Security Levels in ISA-99 / IEC 62443

Transcription

1 Summary Assessment of the security protection of a plant A Security Protection Level has to be assessed in a plant in operation A Protection Level requires both: The fulfillment of the policies and procedures by the asset owner according to a Security Management (Series 2) and The fulfillment of a Security Level of the solution operated by the asset owner to control the plant (Series 3) Proposal: Assess the fulfillment of the policies and procedures according to the CMMI model Assess the functional capabilities of the solution according to the SLs Define Protection Levels (PLs)as a combination of both Assessment of the security capabilities of control systems and components There is no direct relationship between Capability SLs as currently defined and component capability levels There is no contribution of levels of the product development process to component capability levels Proposal: Control s: Assess the functional capabilities according to the Capability SLs (already described in the SAL vector concept). No explicit requirements to the components. Components: Specify the product development requirements without any level Assess the fulfillment of the product development requirements according to the CMMI model Assess the functional capabilities of the component according to the Component Feature Levels Define Component Capability Levels (CCLs) as a combination of both

2 Outline 1. ISA-99 / IEC documents addressing policies and procedures vs. functional requirements 2. Assessment of protection levels of a plant vs. control system Plant life cycle and product development Requirements for the protection of a plant The SLs concept is coherent for a solution and a control system Proposal for Protection Levels (PLs) 3. Assessment of security capabilities of control systems and components No direct relationship between capability SLs and Component Capability Levels (CCL) No contribution of levels of the Product Development Requirements to the CCL Proposal for Componet Capability Levels (CCLs) 4. Summary if ISA-99 / IEC relevant document for the various assessments types

3 ISA-99 / IEC covers requirements on processes / procedures as well as functional requirements IEC / ISA-99 General Policies and procedures Component 1-1 Terminology, concepts and models 2-1 Establishing an IACS security program 3-1 Security technologies for IACS 4-1 Product development requirements 1-2 Master glossary of terms and abbreviations 1-3 security compliance metrics Definitions Metrics WIB M Operating an IACS security program 2-3 Patch management in the IACS environment 2-4 Certification of IACS supplier security policies and practices Requirements to the security organization and processes of the plant owner and suppliers 3-2 Security assurance levels for zones and conduits 3-3 security requirements and security assurance levels Requirements to a secure system Functional requirements 4-2 Technical security requirements for IACS products Requirements to secure system components Processes / procedures

4 ISA-99 / IEC covers requirements on processes / procedures as well as functional requirements IEC / ISA-99 General Policies and procedures Component 1-1 Terminology, concepts and models 2-1 Establishing an IACS security program 3-1 Security technologies for IACS 4-1 Product development requirements 1-2 Master glossary of terms and abbreviations 2-2 Operating an IACS security program 3-2 Security assurance levels for zones and conduits 4-2 Technical security requirements for IACS products 1-3 security compliance metrics 2-3 Patch management in the IACS environment 2-4 Certification of IACS supplier security policies and practices 3-3 security requirements and security assurance levels Definitions Metrics Requirements to the security organization and processes of the plant owner and suppliers Requirements to a secure system Functional requirements Requirements to secure system components Processes / procedures

5 Outline 1. ISA-99 / IEC documents addressing policies and procedures vs. functional requirements 2. Assessment of protection levels of a plant vs. control system Plant life cycle and product development Requirements for the protection of a plant The SLs concept is coherent for a solution and a control system Proposal for Protection Levels (PLs) 3. Assessment of security capabilities of control systems and components No direct relationship between capability SLs and Component Capability Levels (CCL) No contribution of levels of the Product Development Requirements to the CCL Proposal for Componet Capability Levels (CCLs) 4. Summary if ISA-99 / IEC relevant document for the various assessments types

6 A solution is a deployed control system to fulfill the protection requirements of a plant Plant environment Asset Owner specifies Required protection level of the plant ISA-99 IEC Integrator deploys the control system to Part 3-2 Zones and Conduits Product supplier develops Independent of plant environment Control as a combination of PLCs HMIs PC devices Network Devices Software Part 3-3 requirements Series 4 Components

7 All stakeholder are involved in the protection of the plant during plant life cycle Product supplier Product development Phase PLCs Control as a combination of Network Devices HMIs PC devices Software Asset Owner Requirement specification Required protection level of the plant Deliverable of a phase Project phases Design FAT SAT Commissioning Operation Maintenance Integrator Asset Owner deployment Project application Configuration User Mgmnt Security settings Project application Configuration User Mgmnt Security settings Security settings Operational policies and procedures Security settings Operational policies and procedures Plant operation

8 A Security Protection Level has to be assessed in a plant in operation operates Asset Owner Protection Level Has the appropriate policies and procedures in place -> Security Management to operate in a secure fashion a solution Fulfills the functional capabilities required by the target protection level of the plant -> Security Level ISA-99 IEC Series 2 Policies and Procedures Series 3 controls Plant A Protection Level requires Fulfillment of policies and procedures AND Fulfillment of a Security Level of the solution

9 An assessment of the protection level is mainly relevant in a plant in operation Phase Deliverable of a phase Protection Level fulfills the functional capabilities required by the target protection level of the plant -> Security Level Commissioning Operation Maintenance Asset Owner Asset Owner has the appropriate policies and procedures in place -> Security Management to operate in a secure fashion a solution Security settings Operational policies and procedures Security settings Operational policies and procedures Plant operation

10 The concept of SL applies to a solution and a control system IEC / ISA-99 SL 1 SL 2 SL 3 SL 4 Protection against casual or coincidental violation Protection against intentional violation using simple means Protection against intentional violation using sophisticated means Protection against intentional violation using sophisticated means with extended resources 3-2 Security assurance levels for zones and conduits 3-3 security requirements and security assurance levels Risk assessment architecture zones, conduits Target SLs Achieved SLs Capabilty SLs Control features The concept of SL is coherent within Part 3-2 and Part 3-3: 1. Part 3-2: asset owner / system integrator define zones and conduits with target SLs 2. Part 3-3: product supplier provides system features according to capability SLs 3. In the project design phase capability SLs are deployed to match target SLs

11 The concept of SL is coherent within Part 3-2 and Part 3-3 Plant environment Required protection level of the plant ISA-99 IEC Part 3-2 Zones and Conduits Risk assessment architecture zones, conduits Target SLs Achieved SLs Control Part 3-3 requirements Capabilty SLs Control features Independant of plant environment

12 The SL concept is applicable mainly in the design phase of the plant life cycle Product supplier Product development Phase Control Capabilty SLs Control features Required protection level of the plant Deliverable of a phase Project phases Design FAT SAT Integrator Risk assessment deployment Project application Configuration User Mgmnt Security settings Project application Configuration User Mgmnt Security settings architecture zones, conduits Target SLs Achieved SLs

13 A protection level can only be assessed in plant in operation Protection Level Asset Owner has the appropriate policies and procedures in place -> Security Management to operate in a secure fashion a solution fulfills the functional capabilities required by the target protection level of the plant -> Security Level ISA-99 IEC Series 2 Policies and Procedures Series 3 Assessment type Assessment of management system (e.g. ISO 9000, ISO ) CMMI levels are appropriate Assessment of solution capabilities Security Levels are appropriate

14 Proposal for the assessment of protection levels Protection Level PL1 PL2 PL3 PL4 Asset Owner has the appropriate policies and procedures in place -> Security Management to operate in a secure fashion a solution CMMI >1 >2 >3 >3 fulfills the functional capabilities required by the target protection level of the plant -> Security Level SL

15 Outline 1. ISA-99 / IEC documents addressing policies and procedures vs. functional requirements 2. Assessment of protection levels of a plant vs. control system Plant life cycle and product development Requirements for the protection of a plant The SLs concept is coherent for a solution and a control system Proposal for Protection Levels (PLs) 3. Assessment of security capabilities of control systems and components No direct relationship between capability SLs and Component Capability Levels (CCL) No contribution of levels of the Product Development Requirements to the CCL Proposal for Componet Capability Levels (CCLs) 4. Summary if ISA-99 / IEC relevant document for the various assessments types

16 Control system features are often realized by a combination of component features ISA-99 IEC Control Control features () Capabilty SLs 3-3 requirements contribute to No direct relationship PLCs HMIs PC devices Component features Network Devices Software Component Capabilty Levels 4-2 Technical security requirements for IACS products There no direct relationship between Component Capability Levels and () Capability SLs

17 Example from Identification and Authentication Control There no direct relationship between Component Capability Levels and () Capability SLs Control system HMI Terminal bus trusted Server bus trusted Firewall Extract of ISA , Draft 4 Requirement SR 1.1 The control system shall provide the capability to identify and authenticate all users (humans, software processes and devices). This capability shall enforce such identification and authentication on all interfaces which provide access to the control system to support segregation of duties and least privilege in accordance with applicable security policies and procedures. SR 1.1 RE 1 The control system shall provide the capability to uniquely identify and authenticate all users (humans, software processes and devices) SR 1.1 RE 2 The control system shall provide the capability to employ multifactor authentication for human user access to the control system via an untrusted network (see 4.12, SR 1.10 Access via untrusted networks). SR 1.1 RE 3 The control system shall provide the capability to employ multifactor authentication for all human user access to the control system. SL PLC PLC has no user management. Has a managed communication to the HMI and can only be accessed via the HMI device. -> Regarding SR 1.1 the PLC has a low Component Capability Level

18 Example from Identification and Authentication Control Control system HMI Terminal bus trusted Server bus trusted Firewall PLC Case 1 HMI fulfills only SR 1.1 PLC has no user management. Has a managed communication to the HMI and can only be accessed via the HMI device. -> Regarding SR 1.1 the PLC has a low Component Capability Level SL 1 Case 2 HMI fulfills SR 1.1 and RE 1 and has multifactor authentication PLC has no user management. Has a managed communication to the HMI and can only be accessed via the HMI device. -> Regarding SR 1.1 the PLC has a low Component Capability Level Different capability SLs can be realized with the same Component Capabilty Level of the PLC A requested capability SL does not require a given / minimum Component Capability Level of the Embedded Devices SL 4 There no direct relationship between Component Capability Levels and () Capability SLs

19 Components Capability Levels are only defined by component features Component features ISA-99 IEC PLCs HMIs PC devices Network Devices Software Component Capabilty Levels 4-2 Technical security requirements for IACS products Product Development Levels? 4-1 Product development requirements Product development levels don t contribute to Component Capability Levels -> Proposal: Specify the product development requirements without levels Follow the CMMI approach

20 Proposal for the assessment of Component Capability Levels Component Capabilty Level CCL1 CCL2 CCL3 CCL4 Product Supplier has the appropriate policies and procedures in place -> Product Development Process to develop the product according to security requirements CMMI >2 >2 >3 >3 Component fulfills the functional capabilities required by the Component Capability Level -> Component (Security) Feature Level CFL

21 Outline 1. ISA-99 / IEC documents addressing policies and procedures vs. functional requirements 2. Assessment of protection levels of a plant vs. control system Plant life cycle and product development Requirements for the protection of a plant The SLs concept is coherent for a solution and a control system Proposal for Protection Levels (PLs) 3. Assessment of security capabilities of control systems and components No direct relationship between capability SLs and Component Capability Levels (CCL) No contribution of levels of the Product Development Requirements to the CCL Proposal for Componet Capability Levels (CCLs) 4. Summary if ISA-99 / IEC relevant document for the various assessments types

22 ISA-99 / IEC documents relevant for the assessment of the protection of a plant IEC / ISA-99 General Policies and procedures Component Assessment 1-1 Terminology, concepts of the and models protection of a plant according to Protection Levels 1-2 Master glossary of terms and abbreviations 2-1 Establishing an IACS security program 2-2 Operating an IACS security program 3-1 Security technologies for IACS 3-2 Security assurance levels for zones and conduits 4-1 Product development requirements 4-2 Technical security requirements for IACS products 1-3 security compliance metrics 2-3 Patch management in the IACS environment 2-4 Certification of IACS supplier security policies and practices 3-3 security requirements and security assurance levels Definitions Metrics Requirements to the security organization and processes of the plant owner and suppliers Requirements to a secure system Functional requirements Requirements to secure system components Processes / procedures

23 ISA-99 / IEC documents relevant for the assessment of the control system functional capabilities IEC / ISA-99 General Assessment 1-1 Terminology, concepts of the and models functional capabilties of a control system 1-2 Master glossary of according terms and abbreviations to Capabilty SLs 1-3 security compliance metrics Policies and procedures 2-1 Establishing an IACS security program 2-2 Operating an IACS security program 2-3 Patch management in the IACS environment 2-4 Certification of IACS supplier security policies and practices 3-1 Security technologies for IACS 3-2 Security assurance levels for zones and conduits 3-3 security requirements and security assurance levels Component 4-1 Product development requirements 4-2 Technical security requirements for IACS products Definitions Metrics Requirements to the security organization and processes of the plant owner and suppliers Requirements to a secure system Functional requirements Requirements to secure system components Processes / procedures

24 ISA-99 / IEC documents relevant for the assessment of the component functional capabilities IEC / ISA-99 General 1-3 security compliance metrics Policies and procedures Assessment 1-1 Terminology, concepts of the and models functional capabilties of components 1-2 Master glossary of according terms and abbreviations to Component Capability Levels 2-1 Establishing an IACS security program 2-2 Operating an IACS security program 2-3 Patch management in the IACS environment 2-4 Certification of IACS supplier security policies and practices 3-1 Security technologies for IACS 3-2 Security assurance levels for zones and conduits 3-3 security requirements and security assurance levels Component 4-1 Product development requirements 4-2 Technical security requirements for IACS products Definitions Metrics Requirements to the security organization and processes of the plant owner and suppliers Requirements to a secure system Functional requirements Requirements to secure system components Processes / procedures