Presented at the 2013 ISA Water/Wastewater and Automatic Controls Symposium
Crowne Plaza Orlando-Universal Hotel, Orlando, Florida, USA – Aug 6-8, 2013 – www.isawwsymposium.com
ISA99 - Security Standards in water treatment plants
Marcelo Teixeira de Azevedo 1*, Alaide Barbosa Martins 2*, and Sergio Takeo Kofuji 1
1 Polytechnic School of the University of Sao Paulo, POLI-USP, São Paulo, SP, Brazil (*[email protected])
2 Odebrecht Ambiental – Foz do Brasil, Av. Jorge Amado, S/N, Jaguaribe, Salvador-Bahia (*[email protected])
KEYWORDS
SCADA, Security, ISA Standards, Industrial networks, ISA99
ABSTRACT
Currently, information security is a constant concern for many institutions and countries that use computer resources for communication and to deliver services. Protective measures and countermeasures for traditional networks, such as firewalls and intrusion detectors, are well-known and widely used. For Supervisory Control and Data Acquisition (SCADA) systems, the situation is no different. In the early days, such systems were based on mainframes and closed-architecture platforms; in other words, they were dependent on manufacturers and consequently isolated from other systems. These days, SCADA systems are converging more and more onto open-system platforms, with architectures heavily reliant on connectivity; accordingly, interconnection between such systems and the corporate network, and in some cases the internet itself, is more common. Taking this issue into account, and based on current technological development in the information security area, this research proposes a methodology to implement automation systems in water treatment plants, with an emphasis on security, and a focus on industrial systems that employ the ISA99 automation safety standards.
In summary, the purpose of this essay is to study the safety rules, methods and methodologies for industrial systems, using the water treatment process as a working example, and to propose a methodology to minimize inherent safety hazards.
Introduction
Automated systems have been gaining in prominence over the last few decades and their implementation has become more and more important in recent times. Among the ubiquitous technologies now available in modern society, we can highlight electronic commerce, financial transactions over the internet, VPNs, customer service websites and many other computerized systems that are now an intrinsic part of our daily lives. The amount of information present in modern society, on which, to one degree or another, we depend more and more, has grown exponentially; defense methods and security practices have become necessary and should be studied in order to ensure greater protection of sensitive information that, if attacked, could have a substantial negative impact on modern society, countries and concerned groups. Such attacks could result in great damage, including disruption of services regarded as critical to the functioning of society, such as:
and external network infrastructure and services. This step will produce the following results: a map of the
network perimeter, inventory and classification of assets.
Step 3: Risk Analysis
In this step, a security analysis of the previously defined scope is carried out: the information assets
involved are identified and all threats pertaining to them are mapped. The level of risk must be
ascertained for each threat. Once the risks have been analyzed, those deemed acceptable and those
deemed unacceptable are defined.
Step 4: Management of Areas of Risk
This step is a continual process, which does not end with the implementation of a security measure.
Constant monitoring itself becomes a resource with which it is possible to identify the effectiveness of the
application of the measure and also for the execution of reviews and adjustments. In this stage, the impact
that a certain risk may cause on the business is estimated. Thus, it is necessary to identify the most critical
assets and vulnerabilities, in order to enable the optimization of efforts and expenditures with regards to
security. Once the risks have been identified and the organization has defined which ones are to be dealt
with, the security measures should finally be implemented.
Step 5: Selection of the Controls and Declaration of Applicability
Controls must be selected and put into practice to ensure that the risks are reduced to a level at which
they do not cause problems for the enterprise. This must occur after the requirements have been identified.
Step 6: Implementing Controls
The processes for the implementation of countermeasures and security directives take place throughout
the implementation phase of the methodology. Then, a monitoring process for all the controls
implemented must be put into place and, accordingly, specific indicators must be produced that enable
the working conditions and performance of the analyzed environment to be visualized. The
implementation of the controls selected may involve the acquisition of software and/or hardware
technology (additional costs), but, in some cases, this implementation only results in the creation of
internal standards and norms that must be followed (MARTINS; SANTOS, 2005).
Step 7: Auditing the System
The main purpose of system audits is to check whether the following conditions occur satisfactorily, based
on clear evidence (MARTINS; SANTOS, 2005):
a. that operational procedures and instructions are adequate and effective;
b. that the different sectors of the enterprise have been operating in accordance with the standards;
c. that the subsidies supplied are sufficient for the creation of periodic critical analysis reports.
Characterization
In this item, the scenarios described in chapter 3 were submitted for evaluation of the security index based
on the ISA 99 control spreadsheet, and by using the GUT methodology. Finally, recommendations for
improvement were suggested.
Step 1: None of the scenarios presented provided a clear and objective security policy. Concern with the
level of security, i.e., the use of security techniques and equipment, was the responsibility of the
professional in charge of plant automation. Thus, an action plan for the implementation of an information
security policy needed to be structured. It is important to emphasize that the creation of a security policy
should not be dealt with in an isolated manner. It should be presented to all employees and a process of
awareness is necessary to ensure that the principles of this policy are followed by all the users within the
enterprise.
Step 2: A survey of the assets involved is necessary in order to define the scope. A cost-benefit analysis is
very important for the definition of the scope for the implementation of controls, since the broader the
scope, the greater the complexity and, consequently, the greater the investment. The assets survey was
carried out manually, generating the scenarios described in chapter 3.
Step 3: In order to carry out the study of security priorities, the GUT methodology was used, which
evaluates each factor according to the criteria of gravity, urgency and tendency. The parameters and
the values associated with each criterion are shown in Table 1.
Table 1 – GUT methodology parameters.
VALUE  GRAVITY            URGENCY                     TENDENCY
1      No gravity         No hurry                    Will not get worse
2      Not very serious   Can wait a little           Will get worse in the long term
3      Serious            As soon as possible         Will get worse in the medium term
4      Very serious       Urgent                      Will get worse in little time
5      Extremely serious  Immediate action required   Will get worse quickly
The item “Gravity” concerns the impact caused to the water treatment station in its supply of potable
water, whilst “Urgency” is linked to the time required to reduce or solve the problem and “Tendency” is
associated with future impacts in the event that no action is taken to solve the problem. Accordingly,
wide-ranging research was carried out on the points of criticality that could affect security in water
treatment plants. These items can be observed in Table 2.
Table 2 – Items of criticality.
ITEM G U T TOTAL
Firewall 5 5 5 125
Firewall with redundancy 3 4 3 26
Equipment with authentication 5 5 4 100
Cryptography 3 3 3 27
Strong cryptography 2 2 2 8
IDS 5 4 3 60
Updated equipment 5 5 5 125
Virtual Private Network 4 3 2 24
Monitoring 2 4 4 32
Control of physical access 4 5 5 100
Periodic updates 3 3 3 27
Virtual Local Network 5 3 3 45
In Graph 1, it is possible to observe the graphic representation of items of criticality, considering that the
most critical items are: lack of firewall, out-of-date equipment and physical access control.
Graph 1 – Items of criticality. Source: The author.
Step 4: The controls necessary to protect assets must be defined after the analysis of the risk, and the
identification of risks and the implementation of controls must be executed continuously. With the study
carried out in the previous step, it is possible to measure the impact that a certain risk may cause; thus,
it was possible to implement controls only in the most critical situations, because it is very difficult
to offer total protection against all existing threats.
Step 5: In this step, from the controls presented by ISA 99, those applicable to the organization were
selected. The control spreadsheet referenced in Chart 2 was created based on the ISA 99 standards and
collects the recommendations of ISA 99. For each technology suggested by the security standard, Chart 2
gives its description, the vulnerabilities it corrects, its deficiencies and the associated
recommendations.
Chart 2 – ISA 99 recommendations.
TECHNOLOGY | DESCRIPTION | VULNERABILITIES CORRECTED | DEFICIENCIES | RECOMMENDATIONS
Virtual Networks (VLAN) | Segregation of physical networks and logical networks | Segregation of traffic | MAC spoofing; spanning tree protocols; VLAN hopping | Periodic updates of the version; segregation of the corporate network and the industrial network.
Network Firewalls | Mechanism used for traffic control | Protection of network traffic that passes through the device | Necessity to work in conjunction with intrusion detectors; large quantity of logs; professionals trained for daily operations. | Segmentation of the networks into zones; creation of a DMZ for internet traffic.
Virtual Private Network (VPN) | Remote access with cryptography | Controlled access to networks via authentication | Access from anywhere (internet) to the corporate network | Strong method of authentication
Utilities of the auditing log | Supporting log tool | Authentication and utilization check | Extensive documentation and backup | Strategic planning in conjunction with other areas
Biometric Authentication | Biometric authentication | Strong authentication | Not extensively used | Occasional use in restricted equipment
Authentication and Authorization Technology | Permission and levels of access | Controlled access to networks via authentication | Necessity to synchronize all assets in the environment | Authentication/authorization method centered in the network
Cryptography | Encrypting and decrypting process | Cryptography in clear text traffic | A cryptography method that all equipment supports should be used | Use of cryptography in all internal and external communication
Intrusion Detectors | Utility for the detection of events not permitted on the network | Identification of malicious traffic | Requires signature updates and excess of false positives | Use in segments
Physical Control | Restricted access to field equipment | Only authorized personnel can handle and undertake physical alterations | If not used with a biometric method, it could prove to be ineffective | Controlled access
Step 6: After the implementation of the controls, a monitoring mechanism is required to avoid unnecessary
occurrences. The control may be implemented by means of monitoring software and the issuing of periodic
reports.
Step 7: The auditors must check that the security conditions of the information have been implemented
and documented correctly and according to the definitions of the security policy. The ISA 99 standards do
not deal with auditing, but a mechanism for the detection of non-conformities and for preventive actions is
necessary so that any deviations identified do not occur again. Accordingly, periodic execution of internal
auditing, in addition to external auditing, is necessary for a more precise verification that the defined
security policy is being followed correctly. In addition, an auxiliary mechanism for the detection of events
based on the behavior of the water treatment station is described in the next item, and this can also be
used in the auditing.
For the creation of a criticality index, the GUT methodology table was considered in conjunction with the
recommendations of the ISA 99, which resulted in Table 3.
Table 3 – Criticality Index.
SCORING SITUATION INDEX
100-125 Extremely serious 4
75-100 Very serious 3
50-75 Serious 2
25-50 Not very serious 1
0-25 No gravity 0
With the creation of this index, in conjunction with the definitions of the aforementioned stages, the
scenarios were submitted to evaluation. The values defined by the GUT methodology, in conjunction with
the criticality index, were transferred to the criticality column, whose sum is 22. This value is
considered to be a secure index, according to the definitions and security policies of the enterprise. All the
sanitation plants subject to this methodology must get close to this value to be considered secure. The
situation column records whether or not the technology exists; existence is represented by the
number 1 and non-existence by the number 0. Where a technology does not exist, its criticality value is
subtracted, and the formula below gives the final value.
Value = Sum of Criticality – Sum of the Criticality of the items whose Situation = 0
SCENARIO 1 – CAPITAL
For the first scenario, denominated Scenario 1 - Capital, the Plant is considered secure; only the IDS
was not present in the Plant of the enterprise, as illustrated in Table 4. However, this item was
not considered a priority in the definition of the security policy of the enterprise and accordingly it did
not affect the security index. As an additional measure, the acquisition of an intrusion detector is highly
recommended, as well as its strategic positioning in order to visualize internal and external traffic.
Table 4 – Capital Plant Index.
TECHNOLOGY CRITICALITY SITUATION
Firewall 4 1
Firewall with redundancy 1 1
Equipment with authentication 4 1
Cryptography 1 1
Strong cryptography 0 1
IDS 2 0
Updated equipment 4 1
Virtual Private Network 0 1
Monitoring 1 1
Control of physical access 3 1
Periodic updates 1 1
Virtual Local Network 1 1
Total 22 20
SCENARIO 2 – COUNTRYSIDE
In the second scenario, called Countryside, the sanitation Plant proved not to be secure, especially the
most remote plant, which is normally also less automated and in some instances does not have a firewall,
VPN or VLAN. Therefore, a more specific analysis of the Countryside sanitation plant is highly
recommended, so that the security technologies described in the ISA 99 standards are adopted and
used in the best manner possible. Furthermore, the sanitation plant denominated Capital could be used as
a reference for the implementation of the technologies. In Table 5, it is possible to observe the items not
present in the Plant.
Table 5 – Countryside Plant Index.
TECHNOLOGY CRITICALITY SITUATION
Firewall 4 0
Firewall with redundancy 1 0
Equipment with authentication 4 0
Cryptography 1 1
Strong cryptography 0 0
IDS 2 0
Updated equipment 4 1
Virtual Private Network 0 0
Monitoring 1 1
Control of physical access 3 1
Periodic updates 1 1
Virtual Local Network 1 0
Total 22 10
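To make the scoring of Steps 3 to 5 and the two scenario tables reproducible, the following is an added Python example (not code from the paper or from ISA 99): it computes the GUT totals of Table 2, maps them to the Table 3 index, and applies the Value formula to the Capital and Countryside situation columns; the function names are this example's own. Recomputing the criticality column also surfaces two points a reader should check: 3 x 4 x 3 is 36 although Table 2 prints 26 (the index 1 is unchanged), and the Table 3 bands share their endpoints, so a score of 100 needs a convention.

```python
# Added example (not from the paper): GUT scoring, the Table 3 criticality
# index and the plant Value formula, applied to the paper's two scenarios.
# Item names and (G, U, T) values are copied from Table 2; the criticality and
# situation columns from Tables 4 and 5. Function names are this example's own.

def gut_total(gravity, urgency, tendency):
    """GUT total = G x U x T, each factor on the 1..5 scale of Table 1."""
    for value in (gravity, urgency, tendency):
        if not 1 <= value <= 5:
            raise ValueError(f"GUT factor out of range: {value}")
    return gravity * urgency * tendency

# Table 3 bands as (lower bound, index). The printed bands share endpoints
# (100 lies in both "75-100" and "100-125"), so a convention is needed; the
# lower bound is taken as inclusive here. The page itself is not consistent at
# that boundary, which derived_criticality() below makes visible.
INDEX_BANDS = ((100, 4), (75, 3), (50, 2), (25, 1), (0, 0))

def criticality_index(total):
    """Map a GUT total (0..125) to the 0..4 index of Table 3."""
    for lower, index in INDEX_BANDS:
        if total >= lower:
            return index
    raise ValueError(f"negative GUT total: {total}")

def plant_value(criticality, situation):
    """Value = sum of criticality - criticality of items whose situation is 0.
    Returns (value, sum of criticality): the two numbers on the 'Total' row."""
    total = sum(criticality.values())
    absent = sum(c for item, c in criticality.items() if not situation.get(item, 0))
    return total - absent, total

def missing_controls(criticality, situation):
    """Absent controls, highest criticality first: the remediation order."""
    absent = [(i, c) for i, c in criticality.items() if not situation.get(i, 0)]
    return sorted(absent, key=lambda pair: -pair[1])

GUT = {  # Table 2
    "Firewall": (5, 5, 5), "Firewall with redundancy": (3, 4, 3),
    "Equipment with authentication": (5, 5, 4), "Cryptography": (3, 3, 3),
    "Strong cryptography": (2, 2, 2), "IDS": (5, 4, 3),
    "Updated equipment": (5, 5, 5), "Virtual Private Network": (4, 3, 2),
    "Monitoring": (2, 4, 4), "Control of physical access": (4, 5, 5),
    "Periodic updates": (3, 3, 3), "Virtual Local Network": (5, 3, 3),
}
CRITICALITY = {  # criticality column shared by Tables 4 and 5
    "Firewall": 4, "Firewall with redundancy": 1, "Equipment with authentication": 4,
    "Cryptography": 1, "Strong cryptography": 0, "IDS": 2, "Updated equipment": 4,
    "Virtual Private Network": 0, "Monitoring": 1, "Control of physical access": 3,
    "Periodic updates": 1, "Virtual Local Network": 1,
}
# Situation columns: 1 = technology present, 0 = absent.
CAPITAL = {**{item: 1 for item in CRITICALITY}, "IDS": 0}
COUNTRYSIDE = {**CAPITAL, "Firewall": 0, "Firewall with redundancy": 0,
               "Equipment with authentication": 0, "Strong cryptography": 0,
               "Virtual Private Network": 0, "Virtual Local Network": 0}

def derived_criticality():
    """Recompute the criticality column from Table 2 via Table 3."""
    return {item: criticality_index(gut_total(*gut)) for item, gut in GUT.items()}

if __name__ == "__main__":
    for item, index in derived_criticality().items():
        flag = "" if index == CRITICALITY[item] else f"  (page lists {CRITICALITY[item]})"
        print(f"{item:32} index={index}{flag}")
    for name, situation in (("Capital", CAPITAL), ("Countryside", COUNTRYSIDE)):
        value, total = plant_value(CRITICALITY, situation)
        print(f"{name}: value {value} of {total}; missing {missing_controls(CRITICALITY, situation)}")
```

Running it reproduces the 22/20 and 22/10 totals of Tables 4 and 5 and lists the Countryside controls in the order in which they should be addressed.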
CONCLUSIONS
For the execution of this study, research was carried out using up-to-date bibliographic references,
covering the most varied of subjects from the information security area, with emphasis on industrial
systems and industrial networks, as well as research pertaining to information security in the global
context.
Firstly, it is important to emphasize that to prepare a methodology for the secure implementation of a
water treatment plant is a complex task, both from the technical and managerial standpoint. In this
perspective, an approach and a definition are proposed by means of a secure implementation
methodology, based on the necessities of the corporation.
The ISA 99 set of security standards provides guidelines for security and managerial elements, with the
main objective of obtaining conformity for all security elements, including both basic and strategic
concepts; however, it does not cover practices, procedures and rules for the application or execution of a
secure method of implementation. Accordingly, this study offers a resolution for this deficiency through
the proposal of a secure implementation methodology for water treatment plants, which can be adapted,
with modifications, to other types of equally critical industrial systems.
The execution of the stages of this study has contributed to the knowledge of the behavior of a water
treatment station, with the definitions of the flow chart and all the stages that make up the cycle. The
characterization process has enabled knowledge to be gained on industrial equipment and the system to
execute the data control and acquisition, as well as the protocols used.
The development of a system to characterize the stages of water treatment has enabled the behavior and
the impacts on the interaction between equipment in an industrial plant to be ascertained. The
experiments carried out to ascertain the detection of critical events have proven to be adaptable to the
environment and they are equally linked to the stages and the knowledge of the entire flow and the
criticality of the process. The events considered critical were detected as expected, according to the
business of the enterprise; however, a real approach and the use of some artificial intelligence techniques
are necessary.
Private companies, which have for the most part only recently started managing water treatment plants,
are planning greater investment in and attention to secure automation processes for plants that are still
vulnerable, whereas this same concern is usually not observed in public management.
Finally, the use of security techniques in conjunction with the ISA 99 standards in this study may create
benefits with regards to system security, and these may also be extended in adaptations to other equally
critical environments, such as: the power grid, nuclear plants and the petrochemical industry, among
others.
References
ISA99 Security Guidelines and User Resources for Industrial Automation and Control Systems, 3rd Edition.
MARCIANO, J. L. P. Segurança da Informação: uma abordagem social. 2006. 212 p. Thesis (PhD in Information Science) – Universidade de Brasília, Brasília, 2006.
KRUTZ, R. L. Securing SCADA Systems. Indianapolis: Wiley Publishing, Inc., 2006.
MARTINS, A. B.; SANTOS, C. A. S. Metodologia para implantação do sistema de gestão da segurança da informação. Revista de Gestão da Tecnologia e Sistemas de Informação, v. 2, n. 2, p. 121-136, 2005.
TORRES, J. M. Analyzing risk and uncertainty for improving water distribution system security from malevolent water supply contamination events. 2008. Thesis (Master’s) – Office of Graduate Studies of Texas A&M University, Texas, 2008.
WILES, J. et al. Techno Security's Guide to Securing SCADA: a comprehensive handbook on protecting the critical infrastructure. Burlington: Syngress, 2008.
HAMOUD, G.; CHEN, R.-L.; BRADLEY, I. Risk Assessment of Power Systems SCADA. In: Power Engineering Society General Meeting, 2003, Toronto, Canada. Proceedings… Toronto, Canada: IEEE, 2003. 4 v.
List of Acronyms:
ANSI .................. American National Standards Institute
ASCE ................. American Society of Civil Engineers
AWWA .............. American Water Works Association
BS ..................... British Standard
DFMEA ............. Design Failure Modes and Effects Analysis
DOS .................. Denial of Service
WTS .................. Water Treatment Station
FMEA ................ Failure Modes and Effects Analysis
FTA ................... Fault Tree Analysis
HAZOP .............. Hazard and Operability Studies