Unrestricted / © Siemens AG 2015. All Rights Reserved. siemens.com/industrialsecurity

IEC 62443 - INDA
Industrial Security - Protecting productivity

Unrestricted / © Siemens AG 2015. All Rights Reserved. 07.10.2015, Page 2, DKE-Workshop Konformitätsbewertungsbedarf IT-Sicherheit (DKE workshop on the need for conformity assessment in IT security), Dr. Pierre Kobes

• IEC 62443

Industrial Security

Industrial Automation and Control System (IACS)

IACS environment / project specific:
• Asset Owner operates the IACS: Operational and Maintenance policies and procedures + Automation solution
• System Integrator designs and deploys the Automation solution: Basic Process Control System (BPCS), Safety Instrumented System (SIS), Complementary Hardware and Software

Independent of IACS environment:
• Product Supplier develops the Control System as a combination of Host devices, Network components, Applications and Embedded devices; the Control System is the base for the Automation solution

IEC 62443 parts marked on the diagram: 2-1, 2-4, 3-2, 3-3, 4-1, 4-2

Actual structure of IEC / ISA-62443
Main documents to be published

General (Definitions, Metrics):
• 1-1 Terminology, concepts and models
• 1-2 Master glossary of terms and abbreviations
• 1-3 System security compliance metrics

Policies and procedures (Requirements placed on security organization and processes of the plant owner and suppliers):
• 2-1 Requirements for an IACS security management system (Ed. 2.0, Profile of ISO 27001 / 27002)
• 2-3 Patch management in the IACS environment
• 2-4 Requirements for IACS solution suppliers

System (Requirements to achieve a secure system):
• 3-1 Security technologies for IACS
• 3-2 Security risk assessment and system design
• 3-3 System security requirements and security levels

Component (Requirements to secure system components):
• 4-1 Product development requirements
• 4-2 Technical security requirements for IACS products

Requirement types marked on the diagram: Functional requirements; Processes / procedures

Publication status labels shown on the diagram: IS* 08/2013; IS* 06/15; DC* 3Q15; DC* 1Q15; CDV* 3Q15; CDV* 3Q15; TR* 06/15; IS* 2009; TR* 2009; DTS* 1Q14 Rejected

*DC: Draft for Comment
*CDV: Committee Draft for Vote
*IS: International Standard
*TR: Technical Report
*ID: Initial Draft

Various parts of IEC / ISA-62443 are addressing Defense in Depth

IACS environment / project specific:
• Asset Owner: Operational and Maintenance policies and procedures
• System Integrator: Policies and procedures; Security capabilities of the Automation Solution

Independent of IACS environment:
• Product Supplier: Development process; Security capabilities of the products

IEC 62443 parts marked on the diagram: 2-1, 2-4, 3-2, 3-3, 4-1, 4-2

Each stakeholder can create vulnerabilities
Example: User Identification and Authentication

[Diagram: the IACS stakeholder model. IACS environment / project specific: the Asset Owner operates the IACS (Operational and Maintenance policies and procedures + Automation solution); the System Integrator designs and deploys the Automation solution (BPCS, SIS, Complementary Hardware and Software). Independent of IACS environment: the Product Supplier develops the Control System (Host devices, Network components, Applications, Embedded devices), which is the base for the Automation solution. Each of the three stakeholders is marked "can create weaknesses".]

Weaknesses shown for the example:
• Hard coded passwords
• Elevation of privileges
• Default passwords not changed
• Temporary accounts not deleted
• Non confidential passwords
• Passwords not renewed
• Invalid accounts not deleted


• IECEE / INDA

Industrial Security

IECEE INDA / Industrial Security

[Diagram: IEC CB Schemes. Labels: Industrial, POW, MEAS, ……; Security, Product Safety, EMC, ……..; Management, Processes, Products, Systems, Contracts; Organizational, Product Development, Plant Audit.]

IECEE INDA / Industrial Security

[Diagram: IEC CB Schemes. Labels: Industrial, POW, MEAS, ……; Security, Product Safety, EMC, ……..; Management, Processes, Products, Systems, Contracts; Organizational, Product Development, Plant Audit. The diagram is annotated with the numbered markers 1, 2, 3 and 4.]

Actual structure of IEC / ISA-62443
Main documents to be published

[Diagram: the IEC / ISA-62443 document structure (General; Policies and procedures; System; Component) with the same parts, status labels and legend as on the earlier slide of the same title, annotated with the numbered markers 1, 2, 3 and 4.]

IEC / IECEE Working Groups

IEC CAB WG 17 Group for Cyber Security
• Decision 37/21 — CAB WG 17 – Cyber Security

The CAB thanked WG 17 for its report, CAB/1383/R, noted that its scope is focused on home automation, smart devices (such as smart meters) and medical devices, and indicated that WG 17 should focus on all those sectors concerned with cyber security except those currently being worked on in IECEE (industrial automation).

IECEE-PSC WG 3 TF 2 Task Force Cyber Security
Terms of Reference:
• To make a unique approach for conformity assessment to the IEC 62443 series
• The initial set-up of a guidance Operational Document to describe how the conformity assessment can be handled.
• To describe the use of testing tools (start of instrument list) and test protocols.


• Protection Levels / Holistic Approach

Industrial Security

Assessment scopes

Asset Owner, Service Provider, System Integrator: Protection of an installation in operation
• Assessment of the operational and maintenance policies and procedures of the asset owner incl. people qualification
• Assessment of the (realized) functional capabilities of the Automation Solution

System Integrator (Service Provider): Capabilities of the system integrator
• Assessment of the capabilities of a representative instance of an automation solution
• Assessment of the processes of the system integrator
Gives a certain confidence that the system integrator can realize the required functionalities of the automation solution

Product supplier: Capabilities of the products
• Assessment of the capabilities of products and the systems
• Assessment of the quality of the development process
Gives a certain confidence that the products and systems realize the claimed functionalities and have “less” vulnerabilities

[Diagram boxes: Operational and maintenance procedures; Realized capabilities of the Automation Solution; System capabilities; Policies / procedures; System capabilities; Development process; Product capabilities. Further labels: IECEE WG3 TF2; Objective of cybersecurity. IEC 62443 parts marked on the diagram: 2-1, 2-4, 3-2, 3-3, 4-1, 4-2.]

Goal of governments

Goal of the governments: Protection of critical infrastructures

Asset Owner, Service Provider, System Integrator: Protection of an installation in operation
• Assessment of the operational and maintenance policies and procedures of the asset owner incl. people qualification
• Assessment of the (realized) functional capabilities of the Automation Solution

[Diagram boxes: Operational and maintenance procedures; Realized capabilities of the Automation Solution. Further labels: Objective of cybersecurity; Scope of Protection Levels.]

Government initiatives shown:
• Improving Critical Infrastructure Cybersecurity, Executive Order 13636
  → NIST Cybersecurity Framework
• Loi de programmation militaire pour les années 2014 à 2019
  → ANSSI Cybersécurité pour les systèmes industriels, Mesures détaillées
• Commission Proposal for a Directive concerning measures to ensure a high common level of network and information security (NIS) across the Union
• Control System Security Center (CSSC)
  → CSS-Base6 Cybersecurity Test Bed
• IT Sicherheitsgesetz
  → BSI Bundesamt für Sicherheit der Informationssysteme

Basic documents of IEC / ISA-62443 are stable enough to be used

[Diagram: the IEC / ISA-62443 document structure (General; Policies and procedures; System; Component) with parts 1-1, 1-2, 1-3, 2-1, 2-3, 2-4, 3-1, 3-2, 3-3, 4-1 and 4-2 and the status legend (DC, CDV, IS, TR, ID), carrying these annotations:]
• 2-1 Requirements for an IACS security management system (Ed. 2.0, Profile of ISO 27001 / 27002): ISO/IEC 27001 can be used till this part is approved
• 2-4 Requirements for IACS solution suppliers: Approved
• 3-3 System security requirements and security levels: Approved

Process requirements and functional requirements are linked

IACS environment / project specific

For each Conformance Cluster (1, 2, … n), the Protection Level covers:
• Related policies and procedures: IEC 62443-2-1, IEC 62443-2-4
• Realized capabilities of the Solution: IEC 62443-3-3

Stakeholder labels on the diagram: PS, SI, AO

Protection Levels cover security functionalities and processes

Assessment of security functionalities (Security Level):
• SL 1: Capability to protect against casual or coincidental violation
• SL 2: Capability to protect against intentional violation using simple means with low resources, generic skills and low motivation
• SL 3: Capability to protect against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
• SL 4: Capability to protect against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation

Assessment of security processes (Maturity Level):
• ML 1: Initial - Process unpredictable, poorly controlled and reactive.
• ML 2: Managed - Process characterized, reactive
• ML 3: Defined - Process characterized, proactive deployment
• ML 4: Optimized - Process measured, controlled and continuously improved

[Matrix: Maturity Level (1 to 4) on the vertical axis against Security Level (1 to 4) on the horizontal axis.]

Protection Levels:
• PL 1: Protection against casual or coincidental violation
• PL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
• PL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
• PL 4: Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation

Assessment is conducted in 4 steps

1. Assess Business Risk to determine Criticality
2. Assign Target Protection Levels
3. Assess Protection Levels
4. Achieved Protection Levels

Conformance Clusters should cover all relevant security dimensions. The Protection Level is assessed for each Conformance Cluster.

Conformance Clusters: Conformance Cluster 1, Conformance Cluster 2, Conformance Cluster 3, Conformance Cluster 4, Conformance Cluster 5

• PL 1: Protection against casual or coincidental violation
• PL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
• PL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
• PL 4: Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation

Process controls and functional requirements provide the framework for a holistic assessment of Protection Levels

[Diagram: the Protection Level of each Conformance Cluster (1 to 5) is assessed across three rows:]
• Asset Owner: IEC 62443-2-1, ISO/IEC 27001 (All controls of IEC 62443-2-1 / ISO 27001)
• Service Provider: IEC 62443-2-4 (All requirements of IEC 62443-2-4)
• Automation Solution: IEC 62443-3-3 (All requirements of IEC 62443-3-3)


Dr. Pierre Kobes

Product and Solution Security Officer

PD TI ATS TM 2

E-Mail: [email protected]

Thank you for your attention!

siemens.com/industrialsecurity