ISA99 - Industrial Automation and Controls Systems Security
Committee Summary and Activity Update
January 2015
Copyright © ISA
Purpose
Introduce the ISA99 committee and the ISA-62443 series of standards on Industrial Automation and Control Systems Security.
Topics
• Who are we?
• How do we work?
• What are the basics?
• What are our work products?
• Where do things stand?
Who we are
ISA99 Committee
• The International Society of Automation (ISA) Committee on Security for Industrial Automation & Control Systems (ISA99)
  – 500+ members
  – Representing companies across all sectors, including:
    – Chemical Processing
    – Petroleum Refining
    – Food and Beverage
    – Energy
    – Pharmaceuticals
    – Water
    – Manufacturing
Our Scope
• “… industrial automation and control systems whose compromise could result in any or all of the following situations:
  – endangerment of public or employee safety
  – environmental protection
  – loss of public confidence
  – violation of regulatory requirements
  – loss of proprietary or confidential information
  – economic loss
  – impact on entity, local, state, or national security”
How we Work
ISA99 and ISA/IEC 62443
• ISA/IEC 62443 is a Series of Standards
• Being Developed by 3 Groups
  – ISA99: ANSI/ISA-62443
  – IEC TC65/WG10: IEC 62443
  – ISO/IEC JTC1/SC27: ISO/IEC 2700x
Other Partners for Related Topics
• Process Safety (ISA84)
• Wireless Communications (ISA100)
• Certification (ISCI)
• Information Sharing (ICSJWG)
• Security Framework (NIST)
• International Reach (IEC/ISO)
• etc.
The Basics
• General Concepts
• Fundamental Concepts
General Concepts
• Security Context
• Security Objectives
• Least Privilege
• Defense in Depth
• Threat-Risk Assessment
• Policies and Procedures
Source: ISA-62443-1-1, 2nd Edition (Under development)
Fundamental Concepts
• Security Life Cycle
• Zones and Conduits
• Security Levels
• Foundational Requirements
• Program Maturity
• Safety and Security
Source: ISA-62443-1-1, 2nd Edition (Under development)
Security Life Cycle
Source: ISA-62443-1-1, 2nd Edition (Under development)
Zones and Conduits
A network & system segmentation technique:
• Prevents the spread of an incident
• Provides a front-line set of defenses
• The basis for risk assessment in system design
System Segmentation
• A process to understand:
  – How different systems interact
  – Where information flows between systems
  – What form that information takes
  – What devices communicate
  – How fast/often those devices communicate
  – The security differences between system components
• Technology helps, but architecture is more important
Example
Security Levels
Foundational Requirements
• FR 1 – Identification & authentication control
• FR 2 – Use control
• FR 3 – System integrity
• FR 4 – Data confidentiality
• FR 5 – Restricted data flow
• FR 6 – Timely response to events
• FR 7 – Resource availability
Program Maturity
• A means of assessing capability
• Similar in concept to Capability Maturity Models
  – e.g., SEI-CMM
• An evolving concept in the standards
  – Applicability to IACS-SMS
Safety and Security
• Safety is much of the “raison d’etre” for security
  – Presenting consequences
• Much to be learned from the Security community
• Collaboration
  – ISA99-ISA84 joint efforts
  – ISA Safety and Security Division
Fundamental Concepts Status
✓ Security Life Cycle
✓ Zones and Conduits
→ Security Levels
✓ Foundational Requirements
→ Program Maturity
→ Safety and Security
Work Products
The ISA-62443/IEC 62443 Series
General Information
• ISA-62443-1-1
  – Concepts and Models
• ISA-TR62443-1-2
  – Master Glossary
• ISA-TR62443-1-3
  – Metrics
• ISA-TR62443-1-4
  – Lifecycle & Use Cases
Policies and Procedures
• ISA-62443-2-1
  – Security Management System
• ISA-TR62443-2-2
  – Implementation Guidance
• ISA-TR62443-2-3
  – Patch Management
• ISA-62443-2-4
  – Requirements for Suppliers
System Requirements
• ISA-62443-3-1
  – Security Technologies
• ISA-62443-3-2
  – Risk Assessment and Design
• ISA-62443-3-3
  – System Requirements
Component Requirements
• ISA-62443-4-1
  – Product Development
• ISA-62443-4-2
  – Technical Component
What is Happening
Recent Developments
• ISA-TR62443-1-3
  – Formally assigned to a new WG12 for development
• ISA-TR62443-2-3
  – Approved; publication pending
• IEC-62443-2-4
  – Essentially complete
  – Proposed adoption by ISA
Current Areas of Attention
• Alignment of Management System with ISO 27001:2013
• Affirming of Fundamental Concepts
  – Security Levels
  – Zones and Conduits
  – Maturity Levels
• Detailed Requirements
  – Component Technical
  – Product Development
Pending Developments
• ISA-62443-3-2
  – Soon available for comment
• ISA-62443-4-1 and ISA-62443-4-2
  – Revised drafts soon
Review
✓ Who are we?
✓ How do we work?
✓ What are the basics?
✓ What are our work products?
✓ Where do things stand?
Conclusion
Questions, Comments, Contributions…
• ISA99 Wiki – http://isa99.isa.org
• Twitter – @ISA99Chair
• Committee Co-Chairs
  – General: [email protected]
  – Eric Cosman [email protected]
  – Jim Gilsinn [email protected]
• ISA Staff Contact
  – Charley Robinson, [email protected]
Please provide contact information & area of expertise or interest
Questions
Document Description
Title and Description: ISA99 Committee Overview
Ownership: ISA99 Leadership
Last Revised: January 2015
Revision 3
Master Copy: This document is located on the committee collaboration site, in the Information folder
Copy control: Only the master copy will be maintained. Any other copies or previous revisions are considered obsolete at the time of copy.
Comments: