ISPE Cyber SecurityISPE Cyber SecurityS99 UpdateS99 Update

December 08, 2009

Topics to be covered

Does it matter? Activity ISA S99

S99 Work completed S99 Work in progress

SCADA

Specific informationFreely availableDocumented case

DCS

Controls Systems Security Program (CSSP) administered by DHS

15 ICS assements245 vulnerabilitiesAll systems at risk

Not inclusive, only most critical vulnerabilities identified

Activity

Standards NERC CIP Chemical Sector

Guidance Documents NIST 800-53 NIST 800-82 ANSI/ISA-TR99.00.01-

2007 ANSI/ISA-99.00.01-2007 ISA-99.00.02 (Draft) DHS

Certifications CISP CISM®

CGIET ®

CISA ® ISP

Why a industrial security standard?

IT

IT Security

Control Systems

 

Control System Cyber Security

Copyright © 2009 ISA

Multiple Perspectives

7

The right Balance of Understanding in:

• Industry Sector drivers

• Control Vendor Limitations

• User Implementation Challenges

• Economic/Financial Burdens

• Community acceptance

• Community Support Requirements

Committee Scope

The ISA99 Committee addresses industrial automation and control systems whose compromise could result in any or all of the following situations:

endangerment of public or employee safety loss of public confidence violation of regulatory requirements loss of proprietary or confidential information economic loss impact on entity, local, state, or national security

8

Participation

Over 250 members from more than 200 companies Sectors include:

Chemical Processing Petroleum Refining Food and Beverage Power Pharmaceuticals Process Automation Suppliers IT Suppliers Government Labs Consultants

9

Work Product Types (*)

STANDARD: A document that embodies requirements (normative material) that, if not followed, could directly affect safety, interchangeability, performance, or test results. In general, such requirements should already be widely recognized and used. Standards also include Draft Standards for Trial Use (DSTU), which are draft standards intended for subsequent submittal to ANSI for approval as American National Standards. A standard may contain informative material as long as it is clearly identified as such.

RECOMMENDED PRACTICE: A document that embodies recommendations (informative material) that are likely to change because of technological progress or user experience, or which must often be modified in use to accommodate specific needs or problems of the user of the document.

TECHNICAL REPORT: A document that embodies informative material. For example, reports of technical research, tutorials, and factual data obtained from a survey, or information on the "state-of-the-art" in relation to standards on a particular subject.

(*) – From ISA Standards and Practices Department Procedures

10

Common Topics Across Standards…Common Concepts, Models &

Terminology(ISA99.01.xx)

Management System

(ISA99.02.xx)

System Technical

Requirements

(ISA99.03.xx)

Component Technical

Requirements

(ISA99.04.xx)

Reference Architecture & Models

Zones and Conduits

Foundational Requirements

Terminology

11Copyright © 2009 ISA

ISA99 Work Products (*)

ISA-99.02.01 Establishing an IACS

Security Program

ISA-99.01.01Terminology, Concepts

And Models

ISA-99.02.02 Operating an IACS Security Program

ISA-TR99.01.02Master Glossary of

Terms and Abbreviations

ISA-TR99.02.03 Patch Management in the

IACS Environment

ISA-99.03.04Product Development

Requirements

ISA-99.04.01Embedded Devices

ISA-99.04.02Host Devices

ISA-99.04.03Network Devices

ISA-99.04.04Applications, Data

And Functions

Sec

uri

ty P

rog

ram

Te

chn

ical

- S

yste

mT

ech

nic

al -

Co

mp

on

en

tIS

A9

9 C

om

mo

n

ISA-99.03.03System Security

Requirements and Security Assurance Levels

was Foundational Requirementswas ISA-99.01.03

ISA-TR99.03.01 Security Technologies for Industrial Automation and

Control Systems

was ISA-TR99.00.01-2007

ISA-99.03.02Security Assurance Levels

for Zones and Conduits

was Target Security Levels

ISA-99.01.03System Security

Compliance Metrics

was ISA-99.03.03

12Copyright © 2009 ISA

Phased Approach to Requirements Standards

Part Title Scope and Purpose

Primary Users Expected Publication Date

Technical Requirements: Target Security Levels

Use NIST 800-53 mapping to establish target security levels

Includes high-level description of domains including their zones and conduits

Asset owner Security system architect System integrator System providers including

3rd party outsourcesMid 2009

Technical Requirements: System Security Compliance Metrics

Defines measurable compliance metrics that are context specific

Asset owner Security system architect System integrator ISA Compliance Institute System providers including

3rd party outsources

Late 2009

Technical Requirements: Allocation to Subsystems and Components

Normative specification of security requirements including rationale and supporting use cases based on example reference models

Includes detailed description of domains including their zones and conduits

Asset owner Security system architect System integrator ISA Compliance Institute System, subsystem and

component providers including 3rd party outsources

2013

Note: this part could be further subdivided to improve timeliness of

publication

13Copyright © 2009 ISA

Guidelines for Implementing

Requirements

Risk Analysis

Countermeasure Selection

Design

Implementation

Continuous Improvement

Part 1 for Definition, Requirements, and “Coming to Terms with Terms”

Part 2 for Program Elements from Business Case to Implementation

Technical Report 1 for Evaluation and Selection of Countermeasures

Part 3 for Performance and Benefit Driven Analysis and Continuous Improvement

Part 4 for Vendors and Asset Owners to Specify and Build More Secure Components – Similar to SIL

Copyright © 2009 ISA

Work Products List (1/2)

ISA Number IEC Number(per IEC SMB)

Work Product Subject Status

ISA-99.01.01 IEC/TS 62443-1-1 Terminology, Concepts And Models Released

ISA-TR99.01.02

IEC/TR 62443-1-2 Master Glossary of Terms and Abbreviations

Draft

ISA-99.01.03 IEC 62443-1-3 Security Compliance Metrics Draft

ISA-99.02.01 IEC 62443-2-1 Establishing an IACS Security Program Released

ISA-99.02.02 IEC 62443-2-2 Operating an IACS Security Program Proposed

ISA-TR99.02.03

IEC/TR 62443-2-3 Patch Management in the IACS Environment

Proposed

Copyright © 2009 ISA 15October 2009

Work Products List (2/2)

ISA Number IEC Number(per IEC SMB)

Work Product Subject Status

ISA-TR99.03.01

IEC/TR 62443-3-1

Security Technologies for Industrial Automation and Control Systems

Released

ISA-99.03.02 IEC 62443-3-2 Security Assurance Levels for Zones and Conduits

Draft

ISA-99.03.03 IEC 62443-3-3 System Security Requirements and Security Assurance Levels

Draft

ISA-99.03.04 IEC 62443-3-4 Product Development Requirements Proposed

ISA-99.04.01 IEC 62443-4-1 Embedded Devices Proposed

ISA-99.04.02 IEC 62443-4-2 Host Devices Proposed

ISA-99.04.03 IEC 62443-4-3 Network Devices Proposed

ISA-99.04.04 IEC 62443-4-4 Applications, Data and Functions Proposed

Copyright © 2009 ISA 16October 2009

Connecting with Others

ISA100(Wireless)

ISA84ISA84(Safety)(Safety)

ISCI(Compliance)

MSMUGISA99Committee(Standards)

IECIEC(International)(International)

Copyright © 2009 ISA 17October 2009