German Industrial Security Standard and Application Status. RAMI - ICS - SQ Markus Bartsch

Transcription

1 German Industrial Security Standard and Application Status RAMI - ICS - SQ Markus Bartsch

2 German Approach 3 parallel Activities Legal Framework / CIP Models & Methods Technologies 1 TÜV Informationstechnik GmbH

3 RAMI Reference Architecture Model Industry 4.0 Layers 2 TÜV Informationstechnik GmbH

4 RAMI OT Levels Hierarchy Levels IEC // IEC OT ICS / SCADA (Office-) IT Business Functional Layers Information Communication Integration Asset 3 TÜV Informationstechnik GmbH

5 RAMI Hierarchy Work Center Layers 4 TÜV Informationstechnik GmbH

6 Common Criteria 5

7 RAMI ICS - Hierarchies Layers 6 TÜV Informationstechnik GmbH

8 IoT: Industrial Control System (ICS) Security Compendium 2 Parts: Operator / Vendor supported by: Layers 7 TÜV Informationstechnik GmbH

9 ICS Security Compendium - part 1 Content Introduction Threats of IT Security Basics of ICS Organizations, Associations and their Standards Best Practice Guide for Operators Methods for Audits of ICS-Installations Research and Trends Summary and next steps 8

10 ICS Security Compendium - part 1 Audit Methods Subject Levels ICS Security Tests Subject Levels Device Application Field Process Management 9

11 RAMI ICS - Hierarchies Layers 10 TÜV Informationstechnik GmbH

12 Evaluation Aspects Security Qualification (SQ) IT-Systems IT-Products Technical Security Requirements Architecture and Design Life Cycle Installation and Operation Development Process Operating Rules Weakness Analyses and Penetration Tests Source Code Analyses Change Management 11 TÜV Informationstechnik GmbH

13 Security Assurance Level for IT Systems Security Assurance Level Certifiable Technical Security Requirements Architecture and Design Installation and Operation Weakness analysis and Penetration Tests Change Management SEAL-1 X SEAL-2 X X SEAL-3 X X X SEAL-4 X X X X SEAL-5 X X X X X 12 TÜV Informationstechnik GmbH

14 Security Assurance Level for IT Products Security Assurance Level Certifiable Technical Security Requirements Architecture and Design Development Process Operating rules Weakness analysis and Penetration Tests Source Code Analyses Change Management SEAL-1 X SEAL-2 X X SEAL-3 X X X X SEAL-4 X X X X X X SEAL-5 X X X X X X X 13 TÜV Informationstechnik GmbH

15 IEC Structure 14 TÜV Informationstechnik GmbH

16 IEC Example of CR 1: Identification and Authentication (IAC) SL 1 SL 2 SL3 SL4 1. IAC of Human Users X X X X Unique IAC X X X Multifactor Auth for untrusted networks X X Multifactor Auth for all networks X 2. IAC of procs & devices X X X Unique IAC X X 3. Account Management X X X X Unique Account Management Identifier Management X X X X 5. Authenticator Management X X X X Hardware Security for software process ID credentials X X 6. Wireless Access Management (in case of wireless) N N N N Unique IAC N N N 7. Strength of Password Auth X X X X Password generation & lifetime restrc. (human users) X X Password Lifetime restriction for all users X 8. PKI Certificates (in case PKI is supported) X X X 9. Strength of public key Auth (in case PKI is supported) X X X Hardware Security for PKI Authentication X X 10. Authenticator Feedback (in case authentication cap. is provided) X X X X 11. Unsuccessful Login Attempts in case authentication cap. is provided) X X X X 12. System Use Notification (in case local authentication) X X X X 13. Access via untrusted networks N N N N Explicit access request approval N N N 14. Strength of symmetric key Auth (in case of sym. key auth) X X X Lev 3 X X Lev 4 X 15 TÜV Informationstechnik GmbH

17 IEC CR 1 Identification and Authentication (IAC) CR 2 Use Control (UC) CR 3 System Integrity (SI) CR 4 Data Confidentiality (DC) CR 5 Restricted Data Flow (RDF) CR 6 Timely Response to Events (TRE) CR 7 Resource Availability (RA) 16 TÜV Informationstechnik GmbH

18 Mapping: SQ (1) Technical Security Requirements Architecture and Design Security Update Management Security Defect Management Defensein-Depth Security Verification & Validation Testing Security by Design Secure Implementation Development Process Operating Rules Weakness Analyses / Penetration Tests Source Code Analyses Change Management 17 TÜV Informationstechnik GmbH

19 Mapping: SQ (3) Spec. of Security Requirements Security Update Management Security Defect Management Defensein-Depth Security Verification & Validation Testing (Weakness Analyses Penetration Tests) Security by Design (Architecture & Design) Secure Implementation (Source Code Analyses) Security by Design Security Management Security Guidelines Security Verification & Validation Testing Secure Implementation Security Update Management Security Defect Management 18 TÜV Informationstechnik GmbH

20 SQ conform to (1) Security Assurance Level Certifiable Spec of Security Requirements Security by Design Security Management Security Guidelines Security Validation & Verification Testing Secure Implementation Security Update & Security Defect Management SEAL-1 X SEAL-2 X X SEAL-3 X X X X SEAL-4 X X X X X X SEAL-5 X X X X X X X 19 TÜV Informationstechnik GmbH

21 SQ conform to (2): SEAL-3 Security Assurance Level Certifiable Spec of Security Requirements Security by Design Security Management Security Guidelines Security Validation & Verification Testing Secure Implementation Security Update & Security Defect Management SEAL-1 X SEAL-2 X X SEAL-3 X X X X SEAL-4 X X X X X X SEAL-5 X X X X X X X 20 TÜV Informationstechnik GmbH

22 SQ, SEAL Spec. of Security Requirements Security Update Management Security Defect Management Defensein-Depth Security Verification & Validation Testing (Weakness Analyses Penetration Tests) Security by Design (Architecture & Design) Secure Implementation (Source Code Analyses) Security by Design Security Management Security Guidelines Security Verification & Validation Testing Secure Implementation Security Update Management Security Defect Management 21 TÜV Informationstechnik GmbH

23 RAMA RAMI SGAM TÜV Informationstechnik GmbH

24 Thank you very much for your attention! TÜV Informationstechnik GmbH Member of TÜV NORD Group Markus Bartsch IT Security Langemarckstrasse Essen, Germany Phone: Fax: URL: 23