ISA 99.00.04


Security Zones, Conduits and Levels
ISA 99 WG4 Meeting
West Palm Beach, Florida
June 3 – 5, 2008
Contents
• Study Group Objective
• Definitions
• Security Life Cycle
• Use Case Application
• Open Questions
Study Group Objective
Security Zones, Conduits and Levels Study Group
• Security Zones, Conduits and Levels concepts were introduced in the ISA 99 Part 1 document; however, no guidance was provided on how to use the concepts in real applications
• The ISA 99 Part 4 document aims to establish security requirements, either performance or prescriptive, for IACS based on the Foundational Requirements, using the Security Zones, Conduits and Levels concept
• The objective of this Study Group is to
– Develop a Use Case to explain the Security Zones, Conduits and Levels concepts
– Help develop security requirements using the Security Zones and Conduits identified in the Use Case
Definitions
Definitions – Security Zones and Conduits
• Security Zone is a grouping of logical and/or physical assets that share common security requirements
– Typically based on function
– Independent of communication medium (i.e. wireless is included)
– Physical boundary of a Security Zone may expand or contract
• Security Conduit is a logical grouping of communication assets that protects the security of the channels it contains
– A special type of Security Zone containing communication assets
– Communication assets within a Conduit impact the security of the Zones that it connects
• Channel is a specific communication link established within a Conduit
– Typically a point-to-point logical link between two Security Zones
Granularity of Security Zones and Conduits
• The level of granularity used to identify Security Zones and Conduits will depend on various factors which include:
– Size of IACS
– Location of IACS components
– Company policy and organization
– Type of assets associated with IACS
– Criticality of assets associated with IACS
Definitions – Security Levels
• Security Level (SL) corresponds to the required effectiveness of technical or administrative measures and inherent security properties of IACS components within a Security Zone or Conduit
– Provides the ability to categorize risk associated with a Security Zone or Conduit
– Security capabilities of IACS components and implemented technical and administrative countermeasures must function as a coordinated system to achieve a desired Security Level
• Security Levels
– SL(Target) - Target Security Level
– SL(Achieved) - Achieved Security Level
SL(Target) - Target Security Level
• SL(Target) is assigned to a Zone or Conduit during risk assessment
• Factors that influence determination of SL(Target) for a Security Zone or Conduit are:
– Network architecture with defined zone boundaries and conduits
– SL(Target) of the zones with which the zone under consideration will communicate
– SL(Target) of the conduit, if assigned, used for communication by the zone
– Physical access to devices and systems within the zone
SL(Achieved) - Achieved Security Level
• SL(Achieved) is determined after the recommended
technical and administrative countermeasures for the
Security Zone or Conduit have been implemented
• SL(Achieved) depends on several factors:
– SL(Capability) of implemented security measures and inherent
security properties of components within the zone or conduit
– SL(Achieved) by the zones with which they communicate
– SL(Achieved) by conduits used to communicate with other zones
– Effectiveness of countermeasures
– Audit and testing interval
– Attacker expertise and resources available to attacker
– Degradation of countermeasures and inherent security properties
of IACS components over time
– Available response time on intrusion detection
Degradation of SL(Achieved)
• Countermeasures and inherent security properties of devices and systems will degrade over time due to
– Discovery of new vulnerabilities
– Improved attacker skills
– Attacker familiarity with existing countermeasures
– Availability of better resources to attackers
• Countermeasures need to be updated and upgraded based on audit and testing results to maintain SL(Achieved) equal to or better than SL(Target)
Security Life Cycle

Security Life Cycle
[Figure: ISA 99 Part 1, Figure 8 – Security Life Cycle. Three phases: Assess Phase (addressed in SP99 Part 2), Develop & Implement Phase (addressed in SP99 Part 2), Maintain Phase (addressed in SP99 Part 3). SP99 Part 4 explores SL(Capability).]
Security Life Cycle – Assess Phase
[Figure: ISA 99 Part 1, Figure 9 – Security Life Cycle Assess Phase. Flow recovered from the slide text:]
Address security of IACS → Are Zones established for the IACS? (No: Establish IACS zones & conduits) → Is SL(Target) known for the zone & conduit? (No: Assess consequence/risk of the process → Assess company's risk tolerance → Review the degree of security protection offered by each SL → Select appropriate SL(Target) for the zone & conduit) → SL(Target) goal for zone & conduit → To Develop & Implement Phase
From Maintain Phase: Reassess SL(Target) of IACS
Legend: Vendor task; User task; Vendor & User task
Security Life Cycle – Develop & Implement Phase
[Figure: ISA 99 Part 1, Figure 10 – Security Life Cycle Develop & Implement Phase. Content recovered from the slide text:]
Entry: From Assess Phase (New IACS); From Maintain Phase (New Countermeasure, Change to IACS, Change to SL(Target))
Decision: Is this a new or existing IACS? (New / Existing)
Design and test steps: Design IACS to meet SL(Target); Select devices based on SL(Capability); Develop integrated design; Factory Acceptance Test IACS using the security assurance properties for the SL level; Install IACS in the field; Install new IACS devices in the field; Validate system SL(Capability); Test integrated IACS for the security assurance properties
Then: Factor in the security assurance implications associated with the countermeasures in place in the field → Determine the SL(Achieved) → SL(Achieved)t0 for the zone & conduit (Note: t0 = at time 0) → Is SL(Achieved) acceptable? (Yes: To Maintain Phase; No: Implement additional countermeasures or accept risk)
Legend: Vendor task; User task; Vendor & User task
Security Life Cycle – Maintain Phase
[Figure: ISA 99 Part 1, Figure 12 – Security Life Cycle Maintain Phase. Content recovered from the slide text:]
Entry: From Develop & Implement Phase (New SL(Achieved)tn for the zone & conduit); triggers: Process change; New vulnerability detected; Scheduled periodic security review; Decommission of countermeasure
Vendor tasks: OS Vendor issues OS patches & updates → Vendor tests OS patches & updates for functional compatibility and security assurance properties → Vendor publishes results; Vendor develops application fixes as necessary (Vendor application fixes)
User tasks: Conduct security review to assess vulnerabilities → Is there a patch addressing the vulnerability? (Yes: Review vendor assessment of OS patches and updates – compatibility and SL(Capability) impact → Test OS patches & updates and application fixes in off-line environment → Deploy patches & updates in controlled manner to minimize potential of common mode failure → Determine SL(Achieved)tn+1; No: Examine impact, determine SL(Achieved)tn+1)
Is actual SL(Achieved) acceptable? (Yes: Record SL(Achieved)tn+1; No: Accept the risk and document SL(Achieved)tn, document plans to address risk gap → To Assess Phase; or Implement additional countermeasures or consider decommissioning devices with high security risk and replacing with devices with improved SL(Capability) → To Develop and Implement Phase)
Note: tn = at some later time other than at time 0.
Legend: Vendor task; User task; Vendor & User task
Use Case Application
Use Case Selection - Considerations
• Some considerations for use case selection
– Defense-in-depth concept
– Connectivity to enterprise systems
– Remote access
– Safety Instrumented Systems (SIS)
– Process analyzer systems
– Zone within a zone
– Wireless instruments
• Questions:
– What are the attributes of a Security Zone? Function, assets, interfaces, criticality, risk
– What rules are to be followed when one zone is connected to another zone or when it is a member of another zone?
• Use analogies from the field of process safety
Selected Use Case Application
• Decided to use a Chemical or Petrochemical plant site as the use case application to explain the Security Zones, Conduits and Levels concept and develop Security Requirements
• Agreed that there is a need to develop other use cases, however they will be developed at a later
• Electric utility industry will most likely be the next use case to be developed
Security Life Cycle Approach for Use Case
• Identify IACS components and develop architecture drawing
• Group IACS components into Security Zones and Conduits
• Conduct risk assessment and assign Target Security Level to Zones and Conduits
• Identify technical and administrative countermeasures to achieve the target Security Level
• Implement technical and administrative countermeasures to achieve the target Security Level
• Maintain effectiveness of implemented technical and administrative countermeasures
Identify IACS Components and Develop Network Architecture
[Figure: use-case network architecture. Components shown: Enterprise Network; 3rd Party; Administrative Tools; Analysis Tools; Reporting Apps; Data Historian; MES Apps; Maintenance Tools; HMI; Engr Stn; App Stn; Wireless Gateway; Controller; IO Interface; Mobile Worker; BPCS; Analyzers; Safety PLC; Serial; Fieldbus; Field Instruments; Fieldbus Devices; Wireless Devices; Plant A; Plant B; two Conduits.]
Group into Security Zones and Conduits
[Figure: the same use-case network architecture, with the components grouped into Security Zones and Conduits.]
Use case – Security Zones
• Plant A Control Systems Zone
– Monitoring and control systems for Plant A
– Safety Instrumented System (SIS) Zone
– Wireless Field Devices Zone
– Wireless Mobile Worker
• Manufacturing Execution Systems (MES) Zone
– Analysis tools, MES applications, Data historian
• Administrative Tools Zone
– Backup tools, patch management
• Maintenance Tools Zone
– Instrument calibration, configuration and troubleshooting using 3rd party resources
• Enterprise Zone
Use case – Security Conduits
• Conduit facilitating communication between the following
Security Zones:
– Plant A Zone
– MES Zone
– Administrative Tools Zone
• Conduit facilitating communication between the following
Security Zones:
– MES Zone
– Administrative Tools Zone
– Enterprise Zone
Risk Assessment – Assigning Security Levels to Security Zones and Conduits
• Qualitative approach - Example using a Risk Matrix
• Performance based (quantitative) approach using risk measures based on consequence and incident frequency estimation
• In both cases, the target SL determines the required effectiveness of technical and administrative security countermeasures that will reduce the incident frequency and thereby the risk to an acceptable level
Selection of Countermeasures to Achieve Target Security Level
• Qualitative approach – Selection from a combination of prescriptive technical and/or administrative countermeasures corresponding to each SL
• Quantitative approach – Conduct an analysis taking into consideration event frequencies and probability of failure of countermeasures
[Figure: Example quantitative analysis for a Windows based HMI]
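The two approaches on the preceding slides, worked through as an added example (not code from the slides or from ISA 99): a qualitative risk matrix that returns SL(Target), and a quantitative check that multiplies the initiating event frequency by the probability of failure of each countermeasure, compares the residual frequency with the tolerable frequency, and re-runs the check with degraded countermeasures to bound the audit interval. The matrix values, the Windows HMI scenario, its frequencies, PFDs and the yearly degradation factor are constructed assumptions.

```python
from dataclasses import dataclass, replace
from math import prod

# Qualitative approach: a risk matrix (consequence x likelihood -> SL(Target)).
# Constructed example: axis labels and cell values are assumptions, not from
# the slides, which only say a risk matrix is used.
CONSEQUENCE = ["minor", "serious", "severe", "catastrophic"]
LIKELIHOOD = ["remote", "unlikely", "possible", "likely"]
RISK_MATRIX = [  # rows follow CONSEQUENCE, columns follow LIKELIHOOD
    [1, 1, 1, 2],
    [1, 1, 2, 2],
    [1, 2, 3, 3],
    [2, 3, 3, 4],
]

def sl_target_qualitative(consequence: str, likelihood: str) -> int:
    return RISK_MATRIX[CONSEQUENCE.index(consequence)][LIKELIHOOD.index(likelihood)]

@dataclass(frozen=True)
class Countermeasure:
    name: str
    pfd: float          # probability the measure fails to stop the event
    degradation: float  # assumed yearly multiplier on pfd as attackers adapt

def residual_frequency(initiating_per_year: float, measures) -> float:
    """Incident frequency after the countermeasures, treated as independent
    layers (no common-mode failure): each layer lets the event through with
    probability pfd, so the probabilities multiply."""
    return initiating_per_year * prod(min(m.pfd, 1.0) for m in measures)

def required_risk_reduction(initiating_per_year: float, tolerable_per_year: float) -> float:
    """Effectiveness the SL(Target) demands of the countermeasures as a whole:
    the factor by which the initiating frequency must be reduced."""
    return initiating_per_year / tolerable_per_year

def meets_target(initiating: float, measures, tolerable: float) -> bool:
    return residual_frequency(initiating, measures) <= tolerable

def years_until_target_lost(initiating: float, measures, tolerable: float, horizon: int = 10):
    """First year in which the degraded countermeasures no longer hold the
    incident frequency within tolerance, i.e. an upper bound on the audit and
    testing interval; None if the target holds over the whole horizon."""
    for year in range(1, horizon + 1):
        aged = [replace(m, pfd=m.pfd * m.degradation ** year) for m in measures]
        if not meets_target(initiating, aged, tolerable):
            return year
    return None

# Constructed scenario for the Windows-based HMI: malware arriving through the
# conduit from the enterprise side. Frequencies and PFDs are assumed values.
HMI_INITIATING_PER_YEAR = 2.0
HMI_TOLERABLE_PER_YEAR = 0.01      # from the company's risk tolerance (assumed)
HMI_MEASURES = [
    Countermeasure("conduit firewall", pfd=0.1, degradation=1.5),
    Countermeasure("antivirus on HMI", pfd=0.3, degradation=1.5),
    Countermeasure("patch management", pfd=0.2, degradation=1.5),
]
HMI_MEASURES_HARDENED = HMI_MEASURES + [
    Countermeasure("application whitelisting", pfd=0.1, degradation=1.5),
]
```

With the constructed numbers the three original measures leave 0.012 incidents per year against a tolerance of 0.01, the fourth layer brings this to 0.0012, and degradation pushes the hardened set back over tolerance in year 2, so audit and testing would need to happen within a year.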
Risk Assessment Considerations
• Take into consideration all possible scenarios, including all internal and external threats, that can lead to an incident
– Internal threats: Untrained or disgruntled employees
– External threats: Connection to the Internet or allowing partner companies to access IACS components
[Figure: Example Connections to a Control System]
How to Assign Security Levels for Use Case?
• Need to specify the number of Security Levels
• Will require getting into functional details such as hazardous chemicals being used, type of control system, physical set-up of the system, etc.
• Decided to develop a list of questions
– Can be used for any Security Zone or Conduit
– Based on Foundational Requirements
• Security Zones for which questions were developed
– Enterprise Zone
– SIS Zone
– Administrative Tools Zone
Enterprise Network Zone Assumptions
• Connected to the enterprise are the asset owner's business functions, business partners, vendors, regulatory agencies, government oversight agencies, etc.
• Data residing in any repository connected to the enterprise has a point of presence and may be accessed and used by anyone having the proper access control and use privileges.
• The granularity of security control may be specified for any named data object.
• A comprehensive security policy is needed to address the seven foundational requirements of ISA 99.00.01.
Enterprise Network Zone - Question 1
• Given the diversity of those having access to the information and functions at the enterprise level, who is responsible for establishing access and use credentials, and monitoring accesses to these data and functions?
– Consider the requirements for a federated security management scheme.
– Consider an approach of centralized control negotiated with all parties and decentralized execution of the security functions
Enterprise Network Zone - Question 2
• Hypothesis: Since the asset owner owns the enterprise data and functions, establishment, maintenance and management of access and use control of any named data object must be controlled by the asset owner.
• What agreements must be negotiated with business partners, vendors, regulatory agencies, and government oversight agencies to ensure the integrity of the asset owner's security strategy?
– What security credential management functions can be off-loaded to external organizations to efficiently operate the security system?
– How are dynamic changes for access and use coordinated in a timely manner?
  ◦ Pre-negotiated automated functions
  ◦ In-time permission to access/use requested data
Enterprise Network Zone - Question 3
• If the asset owner outsources the security management functions to a 3rd party, what provisions must be included in the outsource agreement?
• What oversight must the asset owner perform to ensure proper execution of the security functions performed by a 3rd party?
Enterprise Network Zone - Access and Use Control Credentials
• Access and use control credentials are the underlying mechanism for enforcing a strong security policy
• A life-cycle model is needed
– To identify the interaction of security functions associated with these credentials
  ◦ Assets needed to perform all security functions such as key management, logging and reporting, alarm/alert notification
  ◦ Secure repositories for master certificates
  ◦ Secure physical boundaries for management operations
– To allocate management responsibility within the asset owner's organization – include in security policy
– To allocate management responsibility between the asset owner and external organizations – include in negotiated agreement
– If security functions are outsourced, allocate functional and management responsibility – include in the negotiated service contract
Administrative Tools Zone
• The administrative zone would contain systems that directly or indirectly support the industrial and automated control systems (IACS) environment, but are not themselves IACS, and therefore may have unique security requirements.
• Examples of such systems are those used for patch management, virus scanning, data backup, proxy servers, enterprise domain controllers, etc.
Administrative Tools Zone - Questions based on Foundational Requirements
Access Control (AC)
• What administrative systems are required?
– Patch management, Virus Scanning, Data Backup, Remote Access, Proxy Servers, Enterprise Domain Controllers, Others
• Who is allowed to access administrative systems and how is the access authorized?
– Support Engineers, IT Support Personnel, Operators
• What communication interfaces exist between the administrative systems and IACS? How is access to these interfaces controlled?
Administrative Tools Zone - Questions based on Foundational Requirements (cont.)
Use Control (UC)
• Who is allowed use of administrative systems and how is the use controlled?
– Support Engineers, IT Support Personnel
Data Integrity (DI)
• Is data integrity an issue with any of the administrative systems?
• Where this is an issue, how is data integrity ensured?
– Client access, Communication interfaces to IACS, Software agent installed on IACS
Administrative Tools Zone - Questions based on Foundational Requirements (cont.)
Data Confidentiality (DC)
• Is data confidentiality an issue with any of the administrative systems?
• Where this is an issue, how is data confidentiality ensured?
– Client access, Communication interfaces to IACS, Software agent installed on IACS
Restrict Data Flow (RDF)
• How is data flow restricted?
– Client access, Communication interfaces to IACS, Software agent installed on IACS
Administrative Tools Zone - Questions based on Foundational Requirements (cont.)
Timely Response to Event (TRE)
– Is there a plan in place to respond to security violations?
– Can these systems be isolated from the supported IACS during an emergency incident?
Resource Availability (RA)
– How is resource availability ensured?
– Can these systems be isolated from the supported IACS during an emergency incident?
Organization - Which organization is the administrator of each system?
• Does this group also provide support for the system?
– Automation Group?
– IT Support Group?
• Is 24x7 coverage required?
SIS Zone
• The SIS zone contains safety related systems such as Emergency Shutdown Systems and Burner Management Systems
• These are high reliability systems that bring the process to a safe state on a demand, e.g. a high pressure condition
• Any security breach that results in the SIS being unable to respond to a demand has a significant impact on health, safety and environment
SIS Zone - Questions based on Foundational Requirements
Access Control (AC)
• Who is allowed access to SIS components and how is the access authorized?
– Safety PLC hardware components, engineering software, operator interface, SIS components in the field
• What communication interfaces exist between the SIS and other systems and how is access to these interfaces controlled?
Use Control (UC)
• Who is allowed use of SIS components and how is the use controlled?
– Operators, Supervisors, Maintenance Technicians, Engineers
SIS Zone - Questions based on Foundational Requirements (cont.)
Data Integrity (DI)
• How is data integrity ensured?
– Signals from field devices, Operator interface, Communication interfaces
Data Confidentiality (DC)
• Is data confidentiality an issue?
– Communication interfaces
Restrict Data Flow (RDF)
• How is data flow restricted?
– Communication interfaces
Timely Response to Event (TRE)
• Is there a plan in place to respond to security violations?
SIS Zone - Questions based on Foundational Requirements (cont.)
Resource Availability (RA)
• How is resource availability ensured?
Organization
• Who is responsible for the SIS and its interfaces?
– Operators, unit engineer, safety engineer
Discussion Points based on Security Zones
• Assumption: Physical security, such as locked rooms and cabinets, has been considered and measures implemented
• Electronic security considerations for IACS can be classified based on type of access
– Local Access
– Remote Access
• Security needs to be enabled as close to the originating function or data as possible
• Effective security solutions require complete understanding of the security needs and benefits, as well as commitment and vigilance to enforce the security policies.
Mapping of Security Levels to Foundational Requirements
• Once a Security Level (SL) has been assigned to a Security Zone or Conduit, based on Risk Assessment, it should meet the Prescriptive Foundational Requirements for that SL

FR 1.20 MONITORING PHYSICAL ACCESS (800-53 PE-6)
Requirement: The organization monitors physical access to the IACS to detect and respond to physical security incidents.
Rationale/Supplemental Guidance: The organization reviews physical access logs periodically and investigates apparent security violations or suspicious physical access activities. Response to detected physical security incidents is part of the organization's incident response capability.
Requirement Enhancements:
(1) The organization monitors real-time physical intrusion alarms and surveillance equipment.
(2) The organization employs automated mechanisms to recognize potential intrusions and initiate appropriate response actions.
Security Assurance Levels:
SAL 1: FR 1.20
SAL 2: FR 1.20 (1)
SAL 3: FR 1.20 (1) (2)
SAL 4: FR 1.20 (1) (2)
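An added example (not code from the slides or from the ISA 99 committee) that ties together the SL(Achieved) factors, the use-case zones and conduits, and the FR 1.20 SAL mapping above: it derives a zone's SL(Capability) for FR 1.20 from the enhancements actually implemented, propagates SL(Achieved) through the zone/conduit graph under an assumed weakest-link rule, and reports the zones that fall short of SL(Target). The SL numbers assigned to the use-case zones and conduits, and the weakest-link rule itself, are assumptions; the FR 1.20 table is the one on the slide.

```python
from dataclasses import dataclass

# From the "Mapping of Security Levels to Foundational Requirements" slide: the
# FR 1.20 enhancements each Security Assurance Level requires (SAL 1 needs only
# the base requirement; SAL 3 and SAL 4 both need enhancements (1) and (2)).
FR_1_20_BY_SAL = {1: set(), 2: {1}, 3: {1, 2}, 4: {1, 2}}

def sal_capability_fr_1_20(base_met: bool, enhancements: set) -> int:
    """Highest SAL whose FR 1.20 requirements the implemented measures cover.
    Assumed reading: that SAL is the SL(Capability) for this single FR; 0 if
    even the base physical-access monitoring requirement is not met."""
    if not base_met:
        return 0
    return max(sal for sal, req in FR_1_20_BY_SAL.items() if req <= enhancements)

@dataclass
class Zone:
    name: str
    sl_target: int       # assigned during the Assess phase risk assessment
    sl_capability: int   # from implemented measures and inherent properties

@dataclass
class Conduit:
    name: str
    sl_capability: int
    zones: list          # names of the Security Zones this conduit connects

def achieved_levels(zones: list, conduits: list) -> dict:
    """Assumed weakest-link rule: a zone achieves at most its own capability
    and, per neighbour reached through a conduit, at most max(conduit SL,
    neighbour SL): a strong conduit shields it from a weak neighbour, otherwise
    the neighbour bounds it. Levels only decrease, so the fixed point exists."""
    ach = {z.name: z.sl_capability for z in zones}
    changed = True
    while changed:
        changed = False
        for z in zones:
            bound = z.sl_capability
            for c in (c for c in conduits if z.name in c.zones):
                for other in (o for o in c.zones if o != z.name):
                    bound = min(bound, max(c.sl_capability, ach[other]))
            if bound < ach[z.name]:
                ach[z.name], changed = bound, True
    return ach

def security_gaps(zones: list, conduits: list) -> dict:
    """Zones whose SL(Achieved) is below SL(Target): the Develop & Implement
    decision point 'implement additional countermeasures or accept risk'."""
    ach = achieved_levels(zones, conduits)
    return {z.name: (ach[z.name], z.sl_target)
            for z in zones if ach[z.name] < z.sl_target}

# Constructed use-case values; the SL numbers are assumptions, not from the
# slides. Administrative Tools monitors physical access but has implemented no
# FR 1.20 enhancement, so for that FR its capability is only SAL 1.
USE_CASE_ZONES = [
    Zone("Plant A Control Systems", sl_target=3, sl_capability=3),
    Zone("MES", sl_target=2, sl_capability=2),
    Zone("Administrative Tools", 2, sal_capability_fr_1_20(True, set())),
    Zone("Enterprise", sl_target=1, sl_capability=1),
]
USE_CASE_CONDUITS = [  # the two conduits on the "Security Conduits" slide
    Conduit("Conduit 1", 3, ["Plant A Control Systems", "MES", "Administrative Tools"]),
    Conduit("Conduit 2", 2, ["MES", "Administrative Tools", "Enterprise"]),
]
```

With these values only Administrative Tools falls short of its target, while Plant A keeps SL 3 because Conduit 1 shields it; lowering Conduit 2 to SL 1 drags MES down to 1 as well, which is the "conduit assets impact the security of the zones it connects" point from the definitions.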
Open Questions
Open Questions
• Methodology for assigning Security Levels to Security Zones and Conduits
• Performance vs Prescriptive requirements for each Security Level
• Tasks for the Security Zones, Conduits and Levels Study Group
Thanks to everyone who contributed to the discussions!