
Upload: emma-nichols

Post on 18-Dec-2015



Validating the Security Assurance of Industrial Automation Products

Andre Ristaino, ASCI Managing Director

Andre Ristaino, ASCI Managing Director (ISA)

Graham Speake, Principal Systems Architect, Yokogawa

John Cusimano, Director of Security Services, Exida

ICSJWG Spring 2011

ISASecure™

www.isasecure.org

www.ansi.org/isasecure


Agenda

• ISA Security Compliance Institute (ISCI) Organization

• ISASecure Embedded Device Security Assurance Program

• Program benefits

• Who to contact for more information

• Questions

ISA Security Compliance Institute (ISCI) Organization

An ISA-Owned Organization

ISA
• Automation Standards Compliance Institute (ASCI) interest groups:
  – ISA Security Compliance Institute
  – Industrial Interoperability
  – Wireless
  – Other Interest Groups
• ISCI structure: Governing Board, Technical Steering Committee, Working Groups

2011 ASCI Board of Directors

• Chairman, ISA Past President (Nelson Ninin)
• Vice Chairman, ISA VP Standards/Practices (Donald Dunn)
• Secretary, ISA Executive Director (Pat Gouhin)
• At Large, legal counsel (Hugh Webster)
• ISA Treasurer (Jim Keaveney)
• At Large, Compliance Expert (Michael Hamm)
• Designated Senior ISA Staff Director (vacant for 2010)

ISA Security Compliance Institute (ISCI)

Who We Are
Consortium of Asset Owners, Suppliers, and Industry Organizations formed in 2007 under the ISA Automation Standards Compliance Institute (ASCI)

Mission
Establish a set of well-engineered specifications and processes for the testing and certification of critical control systems products

Decrease the time, cost, and risk of developing, acquiring, and deploying control systems by establishing a collaborative industry-based program among asset owners, suppliers, and other stakeholders

ISCI Member Companies

• ISCI membership is open to all organizations
  – Strategic membership level
  – Technical membership level
  – Informational membership level

• Current membership
  – Chevron
  – Egemin
  – exida
  – ExxonMobil
  – Honeywell
  – Invensys
  – Siemens
  – Yokogawa
  – ISA99/ISCI Joint Working Group Liaison

ISASecure Designation

• Trademarked designation that provides instant recognition of product security characteristics and capabilities.

• Independent Industry stamp of approval.

• Similar to ‘Safety Integrity Level’ Certification (ISO/IEC 61508).

ANSI/ACLASS Accredited Conformance Scheme

ISASecure Embedded Device Security Assurance (EDSA) certification is accredited as an ISO/IEC Guide 65 conformance scheme by ANSI/ACLASS. This includes both ISO/IEC 17025 and ISO/IEC 17011.

Go to www.ansi.org/isasecure for details.

1. Provides global recognition for ISASecure certification
2. Independent CB (certification body) accreditation by ANSI/ACLASS
3. ISASecure can scale on a global basis
4. Ensures the certification process is open, fair, credible, and robust

Why Do We Need Secure Devices

• Increased Industrial Control System exploits and attacks
  – Stuxnet
  – Nearly 40 exploits released recently
• Hacker conferences starting to have control system tracks
  – Black Hat
  – Hacker Halted
• Control systems using standard IT devices

ISASecure Certification Specification Process

• ISCI board defines scope and work process
• Technical steering committee manages working groups who draft specifications
• Specifications reviewed by external 3rd party if required
• Voted and approved by full ISCI voting membership
• Approved specifications adopted by ISCI Governing Board and posted on website
• Specifications developed to date have been donated to ISA for submission to the ISA99 Standards Committee

ISASecure Supplier Device Approval Process

• Supplier submits device to ANSI/ACLASS chartered lab
• Chartered lab completes three-part assessment
  – Physically evaluates device for functional security (FSA)
  – Conducts communication robustness test (CRT) using ISCI-approved test tool
  – Completes supplier audit (SDSA) on software development practices
• Chartered lab issues final assessment report and certification upon successful test and audit

ISA 99 Work Products

ISCI Program Outreach

• Website www.isasecure.org

• ISASecure EDSA Certification Specifications and Program Definition Documents Approved and posted for public access at www.isasecure.org

• ISCI Board donated EDSA FSA and SDSA technical specification to ISA-99 Committee via ISA99-ISCI Joint Working Group

• Webinar Series throughout 2011

ISASecure Embedded Device Security Assurance Program

Embedded Device

• Special purpose device running embedded software designed to directly monitor, control or actuate an industrial process
• Examples:
  – Programmable Logic Controller (PLC)
  – Distributed Control System (DCS) controller
  – Safety Logic Solver
  – Programmable Automation Controller (PAC)
  – Intelligent Electronic Device (IED)
  – Digital Protective Relay
  – Smart Motor Starter/Controller
  – SCADA Controller
  – Remote Terminal Unit (RTU)
  – Turbine controller
  – Vibration monitoring controller
  – Compressor controller

Embedded Device Security Assurance Certification

Software Development Security Assurance (SDSA): detects and avoids systematic design faults
• The vendor’s software development and maintenance processes are audited
• Ensures the organization follows a robust, secure software development process

Functional Security Assessment (FSA): detects implementation errors / omissions
• A component’s security functionality is audited against its derived requirements for its target security level
• Ensures the product has properly implemented the security functional requirements

Communications Robustness Testing (CRT): identifies vulnerabilities in networks and devices
• A component’s communication robustness is tested against communication robustness requirements
• Tests for vulnerabilities in the 4 layers of the OSI Reference Model

Integrated Threat Analysis (ITA): provides a common perspective on how threat scenarios can be sufficiently covered
• Documents the expected resistance of the system to potential threat agents and threat scenarios
• Clearly documents expected user measures versus inherent product protection measures

ISASecure Levels

Each certification level (Level 1, Level 2, Level 3) combines Communication Robustness Testing, Software Development Security Assessment and Functional Security Assessment; the number of SDSA and FSA requirements that must be met grows with the level.

Requirements Necessary to Achieve Certification Levels

                Level 1   Level 2   Level 3   Total Count in Specification
SDSA            130       149       170       170
FSA             20        49        82        82
CRT             All       All       All       CRT Common Specification plus all 6 Protocol CRT Specifications

Communications Robustness Test (CRT)

• Measures the extent to which network protocol implementations on an embedded device defend themselves and other device functions against unusual or intentionally malicious traffic received from the network.

• Inappropriate message response(s), or failure of the device to continue to adequately maintain essential services, demonstrate potential security vulnerabilities within the device.

• Common CRT Requirements (EDSA-310)

Communication Robustness Testing

• Ethernet (EDSA-401)
• ARP (EDSA-402)
• IPv4 (EDSA-403)
• ICMP (EDSA-404)
• UDP (EDSA-405)
• TCP (EDSA-406)
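The property CRT is looking for is, at bottom, a protocol stack that refuses inconsistent input before acting on it and keeps serving while it does so. The Python below is an added example written for this page; it is not code from the presentation, from ISCI, or from any CRT test tool, and it does not implement the EDSA-403 test itself. It shows the receiving side of the IPv4 case: a header parser that checks version, IHL, total length and checksum before any field is trusted, run over a handful of constructed frames (well-formed, truncated, undersized IHL, corrupted checksum, wrong version nibble). The frame builder, the addresses and the payload are all constructed for the example.

```python
import socket
import struct


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:                       # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class MalformedPacket(ValueError):
    """Raised for any header the receiver refuses to act on."""


def parse_ipv4_header(frame: bytes) -> dict:
    """Parse an IPv4 header, checking every length and the checksum before a field is used."""
    if len(frame) < 20:
        raise MalformedPacket("shorter than the 20-byte minimum header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes
    if version != 4:
        raise MalformedPacket(f"version {version} is not IPv4")
    if ihl < 20:
        raise MalformedPacket(f"IHL of {ihl} bytes is below the minimum")
    if ihl > len(frame):
        raise MalformedPacket("IHL points past the end of the frame")
    if total_len < ihl:
        raise MalformedPacket("total length is smaller than the header length")
    if total_len > len(frame):
        raise MalformedPacket("total length exceeds the bytes received (truncated frame)")
    if ones_complement_checksum(frame[:ihl]) != 0:   # a valid header sums to zero
        raise MalformedPacket("header checksum mismatch")
    return {
        "ttl": ttl,
        "protocol": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "payload": frame[ihl:total_len],     # bytes beyond total_len are link-layer padding
    }


def build_ipv4_frame(src: str, dst: str, payload: bytes, ihl_words: int = 5) -> bytes:
    """Constructed frame builder for the sample input (not a CRT tool).
    The checksum always covers 20 bytes, so ihl_words != 5 deliberately yields a bad header."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl_words, 0, ihl_words * 4 + len(payload),
                      0x1234, 0x4000, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ones_complement_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


# Constructed sample frames: one well-formed, four with a single inconsistency each.
PAYLOAD = bytes(8)                           # stands in for an 8-byte UDP datagram
GOOD = build_ipv4_frame("10.0.0.1", "10.0.0.2", PAYLOAD)
SAMPLE_FRAMES = {
    "well_formed": GOOD,
    "truncated": GOOD[:20],                                   # length field promises 28 bytes
    "short_ihl": build_ipv4_frame("10.0.0.1", "10.0.0.2", PAYLOAD, ihl_words=3),
    "bad_checksum": GOOD[:10] + bytes([GOOD[10] ^ 0xFF]) + GOOD[11:],
    "not_ipv4": bytes([0x65]) + GOOD[1:],                     # version nibble says 6
}


def classify_frames(frames: dict) -> dict:
    """Run every frame through the parser; the loop itself must survive each rejection."""
    verdicts = {}
    for name, frame in frames.items():
        try:
            parse_ipv4_header(frame)
            verdicts[name] = "accepted"
        except MalformedPacket as err:
            verdicts[name] = f"rejected: {err}"
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify_frames(SAMPLE_FRAMES).items():
        print(f"{name:<13} {verdict}")
```

The ordering of the checks is the point: each length is validated against the bytes actually received before it is used to slice or to bound the checksum, so a frame that lies about its own size is rejected by an exception the caller handles rather than by an out-of-range read, and the service loop carries on to the next frame.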

Functional Security Assessment (FSA)

Security Feature Tests

Purpose:
– Verification and validation that the device or system under test incorporates a minimum set of security features needed to counteract common security threats

Composition:
– Set of requirements, derived from existing reference standards and traceable to source standard
– One or more acceptable solutions (countermeasures) identified for each requirement
– If applicable, procedures to verify the requirement has been satisfied

Functional Security Assessment

Structure of FSA Requirements

• Access Control: user authorization, user authentication, system use notification, session locking/termination
• Use Control: device authentication, audit trail
• Data Integrity: data in transit, data at rest
• Data Confidentiality: data in transit, data at rest, crypto
• Restrict Data Flow: information flow enforcement, application partitioning, function isolation
• Timely Response to Event: incident response
• Network Resource Availability: denial of service protection, backup & recovery

Software Development Security Assessment

Secure Software Engineering

Purpose:
– Verification and validation that software for the device or system under test was developed following appropriate engineering practices to minimize software errors that could lead to security vulnerabilities

Composition:
– Set of requirements, derived from existing reference standards and traceable to source standard (IEC 61508, ISO/IEC 15408)
– One or more acceptable arguments identified for each requirement

Software Development Security Assessment

Security Development Lifecycle

EDSA Certification Process

Typical Chartered Lab Level of Effort in Man Weeks

Step                                                Level 1       Level 2       Level 3
1. CRT test all accessible TCP/IP interfaces        1 – 2 weeks   1 – 2 weeks   1 – 2 weeks
2. Perform FSA on device and all interfaces         < 1 week      1 week        1 – 2 weeks
3. Audit supplier’s software development process    1 week        1 – 2 weeks   1 – 2 weeks
4. Perform ITA and issue report                     1 week        1 week        1 week
Total                                               3 – 5 weeks   4 – 6 weeks   4 – 10 weeks

Why ISASecure?

Benefits

End-user
• Easy to specify
• Build security requirement into RFP
• Reduced time in FAT/SAT
• Know security level out of the box

Supplier
• Evaluated once
• Recognition for effort
• Build in security
• Product differentiator

Who to contact for more information

Who to Contact to Certify Products

ISASecure EDSA Chartered Lab

exida

John Cusimano

Director of Security Services

Phone: (215) 453-1720

Fax: (215) 257-1657

Email: [email protected]

Website: http://www.exida.com


Who to contact for CRT Test Tool

http://www.wurldtech.com

Wurldtech Security Technologies, Inc.

Greg Maciel

Achilles Sales Manager

Phone: (949) 300-4040

Email: [email protected]


Who to contact for ISCI Membership

Andre Ristaino

Managing Director, ASCI

Direct Phone: 919-990-9222

Fax: 919-549-8288

Email: [email protected]

Website: http://www.isasecure.org

Q&A

Questions?

FAQ’s

1. Who will perform ISASecure certification assessment and testing?

ANSI/ACLASS accredits organizations (called “chartered labs”) to perform ISASecure certification evaluations. ISCI will also recognize test platforms designed to perform communication robustness testing for use by these organizations and by device vendors in preparation for certification.

2. Who will grant ISASecure certifications?

The chartered labs will register ISASecure certified devices when the device has passed the ISASecure certification requirements. ISCI will publish a list of certified products on its web site.

3. Describe the First ISASecure certification that will be available.

The ISASecure Embedded Device Security Assurance Certification is the first certification offered. The certification will include all three certification elements: software development security assessment, functional security assessment, and communication robustness testing.

4. How were the ISASecure certification criteria developed?

The ISASecure effort has leveraged the substantial existing work in general cyber security and process control system cyber security. The SDSA and FSA criteria are aligned wherever possible with draft work products of the ISA SP-99 committee.

SDSA Specification Development

The Software Development Security Assessment requirements are ultimately traceable to requirements in the following source documents:

Reference Standards for Software Development Security Assessment

[N4] ISO/IEC 15408-1 through 15408-3, Information technology — Security techniques — Evaluation criteria for IT security — Part 1 through Part 3
[N6] IEC 61508 Part 3, Functional safety of electrical/electronic/programmable electronic safety-related systems: Software Development
[N7] RTCA/DO-178B, Software Considerations in Airborne Systems and Equipment Certifications
[N8] ISBN-13: 978-0735622142, The Security Development Lifecycle, M. Howard, S. Lipner, Microsoft Press (June 28, 2006)
[N9] OWASP CLASP (Comprehensive, Lightweight Application Security Process)

The Functional Security Assessment requirements are ultimately traceable to requirements in the following source documents:

Functional Security Assessment Reference Standards

[N1] ISA-99.01.03D2-20090527, Security for Industrial Automation and Control Systems: System Security Requirements and Security Assurance Levels (ISA-99.01.03)
[N2] NERC Standards CIP-001-1 through CIP-001-9, North American Electric Reliability Council Cyber Security Standards
[N3] NIST 800-53, Recommended Security Controls for Federal Information Systems
[N4] ISO/IEC 15408-1 through 15408-3, Information technology — Security techniques — Evaluation criteria for IT security — Part 1 through Part 3
[N5] Department of Homeland Security: Catalog of Control Systems Security: Recommendations for Standards Developers

5. Will a vendor that has already obtained a certification for a device be allowed to submit those results for the ISASecure certification?

Yes. ISCI has identified specific certifications from which pre-existing artifacts may be offered as evidence for meeting specific certification requirements in the ISASecure specification.

For example, an organization that has already received an IEC 61508 certification for a device may submit artifacts on its software development practices to satisfy specific requirements in the ISASecure Software Development Security Assurance specification section of the EDSA certification.