- 1. S4 Japan 2014 Closing RemarksYokogawa Electric
CorporationIAMK014-0411Copyright Yokogawa Electric Corporation- 1
-Tatsuaki TakebeAll brand or product names in this document are
trademarks or registered trademarks of theirrespective
companies.
2. First Self-destructprogram (RichardSkrenta) First
Self-replicateprogram (Skrentas ElkCloner) Brain Virusdeveloped by
twoPakistanis Yale, Cascade,Jerusalem,Lehigh, etc. KenThompsondemo
firstTrojan Horse Fred CohensVAX VirusesProtocol Weaknesses/Buffer
overflowIAMK014-0411Copyright Yokogawa Electric Corporation- 2 -
Apple II Computer Commodore Atari TI-99 TRS-80 First Wormdeveloped
in XeroxPalo Alto FBI arrest 414sHacker Group FirstConceptMacro
Virus Stealth virus (Whale) Variable Encryption (1260) Morris Worm
Robert T Morrisfined $10K, 3 yearsprobation Code Red Nimda
Philippines ILOVE YOUvirus Melissa virus($80m) Excel MacroVirus
(crossplatform) Solar Sunrise -Two California Teensattack on 500
Military,Govt, & PrivateComputer Systems(Vul) Slammer Blaster
WeiChia MyDoom Sasser Melissas authorsentenced 20 monthsjail DDoS
on 13root serversStandalone Systems Disk/Diskette
SharingInformation WarfareComputer CrimesTrusted Operating Systems
(Orange Book) Trusted Network (Red Book) ITSEC Phishing
attacksproliferatedUK Green Book to BS 7799 to ISO 17799 to ISO
27001Common Criteria (ISO 15408)Insecure Default/Weak Security
Techniques/Feature Misuse/Social Engineering Spyware Bots
Phishingbegins inAOL Cuckoos Eggin LBLCyber Crimes SPAM
MailsDiscovery Experimentation Criminal Exploitation
197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006
Pharmingattacks (DNSpoisoning) Kevin Mitnickarrested,
fiveyearsimprisonment ZoTob WMFInternet World Client-server/PC-LAN
Networks Wide Web Web 2.0By Meng Chow Kang 3. " Attack
Sophistication & Intruder Knowledge" Everybody can be an
attacker." Attack tools can be used for the control
systems.Stealth/AdvancedScanning TechniquesNetwork Management
DiagnosticsSweepersDisabling AuditsMalicious CodeMorphingWWW
AttacksAutomated Probes/ScansHijacking SessionsExploiting Known
VulnerabilitiesPassword CrackingSelf-Replicating
CodeIAMK014-0411Copyright Yokogawa Electric Corporation- 3
-Password GuessingSniffersBOTSDistributed Attack ToolsDenial of
ServiceGUIPacket SpoofingHigh1980 1985 1990 1995 2000 2005
2010Intruder KnowledgeLowAttackersBack DoorsZombiesAttack
SophisticationLipson, H. F., Tracking and Tracing Cyber-Attacks:
Technical Challenges and Global Policy Issues, Special Report
CMS/SEI-2002-SR-009, November 2002, page 10. 4. Security Incidents
From The Repository of Industrial Security
IncidentsIAMK014-0411Copyright Yokogawa Electric Corporation- 4
-35302520151050198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011
5. " Industrial Control Systems Security
CoverageTCIPIAMK014-0411Copyright Yokogawa Electric
CorporationISCIISCII3P SCADA LOGIIC AchillesWurld-Tech- 5
-PCSRFAGAPowerOil &GasChemWaterTransportCommReq R&D Dev
Test Eval Demo Deploy OperationSCADA
SBIRsCSSPCSSPNSTBISA|99API114FERCNERCSP|99ISACIDXChemITCMuDynamicsICSJWG
6. Critical Infrastructure & StdsIEC ISO/IEC/JTC1ISO/IEC 15408,
18045,19790, 24759,
27001,27002(17799)62351-1762443-13NSTBCSSPCPNI(NISCC Tech Note
Series)FERC EPRINERC International Govmtl Industry
OutcomeNISTSP800-82, 53, 30, 18, 37FIPS 199, 200, 140-2CMVP,
CAVPISCII3P LOGIICAPIChemical CIDXR isk M a pA ccessP o licyT o o
lE m era ldD E A D B O L TS ecS SH S M T UWater Sewerage
IAMK014-0411Copyright Yokogawa Electric Corporation- 6 -AGAa
ccCIP-002-X -009-XAPI 1164AGA12Guidance for Addressing Cyber
Securityin the Chemical IndustryIn tellig en tID SINLCyber
SecurityProcurementLanguage for ControlSystemsIEEE IE E E -1 4 0 2
,1 6 8 6DOE 21 Steps to ImproveCyber SecurityUnite
PCSFOrganizations &PeopleISA99
WG1-6ISA99.01.01,02.01,03.01,CCEVS,NVLAP(TestLab)Test SpecsTest
LabsPCSRFSPP-ICS PPPowerOilGasTransportRailroadTelecommunicationAny
7. " Industrial Control Systems Security
CoverageIAMK014-0411Copyright Yokogawa Electric
CorporationISCIISCI- 7 -PowerOil &GasChemWaterTransportCommReq
R&D Dev Test Eval Demo Deploy OperationISA99 ISA99 8.
IAMK014-0411Copyright Yokogawa Electric Corporation- 8 -8" IEC/ISA
62443 Series structure 9. " ISA 99 organizational
structureIAMK014-0411Copyright Yokogawa Electric Corporation- 9 -9
10. IAMK014-0411Copyright Yokogawa Electric Corporation- 10 -" IEC
TC 65 11. Cards & PI BioMetricsIAMK014-0411Copyright Yokogawa
Electric Corporation- 11 -"
ISOIECSecurityFinancialServicesVocabulary 12. IAMK014-0411Copyright
Yokogawa Electric Corporation- 12 -" ISO/IEC JTC 1/SC 27SC 27WG 1WG
2WG 3WG 4WG 5ISMSCryptoSecurityEvaluationSecurityControl
&ServicesIDMgmnt &Privacy2700X1540819790247602910029101ISA
99IEC TC 65/WG10SC 22/WG 23ISA 99IEC TC 65/WG10 13.
IAMK014-0411Copyright Yokogawa Electric Corporation- 13 -" ISO/IEC
JTC 1 SC 22SC
22WG4COBOLWG5FortranWG9ADAWG14CWG17PrologWG19Formalprogramming
languagesWG21C++WG23Prog Lang VulTR24772SC 27/WG 3 14. Secure IACS
and maintain operational security IAMK014-0411Copyright Yokogawa
Electric Corporation- 14 -System Security Compliance
MetricsEstablishing an Industrial Automationand Control Systems
Security ProgramOperating an industrial automationand control
system security programIEC 62443-2-4
practicesIACSsuppliersecuritypoliciesandTargetSecurityAssuranceLevelsforISA
99.01.03ISA 99.02.01ISA 99.02.02ISA 99.02.03ISA 99.03.02
ZonesandConduitsSystem security requirements and securityassurance
levelsISA 99.03.03ISA 99.02.01ISA 99.03.02ISA 99.03.02ISA
99.01.03ISA 99.03.03ISA 99.01.03ISA 99.02.02ISA 99.02.03ISA
99.02.01 ISA 99.04.01ISA 99.04.02IEC 62443-2-4IEC 62443-2-4How to
fit the entire pieces together? 15. " Compliance" IEC 62443-2-1
ISMS compliance for Asset Owners (62443-2-1 isIAMK014-0411Copyright
Yokogawa Electric Corporation- 15 -aligned with ISO/IEC 27001)" IEC
62443-2-4 Vendor/System Integrator Security Maturity 16. Product
security IEC 62443-4-1Assurance Sec Rea IEC 62443-4-2Functional Sec
ReqIAMK014-0411Copyright Yokogawa Electric Corporation- 16 - 17.
ISASecure LevelsCommunication Robustness
TestingIAMK014-0411Copyright Yokogawa Electric Corporation- 17
-Software Development SecurityAssessmentFunctional Security
AssessmentSoftware DevelopmentSecurity AssessmentFunctional
SecurityAssessmentSoftware DevelopmentSecurity AssessmentFunctional
SecurityAssessmentLEVEL 1LEVEL 2LEVEL 3Requirements Necessary to
AchieveCertification LevelsLevel 1 Level 2 Level 3Total Count
inSpecificationSDSA 130 149 170 170FSA 20 49 82 82CRT All All
AllCRT Common Specificationplus all 6 Protocol CRTSpecifications
18. ISASecure EDSA Certification ProgramIAMK014-0411Copyright
Yokogawa Electric CorporationDetects and Avoids systematic design
faults The vendors software development and maintenanceprocesses
are audited for artifacts for DUT Ensures the organization follows
a robust, secure softwaredevelopment process- 18 -Embedded
DeviceSecurity AssuranceSoftware DevelopmentSecurity Assurance
(SDSA)Functional SecurityAssessment (FSA)CommunicationsRobustness
Testing (CRT)Detects Implementation Errors/Omissions A components
security functionality is audited against itsderived requirements
for its specified security level Ensures the product has properly
implemented the securityfunctional requirementsIdentifies
vulnerabilities in device networking capabilities A components
communication robustness is tested againstcommunication robustness
requirements Tests for vulnerabilities in the 4 layers of OSI
Reference Model 19. ISA Security Compliance Institute Document
Structure for ProductEvaluation" Similar structure for system
evaluation is being discussed now.IAMK014-0411Copyright Yokogawa
Electric Corporation- 19 -19Tatsuaki Takebe Yokogawa Electric Corp.
20. In order to decrease the chances to be hacked, You need
investments Attackers need skill, resources to crack the secure
system Lets make an agreement and grade the levelLvl
4IAMK014-0411Copyright Yokogawa Electric Corporation- 20 -Attackers
Skill,Resources,Tools,TimeHow much security?Investment,Efforts,Tech
Level,AssuranceLevelChances to getcompromised.Lvl 3Lvl 2Lvl 1 21. "
62443-3-3 System security requirements and security assurance
levelsFrom Draft 3 ISA 62443-3-3(99.03.03) Sep 20114. FR 1
Identification and authentication controlTo prevent unauthorized
access to device and/or inquiry of its infoTo prevent unauthorized
operation of deviceTo prevent tampering dataTo prevent data
leakageTo prevent unauthorized information leakageTo notify
security violation to authority and to report forensic evidenceTo
protect the entire NW resources from DoS
attacksIAMK014-0411Copyright Yokogawa Electric Corporation- 21 -5.
FR 2 Use control6. FR 3 Data integrity7. FR 4 Data
confidentiality8. FR 5 Restricted data flow9. FR 6 Timely response
to events10. FR 7 Resource availability21Tatsuaki Takebe Yokogawa
Electric Corp. 22. " 62443-3-3 System security requirements and
security assurance levelsFrom Draft 3 ISA 62443-3-3(99.03.03) Sep
20114. Identify and authenticate all users (humans, processes
anddevices), and allow them access to the system or assets. SL 1
Identify and authenticate all users (humans, processes anddevices)
by mechanisms which protect against casual orcoincidental access by
unauthorized entities. SL 2 Identify and authenticate all users
(humans, processes anddevices) by mechanisms which protect against
intentionalunauthorized access by entities using simple means. SL 3
Identify and authenticate all users (humans, processes anddevices)
by mechanisms which protect against intentionalunauthorized access
by entities using sophisticated means. SL 4 Identify and
authenticate all users (humans, processes anddevices) by mechanisms
which protect against intentionalunauthorized access by entities
using sophisticated means withextended
resources.IAMK014-0411Copyright Yokogawa Electric Corporation- 22
-22Tatsuaki Takebe Yokogawa Electric Corp. 23. " 62443-4-1 Product
Development RequirementsFrom Draft 1 Edit 1 ISA-99.04.01 Jun 20115.
Phase 1 Security Management Plan (SMP) SDSA-SMP-1 - Security
Management Plan SDSA-SMP-2 - Action Item Resolution SDSA-SMP-3 -
Documentation of softwarereleases SDSA-SMP-4 - Development
Environment SecurityDocumentation SDSA-SMP-5 - CM System SDSA-SMP-6
- Configuration Management Plan SDSA-SMP-7 - Configuration
ListIAMK014-0411Copyright Yokogawa Electric Corporation- 23
-23Tatsuaki Takebe Yokogawa Electric Corp. 24. " 62443-4-1 Product
Development RequirementsFrom Draft 1 Edit 1 ISA-99.04.01 Jun 20116.
Phase 2 - Security Requirements Specification (SRS)7. Phase 3
Software Architecture Design (SAD)8. Phase 4 - Security Risk
Assessment and Threat ModelingIAMK014-0411Copyright Yokogawa
Electric Corporation- 24 -(SRA)9. Phase 5 - Detailed Software
Design (DSD)10. Phase 6 - Document Security Guidelines (DSG)11.
Phase 7 - Module Implementation & Verification (MIV)12. Phase 8
- Security Integration Testing (SIT)13. Phase 9 - Security Process
Verification (SPV)14. Phase 10 - Security Response Planning
(SPR)15. Phase 11 - Security Validation Testing (SVT)16. Phase 12 -
Security Response Execution (SRE)24Tatsuaki Takebe Yokogawa
Electric Corp. 25. ConclusionsIAMK014-0411Copyright Yokogawa
Electric Corporation- 25 - Why standards? No security is perfect.
Standards are the golden mean agreedupon by the stakeholders.
Compliance/Certification givesassurance if something happens. 26.
Thank you very muchfor your attentionIAMK014-0411Copyright Yokogawa
Electric Corporation- 26 -