Yokogawa Security Assessment
How do you know if your industrial plant is sufficiently protected?

Yokogawa Europe B.V.
July 2014
version 1.1

Introduction

How do you know if your plant is sufficiently protected? And which investments are essential to keep your plant protected in the future? If you are not completely confident about your security approach and policies or if you need help convincing your management about some necessary security investments, Yokogawa’s security consultants can help you by conducting a security assessment. The outcome of this assessment is a clear report that will list your vulnerabilities and indicate the actions you can take to rule out and mitigate them.

To assist and advise customers on these matters Yokogawa has developed a security assessment. In this assessment the security countermeasures at a site location will be checked, which will help you determine whether improvements are necessary.

This document is especially intended for Plant Managers, owners, or stakeholders. In general it is designed for professionals who are ultimately responsible for any incident that may occur, and therefore have to deal with the consequences.

Benefits of the assessment

Why should someone invest in security? At first glance an investment in security will not make the plant more productive. An investment in security should therefore primarily be seen as insurance: spending money on security is similar to spending money on health insurance. If you don’t have insurance, a single incident may cost you more than the insurance would have cost over the entire lifecycle of your plant.

When considering implementing new security measures, the first step is to identify what you want to protect. The next step is to calculate the value of what you are protecting.
Then, after successfully completing the first two steps, you can start to assess the threat, the risk and the vulnerability.

What will happen if your plant is hacked?

When your plant is targeted by hackers, potentially harmful viruses will float inside the DCS or SCADA, not intentionally harming the system, but consuming system resources and network resources, which can influence the system performance. However, it could be worse if all systems are wiped blank, causing the Microsoft Operating System to fail, and therefore the Human Machine Interface (HMI) will fail as well. The plant will continue to work, but no visualization or manual control is possible. Usually, at this point, operators will stop the plant, which results in production loss.

A hacker can also take control over parts of, or even the complete, plant or factory. Programmers with malicious intentions can decide to place ‘ransom (soft)ware’, thereby taking over the whole system at a site location. And like a hostage, hackers will demand money before control is given back to the operators.

If you want to read more about Plant Network Security, please read the Yokogawa Plant Network Security whitepaper (2014). Available at www.yokogawa.com/eu

In all the examples above, production can be lost, and in case of shutdowns, environmental damage may occur, which might damage your company’s reputation. Luckily it is possible to mitigate the security risk with proper security countermeasures. The whitepaper explains security in depth in more detail and shows how a system could be protected.

This assessment is especially intended for Plant Managers, owners, or stakeholders. In general it is designed for professionals who are ultimately responsible for any incident that may occur, and therefore have to deal with the consequences.

Flow of the assessment

The flow of the security assessment for typical industrial plants is as follows:

1. Gather documentation from site, drawings, requirements
2. Pre-Audit study
3. Data Collection by questionnaires
4. Execute a number of non-intrusive tests
5. Write a report with the outcome of the document

Step 1: Gather documentation from site

The Yokogawa security specialist will request the ‘as-built system documentation’, the documentation that is most up to date, to get a clear picture of the network setup, such as hardware configurations. He or she must also clarify which software is being used. Some plants have local security guidelines/standards, and some countries have special laws concerning the security implementation. All these things must be taken into account.

Step 2: Pre-Audit Study

The Yokogawa security specialist will study the gathered documentation. If any questions that a security specialist considers important to ask upfront come up during this phase, they can be answered or looked into during this step.

Step 3: Data collection

During this step of the assessment the Yokogawa security specialist will focus on collecting information and data (network and system drawings). This documentation enables the Yokogawa security professional to create a customized network assessment worksheet, tailored to the customer’s environment and objectives. This customized worksheet may contain policies and procedures, which will be further explained at page 4 of this document.

Step 4: Execute Non-intrusive testing

Part of the assessment is non-intrusive testing. During these tests we will check log files of network devices and of the machines. Patch updates will also be checked using non-intrusive packages. Moreover, system settings will be collected if more information is needed while writing the report.

Step 5: Creating a clear report

The Yokogawa security consultant will put all the pieces of the puzzle together and will write down the findings in a clear report describing the strengths and weaknesses of the system. If a weakness is found, a proposal for a remedy will also be added to the report.

Last but not least, Yokogawa likes to point out that it is advisable to do the security assessment on a regular basis, as security requirements are always changing. Yokogawa recommends making this a standard option in the Life cycle maintenance contract.

Out of Scope! - Intrusive Testing

Many people will expect that intrusive testing or port scans are part of the assessment. In the IT world this is indeed the case. However, in the process control world we classify this as a major risk and therefore we only do real-time intrusive testing when a plant is not producing.

The basic outline of a good defence

The outline of a steady defence consists of 5 elements (see fig 1): Policy; Procedures; Physical Security; Network Security; and Host Based Security.

Fig. 1: The basic outline of a good defence, including Procedures and Policies

1. Policy

A network security assessment should preferably be based on one of the documents obtained from the customer. This document largely determines what security controls must be applied to the network and the systems running on the network. This document must provide clear and concise objectives which will be translated into procedures. If this document does not exist, guidelines need to be defined during step 1.

2. Procedures

Procedures are detailed instructions about how a policy is to be implemented. Written procedures enforce consistency in the application of security controls specified in the security policy. Procedure documents can provide a measure of effectiveness for applying controls.
There are 4 high level procedure chapters, which are explained below.

2.1 Configuration Management

Configuration management processes and procedures are implemented to archive and approve any changes to the process control network. By applying configuration management processes the likelihood of problems will be reduced since all changes are registered. Should any issues arise, a trail of logged information will make troubleshooting much easier, as it will be possible to retrace the point where the issue or incident appeared.

2.2 Information Management

Information management determines how an organization handles information from the moment it is created up to (and including) the moment of disposal. This includes how documents are managed, classified and stored. Any regulatory requirements and laws will also affect how information is handled and when and how it can be destroyed. If information is transferred between people or systems, requirements may be specified on how this can be done effectively.

2.3 Change management

For this security assessment, change management determines how an organization takes care of changes within a process control network environment. It looks at the impact of changing technologies, systems, new applications, enhancements and other significant changes. The objective of change management processes is to have changes documented and approved by the proper authorities before they are implemented. As part of change management it is highly recommended to have a procedure for when a major change is to be carried out, so that everything and everyone involved is documented. The impact of changes should be considered as well, and any mitigating actions should also be stated.

2.4 Incident Management

Incident management is the monitoring and detection of security incidents.
This includes a process to detect, correct, gather evidence, minimize impact and learn lessons from earlier vulnerabilities. It is recommended that there is a person or a team to deal with security incidents.

3. Physical Security

Physical security addresses the options a malicious person has to physically reach devices, like network equipment or servers. The effectiveness of physical controls such as locks, perimeter fences and video surveillance fits into this category.

4. Network Security

The network provides a transport mechanism for data communications. This is the foundation for the infrastructure that applications need in order to work; without it, equipment will not be updated or patched. Security controls are required to ensure that the network remains available.

4.1 Network Architecture

Network architecture is about the layout of the network. This can be approached both logically and physically.

- The logical layout is about the data flows through the network. By examining the logical layout, communication flows between applications and parts of the plant become clear and therefore it is possible to assess the security zones.
- The physical layout will enable you to detail which devices are connected to the network, and what connections to outside networks, such as the office network, exist.

Using both the logical and physical layout of the network infrastructure will help identify any vulnerabilities or inefficiencies.

4.2 Firewall

A firewall is the boundary between the process control network and the outside networks. It is usually implemented to filter traffic based on IP address, ports and protocols. Firewalls can also provide protection against malicious behaviour such as port scans, network floods, ping of death and other types of DoS (denial of service) attacks. In order to evaluate the effectiveness of the firewall, the required traffic flows across the firewall need to be clear.
This will make it possible to determine what appropriate rules need to be applied. Over time these rules may be modified to such an extent that the effectiveness of the firewall is reduced. Part of the assessment would be to identify obsolete or overlapping rules.

4.3 Routers & Switches

Routers and switches provide the connection between the applications and the hardware components of the process control system. To ensure that the network remains available, the switches need to be hardened to prevent unauthorized traffic onto the network. Additionally, management connectivity to the switches should also be restricted to prevent any unauthorized changes to the switch configuration.

4.4 Remote Access

In the past, remote access connections were provided by dial-in modems. At present, internet connections with VPN are mostly used. Regardless of the type of access, all remote connectivity should be checked for authorization, confidentiality and integrity. Additionally, these connections should not provide a backdoor into the network, which can be a threat.

4.5 Wireless

Within the Process Control landscape wireless LANs will become vital in the future. Wireless exists in two forms:

1. Wi-Fi, also spelled Wifi or WiFi, is a local area wireless technology that allows an electronic device to exchange data or connect to the internet using 2.4 GHz UHF and 5 GHz SHF radio waves.
2. ISA100. The ISA100 protocol is used by field equipment to wirelessly transfer measurements to the process control system.

During the assessment, checks will be done to verify the security countermeasures and to check the implementation.

5. Host Based Security

Host based security focuses on protecting the “host” (workstations and servers) from malicious or accidental actions. Malicious actions, whether intended or unintended, may cause data loss or unauthorized access to the system.
As the hosts are often based on Microsoft operating systems, there are many vulnerabilities and threats.

5.1 Antivirus Management

There is always the possibility that a host gets infected with malware which may negatively impact the process control system or even crash the system completely. Since new malicious software is always being developed, antivirus software manufacturers constantly have to come up with solutions to counter these new threats. The assessment will check whether or not there is an effective and up-to-date antivirus product/solution. Additionally, measures against “zero day” attacks can also be assessed. These zero day attacks can take the form of Advanced Persistent Threats (APTs) and therefore they are often not detected by firewall or antivirus systems. One of the few methods to detect an APT is to know what the normal behaviour of the system is. When there is unusual activity, such as unexplained traffic spikes or data going to unexpected IP addresses, this must be investigated.

5.2 Backup Management

You cannot secure something for a full 100%. It is always possible that something goes wrong. Therefore the assessment should be able to identify data assets, how these assets are backed up and what the potential data loss would be. The assessment will also evaluate how effectively the process control system can be recovered in terms of time and data integrity.

5.3 Patch Management

Operating systems and software can contain faults and vulnerabilities that can be exploited. These vulnerabilities can be backdoors, buffer overflows, system crashes or memory leaks. To manage this, an inventory of software running in the systems must be maintained. To fix bugs and plug vulnerabilities, a patch update strategy must be put in place, ensuring that new patches are installed and will not inhibit the functioning of any applications on the network.

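
The baseline comparison described in section 5.1 (knowing normal behaviour, then investigating traffic spikes and data going to unexpected IP addresses) can be run over collected flow logs. The following is an added example, not part of the Yokogawa document; the flow record layout, addresses, ports, volumes and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (hour, src, dst, dst_port, bytes).
# Addresses, ports and volumes are illustrative assumptions.
BASELINE = [
    (0, "10.0.1.10", "10.0.1.20", 502, 40_000),
    (1, "10.0.1.10", "10.0.1.20", 502, 42_000),
    (2, "10.0.1.10", "10.0.1.20", 502, 39_000),
    (3, "10.0.1.10", "10.0.1.20", 502, 41_000),
    (0, "10.0.1.11", "10.0.2.5", 1433, 200_000),
    (1, "10.0.1.11", "10.0.2.5", 1433, 210_000),
    (2, "10.0.1.11", "10.0.2.5", 1433, 190_000),
    (3, "10.0.1.11", "10.0.2.5", 1433, 200_000),
]
OBSERVED = [
    (4, "10.0.1.10", "10.0.1.20", 502, 40_500),
    (4, "10.0.1.11", "10.0.2.5", 1433, 205_000),
    (5, "10.0.1.11", "10.0.2.5", 1433, 198_000),
    (5, "10.0.1.11", "203.0.113.7", 443, 3_000),   # destination never seen before
    (5, "10.0.1.10", "10.0.1.20", 502, 950_000),   # far above normal volume
]

def hourly_bytes(flows):
    """Sum bytes per source host per hour."""
    totals = defaultdict(lambda: defaultdict(int))
    for hour, src, _dst, _port, nbytes in flows:
        totals[src][hour] += nbytes
    return totals

def build_baseline(flows):
    """Return the known conversations and (mean, stddev) hourly volume per source."""
    known = {(src, dst, port) for _h, src, dst, port, _b in flows}
    stats = {src: (mean(h.values()), pstdev(h.values()))
             for src, h in hourly_bytes(flows).items()}
    return known, stats

def find_anomalies(flows, known, stats, sigmas=3.0, min_dev=1024):
    """Flag conversations absent from the baseline and hourly volume spikes."""
    findings, seen = [], set()
    for _hour, src, dst, port, _b in flows:
        key = (src, dst, port)
        if key not in known and key not in seen:
            seen.add(key)
            findings.append(("new-conversation", src, dst, port))
    for src, per_hour in hourly_bytes(flows).items():
        avg, dev = stats.get(src, (0.0, 0.0))
        limit = avg + sigmas * max(dev, min_dev)  # min_dev avoids a zero-width band
        for hour, total in sorted(per_hour.items()):
            if total > limit:
                findings.append(("volume-spike", src, hour, total))
    return findings

if __name__ == "__main__":
    known, stats = build_baseline(BASELINE)
    for finding in find_anomalies(OBSERVED, known, stats):
        print(finding)
```

The baseline period has to be one in which the plant is known to be operating normally; anything already present during that period is learned as normal and will not be flagged.
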
5.4 System Hardening

System hardening is about minimizing the attack surface by removing software, stopping services and disabling ports that do not need to be used. Furthermore, any devices such as USB ports and CD drives can also be disabled. Unauthorized access from the operator interfaces into the operating system will also be checked.

Recommendations

If you are not completely confident about your security approach and policies or if you need help convincing your management about some necessary security investments, Yokogawa’s security consultants can help you by conducting a security assessment. The outcome of this assessment is a clear report that will list your vulnerabilities and indicate the actions you can take to rule out and mitigate them.

Helpful Resources

- Plant network Security Whitepaper - 2014 (by Yokogawa)
- Brochure Cyber Security for Industrial Control Systems (by Yokogawa)
- Video: Security: YOKOGAWA IA System Security Solutions (YouTube)
- Read more about Security in general on our website
- Read more about SCADA & Cyber security on our website

Contact us

For more information please visit www.yokogawa.com/eu to find contact information for Yokogawa in your area. For Europe please send an e-mail to [email protected]; a Yokogawa security expert will get in contact with you. You can also use the digital contact page to get in contact with a Yokogawa Security Expert.

About Yokogawa

Yokogawa Electric Corporation is a Japanese electrical engineering and software company, with businesses based on its measurement, control, and information technologies. Every high-technology product from Yokogawa has to fulfill three basic criteria: Quality, Innovation, Foresight. We are one of the world leaders in industrial automation and control, test and measurement, information systems and industrial services. Besides being high quality, innovative and advanced, our products are also safe and durable.
In other words, we supply smart technology, made by smart professionals. Many of our customers are major and global names in oil and gas upstream and midstream, refining and petrochemical, power and energy industries.