KENEXISCopyright © 2012 Kenexis Security Corporation
KENEXIS
Copyright © 2012 Kenexis Security Corporation
CYBER SECURITY FOR THE INDUSTRIAL ENV.: AN INTRO TO ISA/IEC 62443
KENEXISCopyright © 2012 Kenexis Security Corporation
• Recently Joined Kenexis Consulting– Network & security design
• Previously Worked for U.S. National Institute of Standards & Technology (NIST)– 20 years in Engineering Laboratory
• Cyber Security– Co-Chair, ISA99 Committee– Co-Chair, ISA99-WG2 Security Program– Co-Chair, ISA99-WG7 Safety & Security
• Industrial Ethernet Reliability & Performance– Developed metrics, tests, and tools– Measure, analyze, and report performance for industrial
Ethernet devices & systems
Jim GilsinnTwitter – @jimgilsinn
LinkedIn – linkedin.com/jimgilsinn
KENEXISCopyright © 2012 Kenexis Security Corporation
RespondPlan Prepare Defend
WHAT IS ISA99 & ISA/IEC 62443?
KENEXISCopyright © 2012 Kenexis Security Corporation
• The International Society of Automation (ISA) Committee on Security for Industrial Automation & Control Systems (ISA99)– Formed in 2002– 550+ members
• 50+ active participants
– >200 companies across all sectors, including:• Chemical Processing• Petroleum Refining• Food and Beverage• Energy• Pharmaceuticals• Water• Manufacturing
ISA99 Committee
KENEXISCopyright © 2012 Kenexis Security Corporation
• ISA/IEC 62443 is a Series of Standards• Being Developed by 3 Groups
– ISA99 ANSI/ISA-62443– IEC TC65/WG10 IEC 62443– ISO/IEC JTC1/SC27 ISO/IEC 2700x
How Does ISA/IEC 62443 Relate to ISA99?
KENEXISCopyright © 2012 Kenexis Security Corporation
KENEXISCopyright © 2012 Kenexis Security Corporation
• ISA-TR62443-0-3, Stuxnet Gap Analysis– Look for gaps in ISA-99.02.01-2009 security
program standard– 35 gaps identified– 33 recommended improvements
• ISA-TR62443-0-4, Implications of SIS Integration with Control Networks– Build on the work of the LOGIIC Consortium
Other Documents
KENEXISCopyright © 2012 Kenexis Security Corporation
RespondPlan Prepare Defend
FUNDAMENTAL CONCEPTS
KENEXISCopyright © 2012 Kenexis Security Corporation
Components of Security
Identification, A
uthentication and Access Control (A
C)
Use Control (U
C)
Data Integrity (D
I)
Data Confidentiality (D
C)
Restrict D
ata Flow (RDF)
Timely Response to Event (TRE)
Resource Availability (R
A)
Security Policy
Organization of Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations ManagementAccess Control
Systems acquisition, development and maintenance
Incident Management
Business Continuity ManagementCompliance
Rel
atio
nsh
ips
Inte
nt, B
uy-
In, S
upp
ort
Mot
ivat
ion
vs. D
efia
nce
Dec
isio
ns a
nd A
war
ene
ss
Tra
inin
g an
d C
apa
bilit
y
Cla
uses
Foundational Requirem
ents (currently)
Clauses (new original content to be developed)
KENEXISCopyright © 2012 Kenexis Security Corporation
• FR 1 – Identification and authentication control• FR 2 – Use control• FR 3 – System integrity• FR 4 – Data confidentiality• FR 5 – Restricted data flow• FR 6 – Timely response to events• FR 7 – Resource availability
Foundational Requirements
KENEXISCopyright © 2012 Kenexis Security Corporation
Security Levels
Casual or Coincidental Violation
Intentional Violation Using Simple Means with Low Resources, Generic Skills & Low Motivation
Intentional Violation Using Sophisticated Means with Moderate Resources, IACS Specific Skills &
Moderate Motivation
Intentional Violation Using Sophisticated Means with Extended Resources, IACS Specific Skills &
High Motivation
KENEXISCopyright © 2012 Kenexis Security Corporation
Zones & Conduits –
Chemical Truck
Loading Example
KENEXISCopyright © 2012 Kenexis Security Corporation
Zones & Conduits – Manufacturing Example
KENEXISCopyright © 2012 Kenexis Security Corporation
RespondPlan Prepare Defend
KENEXISCopyright © 2012 Kenexis Security Corporation
• ISA99 Wiki – http//isa99.isa.org• Twitter – @ISA99Chair• Committee Co-Chairs
– Eric Cosman, [email protected]– Jim Gilsinn, [email protected]
• ISA Staff Contact– Charley Robinson, [email protected]
• Please provide contact info & area of expertise/interest
Questions, Comments, Contributions…
Recommended
![Quick Start Guide - ASCI/0920-ISASecure...lifecycle meets the requirements of ISA/IEC-62443-4-1 – Product security development lifecycle requirements. [36] Quick Start Guide: An](https://img.pdfslide.us/doc/110x75/6145a55e07bb162e665fd1bc/quick-start-guide-asci0920-isasecure-lifecycle-meets-the-requirements-of-isaiec-62443-4-1.jpg)
