ISA Security Compliance Institute



Similar documents
ISA Security Compliance Institute

1 ISA Security Compliance Institute

ISA Security Compliance Institute ISASecure IACS Certification Programs

ISA Security. Compliance Institute. Role of Product Certification in an Overall Cyber Security Strategy

CSSC-CL Announces ISASecure Certification of Hitachi and Yokogawa Industrial Control Devices. ~For More Globally Competitive Control System Devices ~

SSA-312. ISA Security Compliance Institute System Security Assurance Security development artifacts for systems

ISA Security Compliance Institute. ISASecure Embedded Device Security Assurance Certification

EDSA-300. ISA Security Compliance Institute Embedded Device Security Assurance ISASecure certification requirements

Does Aligning Cyber Security and Process Safety Reduce Risk?

Applying ISA/IEC to Control Systems MESAKNOWS. Graham Speake. Principal Systems Architect Yokogawa. Do you know MESA? Additional partner logos

Security Standards Overview

Industrial Control System Cyber Security

EDSA-201. ISA Security Compliance Institute Embedded Device Security Assurance Recognition process for communication robustness testing tools

Rethinking Cyber Security for Industrial Control Systems (ICS)

Frequently Asked Questions

CSMS. Cyber Security Management System. Conformity Assessment Scheme

Revision History Revision Date Changes Initial version published to

Industrial Cyber Security. Complete Solutions to Protect Availability, Safety and Reliability of Industrial Facilities

Is your current safety system compliant to today's safety standard?

Innovative Defense Strategies for Securing SCADA & Control Systems

Cybersecurity in a Mobile IP World

This is a preview - click here to buy the full publication

Fire and Gas Solutions. Improving Safety and Business Performance

ISACA rudens konference

Session 14: Functional Security in a Process Environment

White Paper. 7 Steps to ICS and SCADA Security. Tofino Security exida Consulting LLC. Contents. Authors. Version 1.0 Published February 16, 2012

Certification Report

Industrial Cyber Security 101. Mike Spear

Security Certification A critical review

Ernie Hayden CISSP CEH GICSP Executive Consultant

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

Seeing Though the Clouds

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

SCADA City of Raleigh. Martin Petherbridge, CPA, CIA Internal Audit Manager Shirley McFadden, CPA, CIA Senior Internal Auditor

Cyber Security Implications of SIS Integration with Control Networks

Cyber Security focus in ABB: a Key issue. 03 Luglio 2014, Roma 1 Conferenza Nazionale Cyber Security Marco Biancardi, ABB SpA, Power System Division

IT Security and OT Security. Understanding the Challenges

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Technical Security in Smart Metering Devices: A German Perspective S4 SCADA Security Scientific Symposium , Miami Beach FL / USA

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Secure Networks for Process Control

Certification Report

Industrial Control Systems Security Guide

Verve Security Center

PLCs and SCADA Systems

What Risk Managers need to know about ICS Cyber Security

Frequently Asked Questions (FAQ) Guidelines for quality compliance of. eprocurement System?

INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Cybersecurity Guidance for Industrial Automation in Oil and Gas Applications

Reducing Risk in Large-scale Process Automation Projects

Start building a trusted environment now... (before it s too late) IT Decision Makers

ISA CERTIFIED AUTOMATION PROFESSIONAL (CAP ) CLASSIFICATION SYSTEM

Security Testing in Critical Systems

Erik Johansson, , Virtualization in Control Systems Possibilities and Challenges

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

On the use of Honeypots for Detecting Cyber Attacks on Industrial Control Networks

Turbine Controls Update

AUTOMATION AND PROCESS CONTROL

Selecting Sensors for Safety Instrumented Systems per IEC (ISA )

Siemens Openlab Major Review. PLCs Security. October Author: Filippo Tilaro Supervised by: Brice Copy

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Safe Network Integration

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Certification Report

Document ID. Cyber security for substation automation products and systems

CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric

Implementation of Operator Authentication Processes on an Enterprise Level. Mark Heard Eastman Chemical Company

Introducing atsec information security. Helmut Kurth, Sal la Pietra and Staffan Persson

Industrial Security Solutions

WORKSHOP Rethinking Cyber Security for Industrial Control Systems

PI Server Security Best Practice Guide Bryan Owen Cyber Security Manager OSIsoft

Software Defined Networking - a new approach to network design and operation. Paul Horrocks Pre-Sales Strategist 8 th November 2012

Certification Report

Symphony Plus Cyber security for the power and water industries

The rocky relationship between safety and security

Frequently Asked Questions

Certification Report

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

Adobe Systems Incorporated

MCSE Core exams (Networking) One Client OS Exam. Core Exams (6 Exams Required)

NSA/DHS Centers of Academic Excellence for Information Assurance/Cyber Defense

SCADA Security Training

Cyber Security Design Methodology for Nuclear Power Control & Protection Systems. By Majed Al Breiki Senior Instrumentation & Control Manager (ENEC)

Wireless Process Control Network Architecture Overview

Cyber Security nei prodotti di automazione

A Security Specification Language (SSL) for Run-Time Policy Enforcement

PCN Cyber-security Considerations for Manufacturers. Based on Chevron Phillips Chemical Company PCN Architecture Design and Philosophy

TECHNICAL SPECIFICATION

ABB Automation Days, Madrid, May 25 th and 26 th, Patrik Boo What do you need to know about cyber security?

Industrial Communications Training

Transcription:

ISA Security Compliance Institute Andre Ristaino, Managing Director, ISCI 28 May 2013 CSSC 1 ISA Security Compliance Institute

agenda topics About ISA Security Compliance Institute (ISCI) About ISA 99 Standards 2013 ISCI Certification Programs: Embedded Device Security Assurance (EDSA) System Security Assurance (SSA) Security Development Lifecycle Assurance (SDLA) 2 ISA Security Compliance Institute

About ISCI Organization Consortium of Asset Owners, Suppliers, and Industry Organizations formed in 2007 under the ISA Automation Standards Compliance Institute (ASCI): Mission Establish a set of well-engineered specifications and processes for the testing and certification of critical control systems products Decrease the time, cost, and risk of developing, acquiring, and deploying control systems by establishing a collaborative industry-based program among asset owners, suppliers, and other stakeholders 3 ISA Security Compliance Institute

Internationally Accredited Conformance Scheme ISASecure certification programs are accredited as an ISO/IEC Guide 65 conformance scheme and ISO/IEC 17025 lab operations by ASI/ACLASS. Provides global recognition for ISASecure certification Independent CB accreditation by ASI/ACLASS and other global Accreditation Bodies such as JAB or UKAS ISASecure can scale on a global basis Ensures certification process is open, fair, credible, and robust. 4 4 ISA Security Compliance Institute

Global Adoption Information-technology Promotion Agency, Japan Translated ISASecure specifications to Japanese Setting up a test lab in Tagajo city Japan JAB is undertaking the lab accreditation process Promoting ISASecure as part of the Japanese critical infrastructure security scheme. 5 5 ISA Security Compliance Institute

ISCI Member Companies ISCI membership is open to all organizations Strategic membership Technical membership Government membership Associate membership Informational membership Member organizations Chevron exida ExxonMobil Honeywell IT Promotion Agency, Japan (IPA) Invensys RTP Corp. Siemens Yokogawa ISA99 Committee Liaison 6 ISA Security Compliance Institute

Key Global Challenges International Cybersecurity standards not yet complete. International baseline cybersecurity conformance scheme not fully adopted. eed Internationally recognized: 1 standard 1 conformance specification and test 1 certification mark 7 ISA Security Compliance Institute

About ISA99 Standards Systems Devices 8 ISA Security Compliance Institute

ISASecure Security Levels Composition of Assessments for Each Level LEVEL 3 LEVEL 2 Secure Development Lifecycle Assessment LEVEL 1 Secure Development Lifecycle Assessment Functional Security Assessment Secure Development Lifecycle Assessment Functional Security Assessment Functional Security Assessment Robustness Testing 9 ISA Security Compliance Institute

ISASecure Security Development Lifecycle Assurance (SDLA) 10 ISA Security Compliance Institute

SDLA Phases 1. Security Management Process 2. Security Requirements Specification 3. Security Architecture Design 4. Security Risk Assessment (Threat Model) 5. Detailed Software Design 6. Document Security Guidelines 7. Module Implementation & Verification 8. Security Integration Testing 9. Security Process Verification 10. Security Response Planning 11. Security Validation Testing 12. Security Response Execution 11 ISA Security Compliance Institute

Multiple Product Certification Security Development Lifecycle Assessment An organization s product development process is certified once per the SDLA requirements Security Development Artifacts Functional Security Assessment Security Development Artifacts Functional Security Assessment Individual products are assessed for artifacts to verify the certified SDLA process was followed. Robustness Testing Robustness Testing Product #1 Product #n 12 ISA Security Compliance Institute

ISASecure Embedded Device Security Assurance (EDSA) 13 ISA Security Compliance Institute

What is an Embedded Device? Special purpose device running embedded software designed to directly monitor, control or actuate an industrial process, examples: Programmable Logic Controller (PLC) Distributed Control System (DCS) controller Safety Logic Solver Programmable Automation Controller (PAC) Intelligent Electronic Device (IED) Digital Protective Relay Smart Motor Starter/Controller SCADA Controller Remote Terminal Unit (RTU) Turbine controller Vibration monitoring controller Compressor controller 14 ISA Security Compliance Institute

ISASecure EDSA Certification Program Embedded Device Security Assurance (EDSA) Software Development Security Assessment (SDSA) Functional Security Assessment (FSA) Detects and Avoids systematic design faults The vendor s software development and maintenance processes are audited for artifacts for DUT Ensures the organization follows a robust, secure software development process Detects Implementation Errors / Omissions A component s security functionality is audited against its derived requirements for its specified security level Ensures the product has properly implemented the security functional requirements Communications Robustness Testing (CRT) Identifies vulnerabilities in device networking capabilities A component s communication robustness is tested against communication robustness requirements Tests for vulnerabilities in the 4 layers of OSI Reference Model 15 ISA Security Compliance Institute

ISASecure EDSA Certified Devices Supplier Type Model Version ISASecure Level Honeywell Safety System Safety Manager R145 Level 1 RTP Corp. Safety System RTP 3000 A4.36 Level 2 Honeywell DCS Controller Experion C300 R400 Level 1 Honeywell Fieldbus Interface Experion FIM R400 Level 1 16 ISA Security Compliance Institute

ISASecure System Security Assurance (SSA) 17 ISA Security Compliance Institute

What is a System? An Industrial Control System (ICS) or SCADA system that is available from a single system supplier It may be comprised of hardware and software components from several manufacturers but must be integrated into a single system and supported, as a whole, by a single supplier 18 ISA Security Compliance Institute

Zones and Accessible etwork Interfaces TD TD Test Device: source for CRT or ST network traffic etwork stress tests; source TD connected to zone switch E1 External interface 1 C C-LA 1 Operator Consoles PROCESS OPERATIOS ZOE C En C Basic and load stress CRT; source TD connected to switch with exceptions noted in text Basic and load stress CRT; source TD at External Interface n TD E1 C E1 C SIS Engineering Workstation ` SIS LA PROCESS SAFETY ZOE TD TD C-LA 2 C-LA 2 Control System Server(s) Control System Engineering Workstation PROCESS COTROL ZOE ` C C FS-PES Control PES E2 C Extemal interface 2 TD 19 ISA Security Compliance Institute

ISASecure SSA Certification Program System Security Assessment (SSA) Security Development Lifecycle Assessment (SDLA) Functional Security Assessment (FSA) Ensures Security Was Designed-In The supplier s system development and maintenance processes are audited for artifacts to confirm security practices Ensures the system was designed following a robust, secure development process Ensures Fundamental Security Features are Provided A system s security functionality is audited against defined requirements for its target security level Ensures the system has properly implemented the security functional requirements Identifies Vulnerabilities in Actual Implementation System Robustness Testing (SRT) Structured penetration testing at all entry points including 3 types of testing: 1. Scan for known vulnerabilities (VIT) 2. Communication Robustness Testing (CRT) 3. etwork Stress Testing (ST) 20 ISA Security Compliance Institute

Typical changes driven by the certification process Review / update Secure Development Lifecycle Security training for development and test teams Security experts identified for each development location ew security documentation created Increased risk analysis and expanded threat modeling Expanded abuse case, DoS, and fuzz testing Tracking security issues / security impact of product issues 21 ISA Security Compliance Institute

Who to Contact to Certify Products 1. ISASecure EDSA Chartered Lab: exida John Cusimano Director of Security Services Phone: (215) 453-1720 Fax: (215) 257-1657 Email: jcusimano@exida.com Website: http://www.exida.com 2. Japan CSSC Accepting submissions for product certifications starting 2014. 22 ISA Security Compliance Institute

Who to contact for ISCI Membership Andre Ristaino Managing Director, ASCI Phone: 919-990-9222 Fax: 919-549-8288 Email: aristaino@isa.org Website: http://www.isasecure.org 23 ISA Security Compliance Institute

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information