ESCoRTS
A European network for the Security of
Control & Real Time Systems
Luc Van den Berghe
CEN-CENELEC Management Centre
Recommendations
from a CEN/BT WG161
Survey in 2006
• Encourage best practice, possibly in a joint endeavour between manufacturers and end users. Develop and establish test platforms for SCADA & other process control equipment in Europe.
• Try to reduce the divergence between current
standardisation efforts, especially between process control in general and power system control.
• Liaise with the US.
• Promote awareness on security risks by the stakeholders’ personnel like plant and security managers, researchers, process operators, IT specialists, and the general public.
• ESCoRTS to explore/address these survey conclusions – Submitted May 2007 to the FP7 Call
• SEC-207-7.0-02: European Security Research Networks (incl. For standardisation)
– Start of the contract 16 June 2008 – Duration 30 months
The Consortium
• CEN, the European Committee for Standardization: co-ordinator
• JRC: project author
• Enginet: Italian SME, dissemination and support to co-ordinator
• Three main EU manufacturers of SCADA equipment:
– ABB, Areva, Siemens
• Three important SCADA end-users in different processes:
– power generation (Italy, Enel Produzione),
– electricity transmission (Roumenia, Transelectrica),
– water management (Italy, Mediterranea delle Acque).
• OPUS publishing (US): Liaison with US
• UNINFO: Italian ICT standards organization
Work-package 1
•
WP1: Complete survey of stakeholder needs
and evaluate the market for SCADA security.
– Complete a survey of the stakeholder needs across the sectors involved
– Evaluate the market for security related services in EU and structure its key demands
– Both reports delivered in 2009
D11 – Conclusions
Survey of needs
• EU industry awareness and readiness lags behind US initiatives, but a growing feeling in Europe that
security issues are crucial
• lack of European explicit demand for comprehensive security solutions
– potential cost of security measures, which might weigh considerably on the overall control equipment cost
– lack of adoption in Europe of common security references or baselines (be them formal or de facto standards,
guidelines, or accepted best practices accepted and applicable across all countries).
D12 – Market for SCADA
security services
• Report addresses
– Security assessments of the security organization of an operator, also with respect to the implementation of technical security measures.
– Security testing: (technical) part of a security assessment (for a infrastructure operator), but also relevant for the vendors of control system components or systems.
– Security training and awareness; adequate training is the most important factor to discriminate a security induced event from an everyday operational fault.
D12 – Market for SCADA
security services
•
The D12 study concludes that there is, beside
managed security services, definitely a market
also for other security services, especially for
security consulting, which includes security
assessments, testing, and training.
•
But the readiness of the actors (mainly the
operators of critical infrastructure) depends
on the sector (energy, chemical or
pharmaceutical: high awareness)
Work-package 2
• D21 - Survey of current best practice (existing methods, procedures and guidelines, current standardization efforts)
• D22 – Security solutions taxonomy
• D23 – Reports on targeted experiments at the end users (ENEL, Transelectrica, Mediterranea delle
Acque) locations (purpose: evaluating a standard for applicability, usability and utility)
• One targeted experiment still ongoing, rest delivered
D21 – Survey of
standards (1)
•
Per standard/guideline
– Identifier, Title – Status, Type – Geographic relevance – Addressed Industry – Addressed Audience – Short Description – Cross References 20/05/2010 Luxembourg workshop 10D21 – Survey of
standards (2)
• 37 standards, guidelines or regulations relevant for operators or manufacturers in the area of control system (cyber)
security
– 13 are international standards or guidelines, – 14 are provided by US committees
– 10 are defined by European groups, or by groups of European countries.
• Per sector
– Independent of the addressed industry (generic): 5
– Energy sector: 12 energy generic and 2 energy automation specific
– Automation area (process and/or manufacturing automation): 13
– Oil & gas: 4
– Chemistry sector: 2
D22 – Taxonomy of
security solutions (1)
•
Report describes the more typical
cyber-security problems encountered by industrial
control systems, and the solutions that can be
put in place for countering them. It classifies
and lists security vulnerabilities, threats and
solutions, but is does recommend neither best
practices nor possible options(beyond the
possibilities of ESCoRTS project)
D22 – Taxonomy of
security solutions (2)
•
Part 1: an overview of SCADA architecture, in
order to define a common terminology for the
whole document and set the scene regarding
the problems under discussion. This part
includes also a discussion on SCADA protocols.
•
Part 2: vulnerabilities and attacks, with a
classification of the security problems.
•
Part 3: potential attack scenarios
D22 – Taxonomy of
security solutions (2)
•
Part 4: discusses the best-known
countermeasures (as of end 2009), with some
technical detail regarding their
implementation. Three categories of
countermeasures are considered:
– Communication protocol countermeasures, – Filtering and Monitoring countermeasures – Architectural countermeasures.
Work-package 3
•
WP3: Stimulating convergence of current
standardisation efforts
.
– Building on the results of WP1-2, this work package will result into a joint understanding of the way
current standardisation efforts are progressing.
– It will point out and rationalise eventual divergences, and develop a strategic standardisation roadmap so as to structure existing and forthcoming actions.
– Deliverable: a R&D and standardization Road Map
– Draft by June 2010; final by October 2010
Work-package 4
• WP4: Requirements for appropriate test platforms for
the security of process control equipment and applications.
– D41 – Requirements for a Secure ICT platform for data exchange - delivered
– D42 - Metrics for cyber security assessment and testing – started
– D43 - Requirements for future cyber security laboratories (following a survey on current test facilities) – to start
– D44 – Public results of the verification of the metrics conducted on a replication of a live control
system/environment – to start
Work-package 5
•
WP5: Management and dissemination.
– a Stakeholders Advisory Board composed of
representatives of the relevant industrial sectors, such as power, oil, water, and process automation. – The constituency of this board will keep growing
along the life of the project: the board has been opened to become a CEN-CENELEC Focus Group
Between now and
end 2010
•
Meeting of the Focus Group (Torino, 30 June)
– Draft Roadmap
– Metrics for cyber security assessment and testing
•
Final conference (Brussels, 27 October)
– Final Roadmap
– Verification of the metrics in a test performed on the replication of live environment: public results – Requirements for future cyber security
laboratories
Thank you
lvandenberghe@cencenelec.eu