ISA Standards and Practices
Industrial Automation and Controls Systems Cybersecurity
The ISA99 Committee and the 62443 Standards
February 2018 Copyright © ISA – All Rights Reserved
Purpose
Introduce the ISA99 committee and the ISA/IEC 62443 series of standards on Industrial Automation and Control Systems Security.
Topics
• Who are we?
• How do we work?
• What are the basics?
• What are our work products?
• Where do things stand?
Who are we?
ISA99 Committee
The International Society of Automation (ISA) Committee on Security for Industrial Automation & Control Systems
Almost 900 members from around the world
Our Scope
“… industrial automation and control systems whose compromise could result in any or all of the following situations:
– endangerment of public or employee safety
– environmental protection
– loss of public confidence
– violation of regulatory requirements
– loss of proprietary or confidential information
– economic loss
– impact on entity, local, state, or national security”
Industry Contribution and Application
• Reflects expertise from many sectors, including:
– Chemical Processing
– Oil and Gas
– Food and Beverage
– Energy
– Pharmaceuticals
– Water
– Manufacturing
– ICS suppliers
How Do We Work?
ISA99 and ISA/IEC 62443
• ISA/IEC 62443 is a series of standards being developed by two groups:
– ISA99 ANSI/ISA-62443
– IEC TC65/WG10 IEC 62443
• In consultation with:
– ISO/IEC JTC1/SC27 ISO/IEC 2700x
Partners for Related Topics
• Process Safety (ISA84, IEC TC65)
• Wireless Communications (ISA100)
• Intelligent Device Management (ISA108)
• Medical Device Security (MDISS)
• Certification (ISCI)
• Communications & Advocacy (Automation Federation)
• Security Framework (NIST)
[Diagram label: IACS Security]
The Basics
• General Concepts
• Fundamental Concepts
• Foundational Requirements
General Concepts
• Security Context
• Security Objectives
• Least Privilege
• Defense in Depth
• Threat-Risk Assessment
• Supply Chain Security
Source: ISA-62443-1-1, 2nd Edition (Under development)
Fundamental Concepts
• Principal Roles
• Life Cycles
• Zones and Conduits
• Security Levels
• Maturity Assessment
• Security and Safety
Source: ISA-62443-1-1, 2nd Edition (Under development)
Principal Roles
• Product Supplier (PS)
• Integration Provider (IP)
• Asset Owner (AO)
• Maintenance Provider (MP)
• Service Provider (SP)
• System Operator (SO)
• Regulatory Authority (RA)
• Compliance Authority (CA)
Life Cycles
[Figure, based on VDI 2182. Life-cycle phases: Product Development; Integration / Commissioning; Operation & Maintenance. Roles: Product Supplier; System Integrator; Asset Owner. Other labels: Security Documentation; Security Guidelines; Security Support; Requirements.]
Zones and Conduits
• A means for defining…
– How different systems interact
– Where information flows between systems
– What form that information takes
– What devices communicate
– How fast/often those devices communicate
– The security differences between system components
• Technology helps, but architecture is more important
Security Levels
Protection against…
Maturity Assessment
• A means of assessing capability
• Similar to Capability Maturity Models
– e.g., SEI-CMM
• An evolving concept in the standards
– Applicability to IACS-SMS
Security and Safety
• Safety is much of the reason for security
– Presenting consequences
• Much to be learned from the safety community
• Collaboration
– ISA99-ISA84 joint effort
– IEC TC65 work group 20
– ISA Safety and Security Division
Foundational Requirements
• FR 1 – Identification & authentication control
• FR 2 – Use control
• FR 3 – System integrity
• FR 4 – Data confidentiality
• FR 5 – Restricted data flow
• FR 6 – Timely response to events
• FR 7 – Resource availability
Work Products
The ISA-62443 Series
General Information
• 62443-1-1
– Concepts and Models
• 62443-1-2
– Master Glossary
• 62443-1-3
– Security Compliance Metrics
• 62443-1-4
– Lifecycle & Use Cases
• 62443-1-5
– Protection Levels
Program Definition
• 62443-2-1
– Security Management System
• 62443-2-2
– Implementation Guidance
• 62443-2-3
– Patch Management
• 62443-2-4
– Requirements for Solution Suppliers
System Security
• 62443-3-1
– Security Technologies
• 62443-3-2
– Risk Assessment and System Design
• 62443-3-3
– System Requirements and Security Levels
Component Security
• 62443-4-1
– Product Development Requirements
• 62443-4-2
– Technical Requirement for Components
What is Happening
Current Activity
• 62443-1-1 (2nd Edition)
– Preparing a draft for comment
• 62443-1-2
– Recently circulated as a draft for comment
• 62443-1-4
– Case studies being identified by WG10
• 62443-1-5
– Introduces the potential concept of “Protection Levels”
– Recently circulated as a draft for comment
Current Activity
• 62443-2-1 (2nd Edition)
– Alignment with ISO 27001:2013
– Recently circulated as a draft for comment
• 62443-2-3
– Technical report published in July 2015
– Under revision to elevate to a standard
• 62443-2-4
– Published by IEC, adopted by ISA99
Current Activity
• 62443-3-1
– Technical report on risk management being rewritten as a standard
• 62443-3-2
– Committee Draft for Vote (CDV) approved by ISA voting members
– IEC vote pending
Current Activity
• 62443-4-1
– Approved by ISA and IEC
• 62443-4-2
– Soon to be submitted as a Final Draft Standard to ISA and IEC
Review
✓ Who are we?
✓ How do we work?
✓ What are the basics?
✓ What are our work products?
✓ Where do things stand?
Conclusion
More Information…
• ISA99 committee page: http://www.isa.org/isa99
• Twitter: @ISA99Chair
• Committee Co-Chairs: [email protected]
– Eric Cosman
– Jim Gilsinn
• Managing Director
– Joe Weiss
• ISA Staff Contact
– Eliana Brazda [email protected]
Please provide contact information & area of expertise or interest
Questions