Cyber Security for the Industrial Environment: An Intro to ISA/IEC 62443

KENEXISCopyright © 2012 Kenexis Security Corporation

KENEXIS

Copyright © 2012 Kenexis Security Corporation

CYBER SECURITY FOR THE INDUSTRIAL ENV.: AN INTRO TO ISA/IEC 62443


• Recently Joined Kenexis Consulting– Network & security design

• Previously Worked for U.S. National Institute of Standards & Technology (NIST)– 20 years in Engineering Laboratory

• Cyber Security– Co-Chair, ISA99 Committee– Co-Chair, ISA99-WG2 Security Program– Co-Chair, ISA99-WG7 Safety & Security

• Industrial Ethernet Reliability & Performance– Developed metrics, tests, and tools– Measure, analyze, and report performance for industrial

Ethernet devices & systems

Jim GilsinnTwitter – @jimgilsinn

LinkedIn – linkedin.com/jimgilsinn


RespondPlan Prepare Defend

WHAT IS ISA99 & ISA/IEC 62443?


• The International Society of Automation (ISA) Committee on Security for Industrial Automation & Control Systems (ISA99)– Formed in 2002– 550+ members

• 50+ active participants

– >200 companies across all sectors, including:• Chemical Processing• Petroleum Refining• Food and Beverage• Energy• Pharmaceuticals• Water• Manufacturing

ISA99 Committee


• ISA/IEC 62443 is a Series of Standards• Being Developed by 3 Groups

– ISA99 ANSI/ISA-62443– IEC TC65/WG10 IEC 62443– ISO/IEC JTC1/SC27 ISO/IEC 2700x

How Does ISA/IEC 62443 Relate to ISA99?


• ISA-TR62443-0-3, Stuxnet Gap Analysis– Look for gaps in ISA-99.02.01-2009 security

program standard– 35 gaps identified– 33 recommended improvements

• ISA-TR62443-0-4, Implications of SIS Integration with Control Networks– Build on the work of the LOGIIC Consortium

Other Documents



FUNDAMENTAL CONCEPTS


Components of Security

Identification, A

uthentication and Access Control (A

C)

Use Control (U

C)

Data Integrity (D

I)

Data Confidentiality (D

C)

Restrict D

ata Flow (RDF)

Timely Response to Event (TRE)

Resource Availability (R

A)

Security Policy

Organization of Security

Asset Management

Human Resources Security

Physical and Environmental Security

Communications and Operations ManagementAccess Control

Systems acquisition, development and maintenance

Incident Management

Business Continuity ManagementCompliance

Rel

atio

nsh

ips

Inte

nt, B

uy-

In, S

upp

ort

Mot

ivat

ion

vs. D

efia

nce

Dec

isio

ns a

nd A

war

ene

ss

Tra

inin

g an

d C

apa

bilit

y

Cla

uses

Foundational Requirem

ents (currently)

Clauses (new original content to be developed)


• FR 1 – Identification and authentication control• FR 2 – Use control• FR 3 – System integrity• FR 4 – Data confidentiality• FR 5 – Restricted data flow• FR 6 – Timely response to events• FR 7 – Resource availability

Foundational Requirements


Security Levels

Casual or Coincidental Violation

Intentional Violation Using Simple Means with Low Resources, Generic Skills & Low Motivation

Intentional Violation Using Sophisticated Means with Moderate Resources, IACS Specific Skills &

Moderate Motivation

Intentional Violation Using Sophisticated Means with Extended Resources, IACS Specific Skills &

High Motivation


Zones & Conduits –

Chemical Truck

Loading Example


Zones & Conduits – Manufacturing Example


• ISA99 Wiki – http//isa99.isa.org• Twitter – @ISA99Chair• Committee Co-Chairs

– Eric Cosman, [email protected]– Jim Gilsinn, [email protected]

• ISA Staff Contact– Charley Robinson, [email protected]

• Please provide contact info & area of expertise/interest

Questions, Comments, Contributions…

mailto:[email protected]



Cyber Security for the Industrial Environment: An Intro to ISA/IEC 62443

Technology

Transcript of Cyber Security for the Industrial Environment: An Intro to ISA/IEC 62443