Maarten Oosterink for PPA 2010 Delft, 11-03-2010 Vendor Requirements Process Control Domain - Security Requirements for Vendors
Contents Purpose, Scope and Audience Development process Contents of WIB Standard Relationship with other initiatives Questions/discussion 2
Purpose, Scope and Audience Purpose Guarantee Vendors supplying secure systems & services at all stages of the lifecycle! Fit-for-purpose security, based on best practices in Shell and all the good work by many others Affordable solution for Vendors to gain certificate Minimum Standard freely available for everyone Many end-users to join, such that Vendors are only facing one requirement saving costs Step change now and evolve over time! Scope used with all new developments Audience big Vendors (MAC) small Vendors (>300) 3
Upfront Upfront Vendor Vendor Involvement = = Long Long Term Term Savings Savings Procurement Site Acceptance Run & Maintain $ Investment Trend With Certification INVESTMENT $ Investment Trend Without Certification 4
Contents Purpose, Scope and Audience Development process Contents of WIB Standard Relationship with other initiatives Questions/discussion 5
Smartness Level Concepts 6
Procurement Language Cyber Security Procurement Language for Control Systems Department of Homeland Security (DHS) http://www.us-cert.gov/control_systems/ More control over content e.g. describes multiple options for potential requirements Gaps e.g. only covers procurement phase Target audience different (procurement dept. vs. knowledgeable vendors) 7
Development of the ideal standard 8
WIB standards used ISO 27002 Code of Practice for Information Security Mgt AGA12-2 SCADA encryption API 1164 Security Guidelines for the Petroleum Industry CIDX (Cybersecurity in the chemical industry) ISO 17799 ISO 27001 ISO 27002 IEC 62351 IEC 62443 IEEE 1402 ISA99-1 ISA99-2 NERC Security Guidelines NERC CIP NIST SP800-53 NIST SP800-14 Principles and Practices for securing IT NIST SP800-82 ISA99-3 ISA99-4 ISA99-6 ISA SP100 Wireless Systems for Automation IEC 62439 High Availability Automation Networks ISO 2382-8 Information Technology - vocabulary - security IEC 61784-4 IEC 60870-6 Telecontrol Equipment and Systems 9
Development process IDEAL* IDEAL* standard standard Cyber Cyber Security Security Procurement Language Language for for Control Control Systems Systems Shell Shell DEP DEP Security Security requirement s s for for vendors vendors WIB WIB Security Security requirement s s for for vendors vendors 10
Development Process Global coverage outside Shell Standard shared with and comments received from: End-users: BP, Total, AkzoNobel, DSM, Heineken, Wintershall, Dow Chemical, DuPont, Southern Company, Laboralec, Aramco, Vendors: Invensys, Emerson, HIMA, Honeywell, READY! READY! 1st Vendor certified Min Min Security Security Std Std PCD PCD Systems Systems WIB WIB 650+ Comments 70+ Reviewers Wurldtech s Certificate Certificate Development Development Vendor s Vendor s Achilles Achilles Practices Practices Certificate Certificate 250+ Vendors March 2010 Time April 2010 2010-2011
WIB s Process Control Domain Security Requirements for Vendors Mandatory for the whole Shell Enterprise! 2010 Vendors to obtain Achilles Practices certificates 2011 Vendors with no Achilles certificate no new systems in Shell! Join us, save costs and operate more securely! 12
Contents Purpose, Scope and Audience Development process Contents of WIB Standard Relationship with other initiatives Questions/discussion 13
WIB Std -Table of Contents 1. INTRODUCTION 2. GENERAL SECURITY POLICY 3. PROCESS CONTROL SECURITY FOCAL POINT 4. CONTROLS AGAINST MALICIOUS CODE 5. SOFTWARE PATCH MANAGEMENT 6. SYSTEM HARDENING 7. PROTECTION OF PCD DOCUMENTATION 8. ACCOUNT MANAGEMENT 9. BACKUP, RESTORE AND DISASTER RECOVERY 10. REMOTE ACCESS AND TRANSFER OF DATA FILES 11. WIRELESS CONNECTIVITY 12. SECURE CONNECTIONS TO SIS (SAFETY INSTRUMENTED SYSTEMS) 13. STANDARDS AND CERTIFICATION 14. SECURITY MONITORING 15. PROCESS CONTROL DOMAIN NETWORK ARCHITECTURE 16. HANDLING OF REMOTE AND ADVISORY SETPOINTS 17. DATA HISTORIANS 18. COMMISSIONING AND MAINTENANCE 19. REFERENCES APPENDICES APPENDIX 1 ARCHITECTURE LEVELS IN ANSI/ISA-99.00.01, PART 1 APPENDIX 2 WIB s DACA (DATA ACQUISITION AND CONTROL ARCHITECTURE) APPENDIX 3 WIB S APPROVED CONNECTIVITY APPLICATIONS 20 % Technology 80 % People, Process 14
Example: Security Focal Point (chapter 3) The Vendor shall nominate a Process Control Security Focal Pointin its organization, who is responsible for the following. Acting as liaison with Principal or the Contractor, as appropriate, about compliance of the Vendor s system with this requirements document. Communicating the Vendor s point of view on process control security to Principal s Engineers, Project Managers, and other relevant staff. Ensuring that tenders to Principal are aligned and in compliancewith both this requirements document and the Vendor s own internal requirements for process control security. Communicating deviations from, or other issues not conforming with, this requirements document to the organization of the Principal that is requesting the tender. Providing Principal with timely information about cyber securityvulnerabilities in the vendor s supplied systems and services. Providing timely support and advice to the Principal in the event of cyber security incidents involving the Vendor s systems and services. 15
Contents Purpose, Scope and Audience Development process Contents of WIB Standard Relationship with other initiatives Questions/discussion 16
ISA-SP99 suite of standards ISA99 Common ISA-99.01.01 Terminology, Concepts And Models ISA-TR99.01.02 Master Glossary of Terms and Abbreviations ISA-99.01.03 System Security Compliance Metrics Security Program ISA-99.02.01 Establishing an IACS Security Program ISA-99.02.02 Operating an IACS Security Program ISA-TR99.02.03 Patch Management in the IACS Environment was ISA-99.03.03 Technical System ISA-99.03.02 Target Security Assurance Levels for Zones and Conduits was Target Security Levels ISA-99.03.03 System Security Requirements and Security Assurance Levels was Foundational Requirements was ISA-99.01.03 ISA-99.03.04 Product Development Requirements ISA-TR99.03.01 Security Technologies for Industrial Automation and Control Systems was ISA-TR99.00.01-2007 Technical Derived ISA-99.04.01 Embedded Devices ISA-99.04.02 Host Devices ISA-99.04.03 Network Devices ISA-99.04.04 Applications, Data And Functions Released 17 17
ISA 99 and links to other initiatives Standard 18 The Future
Contents Purpose, Scope and Audience Development process Contents of WIB Standard Relationship with other initiatives Questions/discussion 19
20