ISPE Cyber Security S99 Update December 08, 2009 Topics to be covered Does it matter? Activity ISA S99 S99 Work completed S99 Work in progress SCADA Specific information Freely available Documented case DCS Controls Systems Security Program (CSSP) administered by DHS 15 ICS assements 245 vulnerabilities All systems at risk Not inclusive, only most critical vulnerabilities identified Activity Standards NERC CIP Chemical Sector Guidance Documents NIST 800-53 NIST 800-82 ANSI/ISA-TR99.00.012007 ANSI/ISA-99.00.01-2007 ISA-99.00.02 (Draft) DHS Certifications CISP CISM® CGIET ® CISA ® ISP Why a industrial security standard? IT IT Security Control Systems Control System Cyber Security Copyright © 2009 ISA Multiple Perspectives The right Balance of Understanding in: • Industry Sector drivers • Control Vendor Limitations • User Implementation Challenges • Economic/Financial Burdens • Community acceptance • Community Support Requirements 7 Committee Scope The ISA99 Committee addresses industrial automation and control systems whose compromise could result in any or all of the following situations: endangerment of public or employee safety loss of public confidence violation of regulatory requirements loss of proprietary or confidential information economic loss impact on entity, local, state, or national security 8 Participation Over 250 members from more than 200 companies Sectors include: Chemical Processing Petroleum Refining Food and Beverage Power Pharmaceuticals Process Automation Suppliers IT Suppliers Government Labs Consultants 9 Work Product Types (*) (*) STANDARD: A document that embodies requirements (normative material) that, if not followed, could directly affect safety, interchangeability, performance, or test results. In general, such requirements should already be widely recognized and used. Standards also include Draft Standards for Trial Use (DSTU), which are draft standards intended for subsequent submittal to ANSI for approval as American National Standards. A standard may contain informative material as long as it is clearly identified as such. RECOMMENDED PRACTICE: A document that embodies recommendations (informative material) that are likely to change because of technological progress or user experience, or which must often be modified in use to accommodate specific needs or problems of the user of the document. TECHNICAL REPORT: A document that embodies informative material. For example, reports of technical research, tutorials, and factual data obtained from a survey, or information on the "state-of-the-art" in relation to standards on a particular subject. – From ISA Standards and Practices Department Procedures 10 Common Topics Across Standards… Common Concepts, Models & Terminology (ISA99.01.xx) Management System System Technical Requirements Component Technical Requirements (ISA99.02.xx) (ISA99.03.xx) (ISA99.04.xx) Terminology Reference Architecture & Models Zones and Conduits Foundational Requirements Copyright © 2009 ISA 11 ISA-99.01.01 Terminology, Concepts And Models ISA-TR99.01.02 Master Glossary of Terms and Abbreviations ISA-99.01.03 System Security Compliance Metrics ISA-99.02.01 Establishing an IACS Security Program ISA-99.02.02 Operating an IACS Security Program ISA-TR99.02.03 Patch Management in the IACS Environment ISA-TR99.03.01 Security Technologies for Industrial Automation and Control Systems ISA-99.03.02 Security Assurance Levels for Zones and Conduits ISA-99.03.03 System Security Requirements and Security Assurance Levels was ISA-TR99.00.01-2007 was Target Security Levels was Foundational Requirements was ISA-99.01.03 ISA-99.04.01 Embedded Devices ISA-99.04.02 Host Devices ISA-99.04.03 Network Devices Technical - Component Security Program was ISA-99.03.03 Technical - System ISA99 Common ISA99 Work Products (*) Copyright © 2009 ISA ISA-99.03.04 Product Development Requirements ISA-99.04.04 Applications, Data And Functions 12 Phased Approach to Requirements Standards Part Title Scope and Purpose Primary Users Technical Requirements: Target Security Levels Use NIST 800-53 mapping to establish target security levels Includes high-level description of domains including their zones and conduits Asset owner Security system architect System integrator System providers including 3rd party outsources Technical Requirements: System Security Compliance Metrics Defines measurable compliance metrics that are context specific Asset owner Security system architect System integrator ISA Compliance Institute System providers including 3rd party outsources Technical Requirements: Allocation to Subsystems and Components Normative specification of security requirements including rationale and supporting use cases based on example reference models Includes detailed description of domains including their zones and conduits Asset owner Security system architect System integrator ISA Compliance Institute System, subsystem and component providers including 3rd party outsources Copyright © 2009 ISA Expected Publication Date Mid 2009 Late 2009 2013 Note: this part could be further subdivided to improve timeliness of publication 13 Guidelines for Implementing ISA-99.00.01 Requirements Implementation Continuous Improvement ISA-99.00.04 ISA-99.00.03 Design ISA-TR99.00.01 Countermeasure Selection ISA-99.00.02 Risk Analysis Part 1 for Definition, Requirements, and “Coming to Terms with Terms” Part 2 for Program Elements from Business Case to Implementation Technical Report 1 for Evaluation and Selection of Countermeasures Part 3 for Performance and Benefit Driven Analysis and Continuous Improvement Part 4 for Vendors and Asset Owners to Specify and Build More Secure Components – Similar to SIL Copyright © 2009 ISA Work Products List (1/2) ISA Number ISA-99.01.01 IEC Number (per IEC SMB) Work Product Subject IEC/TS 62443-1-1 Terminology, Concepts And Models ISATR99.01.02 IEC/TR 62443-12 ISA-99.01.03 Status Released Master Glossary of Terms and Abbreviations Draft IEC 62443-1-3 Security Compliance Metrics Draft ISA-99.02.01 IEC 62443-2-1 Establishing an IACS Security Program Released ISA-99.02.02 IEC 62443-2-2 Operating an IACS Security Program Proposed ISATR99.02.03 IEC/TR 62443-23 Patch Management in the IACS Environment Proposed October 2009 Copyright © 2009 ISA 15 Work Products List (2/2) ISA Number ISATR99.03.01 IEC Number (per IEC SMB) Work Product Subject IEC/TR 62443-3- Security Technologies for Industrial 1 Automation and Control Systems Status Released ISA-99.03.02 IEC 62443-3-2 Security Assurance Levels for Zones and Conduits Draft ISA-99.03.03 IEC 62443-3-3 System Security Requirements and Security Assurance Levels Draft ISA-99.03.04 IEC 62443-3-4 Product Development Requirements Proposed ISA-99.04.01 IEC 62443-4-1 Embedded Devices Proposed ISA-99.04.02 IEC 62443-4-2 Host Devices Proposed ISA-99.04.03 IEC 62443-4-3 Network Devices Proposed ISA-99.04.04 IEC 62443-4-4 Applications, Data and Functions Proposed October 2009 Copyright © 2009 ISA 16 Connecting with Others ISA84 (Safety) ISA100 (Wireless) ISA99 Committee (Standards) IEC (International) October 2009 MSMUG ISCI (Compliance) Copyright © 2009 ISA 17