Cyber Security focus in ABB: a Key issue

3 July 2014, Rome

1st National Cyber Security Conference (1° Conferenza Nazionale Cyber Security)

Marco Biancardi, ABB SpA, Power System Division


Cyber Security in ABB: Agenda

• ABB introduction
• ABB Cyber Security organization & processes
• Security in ABB Life Cycles
• ABB Partnership


A global leader in power and automation technologies: Leading market positions in main businesses

• 145,000 employees in about 100 countries
• $39 billion in revenue (2012)
• Formed in 1988 by the merger of Swiss and Swedish engineering companies
• Predecessors founded in 1883 and 1891
• Publicly owned company with head office in Switzerland


How ABB is organized: Five global divisions

Division | Revenue (2012) | Employees
Power Products | $10.7 billion | 36,000
Power Systems | $7.9 billion | 20,000
Discrete Automation and Motion | $9.4 billion | 29,000
Process Automation | $8.2 billion | 28,000
Low Voltage Products | $6.6 billion | 31,000

ABB’s portfolio covers:

• Electricals, automation, controls and instrumentation for power generation and industrial processes
• Power transmission
• Distribution solutions
• Low-voltage products
• Motors and drives
• Intelligent building systems
• Robots and robot systems
• Services to improve customers' productivity and reliability


The foundation of Cyber Security: What does it mean for ABB as an organization

Corporate foundation: Awareness, Research, Incident Response, IT Security, Training, Management Support, External Outreach

• Organizational priority at top management level
• Global, cross-functional and long-term initiative
• Formally established - it is not just a side task
• Starts with improving people awareness and operational readiness


International standardization and regulation

ABB actively supports and drives the development of international standards and regulations, for example:

Reference | Title
IEC 62443 / ISA 62443 | Security for industrial automation and control systems
IEC 62351 | Power systems management and associated information exchange - Data and communications security
NERC CIP-002 to -011 | Critical Infrastructure Protection
IEEE 1686 | Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities

ABB involvement

For a more comprehensive overview of cyber security standards, guidelines and regulations, see http://inside.abb.com/cybersecurity


Cyber security is a process, not a project or product: Organizational readiness across the entire life cycle

• Product life cycle: Design, Implementation, Verification, Release, Support
• Project life cycle: Design, Engineering, FAT, Commissioning, SAT
• Plant life cycle: Services and support for Operation, Maintenance, Review, Upgrade

ABB follows international and national standards and industry best practices to address cyber security across the entire life cycle.


Product Lifecycle - Design & Implementation: Cyber Security Training for Developers

Security Training depending on role:

• SDL Introduction Training
• Secure Design
• Threat Modeling
• Secure Coding
• Security Testing
• And more advanced training


Product Lifecycle - Verification: State-of-the-art cyber security testing

• Formally established, centralized and independent security test center
• Leveraging state-of-the-art open source, commercial and proprietary robustness and vulnerability analysis tools
• Close collaboration with ABB developers providing in-depth analysis and recommendations
• Regular system tests at INL SCADA test bed (First Vendor!!!)


Project Lifecycle – Engineering / Commissioning: Deployment Guidelines


Plant Lifecycle - Maintenance: Patch Management – Example

Validation of Microsoft security updates:

• All relevant updates are tested for compatibility
• Dedicated Security Test Lab covers supported versions

Other 3rd party SW (e.g. Adobe Reader, McAfee):

• Released from SW vendor without schedule
• Verified with next Microsoft Security Update
• Verification status published the same way as Microsoft Security Updates

Similar process for other ABB products


Plant Lifecycle - Maintenance: Vulnerability handling & Incident response

Minimize customer risk

This requires:

• Cultural change: Accept that vulnerabilities exist (having a vulnerability is acceptable, improperly handling them is not!)
• Formal processes and policies
• Proper communication at the right time

ABB has established a formal process and vulnerability handling has top priority

To report a vulnerability: [email protected]

Process diagram labels: Communication; First Response, Initial Triage, Investigation, Remediation, Notification


ABB Partnership: Industrial Defender

Industrial Defender at a Glance

• Exclusively focused on OT since 2002
• Pioneering automation systems management for security, compliance and change management
• Turnkey technology and service solution
• Multiple applications, one platform
• Vendor agnostic
• Purpose built
• 10,000+ technology deployments
• 400+ customers
• 25+ countries

Industrial Defender ranked #1 two years in a row by independent analysts, and the only choice for ICS security, compliance, and Change Management


Conclusions

• As a technology leader, ABB fully understands the importance of and its role in Cyber Security for industrial automation and control systems.
• ABB is actively anticipating the security challenges imposed by the changing landscape of the markets.
• ABB is constantly adapting its systems to the latest developments in security and is engaging with external partners for security testing and consulting.
• ABB has been involved in cyber security for control systems for over a decade – long before the hype.


Contact information: Questions, Comments, etc.

[email protected]
[email protected]
www.abb.com/cybersecurity
