Cyber Security Standardization and 62443 · 2020. 4. 27. · ISA/IEC 62443-3-3 Rating of Maturity...
© 2006, ISA1
ISA Standards and Practices
Cyber Security Standardization and 62443
Where we are today and what’s up ahead
March 2020 Copyright © ISA – All Rights Reserved
ISA99 Committee
Your speaker
• Judith Rossebø, Cyber Security Specialist, ABB
– Involved in ISA99 and IEC TC 65 since 2011
– ABB voting member of ISA99 since 2016
– Member of NK65 since 2011
– Member of IECEE CMC TC Cyber Security (from 2016)
– Member of IEC SyC – Smart Energy – WG3 Cyber Security Task Force (from 2017)
– Chair CENELEC TC65X (from 2018)
Scope
The scope of the ISA/IEC 62443 Series is the Security of Industrial Automation and Control Systems (IACS)
An IACS is defined as a: collection of personnel, hardware, software, and policies involved in the operation of an industrial process.
The Security Triad
Cyber Security is about technology, processes and people
• Objectives:
– Security Management
– Security Lifecycle
– Risk Management
– Access Control
– System Integrity
– System Availability
– Data Confidentiality
– Asset Management
– Incident Management
Some Basic Questions…
1. Who are we?
2. How do we work?
3. What are our work products?
4. What are the standards based on?
5. Where do things stand?
1. Who are we?
2. How do we work?
3. What are our work products?
4. What are the standards based on?
5. Where do things stand?
ISA99 Committee
The International Society of Automation (ISA) Committee on Security for Industrial Automation & Control Systems
• Members from around the world
• Multiple sectors and stakeholders
• Consistent leadership since c. 2002
1. Who are we?
2. How do we work?
3. What are our work products?
4. Who is using them?
5. What are the standards based on?
6. Where do things stand?
Collaborative Development
• ISA-62443 (and IEC 62443) is a series of standards being developed by two groups:
– ISA99 (ISA-62443)
– IEC TC65/WG10 (IEC 62443)
• In consultation with:
– ISO/IEC JTC1/SC27 (ISO/IEC 2700x)
1. Who are we?
2. How do we work?
3. What are our work products?
4. What are the standards based on?
5. Where do things stand?
The ISA/IEC 62443 Series
[Figure: overview of the ISA/IEC 62443 series. Labels: Security Program Rating, General, Policies & Procedure, System, Component]
1. Who are we?
2. How do we work?
3. What are our work products?
4. What are the standards based on?
5. Where do things stand?
Security Principles
• Security Context
• Security Objectives
• Response Elements (People, Process, Technology)
• Risk-Based Approach
• Compensating Countermeasures
• Least Privilege
• Defense in Depth
• Supply Chain Security
• Security and Safety
Source: ISA-62443-1-1, 2nd Edition (Under development)
Fundamental Concepts
• Principal Roles
• Life Cycles and Processes
• Zones and Conduits
• Security Levels
• Maturity
• Security Program Rating
Source: ISA-62443-1-1, 2nd Edition (Under development)
Zones and Conduits
• Network & system segmentation technique:
• Prevents the spread of an incident
• Provides a front-line set of defenses
• The basis for risk assessment in system design
Security Levels
Security Level | Definition | Means | Resources | Skills | Motivation
1 | Protection against casual or coincidental violation | | | |
2 | Protection against intentional violation with simple means with low resources, generic skills and low motivation | Simple | Low | Generic | Low
3 | Protection against intentional violation using sophisticated means with moderate resources, IACS skills and moderate motivation | Sophisticated | Moderate | IACS-specific | Moderate
4 | Protection against intentional violation using sophisticated means with extended resources, IACS skills and high motivation | Sophisticated | Extended | IACS-specific | High
• A means of assessing technical capabilities
Maturity
Level
1 Initial
• Product development typically ad-hoc and often undocumented
• Consistency and repeatability may not be possible
2 Managed
• Product development managed using written policies
• Personnel have expertise and are trained to follow procedures
• Processes are defined but some may not be in practice
3 Defined (practiced)
• All processes are repeatable across the organization
• All processes are in practice with documented evidence
4 Improving
• Process metrics are used to control effectiveness and performance
• Continuous improvement
• A means of assessing organizational capabilities
• An evolving concept in the standards
– Purpose is to provide a benchmark for meeting requirements
Roles, Products, Automation Solution and IACS
[Figure: roles in relation to products, the Automation Solution and the IACS.
IACS environment: roles Asset Owner, Maintenance Service Provider and Integration Service Provider, with the relations "accountable for", "operates", "maintains", "designs and deploys" and "commissions and validates". The Industrial automation and control system (IACS) covers operation and routine maintenance according to security policies and procedures, and the Automation Solution (zones; essential functions, control functions, safety functions, complementary functions), which includes configured products (control systems and components).
Independent of IACS environment: role Product Supplier, which develops and supports Products: Components (supporting software applications, embedded devices, network devices, host devices) and Control systems (as a combination of components).]
Security Program Rating (SPR)
[Figure: SPR matrix. Horizontal axis: Rating of Security Level of Automation Solution (SL 0 to SL 4). Vertical axis: Rating of Maturity Level of organizational measures. Cell values: SPR 0 to SPR 4.]
1. Who are we?
2. How do we work?
3. What are our work products?
4. What are the standards based on?
5. Where do things stand?
ISA/IEC Series Status
[Figure: status of the ISA/IEC 62443 series documents by group (General, Policies & Procedure, System, Component), with a status key]
Current Activity
• 62443-1-1 (Concepts & Models)
– Preparing 2nd edition draft for comment
• 62443-1-2 (Master Glossary)
– Circulated as a draft for comment
• 62443-1-4 (Case Studies)
– Under development by WG10
• 62443-2-1 (Security Program)
– Recently circulated for approval
• 62443-2-2 (Security Program Rating)
– Circulated as a draft for comment
• 62443-2-3 (Patch Management)
– Under revision to elevate to a standard
• 62443-3-2 (Risk Assessment)
– Final Draft Standard being prepared for final vote
Evaluation of technical and organizational measures
[Figure: Security Program Rating matrix for an Automation Solution (essential functions, control functions, safety functions, complementary functions; secure operation). Horizontal axis: Rating of Security Level of Automation Solution, ISA/IEC 62443-3-3 (SL 1 to SL 4). Vertical axis: Rating of Maturity Level of operations acc. to operational policies and procedures, ISA/IEC 62443-2-1 (ML 1 to ML 4). Cell values: SPR 0 to SPR 4.]
SPR: Security Program Rating
ISA 99-62443-2-2 draft for comments
62443 Security Objectives (SO)
Tag | Organizational Element | Security Objective | Includes
SM | Security Management | Establish and sustain the additional elements of an IACS Security Program | Requirements for the management of the Security program. Note: processes to support technical requirements are included in the other Elements
LF | Security Lifecycle | Secure Products and IACS throughout their Lifecycle | Product lifecycle, Automation Solution lifecycle. Security Lifecycles include quality management.
RM | Risk Management | Manage risks to Products and IACS throughout their Lifecycles | Risk assessment, Security Zones and Conduits, Security Requirements Specification
AC | Access Control | Restrict physical and logical access to Products and IACS | Physical access control, system access control, network access control
SI | System Integrity | Ensure system, network and data integrity for Products and IACS | Safety integrity, control integrity, data integrity, network integrity
AS | System Availability | Ensure system, network and data availability for Products and IACS | Safety availability, control availability, data availability, network availability
DC | Data Confidentiality | Prevent the unauthorized disclosure of sensitive data for Products and IACS | Authentication tokens, personally identifiable information (PII), data in transit, data at rest
AM | Asset Management | Inventory assets, understand criticality and manage vulnerabilities for Products and IACS | Inventory, configuration and vulnerability management
IM | Incident Management | Detect, respond and recover from cybersecurity incidents for Products and IACS | Detection of events, incident response, backup and recovery
Hierarchical View of ISA/IEC 62443 Requirements
[Figure: hierarchy of requirements across the series. Boxes: Part 1-1 Concepts & Models; Part 2-1 Asset Owners; Part 2-2 Security Program Rating; Part 2-3 Patch Management; Part 2-4 Service Providers; Part 3-2 Risk Assess, Security Zones; Part 3-3 System Requirements; Part 4-1 Product Development; Part 4-2 Component Requirements; Security Objectives. Arrow types: Derived Requirements, Referenced Requirements; dashed line (-----) = Not currently in the standard.]
Legend: CRS = Cybersecurity Requirements Specification; SDL = Security Development Lifecycle
ISA/IEC 62443 Standards – Lifecycle View
[Figure: parts of the series mapped to the Product Development Lifecycle and the Automation Solution Lifecycle (Integration, Operation and Maintenance)]
Part 1-1: Concepts and Models
Part 2-1: IACS requirements for Asset Owners
Part 2-2: IACS Security Program Rating
Part 2-3: IACS Patch management
Part 2-4: Security program requirements for IACS service providers
Part 3-2: Security risk assessment, system partitioning and security levels
Part 3-3: System security requirements and security levels
Part 4-1: Product development lifecycle
Part 4-2: Technical security requirements for IACS components
ISA Global Cybersecurity Alliance (ISAGCA)
Bridge the gap between publication of the 62443 standards and adoption by stakeholders.
– Awareness & Outreach
– Advocacy & Adoption
– Compliance & Prevention
– Training & Education
• Launched July 2019
• Goal is to complete 8 key projects in 2020
2020 ISAGCA Projects Underway
1. An easy-to-follow, condensed how-to guide to using the ISA/IEC 62443 series of standards (https://gca.isa.org/isagca-quick-start-guide-62443-standards)
2. A consolidated matrix that cross-references key cybersecurity standards to ISA/IEC 62443
3. A roadmap for expanded cooperation with worldwide governments that are currently referencing the standards in their regulatory requirements or recommended practices
4. Workforce development - A multi-dimensional reference guide mapping system lifecycle phases and stakeholder roles to specific automation cybersecurity knowledge, skills, and abilities needed to manage each phase
5. Industry vertical overlays to the ISA/IEC 62443 standards for building automation, medical devices; other sectors to be determined.
6. Speakers bureau - A database of speakers with expertise and experience in automation cybersecurity and associated commitments to speaking opportunities at industry events.
7. Additional projects in the evaluation/startup phase 20
Certification – ISASecure Certifications
• Security Development Lifecycle Assurance (SDLA)
– Certifies that the SDL of a Product Supplier meets requirements of 4-1
• System Security Assurance (SSA)
– Certifies that Control System products have capabilities to meet 3-3 and have been developed in accordance with an SDLA program.
• Component Security Assurance (CSA)
– Certifies that Component products have capabilities to meet 4-2 and have been developed in accordance with an SDLA program.
– Component types: Embedded device, Network device, Host device, and Software application
Certification – IECEE Conformity Assessment Schemes
Two types of Certificates of conformity are defined:
• Capability Assessment: An assessment of technical capabilities (3-3, 4-2) or process oriented capabilities (4-1, 2-4)
• Application of Capabilities Assessment: Use of Capability Assessed technical or process-oriented capability for a specific product or solution
Currently included in the program:
• ISA/IEC 62443-2-4: 2015/AMD1:2017
• ISA/IEC 62443-3-3: 2013
• ISA/IEC 62443-4-1: 2018
• ISA/IEC 62443-4-2: 2019
Certification – IECEE Conformity Assessment Schemes
The following types of Certificates of Conformity are defined:
• Product Capability Assessment
– IEC 62443-2-4, IEC 62443-3-3, IEC 62443-4-2
• Process Capability Assessment
– IEC 62443-2-4, IEC 62443-4-1
• Product Application of Capabilities Assessment
– IEC 62443-4-1
• Solution Application of Capabilities Assessment
– IEC 62443-2-4, IEC 62443-3-3
Conclusion
More Information…
• ISA99 committee page: http://www.isa.org/isa99
• Twitter: @ISA99Chair
• Committee Co-Chairs: [email protected]
– Eric Cosman
– Jim Gilsinn
• Managing Director
– Joe Weiss
• ISA Staff Contact
– Eliana Brazda [email protected]
Please provide contact information & area of expertise or interest
Questions