Protection Levels, Holistic Approach. ISA-99 WG 3 TG 3 Protection Levels

Transcription

1 Protection Levels, Holistic Approach

2 Security is about technology, processes and people Policies and procedures Functional security measures Competency A holistic security protection concept has to include technology, processes and people

3 A holistic security concept is context dependent Onsite / project specific How is the automation solution operated and maintained? How has the automation solution been deployed? Protection Levels What is technically implemented and configured in the automation solution? How are people following the processes? Offsite / project independent How have the products been developed? Which capabilities are offered by a service provider? Capability Levels What are the functional security capabilities of the products? How are people following the processes?

4 A holistic security concept is context dependent Onsite / project specific Protection Levels Offsite / project independent Capability Levels

5 What are Protection Levels? Onsite / site specific Operational policies and procedures Maintenance policies and procedures Integration policies and procedures Functional security capabilities configured for the Automation Solution Competency Protection Levels is a methodology to evaluate the protection of plants in operation The methodology includes the evaluation of technical capabilities AND the related processes in a combined evaluation Page 5

6 Protect Levels bridges two worlds Easy to handle, easy to communicate Level 1 Level 2 Easy to handle Level 3 Level 4 Common language Complex, multidimensional Role based access Network segmentation Firewalls Data encryption Certification Governmental acts Dashboard Protection of the plant Protection Levels Audit trail Data integrity Back-up / restore Patch management NON EXPERT Wireless Event management Asset Owner Insurance company Governmental body Insurance fees Authenticator management IEC IEC IEC IEC IEC Remote access IEC

7 Usage of Protection Levels by the Asset Owner Easy to handle, easy to communicate Provide a consistent and repeatable way evaluate current security posture / achievement of Protection Levels Provide a consistent and repeatable way to define security targets for solution providers SOLUTION PROVIDER ASSET OWNER ASSET OWNER Protection Levels Methodology to differentiate the level of risk reduction provided by a security control class e.g. how effective is a given security control class in a specific application Provide a consistent and repeatable way to demonstrate security posture to governments, regulators, insurance companies, etc. GOVERNMENTS REGULATORS ASSET OWNER INSURANCE COMPANIES 7

8 Protection Levels combine the evaluation of technical and organizational measures Protection against cyber threats in operational phase Industrial Automation and Control System (IACS) Protection Levels Organizational measures Processes People Operational Maintenance Integration Technical measures of the Automation Solution

9 Protection Levels is based on slices of IEC grouped into Security Control Classes (SCCs)

10 Examples of potential SCCs IEC Protection Levels IEC IEC Capability Levels Products Malware Protection Establish and document antivirus/malware management procedure SP 10.xx Malware protection SR 3.2 Malicious code protection CR 3.2 Malicious code protection Event Management x Incident planning and response x Business continuity plan SP 08.xx Event management SR 2.8 Auditable events SR 2.9 Audit storage capacity SR 2.10 Response to audit processing failures SR 2.11 Timestamps SR 6.1 Audit log accessibility CR 2.8 Auditable events CR 2.9 Audit storage capacity CR 2.11 Timestamps SR 6.2 Continuous monitoring 10

11 Examples of potential SCCs IEC Protection Levels IEC IEC Capability Levels Products Backup Restore Establish backup and restoration procedure SP12.xx Backup/Restore SR 7.3 Control system backup SR 7.4 Control system recovery and reconstitution User Management And Access Control x Access control Account administration x Access control Authentication x Access control Authorization SP 09.xx Account management SP 08 Event management FR 1 Identification and authentication control FR 2 Use control FR 1 Identification and authentication control FR 2 Use control 11

12 SCCs can have different granularity Easy to handle, easy to communicate Complex, multidimensional Views Security Control Classes (SCCs) NON EXPERT Asset Owner Insurance company Governmental body 12

13 Protection Level can have different use cases Level of protection of a plant in operation How secure is my IACS Level of risk reduction provided by a security control class How effective is a given security control class in a specific application NON EXPERT Asset Owner Insurance company Governmental body 13

14 Protection Levels link both worlds Easy to handle, easy to communicate Complex, multidimensional Protection Levels NON EXPERT Asset Owner Insurance company Governmental body 14

15 Each requirement is mapped to one or several SCCs Easy to handle, easy to communicate Complex, multidimensional Each reqt mapped to one or several Each reqt mapped to one or several Each reqt mapped to one or several IEC IEC IEC Each reqt mapped to one or several Each reqt mapped to one or several Each reqt mapped to one or several NON EXPERT Asset Owner Insurance company Governmental body 15

16 Examples of mapping to one or several SCCs Easy to handle, easy to communicate Complex, multidimensional x Access control Account administration IEC IEC NON EXPERT Asset Owner Insurance company Governmental body 16

17 Examples of mapping to one or several SCCs Easy to handle, easy to communicate Complex, multidimensional IEC SP12.xx Backup/Restore IEC NON EXPERT Asset Owner Insurance company Governmental body 17

18 Examples of mapping to one or several SCCs Easy to handle, easy to communicate Complex, multidimensional IEC IEC SR 1.2 Software process and device identification and authentication NON EXPERT Asset Owner Insurance company Governmental body 18

19 Examples of mapping to one or several SCCs Easy to handle, easy to communicate Complex, multidimensional IEC IEC SR 1.1 Human user identification and authentication NON EXPERT Asset Owner Insurance company Governmental body 19

20 Maturity Level Protection Levels cover security functionalities and processes Based on IEC Based on IEC , ISO and on IEC Evaluation of security functionalities Evaluation of security processes SL 1 Capability to protect against casual or coincidental violation ML 1 Initial - Process unpredictable, poorly controlled and reactive. SL 2 Capability to protect against intentional violation using simple means with low resources, generic skills and low motivation ML 2 Managed - Process characterized, reactive SL 3 Capability to protect against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation ML 3 Defined - Process characterized, proactive deployment SL 4 Capability to protect against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation ML 4 Improved - Process measured, controlled and continuously improved Protection Levels Page 20 3 or 4 1 or 2 No PL according to this standard Security Level PL 1 PL 2 PL 3 PL 4 Protection against casual or coincidental violation Protection against intentional violation using simple means with low resources, generic skills and low motivation Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation

21 Backup

22 Maturity Level Protection Levels cover security functionalities and processes Based on IEC Based on IEC , ISO and on IEC Evaluation of security functionalities Evaluation of security processes SL 1 Capability to protect against casual or coincidental violation ML 1 Initial - Process unpredictable, poorly controlled and reactive. SL 2 Capability to protect against intentional violation using simple means with low resources, generic skills and low motivation ML 2 Managed - Process characterized, reactive SL 3 Capability to protect against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation ML 3 Defined - Process characterized, proactive deployment SL 4 Capability to protect against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation ML 4 Improved - Process measured, controlled and continuously improved Protection Levels 4 PL 1 Protection against casual or coincidental violation Page Security Level PL 2 PL 3 PL 4 Protection against intentional violation using simple means with low resources, generic skills and low motivation Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation

23 Use of protection levels in the workflow described in part 3-2

24 Use of protection levels in the lifecycle described in part 1-1