programs have been applied to Process Control audits

Top 4 Audit Concerns:
- External connectivity - third-party vendor connectivity
- Remote connectivity - control systems network connectivity to business network (L3 to L4 connectivity and vice versa)
- Access Management - Administrator accounts, Privileged IDs
- Information security - Virus protection

ICSR SECTIONS
1. Management Leadership, Commitment and Accountability
2. Risk Assessment and Management
3. Facilities Design and Construction
4. Information Availability and Protection
5. Personnel and Training
6. Operation and Maintenance
7. Management of Change
8. Third Party Services
9. Incident Investigation and Analysis
10. Community Awareness and Emergency Preparedness
11. Assessment and Improvement
12. Control System Networks
13. Operating Systems

Management, Leadership, commitment and accountability


1.1 Establish Ownership
1.2 Responsibilities of Business Owner
1.3 Responsibilities of Custodian
1.4 Responsibilities of Process Organization and Process Operator
1.5 Responsibilities of Technical Support Personnel
1.6 Role of Production Unit or EMDC Control System Security Subject Matter Expert / Contact

Risk Assessment and management


2.1 Risk Management
2.2 Industrial Control System Technology Evaluation
2.3 Industrial Control System Risk Assessment

Facilities design and construction

3.1 Project Management Programs
3.2 Facilities Design

Information availability and protection


4.1 Managing Information Availability
4.2 Protection of Hardware Infrastructure Systems
4.3 Protection of Hardware Physical Access Management Protection of Information and Software from Unintended Change
4.4 Physical Access Mgmt.
4.5 Software Access Controls
4.6 Protection of Personnel Infrastructure Systems
4.7 Protection of Personnel Work Practices
4.8 Data Privacy

Personnel & training


5.1 Control System Personnel and Training


Operation and maintenance


6.1 Control System Personnel
6.2 Segregation of Duties
6.3 Routine System Operations and Maintenance
6.4 Business Continuity
6.5 Disaster Recovery
6.6 License Management

Management of change
7.1 Management of Change


Third party services


8.1 Third party services for control systems


Incident investigation and analysis


9.1 Process Incidents and Near Misses
9.2 In-Scope Equipment Abnormal Events

Community awareness and emergency preparedness


10.1 Control System Role in Emergency Response


Assessment and improvement


11.1 Self-Assessment
11.2 ICSR Improvements
11.3 RWP improvements

Control system networks


12.1 Network Controls
12.2 External Connections

Operating systems
13.1 Operating System Setup
13.2 Naming Conventions
13.3 Windows Domains
13.4 Security Policies
13.5 Virus Protection
13.6 Operating Patches and Security Updates


COLD EYES REVIEW (CER) PROCESS


Purpose: To identify key areas of risk and vulnerabilities and help Production Units (PUs) design a risk-based approach to close these gaps.

Planning and Coordination:
- Scheduled CER 2 mos. prior to PU's Audit
- Requested Network Diagrams, Equipment Inventory, Gap Analysis
- Met with PU contact to discuss technical scope, review scope and logistics
- Developed review schedule
- Met with CER team to finalize schedule, technical scope, review scope, CER strategy, areas of responsibilities
- Sent documentation request to PU contact

Total # of Production Units (PU) evaluated: 13
Total # of PU sites visited (~ 2.5 sites per PU): 33
Timeline: 6 mos.

COLD EYES REVIEW (CER) PROCESS


Strategy:
- Aligned review process based on ICSR and Gap Analysis
- Randomly sampled critical areas with known Audit visibility
- Focused on systems and components with known risks (i.e. servers, eng. work stations, historians, external connections, windows implementation, etc.)
- Create a review tool designed to uncover controls strengths, weaknesses and vulnerabilities

Scope: Phase 1 Analysis
- Risk Management
- Facilities Physical Controls
- Access Management
- Change Management
- Information Protection
- Remote Connections
- External Connections

A comprehensive controls evaluation and analysis takes into consideration the following:
- Points of entry
- Controls in place
- Processes affected
- Impact or potential impact to the business
- Probability

[Figure: the ICSE network architecture diagram (Internet, L4 Business Network, L3/L4 DMZ, L3 Control Systems Network, L1/L2 DCS and Subsystem Networks, Protective System), annotated with points of entry: modems, dedicated communication paths, and 3rd-party internet access.]

ExxonMobil Use Only

Threats: real or perceived?


January 8, 2008 - Lodz City Transit De-Railing (UK)
A 14-year-old hacks into the public transport network in Lodz to change the track points using a TV-style remote control, derailing at least four trains and leaving dozens injured.

March 7, 2008 - Hatch Nuclear Power Plant Shutdown (US)
A nuclear power plant in Georgia was recently forced into an emergency shutdown for 48 hours after a software update was installed on a single computer. The trouble started after an engineer from Southern Company, which manages the technology operations for the plant, installed a software update on a computer operating on the plant's business network.

October 2006 - Harrisburg Water Systems Incident (US)
An infected laptop PC gave hackers access to computer systems at a Harrisburg, Pa., water treatment plant. The plant's systems were accessed in early October after an employee's laptop computer was compromised via the Internet and then used as an entry point to install a computer virus and spyware on the plant's computer system.

March 2007 - TJMaxx incident, Believed Largest Hack ever (US)
A hacker or hackers stole data from at least 45.7 million credit and debit cards of shoppers at off-price retailers including T.J. Maxx and Marshalls in a case believed to be the largest such breach of consumer information.

Defense in depth: multiple layers of security

Questions?
