Industrial Automation and Controls Systems...
Transcript of Industrial Automation and Controls Systems...
ISA Standards and Practices
Industrial Automation and
Controls Systems
Cybersecurity
The ISA99 Committee and
the 62443 Standards
February 2018 Copyright © ISA – All Rights Reserved
Purpose
Introduce the ISA99 committee and the ISA/IEC 62443
series of standards on Industrial Automation and Control
Systems Security.
1
February 2018 Copyright © ISA – All Rights Reserved
Topics
• Who are we?
• How do we work?
• What are the basics?
• What are our work products?
• Where do things stand?
2
February 2018 Copyright © ISA – All Rights Reserved
Who are we?
3
February 2018 Copyright © ISA – All Rights Reserved
ISA99 Committee
The International Society of Automation (ISA) Committee on
Security for Industrial Automation & Control Systems
Almost 900 members from around the world
4
February 2018 Copyright © ISA – All Rights Reserved
Our Scope
“… industrial automation and control systems whose compromise
could result in any or all of the following situations:
– endangerment of public or employee safety
– environmental protection
– loss of public confidence
– violation of regulatory requirements
– loss of proprietary or confidential information
– economic loss
– impact on entity, local, state, or national security”
5
February 2018 Copyright © ISA – All Rights Reserved
Industry Contribution and Application
• Reflects expertise from many sectors, including:
– Chemical Processing
– Oil and Gas
– Food and Beverage
– Energy
– Pharmaceuticals
– Water
– Manufacturing
– ICS suppliers
6
February 2018 Copyright © ISA – All Rights Reserved
How Do We Work?
7
February 2018 Copyright © ISA – All Rights Reserved
ISA99 and ISA/IEC 62443
• ISA/IEC 62443 is a series of standards being developed by two
groups:
– ISA99 ANSI/ISA-62443
– IEC TC65/WG10 IEC 62443
• In consultation with:
– ISO/IEC JTC1/SC27 ISO/IEC 2700x
8
February 2018 Copyright © ISA – All Rights Reserved
Partners for Related Topics
• Process Safety (ISA84, IEC TC65)
• Wireless Communications (ISA100)
• Intelligent device Management (ISA108)
• Medical Device Security (MDISS)
• Certification (ISCI)
• Communications & Advocacy
(Automation Federation)
• Security Framework (NIST)
9
IACS
Security
February 2018 Copyright © ISA – All Rights Reserved
The Basics
• General Concepts
• Fundamental Concepts
• Foundational Requirements
10
February 2018 Copyright © ISA – All Rights Reserved
General Concepts
• Security Context
• Security Objectives
• Least Privilege
• Defense in Depth
• Threat-Risk Assessment
• Supply Chain Security
Source: ISA-62443-1-1, 2nd Edition (Under development)
11
February 2018 Copyright © ISA – All Rights Reserved
Fundamental Concepts
• Principal Roles
• Life Cycles
• Zones and Conduits
• Security Levels
• Maturity Assessment
• Security and Safety
12
Source: ISA-62443-1-1, 2nd Edition (Under development)
February 2018 Copyright © ISA – All Rights Reserved
Principal Roles
• Product Supplier (PS)
• Integration Provider (IP)
• Asset Owner (AO)
• Maintenance Provider (MP)
• Service Provider (SP)
• System Operator (SO)
• Regulatory Authority (RA)
• Compliance Authority (CA)
#
February 2018 Copyright © ISA – All Rights Reserved
Life Cycles
14
Based on VDI 2182
Operation
& Maintenance
Integration /
Commissioning
Product
Development
Product
SupplierSystem
Integrator
Asset
Owner
Security Documentation
Security Guidelines
Security Support
Requirements
February 2018 Copyright © ISA – All Rights Reserved
Zones and Conduits
• A means for defining…
– How different systems interact
– Where information flows between systems
– What form that information takes
– What devices communicate
– How fast/often those devices communicate
– The security differences between system
components
• Technology helps, but architecture is more
important
15
February 2018 Copyright © ISA – All Rights Reserved
Security Levels
16
Protection against…
February 2018 Copyright © ISA – All Rights Reserved
Maturity Assessment
• A means of assessing capability
• Similar to Capability Maturity
Models
– e.g., SEI-CMM
• An evolving concept in the
standards
– Applicability to IACS-SMS
20
February 2018 Copyright © ISA – All Rights Reserved
Security and Safety
• Safety is much of the reason for
security
– Presenting consequences
• Much to be learned from the safety
community
• Collaboration
– ISA99-ISA84 joint effort
– IEC TC65 work group 20
– ISA Safety and Security Division
18
February 2018 Copyright © ISA – All Rights Reserved
Foundational Requirements
• FR 1 – Identification & authentication control
• FR 2 – Use control
• FR 3 – System integrity
• FR 4 – Data confidentiality
• FR 5 – Restricted data flow
• FR 6 – Timely response to events
• FR 7 – Resource availability
19
February 2018 Copyright © ISA – All Rights Reserved
Work Products
20
February 2018 Copyright © ISA – All Rights Reserved
The ISA-62443 Series
21
February 2018 Copyright © ISA – All Rights Reserved
General Information
• 62443-1-1
– Concepts and Models
• 62443-1-2
– Master Glossary
• 62443-1-3
– Security Compliance Metrics
• 62443-1-4
– Lifecycle & Use Cases
• 62443-1-5
– Protection Levels
22
February 2018 Copyright © ISA – All Rights Reserved
Program Definition
• 62443-2-1
– Security Management System
• 62443-2-2
– Implementation Guidance
• 62443-2-3
– Patch Management
• 62443-2-4
– Requirements for Solution Suppliers
23
February 2018 Copyright © ISA – All Rights Reserved
System Security
• 62443-3-1
– Security Technologies
• 62443-3-2
– Risk Assessment and System Design
• 62443-3-3
– System Requirements and
Security Levels
24
February 2018 Copyright © ISA – All Rights Reserved
Component Security
• 62443-4-1
– Product Development Requirements
• 62443-4-2
– Technical Requirement for Components
25
February 2018 Copyright © ISA – All Rights Reserved
What is Happening
26
February 2018 Copyright © ISA – All Rights Reserved
Current Activity
• 62443-1-1 (2nd Edition)
– Preparing a draft for comment
• 62443-1-2
– Recently circulated as a draft for comment
• 62443-1-4
– Case studies being identified by WG10
• 62443-1-5
– Introduces the potential concept of “Protection Levels”
– Recently circulated as a draft for comment
27
February 2018 Copyright © ISA – All Rights Reserved
Current Activity
• 62443-2-1 (2nd Edition)
– Alignment with ISO 27001:2013
– Recently circulated as a draft for comment
• 62443-2-3
– Technical report published in July 2015
– Under revision to elevate to a standard
• 62443-2-4
– Published by IEC, adopted by ISA99
28
February 2018 Copyright © ISA – All Rights Reserved
Current Activity
• 62443-3-1
– Technical report on risk management being rewritten as a standard
• 62443-3-2
– Committee Draft for Vote (CDV) approved by ISA voting members
– IEC vote pending
29
February 2018 Copyright © ISA – All Rights Reserved
Current Activity
• 62443-4-1
– Approved by ISA and IEC
• 62443-4-2
– Soon to be submitted as a Final Draft Standard to ISA and IEC
30
February 2018 Copyright © ISA – All Rights Reserved
Review
✓ Who are we?
✓ How do we work?
✓ What are the basics?
✓ What are our work products?
✓ Where do things stand?
31
February 2018 Copyright © ISA – All Rights Reserved
Conclusion
32
February 2018 Copyright © ISA – All Rights Reserved
• ISA99 committee page: http://www.isa.org/isa99
• Twitter: @ISA99Chair
• Committee Co-Chairs: [email protected]– Eric Cosman
– Jim Gilsinn
• Managing Director– Joe Weiss
• ISA Staff Contact– Eliana Brazda [email protected]
Please provide contact information & area of expertise or interest
More Information…
33
February 2018 Copyright © ISA – All Rights Reserved
Questions
34