scada cyber security for pipelines: api 1164 and updates … · sr. director cyber security...
TRANSCRIPT
SCADA CYBER SECURITY FOR PIPELINES:
API 1164 and updates from the TRENCHES
CTO, Axio // ICS Security Lead
JASON CHRISTOPHER
▪ Leads critical infrastructure strategy at Axio; actively involved in platform development
▪ SANS Instructor for ICS
▪ Frequent speaker at conference and client events
▪ Federal energy lead for several industry standards and guidelines, including NERC CIPv5, NIST CSF, and the C2M2
▪ Incident response & risk management lead for DOE
▪ Security metrics development across EPRI and other research organizations
▪ Began career designing & maintaining control systems at utilities
▪ MS, Electrical Engineering, Cornell
▪ Based in Atlanta, GA
Sr. Director Cyber Security Strategy & Programs // Baker Hughes, a GE Company
TOM AUBUCHON
▪ Leads cyber security strategy of IT, OT and Products at Baker Hughes
▪ Co-lead for the American Petroleum Institute’s Cybernetics drafting team on API 1164
▪ Co-Chair of the Interstate Natural Gas Association of America (INGAA) Pipeline Cybersecurity Guidelines
▪ 35+ years of experience in IT, OT, and Product development, architecture, design and security.
▪ 25 years experience in OT Security
▪ 15 years experience in IT Security
▪ Based in Houston, TX
STANDARDS DEVELOPMENTa tale of
stan·dard | \ˈstan-dərd\
: something established by authority, custom, or general consent as a model or example :
: something set up and established by authority as a rule for the measure of quantity, weight, extent, value, or quality
▪ Voluntary Consensus Standard: a private sector standard developed in a specifically defined open and fair environment with general agreement by stakeholders
STANDARD?what is a
Think “formal process” or “death by bureaucracy”
A document that tells you how to do or say or make or test or organize or design something
▪ Formally recognized with voting bodies, quorums, comment periods, rules of procedures
▪ Could be national or internationally based▪ Has an ability to draw great subject matter expertise, build reputation, and achieve consensus
Created under a Standard Development Organization (SDO)
Creation of a standard usually takes months or years
▪ Telecommunications, operations, safety, project management, lifejackets, washing machines…
▪ Anything that requires common definitions or “standardization” will have similar voting bodies
Not unique to cybersecurity
DEVELOPMENT PROCESSexample standard
Again, enjoy the joys of bureaucratic journeys!
▪ IT-centric standards will not address unique ICS environments and devices
▪ Traditional IT security standards examine “Confidentiality, Availability, and Integrity” in that order. ICS does not.
▪ This compounded by the lifecycle of our assets, measured at an order of magnitude more than IT devices.
STANDARDS & GUIDELINESintroduction to ICS security
Unique Solutions for Unique Problems
Link it to everything you’ve heard today
▪ Establish the “what to achieve” or “how to achieve it.”
▪ Creates a common lexicon for vendors, asset owners, and consultants▪ Could be used for budget justifications and program roadmaps
▪ Leverages peers to discuss both baseline and best practices
ICS-specific security standards and guidelines in use
▪ Take these concerns and tailor something for pipeline owners and operators to make their own…
API 1164’s focus
ICS SECURITY STANDARDS
TOP 3“pipeline specific”
IEC/ANSI/ISA 62443A very large & in-depth discussion for your ‘IACS’ program
Published Published
(Under Review)
Out for
Comment/VoteIn Development Planned
IEC/ANSI/ISA 62443role-based considerations
ASS
ET O
WN
ERSY
STEM
IN
TEG
RA
TOR
PR
OD
UC
T SU
PP
LIER
OPERATES
INTEGRATES
DEVELOPS
IEC 62443:1-3: Conformance Metrics2-1: Establish IACS Security Program2-3: Patch Management for ICS
IEC 62443:2-4: Security Requirement’s Service
Providers3-2: Security Risk Asmt-System
Design
IEC 62443-4-1:Secure Development Lifecycle
IEC 62443-2-4 Security Requirements for IACS Service Providers
IEC 62443-3-3 System Security Requirements and Levels
IEC 62443-4-2 Security Requirements for IACS Components
Industrial Automation and Control Systems (IACS)
Automation Solution
Product
Operational and Maintenance Capabilities(Policies and Procedures)
Subsystem 1 Subsystem 2Complimentary
Hardware + Software
System, subsystem, or component, such as:
ApplicationEmbedded
DeviceNetwork
ComponentHost Device
it is a processsecurity is not a product,
How to apply 62443 to your environment
Identify access
Analyze threats
Determine security
objectives
Analyze and assess risk
Effective?
Identify measures
Implement counter-measures
Perform process audit & repeat
as needed
IEC/ANSI/ISA 62443
Foundational Requirements:
FR 1: Identification & authentication control
FR 2: Use control
FR 3: System integrity
FR 4: Data confidentiality
FR 5: Restricted data flow
FR 6: Timely response to events
FR 7: Resource availability
Security Levels
Capability Maturity Model
SL 1 SL 2 SL 3 SL 4
Prevents the unauthorized disclosure of information via eavesdropping or casual exposure
Casual or unintentional
Prevents the unauthorized disclosure of information to an entity actively searching for it using simple means with:
• low resources, • generic skills, and • low motivation
Prevents the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with:
• moderate resources,• skills specific to industrial
automation and control systems (IACSs), and
• high motivation
Prevents the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with:
• extended resources, • IACS-specific skills, and • high motivation
Level 1: Initial
Level 2: Managed
Level 3: Defined
Level 4: Quantitively Managed
Level 5: Optimized
NIST SPECIAL PUBLICATION (SP) 800-82An ICS “overlay” for SP800-53 (also very large and in-depth… and free)
▪ Becomes a bit of a cross-referencing hellscape
Takes the entire library of SP800-53 control families and adds ICS recommendations
Topics Include:
AC
AU
AT
CM
CP
IA
IR
MA
MP
Access Control
Audit and Accountability
Awareness and Training
Configuration Management
Contingency Planning
Identification and Authentication
Incident Response
Maintenance
Media Protection
PS
PE
PL
PM
RA
CA
SC
SI
SA
Personnel Security
Physical and Environmental Protection
Planning
Program Management
Risk Assessment
Security Assessment and Authorization
System and Communications Protection
System and Information Integrity
System and Services Acquisition
First, evaluate the impact
Then, select a control to implement
Impact Category Low Impact Moderate Impact High Impact
InjuryCuts, bruises requiring first
aidRequires hospitalization Loss of life or limp
Financial Loss $1,000 $100,000 Millions
Environmental Release Temporary Damage Lasting DamagePermanent Damage, off-site
damage
Interruption of Production Minutes Days Weeks
Public Image Temporary damage Lasting damage Permanent damage
Control Description:The information system uniquely
identifies and authenticates
organizational users (or processes
acting on behalf of organizational
users).
NIST SPECIAL PUBLICATION (SP) 800-82
Impact-based considerations(no role-based considerations)
Review SP 800-53 control language (for brevity, let’s look at low impact)
NIST SPECIAL PUBLICATION (SP) 800-82
Impact-based considerations(no role-based considerations)
Similar concepts as ISA 62443, but:• Enhancements are tied to impact ratings, not security levels• Assumption that other federal standards are used
• Could also include controls used in classified environments• Could have some exhaustive “Related to” informative references
Now reference SP 800-82 for the ICS recommendations
NIST SPECIAL PUBLICATION (SP) 800-82
Impact-based considerations(no role-based considerations)
Each control family in SP 800-82 has additional supplemental guidance!
But wait, there’s more!
NIST SPECIAL PUBLICATION (SP) 800-82
NIST Cybersecurity Framework
▪ A core set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors
▪ Helps organizations better manage and reduce cybersecurity risk
▪ Customizable to best suit your risks, situations, and needs
NIST CSF is voluntary guidance, based on existing standards, guidelines, and practices
National Institue ofStandards and TechnologyU.S. Department of Commerce
ELEMENTS OF THE NIST CSF
CORE TIERS PROFILE
Functions Cate
gori
es
Sub-
cate
gori
es
Info
rmati
ve
Refe
rences
IDENTIFY
PROTECT
DETECT
RESPOND
RECOVER
Tier 1: PartialAd hoc risk management
Limited cybersecurity risk awareness
Low external participation
Tier 2: Risk InformedSome risk management practices
Increased awareness, no program
Informal external participation
Tier 3: RepeatableFormalized risk management
Organization-wide program
Receives external partner info
Tier 4: AdaptiveAdaptive risk management practices
Cultural, risk-informed program
Actively shares information
Current Profile
Current state of alignment between Core elements and organizational requirements, risk tolerance, & resources.
Where am I today relative to the Framework?
Target Profile
Desired state of alignment between Core elements and organizational requirements, risk tolerance, & resources.
Where do I aspire to be relative to the Framework?
FUNCTIONS CATEGORIES SUBCATEGORIESINFORMATIVE REFERENCES
IDENTIFY
PROTECT
DETECT
RESPOND
RECOVER
Subdivisions: groups of outcomesFurther subdivisions: specific
outcomes
Specific sections of standards or guidelines: example methods to achieve subcategory outcomes
FUNCTIONS CATEGORIES SUBCATEGORIESINFORMATIVE REFERENCES
IDENTIFY
Asset Management (ID.AM):
The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
ID.AM-1: Physical devices and systems within the organization are inventoried
CIS CSC 1
COBIT 5 BAI09.01, BAI09.02
ISA 62443-2-1:2009 4.2.3.4
ISA 62443-3-3:2013 SR 7.8
ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
NIST SP 800-53 Rev. 4 CM-8, PM-5
23 108 2875TOTALS
WARNING!
CLOSE
▪ American Petroleum Institute (Mostly Liquids)
▪ Interstate Natural Gas Association of America - Long-haul, traverses multiple states – (NG Transmission)▪ American Gas Association – Large, Medium, and Small NG Utility companies (NG Distribution)
TOGETHERputting it all
What is API 1164 and making it fit?
The New API 1164 - Broad ONG Industry Consensus Standard
▪ American National Standards Institute (ANSI) is Standards Development Organization (SDO)
▪ Department of Homeland Security▪ Federal Energy Regulatory Institute (FERC)
▪ Department of Transportation – Pipeline Hazardous Materials Safety Administration (DOT_PHMSA)
Open Standard – Broad Public / Private Stakeholder Engagement
API 1164 History – The SCADA (Supervisory Control And Data Acquisition) Security▪ Limited Scope: Written for hazardous liquid pipelines SCADA systems, limited applicability to natural gas pipelines
▪ Limited Enforcement: Is written as good/best recommended practices (PR)▪ Limited Actionability: Recommended practices are not the impetus to change, they are guidelines.
▪ Limited Adoption: As recommended practice measurement of implementation is very difficult.
GAS STOVE
FIREPLACEFURNACE
WATER
GRILL
HEATER
GAS DRYERCONDITIONER
HOT TUB/POOL
HEATER
AIR
TOOTHBRUSH
TOILETRIES
SPORTSEQUIPMENT
RUNNINGSHOES
JET FUEL
FERTILIZERAUTOMOBILEBICYCLE
PAINT
SUNGLASSES
CANDLESCLOTHING
ELECTRONICS
MEDICINE
ONG ConsumptionThe world you do see
PET
RO
LEU
M P
RO
DU
CTS
YO
U U
SEN
ATUR
AL G
AS AT H
OM
E
ONG DeliveryThe world you don’t see
Pipeline Commodity ~Miles Delivery
Crude Oil 73,300 9.3B Barrels
Petroleum Products 62,600 6.9B Barrels
Hydrocarbon Gas Liquid 67,600
NG Inter/Intra State 301,000 443B CF/Day
NG Distribution Mainlines 1,280,000
NG Distribution Service Lines 913,000
NG Gathering Lines 17,800
Flow From Field to Fixture
Natural Gas DeliveryKnow your Business to
Know your Risk
API 1164Governance to ONG Standard
March 2018
Iden
tify
API 1164
NIST CSF Core API 1164
API 1164Frameworks ≠ Controls
March 2018
Framework for Improving
Critical Infrastructure Cybersecurity
Version 1.1
April 16, 2018
IEC 62443-4-1
Secure
Product Development
Lifecycle Requirements
IEC 62443-4-2
Technical Security
Requirements for
IACS Components
Security
Risk Assessment
for System Design
IEC 62443-3-2
System Security
Requirements and
Security Levels
IEC 62443-3-3
IACS Security
Management
System
TECHNICAL
REPORT
IEC 62443-2-1
Patch Management
In the
IACS Environment
TECHNICAL
REPORT
IEC 62443-2-3
API STANDARD 1164
THIRD EDITION
Pipeline CybersecurityGuidelines
Tenets:• Implementable• Repeatable• Measurable
Risk vs. Impact
Business Objective Impact – CSF Mapping
Business Objective
TSA Requirement
NA
The New API 1164
Know your BusinessKnow Your Risk
Calculating Risk
Risk Rating
Risk Score
The New API 1164
Score vs. Rating
Likelihood x Impact
It’s Company Specific
How To UseAPI 1164
❑ Implementable ❑ Repeatable ❑ Measurable
Control LanguageDevelopment
Making it Industry Risk Relevant
The New API 1164
6.1.1.1.3 Pipeline Common Supplemental Guidance
6.1.1.1.4 Hazardous Liquid Pipeline Supplemental Guidance
6.1.1.1.5 Natural Gas Pipeline Supplemental Guidance
6.1.1.1.6 Natural Gas Transmission Pipeline Supplemental Guidance
6.1.1.1.7 Natural Gas Distribution Pipeline Supplemental Guidance
The Most Significant ONG ICS Security
Development in a
Decade
The New API 1164
Development Tenets:
Educational
Usable
Implementable
Repeatable
Measurable
The New 1164 Results:
A completely different document
It is a standard
Scope covers pipeline OT environments
Covers the entire supply chain
Provides tailored industry guidance
▪ Not a recommended practice, nor a guideline
▪ SCADA, local control, IIoT
▪ Operators, Integrators, System/Components Technology
Don’t get left behind
The New API 1164
Continuing Process:
API 1164 Complete Schedule:Internal balloting
Final ballot: Q1 2020
▪ End of 2019 Q4
▪ By sections (Identify, Protect, Detect, Respond, Recover)
Control statement vetting &
refinement
Industry guidance vetting &
refinement
Document packaging:
initiated
STANDARDS DEVELOPMENTa tale of
THANK YOUJason Christopher
CTO, Axio
@jdchristopher
linkedin.com/in/jdchristopher
Tom Aubuchon
Sr. Director Cyber Security Strategy,
Baker Hughes
linkedin.com/in/
tom-aubuchon-b02a264/