ISA–The Instrumentation, Systems, and Automation Society ISA SP-99 Introduction: Manufacturing and...

ISA–The Instrumentation, Systems, and Automation Society ISA SP-99 Introduction: Manufacturing and Control Systems Security -- Kickoff Meeting Call to Order Images Contained Herein May Not be Used Without Explicit Permission


Page 1: ISA–The Instrumentation, Systems, and Automation Society ISA SP-99 Introduction: Manufacturing and Control Systems Security -- Kickoff Meeting Call to.

ISA–The Instrumentation, Systems, and Automation Society

ISA SP-99 Introduction: Manufacturing and Control Systems Security -- Kickoff Meeting

Call to Order

Images Contained Herein May Not be Used Without Explicit Permission

Page 2

ISA SP-99 Agenda Item 2

Introductions/Circulate Roster

Page 3

ISA SP-99 Agenda Item 3

Review and Modify the Agenda

Page 4

ISA SP-99 Agenda Item 4

Nominate Vice-Chairman and Secretary

• Discussions on Nominations
• Identify Nominees if possible

Page 5

ISA SP-99 Agenda Item 5

Review Officer Responsibilities and Guidelines

• Managing Director appoints Chairman
• Appoint Vice Chairman
• Appoint Secretary
• Other responsibilities …

1- From S&P Manual of Procedures, Dec 8 1997

Page 6

ISA SP-99 Agenda Item 6

Recommendations for Further Appointments

• Editor(s)
• Others

Page 7

ISA SP-99 Agenda Item 7

S&P Procedures

• Standards and Practices Committee Guide
• Standard and Practices Department Manual of Procedures

Page 8

ISA SP-99 Agenda Item 8

Review of Scope, Purpose, Title, Tasks

Page 9

ISA SP-99 Scope and Purpose

Manufacturing & Process Control systems whose failure or compromise of contained information could endanger public or employee health or safety, violate federal or state regulations, or cause economic loss, and which have interfaces providing communications with external systems.

For the purposes of this standard, manufacturing & process control systems is taken in the broadest possible sense, to include both process control, manufacturing operations and systems, continuous, discrete, and batch, control and safety systems, serving all types of plants, facilities, and systems in all industries.

Agenda Item 11

Page 10

ISA SP-99 Title

Manufacturing and Control Systems Security

Agenda Item 11

Page 11

ISA SP-99 Committee Liaisons

• ISA SP-95 Keith Unger
• ISA SP-67 Bob Webb
• ISA SP-91 TBD
• ISA SP-84 Vic Maggioli
• ISA SP-50 TBD
• NIST PCSRF – Dave Teumim
• IEC, IEEE, IAS?
• Others?

Page 12

ISA SP-99 Vendor Representatives

• Who do we have Currently Represented?
• Who Else should we Attempt to Involve?

Page 13

ISA SP-99 Agenda Item 10

Technical Report Working Group

Initial Proposed Section Titles:

• Manufacturing and Control Systems Security Overview
• Survey of Technology as Applicable to Manufacturing and Control Systems
• Integrating Security into the Manufacturing and Control Systems Environment
• Audit and Metrics of Security Performance

Page 14

ISA SP-99 Technical Report Purpose

“Close the Barn Door After the Horse is Gone.” Security is already a problem

Make technical and procedural recommendations that will improve current security of process control systems, but not necessarily finalized measures

Represent current “best practice” thoughts and general recommendations in absence of the full discovery and analysis of the standards creation process

Essence should be on speed of delivery with definite goals, under the premise that a full standards effort is right behind the technical report

Agenda Item 11

Page 15

Technical Report Section 1: Manufacturing and Control System Security Overview

Provide General Introduction, Statement of Intent, Purpose, Etc. for Technical Report

Definition of Scope

Definition of Terminologies Used Within Report

Reference Resources Used in Creation of Report

• ISO/IEC 17799
• BS 17799-2
• ISO/IEC 15408
• NIST PCSRF SPS
• ISO/IEC 13335
• Others?

Agenda Item 11

Page 16

ISA–The Instrumentation, Systems, and Automation Society

Technical Report Section 2: Survey of Technology as Applicable to Control Systems

Eric Byres, P.Eng.


Agenda Item 12

Page 17

The Task

Prepare an abstract for: Section 2 - Survey of Technology as Applicable to Manufacturing and Control Systems.

Base this on ISO 17799 standard.

Page 18

Bad News…

The ISO 17799 Standard Doesn’t Really Address Technology Well.

Focuses on Audit “Check List”

Agenda Item 12

Page 19

Proposed Solution

Define 5 Broad Classes for Security Technology:

1. Filtering/Blocking Technology (e.g., Firewalls)
2. Encryption Technology
3. Authentication Technology
4. Detection Technology (Intrusion Prevention)
5. Data Validation/Integrity Technology

Agenda Item 12

Page 20

Comments?

Are There Better Technology Classifications to Be Found Elsewhere?

Are We Missing Anything?

• E.g., Technology for Non-repudiation?
• E.g., Should Filtering Be Part of Authentication?

Will Something New Show up Next Year?

Agenda Item 12

Page 21

Technical Report Section 3 – Integrating Security into the Manufacturing and Control Systems Environment

Agenda Item 13

Page 22

Technical Report Section 3 Overview

Agenda Item 13

Guidelines for Asset Identification and Business Requirements Modeling for Process Control Systems

General Guidelines for Threat Vulnerability and Assessment

Application of Commonly Accepted Technologies and Security Practices to the Control Systems Environment

Page 23

Technical Report Section 4 – Audit and Metrics

Agenda Item 14

Tools, Checklists, Etc for Self Evaluation of Security Policies, Practices, and Procedures

Evaluation Tools for Analyzing Technological Performance of Security Measures

Audit Procedures for Evaluating Performance of Business Model Including Security Policies.

Page 24

ISA SP-99 Agenda Item 15

Next Steps for Technical Report

• Organize Committee Into General Subcommittees to Continue Work
• Produce Framework of Report Sections by January 2003
• Produce Initial Draft of Sections by March 2003
• Produce Final Draft for Approval by July 2003

Page 25

ISA SP-99 Agenda Item 16

Schedule Next Meetings

• Conference Call in November?
• Conference Call in December?
• ISA Show in Houston, next Face to Face?

Page 26

ISA SP-99 Agenda Item 17

Additional Agenda Items – New Business

Page 27

ISA SP-99 Agenda Item 18

Review Action Items

Page 28

ISA SP-99 Agenda Item 19

Final Comments/Adjourn
