Maarten Oosterink for PPA 2010 Delft, Vendor Requirements. Process Control Domain - Security Requirements for Vendors

Slide 1: Vendor Requirements
Process Control Domain - Security Requirements for Vendors
Maarten Oosterink for PPA 2010 Delft, 11-03-2010

Slide 2: Contents
- Purpose, Scope and Audience
- Development process
- Contents of WIB Standard
- Relationship with other initiatives
- Questions/discussion

Slide 3: Purpose, Scope and Audience
Purpose:
- Guarantee Vendors supplying secure systems & services at all stages of the lifecycle!
- Fit-for-purpose security, based on best practices in Shell and all the good work by many others
- Affordable solution for Vendors to gain certificate
- Minimum Standard freely available for everyone
- Many end-users to join, such that Vendors are only facing one requirement, saving costs
- Step change now and evolve over time!
Scope: used with all new developments
Audience: big Vendors (MAC), small Vendors (>300)

Slide 4: Upfront Vendor Involvement = Long Term Savings
[Chart: Investment ($) plotted over the lifecycle phases Procurement, Site Acceptance, Run & Maintain; two curves labelled "Investment Trend With Certification" and "Investment Trend Without Certification"]

Slide 5: Contents (section divider: Development process)

Slide 6: Smartness Level Concepts

Slide 7: Procurement Language
Cyber Security Procurement Language for Control Systems, Department of Homeland Security (DHS), http://www.us-cert.gov/control_systems/
- More control over content, e.g. describes multiple options for potential requirements
- Gaps, e.g. only covers procurement phase
- Target audience different (procurement dept. vs. knowledgeable vendors)

Slide 8: Development of the ideal standard

Slide 9: WIB standards used
- ISO 27002 Code of Practice for Information Security Mgt
- AGA 12-2 SCADA encryption
- API 1164 Security Guidelines for the Petroleum Industry
- CIDX (Cybersecurity in the chemical industry)
- ISO 17799
- ISO 27001
- ISO 27002
- IEC 62351
- IEC 62443
- IEEE 1402
- ISA99-1
- ISA99-2
- NERC Security Guidelines
- NERC CIP
- NIST SP800-53
- NIST SP800-14 Principles and Practices for securing IT
- NIST SP800-82
- ISA99-3
- ISA99-4
- ISA99-6
- ISA SP100 Wireless Systems for Automation
- IEC 62439 High Availability Automation Networks
- ISO 2382-8 Information Technology - vocabulary - security
- IEC 61784-4
- IEC 60870-6 Telecontrol Equipment and Systems

Slide 10: Development process
[Diagram with four boxes: IDEAL* standard; Cyber Security Procurement Language for Control Systems; Shell DEP Security requirements for vendors; WIB Security requirements for vendors]

Slide 11: Development Process - Global coverage outside Shell
Standard shared with and comments received from:
- End-users: BP, Total, AkzoNobel, DSM, Heineken, Wintershall, Dow Chemical, DuPont, Southern Company, Laboralec, Aramco,
- Vendors: Invensys, Emerson, HIMA, Honeywell,
[Timeline chart with labels: "Min Security Std PCD Systems WIB" (650+ Comments, 70+ Reviewers) marked READY! at March 2010; "Wurldtech's Certificate Development" / "Vendor's Achilles Practices Certificate" (250+ Vendors) marked READY! at April 2010; "1st Vendor certified" at 2010-2011]

Slide 12: WIB's Process Control Domain Security Requirements for Vendors
- Mandatory for the whole Shell Enterprise!
- 2010: Vendors to obtain Achilles Practices certificates
- 2011: Vendors with no Achilles certificate: no new systems in Shell!
Join us, save costs and operate more securely!

Slide 13: Contents (section divider: Contents of WIB Standard)

Slide 14: WIB Std - Table of Contents
1. INTRODUCTION
2. GENERAL SECURITY POLICY
3. PROCESS CONTROL SECURITY FOCAL POINT
4. CONTROLS AGAINST MALICIOUS CODE
5. SOFTWARE PATCH MANAGEMENT
6. SYSTEM HARDENING
7. PROTECTION OF PCD DOCUMENTATION
8. ACCOUNT MANAGEMENT
9. BACKUP, RESTORE AND DISASTER RECOVERY
10. REMOTE ACCESS AND TRANSFER OF DATA FILES
11. WIRELESS CONNECTIVITY
12. SECURE CONNECTIONS TO SIS (SAFETY INSTRUMENTED SYSTEMS)
13. STANDARDS AND CERTIFICATION
14. SECURITY MONITORING
15. PROCESS CONTROL DOMAIN NETWORK ARCHITECTURE
16. HANDLING OF REMOTE AND ADVISORY SETPOINTS
17. DATA HISTORIANS
18. COMMISSIONING AND MAINTENANCE
19. REFERENCES
APPENDICES
APPENDIX 1 ARCHITECTURE LEVELS IN ANSI/ISA-99.00.01, PART 1
APPENDIX 2 WIB'S DACA (DATA ACQUISITION AND CONTROL ARCHITECTURE)
APPENDIX 3 WIB'S APPROVED CONNECTIVITY APPLICATIONS
Callout: 20 % Technology, 80 % People, Process

Slide 15: Example: Security Focal Point (chapter 3)
The Vendor shall nominate a Process Control Security Focal Point in its organization, who is responsible for the following:
- Acting as liaison with Principal or the Contractor, as appropriate, about compliance of the Vendor's system with this requirements document.
- Communicating the Vendor's point of view on process control security to Principal's Engineers, Project Managers, and other relevant staff.
- Ensuring that tenders to Principal are aligned and in compliance with both this requirements document and the Vendor's own internal requirements for process control security.
- Communicating deviations from, or other issues not conforming with, this requirements document to the organization of the Principal that is requesting the tender.
- Providing Principal with timely information about cyber security vulnerabilities in the Vendor's supplied systems and services.
- Providing timely support and advice to the Principal in the event of cyber security incidents involving the Vendor's systems and services.

Slide 16: Contents (section divider: Relationship with other initiatives)

Slide 17: ISA-SP99 suite of standards
Common:
- ISA-99.01.01 Terminology, Concepts And Models
- ISA-TR99.01.02 Master Glossary of Terms and Abbreviations
- ISA-99.01.03 System Security Compliance Metrics
Security Program:
- ISA-99.02.01 Establishing an IACS Security Program
- ISA-99.02.02 Operating an IACS Security Program
- ISA-TR99.02.03 Patch Management in the IACS Environment (was ISA-99.03.03)
Technical - System:
- ISA-99.03.02 Target Security Assurance Levels for Zones and Conduits (was Target Security Levels)
- ISA-99.03.03 System Security Requirements and Security Assurance Levels (was Foundational Requirements, was ISA-99.01.03)
- ISA-99.03.04 Product Development Requirements
- ISA-TR99.03.01 Security Technologies for Industrial Automation and Control Systems (was ISA-TR99.00.01-2007)
Technical - Derived:
- ISA-99.04.01 Embedded Devices
- ISA-99.04.02 Host Devices
- ISA-99.04.03 Network Devices
- ISA-99.04.04 Applications, Data And Functions
[Slide legend: "Released" marks documents already published]

Slide 18: ISA 99 and links to other initiatives
[Diagram; visible labels: "Standard", "The Future"]

Slide 19: Contents (section divider: Questions/discussion)
