Applying the most important ICS security standards at Fortum. Information security for industrial automation (TITAN) seminar, 9.11.2010. Jarmo Huhta
Term to be used in Fortum: ICS
Today many different names are used for control systems, automation, process networks and SCADA. When all of these systems are referred to at the same time, one term makes communication easier.
ICS = Industrial Control Systems. Generic term including:
- SCADA (supervisory control and data acquisition systems)
- DCS (distributed control systems)
- PLC and other systems performing control functions
- Related servers (Input/Output, Data Historian, Control server, etc.)
- Networking (Fieldbus network, point-to-point wiring, routers, firewalls, etc.)
Source: National Institute of Standards and Technology (NIST), U.S.
What is FASCO (Fortum Automation Security COncept)?
FASCO is:
- A compliance concept and model
- Guidelines, requirements and other material
- Based on industrial best practices, standards and other related recommendations
- NOT a product or solution, but helps to implement compliant solutions
- NOT a complete set of guidelines: currently addresses selected important areas of ICS* cyber security
- A TOOLSET to manage cyber security in a changing ICS environment
- Under continuous development; planning of FASCO v. 2.0 is currently ongoing
* ICS = Industrial Control Systems including SCADA, DCS and PLC
Why FASCO?
AVAILABILITY of critical ICS* in Fortum
- ICS are starting to resemble IT systems (industry standard computers, operating systems and network protocols)
- Cyber security issues and vulnerabilities are becoming a major risk to the availability of critical systems
COST SAVINGS
- Models, solutions and guidelines according to industrial best practices and standards
- Re-use of work done earlier
- Less need for case-by-case studies and development
- Continuous development of the concept ensures continuous benefits
SECURITY
- Availability, Integrity, Confidentiality
Q: How to enhance the availability and security of industrial control systems?
A: FASCO is a "toolset" that helps to manage many cyber security risks for:
- New installations, procurement
- Renewal projects
- Operation
* ICS = Industrial Control Systems including SCADA, DCS and PLC
ICS* reference model for cyber security zones
- Overall conceptual basis for the other FASCO and security principles
- Based on standards, e.g. ISA-99 (TITAN handbook p. 35) and ANSI/ISA 95
- Real-life ICS security zones may look different, but should follow these principles.
- DCS and SCADA reference models differ slightly, but levels 0...5 have the same purpose in both
- LEVEL 5 is Fortum's addition to the standards, to emphasize the different role of enterprise (office) systems and external 3rd-party systems
* ICS = Industrial Control Systems including SCADA, DCS and PLC
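The slide gives only the level numbers 0...5 and the rule that zones should follow the levelled model. The script below is an added example, not Fortum's or FASCO's own material: it encodes the zone model as data and audits a list of network flows against it, so that a flow which skips a level, or uses a service not declared on the conduit (firewall) between two adjacent levels, is reported. The level names for 0...4 follow the common ISA-99 / Purdue convention, the "at most one level boundary, only through a declared conduit" rule, and the sample conduits and flows are all assumptions made for this example.

```python
"""Audit ICS network flows against a levelled zone reference model.

Added example, not code from the slides or from Fortum. Zone levels 0..5
follow the slide (level 5 = external / 3rd-party zone, Fortum's addition);
the names for levels 0..4 are the ISA-99 / Purdue convention and are an
assumption here. The enforced rule is also an assumption for this example:
a flow may cross at most one level boundary, and only through a declared
conduit that allows the flow's service.
"""
from dataclasses import dataclass

# Assumed level names; the slide only numbers the levels.
LEVEL_NAMES = {
    0: "process (sensors / actuators)",
    1: "basic control (PLC / RTU)",
    2: "supervisory control (HMI, control server)",
    3: "site operations (historian, engineering)",
    4: "enterprise (office) systems",
    5: "external / 3rd-party systems",  # Fortum's addition per the slide
}


@dataclass(frozen=True)
class Flow:
    src_zone: int
    dst_zone: int
    service: str


@dataclass(frozen=True)
class Conduit:
    """Declared crossing point (e.g. a firewall) between two adjacent levels."""
    low_zone: int
    high_zone: int
    allowed_services: frozenset


def check_flow(flow, conduits):
    """Return (ok, reason) for one flow under the zone/conduit rule."""
    for z in (flow.src_zone, flow.dst_zone):
        if z not in LEVEL_NAMES:
            return False, f"unknown zone level {z}"
    lo, hi = sorted((flow.src_zone, flow.dst_zone))
    if lo == hi:
        return True, f"intra-zone flow in level {lo}"
    if hi - lo > 1:
        # Skipping levels bypasses the intermediate zone's controls.
        return False, f"flow skips levels {lo}->{hi}; must pass through intermediate zone(s)"
    for c in conduits:
        if (c.low_zone, c.high_zone) == (lo, hi):
            if flow.service in c.allowed_services:
                return True, f"permitted by conduit {lo}/{hi}"
            return False, f"service {flow.service!r} not allowed on conduit {lo}/{hi}"
    return False, f"no conduit declared between levels {lo} and {hi}"


def audit(flows, conduits):
    """Check every flow; returns a list of (flow, ok, reason)."""
    return [(f, *check_flow(f, conduits)) for f in flows]


# Constructed sample policy and flows, not taken from the slides.
SAMPLE_CONDUITS = [
    Conduit(0, 1, frozenset({"modbus"})),
    Conduit(1, 2, frozenset({"opc"})),
    Conduit(2, 3, frozenset({"opc", "historian"})),
    Conduit(3, 4, frozenset({"https"})),
    Conduit(4, 5, frozenset({"https"})),
]

SAMPLE_FLOWS = [
    Flow(1, 0, "modbus"),      # PLC polling field devices: allowed
    Flow(2, 1, "opc"),         # supervisory to basic control: allowed
    Flow(5, 3, "rdp"),         # 3rd party straight into site operations: skips level 4
    Flow(4, 3, "ssh"),         # office host to site operations: service not on conduit
    Flow(3, 3, "historian"),   # intra-zone: allowed
    Flow(5, 4, "https"),       # external to enterprise over declared conduit: allowed
]


def violations(flows=SAMPLE_FLOWS, conduits=SAMPLE_CONDUITS):
    """Return only the flows that break the zone model, with the reason."""
    return [(f, reason) for f, ok, reason in audit(flows, conduits) if not ok]


if __name__ == "__main__":
    for f, ok, reason in audit(SAMPLE_FLOWS, SAMPLE_CONDUITS):
        status = "OK  " if ok else "FAIL"
        print(f"{status} {f.src_zone}->{f.dst_zone} {f.service:<10} {reason}")
```

Run stand-alone, the script lists each sample flow with OK or FAIL; in practice the flow list would come from firewall rule exports or captured traffic summaries, and the conduit list from the zone design documentation.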
Ensuring security in the procurement phase
- Questionnaire as an attachment to the request for quotation
- "Interactive" Excel file, returned both electronically and on paper
- Makes it easier both to compare suppliers and to understand the offered solution
- Contract annex with the same content: the same matters, but in requirement form
- Also attached to the RFP (.doc or .pdf)
- Most important reference: SCADA Procurement project: Cyber Security Procurement Language for Control Systems (TITAN handbook p. 43) http://www.us-cert.gov/control_systems/pdf/scada_procurement_dhs_final_to_issue_08-19-08.pdf
FORTUM ICS concept overview (diagram; only the labels are recoverable)
- ICS concept: Fortum material (contract, technical, security etc.), with a standard part and project-specific data templates
- Other Fortum concepts (contract etc.), Licenses, General ICS concept & best practices
- Lead Buyer function + purchasing; project documentation; Maintenance Agreement
- Referenced standards: ISO 20000, ITIL, ISO 27002, (CobiT)
- Lifecycle phases: pre-study, RFP preparation, RFP, commissioning, guarantee / operation, maintenance / operation
- Milestones: contract, FAT, SAT, take over, revision, replacement, close down
ISO/IEC 27002: Information Security Management System (ISMS) (TITAN handbook p. 36)
1. Risk assessment
2. Security policy - management direction
3. Organization of information security - governance of information security
4. Asset management - inventory and classification of information assets
5. Human resources security - security aspects for employees joining, moving and leaving an organization
6. Physical and environmental security - protection of the computer facilities
7. Communications and operations management - management of technical security controls in systems and networks
8. Access control - restriction of access rights to networks, systems, applications, functions and data
9. Information systems acquisition, development and maintenance - building security into applications
10. Information security incident management - anticipating and responding appropriately to information security breaches
11. Business continuity management - protecting, maintaining and recovering business-critical processes and systems
12. Compliance - ensuring conformance with information security policies, standards, laws and regulations
ISO/IEC 20000: IT Service Management (ITIL)
CobiT: Control Objectives for Information and related Technology (IT Governance)
CobiT provides a framework based on a collection of generic ICT processes, in a form understood by business managers, ICT suppliers and auditors. CobiT's approach is business-centric, process-oriented, control-based and measurement-driven. CobiT has developed into an open standard and is an internationally adopted control model for ICT service management. CobiT defines 34 high-level objectives (generic process areas), which further comprise 215 control objectives. CobiT divides the generic process areas into four domains:
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
Thank you! Questions? Comments? Jarmo Huhta, jarmo.huhta@fortum.com, +358504524252