© 2006, ISA

ISA Standards and Practices

Cyber Security Standardization and 62443
Where we are today and what’s up ahead

March 2020 Copyright © ISA – All Rights Reserved

ISA99 Committee

Your speaker

• Judith Rossebø, Cyber Security Specialist, ABB
– Involved in ISA99 and IEC TC 65 since 2011
– ABB voting member of ISA99 since 2016
– Member of NK65 since 2011
– Member of IECEE CMC TC Cyber Security (from 2016)
– Member of IEC SyC – Smart Energy – WG3 Cyber Security Task Force (from 2017)
– Chair CENELEC TC65X (from 2018)

Cyber Security Standardization and 62443 · 2020. 4. 27. · ISA/IEC 62443-3-3 Rating of Maturity Level of operations acc. to operational policies and procedures ISA/IEC 62443-2-1



Scope

The scope of ISA/IEC 62443 Series is the Security of Industrial Automation and Control Systems (IACS)

An IACS is defined as a: collection of personnel, hardware, software, and policies involved in the operation of an industrial process.

The Security Triad

Cyber Security is about technology, processes and people

• Objectives:
– Security Management
– Security Lifecycle
– Risk Management
– Access Control
– System Integrity
– System Availability
– Data Confidentiality
– Asset Management
– Incident Management

Some Basic Questions…

1. Who are we?

2. How do we work?

3. What are our work products?

4. What are the standards based on?

5. Where do things stand?

ISA99 Committee

1. Who are we?

2. How do we work?

3. What are our work products?

4. What are the standards based on?

5. Where do things stand?

ISA99 Committee

The International Society of Automation (ISA) Committee on Security for Industrial Automation & Control Systems

• Members from around the world

• Multiple sectors and stakeholders

• Consistent leadership since c. 2002

ISA99 Committee

1. Who are we?

2. How do we work?

3. What are our work products?

4. Who is using them?

5. What are the standards based on?

6. Where do things stand?

Collaborative Development

• ISA-62443 (and IEC 62443) is a series of standards being developed by two groups:

– ISA99 ISA-62443

– IEC TC65/WG10 IEC 62443

• In consultation with:

– ISO/IEC JTC1/SC27 ISO/IEC 2700x

ISA99 Committee

1. Who are we?

2. How do we work?

3. What are our work products?

4. What are the standards based on?

5. Where do things stand?

The ISA/IEC 62443 Series

[Figure: overview chart of the ISA/IEC 62443 series. Surviving labels: Security Program Rating; rows General, Policies & Procedure, System, Component.]

ISA99 Committee

1. Who are we?

2. How do we work?

3. What are our work products?

4. What are the standards based on?

5. Where do things stand?

Security Principles

• Security Context
• Security Objectives
• Response Elements (People, Process, Technology)
• Risk-Based Approach
• Compensating Countermeasures
• Least Privilege
• Defense in Depth
• Supply Chain Security
• Security and Safety

Source: ISA-62443-1-1, 2nd Edition (Under development)

Fundamental Concepts

• Principal Roles

• Life Cycles and Processes

• Zones and Conduits

• Security Levels

• Maturity

• Security Program Rating

Source: ISA-62443-1-1, 2nd Edition (Under development)

Zones and Conduits

• Network & system segmentation technique:

• Prevents the spread of an incident

• Provides a front-line set of defenses

• The basis for risk assessment in system design

Security Levels

Security Level | Definition | Means | Resources | Skills | Motivation
1 | Protection against casual or coincidental violation | | | |
2 | Protection against intentional violation using simple means with low resources, generic skills and low motivation | Simple | Low | Generic | Low
3 | Protection against intentional violation using sophisticated means with moderate resources, IACS skills and moderate motivation | Sophisticated | Moderate | IACS-specific | Moderate
4 | Protection against intentional violation using sophisticated means with extended resources, IACS skills and high motivation | Sophisticated | Extended | IACS-specific | High

• A means of assessing technical capabilities

Maturity

Level 1: Initial
• Product development typically ad-hoc and often undocumented
• Consistency and repeatability may not be possible

Level 2: Managed
• Product development managed using written policies
• Personnel have expertise and are trained to follow procedures
• Processes are defined but some may not be in practice

Level 3: Defined (practiced)
• All processes are repeatable across the organization
• All processes are in practice with documented evidence

Level 4: Improving
• Process metrics are used to control effectiveness and performance
• Continuous improvement

• A means of assessing organizational capabilities

• An evolving concept in the standards
– Purpose is to provide a benchmark for meeting requirements

Roles, Products, Automation Solution and IACS

[Figure: roles, products, Automation Solution and IACS. Roles: Asset Owner, Maintenance Service Provider, Integration Service Provider, Product Supplier. Relationship labels: accountable for, operates, maintains, designs and deploys, commissions and validates, develops and supports. IACS environment: Industrial automation and control system (IACS); Automation Solution with zones, which includes configured products (control systems and components); essential functions, control functions, safety functions, complementary functions; operation and routine maintenance according to security policies and procedures. Independent of IACS environment: Products, namely control systems (as a combination of components) and components (supporting software applications, embedded devices, network devices, host devices).]

Security Program Rating (SPR)

[Figure: chart of Security Program Rating values (SPR 0 to SPR 4). Horizontal axis: Rating of Security Level of Automation Solution (SL 0 to SL 4). Vertical axis: Rating of Maturity Level of organizational measures.]


ISA99 Committee

1. Who are we?

2. How do we work?

3. What are our work products?

4. What are the standards based on?

5. Where do things stand?

ISA/IEC Series Status

[Figure: status chart of the ISA/IEC 62443 series, with rows General, Policies & Procedure, System and Component, and a Status Key.]

Current Activity

• 62443-1-1 (Concepts & Models)
– Preparing 2nd edition draft for comment

• 62443-1-2 (Master Glossary)
– Circulated as a draft for comment

• 62443-1-4 (Case Studies)
– Under development by WG10

• 62443-2-1 (Security Program)
– Recently circulated for approval

• 62443-2-2 (Security Program Rating)
– Circulated as a draft for comment

• 62443-2-3 (Patch Management)
– Under revision to elevate to a standard

• 62443-3-2 (Risk Assessment)
– Final Draft Standard being prepared for final vote

Evaluation of technical and organizational measures

[Figure: matrix of Security Program Rating values (SPR 0 to SPR 4) for secure operation of the Automation Solution (essential functions, control functions, safety functions, complementary functions). Horizontal axis: Rating of Security Level of Automation Solution, ISA/IEC 62443-3-3 (SL 1 to SL 4). Vertical axis: Rating of Maturity Level of operations acc. to operational policies and procedures, ISA/IEC 62443-2-1 (ML 1 to ML 4). SPR: Security Program Rating.]

ISA 99-62443-2-2 draft for comments

62443 Security Objectives (SO)

Tag | Organizational Element | Security Objective | Includes
SM | Security Management | Establish and sustain the additional elements of an IACS Security Program | Requirements for the management of the Security program. Note: processes to support technical requirements are included in the other Elements
LF | Security Lifecycle | Secure Products and IACS throughout their Lifecycle | Product lifecycle, Automation Solution lifecycle. Security Lifecycles include quality management.
RM | Risk Management | Manage risks to Products and IACS throughout their Lifecycles | Risk assessment, Security Zones and Conduits, Security Requirements Specification
AC | Access Control | Restrict physical and logical access to Products and IACS | Physical access control, system access control, network access control
SI | System Integrity | Ensure system, network and data integrity for Products and IACS | Safety integrity, control integrity, data integrity, network integrity
AS | System Availability | Ensure system, network and data availability for Products and IACS | Safety availability, control availability, data availability, network availability
DC | Data Confidentiality | Prevent the unauthorized disclosure of sensitive data for Products and IACS | Authentication tokens, personally identifiable information (PII), data in transit, data at rest
AM | Asset Management | Inventory assets, understand criticality and manage vulnerabilities for Products and IACS | Inventory, configuration and vulnerability management
IM | Incident Management | Detect, respond and recover from cybersecurity incidents for Products and IACS | Detection of events, incident response, backup and recovery

Hierarchical View of ISA/IEC 62443 Requirements

[Figure: hierarchy of requirements across the parts of the series. Boxes: Part 1-1 Concepts & Models; Part 2-1 Asset Owners; Part 2-2 Security Program Rating; Part 2-3 Patch Management; Part 2-4 Service Providers; Part 3-2 Risk Assess; Security Zones; Part 3-3 System Requirements; Part 4-1 Product Development; Part 4-2 Component Requirements; Security Objectives. Legend: CRS = Cybersecurity Requirements Specification; SDL = Security Development Lifecycle; Derived Requirements; Referenced Requirements; ----- = Not Currently in the standard.]

ISA/IEC 62443 Standards – Lifecycle View

[Figure: parts of the series placed against lifecycles. Labels: Product Development Lifecycle; Automation Solution Lifecycle; Integration; Operation and Maintenance.]

Part 1-1: Concepts and Models

Part 2-1: IACS requirements for Asset Owners

Part 2-2: IACS Security Program Rating

Part 2-3: IACS Patch management

Part 2-4: Security program requirements for IACS service providers

Part 3-2: Security risk assessment, system partitioning and security levels

Part 3-3: System security requirements and security levels

Part 4-1: Product development lifecycle

Part 4-2: Technical security requirements for IACS components

ISA Global Cybersecurity Alliance (ISAGCA)

Bridge the gap between publication of the 62443 standards and adoption by stakeholders.

– Awareness & Outreach

– Advocacy & Adoption

– Compliance & Prevention

– Training & Education

• Launched July 2019

• Goal is to complete 8 key projects in 2020

2020 ISAGCA Projects Underway

1. An easy-to-follow, condensed how-to guide to using the ISA/IEC 62443 series of standards (https://gca.isa.org/isagca-quick-start-guide-62443-standards)

2. A consolidated matrix that cross-references key cybersecurity standards to ISA/IEC 62443

3. A roadmap for expanded cooperation with worldwide governments that are currently referencing the standards in their regulatory requirements or recommended practices

4. Workforce development - A multi-dimensional reference guide mapping system lifecycle phases and stakeholder roles to specific automation cybersecurity knowledge, skills, and abilities needed to manage each phase

5. Industry vertical overlays to the ISA/IEC 62443 standards for building automation, medical devices; other sectors to be determined.

6. Speakers bureau - A database of speakers with expertise and experience in automation cybersecurity and associated commitments to speaking opportunities at industry events.

7. Additional projects in the evaluation/startup phase 20

Certification – ISASecure Certifications

• Security Development Lifecycle Assurance (SDLA)
– Certifies that the SDL of a Product Supplier meets requirements of 4-1

• System Security Assurance (SSA)
– Certifies that Control System products have capabilities to meet 3-3 and have been developed in accordance with an SDLA program.

• Component Security Assurance (CSA)
– Certifies that Component products have capabilities to meet 4-2 and have been developed in accordance with an SDLA program.
– Component types: Embedded device, Network device, Host device, and Software application

Certification – IECEE Conformity Assessment Schemes

Two types of Certificates of conformity are defined:

• Capability Assessment: An assessment of technical capabilities (3-3, 4-2) or process oriented capabilities (4-1, 2-4)

• Application of Capabilities Assessment: Use of Capability Assessed technical or process-oriented capability for a specific product or solution

Currently included in the program:

• ISA/IEC 62443-2-4: 2015/AMD1:2017

• ISA/IEC 62443-3-3: 2013

• ISA/IEC 62443-4-1: 2018

• ISA/IEC 62443-4-2: 2019

Certification – IECEE Conformity Assessment Schemes

The following types of Certificates of Conformity are defined:

• Product Capability Assessment
– IEC 62443-2-4, IEC 62443-3-3, IEC 62443-4-2

• Process Capability Assessment
– IEC 62443-2-4, IEC 62443-4-1

• Product Application of Capabilities Assessment
– IEC 62443-4-1

• Solution Application of Capabilities Assessment
– IEC 62443-2-4, IEC 62443-3-3

Conclusion

More Information…

• ISA99 committee page: http://www.isa.org/isa99

• Twitter: @ISA99Chair

• Committee Co-Chairs: [email protected]
– Eric Cosman
– Jim Gilsinn

• Managing Director
– Joe Weiss

• ISA Staff Contact
– Eliana Brazda [email protected]

Please provide contact information & area of expertise or interest

Questions