jim-gilsinn
Presented @ BSidesDE November 2012 https://www.youtube.com/watch?v=kIMBQp0uX1c

Industrial automation and control system (IACS) and supervisory control and data acquisition (SCADA) cyber security has gotten a lot of press recently due to those systems being the target of attacks by Stuxnet, Duqu, Flame, and others. These are not the first viruses, worms, or malware to affect IACS and SCADA systems, but they carried payloads specifically targeting those systems. While the exact vulnerabilities exploited were considered zero-days, the basic methods they used to infect their target systems were not unknown: infected removable media and drives, peer-to-peer infection on a network, rootkits, and hard-coded passwords. It is unlikely that all of these infections could have been prevented completely, but many common cyber security methods and controls could have prevented different aspects of each of these attacks.

IACS and SCADA cyber security is more about using proven security methods, controls, and technology than it is about the newest widget being sold by your favorite vendor. Many of the same methods, controls, and technology used in the IT environment can be used in the industrial environment, but their usage needs to be carefully analyzed before they can be applied. IACS and SCADA systems have real-world consequences that necessitate taking a risk-based approach to security.

The International Society of Automation’s (ISA’s) committee on security for IACS (ISA99) and IEC have developed a series of standards (ISA/IEC 62443) to define procedures for implementing and measuring cyber security. This talk is a primer on the ISA/IEC 62443 series. It’s not intended as a deep-dive, but an introduction to what is and what is not part of the series and where you can go for more information.
KENEXIS
Copyright © 2012 Kenexis Security Corporation
CYBER SECURITY FOR THE INDUSTRIAL ENV.: AN INTRO TO ISA/IEC 62443
Jim Gilsinn
Twitter – @jimgilsinn
LinkedIn – linkedin.com/jimgilsinn

• Recently Joined Kenexis Consulting
  – Network & security design
• Previously Worked for U.S. National Institute of Standards & Technology (NIST)
  – 20 years in Engineering Laboratory
• Cyber Security
  – Co-Chair, ISA99 Committee
  – Co-Chair, ISA99-WG2 Security Program
  – Co-Chair, ISA99-WG7 Safety & Security
• Industrial Ethernet Reliability & Performance
  – Developed metrics, tests, and tools
  – Measure, analyze, and report performance for industrial Ethernet devices & systems
Respond Plan Prepare Defend
WHAT IS ISA99 & ISA/IEC 62443?
ISA99 Committee

• The International Society of Automation (ISA) Committee on Security for Industrial Automation & Control Systems (ISA99)
  – Formed in 2002
  – 550+ members
    • 50+ active participants
  – >200 companies across all sectors, including:
    • Chemical Processing
    • Petroleum Refining
    • Food and Beverage
    • Energy
    • Pharmaceuticals
    • Water
    • Manufacturing
How Does ISA/IEC 62443 Relate to ISA99?

• ISA/IEC 62443 is a Series of Standards
• Being Developed by 3 Groups
  – ISA99 → ANSI/ISA-62443
  – IEC TC65/WG10 → IEC 62443
  – ISO/IEC JTC1/SC27 → ISO/IEC 2700x
Other Documents

• ISA-TR62443-0-3, Stuxnet Gap Analysis
  – Look for gaps in ISA-99.02.01-2009 security program standard
  – 35 gaps identified
  – 33 recommended improvements
• ISA-TR62443-0-4, Implications of SIS Integration with Control Networks
  – Build on the work of the LOGIIC Consortium
FUNDAMENTAL CONCEPTS
Components of Security

Clauses
• Security Policy
• Organization of Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Systems acquisition, development and maintenance
• Incident Management
• Business Continuity Management
• Compliance

Foundational Requirements (currently)
• Identification, Authentication and Access Control (AC)
• Use Control (UC)
• Data Integrity (DI)
• Data Confidentiality (DC)
• Restrict Data Flow (RDF)
• Timely Response to Event (TRE)
• Resource Availability (RA)

Clauses (new original content to be developed)
• Relationships
• Intent, Buy-In, Support
• Motivation vs. Defiance
• Decisions and Awareness
• Training and Capability
Foundational Requirements

• FR 1 – Identification and authentication control
• FR 2 – Use control
• FR 3 – System integrity
• FR 4 – Data confidentiality
• FR 5 – Restricted data flow
• FR 6 – Timely response to events
• FR 7 – Resource availability
Security Levels

• Casual or Coincidental Violation
• Intentional Violation Using Simple Means with Low Resources, Generic Skills & Low Motivation
• Intentional Violation Using Sophisticated Means with Moderate Resources, IACS Specific Skills & Moderate Motivation
• Intentional Violation Using Sophisticated Means with Extended Resources, IACS Specific Skills & High Motivation
Zones & Conduits – Chemical Truck Loading Example
Zones & Conduits – Manufacturing Example
Questions, Comments, Contributions…

• ISA99 Wiki – http://isa99.isa.org
• Twitter – @ISA99Chair
• Committee Co-Chairs
  – Eric Cosman, [email protected]
  – Jim Gilsinn, [email protected]
• ISA Staff Contact
  – Charley Robinson, [email protected]
• Please provide contact info & area of expertise/interest