ICS-Security für KMUs

Transkript

1 TLP: IT-Security Community XChange, St. Pölten 9. November 2012 ICS-Security für KMUs Zukünftige Anforderungen für sichere industrielle Automatisierung in Österreich Ing. DI(FH) Herbert Dirnberger, MA, CISM Leiter der Arbeitsgruppe Sicherheit der industriellen Automation/SCADA CYBER SECURITY AUSTRIA Verein zur Förderung der Sicherheit Österreichs strategischer Infrastruktur Copyright Cyber Security Austria Diese Arbeit wird unter den Bedingungen der Creative Commons Lizenz (CC BY-NC-ND) veröffentlicht. siehe

2 Einleitung Industrielle Automatisierung Sicherheit KMUs KMUs

3 AGENDA Automatisierung Konvergenz Sicherheit Maßnahmen (KMUs, EU, Österreich) Cyber Security Austria

4 Industrielle Automatisierung

5 Automatisierung Fertigung Prozesse Gebäude v=kpvr2mvzjws&feature=plcp Bikinger, Raffinerie Schwechat, CC-Lizenz (BY 2.0) teakettle, u1, CC-Lizenz (BY 2.0) kritische Infrastruktur v=yfbbvzyah_e Qualität Produktivität Paul-Gerhard Koch, Kaprun Bikinger, CC-Lizenz (BY 2.0) Alle Bilder stammen aus der kostenlosen Bilddatenbank

6 Fachbegriffe der Automatisierung Quelle: Wikipedia Quelle: Wikipedia ICS Industrial Control Systems PLC/SPS SCADA/DCS HMI Quelle: Wikipedia Quelle: Wikipedia Quelle:

7 Automatisierung in 2 min HMI BedienerInnen Steuerung Bussystem Sensor Aktor Physikalischer Prozess

8 Konvergenz

9 Konvergenz IT und AT Quelle: COTS IT Standards offene Systeme Cloud remote Quelle: Wikipedia Quelle: Wikipedia Cyber Physical Systems wireless mobil Netzwerke BYOD Quelle: Wikipedia Quelle: Wikipedia Gebäudeleittechnik as a Service

10 Folgen der Konvergenz Die Zeit der getrennten Systeme ist vorbei Übergangsphase T. Brandstetter Know How- und Fachkräftemangel Security und Safety

11 Sicherheit

12 protect the Quelle: Wikipedia machine network IT Shanxi Datong University South China University of Technology Guangdong Jidian Polytechnic Datong, China Guangzhou, China Guangzhou, China *Corresponding Author Abstract Cyber-Physical Systems (CPSs) are characterized by integrating computation and physical processes. The theories and applications of CPSs face the enormous challenges. The aim of this work is to provide a better understanding of this emerging multi-disciplinary methodology. First, the features of CPSs are described, and the research progresses are summarized from different perspectives such as energy control, secure control, transmission and management, control technique, system resource allocation, and model-based software design. Then three classic applications are given to show that the prospects of CPSs are engaging. Finally, the research challenges and some suggestions for future work are in brief outlined. Keywords cyber-physical systems (CPSs); communications; computation; control I. INTRODUCTION Cyber-Physical Systems (CPSs) integrate the dynamics of the physical processes with those of the software and communication, providing abstractions and modeling, design, and analysis techniques for the integrated whole[1]. The dynamics among computers, networking, and physical systems interact in ways that require fundamentally new design technologies. The technology depends on the multi-disciplines such as embedded systems, computers, communications, etc. and the software is embedded in devices whose principle mission is not computation alone, e.g. cars, medical devices, information (game) Sicherheitsparadigma Complex at multiple temporal and spatial scales. In CPSs, the different component has probably inequable scientific instruments, Quelle: andintelligent transportation systems [2]. Quelle: Now the project for CPSs engages the related researchers very much. Since 2006, the National Science Foundation (NSF) has awarded large amounts of funds to a research project for CPSs. Many universities and institutes (e.g. UCB, Vanderbilt, Memphis, Michigan, Notre Dame, Maryland, and General Motors Research and Development Center, etc.) join this research project [3, 4]. Besides these, the researchers from other countries have started to be aware of significance for CPSs research. In [5-7], the researchers are interested in this domain, including theoretical foundations, design and implementation, real-world applications, as well as education. As a whole, although the researchers have made some progress in modeling, control of energy and security, approach of software design, etc. the CPSs are just in an embryonic stage. The rest of this paper is outlined as follows. Section II introduces the features of CPSs. From different perspectives, the research processes are summarized in Section III. Section IV gives some classic applications. Section V outlines the research challenges and some suggestions for future work and Section VI concludes this paper. II. FEATURES OF CPSS Goals of CPSs research program are to deeply integrate physical and cyber design. The diagrammatic layout for CPSs is shown in Figure 1. Obviously, CPSs are different from desktop computing, traditional embedded/real-time systems, today s wireless sensor network (WSN), etc. and they have some defining characteristics as follows [7-10]. Closely integrated. CPSs are the integrations of computation and physical processes. Cyber capability in every physical component and resource-constrained. The software is embedded in every embedded system or physical component, and the system resources such as computing, network bandwidth, etc. are usually limited. human SAFETY Networked at multiple and extreme scales. CPSs, the networks of which include wired/wireless network, WLAN, Bluetooth, GSM, etc. are distributed systems. Moreover, the system scales and device categories appear to be highly varied. Figure 1. Diagrammatic layout for CPSs process/system SECURTIY

13 Security und Safety Sicherheit IT Security Information Security Cyber Security Cyber war Network Security Embedded Security ICS Security SCADA Security Industrial IT Security Physical Security Safety Prozess Sicherheit Security Risiko Mgt BCM

14 Security by obscurity Insellösungen Silodenken unkoordiniert unnötig komplex und abhängig angewandtes Home Office ka2706, Stooop!!, CC-Lizenz (BY 2.0) Sicherheit ist zu teuer Bild stammt aus der kostenlosen Bilddatenbank

15 Gefahren und Risiken Gefahren Technische Defekte Organisatorische Mängel Höhere Gewalt Menschliche Fehler Insider Attacken Wirtschaftsspionage Cyber Attacken Risiken Qualitätsminderung Produktionsausfall Kollateralschäden Überlastung von Personal Rechtsstreitigkeiten Reputationsverlust Know How Verlust, Leaks Erpressung

16 Innovative Angriffsvektoren Open Source Intelligence & SCADA Passive information gathering meta... Tools Botnet as a Service People Organization Infrastructure Timothy Krause, Security guard, CC-Lizenz (BY 2.0) Bild stammt aus der kostenlosen Bilddatenbank Herbert Dirnberger, Auszug aus Screenshot der Webseite

17 Verantwortung

18 Verantwortung Hersteller Aus- und Weiterbildung Normen Standards Gesetzgeber Integratoren Distributoren Betreiber Endkunde

19 Maßnahmen

20 10 ICS-Security Maßnahmen für KMUs (1) Sensibilisierung und Bewusstsein schaffen, Management einbinden (2) Verantwortung definieren (3) Budget und Ressourcen bereitstellen (4) Zugangskontrollen und -schutz installieren (5) Backup erstellen und Recovery prüfen

21 10 ICS-Security Maßnahmen für KMUs (6) Dokumentation laufend überarbeiten (7) Segmentierung durchführen (8) Anti Malwareschutz einsetzen (9) Komplexität reduzieren (10)Integration von ICS-Security im Managementsystem durchführen Ausgabe 4/2012, verfügbar ab

22 ENISA Europaweite ICS Strategie Good Practice Guide ICS Security plan templates Stärkung von Bewusstsein und Training Common test bed ICS Security cert. Framework

23 Notwendige Maßnahmen (national + EU) Stärkung von Aus- und Weiterbildung Schaffung einer eindeutigen Terminologie Bildung von Standards, Gesetzen, Normen, Richtlinien, Zertifizierungen,... Berücksichtigung des Internationalen Rahmens - ISA 99, ISO 27000,...

24 Aktivitäten der Cyber Security Austria

25 Arbeitsgruppe SCADA Industrial Automation Sensibilisieren und Bewusstsein schaffen Management, Führungskräfte, Mitarbeiter,... Mitarbeit bei Standards, Gesetzen, Normen, Richtlinien, Zertifizierungen,... Entwicklung von Design Pattern Stärkung Aus-, Weiterbildung und Lehre Bildung einer eindeutigen Terminologie

26

27 Ing. DI(FH) Herbert Dirnberger, MA, CISM DANKE speziell auch an die Kollegen Joe, Florian, David, Rüdiger, Franz, Herbert und Paul