Summary
Assessment of the security protection of a plant
- A Security Protection Level has to be assessed in a plant in operation.
- A Protection Level requires both:
  - the fulfillment of the policies and procedures by the asset owner according to a Security Management System (Series 2), and
  - the fulfillment of a Security Level of the solution operated by the asset owner to control the plant (Series 3).
- Proposal:
  - Assess the fulfillment of the policies and procedures according to the CMMI model.
  - Assess the functional capabilities of the solution according to the SLs.
  - Define Protection Levels (PLs) as a combination of both.

Assessment of the security capabilities of control systems and components
- There is no direct relationship between Capability SLs as currently defined and component capability levels.
- There is no contribution of levels of the product development process to component capability levels.
- Proposal:
  - Control systems: assess the functional capabilities according to the Capability SLs (already described in the SAL vector concept). No explicit requirements to the components.
  - Components: specify the product development requirements without any level. Assess the fulfillment of the product development requirements according to the CMMI model. Assess the functional capabilities of the component according to the Component Feature Levels. Define Component Capability Levels (CCLs) as a combination of both.

Pierre Kobes
2. Assessment of protection levels of a plant
   - Solution vs. control system
   - Plant life cycle and product development
   - Requirements for the protection of a plant
   - The SLs concept is coherent for a solution and a control system
   - Proposal for Protection Levels (PLs)

3. Assessment of security capabilities of control systems and components
   - No direct relationship between capability SLs and Component Capability Levels (CCL)
   - No contribution of levels of the Product Development Requirements to the CCL
   - Proposal for Component Capability Levels (CCLs)

4. Summary of ISA-99 / IEC 62443 relevant documents for the various assessment types
ISA-99 / IEC 62443 document structure

Definitions, metrics (Series 1)

Requirements to the security organization and processes of the plant owner and suppliers (Series 2)
  2-3 Patch management in the IACS environment
  2-4 Certification of IACS supplier security policies and practices

Functional requirements
  System (Series 3):
    3-1 Security technologies for IACS
    3-2 Security assurance levels for zones and conduits
    3-3 System security requirements and security assurance levels
  Component (Series 4):
    4-1 Product development requirements
    4-2 Technical security requirements for IACS products
2. Assessment of protection levels of a plant
Plant environment

- The Asset Owner specifies the required protection level of the plant (ISA-99 / IEC 62443).
- The Product Supplier develops the control system.
- The System Integrator deploys the control system to the plant as a Solution: the control system together with the project application, configuration, user management and security settings.
- Project phases: requirement specification, system design, FAT / SAT, commissioning, solution deployment, plant operation.
Protection Level

A Protection Level requires the fulfillment of policies and procedures AND the fulfillment of a Security Level of the solution:

- The Asset Owner, who operates the solution, has the appropriate policies and procedures in place to operate a solution in a secure fashion -> Security Management System
+
- The Solution, which controls the plant, fulfills the functional capabilities required by the target protection level of the plant -> Security Level (Series 3, System)

Plant life cycle: both conditions apply during plant operation, i.e. commissioning, operation and maintenance by the Asset Owner.
The SLs concept is coherent for a solution and a control system

Plant environment (diagram): required protection level of the plant (ISA-99 / IEC 62443), risk assessment, target SLs; the control system with its capability SLs (3-3 System security requirements and security assurance levels) becomes the solution.

The concept of SL is coherent within Part 3-2 and Part 3-3:
1. Part 3-2: asset owner / system integrator define zones and conduits with target SLs.
2. Part 3-3: product supplier provides system features according to capability SLs.
3. In the project design phase capability SLs are deployed to match target SLs.
Protection Level: assessment type

- Asset Owner has the appropriate policies and procedures in place to operate a solution in a secure fashion -> Security Management System.
  Assessment type: assessment of a management system (e.g. ISO 9000, ISO 27000); CMMI levels are appropriate.
+
- Solution fulfills the functional capabilities required by the target protection level of the plant -> Security Level (Series 3, System).
  Assessment type: assessment of solution capabilities; Security Levels are appropriate.
Proposal for Protection Levels (PLs)

Protection Level = Asset Owner has the appropriate policies and procedures in place to operate a solution in a secure fashion (Security Management System, assessed with CMMI) + Solution fulfills the functional capabilities required by the target protection level of the plant (Security Level, SL):

  Protection Level   CMMI level of the policies and procedures   SL of the solution
  PL1                > 1                                         1
  PL2                > 2                                         2
  PL3                > 3                                         3
  PL4                > 3                                         4
3. Assessment of security capabilities of control systems and components
No direct relationship

Component Capability Levels cover the component features of PLCs, HMIs, PC devices, network devices and software (4-2 Technical security requirements for IACS products).

There is no direct relationship between Component Capability Levels and (System) Capability SLs.
Example: control system with HMI, server and PLC

Diagram: HMI (terminal bus, trusted), server (system bus, trusted), firewall, PLC; the PLC can only be accessed via the HMI device.

System Requirement SR 1.1 (3-3) with its requirement enhancements and the SL each one adds:
- SR 1.1 (SL 1): The control system shall provide the capability to identify and authenticate all users (humans, software processes and devices). This capability shall enforce such identification and authentication on all interfaces which provide access to the control system to support segregation of duties and least privilege in accordance with applicable security policies and procedures.
- SR 1.1 RE 1 (SL 2): The control system shall provide the capability to uniquely identify and authenticate all users (humans, software processes and devices).
- SR 1.1 RE 2 (SL 3): The control system shall provide the capability to employ multifactor authentication for human user access to the control system via an untrusted network (see 4.12, SR 1.10 Access via untrusted networks).
- SR 1.1 RE 3 (SL 4): The control system shall provide the capability to employ multifactor authentication for all human user access to the control system.

PLC: has no user management. Has a managed communication to the HMI and can only be accessed via the HMI device. -> Regarding SR 1.1 the PLC has a low Component Capability Level.
Two cases for the same control system (HMI and server on the trusted terminal bus and system bus, firewall, PLC)

Case 1: The HMI fulfills only SR 1.1. The PLC has no user management, has a managed communication to the HMI and can only be accessed via the HMI device. -> Regarding SR 1.1 the PLC has a low Component Capability Level.

Case 2: The HMI fulfills SR 1.1 and RE 1 and has multifactor authentication. The PLC has no user management, has a managed communication to the HMI and can only be accessed via the HMI device. -> Regarding SR 1.1 the PLC has a low Component Capability Level.

Different capability SLs can be realized with the same Component Capability Level of the PLC. A requested capability SL does not require a given / minimum Component Capability Level of the embedded devices.

There is no direct relationship between Component Capability Levels and (System) Capability SLs.
Product development requirements

ISA-99 / IEC 62443: the component features are specified in 4-2 Technical security requirements for IACS products. Product development levels don't contribute to Component Capability Levels.
-> Proposal: Specify the product development requirements without levels; follow the CMMI approach.
Proposal for Component Capability Levels (CCLs)

Component Capability Level = fulfillment of the product development requirements (assessed with CMMI) + Component fulfills the functional capabilities required by the Component Capability Level (Component (Security) Feature Level, CFL):

  Component Capability Level   CMMI level of the product development process   CFL of the component
  CCL1                         > 2                                              1
  CCL2                         > 2                                              2
  CCL3                         > 3                                              3
  CCL4                         > 3                                              4
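The PL and CCL proposals above both define a level as the AND of a CMMI condition and a functional (SL or CFL) condition. The following Python is an added example, not part of the slides: the function and variable names are mine, the thresholds are those of the two tables, and the result names the condition that blocks the next level so an assessor can see whether the management system or the solution/component is the limiting factor.

```python
# Added example (not from the slides): PL and CCL as the AND of a CMMI condition
# and a functional (SL / CFL) condition, with the thresholds of the two tables.
# Rows: (level, minimum CMMI maturity, required functional level); the slides
# write the CMMI condition as ">1", ">2", ">3", so ">1" means CMMI 2 or higher.
PL_TABLE = [(1, 2, 1), (2, 3, 2), (3, 4, 3), (4, 4, 4)]   # CMMI + SL  -> PL
CCL_TABLE = [(1, 3, 1), (2, 3, 2), (3, 4, 3), (4, 4, 4)]  # CMMI + CFL -> CCL


def combined_level(table, cmmi, functional):
    """Return (level_reached, blocking) for a (CMMI, SL or CFL) pair.

    level_reached is 0 when not even the first row is satisfied; blocking is a
    tuple of "process" and/or "functional" naming the unmet condition(s) of the
    next row, or None when the table's highest level is reached.
    """
    if not 1 <= cmmi <= 5:
        raise ValueError("CMMI maturity levels range from 1 to 5")
    if not 0 <= functional <= 4:
        raise ValueError("SL / CFL values range from 0 to 4")
    reached = 0
    for level, min_cmmi, min_functional in table:
        blocking = []
        if cmmi < min_cmmi:
            blocking.append("process")     # management system / development process
        if functional < min_functional:
            blocking.append("functional")  # solution SL / component CFL
        if blocking:                       # both conditions must hold (AND)
            return reached, tuple(blocking)
        reached = level
    return reached, None


def protection_level(cmmi, sl):
    """PL of a plant: asset owner's policies and procedures (CMMI) + solution SL."""
    return combined_level(PL_TABLE, cmmi, sl)


def component_capability_level(cmmi, cfl):
    """CCL of a component: product development process (CMMI) + component CFL."""
    return combined_level(CCL_TABLE, cmmi, cfl)


if __name__ == "__main__":
    # An SL 4 solution operated under a CMMI 3 management system only reaches PL2;
    # a CFL 4 component from a CMMI 2 development process reaches no CCL at all.
    print(protection_level(cmmi=3, sl=4))             # (2, ('process',))
    print(component_capability_level(cmmi=2, cfl=4))  # (0, ('process',))
```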
4. Summary of ISA-99 / IEC 62443 relevant documents for the various assessment types

The three assessment types are mapped onto the document structure of the standard:
- Assessment of the protection of a plant according to Protection Levels
- Assessment of the functional capabilities of a control system according to Capability SLs
- Assessment of the functional capabilities of components according to Component Capability Levels

Document structure:
  Definitions, metrics
    1-1 Terminology, concepts and models
    1-2 Master glossary of terms and abbreviations
    1-3 System security compliance metrics
  Requirements to the security organization and processes of the plant owner and suppliers
    2-1 Establishing an IACS security program
    2-2 Operating an IACS security program
    2-3 Patch management in the IACS environment
    2-4 Certification of IACS supplier security policies and practices
  Functional requirements, System
    3-1 Security technologies for IACS
    3-2 Security assurance levels for zones and conduits
    3-3 System security requirements and security assurance levels
  Functional requirements, Component
    4-1 Product development requirements
    4-2 Technical security requirements for IACS products