Standards Certification Education & Training Publishing Conferences & Exhibits 1 Copyright © ISA ISA99 - Industrial Automation and Controls Systems Security Committee Summary and Activity Update August 2015 August 2015
Jan 08, 2018
StandardsCertificationEducation & TrainingPublishingConferences & Exhibits
1Copyright © ISA
ISA99 - Industrial Automation and Controls Systems Security
Committee Summary and Activity UpdateAugust 2015
August 2015
2Copyright © ISA
Purpose
• Introduce the ISA99 committee and the ISA-62443 series of standards on Industrial Automation and Control Systems Security.
August 2015
3Copyright © ISA
Topics
• Who are we?• How do we work?• What are the basics?• What are our work products?• Where do things stand?
August 2015
Who we are
August 2015 4Copyright © ISA
5Copyright © ISA
ISA99 Committee
• The International Society of Automation (ISA) Committee on Security for Industrial Automation & Control Systems (ISA99)– 500+ members– Representing companies across all sectors, including:
– Chemical Processing– Petroleum Refining– Food and Beverage– Energy– Pharmaceuticals– Water– Manufacturing
August 2015
6Copyright © ISA
Our Scope
• “… industrial automation and control systems whose compromise could result in any or all of the following situations:– endangerment of public or employee safety– environmental protection– loss of public confidence– violation of regulatory requirements– loss of proprietary or confidential information– economic loss– impact on entity, local, state, or national security”
August 2015
How we Work
August 2015 7Copyright © ISA
8Copyright © ISA
ISA99 and ISA/IEC 62443
• ISA/IEC 62443 is a Series of Standards• Being Developed by 3 Groups
– ISA99 ANSI/ISA-62443– IEC TC65/WG10 IEC 62443– ISO/IEC JTC1/SC27 ISO/IEC 2700x
August 2015
9Copyright © ISA
Other Partners for Related Topics
• Process Safety (ISA84, IEC TC65)• Wireless Communications (ISA100)• Certification (ISCI)• Information Sharing (ICSJWG)• Security Framework (NIST)• International Reach (IEC/ISO)• etc.
August 2015
IACSSecurity
The Basics
• General Concepts• Fundamental Concepts
August 2015 10Copyright © ISA
General Concepts
• Security Context• Security Objectives• Least Privilege• Defense in Depth• Threat-Risk Assessment• Policies and Procedures
Source: ISA-62443-1-1, 2nd Edition (Under development)
August 2015 11Copyright © ISA
12Copyright © ISA
Fundamental Concepts
• Security Life Cycle• Zones and Conduits• Security Levels• Foundational Requirements• Program Maturity• Safety and Security
August 2015
Source: ISA-62443-1-1, 2nd Edition (Under development)
Security Life Cycles
August 2015 13Copyright © ISA
Source: ISA-62443-1-1, 2nd Edition (Under development)
14Copyright © ISA
Zones and Conduits
A network & system segmentation technique:• Prevents the spread of an incident• Provides a front-line set of defenses• The basis for risk assessment in system
design
August 2015
15Copyright © ISA
System Segmentation
• A process to understand:– How different systems interact– Where information flows between systems– What form that information takes– What devices communicate– How fast/often those devices communicate– The security differences between system
components• Technology helps, but architecture is more
important
August 2015
Example
August 2015 16Copyright © ISA
Security Levels
August 2015 17Copyright © ISA
Casual or Coincidental Violation
Intentional Violation Using Simple Means with Low Resources, Generic Skills & Low Motivation
Intentional Violation Using Sophisticated Means with Moderate Resources, IACS Specific Skills & Moderate
Motivation
Intentional Violation Using Sophisticated Means with Extended Resources, IACS Specific Skills & High
Motivation
18Copyright © ISA
Foundational Requirements
• FR 1 – Identification & authentication control• FR 2 – Use control• FR 3 – System integrity• FR 4 – Data confidentiality• FR 5 – Restricted data flow• FR 6 – Timely response to events• FR 7 – Resource availability
August 2015
Program Maturity
• A means of assessing capability• Similar in concept to Capability Maturity
Models– e.g., SEI-CMM
• An evolving concept in the standards– Applicability to IACS-SMS
August 2015 Copyright © ISA 20
Safety and Security
• Safety is much of the “raison d’etre” for security– Presenting consequences
• Much to be learned from the Security community
• Collaboration– ISA99-ISA84 joint efforts– ISA Safety and Security Division
August 2015 20Copyright © ISA
21Copyright © ISA
Fundamental Concepts Status
Security Life Cycle Zones and Conduits→ Security Levels Foundational Requirements→ Program Maturity→ Safety and Security
August 2015
Work Products
August 2015 22Copyright © ISA
August 2015 23Copyright © ISA
The ISA-62443/IEC 62443 SeriesG
ener
alP
olic
ies
&
Pro
cedu
res
Sys
tem
Com
pone
nt
Concepts and models Master glossary ofterms and abbreviations
System security conformance metrics
IACS security life-cycle and use-cases
Requirements for an IACS security
management system
Implementation guidance for an IACS security management system
Patch management inthe IACS environment
Requirements for IACS solution suppliers
Security technologiesfor IACS
Security risk assessment and system design
System security requirements and
security levels
Product development requirements
Technical security requirements for IACS
components
ISA-62443-1-1 ISA-TR62443-1-2 ISA-62443-1-3 ISA-TR62443-1-4
ISA-62443-2-1 ISA-TR62443-2-2 ISA-TR62443-2-3 ISA-62443-2-4
ISA-TR62443-3-1 ISA-62443-3-2 ISA-62443-3-3
ISA-62443-4-1 ISA-62443-4-2
Sta
tus
Key
Published
Published (under review)
In development
Out for comment/vote
Planned
24Copyright © ISA
General Information
• ISA-62443-1-1– Concepts and Models
• ISA-TR62443-1-2– Master Glossary
• ISA-TR62443-1-3– Metrics
• ISA-TR62443-1-4– Lifecycle & Use Cases
August 2015
25Copyright © ISA
Policies and Procedures
• ISA-62443-2-1– Security Management System
• ISA-TR62443-2-2– Implementation Guidance
• ISA-TR62443-2-3– Patch Management
• ISA-62443-2-4– Requirements for Suppliers
August 2015
26Copyright © ISA
System Requirements
• ISA-62443-3-1– Security Technologies
• ISA-62443-3-2– Risk Assessment and Design
• ISA-62443-3-3– System Requirements
August 2015
27Copyright © ISA
Component Requirements
• ISA-62443-4-1– Product Development
• ISA-62443-4-2– Technical Component Security
August 2015
What is Happening
August 2015 28Copyright © ISA
29Copyright © ISA
Recent Developments
• ISA-TR62443-1-3– Formally assigned to a new WG12 for
development• ISA-TR62443-2-3
– Published in July 2015• IEC-62443-2-4
– Published by IEC– Proposed adoption by ISA
August 2015
30Copyright © ISA
Recent Developments
• ISA-TR62443-3-2– Submitted to committee for approval
• ISA-TR62443-4-1– Submitted to committee for comment
• ISA-TR62443-4-2– Submitted to committee for comment
August 2015
31Copyright © ISA
Current Areas of Attention
• Alignment of Management System with ISO 27001:2013
• Affirming of Fundamental Concepts• Detailed Requirements
– Component Technical – Product Development
• The relationship between security and safety
August 2015
32Copyright © ISA
Review
Who are we? How do we work? What are the basics? What are our work products? Where do things stand?
August 2015
Conclusion
August 2015 33Copyright © ISA
• ISA99 Wiki – http//isa99.isa.org• Twitter – @ISA99Chair• Committee Co-Chairs
– General: [email protected]– Eric Cosman [email protected]– Jim Gilsinn [email protected]
• ISA Staff Contact– Charley Robinson, [email protected]
Please provide contact information & area of expertise or interest
Questions, Comments, Contributions…
August 2015 34Copyright © ISA
Questions
August 2015 35Copyright © ISA