Source: files.messe.de/abstracts/58541_1104_1200_Schierholz_ABB.pdf

Page 1

Security in the Product Lifecycle: From Cradle to Grave

Dr. Ragnar Schierholz, Hannover Messe – Industrial IT Security Theme Day, 2014-04-11

Page 2

Life cycle aspects of cyber security for ICS

PS: Product Supplier

SI: System Integrator

AO: Asset Owner

Draft material from IEC 62443*

April 11, 2014 | Slide 2

© ABB Group

* Based on VDI 2182


Page 4

How ABB works with Cyber Security: An important factor in all phases

Product lifecycle: Design, Implementation, Verification, Release, Support

Project lifecycle: Design, Engineering, FAT, Commissioning, SAT

Plant lifecycle: Operation, Maintenance, Review, Upgrade


Page 5

How ABB works with Cyber Security: An integral part of ABB’s products and systems


Page 6

Security Development Lifecycle: The Process

Phases: Training, Requirements, Design, Implementation, Verification, Release, Response

Training: Core training

Requirements: Define quality gates/bug bar; Analyze cyber security risk

Design: Attack surface analysis; Threat modeling; Specify tools

Implementation: Enforce banned functions; Static analysis

Verification: Dynamic/fuzz testing (e.g. DSAC); Verify threat models/attack surface

Release: Response plan; Final security review (FSR); Release archive

Response: Execute response plan (e.g. vulnerability handling policy)

Across all phases:

Education: Administer and track security training

Process: Guide product teams to meet SDL requirements

Accountability: Establish release criteria and sign-off as part of G5; Incident response

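The implementation-phase item "Enforce banned functions" is the kind of rule that is usually automated as a quality gate before code moves on to verification. The scanner below is an added example written for this page, not ABB's or Microsoft's SDL tooling: it finds calls to banned C string functions in source text while ignoring comments and string literals, and reports each hit with its line number and the replacement the gate recommends. The banned-function table, the suggested replacements and the C sample it scans are this example's own constructed assumptions.

```python
"""
Added example (not ABB's code): a minimal "banned function" gate of the kind
an SDL implementation phase enforces. It scans C source for calls to
functions whose interfaces cannot take a destination size, skipping comments
and string literals so that only real call sites are reported.
"""
import re

# Banned-function table: names and replacement hints are this example's own
# assumptions, modelled on the kind of list an SDL bug bar would publish.
BANNED_FUNCTIONS = {
    "strcpy": "strncpy_s / strlcpy with an explicit destination size",
    "strcat": "strncat_s / strlcat with an explicit destination size",
    "sprintf": "snprintf with the buffer size",
    "vsprintf": "vsnprintf with the buffer size",
    "gets": "fgets with the buffer size",
}

# Line comments, block comments and double-quoted string literals.
_COMMENT_OR_STRING = re.compile(
    r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\])*"',
    re.DOTALL,
)
# An identifier immediately followed by "(" is treated as a call site.
_CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def _blank_comments_and_strings(source):
    # Replace comments and strings with spaces of equal length, keeping
    # newlines, so line numbers survive while their contents are ignored.
    def blank(match):
        return "".join("\n" if ch == "\n" else " " for ch in match.group(0))
    return _COMMENT_OR_STRING.sub(blank, source)


def find_banned_calls(source, banned=BANNED_FUNCTIONS):
    """Return a list of (line_number, function_name, suggestion) findings."""
    findings = []
    cleaned = _blank_comments_and_strings(source)
    for lineno, line in enumerate(cleaned.splitlines(), start=1):
        for match in _CALL.finditer(line):
            name = match.group(1)
            if name in banned:
                findings.append((lineno, name, banned[name]))
    return findings


def quality_gate(source, banned=BANNED_FUNCTIONS):
    """True when the source passes the gate, i.e. contains no banned calls."""
    return not find_banned_calls(source, banned)


# Constructed sample input: a few lines of C written for this example.
SAMPLE_C = r'''
#include <string.h>
#include <stdio.h>

/* strcpy(dst, src); mentioned in a comment must not be reported */
void copy_name(char *dst, const char *src) {
    strcpy(dst, src);                     /* line 7: banned */
    printf("use strcpy() carefully\n");   /* string literal: not reported */
    snprintf(dst, 32, "%s", src);         /* allowed */
}

int read_line(char *buf) {
    return gets(buf) != NULL;             /* line 13: banned */
}
'''

if __name__ == "__main__":
    for lineno, name, hint in find_banned_calls(SAMPLE_C):
        print(f"line {lineno}: banned call {name}() -> use {hint}")
    print("gate:", "PASS" if quality_gate(SAMPLE_C) else "FAIL")
```

Run against the sample, the gate reports the `strcpy` call on line 7 and the `gets` call on line 13 and fails the build, while the mention of `strcpy` in the comment and in the string literal is ignored. A real gate would run the same check over the whole tree in CI and block the merge on any finding, with the table maintained by the security team rather than the product team.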

Page 7

Security Development Lifecycle: Example: Verification


Formally established, centralized and independent security test center

Leveraging state-of-the-art open source, commercial and proprietary robustness and vulnerability analysis tools

Close collaboration with ABB developers, providing in-depth analysis and recommendations

Page 8

Secure Development Lifecycle: Example: Validation of Security Updates

Accreditation of anti-virus software for Sentinel users

McAfee VirusScan® Enterprise with ePO Server and Symantec Endpoint Protection

Configuration guidelines, verified in system tests

Node-based or centralized management

Updating via server in the demilitarized zone

Daily verification of definition files

Update production systems with 48h delay

Redistribution of Symantec definition files


Page 9

Secure Development Lifecycle: Example: Validation of Security Updates

Microsoft security updates for Sentinel users

All relevant updates are tested for compatibility

Result published typically within 3 – 7 days

Other 3rd party SW (e.g. Adobe Reader): validated with the next Microsoft Security Update

Deployment

The System 800xA Qualified Security Updates, for node-by-node deployment

MS Security Updates delivered from ABB

WSUS for centralized management

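The update path on the two slides above (staging server in the demilitarized zone, daily verification of definition files, production updated only after a 48h delay) is a release gate, and the point of the hold is that a bad definition file or update can be caught by a verification before any production node has seen it. The model below is an added example, not ABB's code: it evaluates a set of staged updates against that policy and returns, for each one, whether it may be pushed to production, is still held, or has been withdrawn. The update records and timestamps are constructed, and the "withdraw" outcome for a failed verification and the "overdue" hold for a missed daily check are this example's own assumptions about how such a gate behaves.

```python
"""
Added example (not ABB's code): a release gate for updates staged on a DMZ
server. An update reaches production only after it has been verified, the
most recent verification is no older than the daily cadence, and the 48h
hold from the slides has elapsed. Any failed verification withdraws it.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOLD = timedelta(hours=48)            # delay before production, from the slides
VERIFY_INTERVAL = timedelta(days=1)   # daily verification cadence, from the slides


@dataclass
class StagedUpdate:
    """One definition file or security update staged on the DMZ server."""
    name: str
    received_at: datetime                                # arrival on the staging server
    verifications: list = field(default_factory=list)    # (timestamp, passed) pairs


def decide(update, now):
    """Return (decision, reason) for one staged update at time `now`.

    decision is 'deploy' (may go to production nodes), 'hold' (stays on the
    staging server) or 'withdraw' (a verification failed; never deploy).
    The withdraw and overdue rules are this example's assumptions.
    """
    if any(not passed for _, passed in update.verifications):
        return "withdraw", "a verification during the hold period failed"
    if not update.verifications:
        return "hold", "not yet verified"
    last_verified = max(ts for ts, _ in update.verifications)
    if now - last_verified > VERIFY_INTERVAL:
        return "hold", "daily verification is overdue"
    age = now - update.received_at
    if age < HOLD:
        return "hold", f"{HOLD - age} of the 48h hold remaining"
    return "deploy", "verified and 48h hold elapsed"


def plan(updates, now):
    """Map each update name to its (decision, reason)."""
    return {u.name: decide(u, now) for u in updates}


# Constructed sample: five staged definition files, evaluated at NOW.
NOW = datetime(2014, 4, 11, 12, 0)
SAMPLE_UPDATES = [
    # received 52h ago, verified every day since: eligible
    StagedUpdate("defs-A", datetime(2014, 4, 9, 8, 0),
                 [(datetime(2014, 4, 9, 10, 0), True),
                  (datetime(2014, 4, 10, 10, 0), True),
                  (datetime(2014, 4, 11, 10, 0), True)]),
    # received 16h ago and verified once: still inside the hold
    StagedUpdate("defs-B", datetime(2014, 4, 10, 20, 0),
                 [(datetime(2014, 4, 11, 10, 0), True)]),
    # passed the first day, failed the second: withdrawn before production
    StagedUpdate("defs-C", datetime(2014, 4, 8, 8, 0),
                 [(datetime(2014, 4, 9, 10, 0), True),
                  (datetime(2014, 4, 10, 10, 0), False)]),
    # old enough, but the daily verification was skipped: held
    StagedUpdate("defs-D", datetime(2014, 4, 8, 8, 0),
                 [(datetime(2014, 4, 9, 10, 0), True)]),
    # arrived this morning, not verified yet: held
    StagedUpdate("defs-E", datetime(2014, 4, 11, 9, 0)),
]

if __name__ == "__main__":
    for name, (decision, reason) in plan(SAMPLE_UPDATES, NOW).items():
        print(f"{name}: {decision:8} ({reason})")
```

In the sample only defs-A reaches production; defs-C is the case the 48h hold exists for, since its second daily verification failed while it was still on the staging server. The same structure carries over to the Microsoft update path on the slide, with the compatibility test result replacing the definition-file verification and the hold lengthened to the published 3 to 7 day validation window.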

Page 10

Security Development Lifecycle: Example: Vulnerability handling

In case you want to be informed of vulnerabilities found in ABB products: public disclosure on www.abb.com/cybersecurity and ICS-CERT

In case you have found a vulnerability in our products: use the “Contact us” feature on ABB’s Cyber security webpage www.abb.com/cybersecurity to report any security issue


Page 11

Contact

Dr. Ragnar Schierholz

Cyber Security Analyst

ABB AG

Schillerstr. 72

DE-32425 Minden

Phone +49 517 830 1080

Mobile +49 171 189 2349

E-Mail [email protected]
