isa99 - industrial automation and controls systems security
DESCRIPTION
Purpose Introduce the ISA99 committee and the ISA-62443 series of standards on Industrial Automation and Control Systems Security. The purpose of this presentation is to provide a general introduction to the ISA99 committee on industrial automation and control system security and its work products. The intent is not to go into a great deal of detail, but merely to provide enough information to allow the reader to understand the scope and status of the committee’s efforts. A secondary and perhaps more selfish purpose is to elicit your questions and comments, as members of the ISA99 stakeholders community. August 2015 Copyright © ISATRANSCRIPT
![Page 1: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/1.jpg)
StandardsCertificationEducation & TrainingPublishingConferences & Exhibits
1Copyright © ISA
ISA99 - Industrial Automation and Controls Systems Security
Committee Summary and Activity UpdateAugust 2015
August 2015
![Page 2: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/2.jpg)
2Copyright © ISA
Purpose
• Introduce the ISA99 committee and the ISA-62443 series of standards on Industrial Automation and Control Systems Security.
August 2015
![Page 3: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/3.jpg)
3Copyright © ISA
Topics
• Who are we?• How do we work?• What are the basics?• What are our work products?• Where do things stand?
August 2015
![Page 4: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/4.jpg)
Who we are
August 2015 4Copyright © ISA
![Page 5: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/5.jpg)
5Copyright © ISA
ISA99 Committee
• The International Society of Automation (ISA) Committee on Security for Industrial Automation & Control Systems (ISA99)– 500+ members– Representing companies across all sectors, including:
– Chemical Processing– Petroleum Refining– Food and Beverage– Energy– Pharmaceuticals– Water– Manufacturing
August 2015
![Page 6: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/6.jpg)
6Copyright © ISA
Our Scope
• “… industrial automation and control systems whose compromise could result in any or all of the following situations:– endangerment of public or employee safety– environmental protection– loss of public confidence– violation of regulatory requirements– loss of proprietary or confidential information– economic loss– impact on entity, local, state, or national security”
August 2015
![Page 7: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/7.jpg)
How we Work
August 2015 7Copyright © ISA
![Page 8: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/8.jpg)
8Copyright © ISA
ISA99 and ISA/IEC 62443
• ISA/IEC 62443 is a Series of Standards• Being Developed by 3 Groups
– ISA99 ANSI/ISA-62443– IEC TC65/WG10 IEC 62443– ISO/IEC JTC1/SC27 ISO/IEC 2700x
August 2015
![Page 9: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/9.jpg)
9Copyright © ISA
Other Partners for Related Topics
• Process Safety (ISA84, IEC TC65)• Wireless Communications (ISA100)• Certification (ISCI)• Information Sharing (ICSJWG)• Security Framework (NIST)• International Reach (IEC/ISO)• etc.
August 2015
IACSSecurity
![Page 10: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/10.jpg)
The Basics
• General Concepts• Fundamental Concepts
August 2015 10Copyright © ISA
![Page 11: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/11.jpg)
General Concepts
• Security Context• Security Objectives• Least Privilege• Defense in Depth• Threat-Risk Assessment• Policies and Procedures
Source: ISA-62443-1-1, 2nd Edition (Under development)
August 2015 11Copyright © ISA
![Page 12: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/12.jpg)
12Copyright © ISA
Fundamental Concepts
• Security Life Cycle• Zones and Conduits• Security Levels• Foundational Requirements• Program Maturity• Safety and Security
August 2015
Source: ISA-62443-1-1, 2nd Edition (Under development)
![Page 13: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/13.jpg)
Security Life Cycles
August 2015 13Copyright © ISA
Source: ISA-62443-1-1, 2nd Edition (Under development)
![Page 14: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/14.jpg)
14Copyright © ISA
Zones and Conduits
A network & system segmentation technique:• Prevents the spread of an incident• Provides a front-line set of defenses• The basis for risk assessment in system
design
August 2015
![Page 15: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/15.jpg)
15Copyright © ISA
System Segmentation
• A process to understand:– How different systems interact– Where information flows between systems– What form that information takes– What devices communicate– How fast/often those devices communicate– The security differences between system
components• Technology helps, but architecture is more
important
August 2015
![Page 16: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/16.jpg)
Example
August 2015 16Copyright © ISA
![Page 17: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/17.jpg)
Security Levels
August 2015 17Copyright © ISA
Casual or Coincidental Violation
Intentional Violation Using Simple Means with Low Resources, Generic Skills & Low Motivation
Intentional Violation Using Sophisticated Means with Moderate Resources, IACS Specific Skills & Moderate
Motivation
Intentional Violation Using Sophisticated Means with Extended Resources, IACS Specific Skills & High
Motivation
![Page 18: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/18.jpg)
18Copyright © ISA
Foundational Requirements
• FR 1 – Identification & authentication control• FR 2 – Use control• FR 3 – System integrity• FR 4 – Data confidentiality• FR 5 – Restricted data flow• FR 6 – Timely response to events• FR 7 – Resource availability
August 2015
![Page 19: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/19.jpg)
Program Maturity
• A means of assessing capability• Similar in concept to Capability Maturity
Models– e.g., SEI-CMM
• An evolving concept in the standards– Applicability to IACS-SMS
August 2015 Copyright © ISA 20
![Page 20: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/20.jpg)
Safety and Security
• Safety is much of the “raison d’etre” for security– Presenting consequences
• Much to be learned from the Security community
• Collaboration– ISA99-ISA84 joint efforts– ISA Safety and Security Division
August 2015 20Copyright © ISA
![Page 21: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/21.jpg)
21Copyright © ISA
Fundamental Concepts Status
Security Life Cycle Zones and Conduits→ Security Levels Foundational Requirements→ Program Maturity→ Safety and Security
August 2015
![Page 22: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/22.jpg)
Work Products
August 2015 22Copyright © ISA
![Page 23: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/23.jpg)
August 2015 23Copyright © ISA
The ISA-62443/IEC 62443 SeriesG
ener
alP
olic
ies
&
Pro
cedu
res
Sys
tem
Com
pone
nt
Concepts and models Master glossary ofterms and abbreviations
System security conformance metrics
IACS security life-cycle and use-cases
Requirements for an IACS security
management system
Implementation guidance for an IACS security management system
Patch management inthe IACS environment
Requirements for IACS solution suppliers
Security technologiesfor IACS
Security risk assessment and system design
System security requirements and
security levels
Product development requirements
Technical security requirements for IACS
components
ISA-62443-1-1 ISA-TR62443-1-2 ISA-62443-1-3 ISA-TR62443-1-4
ISA-62443-2-1 ISA-TR62443-2-2 ISA-TR62443-2-3 ISA-62443-2-4
ISA-TR62443-3-1 ISA-62443-3-2 ISA-62443-3-3
ISA-62443-4-1 ISA-62443-4-2
Sta
tus
Key
Published
Published (under review)
In development
Out for comment/vote
Planned
![Page 24: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/24.jpg)
24Copyright © ISA
General Information
• ISA-62443-1-1– Concepts and Models
• ISA-TR62443-1-2– Master Glossary
• ISA-TR62443-1-3– Metrics
• ISA-TR62443-1-4– Lifecycle & Use Cases
August 2015
![Page 25: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/25.jpg)
25Copyright © ISA
Policies and Procedures
• ISA-62443-2-1– Security Management System
• ISA-TR62443-2-2– Implementation Guidance
• ISA-TR62443-2-3– Patch Management
• ISA-62443-2-4– Requirements for Suppliers
August 2015
![Page 26: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/26.jpg)
26Copyright © ISA
System Requirements
• ISA-62443-3-1– Security Technologies
• ISA-62443-3-2– Risk Assessment and Design
• ISA-62443-3-3– System Requirements
August 2015
![Page 27: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/27.jpg)
27Copyright © ISA
Component Requirements
• ISA-62443-4-1– Product Development
• ISA-62443-4-2– Technical Component Security
August 2015
![Page 28: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/28.jpg)
What is Happening
August 2015 28Copyright © ISA
![Page 29: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/29.jpg)
29Copyright © ISA
Recent Developments
• ISA-TR62443-1-3– Formally assigned to a new WG12 for
development• ISA-TR62443-2-3
– Published in July 2015• IEC-62443-2-4
– Published by IEC– Proposed adoption by ISA
August 2015
![Page 30: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/30.jpg)
30Copyright © ISA
Recent Developments
• ISA-TR62443-3-2– Submitted to committee for approval
• ISA-TR62443-4-1– Submitted to committee for comment
• ISA-TR62443-4-2– Submitted to committee for comment
August 2015
![Page 31: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/31.jpg)
31Copyright © ISA
Current Areas of Attention
• Alignment of Management System with ISO 27001:2013
• Affirming of Fundamental Concepts• Detailed Requirements
– Component Technical – Product Development
• The relationship between security and safety
August 2015
![Page 32: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/32.jpg)
32Copyright © ISA
Review
Who are we? How do we work? What are the basics? What are our work products? Where do things stand?
August 2015
![Page 33: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/33.jpg)
Conclusion
August 2015 33Copyright © ISA
![Page 34: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/34.jpg)
• ISA99 Wiki – http//isa99.isa.org• Twitter – @ISA99Chair• Committee Co-Chairs
– General: [email protected]– Eric Cosman [email protected]– Jim Gilsinn [email protected]
• ISA Staff Contact– Charley Robinson, [email protected]
Please provide contact information & area of expertise or interest
Questions, Comments, Contributions…
August 2015 34Copyright © ISA
![Page 35: ISA99 - Industrial Automation and Controls Systems Security](https://reader035.vdocuments.net/reader035/viewer/2022062302/5a4d1af47f8b9ab059980198/html5/thumbnails/35.jpg)
Questions
August 2015 35Copyright © ISA