Upload
hadan
View
251
Download
8
Embed Size (px)
Citation preview
ISA Standards and Practices
Industrial Automation and
Controls Systems
Cybersecurity
The ISA99 Committee and
the 62443 Standards
February 2018 Copyright © ISA – All Rights Reserved
Purpose
Introduce the ISA99 committee and the ISA/IEC 62443
series of standards on Industrial Automation and Control
Systems Security.
1
February 2018 Copyright © ISA – All Rights Reserved
Topics
• Who are we?
• How do we work?
• What are the basics?
• What are our work products?
• Where do things stand?
2
February 2018 Copyright © ISA – All Rights Reserved
Who are we?
3
February 2018 Copyright © ISA – All Rights Reserved
ISA99 Committee
The International Society of Automation (ISA) Committee on
Security for Industrial Automation & Control Systems
Almost 900 members from around the world
4
February 2018 Copyright © ISA – All Rights Reserved
Our Scope
“… industrial automation and control systems whose compromise
could result in any or all of the following situations:
– endangerment of public or employee safety
– environmental protection
– loss of public confidence
– violation of regulatory requirements
– loss of proprietary or confidential information
– economic loss
– impact on entity, local, state, or national security”
5
February 2018 Copyright © ISA – All Rights Reserved
Industry Contribution and Application
• Reflects expertise from many sectors, including:
– Chemical Processing
– Oil and Gas
– Food and Beverage
– Energy
– Pharmaceuticals
– Water
– Manufacturing
– ICS suppliers
6
February 2018 Copyright © ISA – All Rights Reserved
How Do We Work?
7
February 2018 Copyright © ISA – All Rights Reserved
ISA99 and ISA/IEC 62443
• ISA/IEC 62443 is a series of standards being developed by two
groups:
– ISA99 ANSI/ISA-62443
– IEC TC65/WG10 IEC 62443
• In consultation with:
– ISO/IEC JTC1/SC27 ISO/IEC 2700x
8
February 2018 Copyright © ISA – All Rights Reserved
Partners for Related Topics
• Process Safety (ISA84, IEC TC65)
• Wireless Communications (ISA100)
• Intelligent device Management (ISA108)
• Medical Device Security (MDISS)
• Certification (ISCI)
• Communications & Advocacy
(Automation Federation)
• Security Framework (NIST)
9
IACS
Security
February 2018 Copyright © ISA – All Rights Reserved
The Basics
• General Concepts
• Fundamental Concepts
• Foundational Requirements
10
February 2018 Copyright © ISA – All Rights Reserved
General Concepts
• Security Context
• Security Objectives
• Least Privilege
• Defense in Depth
• Threat-Risk Assessment
• Supply Chain Security
Source: ISA-62443-1-1, 2nd Edition (Under development)
11
February 2018 Copyright © ISA – All Rights Reserved
Fundamental Concepts
• Principal Roles
• Life Cycles
• Zones and Conduits
• Security Levels
• Maturity Assessment
• Security and Safety
12
Source: ISA-62443-1-1, 2nd Edition (Under development)
February 2018 Copyright © ISA – All Rights Reserved
Principal Roles
• Product Supplier (PS)
• Integration Provider (IP)
• Asset Owner (AO)
• Maintenance Provider (MP)
• Service Provider (SP)
• System Operator (SO)
• Regulatory Authority (RA)
• Compliance Authority (CA)
#
February 2018 Copyright © ISA – All Rights Reserved
Life Cycles
14
Based on VDI 2182
Operation
& Maintenance
Integration /
Commissioning
Product
Development
Product
SupplierSystem
Integrator
Asset
Owner
Security Documentation
Security Guidelines
Security Support
Requirements
February 2018 Copyright © ISA – All Rights Reserved
Zones and Conduits
• A means for defining…
– How different systems interact
– Where information flows between systems
– What form that information takes
– What devices communicate
– How fast/often those devices communicate
– The security differences between system
components
• Technology helps, but architecture is more
important
15
February 2018 Copyright © ISA – All Rights Reserved
Security Levels
16
Protection against…
February 2018 Copyright © ISA – All Rights Reserved
Maturity Assessment
• A means of assessing capability
• Similar to Capability Maturity
Models
– e.g., SEI-CMM
• An evolving concept in the
standards
– Applicability to IACS-SMS
20
February 2018 Copyright © ISA – All Rights Reserved
Security and Safety
• Safety is much of the reason for
security
– Presenting consequences
• Much to be learned from the safety
community
• Collaboration
– ISA99-ISA84 joint effort
– IEC TC65 work group 20
– ISA Safety and Security Division
18
February 2018 Copyright © ISA – All Rights Reserved
Foundational Requirements
• FR 1 – Identification & authentication control
• FR 2 – Use control
• FR 3 – System integrity
• FR 4 – Data confidentiality
• FR 5 – Restricted data flow
• FR 6 – Timely response to events
• FR 7 – Resource availability
19
February 2018 Copyright © ISA – All Rights Reserved
Work Products
20
February 2018 Copyright © ISA – All Rights Reserved
The ISA-62443 Series
21
February 2018 Copyright © ISA – All Rights Reserved
General Information
• 62443-1-1
– Concepts and Models
• 62443-1-2
– Master Glossary
• 62443-1-3
– Security Compliance Metrics
• 62443-1-4
– Lifecycle & Use Cases
• 62443-1-5
– Protection Levels
22
February 2018 Copyright © ISA – All Rights Reserved
Program Definition
• 62443-2-1
– Security Management System
• 62443-2-2
– Implementation Guidance
• 62443-2-3
– Patch Management
• 62443-2-4
– Requirements for Solution Suppliers
23
February 2018 Copyright © ISA – All Rights Reserved
System Security
• 62443-3-1
– Security Technologies
• 62443-3-2
– Risk Assessment and System Design
• 62443-3-3
– System Requirements and
Security Levels
24
February 2018 Copyright © ISA – All Rights Reserved
Component Security
• 62443-4-1
– Product Development Requirements
• 62443-4-2
– Technical Requirement for Components
25
February 2018 Copyright © ISA – All Rights Reserved
What is Happening
26
February 2018 Copyright © ISA – All Rights Reserved
Current Activity
• 62443-1-1 (2nd Edition)
– Preparing a draft for comment
• 62443-1-2
– Recently circulated as a draft for comment
• 62443-1-4
– Case studies being identified by WG10
• 62443-1-5
– Introduces the potential concept of “Protection Levels”
– Recently circulated as a draft for comment
27
February 2018 Copyright © ISA – All Rights Reserved
Current Activity
• 62443-2-1 (2nd Edition)
– Alignment with ISO 27001:2013
– Recently circulated as a draft for comment
• 62443-2-3
– Technical report published in July 2015
– Under revision to elevate to a standard
• 62443-2-4
– Published by IEC, adopted by ISA99
28
February 2018 Copyright © ISA – All Rights Reserved
Current Activity
• 62443-3-1
– Technical report on risk management being rewritten as a standard
• 62443-3-2
– Committee Draft for Vote (CDV) approved by ISA voting members
– IEC vote pending
29
February 2018 Copyright © ISA – All Rights Reserved
Current Activity
• 62443-4-1
– Approved by ISA and IEC
• 62443-4-2
– Soon to be submitted as a Final Draft Standard to ISA and IEC
30
February 2018 Copyright © ISA – All Rights Reserved
Review
✓ Who are we?
✓ How do we work?
✓ What are the basics?
✓ What are our work products?
✓ Where do things stand?
31
February 2018 Copyright © ISA – All Rights Reserved
Conclusion
32
February 2018 Copyright © ISA – All Rights Reserved
• ISA99 committee page: http://www.isa.org/isa99
• Twitter: @ISA99Chair
• Committee Co-Chairs: [email protected]– Eric Cosman
– Jim Gilsinn
• Managing Director– Joe Weiss
• ISA Staff Contact– Eliana Brazda [email protected]
Please provide contact information & area of expertise or interest
More Information…
33
February 2018 Copyright © ISA – All Rights Reserved
Questions
34