ISPE Cyber Security S99 Update December 08, 2009

advertisement
ISPE Cyber Security
S99 Update
December 08, 2009
Topics to be covered
 Does it matter?
 Activity
 ISA S99
 S99 Work completed
 S99 Work in progress
SCADA
Specific information
Freely available
Documented case
DCS
Controls Systems Security Program
(CSSP) administered by DHS
15 ICS assements
245 vulnerabilities
All systems at risk
Not inclusive, only most critical
vulnerabilities identified
Activity








Standards
NERC CIP
Chemical Sector
Guidance Documents
NIST 800-53
NIST 800-82
ANSI/ISA-TR99.00.012007
ANSI/ISA-99.00.01-2007
ISA-99.00.02 (Draft)
DHS
Certifications





CISP
CISM®
CGIET ®
CISA ®
ISP
Why a industrial security standard?
IT
IT Security
Control
Systems
Control
System
Cyber
Security
Copyright © 2009 ISA
Multiple Perspectives
The right Balance of Understanding in:
• Industry Sector drivers
• Control Vendor Limitations
• User Implementation Challenges
• Economic/Financial Burdens
• Community acceptance
• Community Support Requirements
7
Committee Scope
The ISA99 Committee addresses industrial
automation and control systems whose compromise
could result in any or all of the following situations:






endangerment of public or employee safety
loss of public confidence
violation of regulatory requirements
loss of proprietary or confidential information
economic loss
impact on entity, local, state, or national security
8
Participation
 Over 250 members from more than 200
companies
 Sectors include:









Chemical Processing
Petroleum Refining
Food and Beverage
Power
Pharmaceuticals
Process Automation Suppliers
IT Suppliers
Government Labs
Consultants
9
Work Product Types



(*)
(*)
STANDARD: A document that embodies requirements (normative material)
that, if not followed, could directly affect safety, interchangeability,
performance, or test results. In general, such requirements should already be
widely recognized and used. Standards also include Draft Standards for Trial
Use (DSTU), which are draft standards intended for subsequent submittal to
ANSI for approval as American National Standards. A standard may contain
informative material as long as it is clearly identified as such.
RECOMMENDED PRACTICE: A document that embodies recommendations
(informative material) that are likely to change because of technological
progress or user experience, or which must often be modified in use to
accommodate specific needs or problems of the user of the document.
TECHNICAL REPORT: A document that embodies informative material. For
example, reports of technical research, tutorials, and factual data obtained
from a survey, or information on the "state-of-the-art" in relation to standards
on a particular subject.
– From ISA Standards and Practices Department Procedures
10
Common Topics Across Standards…
Common
Concepts,
Models &
Terminology
(ISA99.01.xx)
Management
System
System
Technical
Requirements
Component
Technical
Requirements
(ISA99.02.xx)
(ISA99.03.xx)
(ISA99.04.xx)
Terminology
Reference Architecture & Models
Zones and Conduits
Foundational Requirements
Copyright © 2009 ISA
11
ISA-99.01.01
Terminology, Concepts
And Models
ISA-TR99.01.02
Master Glossary of
Terms and
Abbreviations
ISA-99.01.03
System Security
Compliance Metrics
ISA-99.02.01
Establishing an IACS
Security Program
ISA-99.02.02
Operating an IACS
Security Program
ISA-TR99.02.03
Patch Management in the
IACS Environment
ISA-TR99.03.01
Security Technologies for
Industrial Automation and
Control Systems
ISA-99.03.02
Security Assurance Levels
for Zones and Conduits
ISA-99.03.03
System Security
Requirements and
Security Assurance Levels
was ISA-TR99.00.01-2007
was Target Security Levels
was Foundational Requirements
was ISA-99.01.03
ISA-99.04.01
Embedded Devices
ISA-99.04.02
Host Devices
ISA-99.04.03
Network Devices
Technical - Component
Security Program
was ISA-99.03.03
Technical - System
ISA99 Common
ISA99 Work Products
(*)
Copyright © 2009 ISA
ISA-99.03.04
Product Development
Requirements
ISA-99.04.04
Applications, Data
And Functions
12
Phased Approach to Requirements Standards
Part Title
Scope and
Purpose
Primary Users
Technical
Requirements: Target
Security Levels
 Use NIST 800-53 mapping
to establish target security
levels
 Includes high-level
description of domains
including their zones and
conduits
 Asset owner
 Security system architect
 System integrator
 System providers including
3rd party outsources
Technical
Requirements: System
Security Compliance
Metrics
Defines measurable
compliance metrics that are
context specific
 Asset owner
 Security system architect
 System integrator
 ISA Compliance Institute
 System providers including
3rd party outsources
Technical
Requirements:
Allocation to
Subsystems and
Components
 Normative specification of
security requirements
including rationale and
supporting use cases based
on example reference
models
 Includes detailed description
of domains including their
zones and conduits
 Asset owner
 Security system architect
 System integrator
 ISA Compliance Institute
 System, subsystem and
component providers
including 3rd party
outsources
Copyright © 2009 ISA
Expected
Publication Date
Mid 2009
Late 2009
2013
Note: this part could be
further subdivided to
improve timeliness of
publication
13
Guidelines for Implementing
ISA-99.00.01
Requirements
Implementation
Continuous
Improvement
ISA-99.00.04
ISA-99.00.03
Design
ISA-TR99.00.01
Countermeasure
Selection

ISA-99.00.02
Risk Analysis




Part 1 for Definition, Requirements,
and “Coming to Terms with Terms”
Part 2 for Program Elements from
Business Case to Implementation
Technical Report 1 for Evaluation
and Selection of Countermeasures
Part 3 for Performance and Benefit
Driven Analysis and Continuous
Improvement
Part 4 for Vendors and Asset
Owners to Specify and Build More
Secure Components – Similar to SIL
Copyright © 2009 ISA
Work Products List (1/2)
ISA Number
ISA-99.01.01
IEC Number
(per IEC SMB)
Work Product Subject
IEC/TS 62443-1-1 Terminology, Concepts And Models
ISATR99.01.02
IEC/TR 62443-12
ISA-99.01.03
Status
Released
Master Glossary of Terms and
Abbreviations
Draft
IEC 62443-1-3
Security Compliance Metrics
Draft
ISA-99.02.01
IEC 62443-2-1
Establishing an IACS Security Program
Released
ISA-99.02.02
IEC 62443-2-2
Operating an IACS Security Program
Proposed
ISATR99.02.03
IEC/TR 62443-23
Patch Management in the IACS
Environment
Proposed
October 2009
Copyright © 2009 ISA
15
Work Products List (2/2)
ISA Number
ISATR99.03.01
IEC Number
(per IEC SMB)
Work Product Subject
IEC/TR 62443-3- Security Technologies for Industrial
1
Automation and Control Systems
Status
Released
ISA-99.03.02
IEC 62443-3-2
Security Assurance Levels for Zones and
Conduits
Draft
ISA-99.03.03
IEC 62443-3-3
System Security Requirements and
Security Assurance Levels
Draft
ISA-99.03.04
IEC 62443-3-4
Product Development Requirements
Proposed
ISA-99.04.01
IEC 62443-4-1
Embedded Devices
Proposed
ISA-99.04.02
IEC 62443-4-2
Host Devices
Proposed
ISA-99.04.03
IEC 62443-4-3
Network Devices
Proposed
ISA-99.04.04
IEC 62443-4-4
Applications, Data and Functions
Proposed
October 2009
Copyright © 2009 ISA
16
Connecting with Others
ISA84
(Safety)
ISA100
(Wireless)
ISA99
Committee
(Standards)
IEC
(International)
October 2009
MSMUG
ISCI
(Compliance)
Copyright © 2009 ISA
17
Download