Validating the Security Assurance of Industrial Automation Products
Andre Ristaino, ASCI Managing Director (ISA)
Graham Speake, Principal Systems Architect, Yokogawa
John Cusimano, Director of Security Services, Exida
ICSJWG Spring 2011
ISASecure™
www.isasecure.org
www.ansi.org/isasecure
Agenda
• ISA Security Compliance Institute (ISCI) Organization
• ISASecure Embedded Device Security Assurance Program
• Program benefits
• Who to contact for more information
• Questions
An ISA Owned Organization
(Organization chart) ISA owns the Automation Standards Compliance Institute (ASCI). ASCI hosts interest groups including the ISA Security Compliance Institute (ISCI), Industrial Interoperability, Wireless and other interest groups. ISCI is run by a Governing Board, a Technical Steering Committee and Working Groups.
2011 ASCI Board of Directors
• Chairman, ISA Past President (Nelson Ninin)
• Vice Chairman, ISA VP Standards/Practices (Donald Dunn)
• Secretary, ISA Executive Director (Pat Gouhin)
• At Large, legal counsel (Hugh Webster)
• ISA Treasurer (Jim Keaveney)
• At Large, Compliance Expert (Michael Hamm)
• Designated Senior ISA Staff Director (vacant for 2010)
ISA Security Compliance Institute (ISCI)
• Who we are: Consortium of asset owners, suppliers, and industry organizations formed in 2007 under the ISA Automation Standards Compliance Institute (ASCI)
• Mission: Establish a set of well-engineered specifications and processes for the testing and certification of critical control systems products
• Decrease the time, cost, and risk of developing, acquiring, and deploying control systems by establishing a collaborative industry-based program among asset owners, suppliers, and other stakeholders
ISCI Member Companies
• ISCI membership is open to all organizations
  – Strategic membership level
  – Technical membership level
  – Informational membership level
• Current membership
  – Chevron
  – Egemin
  – exida
  – ExxonMobil
  – Honeywell
  – Invensys
  – Siemens
  – Yokogawa
  – ISA99/ISCI Joint Working Group Liaison
ISASecure Designation
• Trademarked designation that provides instant recognition of product security characteristics and capabilities.
• Independent Industry stamp of approval.
• Similar to Safety Integrity Level (SIL) certification under IEC 61508.
ANSI/ACLASS Accredited Conformance Scheme
ISASecure Embedded Device Security Assurance (EDSA) certification is accredited as an ISO/IEC Guide 65 conformance scheme by ANSI/ACLASS. This includes both ISO/IEC 17025 (competence of testing laboratories) and ISO/IEC 17011 (requirements for accreditation bodies).
Go to www.ansi.org/isasecure for details.
1. Provides global recognition for ISASecure certification
2. Independent certification body (CB) accreditation by ANSI/ACLASS
3. ISASecure can scale on a global basis
4. Ensures the certification process is open, fair, credible, and robust
Why Do We Need Secure Devices?
• Increased industrial control system exploits and attacks
  – Stuxnet
  – Nearly 40 exploits released recently
• Hacker conferences starting to have control system tracks
  – Black Hat
  – Hacker Halted
• Control systems using standard IT devices
ISASecure Certification Specification Process
• ISCI board defines scope and work process
• Technical steering committee manages the working groups who draft specifications
• Specifications reviewed by an external third party if required
• Voted on and approved by the full ISCI voting membership
• Approved specifications adopted by the ISCI Governing Board and posted on the website
• Specifications developed to date have been donated to ISA for submission to the ISA99 Standards Committee
ISASecure Supplier Device Approval Process
• Supplier submits device to an ANSI/ACLASS chartered lab
• Chartered lab completes a three-part assessment
  – Physically evaluates the device for functional security (FSA)
  – Conducts communication robustness testing (CRT) using an ISCI-approved test tool
  – Completes a supplier audit (SDSA) of software development practices
• Chartered lab issues the final assessment report and certification upon successful test and audit
ISCI Program Outreach
• Website www.isasecure.org
• ISASecure EDSA Certification Specifications and Program Definition Documents Approved and posted for public access at www.isasecure.org
• ISCI Board donated EDSA FSA and SDSA technical specification to ISA-99 Committee via ISA99-ISCI Joint Working Group
• Webinar Series throughout 2011
Embedded Device
• Special purpose device running embedded software designed to directly monitor, control or actuate an industrial process
• Examples:
  – Programmable Logic Controller (PLC)
  – Distributed Control System (DCS) controller
  – Safety Logic Solver
  – Programmable Automation Controller (PAC)
  – Intelligent Electronic Device (IED)
  – Digital Protective Relay
  – Smart Motor Starter/Controller
  – SCADA Controller
  – Remote Terminal Unit (RTU)
  – Turbine controller
  – Vibration monitoring controller
  – Compressor controller
Embedded Device Security Assurance Certification
The certification has four elements:

Software Development Security Assessment (SDSA): detects and avoids systematic design faults
• The vendor's software development and maintenance processes are audited
• Ensures the organization follows a robust, secure software development process

Functional Security Assessment (FSA): detects implementation errors and omissions
• A component's security functionality is audited against its derived requirements for its target security level
• Ensures the product has properly implemented the security functional requirements

Communications Robustness Testing (CRT): identifies vulnerabilities in networks and devices
• A component's communication robustness is tested against the communication robustness requirements
• Tests for vulnerabilities in four layers of the OSI reference model

Integrated Threat Analysis (ITA): provides a common perspective on how threat scenarios can be sufficiently covered
• Documents the expected resistance of the system to potential threat agents and threat scenarios
• Clearly documents expected user measures versus inherent product protection measures
ISASecure Levels
(Figure) Level 1, Level 2 and Level 3 each require Communication Robustness Testing, Software Development Security Assessment and Functional Security Assessment; the number of SDSA and FSA requirements that must be met grows with the level.

Requirements Necessary to Achieve Certification Levels
        Level 1   Level 2   Level 3   Total count in specification
SDSA    130       149       170       170
FSA     20        49        82        82
CRT     All       All       All       CRT Common Specification plus all 6 protocol CRT specifications
Communications Robustness Test (CRT)
• Measures the extent to which the network protocol implementations on an embedded device defend themselves, and the device's other functions, against unusual or intentionally malicious traffic received from the network.
• An inappropriate message response, or failure of the device to continue to adequately maintain essential services, demonstrates a potential security vulnerability within the device.
• Common CRT Requirements (EDSA-310)
• Protocol CRT specifications:
  – Ethernet (EDSA-401)
  – ARP (EDSA-402)
  – IPv4 (EDSA-403)
  – ICMP (EDSA-404)
  – UDP (EDSA-405)
  – TCP (EDSA-406)
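To make the two CRT pass/fail criteria concrete, here is an added example written for this edit; it is not code from ISCI, from the EDSA specifications, or from any CRT test tool. It models a toy length-prefixed register-read protocol on a simulated single-loop embedded device, a message handler that trusts the wire beside one that validates every field, and a small harness that feeds the device the kinds of unusual frames a CRT run sends and checks that responses stay appropriate and that the essential control-loop function keeps running. The frame layout, the register file, the device model and the mutation set are all constructed for the example.

```python
"""CRT-style robustness harness for a toy embedded-device protocol.

Constructed example: protocol, device model and mutation set are invented for
illustration; they are not the ISASecure CRT specifications or a vendor tool.
"""
import random
import struct

MAGIC = b"\xa5"                 # frame start byte
MAX_PAYLOAD = 64                # largest payload the device claims to accept
CMD_READ = 0x01                 # request: cmd(1) + register address(2)
CMD_NAK = 0x7F                  # reply to anything the device rejects
REGISTERS = {0x0010: 1234, 0x0011: 42}   # constructed register file


def build_frame(payload: bytes) -> bytes:
    """Frame layout: magic(1) | payload length (2, big-endian) | payload."""
    return MAGIC + struct.pack(">H", len(payload)) + payload


def vulnerable_handler(frame: bytes) -> bytes:
    """Trusts the wire: no magic, length, size or command validation. A short
    frame raises (struct.error / IndexError); an unknown command is echoed."""
    declared = struct.unpack(">H", frame[1:3])[0]
    payload = frame[3:3 + declared]
    cmd = payload[0]
    addr = struct.unpack(">H", payload[1:3])[0]
    return build_frame(bytes([cmd]) + struct.pack(">HI", addr, REGISTERS.get(addr, 0)))


def hardened_handler(frame: bytes) -> bytes:
    """Validates every field before use and answers anything odd with a NAK."""
    nak = build_frame(bytes([CMD_NAK]))
    if len(frame) < 3 or frame[:1] != MAGIC:
        return nak
    declared = struct.unpack(">H", frame[1:3])[0]
    payload = frame[3:]
    if declared != len(payload) or declared > MAX_PAYLOAD:
        return nak                       # length field must match reality
    if len(payload) != 3 or payload[0] != CMD_READ:
        return nak                       # only one command is implemented
    addr = struct.unpack(">H", payload[1:3])[0]
    return build_frame(bytes([CMD_READ]) + struct.pack(">HI", addr, REGISTERS.get(addr, 0)))


class ToyDevice:
    """Single-loop firmware model: each tick services one received frame, then
    runs one control-loop scan. An unhandled fault in the comms code stalls the
    loop for good: the 'failure to maintain essential services' the CRT looks for."""

    def __init__(self, handler):
        self.handler = handler
        self.scans = 0          # essential-function counter
        self.faulted = False

    def tick(self, frame: bytes):
        if self.faulted:
            return None
        try:
            response = self.handler(frame)
        except Exception:       # in real firmware: hang, reset or watchdog trip
            self.faulted = True
            return None
        self.scans += 1
        return response


def well_formed(response) -> bool:
    """A reply must be a consistent frame carrying a READ or NAK command."""
    if response is None or len(response) < 4 or response[:1] != MAGIC:
        return False
    declared = struct.unpack(">H", response[1:3])[0]
    return declared == len(response) - 3 and response[3] in (CMD_READ, CMD_NAK)


def mutations(valid: bytes, seed: int = 1):
    """Yield (name, frame) pairs derived from one valid request: the kinds of
    unusual and intentionally malicious traffic a CRT run sends."""
    rng = random.Random(seed)
    yield "bad_cmd", build_frame(b"\x99" + valid[4:])          # unknown command
    yield "empty", b""
    for i in range(1, len(valid)):
        yield f"truncated@{i}", valid[:i]
    for declared in (0, 1, MAX_PAYLOAD + 1, 0xFFFF):            # lying length field
        yield f"length={declared}", MAGIC + struct.pack(">H", declared) + valid[3:]
    yield "oversize", build_frame(valid[3:] + bytes(MAX_PAYLOAD * 4))
    yield "bad_magic", b"\x00" + valid[1:]
    for n in range(20):
        yield f"random#{n}", bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 80)))


def run_crt(handler, seed: int = 1) -> dict:
    """Drive one device through the mutation set and apply the CRT criteria:
    no inappropriate response, and essential services maintained (the loop
    keeps scanning and a valid request is still answered correctly)."""
    valid = build_frame(bytes([CMD_READ]) + struct.pack(">H", 0x0010))
    expected = handler(valid)
    dev = ToyDevice(handler)
    failures, cases = [], 0
    for name, frame in mutations(valid, seed):
        cases += 1
        before = dev.scans
        response = dev.tick(frame)
        if response is not None and not well_formed(response):
            failures.append((name, "inappropriate response"))
        if dev.scans == before:
            failures.append((name, "essential service stalled"))
            break                        # device is dead; nothing more to learn
        if dev.tick(valid) != expected:
            failures.append((name, "valid request no longer served"))
            break
    return {"cases": cases, "failures": failures, "scans": dev.scans}


if __name__ == "__main__":
    for label, handler in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(label, run_crt(handler))
```

`run_crt(vulnerable_handler)` reports the echoed unknown command as an inappropriate response and then stops when the empty frame stalls the loop; `run_crt(hardened_handler)` completes every case with no failures. A real CRT adds traffic storms and per-protocol cases at each of the layers listed above, and watches the essential function through an out-of-band channel (for example a process I/O loop on the test bench) rather than a counter in the same process.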
Functional Security Assessment (FSA)
Security feature tests
Purpose:
– Verification and validation that the device or system under test incorporates a minimum set of security features needed to counteract common security threats
Composition:
– Set of requirements, derived from existing reference standards and traceable to the source standard
– One or more acceptable solutions (countermeasures) identified for each requirement
– If applicable, procedures to verify the requirement has been satisfied
Structure of FSA Requirements
Access Control: user authorization, user authentication, system use notification, session locking/termination
Use Control: device authentication, audit trail
Data Integrity: data in transit, data at rest
Data Confidentiality: data in transit, data at rest, crypto
Restrict Data Flow: information flow enforcement, application partitioning, function isolation
Timely Response to Event: incident response
Network Resource Availability: denial of service protection, backup & recovery
Software Development Security Assessment (SDSA)
Secure software engineering
Purpose:
– Verification and validation that software for the device or system under test was developed following appropriate engineering practices to minimize software errors that could lead to security vulnerabilities
Composition:
– Set of requirements, derived from existing reference standards and traceable to the source standard (IEC 61508, ISO/IEC 15408)
– One or more acceptable arguments identified for each requirement
EDSA Certification Process
Typical chartered lab level of effort (man-weeks)

Step                                               Level 1      Level 2      Level 3
1. CRT test all accessible TCP/IP interfaces       1–2 weeks    1–2 weeks    1–2 weeks
2. Perform FSA on device and all interfaces        <1 week      1 week       1–2 weeks
3. Audit supplier's software development process   1 week       1–2 weeks    1–2 weeks
4. Perform ITA and issue report                    1 week       1 week       1 week
Total                                              3–5 weeks    4–6 weeks    4–10 weeks
Benefits
End-user
• Easy to specify
• Build security requirements into the RFP
• Reduced time in FAT/SAT
• Know the security level out of the box
Supplier
• Evaluated once
• Recognition for effort
• Build in security
• Product differentiator
Who to Contact to Certify Products
ISASecure EDSA Chartered Lab
exida
John Cusimano
Director of Security Services
Phone: (215) 453-1720
Fax: (215) 257-1657
Email: [email protected]
Website: http://www.exida.com
Who to contact for CRT Test Tool
http://www.wurldtech.com
Wurldtech Security Technologies, Inc.
Greg Maciel
Achilles Sales Manager
Phone: (949) 300-4040
Email: [email protected]
Who to contact for ISCI Membership
Andre Ristaino
Managing Director, ASCI
Direct Phone: 919-990-9222
Fax: 919-549-8288
Email: [email protected]
Website: http://www.isasecure.org
FAQs
1. Who will perform ISASecure certification assessment and testing?
ANSI/ACLASS accredits organizations (called “chartered labs”) to perform ISASecure certification evaluations. ISCI will also recognize test platforms designed to perform communication robustness testing for use by these organizations and by device vendors in preparation for certification.
2. Who will grant ISASecure certifications?
The chartered labs will register ISASecure certified devices when the device has passed the ISASecure certification requirements. ISCI will publish a list of certified products on its web site.
3. Describe the First ISASecure certification that will be available.
The ISASecure Embedded Device Security Assurance Certification is the first certification offered. The certification includes all three certification elements: software development security assessment, functional security assessment, and communication robustness testing.
4. How were the ISASecure certification criteria developed?
The ISASecure effort has leveraged the substantial existing work in general cyber security and process control system cyber security. The SDSA and FSA criteria are aligned wherever possible with draft work products of the ISA SP-99 committee.

The Software Development Security Assessment requirements are ultimately traceable to requirements in the following source documents:
[N4] ISO/IEC 15408-1 through 15408-3, Information technology — Security techniques — Evaluation criteria for IT security — Parts 1 through 3
[N6] IEC 61508 Part 3, Functional safety of electrical/electronic/programmable electronic safety-related systems: Software requirements
[N7] RTCA/DO-178B, Software Considerations in Airborne Systems and Equipment Certification
[N8] M. Howard and S. Lipner, The Security Development Lifecycle, Microsoft Press (June 28, 2006), ISBN-13: 978-0735622142
[N9] OWASP CLASP (Comprehensive, Lightweight Application Security Process)

The Functional Security Assessment requirements are ultimately traceable to requirements in the following source documents:
[N1] ISA-99.01.03D2-20090527, Security for Industrial Automation and Control Systems: System Security Requirements and Security Assurance Levels (ISA-99.01.03)
[N2] NERC CIP-002-1 through CIP-009-1, North American Electric Reliability Corporation Cyber Security Standards
[N3] NIST SP 800-53, Recommended Security Controls for Federal Information Systems
[N4] ISO/IEC 15408-1 through 15408-3, Information technology — Security techniques — Evaluation criteria for IT security — Parts 1 through 3
[N5] Department of Homeland Security, Catalog of Control Systems Security: Recommendations for Standards Developers

5. Will a vendor that has already obtained a certification for a device be allowed to submit those results for the ISASecure certification?
Yes. ISCI has identified specific certifications from which pre-existing artifacts may be offered as evidence for meeting specific certification requirements in the ISASecure specification. For example, an organization that has already received an IEC 61508 certification for a device may submit artifacts on its software development practices to satisfy specific requirements in the Software Development Security Assessment section of the EDSA certification.