ISA99 Industrial Automation and Controls Systems Security

Transcription

1 ISA99 Industrial Automation and Controls Systems Security Standards Certification Education & Training Publishing Conferences & Exhibits Committee Status Update June 2015 June 2015 Copyright ISA 1

2 Purpose Provide and update on the status of the ISA99 committee and the work products 2

3 Topics Who are we? How do we work? What are the basics? What are our work products? Where do we stand? 3

4 Who are we? 4

5 ISA99 Committee The International Society of Automation (ISA) Committee on Security for Industrial Automation & Control Systems (ISA99) 555 members (as of March 2015) 36 voting members Representing companies across all sectors, including: Chemical Processing Petroleum Refining Food and Beverage Energy Pharmaceuticals Water Manufacturing 5

6 Voting Members (1) Name Company Dennis Brandl BR&L Consulting Eric Byres Byres Consulting Eric Cosman OIT Concepts, LLC William Cotter 3M Co. Ed Crawford Chevron Energy Technology C. John Cusimano AE Solutions Maarten de Caluwe The Dow Chemical Company Mark Fabro Lofty Perch Inc Ronald Forrest Forrest Automation & Technology Solutions James Gilsinn Kenexis Consulting Thomas Good E I DuPont De Nemours & Co Evan Hand Conagra Foods Mark Heard Consultant Dennis Holstein OPUS Consulting Group Bruce Honda City of Federal Way Eric Hopp Rockwell Automation Bob Huba Emerson Process Management Nate Kube Wurldtech Security Technologies 6

7 Voting Members (2) Name Joel Langill Suzanne Lightman Charles Mastromonico Mike Medoff Johan Nye Bryan Owen Tom Phinney Bob Radvanovsky Ragnar Schierholz Omar Sherin Kevin Staggs Leon Steinocher Herman Storey Tatsuaki Takebe Bradley Taylor Zachary Tudor Joseph Weiss Ludwig Winkel Company Infrastructure Defense Sec Sys NIST Westinghouse Savannah River Co Exida ExxonMobil Research and Engineering OSISoft Inc Consultant Infracritical ABB Technology Ltd Q-Cert Honeywell Inc Redstone Investors Herman Storey Consulting Yokogawa Electric Corp George Washington University SRI International Applied Control Solutions LLC Siemens AG 7

8 Our Scope industrial automation and control systems whose compromise could result in any or all of the following situations: endangerment of public or employee safety environmental protection loss of public confidence violation of regulatory requirements loss of proprietary or confidential information economic loss impact on entity, local, state, or national security 8

9 How do we work? 9

10 ISA and IEC is a Series of Standards developed by two groups ISA99 ANSI/ISA IEC TC65/WG10 IEC Consistent with ISO/IEC JTC1/SC27 ISO/IEC 2700x

11 Other Partners for Specific Topics Process Safety (ISA84) Wireless Communications (ISA100) Certification (ISCI) Information Sharing (ICSJWG) Security Framework (NIST) International Reach (IEC/ISO) and others IACS Security 11

12 What are the Basics? General Concepts Fundamental Concepts 12

13 General Concepts Represent common best practice in information systems security Applicable (to some degree) to IACS environments Establish context and relevance 13

14 General Concepts Security Context Security Objectives Least Privilege Defense in Depth Threat-Risk Assessment Policies and Procedures Source: ISA , 2 nd Edition (Under development) 14

15 Fundamental Concepts Much of the basis for the series Unique to or specifically interpreted for the IACS context Introduced in Expanded and interpreted in the remainder of the series 15

16 Fundamental Concepts Introductory Descriptions ISA Detailed Standards Fundamental Concepts Fundamental Concepts Details and Refinements 16

17 Fundamental Concepts Life Cycles Zones and Conduits Security Levels Foundational Requirements Maturity Models Security and Safety Source: ISA , 2 nd Edition (Under development) 17

18 Life Cycle Context Security Documentation Security Guidelines Security Support Product Development Integration / Commissioning Operation & Maintenance Product Suppliers System Integrators Asset Owners Requirements Source: ISA , 2 nd Edition (Under development) 18

19 Zones and Conduits A means to define: How different systems interact Information flows between systems What devices communicate How fast/often those devices communicate The security differences between system components Prevent the spread of an incident Provide a front-line set of defenses The basis for risk assessment in system design 19

20 Example 20

21 Security Levels 21

22 Foundational Requirements FR 1 Identification & authentication control FR 2 Use control FR 3 System integrity FR 4 Data confidentiality FR 5 Restricted data flow FR 6 Timely response to events FR 7 Resource availability 22

23 Maturity Models A means of assessing capability Similar in concept to Capability Maturity Models e.g., SEI-CMM An evolving concept in the standards Applicability to IACS-SMS 20

24 Safety and Security Safety is much of the raison d etre for security Presenting consequences Much to be learned from the Safety community Collaboration ISA99-ISA84 joint efforts ISA Safety and Security Division 24

25 Fundamental Concepts Status Life Cycles General agreement; editing required Zones and Conduits Editing for brevity Security Levels Basic editing Foundational Requirements Basic editing Program Maturity Adapted from IEC Safety and Security Concepts from ISA-TR

26 Where do we stand? Work Products Work and Task Groups Resource Needs 26

27 Work Products 27

28 The Series 28

29 Recent Developments ISA-TR (Metrics) Formally assigned to a new WG12 for development ISA-TR (Patch Management) Approved and in publication IEC (Solution Supplier Requirements) Published by IEC; Pending adoption by ISA 29

30 Recent Developments ISA (Risk Assessment and System Design) New committee draft for vote (CDV) soon the be distributed ISA (Product Development Requirements) Draft for comments; comments being addressed IEC (Component Requirements) New committee draft for comment (DC) soon the be distributed 30

31 Work Product Roadmap 31

32 Legend 32

33 Work and Task Groups 33

34 Areas of Focus WG1 (Security Technologies) Preparation of an updated version WG2 (Security Management System) WG3 Preparation of a second edition, consistent with ISO 2700x WG (Concepts and Models) Affirming of Fundamental Concepts Completion of a draft for comment (Master Glossary) Completion of a draft for comment 34

35 Areas of Focus WG (Risk Assessment & System Design) Circulation of new draft for vote ISA (Product Development Requirements) Resolution of comments on recent draft for comment ISA (Component Requirements) Circulation of a draft for comment WG5 (Committee) (Supplier Certification) ISA adoption as ISA WG7 Security and Safety fundamental concept 35

36 Areas of Focus WG8 (Communication and Outreach) Increased communication and promotion WG11 Outreach to the nuclear industry WG12 Development of (Metrics) WG5 (Committee) ISA adoption as ISA

37 Resource Needs 37

38 Opportunities WG3 (Terminology, Concepts and Models) Contributors and reviewers to complete (2 nd Edition) Assistance in assembling the master glossary WG5TG1 (Editors) Skilled and experience editors WG7 (Security and Safety) Group chair WG8 (Communications and Outreach) Group chair 38

39 Review Who are we? How do we work? What are the basics? What are our work products? Where do we stand? 39

40 Questions, Comments, Contributions ISA99 Wiki http//isa99.isa.org Committee Co-Chairs General: Eric Cosman Jim Gilsinn ISA Staff Contact Charley Robinson, Please provide contact information & area of expertise or interest 40

41 Questions and Discussion 41