Why and How should You include Industrial Cyber Security among the topics to be covered during the definition of an industrial or infrastructural Project?
Project Management & Industrial Cyber Security (ICS) by Enzo M. Tieghi
1. We protect control and automation systems in industry and infrastructure from cyber incidents
Enzo M. Tieghi
etieghi@servitecno.it
em.tieghi@infrastrutturecritiche.it
3. Enzo Maria Tieghi
CEO of ServiTecno
(industrial software for over 20 years)
Board member of AIIC, active in associations and study groups
for industrial cyber security (ISA s99 member)
Member of advisory boards, international groups and projects on
Industrial Security and CIP (Critical Infrastructure Protection)
Co-author and author of publications, articles and papers
6. ANSI/ISA95 Functional Hierarchy (www.isa.org)
Level 4 - Business Planning & Logistics: Plant Production Scheduling, Operational Management, etc.
Establishing the basic plant schedule - production, material use, delivery, and shipping. Determining inventory levels.
Time Frame: Months, weeks, days
Level 3 - Manufacturing Operations Management: Dispatching Production, Detailed Production Scheduling, Reliability Assurance, ...
Work flow / recipe control to produce the desired end products. Maintaining records and optimizing the production process.
Time Frame: Days, Shifts, hours, minutes, seconds
Level 2 - Monitoring, supervisory control and automated control of the production process
Level 1 - Sensing the production process, manipulating the production process
Level 0 - The actual production process
Control types shown in the figure: Batch Control, Discrete Control, Continuous Control
7.
8. Plant Security
Beyond safety (EN ISO 13849-1/2,
IEC/EN 62061, IEC/EN 61508,
IEC/EN 61511)…
• do we assess security?
• System life cycle?
• Project documentation?
• Changes to the plant?
• Networks, PLC, DCS, SCADA?
• Who? When? Where? Why?
9. • a repository for the “validated” version of the software
• the project documentation
• for any changes, maintenance, restarts?
10. • Have I done a Risk Analysis for cyber risk?
• Have I protected the factory network and systems?
• Do I have a complete copy, a back-up of the system (and of the data)?
• Have I ever tested the recovery?
14. Example of a “Security Architecture” in automation and control systems
Networks shown in the figure: Enterprise Control Network, Manufacturing Operations Network, Perimeter Control Network, Control System Network, Process Control Network
Source: Byres - Tofino
15. Protecting Zones & Conduits with Firewalls
(multilayered defence)
Corporate Firewall
Industrial Firewall
Source: Byres - Tofino
16. … and much more
HW and SW of various brands,
origins, ages, uses…
19. The real problem?
…“Control system staff often have no skill and time for
security practices…”
Steve Meyer, System Security Expert says:
“... Hackers and exploits are an inconvenience and can cost
money but plant downtime will kill a business…”