Markus Bartsch
German Industrial Security Standard and Application Status
RAMI - ICS - SQ - 62443
1 © TÜV Informationstechnik GmbH
German Approach: 3 parallel Activities
Legal Framework / CIP
Models & Methods
Technologies
RAMI Reference Architecture Model Industry 4.0
RAMI OT Levels
Layers: Business, Functional, Information, Communication, Integration, Asset
Hierarchy Levels IEC 62264 // IEC 61512
OT ICS / SCADA
(Office-) IT
RAMI Hierarchy „Work Center“
Common Criteria
RAMI ICS - Hierarchies
IoT: Industrial Control System (ICS) Security Compendium 2 Parts: Operator / Vendor
ICS Security Compendium - part 1 Content
Threats of IT Security
Introduction
Best Practice Guide for Operators
Methods for Audits of ICS-Installations
Research and Trends
Organizations, Associations and their Standards
Basics of ICS
Summary and next steps
ICS Security Compendium - part 1 Audit Methods – Subject Levels
Subject Levels
Device
Application
Field Process Management
ICS Security
Tests
RAMI ICS - Hierarchies
Evaluation Aspects Security Qualification (SQ)®
Change Management
Weakness Analyses and Penetration Tests
Source Code Analyses
Operating Rules
Development Process
Architecture and Design
Technical Security Requirements
IT-Systems
IT-Products
Installation and Operation
Life Cycle
Security Assurance Level for IT Systems
Security Assurance Level | Certifiable | Technical Security Requirements | Architecture and Design | Installation and Operation | Weakness analysis and Penetration Tests | Change Management
SEAL-1 X
SEAL-2 X X
SEAL-3 X X X
SEAL-4 X X X X
SEAL-5 X X X X X
Security Assurance Level for IT Products
Security Assurance Level | Certifiable | Technical Security Requirements | Architecture and Design | Development Process | Operating rules | Weakness analysis and Penetration Tests | Source Code Analyses | Change Management
SEAL-1 X
SEAL-2 X X
SEAL-3 X X X X
SEAL-4 X X X X X X
SEAL-5 X X X X X X X
IEC 62443 Structure
IEC 62443-4-2 Example of CR 1: Identification and Authentication (IAC)
SL 1 SL 2 SL 3 SL 4
1. IAC of Human Users X X X X
    Unique IAC X X X
    Multifactor Auth for untrusted networks X X
    Multifactor Auth for all networks X
2. IAC of procs & devices X X X
    Unique IAC X X
3. Account Management X X X X
    Unique Account Management - -
4. Identifier Management X X X X
5. Authenticator Management X X X X
    Hardware Security for software process ID credentials X X
6. Wireless Access Management (in case of wireless) N N N N
    Unique IAC N N N
7. Strength of Password Auth X X X X
    Password generation & lifetime restrc. (human users) X X
    Password Lifetime restriction for all users X
8. PKI Certificates (in case PKI is supported) X X X
9. Strength of public key Auth (in case PKI is supported) X X X
    Hardware Security for PKI Authentication X X
10. Authenticator Feedback (in case authentication cap. is provided) X X X X
11. Unsuccessful Login Attempts (in case authentication cap. is provided) X X X X
12. System Use Notification (in case local authentication) X X X X
13. Access via untrusted networks N N N N
    Explicit access request approval N N N
14. Strength of symmetric key Auth (in case of sym. key auth) X X X
    19790 Lev 3 X X
    19790 Lev 4 X
IEC 62443-4-2
CR 1 – Identification and Authentication (IAC)
CR 2 – Use Control (UC)
CR 3 – System Integrity (SI)
CR 4 – Data Confidentiality (DC)
CR 5 – Restricted Data Flow (RDF)
CR 6 – Timely Response to Events (TRE)
CR 7 – Resource Availability (RA)
Mapping: SQ 62443-4-1 (1)
Security by Design
Secure Implementation
Security Verification & Validation Testing
Security Update Management
Security Defect Management
Change Management
Weakness Analyses / Penetration Tests
Source Code Analyses
Operating Rules
Development Process
Architecture and Design
Technical Security Requirements
Defense-in-Depth
Mapping: SQ 62443-4-1 (3)
Security Update Management
Security Verification & Validation Testing
Secure Implementation
Security Guidelines
Security Management
Security by Design
Spec. of Security Requirements
Security by Design (Architecture & Design)
Secure Implementation (Source Code Analyses)
Security Verification & Validation Testing (Weakness Analyses Penetration Tests)
Security Update Management
Security Defect Management
Defense-in-Depth
Security Defect Management
SQ conform to 62443-4-1 (1)
Security Assurance Level | Certifiable | Spec of Security Requirements | Security by Design | Security Management | Security Guidelines | Security Validation & Verification Testing | Secure Implementation | Security Update & Security Defect Management
SEAL-1 X
SEAL-2 X X
SEAL-3 X X X X
SEAL-4 X X X X X X
SEAL-5 X X X X X X X
SQ conform to 62443-4-1 (2): SEAL-3
Security Assurance Level | Certifiable | Spec of Security Requirements | Security by Design | Security Management | Security Guidelines | Security Validation & Verification Testing | Secure Implementation | Security Update & Security Defect Management
SEAL-1 X
SEAL-2 X X
SEAL-3 X X X X
SEAL-4 X X X X X X
SEAL-5 X X X X X X X
SQ, SEAL-3 62443-4-1
Security Update Management
Security Verification & Validation Testing
Secure Implementation
Security Guidelines
Security Management
Security by Design
Spec. of Security Requirements
Security by Design (Architecture & Design)
Secure Implementation (Source Code Analyses)
Security Update Management
Security Defect Management
Security Defect Management
Defense-in-Depth
Security Verification & Validation Testing (Weakness Analyses Penetration Tests)
RAMA – RAMI – SGAM
Thank you very much for your attention!
TÜV Informationstechnik GmbH
Member of TÜV NORD Group
Markus Bartsch
IT Security
Langemarckstrasse 20
45141 Essen, Germany
Phone: +49 201 8999 – 616
Fax: +49 201 8999 – 666
E-Mail: [email protected]
URL: www.tuvit.net