Cyber Security Standards Developments

Transcription

1 INTERNATIONAL ELECTROTECHNICAL COMMISSION Cyber Security Standards Developments Bart de Wijs Head of Cyber Security Power Grids Division ABB b.v. Frédéric Buchi Sales&Consulting Cyber Security Siemens Energy Management Siemens AG

2 Overview of Standards for Cyber Security in Energy Grids Focus: Power Systems Design Details / Technical Aspects Smart Grid Coordination Group / Smart Grid Information Security Mandate M/490 and its successor activities under SEG-CG/CSP Details for Operations Focus: Information Systems Focus: Industrial Automation IEC IEEE C IEC IEEE 1686 IETF RFC 7252 CoAP ISO/IEC & ISO/IEC IETF RFC 6960 OCSP IETF RFC 7030 EST IETF GDOI Enhance IETF Draft TLS v1.3 ISO/IEC IEC ISO / IEC ISO/IEC IEC Relevance for Products ISO/IEC TR ISO/IEC 27001/2 Completeness / Governance & Policy Aspects Source: SG-CG/M490/H_ Smart Grid Information Security; Smart Grid Coordination Group Document for the M/490 Mandate Smart Grid Information 30/11/2016 Security. Cyber Security Standards Developments 2

3 Key Intl Standards for Cyber Security in Energy Grids Focus: Power Systems Focus: Information Systems Focus: Industrial Automation Design Details / Technical Aspects IEC NIST CSF Details for Operations NERC-CIP IEC Relevance for Products Key Standards ISO/IEC TR IEC (System Security) IEC (Communication Security) ISO/IEC 27001/27019 (Security Mgmt) ISO/IEC 27001/2 Completeness / Governance & Policy Aspects 3

4 NERC CIP - Current Status Version 3 Version 6 CIP Critical Cyber Asset Identification CIP Security Management Controls CIP-004-3a - Personnel & Training CIP-005-3a - Electronic Security Perimeters CIP-006-3c - Physical Security of Critical Cyber Assets CIP-007-3a - Systems Security Management CIP Incident Reporting and Response Planning CIP Recovery Plans for Critical Cyber Assets 30/11/2016 Cyber Security Standards Developments CIP BES Cyber System Categorization CIP Security Management Controls CIP Personnel & Training CIP Electronic Security Perimeters CIP Physical Security of BES Cyber Systems CIP Systems Security Management CIP Incident Reporting and Response Planning CIP Recovery Plans for BES Cyber Systems CIP Configuration Change Management and Vulnerability Assessments CIP Cyber Security Information Protection 4

5 NIST Cyber Security Framework Core What assets need protection? What safeguards are available? What techniques can identify incidents? What techniques can contain impacts of incidents? What techniques can restore capabilities? 30/11/2016 Cyber Security Standards Developments 5

6 NIST - Cyber Security Framework Core Excerpt PROTECT (PR) Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. PR.AC-1: Identities and credentials are managed for authorized devices and users PR.AC-2: Physical access to assets is managed and protected PR.AC-3: Remote access is managed PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate CCS CSC 16 COBIT 5 DSS05.04, DSS06.03 ISA : ISA :2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9 ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A NIST SP Rev. 4 AC-2, IA Family COBIT 5 DSS01.04, DSS05.05 ISA : , ISO/IEC 27001:2013 A , A , A , A , A NIST SP Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9 COBIT 5 APO13.01, DSS01.04, DSS05.03 ISA : ISA :2013 SR 1.13, SR 2.6 ISO/IEC 27001:2013 A.6.2.2, A , A NIST SP Rev. 4 AC-17, AC-19, AC-20 CCS CSC 12, 15 ISA : ISA :2013 SR 2.1 ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A NIST SP Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16 ISA : ISA :2013 SR 3.1, SR 3.8 ISO/IEC 27001:2013 A , A , A NIST SP Rev. 4 AC-4, SC-7 Source: - Cybersecurity Framework (Excel) 30/11/2016 Cyber Security Standards Developments 6

7 ISO/IEC Information Security Management System (ISMS) ISO/IEC 27001: Information security management systems - Requirements Maintaining the confidentiality, integrity and availability, whatever the form of information, values. This includes all written, pictorial and spoken information. An ISMS? Information Security Management System ISMS part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security [ISO27000] Management System framework of policies, procedures, guidelines and associated resources to achieve the objective s of the organization 7

8 ISO/IEC Information Security Management System (ISMS) ISMS Family of standards Vocabulary standard Requirement standards Guidline standards Sector-specific guidline standard Overview and vocabulary Information security management systems - Requirements Code of practice for information security controls Information security management systems implementation guidance Information security management - Measurement Information security management guidelines based on ISO/IEC for process control systems specific to the energy utility industry (other sector-specific guidelines) Requirements for bodies providing audit and certification of Information security management systems Information security risk management Guidline for information security mgmt systems auditing May be used as part of the ISMS implementation Guidelines specific to power utilities 8

9 IEC Overview IEC TC57 WG15 Architecture of Information Standards 30/11/2016 Source: IEC TC57 WG15 Cyber Security Standards Developments 9

10 IEC Next Steps Cyber Security Event Logging - IEC To standardize a secure way of logging security events and user activities at devices and system level Conformance Test Cases and Interoperability Drafting of IEC (Conformance test cases for the IEC and its companion standards for secure data exchange communication interfaces) To develop test specifications, which shall allow vendors to test their compliance and interoperability of IEC based devices and system with the security standard - IEC and IEC Security for IEC and derivatives - IEC To specify deployment use cases that shall describe on how to apply the certificate management method of IEC on the devices operating on key management protocol DKMP, as used in IEC Role Based Access Control (RBAC) Development of IEC and IEC (Joint effort between IEC WG 15 and IEC WG 10) To specify use cases on how to apply Role Based Access Control (RBAC) for accessing IEC hierarchical objects Will be a prerequisite for a revision of IEC (RBAC) in addition to incorporation of further profiles for authorization 30/11/2016 Cyber Security Standards Developments 10

11 ISA99 and ISA/IEC ISA/IEC is a series of standards being developed by two groups: ISA99 ANSI/ISA IEC TC65/WG10 IEC In consultation with: ISO/IEC JTC1/SC27 ISO/IEC 2700x 11

12 IEC / ISA International Standards (and work in progress) International Standards 12

13 IEC Contents: System security requirements and security levels Industrial Automation and Control System (IACS) Asset Owner operates Operational and maintenance capabilities (policies and procedures) + System Integrator Integration capabilities (design and deployment) IACS environment / project specific Basic Process Control System (BPCS) Automation solution Safety Instrumented System (SIS) Complementary hardware and software Includes a configured instance of the Control System Product Product Supplier develops Supporting Applications Control System Product as a combination of Embedded devices Network components Host devices Independent of IACS environment Source: IEC

14 IEC Framework Overview Content: IEC A targeted Security Level (SL) is typically associated to each Foundational Requirement (FR) IAC UC SI DC RDF TRE RA Identif. and Auth. Control Use Control System Integrity Data Confidentiality Restricted Data Flow Timely Resp. to Events Resource Availability Each FR consists of several System Requirements (SR) FR 1 IAC SL4 FR 7 RA SL3 SL2 SL1 FR 2 UC An Integrator FR 6 TRE FR 3 SI. implements System Requirements (SR) on components with given SL-C [Capabilities] in order for the Asset Owner to meet the SL-T [Target] associated to each FR. FR 5 RDF Target FR 4 DC Achieved 14

15 IEC Framework Overview Examples: IEC FR 1 Identification and authentication control SR 1.1 Human user identification and authentication Requirement The control system shall provide the capability to identify and authenticate all human users. This capability shall enforce such identification and authentication on all interfaces which provide human user access to the control system to support segregation of duties and least privilege in accordance with applicable security policies and procedures. Rationale and supplemental guidance All human users need to be identified and authenticated for all access to the control system. Authentication of the identity of these users should be accomplished by using methods such [ ] Requirement enhancements SR 1.1 RE 1 Unique identification and authentication SR 1.1 RE 2 Multifactor authentication for untrusted networks SR 1.1 RE 3 Multifactor authentication for all networks Security levels SL-C(IAC, control system) 1: SR 1.1 SL-C(IAC, control system) 2: SR 1.1 (1) SL-C(IAC, control system) 3: SR 1.1 (1) (2) SL-C(IAC, control system) 4: SR 1.1 (1) (2) (3) 15

16 IEC / ISA International Standards (and work in progress) IEC / Requirements for IACS service providers 16

17 IEC Framework Overview Examples: IEC / Requirements for IACS service providers ID Functional Area Topic Requirement SP BR Assurance Hardening guidelines The service provider shall have the capability to provide documentation to the asset owner that describes how to harden the Automation Solution. SP RE (1) Assurance Hardening guidelines The service provider shall have the capability to verify that its security hardening guidelines and procedures are followed during Automation Solution related activities. BR: Base Requirement RE: Requirement Enhancement 17

18 IEC Framework Overview Example: IEC / Patch Management Technical Report on Patch Management 18

19 IEC Framework Overview Example: IEC / Patch Management IACS asset owners should: a) establish and maintain an inventory of all electronic devices [ ] b) establish and maintain an accurate record of the currently installed versions [ ] c) determine on a regular schedule what upgrades and updates are available [ ] d) determine on a regular schedule the released versions of upgrades and updates which identified as compatible by the IACS product supplier [ ] e) test the deployment of patches in a manner that reflects the production environment [ ] f) schedule authorized, effective patches for installation at the next available opportunity [ ] g) update records at a planned interval, on at least a quarterly basis [ ] h) identify a planned interval, such as when patches are available or on at least an annual basis; and i) implement patches, or compensating countermeasures to mitigate security vulnerabilities[ ] Source: ISA-TR WD 19

20 IEC Framework Overview Example: IEC / Patch Management IACS product suppliers should: a) provide documentation describing the software patching policy for the products and its systems they supply; b) qualify in terms of applicability and compatibility of all patches by analyzing and verifying the patches, including patches that are released by the supplier of the OS and third party software used by the IACS products c) provide a list of all patches and their approval status including the information and data format described in chapter 7 and annex A; d) inform the asset owners and update the list of patches, mentioned above and described in chapter 7 and annex A, periodically and ideally within 30 days after a patch is released by the manufacturer of the OS or thirdparty software; and e) provide adequate warning ( at least two years before) about the components reaching end of life. f) provide information to IACS users regarding the policy of supporting IACS products, including security updates Source: ISA-TR WD 20

21 Current Areas of Activity (2 nd Edition) Draft for comment by EOY (2 nd Edition) Alignment of Management System with ISO 27001: Risk assessment & system design Detailed Requirements for product development Detailed Requirements for components The IECEE Certification Management Committee (CMC) Task Force (TF) Cyber Security has recently commenced work on an Industrial Cyber Security Conformance Program for the IEC series. 21

22 An harmonized Approach can only be done if based on International Standards Regulations (e.g. NIS Directive) should refer to International Standards. Cyber security requirements should be based on international standards (e.g. IEC , IEC ) Interoperability on security solutions is vital in heterogeneous environments (e.g. IEC62351) Caution warranted on Technical Product Certification (Snapshot/LifeCycle, Sense of Security, Costly, No Context) Cyber security certification should be system oriented and focused on processes 30/11/2016 Cyber Security Standards Developments 22

23 INTERNATIONAL ELECTROTECHNICAL COMMISSION Questions? Comments? Bart de Wijs Head of Cyber Security Power Grids Division ABB b.v. Frédéric Buchi Sales&Consulting Cyber Security Siemens Energy Management Siemens AG