Introduction to Industrial Security Standards3.ppt - pera.net

1 9/19/2011. Proposed Topics Introduction What are S99 & IEC 62443. Industrial Systems Security What other standards groups are relevant Summary ? Gary Rathwell November 24, 2006. Introduction Gary Rathwell What are ISA S99 and IEC. President, Enterprise Consultants, Inc (ECI) 62443 ? Long experience in Industrial Controls & Telecom ISA S99 guidance documents and Fluor - Functional Leader of Controls and Automation standards on IT Security to existing Simons Director, Mill Wide Systems Industrial control and automation Systems ICI and Texaco Manager process control and optimization Part 1 defines terms and models used in Proponent of PERA (Purdue Enterprise Reference automation Security Architecture) Architecture and Master Planning Lead more than 12 master planning studies for multi-billion $ Part 2 establishing Cyber Security enterprises Management Systems Contributed to many more plans & studies for major corporations IEC 62443 mainly addresses technical Member of S95, S99 and IEC TC184 Standards Teams.

2 Aspects of system Security architecture, Author of many engineering tools and standards. See , , and What kind of Attacks Have What is the Threat ? Occurred? Terrorists, Hackers and Organized Nuclear Plant shutdown (virus). Massive release of human sewage (malicious Crime Threats employee). Must defend against both internal and Shutdown of major US airport (technical and external threats contract failure). Many banking system breaches (many more not For small companies most threats are publicized Russia in 1999). external Tests of North American Power grid showed For large companies most threats are many openings. internal 1. 9/19/2011. Why is a Security Standard What has changed? Needed ? Hackers, Terrorists and Organized Crime are Need to have a standard to audit against becoming more sophisticated. Need standards to train next generation of Increased use of Standardized LAN and engineers.

3 Operating Systems in ICD mean many more people know how to attack them Need standards so Security products can Wireless technologies present major new work compatibly together. challenges 911 and increased terrorist activity What Sort of Security Policies What Sort of Security Policies Does Does my Company Need ? my Company Need ? Every manufacturing organization needs ICD ( Industrial Control Domain) policies and effective implementation No non-critical applications in ICD. Need a well documented and managed Corporate Eliminate unstructured applications Control and Information Systems architecture, particularly for the ICD email If processes are critical or dangerous, need a regular audit of ICD Security Eliminate communication access points The Firewalls between MES & ICD and MES and IT maintenance dial-ins must be very carefully designed, managed and regularly audited.

4 Single point control If any ICD links traverse external networks, require secure VLAN and monitoring. every application adds vulnerabilities Most medium to large companies will require a secured Must be auditable Industrial Data Center where MES and SCADA. (Supervisory Control and Data Acquisition) systems reside. Why not use existing IS standards for ICD Security ? Authentication and Authorization Technologies Operator's ability to recall and enter a password may be impacted by the urgency of the situation S99 - Standard Filtering/Blocking/Access Control Technologies Adds delay to control system communications Lack of firewall products for non-IP based protocols Encryption Technologies Slows down communication as additional time is required to encrypt, decrypt, and authenticate message Auditing Tools Many legacy process control devices do not have the capability to provide logs 2.

5 9/19/2011. Part 1 - Models & Terminology Part 1 - Models & Terminology Theme References Establish the scope and define terminology Purdue CIM Reference Model Typical Questions Addressed ISA S84 Safety Instrumented Systems What is a control system? ISA S88 Batch Control How is it different from a typical business system? ISA S95 Enterprise- Control Systems Integration What are the different levels of data confidentiality for control systems applications? Models How can these levels be established? Identify threats and vulnerabilities What are the key Security terms and concepts and Classify assets how are they defined in this context? Define boundaries and information flows Define Security policy Part 2 - Establishing a Security Part 1 Application Example Program Internet Theme PCs ERP Firewall E-Mail Office Applications Give practical guidance and direction on how to establish business case for a Security program and Business LAN how to design the program to meet business needs.

6 Analysis Firewall Tools MES LIMS PIMS Typical Questions Addressed Manufacturing LAN. How to make a business case for Security in M&CS. Firewall environment? What is the step-by-step process of building such a HMI HMI Eng Stn App Stn program? What skills and organizations need to be involved? Process Control Network (PCN). Proposed Timeline First committee vote expected in July 2005. Part 3 - Operating a Security Part 4 Specific Security Program Requirements for M&CS. Theme Theme Details of how a program is run after it is designed Focus on those operational and design requirements and implemented that set apart manufacturing and control systems from Typical Questions Addressed IT systems What should the short-term and long-term responsible Typical Questions Addressed organization look like? What is so special about the Manufacturing and What do I do when the project team goes away?

7 Controls Environment that it requires a different How do I keep a program relevant and effective in the response and design? face of changing technology and business needs? How do I work effectively with my IT and audit Timeline organizations? First Draft March 2006. Proposed Timeline First Draft December 2005. 3. 9/19/2011. What other Groups are Working in this Area What other Groups are Working in this Area ? ? The National Strategy to Secure Cyberspace published Working Group 7. in Feb. 2003 Proactively seeks partnerships and coordinate activities with DHS Initiatives (Fact Sheet Published Feb. 2005) pertinent outside groups Established the US Computer Emergency Readiness Team Participate in meetings of these outside organizations, as well as (CERT) Control Systems Center monitor progress and review published documents Established, the Control Systems Security and Test Center Report back to ISA areas of overlap and viewpoints that are (CSSTC) in conjunction with Idaho National Environmental and either cooperative or conflicting Engineering Laboratory Organizations Launched a new Process Control Systems Forum as a joint DHS (Department of Homeland Security ).

8 Effort between National Cyber Security Division (NCSD) and IEC (International Electrotechnical Commission). Science & Technology (S&T) Directorate NIST PCSRF (Process Control Security Requirements Forum). Other Standards Organizations CIDX (Chemical Industry Data eXchange). IEC, NERC, NIST, CIDX and several other organizations NERC (North American Electric Reliability Council). Other standards organizations Summary Rapidly increasing Industrial systems integration market Complexity and risks are also increasing S95 represents the ONLY efficient way to implement links between automation, MES and ERP ( SAP etc.). S99 and Security architectures are essential at all enterprise levels. Failures have legal implications if best technology was not applied 4.