Protection Levels, Holistic Approach
Security is about technology, processes and people
  Technology: functional security measures
  Processes: policies and procedures
  People: competency
A holistic security protection concept has to include technology, processes and people.
A holistic security concept is context dependent
Onsite / project specific (Protection Levels):
  How is the automation solution operated and maintained?
  How has the automation solution been deployed?
  What is technically implemented and configured in the automation solution?
  How are people following the processes?
Offsite / project independent (Capability Levels):
  How have the products been developed?
  Which capabilities are offered by a service provider?
  What are the functional security capabilities of the products?
  How are people following the processes?
What are Protection Levels?
Onsite / site specific:
  Operational policies and procedures (IEC 62443-2-1)
  Maintenance policies and procedures, integration policies and procedures (IEC 62443-2-4)
  Functional security capabilities configured for the Automation Solution (IEC 62443-3-3)
  Competency
Protection Levels is a methodology to evaluate the protection of plants in operation. The methodology includes the evaluation of technical capabilities AND the related processes in a combined evaluation.
Protection Levels bridge two worlds
Easy to handle, easy to communicate (the non-expert side: Asset Owner, Insurance company, Governmental body):
  Level 1, Level 2, Level 3, Level 4
  Common language
  Dashboard
  Protection of the plant
  Certification, governmental acts, insurance fees
Complex, multidimensional (the expert side):
  Role based access, network segmentation, firewalls, data encryption, audit trail, data integrity, back-up / restore, patch management, wireless, event management, authenticator management, remote access
  IEC 62443-2-1, IEC 62443-2-3, IEC 62443-2-4, IEC 62443-3-3, IEC 62443-4-1, IEC 62443-4-2
Protection Levels are the common language that links the two sides.
Usage of Protection Levels by the Asset Owner
Easy to handle, easy to communicate:
  Provide a consistent and repeatable way to evaluate the current security posture / achievement of Protection Levels (Asset Owner)
  Provide a consistent and repeatable way to define security targets for solution providers (Asset Owner to Solution Provider)
  Provide a consistent and repeatable way to demonstrate the security posture to governments, regulators, insurance companies, etc. (Asset Owner to Governments, Regulators, Insurance Companies)
Protection Levels: a methodology to differentiate the level of risk reduction provided by a security control class, e.g. how effective a given security control class is in a specific application.
Protection Levels combine the evaluation of technical and organizational measures
Protection against cyber threats in the operational phase of an Industrial Automation and Control System (IACS):
  Organizational measures: processes and people (operational, maintenance, integration)
  Technical measures of the Automation Solution
Protection Levels are based on slices of IEC 62443 grouped into Security Control Classes (SCCs)
Examples of potential SCCs
Columns: Protection Levels draw on IEC 62443-2-1, IEC 62443-2-4 and IEC 62443-3-3; Capability Levels draw on the product requirements (CRs).

Malware Protection
  IEC 62443-2-1: 4.3.4.3.8 Establish and document antivirus/malware management procedure
  IEC 62443-2-4: SP 10.xx Malware protection
  IEC 62443-3-3: SR 3.2 Malicious code protection
  Capability Levels (products): CR 3.2 Malicious code protection

Event Management
  IEC 62443-2-1: 4.3.4.5.x Incident planning and response; 4.3.2.5.x Business continuity plan
  IEC 62443-2-4: SP 08.xx Event management
  IEC 62443-3-3: SR 2.8 Auditable events; SR 2.9 Audit storage capacity; SR 2.10 Response to audit processing failures; SR 2.11 Timestamps; SR 6.1 Audit log accessibility; SR 6.2 Continuous monitoring
  Capability Levels (products): CR 2.8 Auditable events; CR 2.9 Audit storage capacity; CR 2.11 Timestamps

Backup Restore
  IEC 62443-2-1: 4.3.4.3.9 Establish backup and restoration procedure
  IEC 62443-2-4: SP12.xx Backup/Restore
  IEC 62443-3-3: SR 7.3 Control system backup; SR 7.4 Control system recovery and reconstitution

User Management and Access Control
  IEC 62443-2-1: 4.3.3.5.x Access control: Account administration; 4.3.3.6.x Access control: Authentication; 4.3.3.7.x Access control: Authorization
  IEC 62443-2-4: SP 09.xx Account management; SP 08 Event management
  IEC 62443-3-3: FR 1 Identification and authentication control; FR 2 Use control
  Capability Levels (products): FR 1 Identification and authentication control; FR 2 Use control
SCCs can have different granularity
The same Security Control Classes can be presented in views of different granularity, from the easy to handle, easy to communicate view for the non-expert (Asset Owner, Insurance company, Governmental body) to the complex, multidimensional view of the individual controls.
Protection Levels can have different use cases
  Level of protection of a plant in operation: how secure is my IACS?
  Level of risk reduction provided by a security control class: how effective is a given security control class in a specific application?
Audience on the non-expert side: Asset Owner, Insurance company, Governmental body.
Protection Levels link both worlds
The easy to handle, easy to communicate view of the non-expert (Asset Owner, Insurance company, Governmental body) and the complex, multidimensional view of the standards.
Each requirement is mapped to one or several SCCs
Every requirement of IEC 62443-2-1, IEC 62443-2-4 and IEC 62443-3-3 is mapped to one or several Security Control Classes. The SCCs give the non-expert (Asset Owner, Insurance company, Governmental body) the easy to handle, easy to communicate view of the complex, multidimensional requirements.
Examples of mapping to one or several SCCs
  IEC 62443-2-1: 4.3.3.5.x Access control: Account administration
  IEC 62443-2-4: SP12.xx Backup/Restore
  IEC 62443-3-3: SR 1.2 Software process and device identification and authentication
  IEC 62443-3-3: SR 1.1 Human user identification and authentication
Each of these requirements is mapped into the SCC view that the non-expert (Asset Owner, Insurance company, Governmental body) works with.
Protection Levels cover security functionalities and processes
Security Level (based on IEC 62443-3-3; evaluation of security functionalities):
  SL 1: Capability to protect against casual or coincidental violation
  SL 2: Capability to protect against intentional violation using simple means with low resources, generic skills and low motivation
  SL 3: Capability to protect against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
  SL 4: Capability to protect against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
Maturity Level (based on IEC 62443-2-1, ISO 27000 and IEC 62443-2-4; evaluation of security processes):
  ML 1: Initial - process unpredictable, poorly controlled and reactive
  ML 2: Managed - process characterized, reactive
  ML 3: Defined - process characterized, proactive deployment
  ML 4: Improved - process measured, controlled and continuously improved
Protection Level matrix (Maturity Level against Security Level):
  Maturity Level 1 or 2: no PL according to this standard
  Maturity Level 3 or 4: Security Level 1 gives PL 1, Security Level 2 gives PL 2, Security Level 3 gives PL 3, Security Level 4 gives PL 4
Protection Levels:
  PL 1: Protection against casual or coincidental violation
  PL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
  PL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
  PL 4: Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
Backup
Protection Levels cover security functionalities and processes (backup slide)
Same Security Level definitions (SL 1 to SL 4, based on IEC 62443-3-3, evaluation of security functionalities), Maturity Level definitions (ML 1 to ML 4, based on IEC 62443-2-1, ISO 27000 and IEC 62443-2-4, evaluation of security processes) and Protection Level definitions (PL 1 to PL 4) as on the main slide, with an alternative Protection Level matrix that plots Maturity Level 1 to 4 against Security Level 1 to 4 to give PL 1 to PL 4.
Use of Protection Levels in the workflow described in IEC 62443-3-2
Use of Protection Levels in the lifecycle described in IEC 62443-1-1