abb ics cyber security reference architecture

PUBLIC ABB ICS Cyber Security Reference Architecture Introduction June 2021


PUBLIC

ABB ICS Cyber Security Reference Architecture
Introduction
June 2021

ABB ICS Cyber Security Reference Architecture

June 30, 2021 Slide 2

Agenda

1 Introduction

2 Foundational principles

3 Implementation Examples

Industrial companies face elevated cyber security risks

Key risk factors

• Distributed systems

• Asset complexity

• Process complexity

• Insufficient security visibility

• Insufficient security awareness

• Insufficient security expertise

Lucrative and attractive target that leads to…

Potential impacts

Production

Environmental Public Health and safety

Trust Revenue

Reducing risk – ABB's cyber security portfolio helps to reduce the likelihood of cyber incidents

ABB Ability™ Cyber Security Services: Operations, Consulting, Training, Maintenance, Controls

[Chart. Axes: Risk (High/Low), Security (Low/High), Likelihood of being affected. Threat categories: Non targeted threats, Hobbyist hackers, Professional hackers, Nation states. Labels: Required security level; ABB's cyber portfolio.]

Reducing risk – A strong network architecture reduces risk

ABB Ability™ Cyber Security Services: Operations, Consulting, Training, Maintenance, Controls

Design and deploy a strong network architecture

[Chart. Axes: Risk (High/Low), Security (Low/High), Likelihood of being affected. Threat categories: Non targeted threats, Hobbyist hackers, Professional hackers, Nation states. Labels: Required security level; ABB's cyber portfolio.]


Introduction

What is it?

A reference architecture provides a template solution for an architecture for a particular domain. It also provides a common vocabulary with which to discuss implementations, often with the aim to stress commonality.

Your guide for a cyber secure architecture.

What is it NOT!

• It is not a guarantee that a system is secure or invulnerable to cyber-attacks.

• It does not guarantee that a system will pass external audits.

• The reference architecture is not developed with a specific (DCS) system in mind.

Always follow product manuals to ensure proper functionality and system availability.


IEC62443-3-3:2013

Security levels

Level and description

1 Prevent the casual or coincidental circumvention of zone and conduit segmentation.

2 Prevent the intended circumvention of zone and conduit segmentation by entities using simple means with low resources, generic skills, and low motivation.

3 Prevent the intended circumvention of zone and conduit segmentation by entities using sophisticated means with moderate resources, IACS specific skills, and moderate motivation.

4 Prevent the intended circumvention of zone and conduit segmentation by entities using sophisticated means with extended resources, IACS specific skills, and high motivation.

Functional requirements

Sections

1 Identification and authentication control

2 Use control

3 System integrity

4 Data confidentiality

5 Restricted data flow

6 Timely response to events

7 Resource availability


Our assessment

The reference architecture makes it possible to design a system to achieve SL4.

However, the reference architecture doesn’t suggest that simply applying the recommendations will ensure compliance with SL4, nor does it imply that the reference architecture is certified.

Compliance requires hard work and can never be bought.

IEC62443-3-3:2013

[Diagram labels: OT Systems; Control System; IT Systems]

Level 0: Process
Sensors and actuators directly connected to the process

Level 1: Local and Basic Control
DCS controllers, I/O and fieldbus interfaces that control the process.

Level 2: Supervisory Control
Related to monitoring and controlling the process

Level 3: Operations and Systems Management
Auxiliary functions tied to the production (OT) but not directly used to operate

Level 4: Enterprise Business Systems
Office systems

Cloud/Internet
Applications and functions hosted either in personal or public clouds or other functions using the Internet for communication.

Level 3: Operations Management
Business related systems and functions used for production

Level 3: Systems Management
Security related functions

[Diagram labels: Secure area; Un-trusted area; Trusted area]

Commonly used drawings

• Demilitarized Zone (DMZ)

• Half (.5) Levels

• Combined Level 1 and 0

• Not connected to anything

• No firewalls shown between Levels

Many Different “Zones”

Same Concepts

Same Basic Principles

Use-case 1: Remote access

Customer: “We realize that remote access is valuable, but we are concerned that it isn't secure or will break our compliance.”

ABB: Remote access is an integral part of many of our services, and with the recommendations in the architecture it can be implemented without increasing the risk or breaking compliance.

Use-case 2: IoT Gateways (or any buzzword)

Customer: “We see the value in [insert buzzword here] but don't think it can be done securely.”

ABB: We created the architecture with this in mind. Correctly implemented, you can reap the benefits of these new technologies with only negligible increased cyber risk.

Use-case 3: Management Networks

Customer: “We were expecting to implement a management network in our design. As it's not shown on the reference architecture, is this prohibited?”

ABB: Sure, we can do that. It's not part of our standard design, but our experts have provided us with guidance to set this up securely.

Use-case 4: Compliance

Customer: “My CISO told me that I must get my control system certified by the end of the year. Will the reference architecture make me compliant?”

ABB: No, but implementing the architecture will help you meet some of the compliance requirements related to data control and architecture.

Conclusion

Mitigate cyber security risks with a solid architecture for your OT systems

Resource

The reference architecture is the keystone of OT security and your go-to document

• ABB provides recommendations, not rules

• The architecture is highly flexible

• Applies to any OT system or device

Compliance

The reference architecture is the foundation of cyber security compliance

• Rooted in IEC62443

• Address Functional Requirement 5

• Maintain compliance while adopting new technologies

Digital Enabler

The reference architecture is an enabler for the implementation of digital services

• Securely connect to other systems and clouds

• Collect data without reducing security

• Remote access to reduce maintenance cost