ISPE Cyber Security: S99 Update
December 08, 2009
Topics to be covered
• Does it matter?
• Activity
• ISA S99
• S99 Work completed
• S99 Work in progress
SCADA
• Specific information
• Freely available
• Documented case
DCS
• Controls Systems Security Program (CSSP) administered by DHS
• 15 ICS assessments
• 245 vulnerabilities
• All systems at risk
• Not inclusive, only most critical vulnerabilities identified
Activity
Standards
• NERC CIP
• Chemical Sector
Guidance Documents
• NIST 800-53
• NIST 800-82
• ANSI/ISA-TR99.00.01-2007
• ANSI/ISA-99.00.01-2007
• ISA-99.00.02 (Draft)
• DHS
Certifications
• CISP
• CISM®
• CGEIT®
• CISA®
• ISP
Why an industrial security standard?
IT
IT Security
Control Systems
Control System Cyber Security
Copyright © 2009 ISA
Multiple Perspectives
The right Balance of Understanding in:
• Industry Sector drivers
• Control Vendor Limitations
• User Implementation Challenges
• Economic/Financial Burdens
• Community acceptance
• Community Support Requirements
Committee Scope
The ISA99 Committee addresses industrial automation and control systems whose compromise could result in any or all of the following situations:
• endangerment of public or employee safety
• loss of public confidence
• violation of regulatory requirements
• loss of proprietary or confidential information
• economic loss
• impact on entity, local, state, or national security
Participation
Over 250 members from more than 200 companies
Sectors include:
• Chemical Processing
• Petroleum Refining
• Food and Beverage
• Power
• Pharmaceuticals
• Process Automation Suppliers
• IT Suppliers
• Government Labs
• Consultants
Work Product Types (*)
STANDARD: A document that embodies requirements (normative material) that, if not followed, could directly affect safety, interchangeability, performance, or test results. In general, such requirements should already be widely recognized and used. Standards also include Draft Standards for Trial Use (DSTU), which are draft standards intended for subsequent submittal to ANSI for approval as American National Standards. A standard may contain informative material as long as it is clearly identified as such.
RECOMMENDED PRACTICE: A document that embodies recommendations (informative material) that are likely to change because of technological progress or user experience, or which must often be modified in use to accommodate specific needs or problems of the user of the document.
TECHNICAL REPORT: A document that embodies informative material. For example, reports of technical research, tutorials, and factual data obtained from a survey, or information on the "state-of-the-art" in relation to standards on a particular subject.
(*) – From ISA Standards and Practices Department Procedures
Common Topics Across Standards…
• Common Concepts, Models & Terminology (ISA99.01.xx)
• Management System (ISA99.02.xx)
• System Technical Requirements (ISA99.03.xx)
• Component Technical Requirements (ISA99.04.xx)
Reference Architecture & Models
Zones and Conduits
Foundational Requirements
Terminology
ISA99 Work Products (*)
ISA99 Common
• ISA-99.01.01 Terminology, Concepts and Models
• ISA-TR99.01.02 Master Glossary of Terms and Abbreviations
• ISA-99.01.03 System Security Compliance Metrics (was ISA-99.03.03)
Security Program
• ISA-99.02.01 Establishing an IACS Security Program
• ISA-99.02.02 Operating an IACS Security Program
• ISA-TR99.02.03 Patch Management in the IACS Environment
Technical - System
• ISA-TR99.03.01 Security Technologies for Industrial Automation and Control Systems (was ISA-TR99.00.01-2007)
• ISA-99.03.02 Security Assurance Levels for Zones and Conduits (was Target Security Levels)
• ISA-99.03.03 System Security Requirements and Security Assurance Levels (was Foundational Requirements; was ISA-99.01.03)
• ISA-99.03.04 Product Development Requirements
Technical - Component
• ISA-99.04.01 Embedded Devices
• ISA-99.04.02 Host Devices
• ISA-99.04.03 Network Devices
• ISA-99.04.04 Applications, Data and Functions
Phased Approach to Requirements Standards
Part Title: Technical Requirements: Target Security Levels
Scope and Purpose:
• Use NIST 800-53 mapping to establish target security levels
• Includes high-level description of domains including their zones and conduits
Primary Users:
• Asset owner
• Security system architect
• System integrator
• System providers including 3rd party outsources
Expected Publication Date: Mid 2009

Part Title: Technical Requirements: System Security Compliance Metrics
Scope and Purpose:
• Defines measurable compliance metrics that are context specific
Primary Users:
• Asset owner
• Security system architect
• System integrator
• ISA Compliance Institute
• System providers including 3rd party outsources
Expected Publication Date: Late 2009

Part Title: Technical Requirements: Allocation to Subsystems and Components
Scope and Purpose:
• Normative specification of security requirements including rationale and supporting use cases based on example reference models
• Includes detailed description of domains including their zones and conduits
Primary Users:
• Asset owner
• Security system architect
• System integrator
• ISA Compliance Institute
• System, subsystem and component providers including 3rd party outsources
Expected Publication Date: 2013
Note: this part could be further subdivided to improve timeliness of publication
Guidelines for Implementing
Requirements
Risk Analysis
Countermeasure Selection
Design
Implementation
Continuous Improvement
Part 1 for Definition, Requirements, and “Coming to Terms with Terms”
Part 2 for Program Elements from Business Case to Implementation
Technical Report 1 for Evaluation and Selection of Countermeasures
Part 3 for Performance and Benefit Driven Analysis and Continuous Improvement
Part 4 for Vendors and Asset Owners to Specify and Build More Secure Components – Similar to SIL
Work Products List (1/2)
ISA Number | IEC Number (per IEC SMB) | Work Product Subject | Status
ISA-99.01.01 | IEC/TS 62443-1-1 | Terminology, Concepts And Models | Released
ISA-TR99.01.02 | IEC/TR 62443-1-2 | Master Glossary of Terms and Abbreviations | Draft
ISA-99.01.03 | IEC 62443-1-3 | Security Compliance Metrics | Draft
ISA-99.02.01 | IEC 62443-2-1 | Establishing an IACS Security Program | Released
ISA-99.02.02 | IEC 62443-2-2 | Operating an IACS Security Program | Proposed
ISA-TR99.02.03 | IEC/TR 62443-2-3 | Patch Management in the IACS Environment | Proposed
Copyright © 2009 ISA, October 2009
Work Products List (2/2)
ISA Number | IEC Number (per IEC SMB) | Work Product Subject | Status
ISA-TR99.03.01 | IEC/TR 62443-3-1 | Security Technologies for Industrial Automation and Control Systems | Released
ISA-99.03.02 | IEC 62443-3-2 | Security Assurance Levels for Zones and Conduits | Draft
ISA-99.03.03 | IEC 62443-3-3 | System Security Requirements and Security Assurance Levels | Draft
ISA-99.03.04 | IEC 62443-3-4 | Product Development Requirements | Proposed
ISA-99.04.01 | IEC 62443-4-1 | Embedded Devices | Proposed
ISA-99.04.02 | IEC 62443-4-2 | Host Devices | Proposed
ISA-99.04.03 | IEC 62443-4-3 | Network Devices | Proposed
ISA-99.04.04 | IEC 62443-4-4 | Applications, Data and Functions | Proposed
Connecting with Others
• ISA100 (Wireless)
• ISA84 (Safety)
• ISCI (Compliance)
• MSMUG
• ISA99 Committee (Standards)
• IEC (International)