Cyber Manual Adhering to the cybersecurity requirements of ...

Cyber Manual Adhering to the cybersecurity requirements of a toxins permitrequirements of a toxins permit July 2020 Version 1.3
Ministry of Environmental Protection Emergency and Cybersecurity Division
Industrial Cybersecurity Department
2. Definitions 5
4. Background – cybersecurity in the hazardous substances industry 10
5.Explanation of the process 11
6. Work planning 15
7. Required deliverables 15
9. Calculating the level of cyber risks 17
10. Determining the controls that must be implemented 19
11. Gap analysis – comparing the current situation to the controls required and mapping of the gaps 20
12. Building a work plan based on the mapping of the gaps 20
13. Appendices 21
Appendix A – Table used to calculate the impact (I) of a business holding hazardous substances 21
Appendix B – Table used to determine the level of exposure/probability (P) of a cyber incident in a business
holding hazardous substances 22
Appendix C – Details of the required controls 26
Appendix D – Threshold requirements of an external advisor for the preparation of a cyber risk survey 43
Appendix E – Letter of appointment of a cybersecurity officer in the business 45
Appendix F – Initial mapping of a hazardous process that is managed/controlled by a computerized system6 46
Appendix G – Declaration of the toxins permit holder regarding the performance of a cyber risk assessment
and classification of the business 47
Appendix H – Declaration of the toxins permit holder regarding the completion of a cyber risk mitigation plan 48
Appendix I – Cyber Incident Report 49
Appendix J – Declaration of the toxins permit holder regarding the absence of computerized systems
managing/controlling hazardous substances 51
Document version management 63
1.1 On February 15, 2015, Government Resolution 2443 – “Advancing National Regulation and Governmental Leadership in Cybersecurity” was passed (hereinafter: “the Government Resolution”). This resolution was passed pursuant to Government Resolution 3611 – “Advancing National Capabilities in Cyberspace” of August 7, 2011.
1.2 On the same day (February 15, 2015), another resolution was passed, Government Resolution 2444 – “Advancing National Preparedness for Cybersecurity,” in which the government decided to formulate a comprehensive cybersecurity policy and to establish a National Cybersecurity Authority in the National Cyber Directorate in the Prime Minister’s Office.
1.3 These resolutions were designed to advance national cybersecurity regulations and increase the national resilience in cyberspace in the State of Israel.
1.4 As a result of the Government Resolution, professional cybersecurity guidance and direction to the Israeli economy were incorporated into the governmental regulatory framework. This means that defense against cyber attacks that pose a threat to the environment, to public health or to human lives would be carried out through regulatory tools (such as toxins permits issued pursuant to the Hazardous Substances Act).
1.5 The Industrial Cyber Defense department was formed in the Emergency and Cybersecurity Division of the Ministry of Environmental Protection and was tasked with prescribing instructions relating to defense against cyber attacks that pose a threat to the environment, to public health or to human lives. The department operates under the professional guidance of the National Cyber Directorate.
1.6 The Industrial Cybersecurity department engages in cybersecurity guidance, supervision, and enforcement with businesses holding hazardous substances. The department’s role is to define the sectorial policy and regulatory requirements, provide ongoing professional assistance, and respond to professional queries according to the characteristics of the businesses it supervises.
1.7 This manual presents the unique methodology that the department developed for conducting risk surveys in plants that hold hazardous substances and are required to obtain a toxins permit from the Ministry of Environmental Protection. The methodology that was developed is based on the National Cyber Directorate’s Cyber Defense Methodology for Organizations and was adapted for the hazardous substances industry. The methodology development process included consultations with leading professionals in the fields of cybersecurity, control systems, and hazardous substances, as well as cooperation with the Manufacturers’ Association throughout the entire process.
1.8 This document is version 1.3 and constitutes a binding version. Earlier versions were published for public comments and, after meticulous examination of these comments, some of them were incorporated into this version. Updates to the methodology were also made according to insights gleaned from risk surveys conducted at businesses and according to consultations with various companies and businesses that hold hazardous substances.
1. Introduction
1.9 The instructions in this manual were designed to help companies implement the conditions stipulated in their toxins permits and include instructions with regard to mapping and assessing risks and implementing the requisite protections.
1.10 Notwithstanding the guidelines in this manual, the Commissioner of Hazardous Substances has the authority to issue instructions in toxins permits that differ from the instructions prescribed herein. Individual adjustments or changes will be made in coordination with the District Commissioner of Hazardous Substances and in coordination with the Emergency and Cybersecurity Division of the Ministry of Environmental Protection.
1.11 If multiple risk management requirements apply to a business (risk management in relation to hazardous substances, earthquakes and cyber attacks), then the instructions in this manual will apply, in conformity with the combined risk management conditions. If only cyber risk management conditions apply to a business, then activities should be carried out solely according to this manual.
Gilad Ben Ari, Head Emergency and Cybersecurity Division,
Ministry of Environmental Protection
Ministry of Environmental Protection
Any questions about this manual may be sent to: [email protected]
5 6
2. Definitions
Term Definition
Physical security The physical means required to protect: computerized equipment, access to a business’s information, and the survivability of computerized systems containing databases and computerized industrial components.
Threat Potential hacker who is likely to deliberately or randomly compromise a business’s hazardous processes/computerized systems.
Hazardous substances event
Uncontrolled incident or accident involving a hazardous substance that causes or is likely to cause a risk to the public and to the environment, including spills, leaks, dispersions, explosions, evaporation or fire.
Major hazardous substances event
An event that causes or could cause major harm to the public or to the environment. In this regard, harm includes leaks of toxic, flammable or explosive substances in the public space, explosions or fire resulting from the presence of a hazardous substance or irreversible harm to the environment.
Cyber incident/ industrial cyber incident
An incident that could potentially lead to the possible compromise of computerized systems, resulting from a deliberate or accidental act, and which could cause a major hazardous substances event.
Controls The means that businesses must implement in order to protect themselves from cyber incidents.
Compensating control Control designed to compensate for an inability to implement the recommended control and that provides an adequate solution to the problem of the existing cybersecurity gap.
Identification Process that provides authenticated identification of a person or computer using unique information about a person or computer or about a physically-identifying element or feature.
Strong authentication (MFA)
Identification method based on a combination of at least two of the following authentication characteristics: Something that a user knows, like a password. Something that a user has, such as a physical element, like a token or a single-use password generator or a smart card. A user’s biological characteristic, such as a fingerprint or retinal pattern.
The Directorate The National Cyber Directorate.
5 6
Term Definition
The National CERT Center to help contend with cyber threats. The National CERT strives to improve defensive resilience in cyberspace, helps contain cyber threats and cyber incidents, collects and shares relevant information with all economic entities, and constitutes a hub between security entities and economic entities.
Worst-case scenario (WCS)
Scenario in which the largest amount possible of a hazardous substance is released from a container or facility, or a process failure results in a hazard zone with the greatest distance to the endpoint.
Data availability Verification that authorized users have access to information and to associated hazardous processes as needed, on an ongoing basis and without interference.
Cyber risk level calculation
The cyber risk level calculation is based on the weighting of the expected magnitude of the damage (Impact – I), considering the probability that damage will occur (Level of exposure – P) according to the following formula: Risk = P + I*3 (the risk is equal to the Probability + the Impact multiplied by three).
Information Data about and/or relating to the activity, operation or functioning of computerized systems in businesses. This data is located in: computerized, magnetic or electronic storage means or physical information platforms. It may also be transmitted orally.
Commissioner As defined in the Hazardous Substances Act of 1993.
Cybersecurity officer The person responsible for implementing and fulfilling the additional cyber risk mitigation requirements in the business, which are specified in this document.
National cyber laboratory
7 8
Term Definition
General term encompassing several types of control systems used in industrial manufacturing. The systems can be comprised of the following components: Intelligent electronic devices – IEDs (sensors, actuators, and other electronic devices) Remote terminal units – RTUs Programmable logic controllers – PLCs Wide area network communication – WAN Supervisory control and data acquisition – SCADA Distributed control systems – DCSs Human-machine interfaces – HMIs
Sensitive location As defined in the Criminal Procedure Order – Finable Offenses – Maintaining Cleanliness (2000): national park, nature reserve, memorial site, archeological site, forest, sea, coastline, water source (as defined in Section 2 of the Water Act of 1959) or any location in proximity to a water source.
Computer resources Databases, files, systems, programs or other means, the entry into which enables access to information and to computerized systems in the business’s possession.
H risk statements The hazardous properties of a substance: physical properties, risk to public health or to the environment.
Cyber attack Aggressive action of penetrating the cyberspace of the target and endangering a process, including systems, infrastructures, and services supported by them.
Combined risk management
Confidential information
Information that the owner has determined must not be disclosed to anyone without authorization.
Classification Index defining the sensitivity level of information and supporting systems.
7 8
Term Definition
Cyberspace Metaphoric space of computer systems and computer networks in which electronic data are stored and in which interactive, online communications take place, irrespective of the geographic location of the users.
Low-voltage network Designated TCP/IP-based communications network intended to defend and supervise the security of the facility. The system can be comprised of the following components:
IP security cameras and thermal cameras (fixed/LPR/PTZ) VMS and analytic systems Intrusion detection systems Entry control systems Smart fence system Radar systems Command and control systems Industrial Internet of Things – IIoT
Process Industrial activity involving a hazardous substance, including storage, mixing, and production, and which is connected to computerized systems.
Hazardous process One of the following: a. Process in a business that involves a quantity of a hazardous substance that
exceeds 2% of the lower threshold value for that substance, which is listed in Appendix K to this manual.
b. Process located in close proximity to a hazardous process, as defined in section A, when an incident in that process is likely to cause a major hazardous substances event in the dangerous process, as defined in section A (“domino effect”).
Computerized industrial process
Defense methodology The National Cyber Directorate’s Cyber Defense Methodology for Organizations1
NIST CSF National Institute of Standards and Technology – Cyber Security Framework
1 National Cyber Directorate, “Cyber Defense Methodology for Organizations.”
To provide assistance and guidance to businesses whose toxins permits stipulate additional cybersecurity conditions, regarding ways to implement the conditions, and to define work stages in the implementation of cyber regulations for owners/employees responsible for compliance with the business’s toxins permit.
This manual was designed to provide instructions and tools for reducing any potential to harm public health and the environment, as well as for mitigating, to the extent possible, the risk that a cyber incident or other type of sabotage that could trigger a hazardous substances event might occur in technological processes or in computerized systems that manage/control hazardous substances.
This manual defines requirements and directives on conducting cyber risk surveys on computerized systems that manage/control hazardous substances. The process is based on the principles of the National Cyber Directorate’s Defense Methodology (version 1.0), which largely relies on the U.S. National Institute of Standards and Framework’s Cyber Security Framework (NIST CSF), with regard to cybersecurity for computerized control systems in industry, while adapting it for industrial applications in general and the hazardous substances industry in particular.
Please note: In the event of a contradiction or inconsistency between these instructions and other documents, including the National Cyber Directorate’s Defense Methodology and the NIST CSF, the instructions in this manual take precedence.
3. Purpose of this manual
2 https://www.nist.gov/cyberframework
9 10
4. Background – cybersecurity in the hazardous substances industry
4.1 A cyber incident causing a failure in computerized systems that control/manage the manufacturing, transport, and storage of hazardous substances could trigger a hazardous substances event that results in harm to public health and to the environment.
4.2 The following are several examples of hazardous substances events that could be triggered by a cyber incident:
Gas emissions endangering the public Explosion of hazardous substances Ignition of hazardous substances in three states of matter Spill of a hazardous liquid, without fire Dispersion of a hazardous solid, without fire Industrial spill into a flowing water source/into the drainage system Industrial spill onto open land Industrial spill into the sewage system (water reservoirs/treated waste water).
4.3 Sharing information between organizations and reporting events to the Industrial Cybersecurity department of the Ministry of Environmental Protection, including to the National CERT, will promote early detection of potential cyber incidents. Holders of toxins permits can identify any potential for attacks during any of the preliminary stages and mitigate the potential risk of damage being caused.
4.4 Once a cyber incident has ended, the business is required to prepare a cyber incident report according to Appendix I to this manual. If a hazardous substances event was caused as a result of a cyber incident, the report must include the incident investigation as defined in the general conditions of the toxins permit.
11 12
5.1.1 Cybersecurity officer appointment letter
5.1.1.1 Within 60 days of the receipt of the cybersecurity conditions in the toxins permit, the toxins permit holder must appoint an employee who will be responsible for implementing and fulfilling these additional cyber-risk-mitigation conditions and who must forward Appendix E (“Letter of appointment of a company cybersecurity officer”) to the district commissioner. This employee is to be called a “cybersecurity officer” (hereinafter: “cybersecurity officer”). The cybersecurity officer will perform his/her role concurrent with his/her primary role, or may be appointed specifically to carry out this role, at the discretion of the toxins permit holder.
5.1.1.2 The cybersecurity officer’s role is to be the liaison officer to the Industrial Cybersecurity Department in the Ministry of Environmental Protection, in relation to all matters pertaining to cybersecurity activities in the business.
5.1.1.3 The toxins permit holder must appoint an alternate to stand in whenever the cybersecurity officer is absent.
5.1.2 Policy document
5.1.2.1 Businesses must draw up an IT and cybersecurity policy document that defines the security objectives, managerial processes, means to realize them, security implementation principles, commitment of the company management to a process of increasing the business’s cyber resilience – including the allocation and budgeting of resources, and the drafting of work procedures - including a cyber incident management procedure. Businesses must present their policy documents to the commissioner upon request.
5.2 Stages of the process
5.2.1 Mapping
5.2.1.1 Mapping of the hazardous substances – All hazardous substances held in the business must be mapped according to the table of hazardous substances in Appendix K to this manual and to the instructions set out in the appendix. The quantity of every hazardous substance that has been approved for holding in the toxins permit must be used to calculate and ascertain compliance with the requirements thresholds for imposition of the regulation, as specified in Appendix K to this manual.
5.2.1.2 Mapping of substances relating to a hazardous process – Of the substances mapped according to clause 5.2.1.1, only those substances involved in a hazardous process, as defined in this manual, are to be taken into account.
5.Explanation of the process
11 12
5.2.1.3 Mapping of substances managed/controlled by computerized systems – With regard to the substances defined in clause 5.2.1.2, businesses must map those substances that are managed/controlled by computerized systems and complete Appendix F to this manual (“Initial mapping of a hazardous process that is managed/controlled by a computerized system”).
5.2.2 Conducting a risk survey and assimilating controls
5.2.2.1 Conducting a cyber risk survey – The level of cyber risk is calculated by weighting the probability and the impact according to the instructions in this manual. The set of controls that must be implemented must be determined depending upon the results of the risk survey.
5.2.2.2 Performing a gap analysis – Businesses must compare the existing controls in their companies against the controls that they are required to implement, according to the results obtained in the risk survey stage.
5.2.2.3 Building a work plan – Businesses must build work plans to close the gaps.
5.2.2.4 Implementing the controls according to the work plan – Businesses must implement the controls required according to the conclusions of their risk surveys and according to their work plans. If, for any reason, the controls cannot be implemented as specified in the list of controls, compensating controls may be selected that will provide a solution for the gap, after consulting with the Ministry of Environmental Protection’s Industrial Cybersecurity Department.
5.2.2.5 Ongoing supervision and monitoring – Businesses must monitor and supervise all stages of the process on an ongoing basis, as described in this clause.
5.3 Stages in the mapping of hazardous substances for a cyber risk survey
Mapping of hazardous substances according to Appendix K
Mapping of hazardous substances relating to a hazardous process
Mapping of substances managed / controlled by a computerized system
1.
3.
2.
1. Map
hazardous substances
and processes
5.5 Timetable for implementing the directives
5.5.1 Immediately upon the imposition of cybersecurity conditions in the toxins permit, implementation of stages 1 through 3 (inclusive) – 12 months.
5.5.2 Immediately upon completing the first three stages, implementation of stages 4 through 6 (inclusive) – 24 months.
The entire process, including mapping, risk survey, and implementation of the requisite controls – 36 months.
5.5.3 After implementing the controls, a 6-month interval will be granted for the purpose of performing needed supplementary actions, to the extent required.
5.5.4 The work process is cyclical and is repeated every 42 months after the start date of the process.
13 14
5.6 Repetition of the work process
The work process must be repeated in each of the following instances:
5.6.1 Every 42 months (3.5 years): After completing the process and the period for performing supplementary actions over a period of 42 months, another cycle must begin.
5.6.2 Whenever a new computerized system is added that manages/controls hazardous substances.
5.6.3 Whenever any new hazardous substance is added.
5.6.4 Whenever a change is made in an existing computerized system that manages/controls hazardous substances, including any addition, removal or change of computerized components in an existing computerized system managing hazardous substances.
5.7 Performance timetable:
15 16
6.1 Cybersecurity activities should be an integral part of a business’s organizational culture, and should be based on the commitments of the toxins permit holders and of the company’s management to implement the requirements of this manual.
6.2 The most important step in following the instructions of this manual is the meticulous planning of all stages of the work plan – coupled with the allocation of the resources needed to implement it – according to the defined timetables.
7.1 Upon completing the survey, Appendix G to this manual must be completed and forwarded to the commissioner. This includes a declaration by the toxins permit holder regarding the performance of the cyber risk assessment in the business, and a table specifying the name of the system, data on the probability and the impact as obtained, a calculation of the risk profile, and the set of controls for implementation according to a heat map.
7.2 Upon completing the survey, a written gap analysis must be performed. This document is to be kept at the plant but does not have to be submitted to the commissioner, except upon request.
7.3 After completing the gap analysis, a work plan must be drafted for assimilating the controls. This plan is to be kept at the plant but does not have to be submitted to the commissioner, except upon request.
7.4 Upon completing the implementation of the work plan and the assimilation of the controls, the declaration in Appendix H to this manual must be completed and forwarded to the commissioner. This includes the table that specifies the name of each of the mapped systems, the set of controls allocated for the assessed risk, the list of assimilated controls, and comments.
6. Work planning
7. Required deliverables
15 16
8.1 In this manual, “cyber risk assessment” refers to every activity in the OT (operation technology) network, including on the production floor, in which computerized systems that manage/control hazardous substances are operating.
It is important to note that risks deriving from a cyber incident in the plant’s computerized information systems that are not located on the production floor, including those found in the IT (information technology) systems, such as the email systems, Internet access, sensitive business information, highly classified information, etc., are not addressed within the framework of the Ministry of Environmental Protection’s cybersecurity regulations, as specified in this manual. However, they should be dealt with as an attack vector to the OT network that contains computer systems managing/controlling hazardous substances.
8.2 The cyber risk assessment should also relate to a cyber attack on safety systems, defense systems, and supporting systems located on the production floor, such as a cyber attacks on controller safety systems, on detectors, on camera systems, etc.
8.3 The risk assessment should relate to any exposure of information about the plant’s computerized processes that handle hazardous substances, including the system architecture and its defense systems: information about the type of controllers, the model, the hardening version, the software version, etc.
8.4 The risk assessment should relate to any compromising of system reliability – damage to the normal functioning of a device or a system according to their specifications and according to their design process. For example: a cyber attack that alters the information flow of the process and thereby disrupts the process.
8.5 The risk assessment should relate to any disruption of the availability of system components: disruption of the availability of a human-machine interface (HMI), of a controller or of field components (taps, regulators, etc.). For example: a cyber attack on computerized control systems that causes loss of control over a controller, a sensor or any field component. In such instances, the process is likely to become uncontrolled and trigger a hazardous substances event.
8.6 If a business opts to receive assistance in performing a cyber risk survey or any other cyber-related activity through external advisory services, the advisor must meet the requirements set out in Appendix D to this manual.
8. Cyber risk assessment
17 18
9.1 Risk management is based on a risk assessment that reflects the degree of vulnerability of computerized systems and on an assessment of the threats, the probability of their materialization, and their potential repercussions.
9.2 The risk assessment must be performed according to the principles in the most recently published version of this manual. This manual is based on the National Cyber Directorate’s Defense Methodology, with specific adjustments for the hazardous substances industry and for industrial control systems. The possible scenarios should be analyzed from the perspective of an attacker, since a human will always be behind any attack. The path to an optimal cybersecurity solution requires thoroughly understanding attackers’ operating methods, identifying them, and preventing them.
9.3 The assumption is that during a malicious cyber attack, most of the hazardous substance will be released through a component that contains the largest quantity in the hazardous process that is connected to the computerized system3 (as opposed to a release due to a malfunction or accident). Therefore, the dispersion of the hazardous substance should be calculated accordingly.
9.4 The risks are based on threats that are relevant to the components of any system, according to the risk analysis performed in the business.
9.5 Risk assessment – calculating the impact (I). A risk assessment begins by assessing the impact that is likely to be caused to the environment or to public health if a hazardous substances event occurs as a result of a cyber attack. The impact will be assessed on a scale of 1 to 4, applying the method presented in the table in Appendix A to this manual. Please note: The score is assigned at this stage according to an assessment of the maximum damage.
9.6 Risk assessment – calculating the level of exposure or probability (P). After calculating the expected impact of a hazardous substances event caused by a cyber attack on the business, the level of exposure or the probability of a cyber incident in systems managing/controlling hazardous substances must be calculated. This calculation is entered into the table in Appendix B to this manual.
9. Calculating the level of cyber risks
3 To be taken from the WCS – Worst-Case Scenario.
17 18
9.7 Calculation of the risk assessment and classification of the business’s systems
The risk assessment is based on a weighting of the expected impact, considering the probability that damage will occur, according to the following formula:
(Risk equals Probability + the Impact multiplied by 3)
(I) = the expected impact relative to the worst-case scenario (WCS) (value to be obtained according to Appendix A to this manual).
(P) = the probability that the damage will occur (average obtained from the calculation according to Appendix B to this manual).
The above formula for calculating the risk level will produce a score of 4 to 16.
Each of the computerized systems in the business that manages/controls hazardous substances as defined in this manual must be classified under one of four levels according to its risk assessment, as specified below:
Level 1: low risk potential (score of between 4 to 7); Level 2: moderate risk potential (score of between 8 to 11); Level 3: high risk potential (score of between 12 to 14); Level 4: very high-risk potential (score of between 15 to 16).
Risk = P+I*3
19 20
9.8 The heat map lists the risk levels as a function of impact and probability:
9.9 Number of controls for assimilation at each risk level (as appears in Appendix C to this manual). Please note that every level of control includes the controls from the level below it; for example, level 4 controllers include all possible controls from levels 1, 2, 3, and 4.
(I) Impact
(P) Probability
Risk potential Set of controls according to the risk potential
Number of controls for this set
7-4 1 41
11-8 2 59
14-12 3 81
16-15 4 92
10.1 After calculating the level of risk in the process, the business will know which set of controls4 to implement according to the following key:
Level of risk at values of between 4 – 7 (inclusive): control set 1. Level of risk at values of between 8 – 11 (inclusive): control set from level 2 (which includes
controls from level 1 and controls from level 2). Level of risk at values of between 12 – 14 (inclusive): control set from level 3 (which includes
controls from level 1, controls from level 2, and controls from level 3). Level of risk at values of between 15 – 16 (inclusive): control set from level 4 (which includes
controls from level 1, controls from level 2, controls from level 3, and controls from level 4).
4 According to the list of controls in Appendix C to this manual.
10. Determining the controls that must be implemented
19 20
11.1 Using the list of security controls specified in Appendix C to this manual, the business must examine what
it is implementing at the time the risk survey was conducted in relation to each of the examined systems,
and what it needs to implement according to the results of the risk survey.
11.2 The outcome of the process described in the previous clause will be a list of gaps (gap analysis) in “needed
versus what exists” that the business must compile.
11.3 The business must be diligent about performing an individual analysis of every computerized system that
manages/controls hazardous substances and according to the mapping of its hazardous processes as
described in clause 5.2.1.
11.4 The list of gaps obtained constitutes the foundation for building the business’s work plan.
12.1 The toxins permit holder/business’s cybersecurity officer is responsible for formulating a plan for
implementing the work plan to implement the requisite controls. This plan must specify which employees
are involved, timetables, and handling methods. The business owner must allocate the necessary resources,
including the budget, manpower, and time needed to implement the requisite controls.
12.2 The priorities for implementing the controls that the business lacks will be determined in the work plan by
weighting the risk level of the hazardous process, the cost, and complexity of the solution for implementing
the controls, and the speed with which the controls are implemented.
12.3 The business must decide its own priorities in implementing the controls, as long as the business complies
with the timetable specified in this manual.
11. Gap analysis – comparing the current situation to the controls required and mapping of the gaps
12. Building a work plan based on the mapping of the gaps
21 22
Appendix A – Table used to calculate the impact (I) of a business holding hazardous substances
In this table, answer all four questions in the “question” column by assigning a score of 1 to 4. After assigning
scores to all of the questions, the impact will be the highest value entered in the “score” column.
Question 1 2 3 4 Score (4-1)
The impact is assessed using one or more of the following criteria:5 S
(Safety) Public health:
2. Environ- ment: no impact on the environment.
Public health:
1. No impact on the public receptor.
2. Environ- ment: potential for a hazardous substances event that could have an impact on the environment.
Public health:
1. Potential impact on the public receptor at the PAC 2 level.
2. Potential for a UVCE: maximum pressure for a public receptor of 0.1 bars.
3. Potential for a BLEVE – 1.6 kw/m2 for 60 consecutive seconds (or radiation of parallel intensity for a shorter time)
Public health:
1. Potential impact on the public receptor at the PAC 3 level.
2. Potential for a UVCE: maximum pressure for a public receptor of 0.28 bars.
3. Potential for a BLEVE – 5 kw/m2 for 60 consecutive seconds (or radiation of parallel intensity for a shorter time)
S (Safety)
What impact on public health or on the environment could there be as a result of any compromising of the safety of the system owned by the business?
C (Confidentiality)
C (Confidentiality)
What impact on public health or on the environment could be caused as a result of exposure of information about a computerized system managing /controlling hazardous substances owned by the business?
I (Integrity)
I (Integrity)
What impact on public health or on the environment could be caused as a result of corruption of the information in the industrial component or disruption of the process in which the industrial component is an integral part?
A (Availability)
A (Availability)
What impact on public health or on the environment could be caused as a result of a shutdown of the industrial component or of a computerized process?
13. Appendices
5 The data are taken from the director general’s circular – Policy of separation distances in fixed sources of risk – revised version (in Hebrew)
21 22
Examined parameter 1 2 3 4 Score (4-1)
1. Number of employees with access to HMIs that manage or control hazardous substances
Up to 5 6 - 10 11- 50 More than 50
2. Number of employees with access to controllers that manage/control a hazardous substances system
Up to 10 11- 25 26 - 50 More than 50
3. Responsibility for programming HMIs
Only internal employees
Specific external suppliers
Appropriate external suppliers
Only internal employees
Specific external suppliers
Appropriate external suppliers
5. Number of HMI stations in the business
1 2 - 5 6 - 10 More than 10
6. Number of controllers relating to hazardous substances in the business
Up to 5 6 - 10 11 - 50 More than 50
7. Communications between administrative network and an operating network
None – physically disconnected
Yes, using a firewall and a unidirectional diode
Yes, using a firewall only
Yes, without any control means
8. Is Internet access allowed from the ICS (industrial control system) environment?
No. There is a connection, but it is usually disconnected. Operated for remote support purposes
Yes, but with a firewall and content filter or with other security components
Yes
Appendix B – Table used to determine the level of exposure/probability (P) of a cyber incident in a business holding hazardous substances
In this table, answer all 36 questions in the column “examined parameter” by assigning a score of 1 to 4. After grading
all of the questions, calculate the level of exposure (probability) of a cyber incident by adding up all of the scores and
calculating the average for the entire table. The outcome obtained is the probability – P.
Perform the analysis according to this table in relation to every process indicated in the mapping of hazardous processes
and in relation to every computerized system in each of these processes.
23 24
9. Updating of firmware in controllers
Performed regularly and fully
Performed regularly and fully
Only authorized personnel have access
Specific external suppliers have access
Appropriate external suppliers have access
Other parties also have access
12. Physical security for hazardous substances controllers
13. Physical security for field components affecting hazardous substances (taps, regulators, valves, etc.)
14. Number of physical protection and security means in the examined system out of the following 4 means: cameras, alarm system, biometric access, guards
4 3 2 1
15. Number of existing logical security means for HMI systems, such as: communications security, application security, antivirus
3 or more 2 1 None
16. Number of logical security means (communications security, application security, antivirus) for hazardous substances controllers
3 or more 2 1 None
17. Information security awareness campaign for employees on the production floor
Conducted on a regularly scheduled basis
Frequently conducted
Rarely conducted
Examined parameter 1 2 3 4 Score (4-1)
18. Is there an orderly onboarding process for new employees with access to computerized industrial systems?
Yes Partial process Oral instructions only
No
19. Is there an orderly process on employee severance, including deletion of authorizations and user name?
No
20. When an employee transfers from one role to another in the business, is there a process to change his/her access to computerized industrial systems?
No
Up to 3 components are used
4 to 10 components are used
More than 10 components are used
22. Is there a written organizational policy about managing, controlling and protecting the ICS environment?
Yes Partially In a very limited manner
No
Yes Partially In a very limited manner
No
24. Is cellular technology used to connect to HMI stations or to other components of the ICS?
No Yes, with encryption and smart identification
Yes, either unencrypted or non-smart identification
Yes, no encryption and no smart identification
25. Handling of default access authorizations (default user name and password)
We change the default user name and password
We only change the default password
We only change the user name
We leave the default values
26. Is there a wireless network on the production floor?
No Yes, but with strong encryption
Yes, but with weak encryption
Yes, and it is not protected at all
27. Are inventories of components in the plant that could have an impact on a hazardous substances event being recorded and controlled?
Yes, regularly Yes, frequently Yes, but on rare occasions
No, not at all
28. Can HMI systems be remotely accessed?
29. Can ICSs be remotely accessed?
30. Is cloud computing used? No Yes, slightly Yes, considerably
Yes, fully
Yes, regularly Yes, frequently
No, not at all
32. Is there hardware redundancy for critical computerized components that handle hazardous substances?
Yes, fully Yes, for most of the critical components
Yes, for a small portion of the critical components
No redundancy checks
USB port is disabled
USB device is operated with CDR (content disarm and reconstruct) capability
USB device is operated by authorized personnel only
USB device is freely enabled
34. Has a log collection and monitoring system been implemented?
Yes Mostly implemented
No
35. Is the access to HMIs enabled only via a personal user name for each operator?
Only personal user names
Largely personal user names
Largely generic user names
Only generic user names
Smart identification, no biometric
Password subject to policy
Password, no policy
1. Introduction
To mitigate the risk of the materialization of a cyber incident, toxins permits holders are required to implement various cybersecurity controls. These controls include processes, procedures, security systems, technologies, etc.
These controls are grouped by topic: controls to protect servers and terminal stations, user-management controls, monitoring controls, procedures, etc.
2. Details of the list of controls
There are four levels of controls, ranked from 1 to 4. Business owners must perform a risk survey and implement the level of controls required according to the risk profile obtained. If any contradictions or inconsistencies are discovered between the various controls, the highest level of control must be implemented.
27 28
The list of controls is specified in the table below:
Clause Required control Details Recommendations / Comments Level Checks
Number of
Mapping of computerized systems and hazardous substance control systems
1.1 The business owner must map all hazardous substances that are managed by computerized systems
1.2 The business owner must map all computerized systems, network, control, sensing and automation systems in the business and those that: a. relate to storage, use, flow, manufacturing, transport, destruction and detection of deviations and leaks of hazardous substances.
b. are likely to cause or contribute to a malicious hacking of hazardous substances or an improper action with them.
c. relate to the recordkeeping of inventories of hazardous substances and logistics.
1.2 The mapping must include: the list of computers, noting their function and the systems installed in them for the purpose of their function; designated/ integrated HMI/ automation stations, noting model and software version; controllers and detector switchboards, noting model, firmware/ software versions and type of WiFi communications (ethernet, telephone, other); IoT/IIoT components and detectors, noting model, location and type of communication with them; network components (switches, routers, wireless access points, firewall), noting model and their connections to other networks/the Internet.
1.2 b. It is recommended that the business owner consult with hazardous substances professionals to clarify whether a computerized system that does not manage hazardous substances but may catch fire or explode due to a cyber attack (such as a steam boiler with a programmed controller) endangers hazardous substances in its vicinity.
1
1.1 Has mapping of hazardous substances been performed?
1.2 Has mapping of computerized systems and control systems been performed?
2
1
Penetration test
1.6 Penetration testing must be conducted once every two years using an information security specialist, and will include at least: a. testing of the durability of computerized systems and control systems for the hazardous substances to attacks from outside the business.
b. testing of the durability of computerized systems and control systems for the hazardous substances to attacks from the IT network inside the business.
c. testing of the durability of computerized systems and control systems for the hazardous substances to an attacker with physical access to operating stations and to communications cabinets and the controllers.
4
Number of
Basic access control
4.1 The computerized stations must be protected by personal user names and passwords, and must automatically lock after 10 minutes of nonuse or at the discretion of the business, but not more than 30 minutes.
4.2 Users of the computerized systems must be separated by at least two levels of authorizations with regard to the operating system – “user” (minimum authorizations to operate systems will be enforced on them depending upon their role; minimum access to files and resources in the network; inability to install software) and “administrator” having broader authorizations at the discretion of the business.
4.3 For operating stations (designated/ integrated HMI/ automation workstations), application access authorizations must be defined for authorized users. The authorizations will be for viewing, for operating defined processes, and for performing changes in systems and in processes.
4.4 Officers must be appointed with authorization to make changes in definitions and perform maintenance operations on controllers, sensors, and SCADA components. Employees who are authorized to do this remotely (through an application, network connection, telephony, etc.) must be listed by name.
4.5 Officers must be appointed with authorization to make changes and definitions in the business’s networks.
4.6 For every HMI station, workstation, and computer that uses controller software, the configuration of the required software must be defined, and a ban must be imposed on installing other software.
The access control policy is designed to ensure that only authorized personnel can access, view, and make changes in computerized systems and control systems for hazardous substances, solely according to their job definitions and subject to supervision.
1
4.4-5 Present the list of officers.
4.6 Perform random inspection of software installed in stations.
6
Number of
Advanced access control
4.7 The list of users with access authorizations to computerized systems and control systems for hazardous substances must be reviewed at least quarterly and updated if changes have occurred in the personnel and in authorized officers in the business.
4.8 A user’s connection to a system must be blocked after 5 failed connection attempts, by disabling any possibility of connecting for a defined timeframe or until released by the system administrator.
4.9. A policy must be drawn up and enforced regarding remote connection to the operating network, defining the restrictions on remote connection to computerized systems and automation systems for hazardous substances. Every remote connection must be encrypted end-to-end and requires strong personal identification (2FA).
4.10 Access to computerized systems and control systems for hazardous substances from the business’s wireless networks must be banned and blocked, and only be enabled from the business’s computers that are cable-connected to the network.
4.11 An appropriate passwords policy must be drawn up and enforced, including requirements for the length and complexity of the password and an expiration date.
4.12 A policy must be drawn up for authorizing laptops used for local configuration of controllers and automation systems.
4.13 Critical changes in HMI stations, such as a change in pressures, temperatures and flow, must trigger a popup window demanding additional identification. No critical changes may be made according to an instruction issued via email/text message/ telephone call/video call.
4.11 We recommend at least 8 characters, at a complexity of 3 out of 4 (capital letters, lower-case letters, numbers and special characters).
4.12 For example: a laptop without connection to the Internet that never leaves the business’s premises and is used solely to program the controller; or a laptop of a recognized external technician that has been scanned for malware.
4.13 Attackers are capable of forging emails and text messages, of impersonating someone else via telephone and even during a video call.
4.10 This can be implemented using a unidirectional connection system to electrical signals directly from the sensors and actuators (level 0) using a configuration that is completely severed from the enterprise network and is not affected by it.
4.13 A compensating control may be used at the business’s discretion to trigger a popup window demanding additional identification. The compensating control must ensure that no unauthorized party can make any significant change that could trigger a hazardous substances event.
2
4.8 Perform a test on a random station.
4.9 Demonstrate the mode of remote connection.
4.10 Perform a test using a computer that is connected to a wireless network.
4.11 Demonstrate a password change.
4.12 Present the policy.
7
Number of
Strict access control
4.14 The remote connection policy must be limited solely to users who identify themselves with a strong 2FA and whose computers have been inspected and identified as safe (scanned and free of malicious code, with information security updates in the operating system and updated antivirus software).
4.15 Any user who tries to perform a prohibited operation (inserting a DOK, installing software) must be immediately locked out and an alert must be issued to the system administrator.
4.16 Any user with high authorizations (computerization administrator, ability to alter a configuration in the production systems) must be required to use strong authentication (MFA) and must be restricted (if the system allows this) to operating on a single workstation or a single remote connection at a time.
4.17 Any possibility of a direct takeover of computerized hazardous substance systems that operate in Internet mode (remote desktop, TeamViewer, Remote Assist, AnyDesk, etc.) must be prohibited and completely blocked.
4.18 Direct access to hardware components (controllers, sensors, etc.) from outside the business must be prohibited and blocked.
4.19 All activity performed remotely must be monitored and documented.
4.20 Any creation, alteration, enabling, locking, and removal of an account must be documented in an automatic log record.
4.16 A compensating control will be allowed as long as it meets the security requirements.
4.17 A suitable compensating control will be allowed as long as it prevents any possibility of access by an unauthorized party to the computerized systems managing/ controlling hazardous substances.
3
4.14 Demonstrate the process.
4.17 Test the definitions in computers and in the network (FW/switch).
4.20 Examine the logging mechanism and recent logs.
7
4
Maximum access control
4.21 Computers that came from outside of the company or that left the premises must not be allowed to access computerized and automated systems managing hazardous substances.
4.22 Remote connection to the operating system must not be allowed, apart from viewing only (to view status) through a secure unidirectional connection.
4.23 Conditions for blocking the use of accounts must be defined and enforced according to the business’s operating hours and according to the work schedules of the various types of employees.
4.21 Such as by technicians’ laptops, SCADA applications for smart phones on the employees’ devices. Examples of entry blocking conditions: weekends, nights.
4.22 This can be implemented using a unidirectional connection system to electrical signals directly from the sensors and actuators (level 0) using a configuration that is completely severed from the enterprise network and is not affected by it.
4
4.22 Present the mode of use.
3
Number of
Hardening of workstations, HMI stations and servers
6.1 The system must be configured so that it provides the minimum required functionality (while removing applications, blocking functions, ports, and protocols that are not required) based on accepted practices, so that they will include, at the very least: a. blocking of any unnecessary ports;
b. removing applications, operating system software, and unnecessary services;
c. removal of guest/default and local administrator accounts;
d. secure mechanism for receiving operating system updates;
e. disabling connections of storage devices and media;
f. blocking the installation of software and hardware by unauthorized users.
6.1 d. Such as WSUS or updates that are brought manually on media.
6.1 e. Such as DOKs, CDs/DVDs, cellular devices, cameras, etc.
6.1 Configurations may be based on accepted practices, such as NIST, publications by the national CERT, etc., or on the services of an expert who will prepare hardening procedures according to the relevant technology.
1
6.1 Present the mode of hardening performed for every type of computerized system.
1
7
Basic prevention of malicious code
7.1 Tools must be assimilated to identify and prevent malicious code on workstations and servers in the business. These tools will be operated using an alert/active protection format (at the business’s discretion) and periodic scans must be performed.
7.2 The business must define procedures for cleaning stations, networks or servers infected with malicious code.
7.3 A mechanism must be defined for receiving/transferring updates to tools (referred to in clause 7.1) at least on a biweekly basis.
7.1 Since some malware may be able to penetrate the security mechanisms, businesses must make sure that controls for handling malicious code are implemented in all servers and workstations.
7.3 Similar to operating system updates, an updating solution for the tool must be presented.
7.1 Any tool for identifying and preventing hostile code from a recognized manufacturer may be used (such as antivirus).
1
7.2 Present the procedures.
3
Number of
Advanced prevention of malicious code
7.4 Tools to detect and block malware must be assimilated at the network level.
7.5 The business must operate an IDS/ IPS that identifies behavior that deviates from what is acceptable and reasonable (detecting anomalies in the network and in user/station behaviors).
7.6 The business must manage all malicious code prevention and information security tools in the business through a central SIEM control solution.
7.4 This requirement may be met by using a firewall with a content filter and by using network IDSs.
7.5 Another compensating control may be used that will provide a solution for this requirement.
7.5 This may be implemented by assimilating a system to detect process anomalies in the electrical signals environment.
7.5 The IDS component in the IPS may be operated alone, provided that there is a human response to replace the automatic blocking response, who will exercise judgment and decide what to block.
3
3
Number of
Basic network security
9.1 The business must document the description of the networks serving the computerized and automated systems for hazardous substances, the separations, the restrictions, and the protections to be implemented in them.
9.2 The access to networks serving the computerized and automated systems for hazardous substances from other networks in the business (IT, WiFi) must be restricted through authorization management.
9.3 Mechanisms must be implemented to prevent unauthorized connection to networks serving the computerized and automated systems for hazardous substances.
9.4 The networks serving the computerized and automated systems for hazardous substances must be disconnected from the Internet, apart from the possibility of an encrypted designated connection (VPN).
9.5 Bridging between various networks used for command and control over equipment through the use of cables and various connectors, such as serial connections (RS-232 and the like), must be prevented. Computers used for on- site definitions of equipment must be disconnected from the Internet.
9.6 There must be verification that all unique and complex administrator passwords to all network components (switches, routers, firewalls, access points) have been changed from the manufacturer’s default password and are known only to officers who are authorized to make changes in definitions of the network.
9.3 The business must verify that all unused ports in switches are disabled and are only enabled by manual definition or by NAC mechanisms.
It is recommended to separate networks physically or through the use of firewalls.
1
9.2-6 Present the implemented restrictions.
6
Number of
Advanced network security
9.7 Disable or remove any hardware components that support or enable wireless connection.
9.8 Direct access to hardware components from outside the local network must be prevented. Access from outside the local network must be limited solely to administrator stations requiring identification.
9.9 Communications filters must be implemented at an individual level in networks serving the computerized and automated systems for hazardous substances. The permitted ports and communications routers must be precisely defined.
9.10 Periodic network monitoring scans must be performed. These scans listen to communications in the computerized and automated networks for hazardous substances, in order to: identify all elements participating in the communications and the types of communications that they initiate and receive; remove unidentified elements; analyze anomalies in communications; and correct the separation mechanisms accordingly. These scans must be performed at least once every 18 months.
3
9.10 Present the results of the last scan.
4
9
Maximum network security
9.11 The networks serving the computerized and automated systems for hazardous substances must be closed, cabled, and completely separated (separate switches and cables) from the business’s other networks.
9.12 The only outgoing connection that will be allowed will be for unidirectional sending of control data/statuses/logs to another network, using a solution approved for unidirectional information transmissions.
9.13 Mechanisms must be implemented in the networks that filter any communication not corresponding to the structure of the protocol/the expected information.
4
9.13 Present the filtering solution. 3
35 36
Number of
section
10
Separation of the environment of the computerized and automated systems in the operating network containing hazardous substances
10.1 An approval process must be drawn up for the transmission of data, scripts and software received from another environment inside the business or from outside it to this environment.
10.2 Software and firmware updates must be performed directly from the equipment or software manufacturer in an authenticated manner.
10.3 The introduction of scripts or configurations into manufacturing automation/HMIs or configurations of controllers from unknown or unverified sources must be prohibited.
10.2 Verify the software and firmware using checksum or by receiving media directly from the manufacturer’s representative.
1
10.1-3 Present the processes for transmitting and authenticating software and firmware updates.
3
11
Use of public cloud resources for computerized and automated systems in the operating network containing hazardous substances
11.1 A limited number of officers with access to the cloud service’s administrator interface must be defined.
11.2 The connection to the cloud service’s administrator interface must be secured with strong authentication (MFA).
11.3 The business must verify that the servers/machines that are operated in the cloud also comply with all of the requirements corresponding to the requisite level of control dictated by the risk potential (including hardening, restriction of communications, tools to prevent malicious code, use of minimum user authorizations, etc.).
11. All of the controls in this document are also valid for the use of public cloud computing.
Any business uploading data to a cloud must ensure a clear division of responsibilities for securing the information between the cloud provider and the client.
1
11.1-2 Present the officers and the mode of identification.
11.3 Present the types of machines in use and the implemented protections. 3
11
Unidirectional connection
11.4 Computerized systems and control systems for hazardous substances must be restricted to exporting data to a cloud via unidirectional connection, using an approved solution for unidirectional transmission of information.
11.4 This can be implemented using a unidirectional connection system to electrical signals directly from the sensors and actuators (level 0) using a configuration that is completely severed from the company network and is not affected by it.
4
1
Number of
12.1 Company officers must be appointed with authorization to access controllers (for on-site maintenance) and administrator stations/HMI stations, and procedures must be drawn up for making changes in configuration, identifying and contending with controller failures (required authorizations, supervision, order for shutting down/operating systems).
12.2 Firmware updates, changes in configuration, etc., must be examined in advance in a laboratory environment before transferring them to the production environment.
12. The goal is to prevent an incident involving hazardous substances due to human error, a controller failure or an erroneous change in configuration.
1
2
12
Configuration and backup monitoring
12.3 The business must keep a record of the controllers relating to hazardous substances, which will include at least: manufacturer, model, firmware version, configuration version, location of the configuration file for backup, location of the firmware version for backup.
12.4 Firmware and configurations of controllers, scripts, image configurations, workstations, HMIs and manufacturing processes must be backed up in a secure/separate system that is physically remote (by at least 50 kilometers) from the site where the backup was performed.
12.5 The business must be capable of restoring a controller from backup or of restoring a workstation/HMI station within one workday of the identification of a malfunction or anomalous operation. Alternatively, the controlled process will be shut down until the restoration has been completed.
12.6 The business must maintain continuous contact with the manufacturers of the controllers and systems in its possession and must obtain updates about information security issues and updated software and firmware versions.
12.5 This capability may be independent or through outsourcing.
12.4 It is also advisable to keep copies on detachable media (disc, DOK) that will be kept on site.
2
4
Number of
Advanced security
12.7 Hardening of the controllers must be performed according to the manufacturer’s instructions and all of the controller’s information security capabilities relating to identification, to limiting and protecting communications with it and to preventing unwanted changes, must be used. The hardening must be tested in a laboratory environment before transfer to the production environment.
12.8 The business must verify that every controller has a unique, complex administrator password and that the manufacturer’s default password is not being used. The password must be known only to officers who are authorized to make changes in controllers.
12.9 The access to workstations/ HMI stations must require strong authentication (MFA).
12.10 The operating system of a workstation/HMI station that is not in use must be locked after 10 minutes, or at the discretion of the operator, but not longer than 30 minutes, apart from stations defined as for viewing purposes only.
12.11 Any attempt to make a significant change in a process, such as changing pressure thresholds, temperatures, flows or reactions must require the entering of an additional password or strong authentication (MFA) before any change is executed.
12.7 Different manufacturers have different hardening instructions depending upon the equipment’s capabilities, including closing ports, discontinuing the support of unencrypted protocols, requiring identification prior to making any configuration change, capability of automatic restoration of an earlier configuration, etc.
3
12.11 Present the implementation of the required authentication method.
5
12
Maximum security
12.12 The computerized systems must be obligated to run on an up-to-date supported operating system that receives continuous security updates.
12.13 Any change in a process must require authorization from a senior manager via strong authentication (MFA).
12.14 The controllers must be separated into different networks according to their functions/the process in which they are participating. Workstations/HMI stations must be connected to a network that is separated from the controllers. Communications between the networks must be managed using a firewall.
12.12 Versions supported by Windows, Linux, etc.
12.14 Alternative controllers may be used as a test before uploading to production or on production controllers during production system downtimes.
12.13 A variety of means may be used, such as biometric identification, smart cards, OTP, etc.
4
3
Number of
Security and separation of safety, detection and security systems
12.15 The business must verify that the network of detectors in the business is isolated in a separate network, without any possibility of accessing computerized systems and control systems for hazardous substances from it.
12.16 The detector controller station must be locked in a communications cabinet in order to ensure that no uncontrolled changes are made.
12.17 If the detector controller enables locking of the controller’s programming mode, it must be kept routinely locked.
12.18 If the detector controller is connected via network/telephony to a security/support center, the business must verify that any ability to change definitions remotely or to shut down the controller is disabled.
12.19 Electrical definitions, access control systems and low-voltage systems must be separated in the network without any possibility of accessing computerized systems and control systems for hazardous substances from them.
12.20 Security cameras – physical access to the security cameras must be prevented and they must be separated in the network without any possibility of accessing computerized systems and control systems for hazardous substances from them.
12.15 If the detector network is part of the production network, any hacking into this network will enable access to the network on the production floor.
12.16 If the controller station is conspicuous, it is exposed to potential changes in the detectors’ threshold values.
12.17 Controllers have programming modes and operating modes. No controller should be left open in programming mode during routine operation.
12.18 If necessary, changes in definitions will be enabled only for the purpose of providing remote support for a defined timeframe and then must be redisabled.
12.19-20 If physical access to cameras and to other low- voltage systems is freely allowed, then detachable media are likely to be connected to them or they may be tampered with in some other way in order to inject malicious code.
12.15 This may be implemented using a firewall or physical isolation or by deploying dry touch detectors.
12.17 This may be implemented using physical or logical locking as supported by the controller.
12.19-20 This may be implemented using a firewall or physical isolation.
12.20 It is recommended, to the extent possible, to install the cameras high up and to disable wireless connection
1
6
Number of
Media used in controllers and operating/HMI stations
15.1 In order to transmit software and firmware versions, configurations, scripts, etc., designated company media must be used solely for this purpose and must be stored in a secure location.
15.2 Media used for backups of firmware versions, configurations of controllers and scripts must be stored and locked in secure locations.
15.3 Media used for transferring information must be scanned for malware before each use.
15.1 If media are used for other purposes, they are more susceptible to being infected with malware.
15.2 Scanning the media for malware should be performed on a computer/ CDR station that is not connected to computerized systems and control systems of hazardous substances.
1
3
18
Awareness and enforcement
18.1 Suitable directives should be disseminated among the employees and guards. Employees and guests who have no role relating to the control systems and computerized systems for hazardous substances are not supposed to be in their vicinity. Any unauthorized employee found next to the controller or detector cabinets, who is connecting elements to a network at his own initiative, or who is attempting to access operating/HMI stations, will be dealt with severely. The business must draft and disseminate a procedure conveying these directives.
18.2 Communications cabinets and controller cabinets must be locked and their keys must be kept in a discrete location.
1
18.1 Present the explanations given to the employees and guards.
18.2 Check the locks.
Number of
Advanced security
18.3 Security cameras must be installed to document the access to communications cabinets, controller cabinets and workstations/HMI stations.
18.4 An alarm system must be installed that will issue an alert about any attempt to access communications cabinets, controller cabinets and workstations other than during business hours.
18.5 Suitable directives must be disseminated among the employees and guards – external technicians and visitors will be required to deposit all media (magnetic, optic), cellular phones and computers in their possession before accessing or coming into physical proximity to computerized systems and control systems for hazardous substances.
18.3 This may be implemented by installing cameras opposite HMI stations or cameras with roving lenses that also scan the vicinity of the HMI stations and local panels.
18.4 If there is internal opposition in the company to the installation of cameras for reasons of privacy protection, opposition from employee committees, etc., another compensating control must be implemented that constitutes an adequate alternative solution for this control.
18.5 It is recommended to apply the procedure also to employees, apart from designated media used solely for work purposes.
3
18.5 Present the explanations given to the employees and guards.
3
Number of
Employees with access to computerized and automated systems managing hazardous substances
19.1 The employees’ signatures must be obtained on a statement of full commitment to comply with the business’s information security requirements and on a non-disclosure agreement with regard to the computerized systems and control systems for hazardous substances, formulas, processes for using hazardous substances and related logistics in the business.
19.2 If there are concerns about employees (disgruntled, unstable, careless about complying with rules), their access must be suspended.
19.3 When employment is severed, access authorizations should be cancelled and user accounts must be blocked.
19.4 Employees must be ordered to not accept instructions to perform operations in computerized systems and control systems for hazardous substances according to instructions sent via email/ text message/ telephone call/video call.
19.1 The exposure of information about computerized systems and control systems, formulas for chemical substances prepared in the company (by both mixing and reaction), or logistics procedures and recordkeeping of hazardous substances in the company, can enable an attacker to plan and execute a cyber attack that could trigger a hazardous substances event.
19.4 Attackers are capable of forging emails and text messages and of impersonating someone else via telephone and even during a video call.
2
4
Number of
Cyber incident detection and management for computerized and automated systems managing hazardous substances
24.1 The business must prepare a response plan for a cyber incident in computerized systems connected to hazardous substances. The procedure must be drilled at least once a year.
24.2 If a suspected cyber incident in computerized systems connected to hazardous substances has been verified, the business must inform the call center of the National Cyber Directorate and the Industrial Cybersecurity (ICS) Department in the Ministry of Environmental Protection.
24.3 If the incident impacted hazardous substances, first the required processes/ drills must be performed, the authorities must be alerted and the business’s hazardous substances coordinator must be informed as is required for any hazardous substances event in the business pursuant to any law.
24.4 The business must make sure that the business’s procedures/drills for a hazardous substances event include references to a situation in which the computerized systems and control systems are not functioning properly.
24.1 The procedure must refer to clarifying suspicious behavior with professionals in the business and with external professionals, notifying the management, authorization to make a decision to disconnect a component/shut down a system/ disconnect communications until the incident is clarified and the tests of good working order that must be performed on other components have been completed.
24.2 The National Cyber Directorate’s call center operates 24/7 – dial 119; and email team@cyber. gov.il
Industrial Cybersecurity Department email: cyber_industry@ sviva.gov.il
24.1 Refer to existing procedures for system shutdowns and for replacing corrupted components.
1
24.1 Present the procedures.
24.2 Present the history of cyber incidents that have been detected and reported.
24.3 Present the method for handling incidents impacting hazardous substances. Present the changes/ additions in handling a hazardous substances event resulting from a cyber attack.
4
25
Repair and resumption of operations subsequent to a cyber incident
25.1 The information security policy document must refer to the post-incident recovery process. The plan must take into account various disaster scenarios involving hazardous substances (for example: how long a particular controller or HMI system be can be safely shut down).
25.2 The business must make sure that the resumption of the routine is performed in compliance with the procedure for resuming routine operations.
25.3 Within 60 days of the detection of a cyber incident, the business must prepare an investigation report summarizing the nature of the incident, the failures that enabled it to occur and the lessons learned, and must send it to the Industrial Cybersecurity Department.
25.1 Refer to existing procedures for system shutdowns and for replacing corrupted components.
2
25.2 Present the replacements and backups to demonstrate the recovery capability.
25.3 Present the reports of previous incident investigations.
3
92
1. Threshold educational requirements:
or
or
graduate of a technological unit in the IDF (Center of Computing and Information Systems, 8200, teleprocessing and parallel units) and/or the Information Security Authority, provided that he/she engaged in the technological field subject to appropriate authorizations
or
participated in a cybersecurity course for industrialists in cooperation with the Ministry of Environmental Protection and the Manufacturers’ Association and/or any other entity.
2. Threshold experience requirements:
and
experience working on the production floor on OT (operation technology) systems, in the context of working with ICS (industrial control systems), including experience with SCADA (supervisory control and data acquisition) systems and HMI (human-machine interface) systems. Experience in programming controllers, planning a SCADA system, making changes to HMI systems, monitoring and handling alerts received from HMI systems;
Six years of experience performing the tasks described for the role, including at least two years of experience managing technological teams.
43 44
3. Additional requirements with regard to education, experience, qualifications, and skills (if any); Desired qualifications:
1. tertiary education in the field of chemistry, chemical engineering or industrial engineering or natural sciences or business administration.
2. practical familiarity with industrial cyber defense methodologies – significant advantage.
3. drafting of industrial cyber defense methodologies – significant advantage.
4. practical experience in the chemical industry – significant advantage.
5. experience as a computer professional in the chemical industry, particularly experience in process control systems.
6. experience in defining organizational policies, in drafting procedures; experience implementing policy documents and procedures.
7. experience in performing information security audits.
8. familiarity with security techniques and information security tools in SCADA systems – significant advantage.
45 46
Appendix E – Letter of appointment of a cybersecurity officer in the business
Date:
Reference:
Re: Letter of appointment of a cybersecurity officer
Pursuant to the Hazardous Substances Act of 1993 (hereinafter: “the Act”) and to the requirements specified in the toxins permit, I hereby appoint you as the cybersecurity officer in our organization.
The cybersecurity officer will act in direct subordination to the toxins permit holder.
The role of the cybersecurity officer will include:
1. formulating a cybersecurity policy according to the organizational risk management process and according to the requirements stipulated in the toxins permit and in the Cyber Manual;
2. building a cybersecurity work plan in conformity with the policy;
3. controlling and monitoring the execution of the work plan and compliance with the cybersecurity conditions in the toxins permit;
4. performing aspects of cybersecurity activities in conformity with the Cyber Manual and the current security updates of the Industrial Cybersecurity Department of the Ministry of Environmental Protection.
Sincerely,
45 46
Appendix F – Initial mapping of a hazardous process that is managed/ controlled by a computerized system6
Business:
Facility:
Approved quantity in the toxins permit
Is the hazardous substance included in a process that is controlled/ integrated in computerized systems?
Explanation of the hazardous process (stages of the process, its purposes, mode of execution)
Details of the computerized systems/ digital process involved in the hazardous process
Potential impact on public health or on the environment7
6 To be completed only if an independent cyber risk survey was performed without combined risk management 7According to the impact calculation table in this manual
47 48
Appendix G – Declaration of the toxins permit holder regarding the performance of a cyber risk assessment and classification of the business
I, the undersigned __________________ ID No. __________________ having been informed that I must tell the whole truth and that I can expect the punishment prescribed by law if I fail to do so, do hereby declare:
1. The undersigned is the __________________ (position) for__________________ (company name), toxins permit No. __________________.
2. The cybersecurity classification process for the business was completed on __________________.
3. A document specifying the key results of the classification process for the business and the cyber risk assessment is appended hereto.
4. I performed the risk assessment myself/I availed myself of the services of the consulting firm __________________ (delete as appropriate) and prepared the document summarizing the key results of the business classification process and the risk assessment and, to the best of my knowledge and understanding, these documents are complete and accurate, were prepared in conformity with the Cyber Manual and present a precise situation report of the business.
5. The risk assessment process and the summary of its results in relation to cybersecurity were completed on _________________.
6. The following is a summary of the results of the risk assessment:
System name Probability (1-4) Impact (1-4) Level of risk
(4-16)
(1-4)
7. I myself prepared/I checked (delete as appropriate) the table summarizing the risk assessment being submitted to the Ministry of Environmental Protection as required in the directives and, to the best of my knowledge and understanding, the summary is complete and accurate and presents a precise situation report of the business.
8. I declare all of the above to be true. Signature of the declarant ___________________________
Attorney’s confirmation
I, the undersigned _________________, attorney, do hereby confirm that on _______________________ ___________ appeared before me, who is known to me personally/whom I identified according to ID No. _________________, and that after I had informed him/her of the requirement to tell the whole truth and nothing but the truth and of the punishment prescribed by law if he/she failed to do so, he/she affirmed the veracity of his/her above declaration and signed it in my presence.
Signature and stamp: ______________________
47 48
Appendix H – Declaration of the toxins permit holder regarding the completion of a cyber risk mitigation plan
I, the undersigned ____________________________, ID No. ____________________, having been informed that I must tell the whole truth and that I can expect the punishment prescribed by law if I fail to do so, do hereby declare::
1. The undersigned is the CEO/owner (delete as appropriate) of__________________ (company name), toxins permit No. _______________________.
2. The process of implementing a plan to prevent risk to public health and to the environment as a result of a cyber incident, was completed on ____________________.
3. The following is a summary of the assimilation of controls to mitigate cyber risks:
System name Required set of controls (1-4) List of assimilated controls Remarks
4. I have examined the summary document being submitted to the Ministry of Environmental Protection as required in the directives and, to the best of my knowledge and understanding, the document is complete and accurate.
5. I declare all of the above to be true. Signature of the declarant: ___________________________
Attorney’s confirmation
I, the undersigned _________________, attorney, do hereby confirm that on ____________________________ appeared before me, who is known to me personally/whom I identified according to ID No. _________________ and, after I had informed him/her of the requirement to tell the whole truth and nothing but the truth and of the punishment prescribed by law if he/she failed to do so, he/she affirmed the veracity of his/her above declaration and signed it in my presence.
Signature and stamp:
Name:
Role:
Telephone:
Summary of the incident:
Date and time the incident was discovered:
Status of the handling of the incident Not handled
Handling started but not completed
Handling completed
Physical location of the incident
Systems affected by the incident
Have additional parties outside of the plant been affected by the incident? (if yes, specify)
4. Extent of the damage/potential damage: (mark everything that applies)
Harm to a computerized system that manages/controls hazardous substances without any release of hazardous substances
Harm to a computerized system that manages/controls hazardous substances including the release of hazardous substances that caused harm to the environment
Harm to a computerized system that manages/controls hazardous substances including the release of hazardous substances that caused harm to public health
At this stage, the extent of the damage is not known
Brief verbal description of the impact:
Appendix I – Cyber Incident Report
49 50
List of people who were informed about the incident
Name Role Telephone
6. What measures have been taken to date? (Mark everything that applies)
At this stage, no measures have been taken at all
The systems were disconnected from the OT environment
The system was scanned for viruses
The systems’ logs were saved for the investigation
Restoration was performed from backups
Another operation was performed (describe what was done)
Brief verbal description of the measures taken:
7. Additional data/additional information which, in your opinion, is important to report and which is not requested in the incident report form
8. Lessons and conclusions in order to prevent any recurrence of an incident of this type::
Actions to be taken Person responsible Timetable
Full name: ID: Signature:
51 52
Appendix J &

Cyber Manual Adhering to the cybersecurity requirements of ...

Documents

Transcript of Cyber Manual Adhering to the cybersecurity requirements of ...