Security Levels in ISA-99 / IEC 62443

Pierre Kobes

Source: isa99.isa.org/.../ISA-99-Security_Levels_Proposal.pdf

Page 1

Summary

Assessment of the security protection of a plant

A Security Protection Level has to be assessed in a plant in operation. A Protection Level requires both:
- the fulfillment of the policies and procedures by the asset owner according to a Security Management System (Series 2), and
- the fulfillment of a Security Level of the solution operated by the asset owner to control the plant (Series 3).

Proposal:
- Assess the fulfillment of the policies and procedures according to the CMMI model.
- Assess the functional capabilities of the solution according to the SLs.
- Define Protection Levels (PLs) as a combination of both.

Assessment of the security capabilities of control systems and components

There is no direct relationship between Capability SLs as currently defined and component capability levels. There is no contribution of levels of the product development process to component capability levels.

Proposal:
- Control Systems: Assess the functional capabilities according to the Capability SLs (already described in the SAL vector concept). No explicit requirements to the components.
- Components: Specify the product development requirements without any level. Assess the fulfillment of the product development requirements according to the CMMI model. Assess the functional capabilities of the component according to the Component Feature Levels. Define Component Capability Levels (CCLs) as a combination of both.

Page 2

Outline

1. ISA-99 / IEC 62443 documents addressing policies and procedures vs. functional requirements

2. Assessment of protection levels of a plant
   - Solution vs. control system
   - Plant life cycle and product development
   - Requirements for the protection of a plant
   - The SLs concept is coherent for a solution and a control system
   - Proposal for Protection Levels (PLs)

3. Assessment of security capabilities of control systems and components
   - No direct relationship between capability SLs and Component Capability Levels (CCL)
   - No contribution of levels of the Product Development Requirements to the CCL
   - Proposal for Component Capability Levels (CCLs)

4. Summary of the ISA-99 / IEC 62443 documents relevant for the various assessment types

Page 3

ISA-99 / IEC 62443 covers requirements on processes / procedures as well as functional requirements

IEC 62443 / ISA-99 document map, with the rows General / Policies and procedures / System / Component and the axis processes / procedures vs. functional requirements:

General (Definitions, Metrics):
- 1-1 Terminology, concepts and models
- 1-2 Master glossary of terms and abbreviations
- 1-3 System security compliance metrics

Policies and procedures (Requirements to the security organization and processes of the plant owner and suppliers):
- 2-1 Establishing an IACS security program
- 2-2 Operating an IACS security program
- 2-3 Patch management in the IACS environment
- 2-4 Certification of IACS supplier security policies and practices

System (Requirements to a secure system):
- 3-1 Security technologies for IACS
- 3-2 Security assurance levels for zones and conduits
- 3-3 System security requirements and security assurance levels

Component (Requirements to secure system components):
- 4-1 Product development requirements
- 4-2 Technical security requirements for IACS products

Also shown on the slide: WIB M-2784 2.0

Page 4 (same document map as page 3)

Page 5

Outline (repeated): section 2, Assessment of protection levels of a plant

Page 6

A solution is a deployed control system to fulfill the protection requirements of a plant

Diagram, split into "Independent of plant environment" and "Plant environment":
- Product supplier develops the Control System as a combination of HMIs, PC devices, Network Devices, Software and PLCs (ISA-99 / IEC 62443 Series 4: Components).
- System Integrator deploys the control system to the Solution (ISA-99 / IEC 62443 Part 3-2 Zones and Conduits, Part 3-3 System requirements).
- Asset Owner specifies the required protection level of the plant.

Page 7

All stakeholders are involved in the protection of the plant during the plant life cycle

Diagram: project phases (System Design, FAT, SAT, Commissioning, Operation, Maintenance), each with its phase and the deliverable of that phase:
- Asset Owner: Requirement specification -> Required protection level of the plant.
- Product supplier: Product development -> Control System, as a combination of HMIs, PC devices, Network Devices, Software and PLCs.
- System Integrator: Solution deployment -> Solution (Project application, Configuration, User Mgmnt, Security settings).
- Asset Owner: Plant operation -> Solution (Security settings, Operational policies and procedures).

Page 8

Protection Level

A Security Protection Level has to be assessed in a plant in operation.

Diagram: the Asset Owner operates the Solution, and the Solution controls the Plant. The Protection Level is the sum of:
- Asset Owner has the appropriate policies and procedures in place -> Security Management System to operate a solution in a secure fashion (ISA-99 / IEC 62443 Series 2: Policies and Procedures)
+
- Solution fulfills the functional capabilities required by the target protection level of the plant -> Security Level (ISA-99 / IEC 62443 Series 3: System)

A Protection Level requires fulfillment of policies and procedures AND fulfillment of a Security Level of the solution.

Page 9

An assessment of the protection level is mainly relevant in a plant in operation

Diagram: plant life cycle phases Commissioning, Operation, Maintenance; the Asset Owner's phase is Plant operation, and its deliverable is the Solution with its Security settings and Operational policies and procedures.

Protection Level:
- Asset Owner has the appropriate policies and procedures in place -> Security Management System to operate a solution in a secure fashion
+
- Solution fulfills the functional capabilities required by the target protection level of the plant -> Security Level

Page 10

The concept of SL applies to a solution and a control system

IEC 62443 / ISA-99, System: 3-2 Security assurance levels for zones and conduits; 3-3 System security requirements and security assurance levels

SL 1 Protection against casual or coincidental violation
SL 2 Protection against intentional violation using simple means
SL 3 Protection against intentional violation using sophisticated means
SL 4 Protection against intentional violation using sophisticated means with extended resources

The concept of SL is coherent within Part 3-2 and Part 3-3:
1. Part 3-2: asset owner / system integrator define zones and conduits with target SLs
2. Part 3-3: product supplier provides system features according to capability SLs
3. In the project design phase capability SLs are deployed to match target SLs

Diagram: Risk assessment -> System architecture (zones, conduits) -> Target SLs; Control System features -> Capability SLs; Solution -> Achieved SLs.

Page 11

The concept of SL is coherent within Part 3-2 and Part 3-3

Diagram, split into "Independent of plant environment" and "Plant environment":
- Independent of plant environment: Control System; Control System features -> Capability SLs.
- Plant environment: Required protection level of the plant; Risk assessment -> System architecture (zones, conduits) -> Target SLs; Solution -> Achieved SLs (ISA-99 / IEC 62443 Part 3-2 Zones and Conduits, Part 3-3 System requirements).

Page 12

The SL concept is applicable mainly in the design phase of the plant life cycle

Diagram: project phases System Design, FAT, SAT, each with its phase and the deliverable of that phase:
- Product supplier: Product development -> Control System (Control System features -> Capability SLs).
- System Integrator: Solution deployment -> Solution (Project application, Configuration, User Mgmnt, Security settings; Solution -> Achieved SLs).
- Required protection level of the plant -> Risk assessment -> System architecture (zones, conduits) -> Target SLs.

Page 13

Protection Level

A protection level can only be assessed in a plant in operation.

- Asset Owner has the appropriate policies and procedures in place -> Security Management System to operate a solution in a secure fashion (ISA-99 / IEC 62443 Series 2: Policies and Procedures)
+
- Solution fulfills the functional capabilities required by the target protection level of the plant -> Security Level (ISA-99 / IEC 62443 Series 3: System)

Assessment type:
- Assessment of management system (e.g. ISO 9000, ISO 27000...): CMMI levels are appropriate
- Assessment of solution capabilities: Security Levels are appropriate

Page 14

Protection Level

- Asset Owner has the appropriate policies and procedures in place -> Security Management System to operate a solution in a secure fashion
+
- Solution fulfills the functional capabilities required by the target protection level of the plant -> Security Level

Proposal for the assessment of protection levels (CMMI level + SL):

PL    CMMI   SL
PL1   >1     1
PL2   >2     2
PL3   >3     3
PL4   >3     4

Page 15

Outline (repeated): section 3, Assessment of security capabilities of control systems and components

Page 16

Control system features are often realized by a combination of component features

Diagram: the Control System is built from HMIs, PC devices, Network Devices, Software and PLCs.
- Control System features -> (System) Capability SLs (ISA-99 / IEC 62443 3-3 System requirements)
- Component features -> Component Capability Levels (ISA-99 / IEC 62443 4-2 Technical security requirements for IACS products)
- Component features contribute to control system features, but there is no direct relationship between Component Capability Levels and (System) Capability SLs.

Page 17

Example from Identification and Authentication Control: there is no direct relationship between Component Capability Levels and (System) Capability SLs

Diagram: a control system with a PLC, an HMI, a Server and a Firewall, connected over a Terminal bus and a System bus, both marked trusted.

Extract of ISA-99.03.03, Draft 4 (System Requirement -> SL):

SR 1.1 The control system shall provide the capability to identify and authenticate all users (humans, software processes and devices). This capability shall enforce such identification and authentication on all interfaces which provide access to the control system to support segregation of duties and least privilege in accordance with applicable security policies and procedures. -> SL 1

SR 1.1 RE 1 The control system shall provide the capability to uniquely identify and authenticate all users (humans, software processes and devices). -> SL 2

SR 1.1 RE 2 The control system shall provide the capability to employ multifactor authentication for human user access to the control system via an untrusted network (see 4.12, SR 1.10 – Access via untrusted networks). -> SL 3

SR 1.1 RE 3 The control system shall provide the capability to employ multifactor authentication for all human user access to the control system. -> SL 4

The PLC has no user management. It has a managed communication to the HMI and can only be accessed via the HMI device. -> Regarding SR 1.1 the PLC has a low Component Capability Level.

Page 18

Example from Identification and Authentication Control

Diagram: the same control system (PLC, HMI, Server, Firewall; Terminal bus and System bus, both trusted).

Case 1: HMI fulfills only SR 1.1 -> SL 1
Case 2: HMI fulfills SR 1.1 and RE 1 and has multifactor authentication -> SL 4

In both cases the PLC has no user management. It has a managed communication to the HMI and can only be accessed via the HMI device. -> Regarding SR 1.1 the PLC has a low Component Capability Level.

Different capability SLs can be realized with the same Component Capability Level of the PLC. A requested capability SL does not require a given / minimum Component Capability Level of the Embedded Devices.

There is no direct relationship between Component Capability Levels and (System) Capability SLs.

Page 19

Component Capability Levels are only defined by component features

Diagram: components (HMIs, PC devices, Network Devices, Software, PLCs).
- Component features -> Component Capability Levels (ISA-99 / IEC 62443 4-2 Technical security requirements for IACS products)
- 4-1 Product development requirements -> Product Development Levels?

Product development levels don't contribute to Component Capability Levels.
-> Proposal: Specify the product development requirements without levels. Follow the CMMI approach.

Page 20

Component Capability Level

- Product Supplier has the appropriate policies and procedures in place -> Product Development Process to develop the product according to security requirements
+
- Component fulfills the functional capabilities required by the Component Capability Level -> Component (Security) Feature Level

Proposal for the assessment of Component Capability Levels (CMMI level + CFL):

CCL    CMMI   CFL
CCL1   >2     1
CCL2   >2     2
CCL3   >3     3
CCL4   >3     4
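The following Python is an added worked example, not code from the deck or from ISA-99: it models the SR 1.1 case study of pages 17 and 18 (the PLC's feature level stays at zero while the system capability SL follows the HMI that gates access to it) and the PL / CCL combination rules of pages 14 and 20. It generalizes the two cases to any set of components by taking the weakest access path as the system level; the feature names and the strict reading of the printed ">" thresholds are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# SR 1.1 and its requirement enhancements, each with the SL at which it is
# required (ISA-99.03.03 Draft 4 extract on page 17). The feature names are
# labels chosen for this example, not identifiers from the standard.
SR_1_1_LADDER = (
    (1, "identify_and_authenticate_all_users"),  # SR 1.1
    (2, "unique_identification"),                # SR 1.1 RE 1
    (3, "mfa_untrusted_network_access"),         # SR 1.1 RE 2
    (4, "mfa_all_human_access"),                 # SR 1.1 RE 3
)

@dataclass(frozen=True)
class Component:
    name: str
    features: FrozenSet[str]           # SR 1.1 features the component implements
    access_via: Optional[str] = None   # component that mediates all access to it

def feature_level(features: FrozenSet[str]) -> int:
    """Component Feature Level for SR 1.1: highest SL whose cumulative
    requirements (SR 1.1, then RE 1, RE 2, RE 3) are all implemented."""
    level = 0
    for sl, feature in SR_1_1_LADDER:
        if feature not in features:
            break
        level = sl
    return level

def system_capability_sl(components) -> int:
    """(System) Capability SL for SR 1.1. A component reachable only through
    another one (the PLC, only via the HMI) is protected by that gatekeeper's
    features; the system level is the weakest access path over all components."""
    by_name = {c.name: c for c in components}

    def gatekeeper(c: Component) -> Component:
        visited = set()
        while c.access_via is not None and c.name not in visited:
            visited.add(c.name)
            c = by_name[c.access_via]
        return c

    return min(feature_level(gatekeeper(c).features) for c in components)

# Combination rule of the PL and CCL proposals (pages 14 and 20). The slides print
# the CMMI column as ">1", ">2", ">3", ">3" (PL) and ">2", ">2", ">3", ">3" (CCL);
# treating these as strict comparisons is an assumption made in this example.
PL_CMMI_ABOVE = {1: 1, 2: 2, 3: 3, 4: 3}
CCL_CMMI_ABOVE = {1: 2, 2: 2, 3: 3, 4: 3}

def combined_level(cmmi: int, functional_level: int, thresholds) -> int:
    """Highest level n with functional_level >= n and cmmi > thresholds[n]; 0 if none."""
    achieved = 0
    for n in sorted(thresholds):
        if functional_level >= n and cmmi > thresholds[n]:
            achieved = n
    return achieved

def protection_level(cmmi: int, sl: int) -> int:
    return combined_level(cmmi, sl, PL_CMMI_ABOVE)

def component_capability_level(cmmi: int, cfl: int) -> int:
    return combined_level(cmmi, cfl, CCL_CMMI_ABOVE)

# Constructed sample from the deck's two cases: a PLC without user management,
# reachable only via the HMI, beside an HMI with two different feature sets.
PLC = Component("PLC", frozenset(), access_via="HMI")
HMI_CASE1 = Component("HMI", frozenset({"identify_and_authenticate_all_users"}))
HMI_CASE2 = Component("HMI", frozenset(f for _, f in SR_1_1_LADDER))

if __name__ == "__main__":
    print("PLC feature level:", feature_level(PLC.features))              # 0
    print("Case 1 system SL:", system_capability_sl([PLC, HMI_CASE1]))    # 1
    print("Case 2 system SL:", system_capability_sl([PLC, HMI_CASE2]))    # 4
    print("PL for CMMI 3 + SL 2:", protection_level(3, 2))                # 2
```

The PLC's feature level is 0 in both cases while the system reaches SL 1 or SL 4, which is the deck's point that a capability SL does not fix a minimum CCL for the embedded device.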

Page 21

Outline (repeated): section 4, Summary of the ISA-99 / IEC 62443 documents relevant for the various assessment types

Page 22

ISA-99 / IEC 62443 documents relevant for the assessment of the protection of a plant

Same document map as page 3 (General: 1-1, 1-2, 1-3; Policies and procedures: 2-1, 2-2, 2-3, 2-4; System: 3-1, 3-2, 3-3; Component: 4-1, 4-2). The slide marks "Assessment of the protection of a plant according to Protection Levels" across the policies and procedures documents (2-1 Establishing an IACS security program, 2-2 Operating an IACS security program, 2-3 Patch management in the IACS environment, 2-4 Certification of IACS supplier security policies and practices; requirements to the security organization and processes of the plant owner and suppliers) and the system documents (3-2 Security assurance levels for zones and conduits, 3-3 System security requirements and security assurance levels; requirements to a secure system).

Page 23

ISA-99 / IEC 62443 documents relevant for the assessment of the control system functional capabilities

Same document map as page 3. The slide marks "Assessment of the functional capabilities of a control system according to Capability SLs" on 3-3 System security requirements and security assurance levels (requirements to a secure system).

Page 24

ISA-99 / IEC 62443 documents relevant for the assessment of the component functional capabilities

Same document map as page 3. The slide marks "Assessment of the functional capabilities of components according to Component Capability Levels" on the component documents 4-1 Product development requirements and 4-2 Technical security requirements for IACS products (requirements to secure system components).