ISA Security Compliance Institute. ISASecure Embedded Device Security Assurance Certification



Similar documents
ISA Security. Compliance Institute. Role of Product Certification in an Overall Cyber Security Strategy

EDSA-300. ISA Security Compliance Institute Embedded Device Security Assurance ISASecure certification requirements

ISA Security Compliance Institute ISASecure IACS Certification Programs

ISA Security Compliance Institute

1 ISA Security Compliance Institute

ISA Security Compliance Institute

CSSC-CL Announces ISASecure Certification of Hitachi and Yokogawa Industrial Control Devices. ~For More Globally Competitive Control System Devices ~

EDSA-201. ISA Security Compliance Institute Embedded Device Security Assurance Recognition process for communication robustness testing tools

SSA-312. ISA Security Compliance Institute System Security Assurance Security development artifacts for systems

Best Practices for Securing an Intelligent Building Management System

Symphony Plus Cyber security for the power and water industries

Does Aligning Cyber Security and Process Safety Reduce Risk?

CSMS. Cyber Security Management System. Conformity Assessment Scheme

Security Certification A critical review

Secure Networks for Process Control

Industrial Cyber Security. Complete Solutions to Protect Availability, Safety and Reliability of Industrial Facilities

Cybersecurity in a Mobile IP World

CONTROL SYSTEM VENDOR CYBER SECURITY TRENDS INTERIM REPORT

Document ID. Cyber security for substation automation products and systems

Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, CASE: Implementation of Cyber Security for Yara Glomfjord

Deployment Guide. AX Series with Microsoft Office SharePoint Server

ABB Automation Days, Madrid, May 25 th and 26 th, Patrik Boo What do you need to know about cyber security?

ClickShare Network Integration

IBM Connections Cloud Security

Cyber Security focus in ABB: a Key issue. 03 Luglio 2014, Roma 1 Conferenza Nazionale Cyber Security Marco Biancardi, ABB SpA, Power System Division

CompTIA Network+ (Exam N10-005)

Vetting Smart Instruments for the Nuclear Industry

Protecting systems and patient privacy

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Goals. Understanding security testing

Cyber security measures in protection and control IEDs

Innovative Defense Strategies for Securing SCADA & Control Systems

Benefits of Network Level Security at the RTU Level. By: Kevin Finnan and Philippe Willems

Protecting Your Organisation from Targeted Cyber Intrusion

05.0 Application Development

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

ISA-99 Industrial Automation & Control Systems Security

Rethinking Cyber Security for Industrial Control Systems (ICS)

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Applying ISA/IEC to Control Systems MESAKNOWS. Graham Speake. Principal Systems Architect Yokogawa. Do you know MESA? Additional partner logos

LOGIIC Remote Access. Final Public Report. June LOGIIC - APPROVED FOR PUBLIC DISTRIBUTION

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R

GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems

This is a preview - click here to buy the full publication

How To Protect Your Network From Attack

Certification Report

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Deployment Guide. AX Series with Microsoft Exchange Server

Technical Information

Nakina Multi-Vendor Security Management Secure Your Network Operations

Safe Network Integration

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Achilles Assurance Platform. Dr. Nate Kube Founder / CTO Wurldtech

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

NERC CIP VERSION 5 COMPLIANCE

GE Measurement & Control. Cyber Security for NEI 08-09

TOP SECRETS OF CLOUD SECURITY

Cyber Security Design Methodology for Nuclear Power Control & Protection Systems. By Majed Al Breiki Senior Instrumentation & Control Manager (ENEC)

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

Asset Discovery with Symantec Control Compliance Suite

Technical Proposition. Security

Connecting to and Setting Up a Network

Leveraging Microsoft Privileged Identity Management Features for Compliance with ISO 27001, PCI, and FedRAMP

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

NERC CIP Version 5 and the PI System

North American Electric Reliability Corporation (NERC) Cyber Security Standard

TECHNICAL SPECIFICATION

March

FISMA / NIST REVISION 3 COMPLIANCE

TRIPWIRE NERC SOLUTION SUITE

ISACA rudens konference

Secure SCADA Network Technology and Methods

Reducing PCI Compliance Costs and Effort with SafeNet Transparent Tokenization

GOOD PRACTICE GUIDE PROCESS CONTROL AND SCADA SECURITY

MCITP MCITP: Enterprise Administrator on Windows Server 2008 (5 Modules)

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Waterfall for NERC-CIP Compliance

Professional Services Overview

Industrial Security Solutions

RuggedCom Solutions for

Acano solution. Security Considerations. August E

Frequently Asked Questions

LogRhythm and NERC CIP Compliance

SCADA Security Training

Managing the Transition of Your Applications to IPv6

How To Protect A Web Application From Attack From A Trusted Environment

TCP/IP ports on the CMM, IMM, IMM2, RSA II, BMC, and AMM management processors 1

INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT

Revision History Revision Date Changes Initial version published to

Deployment Guide. AX Series with Microsoft Office Communications Server

GoodData Corporation Security White Paper

CTS2134 Introduction to Networking. Module Network Security

Holistic View of Industrial Control Cyber Security

Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis

Frequently Asked Questions (FAQ) Guidelines for quality compliance of. eprocurement System?

How do you give cybersecurity the highest priority in your organization? Cyber Protection & Resilience Solutions from CGI

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

Transcription:

ISA Security Compliance Institute ISASecure Embedded Device Security Assurance Certification

Introduction The ISASecure program has been developed by an industry consortium called the ISA Security Compliance Institute (ISCI) with a goal to accelerate industry-wide improvement of cyber security for Industrial Automation and Control Systems (IACS). It achieves this goal by offering a common industry-recognized set of device and process requirements that drive device security, simplifying procurement for asset owners and device assurance for equipment vendors. This document provides an overview of the fi rst ISASecure certifi cation, which focuses on security of embedded devices and addresses device characteristics and supplier development practices for those devices. This certifi cation is the ISASecure Embedded Device Security Assurance Certifi cation, or ISASecure EDSA certifi cation. An embedded device that meets the requirements of the ISASecure specifi cations receives the ISASecure EDSA certifi cation a trademarked designation that provides instant recognition of product security characteristics and capabilities and provides an independent industry stamp of approval similar to a Safety Integrity Level Certifi cation (ISO/ IEC 61508). An embedded device is a special purpose device running embedded software designed to directly monitor, control, or actuate an industrial process (as defi ned by a work product of the ISA99 standards committee). Common examples are programmable logic controllers (PLCs), distributed control system (DCS) controllers, and remote terminal units (RTUs). The ISASecure EDSA certifi cation program offers three certifi cation levels for a device, offering increasing levels of device security assurance. These certifi cations are called ISASecure Level 1 for Devices, ISASecure Level 2 for Devices, and ISASecure Level 3 for Devices. All levels of certifi cation granted under this program contain the following technical elements: Software Development Security Assessment (SDSA) Functional Security Assessment (FSA) Communication Robustness Testing (CRT) SDSA and FSA requirements increase in rigor for levels 2 and 3, while CRT criteria are the same regardless of the certifi cation level. Figure 1 illustrates this concept. Level 1 Level 2 Level 3 Software Development Security Assessment Functional Security Assessment Communication Robustness Testing (all levels) Figure 1 - Structure of ISASecure EDSA Certification The remainder of this document further describes the three technical elements of certifi cation, the certifi cation levels, and the certifi cation program. This effort has leveraged communication robustness testing best practices available today in the marketplace to create a common industry-recognized standard for this kind of testing. It also followed and leveraged the parallel ISA99 standards efforts underway for embedded device cyber security requirements. When the ISA-99.04.01 standard is completed, the ISASecure EDSA certifi cation will be updated to serve as a compliance program for that standard. The ISASecure EDSA certifi cation program is similar in structure to functional safety certifi cation IEC 61508 which is a mature and broadly accepted program. The ISCI webpage, www.isasecure.org, describes how to participate in ISCI and this ongoing effort.

Technical Certification Elements For all levels of ISASecure EDSA certifi cation, a device undergoes a software development security assessment (SDSA), a functional security assessment (FSA), and communication robustness testing (CRT). The SDSA examines the process under which the device was developed. The FSA examines the security capabilities of the device, while recognizing that in some cases security functionality may be allocated to other components of the device s overall system environment. CRT examines the capability of the device to adequately maintain essential services while being subjected to normal and malformed network protocol traffi c at normal to extremely high traffi c rates (fl ood conditions). These tests include specifi c tests for susceptibility to known network attacks. The following sections further describe these technical certifi cation elements. Software Development Security Assessment At all levels, the SDSA covers requirements for the following development lifecycle phases: Security Management Process Security Requirements Specifi cation Software Architecture Design Security Risk Assessment and Threat Modeling Detailed Software Design Document Security Guidelines Software Module Implementation and Verifi cation Security Integration Testing Security Process Verifi cation Security Response Planning Security Validation Testing Security Response Execution An ISASecure auditor performs a SDSA audit based upon both document evidence submitted for the certifi cation and a site visit, including interviews of development personnel and managers. Basic criteria for passing a SDSA apply at all certifi cation levels and become more rigorous at higher certifi cation levels. For example, ISASecure devices at all certifi cation levels will have documented security requirements with a specifi ed content scope. A second example is that a change management process is required for all certifi cation levels; however, additional requirements may apply to this process for certifi cation levels 2 and 3. Functional Security Assessment The FSA examines the device from the point of view of required security capability and correct implementation. Security capabilities may be supported directly by the device itself or may be explicitly allocated to higher level components that support the device in its intended system environment. For example, in some cases a fi rewall with particular settings is required to be deployed along with the device to achieve adequate security. The FSA is organized using the accepted ISA99 Foundation Requirements found in ISA-99.03.03 System Security Requirements and Security Assurance Levels. The FSA covers the following areas, which are addressed by ISA-99.03.03: Access Control Use Control Data Integrity Data Confi dentiality Restricted Data Flow Timely Response to Event Network Resource Availability An ISASecure auditor performs the FSA based upon user and design documentation, documentation submitted specifi cally for the audit, and testing of the device itself. Basic criteria for passing an FSA apply at all levels of certifi cation with additional criteria being introduced at higher certifi cation levels. For example, ISASecure devices at all certifi cation levels must support automated enforcement of access control based on authentication of users, unless this functionality is allocated explicitly to a higher level component of the system architecture; while support for role-based access control is required for higher level certifi cations.

Communication Robustness Testing Communication robustness measures the extent to which network protocol implementations on an embedded device defend themselves and other device functions against unusual or intentionally malicious traffi c received from the network. Under the general concept called protocol fuzzing, invalid messages and sequences of messages are generated and sent to the device at varying traffi c rates. In addition, susceptibility to known attacks against each protocol will be tested as part of the certifi cation. Inappropriate message responses or failure of the device to continue to adequately maintain essential services demonstrate potential security vulner abilities within the device. Note that CRT does not examine the correctness of implementations or conformance to mandatory provisions of the controlling protocol standards. A key defi nition in ISASecure CRT is adequately maintain essential services. The following are always considered essential services: the process control/safety loop, process view, command (meaning change parameters of process control, such as setpoints), and process alarms. To pass the ISASecure communication robustness tests, the process control/safety loop must be maintained under all network traffi c conditions. Conversely, it is acceptable that other essential services may be lost due to interference from fl ooding on their own network interface, but not due to any other network traffi c conditions. Examples of other services that may be considered as essential services are those that provide critical process history information and peer-to-peer control communication. A certifi cation applicant may explicitly opt-out of testing for the behavior of these services if they are not relevant to their marketplace or architecture. ISCI will develop CRT specifi cations for the protocols in the table below, where the groups of protocols are arranged by priority with Group 1 being the highest priority. Tests for Group 1 protocols will be available for certifi cations at the rollout of this certifi cation program and tests for Groups 2 5 will be available in future releases of the ISASecure EDSA certifi cation program. Group 1 Group 2 Group 3 Group 4 Group 5 IEEE 802.3 (Ethernet) ARP IPv4 ICMPv4 TCP UDP BOOTP DHCP DNS NTP, SNTP FTP, TFTP HTTP SNMPv1-2 Telnet HTTPS TLS Modbus/TCP IPv6 OPC Ethernet/IP/CIP PROFINET FFHSE Selected wireless protocols/stacks with elements such as: - IEEE 802.11 - ISA100.11a - WirelessHART SNMPv3 SSH Server OPC-UA MMS IEC 61850 SMTP Table 1 - Protocols for ISASecure Communications Robustness Testing Any given embedded device will not support all of these certifi able protocols. A vendor will submit a confi guration for testing that enables all of their available software functionality. All protocols with ISCI test specifi cations, available at the time of the certifi cation and that are active in this confi guration, will be tested for all ISASecure EDSA certifi cation levels.

Frequently Asked Questions 1. What is the ISA Security Compliance Institute (ISCI)? Founded in 2007, the ISA Security Compliance Institute s mission is to provide the highest level of assurance possible for the cyber security of industrial automation control systems (IACS). ISCI is a non-profi t organization established by thought leaders from major organizations in the industrial automation controls community seeking to improve the cyber security posture of Critical Infrastructure for generations to come. ISCI s goals are realized through industry standards compliance programs, education, technical support, and improvements in suppliers development processes and users lifecycle management practices. ISCI membership is open to all interested organizations and individuals. For more information, visit www.isasecure.org. 2. Who will perform ISASecure EDSA certification assessment and testing? ISCI will accredit organizations (called certifi ers ) to perform these certifi cation evaluations. ISCI will also accredit test platforms designed to perform communication robustness testing for use by these organizations and by device vendors in preparation for certifi cation. 3. Who will grant ISASecure EDSA certifications? ISCI grants accredited certifi ers the right to grant ISASecure EDSA certifi cations for devices based upon the certifi er s tests and assessments conforming to ISASecure specifi cations. ISCI will publish a list of certifi ed products on its website (www.isasecure.org). 4. Which ISASecure EDSA certification will be available in 2010? Accredited certifi ers will be prepared to accept applications for ISASecure for Devices 2009 certifi cation, which will include all three certifi cation elements: software development security assessment (SDSA), functional security assessment (FSA), and communication robustness testing (CRT). CRT will include testing for the Group 1 protocols as shown in Table 1 (see previous page). 5. How were the ISASecure EDSA certification criteria developed? The ISASecure effort has leveraged the substantial existing work in general cyber security and process control system cyber security. The SDSA and FSA criteria are aligned, wherever possible, with draft work products of the ISA99 Standards committee. The SDSA requirements are ultimately traceable to requirements in the following source documents: Reference Sources for Software Development Security Assessment ISO/IEC 15408-1 through I5408-3 IEC 61508 Part 3 RTCA/DO-178B Information technology Security techniques Evaluation criteria for IT security Part 1 through Part 3 Functional safety of electrical/electronic/programmable electronic safety-related systems: Software Development Software Considerations in Airborne Systems and Equipment Certifications ISBN-13: 978-0735622142 The Security Development Lifecycle, M. Howard, S. Lipner, Microsoft Press (June 28, 2006) OWASP CLASP OWASP CLASP (Comprehensive, Lightweight Application Security Process)

The FSA requirements are ultimately traceable to requirements in the following source documents: Reference Sources for Functional Security Assessment ISA-99.03.03 Draft NERC Standards CIP-001-1 through CIP-001-9 System Security Requirements and Security Assurance Levels North American Electric Reliability Council Cyber Security Standards NIST 800-53 ISO/IEC 15408-1 through I5408-3 Recommended Security Controls for Federal Information Systems Information technology Security techniques Evaluation criteria for IT security Part 1 through Part 3 Department of Homeland Security: Catalog of Control Systems Security: Recommendations for Standards Developers Achieving an ISASecure EDSA certifi cation will not ensure compliance with the above standards. ISASecure EDSA certifi cation criteria were selected from these sources and refi ned by working groups of experts based upon application and importance to embedded device security. The CRT criteria were fi rst developed from principles based on relevant protocol standards by subject matter experts with assistance from existing organizations that perform this kind of testing. All ISASecure EDSA certifi cation criteria were reviewed and approved by both the ISCI membership and an external technical subject matter expert. 6. How does the ISASecure EDSA certification address proprietary protocols? ISCI will not directly address proprietary protocols as part of the CRT portion of the ISASecure EDSA certifi cation. CRT will focus on open-standards protocols that are used in IACS; conversely, the FSA and SDSA will provide assessments of the functional security of the IACS as well as the software development processes used to develop the IACS. The SDSA will assure that secure development processes are followed as part of protocol development, thus reducing the probability that a certifi ed embedded device contains common software errors which would lead to security and robustness issues. 7. How does the ISASecure EDSA certification address wireless capabilities? The initial ISASecure EDSA certifi cation will not apply to the wireless capabilities of embedded devices; however, ISCI plans to develop robustness test specifi cations for selected wireless protocols/stacks with elements such as IEEE 802.11, ISA100.11a, and WirelessHART. When these tests are available, they will become part of the communication robustness element of the ISASecure EDSA certifi cation. 8. How does the ISASecure EDSA certification address IPv6? The initial ISASecure EDSA certifi cation will address IPv4 and will not apply to the IPv6 capability of an embedded device; however, ISCI will develop communication robustness test specifi cations for IPv6 as IPv6 becomes a protocol used by IACS. 9. How are ISASecure EDSA certification levels related to ISA99 security assurance levels? ISASecure is based on published and draft standards from ISA99 in addition to other applicable standards. There is no formal relationship at this time between ISASecure EDSA certifi cation levels and ISA99 security assurance levels, but an effort has been made to align ISASecure EDSA levels with current ISA99 thinking. As the defi nitions for ISA99 security assurance levels are further developed, ISCI will examine more fully how these concepts are best coordinated. To achieve this coordination, ISCI and ISA99 have established a joint working group and a representative of the ISA99 committee holds a seat on the ISCI governing board. When the ISA-99.04.01 standard is completed, ISASecure will be updated to become the compliance program for that standard.

10. Will a vendor that has already obtained a certification for a device be allowed to submit those results for the ISASecure EDSA certification? Yes. ISCI has identifi ed specifi c certifi cations from which pre-existing artifacts may be offered as evidence for meeting specifi c certifi cation requirements in the ISASecure EDSA specifi cation. For example, an organization who has already received an IEC61508 certifi cation for a device may submit artifacts on their software development practices to satisfy specifi c requirements in the SDSA specifi cation section of the ISASecure EDSA certifi cation. 11. What is the process for recertification when a device is modified? A vendor that releases a modifi ed device may apply for recertifi cation of the modifi ed product. The applicant for recertifi cation will describe the changes in the new product in an ISCI-specifi ed format as well as provide an impact analysis of the change on FSA, SDSA, and CRT topic areas. For the FSA and SDSA, a similar discussion would determine which elements of these assessments would need to be revisited to support recertifi cation. In a simple CRT example, if a new product incorporated an enhanced control algorithm in the device but did not change any protocol stack, then no retesting would be needed. Modifi cations to be considered by the recertifi cation process include patches released to the fi eld. 12. What is the process for recertification as ISCI changes the ISASecure EDSA certification criteria, such as adding new protocols to the communication robustness tests? A device retains its certifi cation named for a designated year, even as ISASecure EDSA certifi cation requirements are subsequently updated. For example, even though ISASecure for Devices 2010 is updated to ISASecure for Devices 2011, the earlier certifi cation may still be displayed for a product. Whenever appropriate, ISCI will make available a set of delta test and assessment specifi cations to update a certifi cation to a later version of the same certifi cation; otherwise, a device would undergo the full certifi cation process required for the later certifi cation. Major changes from one year to the next that would require a full recertifi cation would be rare. Infrequently, the ISASecure EDSA certifi cation program will undergo signifi cant modifi cation at interim points within a year. For example, throughout 2010, as part of the ramp-up of the certifi cation program, CRT for a number of protocols will come on line, which means a device would be certifi ed with a designation such as ISASecure for Devices 2010.1, 2010.2, and so on. The certifi cation process will include determination by ISCI of the yearly and interim certifi cation updates for which a vendor certifi cation refresh is recommended. For example, consider the situation that in mid-2011 wireless protocols are added to communication robustness testing. Devices that have ISASecure for Devices 2010 certifi cation still retain that certifi cation. At their option, and based on marketplace demand, a vendor may opt to upgrade its certifi cation to test its wireless capability as required to obtain ISASecure for Devices 2011 certifi cation. 13. How will ISCI protect proprietary information required for the certification assessments? Part of the ISCI accreditation process for certifi ers will examine their process for protecting proprietary information of certifi cation applicants. This information will be available only to the certifi er and only on a need-to-know basis to those personnel involved in certifi cation activities. The ISCI organization itself will not have access to the proprietary information of certifi cation applicants.

About ASCI and the ISA Security Compliance Institute The Automation Standards Compliance Institute (ASCI) is a non-profi t organization incorporated by the International Society of Automation (ISA) in 2006 to provide a home for certifi cation, conformance, and compliance assessment activities in the automation arena. ASCI extends the work that ISA has conducted for over 50 years in standards development by facilitating the effective implementation of automation industry standards. ISA provides professional management services to ASCI, drawing on an experienced staffi ng, fi nancial, and administrative infrastructure. The ISA Security Compliance Institute (ISCI) functions as an operational group within ASCI. ASCI bylaws share the open constructs of ISA while accounting for compliance organization requirements. Operating the ISCI within ASCI allows the organization to efficiently leverage the organizational infrastructure of ASCI. For more information about the ISA Security Compliance Institute, visit www.isasecure.org. How to Join the ISA Security Compliance Institute Interested organizations and individuals may join at any time. Please feel free to contact us for more details using the contact information below. Membership application forms, including member fees and mailing instructions, are available for download at www.isasecure.org. Contact Information Andre Ristaino Managing Director, Automation Standards Compliance Institute Direct 919-990-9222 Fax 919-549-8288 Email aristaino@isa.org www.isasecure.org ISA Security Compliance Institute 67 Alexander Drive PO Box 12277 Research Triangle Park, NC 27709 Copyright 2010 ASCI - Automation Standards Compliance Institute All rights reserved. 6-0-3526-0310

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information