1 iec-62443 application to iiot
TRANSCRIPT
IEC-62443 Application to IIoT
1
About the Speaker
Kevin Staggs
Senior Fellow
Kevin Staggs possesses over 43 years of experience in hardware, software and systems engineering at Honeywell with 39 years focused on control systems. Mr. Staggs has been driving product cybersecurity development since 1996. Mr. Staggs is currently a Senior Fellow in Honeywell’s Advanced Connected Technology Solutions organization and serves as a cybersecurity consultant to Honeywell’s product development organizations. Mr. Staggs currently serves as co-chairperson of ISA99 working group 4 and is also the technical Chairman of the ISA Security Compliance Institute - a non-profit organization seeking to improve ICS security through standards compliance.
2
Agenda ISA and ISA-99
IEC 62443 Overview
ISA-99 Working Group 9
IIoT Certification Study
Summary
3
ISA4
ISA99 Global Standards Committee
The ISA99 committee was formed in 2002 – works closely with technical committee 65 of the International Electrotechnical Commission (IEC).
ISA/IEC 62443 standards contain over 500 normative requirements and associated rationale that address all phases of the system life cycle,
The committee has over 1,000 volunteer members, representing a wide range of industry sectors and constituency groups from all areas of the world.
The ISA99 committee includes formal and informal liaison relationships with other standards development organizations, consortia and interest groups such as IEC, OPAF, NAMUR, WIB, NIST, DHS, INL, ISASecure, and ISAGCA.
The ISA99 committee desires to engage with sector, industry, government and company programs in their efforts to address automation systems cybersecurity. Contact the committee leadership at [email protected].
5
ISA-99 Committee
Responsible for creation of the majority of 62443 standards and technicalreports
Comprised of multiple working groups and task groups
All work coordinated by Working Group 5
Working Group 9 (WG9) formed to address IIoT The group Is focused on cybersecurity of IoT within industrial usage
Membership in the group is open to members of ISA-99 committee
6
IEC 62443 Standards Family
7
General Principles
Security Context Security Objectives Response Elements (People, Process Technology) Risk-Based Approach Compensating Countermeasures Least Privilege Defense in Depth Supply Chain Security Security and Safety
Source: ISA-62443-1-1, 2nd Edition (Under development)
8
8
Fundamental Concepts
System Taxonomy Principal Roles Life Cycles and Processes Zones and Conduits Security Levels Maturity Security Program Rating
9
Source: ISA-62443-1-1, 2nd Edition (Under development)
ISA99-WG9 Addressing IIoT
The group will analyze the specific characteristics of the IIoT in terms of threats, attack surface and vulnerabilities, and examine whether the approach developed by the ISA99 committee for securing IACS is appropriate and sufficient for IIoT. In particular, it will examine the content to be given to the concept of "secure by design" objects, as a prelude to a possible certification. It will examine the arrangements to be made to secure the architectures, either in a centralized or decentralized approach, classifying data transmitted from the perspective of inherent risk, and to detect any anomalies.
10
Early work identified some concerns
Proliferation of communications with IIoT Proliferation of applications at lower levels of the control system architecture New, and unanticipated, movement of data Lack of controls for new functions
Lack of application controls Inadequate identity management Lack of tools for management
Leading to: Potential lack of trustworthiness Potential loss of control and visibility over automated systems
11
Current Activities
Development of a Technical Report on IIoT cybersecurity The report is technical guidance in the application of the requirements of IEC 62443 to
cybersecurity of IIoT
It is written predominantly for asset owners and integrators Although service providers and vendors may find it useful
Will present information on how the requirements of the IEC 62443 can be applied in the introduction of IIoT into assets.
Currently in first draft within the working group
12
Current Activities - 2
A TR is NOT a standard Recommendations or permission
No requirements
The report will not define IIoT
13
How we got here
WG9 was formed to determine if IEC 62443 could be used to address the cybersecurity of IIoT
The WG created a use case and considered whether IEC 62443 provided sufficient requirements The use case was developed to be extreme
The WG decided that IEC 62443 did have sufficient requirements, but it was unclear how to apply them Examples
Securing multi-functional devices
How to work with IIoT with cloud-based functionality
14
IIoT Certification Study
Various certification laboratories offer IACS product certifications to 62443-4-2 (component) and 62443-3-3 (system)
Asset owners seeing IIoT deployments Unsure of sufficiency of existing product certification programs Creating their own procurement criteria Prefer industry-vetted, standards-based product certification Urgent need Key new factor is direct connection to Internet
ISA-99 WG9 working on technical report on application of 62443 to IIoT ISAGCA and ISCI (ISA Security Compliance Institute) joint study to accelerate availability of vetted IIoT
certification based on 62443 Identify any gaps in 62443 certification programs Recommend next steps for creation of IIoT certification programs
To follow progress of ISA-99 WG9 IIoT and contribute study results
15
Overall approach
Definition - candidate gap: Something that might be missing in existing certification programs, to be able to meaningfully certify IIoT under 62443
1. Find candidate gaps by reviewing industry sources on topic of IoT/IIoT security Leverage large body of existing studies and other efforts
2. Find and categorize candidate gaps considering Map to 62443
Map to existing certification criteria
3. Identify next steps for addressing gaps as appropriate In standard
In certification programs
16
Status
Initial scope IIoT devices and gateways, find gaps with respect to 62443-4-2 certification Fully outsourced IIoT systems
Results to date - for IIoT devices and gateways Reviewed 6 industry sources for IoT/IIoT security Many requirements found already in 62443-4-2
Many start at capability security levels (SL-C) >=2 Some gaps identified Outlined certification criteria In-progress, opinions here not yet formally those of ISAGCA/ISCI
17
Status
Next stepsReport draft underway Team reviewSystem level study
18
Scope of study for components = IIoT devices and gateways
19
IIoT gateway(network device
and software application)
Firewall (network device)
Historian (software
application)
PLC (embedded
device)
IIoT device(embedded
device)
IIoT device(embedded
device)
Other IACS components (may or may not connect to IIoT gateway, no direct Internet connection)
IIoT devices
IIoT gateway, directly connected to the Internet
Industry sources analyzed against 62443-4-2
1. Any candidate gaps from WG92. Any candidate gaps from ISAGCA/ISCI IIoT team3. Microsoft seven properties of highly secure devices4. Industrial Internet Consortium Reference Architecture and Security Framework 5. ENISA Baseline Security Recommendations for IoT in the context of Critical Information
Infrastructures (2017)6. IoT Cybersecurity Certification Program’ which was announced by CTIA, a US wireless
industry association, in August 2018 https://www.ctia.org/news/ctia-iot-cybersecurity-certification-program-certifies-first-device https://www.ctia.org/news/wireless-industry-announces-internet-of-things-cybersecurity-certificationprogram, test plan at https://www.ctia.org/certification-resources
7. NISTIR 8259A IoT Device Cybersecurity Capability Core Baseline 8. NIST catalog of IoT device cybersecurity capabilities - https://pages.nist.gov/FederalProfile-
8259A/
20
How to get involved
Join ISA-99 WG9 and contribute to writing and reviewing the technical report You do not need to be a member of ISA to participate
Contact Eliana Brazda at [email protected]
Join ISASecure or ISA-GCA to contribute to certification study
Join ISA-GCA
21
ISA Global Cybersecurity Alliance
Bridge the gap between publication of the 62443 standards and adoption by stakeholders.
Awareness & Outreach Advocacy & Adoption Compliance & Prevention Training & Education
Launched July 2019
25 members in 2nd half 2019; add 50 more in 2020
Added industry groups – LOGIIC, ISASecure, ISA99; in discussion with others
Globalize - Establish regional teams for outreach activities and regulatory tracking (NA, EU, Japan, MEA) in 2020
Complete 8 key projects in 2020
22
ISA-GCA Member Companies23
ISASecure
Globally recognized ISA/IEC 62443 certification brand
Started in 2007, first certification in 2011 Eight certification global bodies in EU, ASEAN, Japan, USA, Canada Certifies systems, components, development organizations Promotes adoption of ISA/IEC 62443 standards in
collaboration with ISAGCA and ISA99 standards committee OPAF agreement to use ISASecure scheme for assessing prototype components Can certify IOT components/devices today New certifications in development
1) IIOT system certification
2) facility certification for building management systems (BMS).
24
ISASecure supporters past and present
YPF Trust CB
25
Summary
• Applicability of IEC-62443 to IIot is a work in progress• Contributors to the work are needed
• ISA-99 WG9 for the technical report
• ISASecure for certification report
• ISA-GCA for promotion and adoption of ISA-62443
26
Contacts and information
• For ISA-99 (IEC/ISA-62443):• https://www.isa.org/isa99• Contact Eliana Brazda at [email protected] or ISA-99 chairs at
• For ISA-GCA:• https://isaautomation.isa.org/cybersecurity-alliance/• Contact Andre Ristaino at [email protected]
• For ISASecure:• https://isasecure.org/en-US/• Contact Andre Ristaino at [email protected]
27
Thank you