Dr. Ragnar Schierholz, Hannover Messe, Industrial IT Security theme day (Thementag Industrial IT Security), 2014-04-11
© ABB Group, April 11, 2014

Security in the product life cycle: from the cradle to the grave

Life cycle aspects of cyber security for ICS
Draft material from IEC 62443 (* based on VDI 2182)
Roles: PS = Product Supplier, SI = System Integrator, AO = Asset Owner

How ABB works with Cyber Security: an important factor in all phases
- Product Lifecycle: Design, Implementation, Verification, Release, Support
- Project Lifecycle: Design, Engineering, FAT, Commissioning, SAT
- Plant Lifecycle: Operation, Maintenance, Review, Upgrade

How ABB works with Cyber Security: an integral part of ABB's products and systems

Security Development Lifecycle: The Process
- Education: Administer and track security training
- Process: Guide product teams to meet SDL requirements
- Accountability: Establish release criteria and signoff as part of G5
Phases:
- Training: Core training
- Requirements: Define quality gates/bug bar; Analyze cyber security risk
- Design: Attack surface analysis; Threat modeling
- Implementation: Specify tools; Enforce banned functions; Static analysis
- Verification: Dynamic/Fuzz testing (e.g. DSAC); Verify threat models/attack surface
- Release: Incident response plan; Final security review (FSR); Release archive
- Response: Execute response plan (e.g. vulnerability handling policy)

Security Development Lifecycle, Example: Verification
- Formally established, centralized and independent security test center
- Leveraging state-of-the-art open source, commercial and proprietary robustness and vulnerability analysis tools
- Close collaboration with ABB developers, providing in-depth analysis and recommendations

Secure Development Lifecycle, Example: Validation of Security Updates
Accreditation of Anti-virus SW for Sentinel Users
- McAfee VirusScan® Enterprise with ePO Server and Symantec Endpoint Protection
- Configuration guidelines, verified in system tests
- Node based or centralized management
- Updating via server in the Demilitarized zone
- Daily verification of Definition files
- Update production systems with 48h delay
- Redistribution of Symantec definition files

Secure Development Lifecycle, Example: Validation of Security Updates
Microsoft security updates for Sentinel Users
- All relevant updates are tested for compatibility
- Result published typically within 3 – 7 days
Other 3rd party SW (e.g. Adobe Reader)
- Validated with next Microsoft Security Update
Deployment
- The System 800xA Qualified Security Updates for node by node deployment
- MS Security Updates delivered from ABB WSUS for centralized management

Security Development Lifecycle, Example: Vulnerability handling
- In case you want to be informed of vulnerabilities found in ABB products: public disclosure on www.abb.com/cybersecurity and ICS-CERT
- In case you have found a vulnerability in our products: use the "Contact us" feature on ABB's Cyber security webpage www.abb.com/cybersecurity to report any security issue

Contact
Dr. Ragnar Schierholz, Cyber Security Analyst
ABB AG, Schillerstr. 72, DE-32425 Minden
Phone +49 517 830 1080
Mobile +49 171 189 2349
E-Mail ragnar.schierholz@de.abb.com
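The staged rollout described on the anti-virus validation slide (definition files verified daily on a test system, production updated with a 48h delay) can be expressed as a promotion gate. This is an added example, not ABB code and not a description of ABB's tooling; the version names, dates and the fall-back-to-last-good rule are assumptions.

```python
"""Promotion gate for anti-virus definition files, constructed example.

Rule modelled from the slide: a definition release is verified daily on a
test system and is promoted to production only once it is at least 48h old
and has passed every verification so far. If the newest release fails a
check, the gate falls back to the newest release that is still clean.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PRODUCTION_DELAY = timedelta(hours=48)  # "update production systems with 48h delay"


@dataclass
class DefinitionRelease:
    version: str
    released: datetime                           # received on the DMZ update server
    checks: list = field(default_factory=list)   # (timestamp, passed) from daily verification

    def verified_ok(self, now: datetime) -> bool:
        """True if at least one daily check has run by `now` and all of them passed."""
        seen = [ok for ts, ok in self.checks if ts <= now]
        return bool(seen) and all(seen)


def select_production_definition(releases, now: datetime):
    """Newest release that is old enough and has a clean verification history."""
    eligible = [r for r in releases
                if now - r.released >= PRODUCTION_DELAY and r.verified_ok(now)]
    if not eligible:
        return None
    return max(eligible, key=lambda r: r.released).version


# Constructed sample history (hypothetical versions and dates).
T0 = datetime(2014, 4, 7, 6, 0)


def hours_after_start(hours: int) -> datetime:
    return T0 + timedelta(hours=hours)


SAMPLE = [
    # def-5001 passes its daily check on five consecutive days
    DefinitionRelease("def-5001", T0, [(hours_after_start(24 * d), True) for d in range(5)]),
    # def-5002 arrives two days later, passes once, then fails a check
    DefinitionRelease("def-5002", hours_after_start(48),
                      [(hours_after_start(72), True), (hours_after_start(96), False)]),
]
```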