
Security Levels in ISA-99 / IEC 62443

Summary

Assessment of the security protection of a plant
- A Security Protection Level has to be assessed in a plant in operation.
- A Protection Level requires both:
  - the fulfillment of the policies and procedures by the asset owner according to a Security Management System (Series 2), and
  - the fulfillment of a Security Level of the solution operated by the asset owner to control the plant (Series 3).
- Proposal:
  - Assess the fulfillment of the policies and procedures according to the CMMI model.
  - Assess the functional capabilities of the solution according to the SLs.
  - Define Protection Levels (PLs) as a combination of both.

Assessment of the security capabilities of control systems and components
- There is no direct relationship between Capability SLs as currently defined and component capability levels.
- There is no contribution of levels of the product development process to component capability levels.
- Proposal:
  - Control Systems: assess the functional capabilities according to the Capability SLs (already described in the SAL vector concept). No explicit requirements to the components.
  - Components: specify the product development requirements without any level; assess the fulfillment of the product development requirements according to the CMMI model; assess the functional capabilities of the component according to the Component Feature Levels; define Component Capability Levels (CCLs) as a combination of both.

Pierre Kobes



Outline
1. ISA-99 / IEC 62443 documents addressing policies and procedures vs. functional requirements
2. Assessment of protection levels of a plant
   - Solution vs. control system
   - Plant life cycle and product development
   - Requirements for the protection of a plant
   - The SLs concept is coherent for a solution and a control system
   - Proposal for Protection Levels (PLs)
3. Assessment of security capabilities of control systems and components
   - No direct relationship between capability SLs and Component Capability Levels (CCL)
   - No contribution of levels of the Product Development Requirements to the CCL
   - Proposal for Component Capability Levels (CCLs)
4. Summary of the ISA-99 / IEC 62443 documents relevant for the various assessment types



ISA-99 / IEC 62443 covers requirements on processes / procedures as well as functional requirements

The IEC 62443 / ISA-99 series is organized in four groups of documents:

General (definitions, metrics):
  1-1 Terminology, concepts and models
  1-2 Master glossary of terms and abbreviations
  1-3 System security compliance metrics

Policies and procedures (requirements to the security organization and processes of the plant owner and suppliers):
  2-1 Establishing an IACS security program
  2-2 Operating an IACS security program
  2-3 Patch management in the IACS environment
  2-4 Certification of IACS supplier security policies and practices (WIB M-2784 2.0)

System (requirements to a secure system):
  3-1 Security technologies for IACS
  3-2 Security assurance levels for zones and conduits
  3-3 System security requirements and security assurance levels

Component (requirements to secure system components):
  4-1 Product development requirements
  4-2 Technical security requirements for IACS products

The Series 2 documents and Part 4-1 address processes / procedures; the Series 3 documents and Part 4-2 address functional requirements.



2. Assessment of protection levels of a plant


A solution is a deployed control system to fulfill the protection requirements of a plant

- Plant environment: the Asset Owner specifies the required protection level of the plant (ISA-99 / IEC 62443 Part 3-2, Zones and Conduits). The System Integrator deploys the control system; the result is the Solution.
- Independent of the plant environment: the Product Supplier develops the Control System as a combination of PLCs, HMIs, PC devices, network devices and software (Part 3-3 System requirements, Series 4 Components).


All stakeholders are involved in the protection of the plant during the plant life cycle

(Diagram: life cycle phases and the deliverable of each phase.)
- Product development (Product Supplier): Control System as a combination of PLCs, network devices, HMIs, PC devices and software.
- Requirement specification (Asset Owner): required protection level of the plant.
- Project phases, System Design, FAT / SAT (System Integrator): Solution, i.e. project application, configuration, user management and security settings.
- Commissioning: solution deployment with its security settings.
- Operation / Maintenance (Asset Owner): plant operation with the solution, its security settings and the operational policies and procedures.


A Security Protection Level has to be assessed in a plant in operation

Protection Level:
- the Asset Owner has the appropriate policies and procedures in place (-> Security Management System, ISA-99 / IEC 62443 Series 2 Policies and Procedures) to operate a solution in a secure fashion,
+
- the Solution fulfills the functional capabilities required by the target protection level of the plant (-> Security Level, Series 3 System).

The asset owner operates the solution, and the solution controls the plant. A Protection Level requires fulfillment of the policies and procedures AND fulfillment of a Security Level of the solution.


An assessment of the protection level is mainly relevant in a plant in operation

(Diagram: life cycle phases and the deliverable of each phase.) The Protection Level is assessed in the Commissioning and Operation / Maintenance phases (Asset Owner), where the deliverables are the solution, its security settings and the operational policies and procedures (plant operation):
- the Solution fulfills the functional capabilities required by the target protection level of the plant (-> Security Level),
+
- the Asset Owner has the appropriate policies and procedures in place (-> Security Management System) to operate a solution in a secure fashion.


The concept of SL applies to a solution and a control system

IEC 62443 / ISA-99 Security Levels:
- SL 1: Protection against casual or coincidental violation
- SL 2: Protection against intentional violation using simple means
- SL 3: Protection against intentional violation using sophisticated means
- SL 4: Protection against intentional violation using sophisticated means with extended resources

- Solution (Part 3-2 Security assurance levels for zones and conduits): risk assessment, system architecture (zones, conduits), Target SLs, Achieved SLs.
- Control System (Part 3-3 System security requirements and security assurance levels): Capability SLs, control system features.

The concept of SL is coherent within Part 3-2 and Part 3-3:
1. Part 3-2: asset owner / system integrator define zones and conduits with target SLs.
2. Part 3-3: product supplier provides system features according to capability SLs.
3. In the project design phase capability SLs are deployed to match target SLs.

(Diagram: in the plant environment the required protection level of the plant leads, via risk assessment and the system architecture of zones and conduits, to target SLs and achieved SLs of the Solution (Part 3-2 Zones and Conduits). Independent of the plant environment, the Control System offers capability SLs through its control system features (Part 3-3 System requirements).)


The SL concept is applicable mainly in the design phase of the plant life cycle

(Diagram: life cycle phases and the deliverable of each phase.)
- Product development (Product Supplier): Control System with its capability SLs and control system features.
- Requirement specification: required protection level of the plant.
- Project phases, System Design, FAT / SAT (System Integrator): risk assessment, system architecture (zones, conduits), Target SLs and Achieved SLs; deliverable: Solution (project application, configuration, user management, security settings).
- Solution deployment: Solution with its security settings.


A protection level can only be assessed in a plant in operation

Protection Level:
- Asset Owner has the appropriate policies and procedures in place (-> Security Management System, ISA-99 / IEC 62443 Series 2 Policies and Procedures) to operate a solution in a secure fashion. Assessment type: assessment of a management system (e.g. ISO 9000, ISO 27000); CMMI levels are appropriate.
+
- Solution fulfills the functional capabilities required by the target protection level of the plant (-> Security Level, Series 3 System). Assessment type: assessment of solution capabilities; Security Levels are appropriate.


Proposal for the assessment of protection levels

Protection Level = (Asset Owner has the appropriate policies and procedures in place -> Security Management System, assessed as a CMMI level) + (Solution fulfills the functional capabilities required by the target protection level of the plant -> Security Level SL):

  PL1: CMMI >1  +  SL 1
  PL2: CMMI >2  +  SL 2
  PL3: CMMI >3  +  SL 3
  PL4: CMMI >3  +  SL 4



3. Assessment of security capabilities of control systems and components


Control system features are often realized by a combination of component features

- Control System (Part 3-3 System requirements): control system features -> (System) Capability SLs.
- Components (Part 4-2 Technical security requirements for IACS products): component features of PLCs, HMIs, PC devices, network devices and software -> Component Capability Levels.

Component features contribute to control system features, but there is no direct relationship between Component Capability Levels and (System) Capability SLs.


Example from Identification and Authentication Control: there is no direct relationship between Component Capability Levels and (System) Capability SLs

Extract of ISA-99.03.03, Draft 4 (the SL column of the slide assigns RE 1, RE 2 and RE 3 to SL 2, 3 and 4):
- SR 1.1: The control system shall provide the capability to identify and authenticate all users (humans, software processes and devices). This capability shall enforce such identification and authentication on all interfaces which provide access to the control system to support segregation of duties and least privilege in accordance with applicable security policies and procedures.
- SR 1.1 RE 1 (SL 2): The control system shall provide the capability to uniquely identify and authenticate all users (humans, software processes and devices).
- SR 1.1 RE 2 (SL 3): The control system shall provide the capability to employ multifactor authentication for human user access to the control system via an untrusted network (see 4.12, SR 1.10 Access via untrusted networks).
- SR 1.1 RE 3 (SL 4): The control system shall provide the capability to employ multifactor authentication for all human user access to the control system.

Control system (diagram): HMI on the trusted terminal bus, Server on the trusted system bus, Firewall, PLC.

The PLC has no user management. It has a managed communication to the HMI and can only be accessed via the HMI device. -> Regarding SR 1.1 the PLC has a low Component Capability Level.


Example from Identification and Authentication Control (continued)

Control system (diagram): HMI on the trusted terminal bus, Server on the trusted system bus, Firewall, PLC.

- Case 1: the HMI fulfills only SR 1.1. The PLC has no user management, has a managed communication to the HMI and can only be accessed via the HMI device. -> Regarding SR 1.1 the PLC has a low Component Capability Level.
- Case 2: the HMI fulfills SR 1.1 and RE 1 and has multifactor authentication. The PLC is unchanged: no user management, managed communication to the HMI, accessible only via the HMI device. -> Regarding SR 1.1 the PLC has a low Component Capability Level.

Different capability SLs can be realized with the same Component Capability Level of the PLC. A requested capability SL does not require a given / minimum Component Capability Level of the embedded devices.

There is no direct relationship between Component Capability Levels and (System) Capability SLs.
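The two cases above can be modelled in a few lines. The following Python is an added example, not part of the presentation and not a tool from ISA-99 / IEC 62443: it derives the SL a component or a control system achieves for SR 1.1 from the requirements it implements, and it encodes the slide's access-path argument (the PLC is reachable only through the HMI) as an assumption in `system_sl_for_sr_1_1`. The base requirement SR 1.1 is assumed to sit at SL 1; the SLs of the enhancements are the ones printed on the slide. The component names and the two HMI configurations are constructed from the cases on the slide.

```python
"""Added example: achieved SL for SR 1.1 of components vs. the control system."""
from __future__ import annotations

from dataclasses import dataclass, field

# SR 1.1 and its requirement enhancements with the SL each is assigned to.
# The base requirement at SL 1 is an assumption; RE 1..3 follow the slide.
SR_1_1_LEVELS = {
    "SR 1.1": 1,        # identify and authenticate all users
    "SR 1.1 RE 1": 2,   # unique identification and authentication
    "SR 1.1 RE 2": 3,   # multifactor authentication via untrusted networks
    "SR 1.1 RE 3": 4,   # multifactor authentication for all human access
}


def achieved_sl(implemented: set[str], levels: dict[str, int] = SR_1_1_LEVELS) -> int:
    """Highest SL for which every requirement at or below that SL is met.

    A gap at a lower level caps the result: implementing RE 3 without RE 1
    still leaves the component at SL 1 for this requirement.
    """
    sl = 0
    for req, level in sorted(levels.items(), key=lambda kv: kv[1]):
        if req not in implemented:
            break
        sl = level
    return sl


@dataclass
class Component:
    name: str
    implemented: set[str] = field(default_factory=set)
    # Components through which this one is exclusively reachable
    # (the slide's "managed communication to the HMI").
    reached_via: list[str] = field(default_factory=list)

    def ccl_for_sr_1_1(self) -> int:
        """Component Capability Level for SR 1.1 from its own features only (Part 4-2 view)."""
        return achieved_sl(self.implemented)


def system_sl_for_sr_1_1(system: dict[str, Component], target: str) -> int:
    """Capability SL the control system offers for SR 1.1 on access to `target` (Part 3-3 view).

    Modelling assumption: a component reachable only through other components
    inherits the authentication enforced on the weakest of those entry points,
    and never drops below what it enforces itself.
    """
    comp = system[target]
    own = comp.ccl_for_sr_1_1()
    if not comp.reached_via:
        return own
    weakest_path = min(system_sl_for_sr_1_1(system, via) for via in comp.reached_via)
    return max(own, weakest_path)


# Constructed HMI configurations for the two cases on the slide.
CASE_1_HMI = {"SR 1.1"}
CASE_2_HMI = {"SR 1.1", "SR 1.1 RE 1", "SR 1.1 RE 2"}  # "has multifactor authentication", read as RE 2


def evaluate_case(hmi_requirements: set[str]) -> tuple[int, int]:
    """Return (PLC Component Capability Level, system capability SL for access to the PLC)."""
    system = {
        "HMI": Component("HMI", set(hmi_requirements)),
        "PLC": Component("PLC", set(), reached_via=["HMI"]),  # no user management
    }
    return system["PLC"].ccl_for_sr_1_1(), system_sl_for_sr_1_1(system, "PLC")


if __name__ == "__main__":
    for label, hmi in (("Case 1", CASE_1_HMI), ("Case 2", CASE_2_HMI)):
        ccl, sl = evaluate_case(hmi)
        print(f"{label}: PLC CCL for SR 1.1 = {ccl}, system capability SL via HMI = {sl}")
```

In both cases the PLC's own level for SR 1.1 stays at 0, while the system-level SL follows the HMI (1 in case 1, 3 in case 2, 4 if the HMI also meets RE 3), which is exactly the slide's point that a capability SL does not fix a minimum CCL for the embedded device.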


Component Capability Levels are only defined by component features

- Component features (Part 4-2 Technical security requirements for IACS products) of PLCs, HMIs, PC devices, network devices and software -> Component Capability Levels.
- Product Development Levels? (Part 4-1 Product development requirements): product development levels don't contribute to Component Capability Levels.

-> Proposal: specify the product development requirements without levels and follow the CMMI approach.


Proposal for the assessment of Component Capability Levels

Component Capability Level = (Product Supplier has the appropriate policies and procedures in place -> Product Development Process to develop the product according to security requirements, assessed as a CMMI level) + (Component fulfills the functional capabilities required by the Component Capability Level -> Component (Security) Feature Level CFL):

  CCL1: CMMI >2  +  CFL 1
  CCL2: CMMI >2  +  CFL 2
  CCL3: CMMI >3  +  CFL 3
  CCL4: CMMI >3  +  CFL 4
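The Protection Level table of section 2 and the Component Capability Level table above have the same shape: a process maturity (CMMI) threshold combined with a functional level. The Python below is an added example, not from the presentation, that implements both tables with one rule. It assumes that the achieved level is the highest row whose two conditions both hold, that the ">n" printed on the slides is a strict comparison, and, for the solution side, that an achieved SL vector over the seven foundational requirements of IEC 62443-3-3 collapses to the SL of its weakest requirement. The zone vectors are constructed for the example.

```python
"""Added example: Protection Level and Component Capability Level from CMMI plus functional level."""
from __future__ import annotations

# Foundational requirements of the IEC 62443 SL vector.
FOUNDATIONAL_REQUIREMENTS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")

# CMMI thresholds copied from the two proposal tables: level n requires
# CMMI > threshold[n] (">n" as printed on the slide) AND functional level n.
PL_CMMI_THRESHOLDS = {1: 1, 2: 2, 3: 3, 4: 3}
CCL_CMMI_THRESHOLDS = {1: 2, 2: 2, 3: 3, 4: 3}


def combined_level(cmmi: int, functional: int, thresholds: dict[int, int]) -> int:
    """Highest level n with cmmi > thresholds[n] and functional >= n; 0 if no row holds.

    Reading assumption: rows are cumulative, so the first row that fails
    stops the climb even if a higher row would be satisfied on its own.
    """
    level = 0
    for n in sorted(thresholds):
        if cmmi > thresholds[n] and functional >= n:
            level = n
        else:
            break
    return level


def zone_achieved_sl(achieved: dict[str, int]) -> int:
    """Collapse an achieved SL vector (Part 3-2) to one SL: its weakest FR (assumption)."""
    missing = set(FOUNDATIONAL_REQUIREMENTS) - set(achieved)
    if missing:
        raise ValueError(f"SL vector incomplete, missing {sorted(missing)}")
    return min(achieved[fr] for fr in FOUNDATIONAL_REQUIREMENTS)


def target_gaps(target: dict[str, int], achieved: dict[str, int]) -> dict[str, int]:
    """FRs where the achieved SL is below the target SL, with the size of the gap."""
    return {
        fr: target[fr] - achieved[fr]
        for fr in FOUNDATIONAL_REQUIREMENTS
        if achieved[fr] < target[fr]
    }


def protection_level(cmmi: int, achieved: dict[str, int]) -> int:
    """PL of a plant in operation: asset-owner CMMI level + SL of the operated solution."""
    return combined_level(cmmi, zone_achieved_sl(achieved), PL_CMMI_THRESHOLDS)


def component_capability_level(cmmi: int, cfl: int) -> int:
    """CCL of a component: product-supplier CMMI level + Component Feature Level."""
    return combined_level(cmmi, cfl, CCL_CMMI_THRESHOLDS)


# Constructed zone vectors for the example (target from Part 3-2, achieved by the solution).
TARGET = {"IAC": 3, "UC": 3, "SI": 2, "DC": 2, "RDF": 2, "TRE": 2, "RA": 2}
ACHIEVED = {"IAC": 3, "UC": 3, "SI": 3, "DC": 2, "RDF": 2, "TRE": 2, "RA": 2}


if __name__ == "__main__":
    print("gaps vs. target:", target_gaps(TARGET, ACHIEVED) or "none")
    for cmmi in (2, 3, 5):
        print(f"asset owner CMMI {cmmi}: PL{protection_level(cmmi, ACHIEVED)}")
    print("supplier CMMI 3, CFL 2:", f"CCL{component_capability_level(3, 2)}")
    print("supplier CMMI 2, CFL 4:", f"CCL{component_capability_level(2, 4)}")
```

Two things the tables imply become visible when run: a solution whose weakest foundational requirement sits at SL 2 cannot exceed PL2 however mature the asset owner is, and a feature-rich component (CFL 4) from a supplier at CMMI 2 reaches no CCL at all because the first row already fails.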



4. Summary of the ISA-99 / IEC 62443 documents relevant for the various assessment types


ISA-99 / IEC 62443 documents relevant for the assessment of the protection of a plant

Assessment of the protection of a plant according to Protection Levels.

(Diagram: the document overview of section 1, General 1-1 to 1-3, Policies and procedures 2-1 to 2-4, System 3-1 to 3-3, Component 4-1 and 4-2, with the documents relevant for this assessment marked.)


ISA-99 / IEC 62443 documents relevant for the assessment of the control system functional capabilities

Assessment of the functional capabilities of a control system according to Capability SLs.

(Diagram: the document overview of section 1 with the documents relevant for this assessment marked.)


ISA-99 / IEC 62443 documents relevant for the assessment of the component functional capabilities

Assessment of the functional capabilities of components according to Component Capability Levels.

(Diagram: the document overview of section 1 with the documents relevant for this assessment marked.)