Markus Bartsch German Industrial Security Standard and Application Status RAMI - ICS - SQ - 62443

Page 1

Markus Bartsch

German Industrial Security Standard and Application Status

RAMI - ICS - SQ - 62443

Page 2

1 © TÜV Informationstechnik GmbH

German Approach 3 parallel Activities

Legal Framework / CIP

Models & Methods

Technologies

Page 3

RAMI Reference Architecture Model Industry 4.0

Layers

Page 4

RAMI OT Levels

Business

Functional

Information

Integration

Asset

Layers

Hierarchy Levels IEC 62264 // IEC 61512

Communication

OT ICS / SCADA

(Office-) IT

Page 5

RAMI Hierarchy „Work Center“

Layers

Page 6

Common Criteria

Page 7

RAMI ICS - Hierarchies

Layers

Page 8

IoT: Industrial Control System (ICS) Security Compendium 2 Parts: Operator / Vendor

Layers

supported by:

Page 9

ICS Security Compendium - part 1 Content

Threats of IT Security

Introduction

Best Practice Guide for Operators

Methods for Audits of ICS-Installations

Research and Trends

Organizations, Associations and their Standards

Basics of ICS

Summary and next steps

Page 10

ICS Security Compendium - part 1 Audit Methods – Subject Levels

Subject Levels

Device

Application

Field Process Management

ICS Security

Tests

Page 11

RAMI ICS - Hierarchies

Layers

Page 12

Evaluation Aspects Security Qualification (SQ)®

Change Management

Weakness Analyses and Penetration Tests Source Code Analyses

Operating Rules Development Process

Architecture and Design

Technical Security Requirements

IT-Systems IT-Products

Installation and Operation

Life Cycle

Page 13

Security Assurance Level for IT Systems

Columns: Security Assurance Level; Certifiable; Technical Security Requirements; Architecture and Design; Installation and Operation; Weakness analysis and Penetration Tests; Change Management

SEAL-1 X

SEAL-2 X X

SEAL-3 X X X

SEAL-4 X X X X

SEAL-5 X X X X X

Page 14

Security Assurance Level for IT Products

Columns: Security Assurance Level; Certifiable; Technical Security Requirements; Architecture and Design; Development Process; Operating rules; Weakness analysis and Penetration Tests; Source Code Analyses; Change Management

SEAL-1 X

SEAL-2 X X

SEAL-3 X X X X

SEAL-4 X X X X X X

SEAL-5 X X X X X X X

Page 15

IEC 62443 Structure


Page 16

IEC 62443-4-2 Example of CR 1: Identification and Authentication (IAC)

SL 1 SL 2 SL 3 SL 4

1. IAC of Human Users X X X X
   Unique IAC X X X
   Multifactor Auth for untrusted networks X X
   Multifactor Auth for all networks X

2. IAC of procs & devices X X X
   Unique IAC X X

3. Account Management X X X X
   Unique Account Management - -

4. Identifier Management X X X X

5. Authenticator Management X X X X
   Hardware Security for software process ID credentials X X

6. Wireless Access Management (in case of wireless) N N N N
   Unique IAC N N N

7. Strength of Password Auth X X X X
   Password generation & lifetime restrc. (human users) X X
   Password Lifetime restriction for all users X

8. PKI Certificates (in case PKI is supported) X X X

9. Strength of public key Auth (in case PKI is supported) X X X
   Hardware Security for PKI Authentication X X

10. Authenticator Feedback (in case authentication cap. is provided) X X X X

11. Unsuccessful Login Attempts (in case authentication cap. is provided) X X X X

12. System Use Notification (in case local authentication) X X X X

13. Access via untrusted networks N N N N
    Explicit access request approval N N N

14. Strength of symmetric key Auth (in case of sym. key auth) X X X
    19790 Lev 3 X X
    19790 Lev 4 X


Page 17

IEC 62443-4-2


CR 1 – Identification and Authentication (IAC)
CR 2 – Use Control (UC)
CR 3 – System Integrity (SI)
CR 4 – Data Confidentiality (DC)
CR 5 – Restricted Data Flow (RDF)
CR 6 – Timely Response to Events (TRE)
CR 7 – Resource Availability (RA)

Page 18

Mapping: SQ 62443-4-1 (1)


Security by Design

Secure Implementation

Security Verification & Validation Testing

Security Update Management

Security Defect Management

Change Management

Weakness Analyses / Penetration Tests

Source Code Analyses

Operating Rules

Development Process

Architecture and Design

Technical Security Requirements

Defense-in-Depth

Page 19

Mapping: SQ 62443-4-1 (3)


Security Update Management

Security Verification & Validation Testing

Secure Implementation

Security Guidelines

Security Management

Security by Design

Spec. of Security Requirements

Security by Design

(Architecture & Design)

Secure Implementation

(Source Code Analyses)

Security Verification & Validation Testing

(Weakness Analyses Penetration Tests)

Security Update Management

Security Defect Management

Defense-in-Depth

Security Defect Management

Page 20

SQ conform to 62443-4-1 (1)

Columns: Security Assurance Level; Certifiable; Spec of Security Requirements; Security by Design; Security Management; Security Guidelines; Security Validation & Verification Testing; Secure Implementation; Security Update & Security Defect Management

SEAL-1 X

SEAL-2 X X

SEAL-3 X X X X

SEAL-4 X X X X X X

SEAL-5 X X X X X X X

Page 21

SQ conform to 62443-4-1 (2): SEAL-3

Columns: Security Assurance Level; Certifiable; Spec of Security Requirements; Security by Design; Security Management; Security Guidelines; Security Validation & Verification Testing; Secure Implementation; Security Update & Security Defect Management

SEAL-1 X

SEAL-2 X X

SEAL-3 X X X X

SEAL-4 X X X X X X

SEAL-5 X X X X X X X

Page 22

SQ, SEAL-3 62443-4-1


Security Update Management

Security Verification & Validation Testing

Secure Implementation

Security Guidelines

Security Management

Security by Design

Spec. of Security Requirements

Security by Design

(Architecture & Design)

Secure Implementation

(Source Code Analyses)

Security Update Management

Security Defect Management

Security Defect Management

Defense-in-Depth

Security Verification & Validation Testing

(Weakness Analyses Penetration Tests)

Page 23

RAMA – RAMI – SGAM


Page 24

Thank you very much for your attention!

TÜV Informationstechnik GmbH

Member of TÜV NORD Group
Markus Bartsch
IT Security
Langemarckstrasse 20
45141 Essen, Germany
Phone: +49 201 8999 – 616
Fax: +49 201 8999 – 666
E-Mail: [email protected]
URL: www.tuvit.net