dISA-99.00.02

December 24, 2016 | Author: Jason Mullins | Category: N/A

DRAFT dISA-99.00.02

Manufacturing and Control Systems Security
Part 2: Establishing a Manufacturing and Control System Security Program
Draft 1, Edit 5
September 20, 2005

THIS DRAFT VERSION IS STRICTLY FOR REVIEW BY ISA SP-99 MEMBERS ONLY

This document is a draft that represents work being done by an ISA Standards Committee leading to the development of an ISA Standard. ISA grants permission to anyone to reproduce and distribute copies of this draft ISA standard, in whole or in part, but only for the following purposes and only as long as the recipient is not charged any fee for the copy (nor may the copy be included as part of a package with other materials or presentations for which a fee is charged):

1. Review of and comment on the draft standard;
2. Provide to others for review and comment;
3. Promotion of the standard; or
4. Informing and educating others about the standard.

In addition, all copies must reproduce a copyright notice as follows:

Copyright 2004 © ISA. All rights reserved. Reproduced and distributed with permission of ISA.

ISA reserves all other rights to the draft standard. Any other reproduction or distribution without the prior written consent of ISA is prohibited.

The reader is cautioned that this document has not been approved and cannot be presumed to reflect the position of ISA or any other committee, society, or group. Although every effort has been made to ensure accuracy, neither ISA, members of the S&P Department, nor their employers shall be held liable for errors or limitations.

dISA-99.00.02 (Draft 1, Edit 5)


Editor’s Comment

This is a working draft, owned and maintained by Working Group #2 of the ISA SP-99 committee. All updates and revisions are tracked using a two-tiered structure that includes a Draft number and an Edit number. Document content is developed in a series of smaller documents, each containing material for a specific section. New Drafts are typically created after each comprehensive review of document content (e.g., working group meetings), with Edits being created as individual sections are added or updated. Explanatory and supported comments appear throughout this document in Red Bookman-Italic font. They will not appear in final or published versions of the document. This editor’s comment will also be removed from any final or published copies.

dISA-99.00.02

Manufacturing and Control Systems Security Part 2: Establishing a Manufacturing and Control System Security Program ISBN: 1-55617-976-6

Copyright © 2005 by the Instrumentation, Systems and Automation Society. All rights reserved. Not for resale. Printed in the United States of America. ISA 67 Alexander Drive P. O. Box 12277 Research Triangle Park, NC 27709 USA


September 20, 2005


Preface

This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ISA-d99.00.02.

This document has been prepared as part of the service of ISA, the Instrumentation, Systems and Automation Society, toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: [email protected].

The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general, and the International System of Units (SI) in particular, in the preparation of instrumentation standards. The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, this Department will endeavor to introduce SI-acceptable metric units in all new and revised standards, recommended practices, and technical reports to the greatest extent possible. Standard for Use of the International System of Units (SI): The Modern Metric System, published by the American Society for Testing & Materials as IEEE/ASTM SI 1097, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices, and technical reports. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA, or of any of the standards, recommended practices, and technical reports that ISA develops.

CAUTION – ISA adheres to the policy of the American National Standards Institute with regard to patents. If ISA is informed of an existing patent that is required for use of the standard, it will require the owner of the patent to either grant a royalty-free license for use of the patent by users complying with the standard or a license on reasonable terms and conditions that are free from unfair discrimination. Even if ISA is unaware of any patent covering this Standard, the user is cautioned that implementation of the standard may require use of techniques, processes, or materials covered by patent rights. ISA takes no position on the existence or validity of any patent rights that may be involved in implementing the standard. ISA is not responsible for identifying all patents that may require a license before implementation of the standard or for investigating the validity or scope of any patents brought to its attention. The user should carefully investigate relevant patents before using the standard for the user’s intended application. However, ISA asks that anyone reviewing this standard who is aware of any patents that may impact implementation of the standard notify the ISA Standards and Practices Department of the patent and its owner.

Additionally, the use of this standard may involve hazardous materials, operations or equipment. The standard cannot anticipate all possible applications or address all possible safety issues associated with use in hazardous conditions. The user of this standard must exercise sound professional judgment concerning its use and applicability under the user’s particular circumstances. The user must also consider the applicability of any governmental regulatory limitations and established safety and health practices before implementing this standard.


The following people served as active members of ISA SP-99 Working Group #2 for the preparation of this document, each designated as Contributor or Reviewer:

Name:
Paul Baybutt, Rahul Bhojani, Dennis Brandl, Eric Byres, Keith Chambers, Andy Corbbett, Eric Cosman, Lynn Craig, Jean-Pierre Dalzon, Daniel Dziadiw, Robert Evans, Lois Ferson, Ron Forrest, Robert Frost-Hunt, James Gilsinn ***, Thomas Good *, Evan Hand, Mark Heard, Karen Hirst, Charles Mastromonico, Dave Mills **, Shinji Oda, Richard Oyen, William Phillips, Bryan Singer, Brad Taylor, David Teumim, Loren Uden, Bob Webb, Joe Weiss, Marge Widmeyer

Company:
Primatech, Bayer, BRL Consulting, BCIT, Datasweep, BP, The Dow Chemical Company, Schering-Plough, INL, Ohio State University, Suncor, NIST, DuPont, Kraft Foods, Eastman Chemical, DuPont, Savana River Site, Proctor & Gamble, Yokogawa, ABB, CH2M, Rockwell Automation, Teumim Technical, Equistar, KEMA, Inc.

* Chairman
** Vice Chairman
*** Editor
**** Secretary


Contents 1

2

Scope ..................................................................................................................... 20 1.1

Functional Criteria ........................................................................................................................20

1.2

Activity-Based Criteria .................................................................................................................. 21

Defini ti on s.............................................................................................................. 22 2.1

Information Technology (IT) .........................................................................................................22

2.2

Cyber Security Management System (CSMS).............................................................................22

2.3

Human-Machine Interface (HMI) ..................................................................................................22

2.4

stakeholder ................................................................................................................................... 22

2.5

asset ............................................................................................................................................. 22

2.6

business continuity plan ...............................................................................................................22

2.7

gatekeeper....................................................................................................................................22

2.8

consequence ................................................................................................................................ 22

2.9

Safety Instrumented System (SIS) ............................................................................................... 22

2.10

Burner Management System ....................................................................................................22

2.11

Manufacturing Execution System (MES) ..................................................................................23

2.12

likelihood ................................................................................................................................... 23

2.13

threat likelihood ......................................................................................................................... 23

2.14

vulnerability likelihood ...............................................................................................................23

2.15

risk tolerance.............................................................................................................................23

2.16

Programmable Logic Controller (PLC)......................................................................................23

2.17

Process Information Management (PIM) system...................................................................... 23

2.18

Cyber Security Vulnerability Assessment (CSVA)....................................................................23

2.19

Vulnerability Assessment Methodology (VAM).........................................................................23

2.20

risk mitigation ............................................................................................................................ 23

2.21

account......................................................................................................................................23

2.22

operator..................................................................................................................................... 23

2.23

Health, Safety, and Environmental (HS&E) ..............................................................................24

2.24

Media Access Control (MAC) address......................................................................................24

2.25

change management ................................................................................................................ 24

2.26

legacy system ........................................................................................................................... 24

2.27

incident ......................................................................................................................................24

2.28

ISO/IEC 17799 .......................................................................................................................... 24

2.29

compliance ................................................................................................................................ 24

2.30

remote access........................................................................................................................... 24

September 20, 2005

dISA-99.00.02 (Draft 1, Edit 5)

5

DRAFT dISA-99.00.02

3

4

Manufacturing and Control Systems Security Part 2: Establishing a Manufacturing and Control System Security Program

2.31

Process Safety Management (PSM).........................................................................................24

2.32

social engineering .....................................................................................................................24

2.33

Six-Sigma..................................................................................................................................24

2.34

authenticator .............................................................................................................................24

2.35

Administrative Practices............................................................................................................25

2.36

Local user..................................................................................................................................25

2.37

Remote user..............................................................................................................................25

Normativ e Referenc es .......................................................................................... 26 3.1

Other References ......................................................................................................................... 26

3.2

Informational References & Resources........................................................................................26

3.2.1

Industry/Sector Specific......................................................................................................... 26

3.2.2

Websites ................................................................................................................................27

3.2.3

Other Documents & Resources.............................................................................................27

Executiv e Overvi ew............................................................................................... 28 4.1

Maturity of a Company’s Cyber Security Program .......................................................................28

4.2

Establishing an Integrated Security Program...............................................................................30

4.2.1

Overview of a Cyber Security Management System.............................................................30

4.2.2

Activities Required to Develop a Cyber Security Program....................................................33

4.3

How to Use This Document.......................................................................................................... 33

5 Establis hing t he Business Ca se for Manufacturing and Contro l System Securi ty ........................................................................................................................ 35 6 Ac ti viti es Requ ir ed to Develo p a Cyb er Secur it y Management Sys tem – An Overvi ew ...................................................................................................................... 38

6

6.1

Activity 1 – Develop a Business Case..........................................................................................38

6.2

Activity 2 – Obtain Leadership Commitment, Support, and Funding ...........................................39

6.3

Activity 3 – Define the Charter and Scope of M&CS Security for Your Company ....................... 39

6.4

Activity 4 – Form a Team of Stakeholders ...................................................................................39

6.5

Activity 5 – Raise Staff Cyber Security Capability Through Training ...........................................40

6.6

Activity 6 – Characterize the Key M&CS Risks ............................................................................ 40

6.7

Activity 7 – Prioritize and Calibrate Risks.....................................................................................40

6.8

Activity 8 – Establish High-Level Cyber Security Policies that Support the Risk Tolerance Level 41

6.9

Activity 9 – Organize for Security .................................................................................................41

6.10

Activity 10 – Inventory M&CS Devices and Networks ..............................................................41

6.11

Activity 11 – Screening and Prioritization of M&CS Systems ................................................... 41

6.12

Activity 12 – Conduct a Detailed Security Assessment ............................................................41 dISA-99.00.02 (Draft 1, Edit 5)

September 20, 2005

Manufacturing and Control Systems Security Part 2: Establishing a Manufacturing and Control System Security Program

DRAFT dISA-99.00.02

6.13

Activity 13 – Develop Detailed M&CS Cyber Security Policies and Procedures......................42

6.14

Activity 14 – Define the Standard Set of M&CS Security Risk Mitigation Controls................... 42

6.15

Activity 15 – Develop Additional Elements of the Cyber Security Management System Plan . 42

6.16

Activity 16 – Quick Fix...............................................................................................................42

6.17

Activity 17 – Charter, Design, and Execute Cyber Security Risk Mitigation Projects............... 43

6.17.1

Charter the Cyber Security Risk Mitigation Project ........................................................... 43

6.17.2

Project

6.17.3

Project Execution...............................................................................................................43

6.17.4

Decisions to Make When Planning a Test Program .......................................................... 44

6.17.5

Testing ...............................................................................................................................44

Design....................................................................................................................43

6.18

Activity 18 – Refine and Implement the Cyber Security Management System ........................ 44

6.19

Activity 19 – Adopt Continuous Improvement Operational Measures ......................................45

7 Ac ti viti es Requ ir ed to Develo p a Cyb er Secur it y Management System – A Detailed Discu ss io n .................................................................................................... 46 7.1

Activity 1 – Develop a Business Case..........................................................................................48

7.1.1 7.2

Key Components of the Business Case................................................................................48

Activity 2 – Obtain Leadership Commitment, Support, and Funding ...........................................49

7.2.1

Identify Appropriate Senior Managers................................................................................... 49

7.2.2

Identify Gatekeepers and Persuade, If Necessary................................................................49

7.2.3 7.2.4

Revise the Business Case, If Necessary .............................................................................. 50 Present the Case to the Senior Managers ............................................................................ 50

7.2.5

Prerequisites..........................................................................................................................50

7.3

Activity 3 – Define the Charter and Scope of M&CS Security for Your Company ....................... 50

7.3.1 7.4

7.4.1 7.5

Prerequisites..........................................................................................................................51

Activity 4 – Form a Team of Stakeholders ...................................................................................52 Prerequisites..........................................................................................................................53

Activity 5 – Raise Staff Cyber Security Capability Through Training ...........................................53

7.5.1

Plan........................................................................................................................................53

7.5.2

Do .......................................................................................................................................... 53

7.5.3

Check.....................................................................................................................................53

7.5.4

Act.......................................................................................................................................... 53

7.5.5 Prerequisites..........................................................................................................................54 7.6 Activity 6 – Characterize the Key M&CS Risks ............................................................................ 54 7.6.1

Qualitative vs. Quantitative....................................................................................................54

7.6.2

Scenario-Based vs. Asset-Based.......................................................................................... 54

7.6.3

Risk Analysis Session ...........................................................................................................55

7.6.4

Prerequisites..........................................................................................................................55

September 20, 2005

dISA-99.00.02 (Draft 1, Edit 5)

7

DRAFT dISA-99.00.02

7.7

Manufacturing and Control Systems Security Part 2: Establishing a Manufacturing and Control System Security Program

Activity 7 – Prioritize and Calibrate Risks.....................................................................................55

7.7.1

The Risk Equation ................................................................................................................. 55

7.7.2

Calibrating Likelihood and Consequence Scales.................................................................. 56

7.7.3

Risk Tolerance Level .............................................................................................................57

7.7.4

Prerequisites..........................................................................................................................57

7.8

Activity 8 – Establish High-Level Cyber Security Policies that Support the Risk Tolerance Level 57

7.8.1

Prerequisites..........................................................................................................................58

7.9 Activity 9 – Organize for Security .................................................................................................58 7.9.1 Prerequisites..........................................................................................................................59 7.10

Activity 10 – Inventory M&CS Devices and Networks ..............................................................60

7.10.1

Locate and identify key manufacturing and control devices and systems.........................60

7.10.2

Group the devices and systems and develop an inventory ...............................................60

7.10.2.1 7.10.3 7.11

Prerequisites......................................................................................................................63 Activity 11 – Screening and Prioritization of M&CS Systems ................................................... 63

7.11.1

Preliminary assessment of overall vulnerability of each identified system........................64

7.11.2

Prioritize the Systems ........................................................................................................ 64

7.11.3 7.12

Prerequisites......................................................................................................................65 Activity 12 – Conduct a Detailed Security Assessment ............................................................65

7.12.1

Select the cyber security vulnerability assessment methodology .....................................65

7.12.2

Conduct the cyber security vulnerability assessment........................................................67

7.12.2.1 7.12.2.2 7.12.3 7.13

Pitfalls to avoid ............................................................................................................... 69 Interrelationship with physical security measures..........................................................69 Prerequisites......................................................................................................................70

Activity 13 – Develop Detailed M&CS Cyber Security Policies and Procedures......................70

7.13.1 7.14

Prerequisites......................................................................................................................70 Activity 14 – Define the Standard Set of M&CS Security Risk Mitigation Controls................... 71

7.14.1

Risk

7.14.2

Business Continuity Plan ...................................................................................................72

7.14.3

Mitigation....................................................................................................................71

Access Control Procedures ...............................................................................................72

7.14.3.1

Account Administration .................................................................................................. 73

7.14.3.2

Authentication.................................................................................................................74

7.14.3.2.1

Authentication for Local Users .................................................................................74

7.14.3.2.2

Authentication for Remote Users ............................................................................. 76

7.14.3.2.3

Authentication for Task-To-Task Communication....................................................76

7.14.3.3

8

Develop Simple Network Diagrams ...............................................................................63

Authorization .................................................................................................................. 76

dISA-99.00.02 (Draft 1, Edit 5)

September 20, 2005

Manufacturing and Control Systems Security Part 2: Establishing a Manufacturing and Control System Security Program 7.14.3.3.1

Authorization for Local Users:..................................................................................77

7.14.3.3.2

Authorization for Remote Users...............................................................................77

7.14.4

Network Segmentation ......................................................................................................78

7.14.5

Security Tools ....................................................................................................................78

7.14.6 7.15

Prerequisites......................................................................................................................79 Activity 15 – Develop Additional Elements of the Cyber Security Management System Plan . 79

7.15.1

Communications, Operations and Change Management..................................................79

7.15.2

Incident Planning and Response....................................................................................... 79

7.15.3

System Development and Maintenance............................................................................ 80

7.15.4

Develop and Implement an Integrated Audit and Compliance Process ............................80

7.15.5

Prerequisites......................................................................................................................81

7.16

Activity 16 – Quick Fix...............................................................................................................81

7.17

Activity 17 – Charter, Design, and Execute Cyber Security Risk Mitigation Projects............... 81

7.17.1

Charter the Cyber Security Risk Mitigation Project ........................................................... 81

7.17.2

Project

7.17.3

Project Execution...............................................................................................................82

7.17.4

Separation of Development and Test Environments .........................................................83

7.17.5

Decisions to Make When Planning a Test Program .......................................................... 83

7.17.6

Types of Testing ................................................................................................................ 83

Design....................................................................................................................82

7.17.6.1

Component Testing........................................................................................................ 83

7.17.6.2

Integration Testing ......................................................................................................... 84

7.17.6.3

System Validation Testing..............................................................................................84

7.17.7

Test Plans .......................................................................................................................... 84

7.17.8

Test Performance ..............................................................................................................85

7.17.9

Test data review and analysis ...........................................................................................85

7.17.10

Installation of integrated system components ................................................................... 85

7.17.11

Prerequisites......................................................................................................................85

7.18

Activity 18 – Refine and Implement the Cyber Security Management System ........................ 85

7.18.1 7.19

8

DRAFT dISA-99.00.02

Prerequisites......................................................................................................................86 Activity 19 – Adopt Continuous Improvement Operational Measures ......................................86

7.19.1 Implement Processes for System Development .................................................................... 87
7.19.2 Types of Operational Measures .............................................................................................. 87
7.19.2.1 Audit Results ....................................................................................................................... 87
7.19.2.2 Incident Data ....................................................................................................................... 87
7.19.2.3 Organizational Capability Data ............................................................................................ 87
8 Cyber Security Management System Details ................................................................................ 88

8.1 Introduction ................................................................................................................................. 88
8.2 Overview of the CSMS ................................................................................................................ 88
8.3 The 18 Key Elements to a Cyber Security Management System .............................................. 91
8.3.1 Importance of Cyber Security in Business ............................................................................... 92
8.3.1.1 Statement of Management Practice ...................................................................................... 92
8.3.1.2 Applicability to Cyber Security in M&CS ............................................................................... 92
8.3.1.3 Baseline Practices ................................................................................................................. 93
8.3.1.4 Additional M&CS Security Practices ..................................................................................... 94
8.3.1.5 Resources Used .................................................................................................................... 94
8.3.2 Scope of a Cyber Security Management System .................................................................... 94
8.3.2.1 Statement of Management Practice ...................................................................................... 94
8.3.2.2 Applicability to Cyber Security in M&CS ............................................................................... 95
8.3.2.3 Baseline Practices ................................................................................................................. 95
8.3.2.4 Additional M&CS Security Practices ..................................................................................... 96
8.3.2.5 Resources Used .................................................................................................................... 96
8.3.3 Security Policy .......................................................................................................................... 96
8.3.3.1 Statement of Management Practice ...................................................................................... 96
8.3.3.2 Applicability to Cyber Security in M&CS ............................................................................... 96
8.3.3.3 Baseline Practices ................................................................................................................. 97
8.3.3.4 Additional M&CS Security Practices ..................................................................................... 97
8.3.3.5 Resources Used .................................................................................................................... 98
8.3.4 Organizational Security ............................................................................................................ 98
8.3.4.1 Statement of Management Practice ...................................................................................... 98
8.3.4.2 Applicability to Cyber Security in M&CS ............................................................................... 98
8.3.4.3 Baseline Practices ................................................................................................................. 99
8.3.4.4 Additional M&CS Security Practices ..................................................................................... 99
8.3.4.5 Resources Used .................................................................................................................. 100
8.3.5 Personnel Security ................................................................................................................. 100
8.3.5.1 Statement of Management Practice .................................................................................... 100
8.3.5.2 Applicability to Cyber Security in M&CS ............................................................................. 101
8.3.5.3 Baseline Practices ............................................................................................................... 101
8.3.5.4 Additional M&CS Security Practices ................................................................................... 101
8.3.5.5 Resources Used .................................................................................................................. 102
8.3.6 Physical and Environmental Security ..................................................................................... 102
8.3.6.1 Statement of Management Practice .................................................................................... 102
8.3.6.2 Applicability to Cyber Security in M&CS ............................................................................. 103
8.3.6.3 Baseline Practices ............................................................................................................... 103

8.3.6.4 Additional M&CS Security Practices ................................................................................... 104
8.3.6.5 Resources Used .................................................................................................................. 105
8.3.7 Risk Identification, Classification, and Assessment ............................................................... 105
8.3.7.1 Statement of Management Practice .................................................................................... 105
8.3.7.2 Applicability to Cyber Security in M&CS ............................................................................. 105
8.3.7.3 Baseline Practices ............................................................................................................... 106
8.3.7.4 Additional M&CS Security Practices ................................................................................... 106
8.3.7.5 Resources Used .................................................................................................................. 107
8.3.8 Risk Management and Implementation .................................................................................. 107
8.3.8.1 Statement of Management Practice .................................................................................... 107
8.3.8.2 Applicability to Cyber Security in M&CS ............................................................................. 107
8.3.8.3 Baseline Practices ............................................................................................................... 108
8.3.8.4 Additional M&CS Security Practices ................................................................................... 108
8.3.8.5 Resources Used .................................................................................................................. 109
8.3.9 Incident Planning and Response ............................................................................................ 109
8.3.9.1 Statement of Management Practice .................................................................................... 109
8.3.9.2 Applicability to Cyber Security in M&CS ............................................................................. 109
8.3.9.3 Baseline Practices ............................................................................................................... 110
8.3.9.4 Additional M&CS Security Practices ................................................................................... 111
8.3.9.5 Resources Used .................................................................................................................. 111
8.3.10 Infrastructure-Related Operations and Change Management ............................................. 112
8.3.10.1 Statement of Management Practice .................................................................................. 112
8.3.10.2 Applicability to Cyber Security in M&CS ........................................................................... 112
8.3.10.3 Baseline Practices ............................................................................................................. 112
8.3.10.4 Additional M&CS Security Practices ................................................................................. 113
8.3.10.5 Resources Used ................................................................................................................ 113
8.3.11 Access Control ..................................................................................................................... 113
8.3.11.1 Statement of Management Practice .................................................................................. 114
8.3.11.2 Applicability to Cyber Security in M&CS ........................................................................... 114
8.3.11.3 Account Administration ..................................................................................................... 114
8.3.11.3.1 Statement of Management Practice ............................................................................... 115
8.3.11.3.2 Applicability to Cyber Security in M&CS ........................................................................ 115
8.3.11.3.3 Baseline Practices .......................................................................................................... 115
8.3.11.3.4 Additional M&CS Security Practices .............................................................................. 116
8.3.11.3.5 Resources Used ............................................................................................................. 116
8.3.11.4 Authentication ................................................................................................................... 116
8.3.11.4.1 Statement of Management Practice ............................................................................... 116

8.3.11.4.2 Applicability to Cyber Security in M&CS ........................................................................ 116
8.3.11.4.3 Baseline Practices .......................................................................................................... 117
8.3.11.4.4 Additional M&CS Security Practices .............................................................................. 117
8.3.11.4.4.1 Authentication for Local Users .................................................................................... 117
8.3.11.4.4.2 Authentication for Remote Users ................................................................................ 118
8.3.11.4.5 Resources Used ............................................................................................................. 119
8.3.11.5 Authorization ..................................................................................................................... 119
8.3.11.5.1 Statement of Management Practice ............................................................................... 120
8.3.11.5.2 Applicability to Cyber Security in M&CS ........................................................................ 120
8.3.11.5.3 Baseline Practices .......................................................................................................... 120
8.3.11.5.4 Additional M&CS Security Practices .............................................................................. 121
8.3.11.5.5 Unique Aspect of Authorization for M&CS ..................................................................... 121
8.3.11.5.6 Authorization for Local Users ......................................................................................... 121
8.3.11.5.7 Authorization for Remote Users ..................................................................................... 121
8.3.11.5.8 Resources Used ............................................................................................................. 122
8.3.12 Information and Document Management ............................................................................ 122
8.3.12.1 Statement of Management Practice .................................................................................. 122
8.3.12.2 Applicability to Cyber Security in M&CS ........................................................................... 122
8.3.12.3 Baseline Practices ............................................................................................................. 122
8.3.12.4 Additional M&CS Security Practices ................................................................................. 123
8.3.12.5 Resources Used ................................................................................................................ 123
8.3.13 System Development and Maintenance .............................................................................. 124
8.3.13.1 Statement of Management Practice .................................................................................. 124
8.3.13.2 Applicability to Cyber Security in M&CS ........................................................................... 124
8.3.13.3 Baseline Practices ............................................................................................................. 124
8.3.13.4 Additional M&CS Security Practices ................................................................................. 125
8.3.13.5 Resources Used ................................................................................................................ 125
8.3.14 Staff Training and Security Awareness ................................................................................ 126
8.3.14.1 Statement of Management Practice .................................................................................. 126
8.3.14.2 Applicability to Cyber Security in M&CS ........................................................................... 126
8.3.14.3 Baseline Practices ............................................................................................................. 126
8.3.14.4 Additional M&CS Security Practices ................................................................................. 127
8.3.14.5 Resources Used ................................................................................................................ 128
8.3.15 Compliance .......................................................................................................................... 128
8.3.15.1 Statement of Management Practice .................................................................................. 128
8.3.15.2 Applicability to Cyber Security in M&CS ........................................................................... 128
8.3.15.3 Compliance with Legal, Regulatory, and Security Requirements ..................................... 129

8.3.15.3.1 Statement of Management Practice ............................................................................... 129
8.3.15.3.2 Applicability to Cyber Security in M&CS ........................................................................ 130
8.3.15.3.3 Baseline Practices .......................................................................................................... 130
8.3.15.3.4 Additional M&CS Security Practices .............................................................................. 130
8.3.15.3.5 Resources Used ............................................................................................................. 131
8.3.15.4 Scheduling and Conducting Audits ................................................................................... 131
8.3.15.4.1 Statement of Management Practice ............................................................................... 131
8.3.15.4.2 Applicability to Cyber Security in M&CS ........................................................................ 131
8.3.15.4.3 Baseline Practices .......................................................................................................... 131
8.3.15.4.4 Additional M&CS Security Practices .............................................................................. 132
8.3.15.4.5 Unique Aspects of Scheduling and Conducting Audits for M&CS ................................. 133
8.3.15.4.6 Resources Used ............................................................................................................. 133
8.3.16 Business Continuity Plan ..................................................................................................... 134
8.3.16.1 Statement of Management Practice .................................................................................. 134
8.3.16.2 Applicability to Cyber Security in M&CS ........................................................................... 134
8.3.16.3 Baseline Practices ............................................................................................................. 134
8.3.16.4 Additional M&CS Security Practices ................................................................................. 136
8.3.16.5 Resources Used ................................................................................................................ 137
8.3.17 Monitoring and Reviewing CSMS ........................................................................................ 137
8.3.17.1 Statement of Management Practice .................................................................................. 137
8.3.17.2 Applicability to Cyber Security in M&CS ........................................................................... 138
8.3.17.3 Baseline Practices ............................................................................................................. 138
8.3.17.4 Additional M&CS Security Practices ................................................................................. 138
8.3.17.5 Resources Used ................................................................................................................ 139
8.3.18 Maintaining and Implementing Improvements ..................................................................... 139
8.3.18.1 Statement of Management Practice .................................................................................. 139
8.3.18.2 Applicability to Cyber Security in M&CS ........................................................................... 140
8.3.18.3 Baseline Practices ............................................................................................................. 140
8.3.18.4 Additional M&CS Security Practices ................................................................................. 141
8.3.18.5 Resources Used ................................................................................................................ 141
Annex A Sample Policies & Procedures ......................................................................................... 143
Annex B Sample Vulnerability Assessment Procedure .................................................................. 144
B.1 Overview of the Process ........................................................................................................... 144
B.2 Identify the Assets .................................................................................................................... 144
B.2.1 Data Assets Examples ........................................................................................................... 144
B.2.2 Application or Device Asset Examples .................................................................................. 145
B.3 Identify and Rate the Threats ................................................................................................... 146

B.3.1 Probability Rating Scale ......................................................................................................... 147
B.3.2 Consequence Rating Scale ................................................................................................... 151
B.3.3 Rating the Probability and Consequence of Assets .............................................................. 152
B.3.4 Prioritize Systems for Implementation Phase of Risk Mitigation Plan ................................... 153
B.4 Design or Select Countermeasures .......................................................................................... 153
B.4.1 Implement Risk Mitigation Strategies Based upon Detected Vulnerabilities ......................... 153
B.4.1.1 Risk Mitigation Strategies ................................................................................................... 153
B.4.1.2 Mitigation Design ................................................................................................................ 154
Annex C Integrating Security into Vendor Practices ....................................................................... 157
C.1 Product Development ............................................................................................................... 157
C.2 Documentation and Training .................................................................................................... 158
C.3 Installation ................................................................................................................................ 159
C.4 Response to Discovered Product Security Issues ................................................................... 159
C.5 Security Patches to Third Party Products ................................................................................ 159
C.6 Compatibility with Third Party Products Such as Anti-virus ..................................................... 159
C.7 Support of the customer’s security analyses and audits .......................................................... 160
C.8 Working on the Customer’s Premises ...................................................................................... 160
Annex D CSMS Key Elements Self-Assessment Questions .......................................................... 161
D.1 Importance of Cyber Security in Business ............................................................................... 161
D.2 Scope of Cyber Security Management System ........................................................................ 161
D.3 Security Policy .......................................................................................................................... 162
D.4 Organizational Security ............................................................................................................ 162
D.5 Personnel Security ................................................................................................................... 163
D.6 Physical and Environmental Security ....................................................................................... 163
D.7 Risk Identification, Classification, and Assessment ................................................................. 164
D.8 Risk Management and Implementation .................................................................................... 164
D.9 Incident Planning and Response ............................................................................................. 165
D.10 Communications, Operations, and Change Management ..................................................... 166
D.11 Access Control ....................................................................................................................... 166
D.11.1 Account Administration ........................................................................................................ 166
D.11.2 Authentication ...................................................................................................................... 167
D.11.3 Authorization ........................................................................................................................ 167
D.11.3.1 M&CS Authorization ......................................................................................................... 168
D.12 Information and Document Management .............................................................................. 168
D.13 System Development and Maintenance ................................................................................ 169

D.14 Staff Training and Security Awareness .................................................................................. 169
D.15 Compliance ............................................................................................................................ 170
D.15.1 Compliance with Legal, Regulatory, and Security Requirements ....................................... 170
D.15.2 Scheduling and Conducting Audits ..................................................................................... 170
D.16 Business Continuity Plan ....................................................................................................... 171
D.17 Monitoring and Reviewing CSMS .......................................................................................... 172
D.18 Maintaining and Implementing Improvements ....................................................................... 172
Annex E Participation in Industry Forums and Development Programs ........................................ 174
E.1 ISA – The Instrumentation, Systems, and Automation Society ................................................ 174
E.2 International Electrotechnical Commission (IEC) ..................................................................... 174
E.3 U.S. National Institute of Standards and Technology (NIST) ................................................... 174
E.4 Process Control System Cyber Security Forum (PCSRF) ....................................................... 175
E.5 North American Electric Reliability Council (NERC) ................................................................. 175
E.6 Chemical Industry Data Exchange (CIDX) ............................................................................... 175
E.7 Institute of Electrical and Electronics Engineers (IEEE) ........................................................... 175
E.8 International Council on Large Electric Systems (CIGRE) ....................................................... 175
E.9 U.S. Department of Energy National SCADA Test Bed Program ............................................ 175

Figures

Figure 1 – ANSI/ISA-95 Functional Hierarchy ................................................................................... 21
Figure 2 – Maturity Curve for an Integrated Cyber Security Management System ........................... 29
Figure 3 – Resources in a Cyber Security Management System along the Maturity Curve ............. 30
Figure 4 – Continuous Activity in a Cyber Security Management System ........................................ 31
Figure 5 – 18 Key Elements of a CSMS Mapped into the Plan-Do-Check-Act Phases .................... 31
Figure 6 – Overlapping Stages of a Cyber Security Management System along the Maturity Curve ... 32
Figure 7 – Individual Projects in the Cyber Security Management System along the Maturity Curve ... 32
Figure 8 – Timeline of Projects for a Cyber Security Management System along the Maturity Curve ... 33
Figure 9 – CERT Reported Attacks on Computer Systems ............................................................... 37
Figure 10 – Timeline of Activities to Develop a Cyber Security Management System ...................... 38
Figure 11 – Relationship of Existing Risk Management Organizations to a New Cyber Security Management System ... 46
Figure 12 – Sample Manufacturing and Control Network Inventory Sheet ....................................... 62
Figure 13 – Example of a Graphically Rich Network Diagram ........................................................... 63
Figure 14 – 18 Key Elements of a Cyber Security Management System ......................................... 89
Figure 15 – Network Connection Types ........................................................................................... 149
Figure 16 – Network Segments Including Corporate Intranet and Dial-In ....................................... 150
Figure 17 – Network Segments in Site LAN and Integrated MCN ................................................... 150
Figure 18 – Network Segments in Isolated MCN ............................................................................. 151

Tables

Table 1 – Relationship Between the (19) Process Activities and the (18) Key Elements in the CSMS ... 47
Table 2 – A Typical Likelihood Scale ................................................................................................. 56
Table 3 – A Typical Consequence Scale ........................................................................................... 56
Table 4 – A Typical Risk Tolerance Level Matrix ............................................................................... 57
Table 5 – Typical Roles and Training Objectives for Personnel Involved in Cyber Security ............. 59
Table 6 – Example Data Assets Table ............................................................................................. 145
Table 7 – Example Application / Device Assets Table ..................................................................... 146
Table 8 – Example Probability / Consequence Table ...................................................................... 147
Table 9 – Example Threat Probability Table .................................................................................... 149
Table 10 – Quantitative Assessment of Probability and Consequence Ratings .............................. 152
Table 11 – Example Device Assets Table With Data ....................................................................... 152
Table 12 – Example Application / Device Assets Table With Data .................................................. 153
Table 13 – Ratings for an Example Application / Device Assets Table ........................................... 154
Table 14 – Example Mitigation Strategy Matrix for Application / Device Assets ............................. 154
Table 15 – Ratings for an Example Data Assets Table ................................................................... 155
Table 16 – Example Mitigation Strategy Matrix for Data Assets ..................................................... 155
Table 17 – Example MCN Design Document Showing Nodes, Applications, Site Architecture, etc. ... 156

September 20, 2005

dISA-99.00.02 (Draft 1, Edit 5)

17

DRAFT dISA-99.00.02

Manufacturing and Control Systems Security Part 2: Establishing a Manufacturing and Control System Security Program

Foreword

Text to Come


Introduction

This is part of a multi-part standard that addresses the subject of Manufacturing and Control Systems security. The focus of the document is on “Establishing a Manufacturing and Control Systems Security Program”, and the purpose is to provide practical guidance and direction on how to establish the business case for a security program and how to design the program to meet your business needs. Technical questions addressed by this document include:

1. Question #1?
2. Question #2?
3. etc.

Additional parts of the standard currently planned or under development include:

• ISA 99.00.01 – Models and Terminology
• ISA 99.00.03 – Operating a Manufacturing and Control Systems Security Program
• ISA 99.00.04 – Specific Security Requirements for Manufacturing and Control Systems

There is also a technical report associated with this standard. This technical report may be updated more frequently than indicated in this standard. Refer to ISA for the most recent version.

• ISA-TR99.00.01-2004, Security Technologies for Manufacturing and Control Systems


1 Scope

In defining the scope of this standard the concept of Manufacturing and Control Systems (M&CS) electronic security is applied in the broadest practical sense, encompassing all types of manufacturing plants and facilities, as well as other processing operations such as utilities (i.e., electric, gas and water), pipelines and transportation systems or other industries which use automated or remotely controlled vehicles. Specifically, Manufacturing and Control Systems include all systems that can affect or influence the safe, secure and reliable operation of an industrial process. They include, but are not limited to:

• Process Control Systems, including Distributed Control Systems (DCS), Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), Intelligent Electronic Devices (IED), Supervisory Control and Data Acquisition (SCADA), networked electronic sensing and control, and monitoring and diagnostic systems (In this context, process control systems include Basic Process Control System (BPCS) and Safety Instrumented System (SIS) functions, whether they are physically separate or integrated.)
• Associated information systems such as advanced or multi-variable control, online optimizers, dedicated equipment monitors, graphical interfaces, process historians, manufacturing execution systems and plant information management systems
• Associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes.

Scope may be defined in terms of a functional reference model, or by providing a set of criteria for selecting activities that are considered to be included. Each of these methods is applied in the following sections.

1.1 Functional Criteria

The scope of this standard can be expressed in terms of the range of functionality addressed. Such functionality is usually described in the form of a logical model. One example of such a model that is relevant to the process industries is presented in ANSI/ISA-95 and reproduced in Figure 1. Similar models could be used to describe functional scope for other types of industries. The primary focus of this standard is on levels 0 through 3 of the ANSI/ISA-95 model. Business Planning and Logistics Systems (i.e., Level 4) are not included within the scope of this document, although the integrity of data communications from the Manufacturing and Control Systems domains into the Enterprise Resource Business Systems should be included.


Figure 1 – ANSI/ISA-95 Functional Hierarchy

(The figure shows the five levels of the hierarchy with their activities and time frames:)

Level 4 – Business Planning & Logistics (plant production scheduling, operational management, etc.): establishing the basic plant schedule (production, material use, delivery, and shipping) and determining inventory levels. Time frame: months, weeks, days.
Level 3 – Manufacturing Operations Management (dispatching production, detailed production scheduling, reliability assurance, ...): work flow / recipe control to produce the desired end products; maintaining records and optimizing the production process. Time frame: days, shifts, hours, minutes, seconds.
Level 2 – Monitoring, supervisory control and automated control of the production process (batch control, continuous control, discrete control).
Level 1 – Sensing and manipulating the production process.
Level 0 – The actual production process.

1.2 Activity-Based Criteria

It is also possible to describe the scope of the standard in terms of the activities that are addressed. A system should be considered to be within the scope of this standard if any of the following criteria are met:

• The activity performed is critical to process safety
• The activity performed is critical to process reliability or availability
• The activity performed is critical to process efficiency
• The activity performed is critical to product quality
• The activity performed is critical to maintaining regulatory compliance

This includes systems whose compromise could result in the endangerment of public or employee health or safety, loss of public confidence, violation of regulatory requirements, loss or invalidation of proprietary or confidential information, economic loss or impact on entity, local or national security.


2 Definitions

2.1 Information Technology (IT)

Information technology by itself describes the computer-related assets of an organization that represent non-physical assets. These may be things like software applications, process programs, personnel files, etc. Throughout this document, this use of the term “information technology” is not abbreviated. Another use of Information Technology (IT) refers to the company’s internal organization (e.g. the IT department) or the items that are traditionally maintained by this department (i.e. the administrative computers, servers, network infrastructure, etc.).

2.2 Cyber Security Management System (CSMS)

A program designed by an organization to maintain the security of the entire organization’s assets, whether they are on the business side or the Manufacturing & Control System side of the organization.

2.3 Human-Machine Interface (HMI)

A device used to convey and collect information to and from an operator for a particular device. In many cases, these involve video screens or computer terminals, push buttons, auditory feedback, flashing lights, etc.

2.4 Stakeholder

Stakeholders are personnel in an organization responsible for promoting and overseeing the cyber security process. These personnel include the manager of the cyber security program as well as the cross-functional team of individuals from all of the departments affected by the cyber security program.

2.5 Asset

An asset is any item that should be protected as part of the cyber security management system. These may be physical assets (i.e. operator stations, SCADA systems, PLCs, etc.), or they can be data assets (i.e. control algorithms, set points, account names and passwords, etc.).

2.6 Business continuity plan

2.7 Gatekeeper

Gatekeepers are the trusted individuals that senior managers use to filter the important issues they need to address from the other issues that others are more suited to address.

2.8 Consequence

A consequence is the result that occurs from a security incident.

2.9 Safety Instrumented System (SIS)

A system specifically designed to monitor certain conditions to maintain the safety of the facility.

2.10 Burner Management System

2.11 Manufacturing Execution System (MES)

2.12 Likelihood

The quantitative chance that an incident may occur.

2.13 Threat likelihood

The likelihood that a particular threat will occur.

2.14 Vulnerability likelihood

The likelihood that a particular vulnerability will be exploited.

2.15 Risk tolerance

2.16 Programmable Logic Controller (PLC)

Type of control system in which the system is tightly coupled and usually located in a relatively small area.

NOTE: PLCs are commonly found in manufacturing lines, electrical transmission and distribution facilities, pulp and paper facilities, etc.

2.17 Process Information Management (PIM) system

2.18 Cyber Security Vulnerability Assessment (CSVA)

2.19 Vulnerability Assessment Methodology (VAM)

2.20 Risk mitigation

2.21 Account

An access control function that allows the user(s) access to a particular set of data or functions for certain equipment.

NOTE: Many times accounts are linked to user IDs and passwords. These user IDs and passwords may be linked to an individual or group of individuals.

2.22 Operator

A particular type of user that is usually responsible for maintaining the correct operation of the process equipment.


2.23 Health, Safety, and Environmental (HS&E)

2.24 Media Access Control (MAC) address

The hardware address that differentiates one device on a network from another.

NOTE: For some networks, like Ethernet, this address is typically encoded on a chip in the device, while in some industrial networks, like DeviceNet, these can be controlled in software or with a hardware switch.

2.25 Change management

The process of controlling and documenting any change in a system to maintain the proper operation of the process equipment.

2.26 Legacy system

Systems that already exist in a facility today that may not be removable/replaceable.

2.27 Incident

2.28 ISO/IEC 17799

2.29 Compliance

2.30 Remote access

2.31 Process Safety Management (PSM)

2.32 Social engineering

2.33 Six-Sigma

2.34 Authenticator

2.35 Administrative Practices

Defined and documented practices/procedures that individuals are personally accountable to follow at all times.

NOTE: These are usually in the conditions of employment for the organization. In the M&CS environment, these often have HS&E implications.

2.36 Local user

A user who is physically present in the immediate manufacturing area or control room.

2.37 Remote user

A user who is not physically present in the immediate manufacturing area or control room.

2.38 Ushered Access

The procedure for monitoring the actions of a remotely connected user, also called Shadowing.

2.39 Evergreen Process

A process that needs to be done continuously. Virus updates and patches are a good example of this.


3 Normative References

The following normative documents contain provisions which, through reference in this text, constitute provisions of this part of this standard. At the time of publication, the editions indicated were valid. All normative documents are subject to revision, and parties to agreements based on this part of this standard are encouraged to investigate the possibility of applying the most recent editions of the normative documents indicated below. Members of IEC and ISO maintain registers of currently valid normative documents.

1. ANSI/ISA-95.00.01-2000, Enterprise-Control System Integration Part 1: Models and Terminology – Referred to throughout this document as “ISA-99, Part 1”
2. ANSI/ISA-88.01-1995, Batch Control Part 1: Models and Terminology – Referred to throughout this document as “ISA-88, Part 1”
3. ANSI/ISA-TR99.00.01-2004, Security Technologies for Manufacturing and Control Systems – Referred to throughout this document as “ISA-TR99.00.01”

3.1 Other References

The following documents contain material referenced in this standard.

4. Purdue Research Foundation, A Reference Model for Computer Integrated Manufacturing, 1989, ISBN 1-55617-225-7 – Referred to throughout this document as the “Purdue Model”
5. Guidance for Addressing Cybersecurity in the Chemical Sector, Version 2.0, December 2004, Chemical Industry Data Exchange (CIDX) – Referred to throughout this document as “CIDX Guidance for Cybersecurity”
6. Report on Cybersecurity Vulnerability Assessments Methodologies, Version 2.0, November 2004, CIDX – Referred to throughout this document as “CIDX Report on CSVA”
7. Cybersecurity Reference Model, Version 1.0, August 2004, CIDX – Referred to throughout this document as “CIDX Reference Model”
8. NASA/Science Office of Standards and Technology (NOST), http://ssdoo.gsfc.nasa.gov/nost/isoas/us04/defn.html
9. Zachmann Enterprise Reference Model, http://www.zifa.com/
10. ISO/IEC International Standard 17799, Information Technology – Code of Practice for Information Security Management, 2000 – Referred to throughout this document as “ISO/IEC 17799”
11. British Standard 7799-2:2002, Information Security Management – Specification with Guidance for Use, September 2002 – Referred to throughout this document as “BS 7799”

3.2 Informational References & Resources

The following sources were used in the development of this document but do not have specific references to content in this standard.

3.2.1 Industry/Sector Specific

• Cybersecurity Guidance for Risk Assessment, Version 2.0, CIDX
• Guidance for Cybersecurity Vulnerability Assessment Methodology Process, Version 1.0, CIDX. Document superseded by Report on Cybersecurity Vulnerability Assessment
• U.S. Chemicals Sector Cyber-Security Strategy, June 2002

3.2.2 Websites

• Sarbanes – Oxley website, http://www.sarbanes-oxley.com/
• Sans website, http://www.sans.org/
• MIS Training Institute, http://www.misti.com/
• U.S. National Institute of Standards & Technology, http://www.nist.gov/
• Information Systems Technology Audit Programs, http://www.auditnet.org/asapind.htm
• eScan Security Assessment, http://www.escan.nist.gov/sat/index.htm
• American National Standards Institute, http://www.ansi.org/
• IDEAL Model, http://www.sei.cmu.edu/ideal/ideal.html

3.2.3 Other Documents & Resources

• Report on the Evaluation of Cybersecurity Self-assessment Tools and Methods, November 2004, CIDX – Referred to throughout this document as “CIDX Report on Self-assessment”
• NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, July 2002 – Referred to throughout this document as “NIST SP 800-30”
• Carlson, Tom, Information Security Management: Understanding ISO 17799, 2001, http://www.responsiblecaretoolkit.com/pdfs/Cybersecurity_att3.pdf – Referred to throughout this document as “Understanding ISO 17799”
• ISO/IEC International Standard 15408, Common Criteria – Referred to throughout this document as “ISO/IEC 15408”
• NIST Special Publication 800-61, Computer Security Incident Handling Guide, January 2004 – Referred to throughout this document as “NIST SP 800-61”
• NIST Process Control Security Requirements Forum (PCSRF), Industrial Control System – System Protection Profile (ICS-SPP) – Referred to throughout this document as “PCSRF ICS-SPP”
• Control Objectives for Information and Related Technology (COBIT), http://www.isaca.org/
• Corporate Governance Task Force, “Information Security Governance – A Call to Action”, http://www.cyberpartnership.org/InfoSecGov4_04.pdf
• NIST Special Publication 800-55, Security Metrics Guide for Information Technology Systems, July 2003 – Referred to throughout this document as “NIST SP 800-55”


4 Executive Overview

Addressing cyber security on a company-wide basis can seem like a daunting task. A frequent question is “Where do I begin?” After some initial investigation often comes a plea: “Just tell me what I have to do!” Unfortunately there is no simple cookbook for security. There is good reason for this. There is not a one-size-fits-all set of security practices. Absolute security may be achievable, but is probably undesirable because of the loss of functionality that would be necessary to achieve this near-perfect state of absolute security. Security is really a balance of risk versus cost. All situations will be different. In some situations the risk may be safety, health, or environmental related rather than purely an economic impact. The risk may have an unrecoverable consequence rather than a temporary financial setback. Therefore a cookbook set of mandatory security practices will either be overly restrictive and likely quite costly to follow, or be insufficient to address the risk. Although the actual security policies and practices cannot be addressed with a cookbook approach, it is possible to follow a set of guidance that identifies the elements that should be considered in a quality security program and a logical process of how one would go about developing the program. ISA-99.00.02 provides this overall guidance for manufacturing and control systems.

This Executive Overview section of the document is an easy “must-read” that builds the foundation for understanding the large set of details and key terms found in the document. It is intended to provide:

• An initial grounding and understanding of the big picture of what it takes to implement a cyber security program
• An understanding of what a cyber security management system is
• How one would go about developing the cyber security management system appropriate for your company

4.1 Maturity of a Company’s Cyber Security Program

Driven by increasing cyber security risks, many companies have taken a proactive approach towards Information Technology security. Certain sectors have also begun to establish cyber security procedures for their characteristic process control systems and networks. Historically, Information Technology (IT) and Manufacturing organizations operated in two mutually exclusive areas, and the expertise and requirements of each organization were not understood or appreciated by the other. Issues arose as organizations tried to employ common IT security practices to manufacturing and control systems. In some cases, the security practices were in opposition to normal manufacturing procedures designed to maximize safety and continuity of production. Because today’s open information technologies are used extensively in manufacturing and control systems, additional knowledge is required to safely employ these technologies. The IT and manufacturing organizations need to work together and bring their knowledge and skills together to tackle security issues. In industries with a high potential for safety, health, or environmental incidents, it is important to bring Process Safety Management and physical security personnel to the table as well. The goal is a “mature” security program that integrates all aspects of cyber security, incorporating desktop and business computing systems, manufacturing and control systems, and the value chain systems interacting with customers, suppliers, and transportation providers. Figure 2 shows the integration journey most businesses face while trying to reach maturity.


Figure 2 – Maturity Curve for an Integrated Cyber Security Management System

(The figure plots “Maturity of a Cyber Security Program” against Time, from Point A to Point B, with three curves: Desktop and Business Systems Cyber Security, Manufacturing and Control Systems Cyber Security, and Value Chain Systems Cyber Security.)

As indicated in the graphic, many companies have fairly detailed and complete cyber security programs for their desktop and business computer systems, but cyber security management procedures are not as fully developed for manufacturing and control systems and value chain systems. While the desired end result is the same (a cyber security management system that encompasses all aspects of electronic security), every company’s journey to achieve that goal will be different based on company objectives and tolerance for risk. Integrating cyber security into a company’s standard practices is a cultural change that takes time and resources. As Figure 2 suggests, it cannot be achieved in one step. It is an evolution that standardizes on the approach to cyber security. The security procedures implemented are proportionate to the risk level and will vary from one company to another. They may even be different for various operations within the same company based on global needs and requirements. Individual policies and procedures may also be different for each class of system within a company because the levels of risk and security requirements are different. The cyber security management system establishes the overall program that accommodates these differences. Some of the options for handling the differences between the IT and manufacturing organizations and developing a mature cyber security management system include:

• Training the manufacturing and process control personnel to understand technology and cyber security issues
• Training IT personnel to understand manufacturing processes and technologies, along with the Process Safety Management (PSM) processes and methods
• Developing procedures that join the skill sets of both organizations to deal with cyber security collaboratively

For the cyber security program to be successful, it is important to bring together the right mix of people on both the mitigation projects and the overall Cyber Security Management System program development. Figure 3 illustrates the skills and understanding that need to be pulled together from multiple groups of people in order to reach the desired integrated, mature cyber security program state.


Figure 3 – Resources in a Cyber Security Management System along the Maturity Curve

(The figure plots “Maturity of a Cyber Security Program” against Time for Desktop and Business System Cyber Security, Manufacturing and Control Systems Cyber Security, and Value Chain Systems Cyber Security, and shows the integration of resources from Business IT, Network IT, Suppliers, Value Chain Partners, Process Safety, Manufacturing & Controls, and Manufacturing & Operations.)

4.2 Establishing an Integrated Security Program

4.2.1 Overview of a Cyber Security Management System

The cyber security management system is the umbrella set of security policies and procedures that collectively are used to drive cyber security throughout the company. The management system addresses creation of the policies and procedures, mitigation activities to reduce vulnerabilities, periodic reassessment of the changing landscape of vulnerabilities and the effectiveness of institutionalized procedures, and finally, the overall effectiveness of the umbrella program. The maturity of the company’s cyber security program increases as the elements of the cyber security management system are implemented. The complete cyber security management system consists of (18) key elements that take place in the following four major phases:

• Plan – Establish the scope and policy of the cyber security management system, identify, classify, and assess risks, and develop a business continuity plan.
• Do – Implement and operate the security management system and all its processes.
• Check – Monitor, assess, and measure performance and report results to management for review.
• Act – Take corrective and preventive actions and continually improve performance.

Figure 4 indicates that the activity is a continuous one. The program must be evergreen and will require upgrades to address the changing landscape of security risks.


Figure 4 – Continuous Activity in a Cyber Security Management System

(The figure shows the Cyber Security Management System at the center of a continuous cycle: Plan – Establish; Do – Implement and Operate; Check – Monitor and Review; Act – Maintain and Improve.)

The Cyber Security Management System (CSMS) defined in Section 8 identifies the (18) key elements that should be included in a CSMS. Figure 5 shows the mapping of the (18) key elements into the four macro-level Plan-Do-Check-Act phases described above. In reality, there is a mini set of Plan-Do-Check-Act steps that will be done as each of the (18) key elements is implemented.

Figure 5 – 18 Key Elements of a CSMS Mapped into the Plan-Do-Check-Act Phases

(The figure arranges the (18) key elements in four columns, one per phase:)

Plan: 1. Importance of Cyber Security in Business; 2. Scope of Cyber Security Management System; 3. Security Policy; 7. Risk Identification, Classification, and Assessment; 8. Risk Management and Implementation; 16. Business Continuity Plan

Do: 4. Organizational Security; 5. Personnel Security; 6. Physical and Environmental Security; 9. Incident Planning and Response; 10. Communications, Operations, and Change Management; 11. Access Control; 12. Information and Document Management; 13. System Development and Maintenance; 14. Staff Training and Security Awareness

Check: 15. Compliance; 17. Monitoring and Reviewing CSMS

Act: 18. Maintaining and Implementing Improvements

With any program, there is a starting point and a progression of activities to get to an end state. When applied to the development of an integrated security program, the high level phases can be thought of as taking place in overlapping stages along the maturity curve. This concept is depicted in Figure 6. Depending upon a company’s starting point and security needs, the phases may compress or expand.


Figure 6 – Overlapping Stages of a Cyber Security Management System along the Maturity Curve

(The figure plots “Maturity of a Cyber Security Program” against Time for Desktop and Business Systems Cyber Security, Manufacturing and Control Systems Cyber Security, and Value Chain Systems Cyber Security, with four overlapping stages: PLAN: CSMS Development Phase; DO: Risk Assessment and Mitigation Phase; CHECK: Compliance, Audit, and CSMS Metrics Phase; ACT: Take action to make improvements.)

It is important to consider the overall design of the cyber security management system early and incorporate that thinking as the program is developed. While all the implementation details are not required, it is extremely important to establish responsibilities, accountabilities, corporate principles, and high-level policies that guide further development of the key Cyber Security Management System elements and the overall program. During the cyber security journey, it is necessary to identify the unsatisfactory risks that require the proper mitigating controls to reduce the level of risk. A common approach is to launch targeted projects that employ a project-based Plan-Do-Check-Act (PDCA) model. Figure 7 shows how individual projects contribute to a higher level of security procedures as the program matures.

Figure 7 – Individual Projects in the Cyber Security Management System along the Maturity Curve

(The figure plots “Maturity of a Cyber Security Program” against Time for Desktop and Business Systems Cyber Security, Manufacturing and Control Systems Cyber Security, and Value Chain Systems Cyber Security, and shows the cyber security mitigation projects, each with its own Plan-Do-Check-Act cycle: Strong Authentication Program for Remote Users; New Production Area Project; DCS Area B, Site 1 Project; Vendor Interface Improvement Proj.; New Value Chain Project; PLC Area C, Site 3 Project; DCS Area A, Site 1 Project.)


4.2.2 Activities Required to Develop a Cyber Security Program

As was indicated earlier in the document, the cyber security management system identifies the kinds of procedures that should be in place in a security program. Getting to that end state is a journey that will be different for each company. However, despite company differences, there is a fairly common logical set of activities that lead to the development of the cyber security management system. The figure below attempts to identify the activities and depict the relationship and timing of these activities during the development of the cyber security management system. Section 6 gives a high-level overview description for each of the (19) process activities depicted in the figure. Realize that every company’s approach to the process will be different based on the company’s objectives, tolerance for risk, and degree of maturity of their cyber security program. Some companies may choose to combine or eliminate steps along the journey. Some activities may be sequential and need to be completed before the next activity can begin; others can be done in parallel. Figure 8 shows the timeframe involved and points out areas where steps can be overlapped.

Figure 8 – Timeline of Projects for a Cyber Security Management System along the Maturity Curve

(The figure plots the (19) process activities against Maturity and Time. Its legend distinguishes the Plan Phase, Do Phase, Check Phase, and Act Phase, and marks where an activity MUST be completed before proceeding to the next activity versus where an activity DOES NOT need to be completed before proceeding to the next activity. The activities shown are:)

1. Develop a Business Case
2. Obtain Leadership Commitment, Support, and Funding
3. Define the Charter and Scope of M&CS Security for Your Company
4. Form a Team of Stakeholders
5. Raise Staff Cyber Security Capability Through Training
6. Characterize the Key M&CS Risks
7. Prioritize & Calibrate Risks
8. Establish High-Level Cyber Security Policies that Support the Risk Tolerance Level
9. Organize for Security
10. Inventory M&CS Devices & Networks
11. Screening and Prioritization of M&CS Systems
12. Conduct a Detailed Screening Assessment
13. Develop Detailed M&CS Cyber Security Policies and Procedures
14. Define the Standard Set of M&CS Security Risk Mitigation Controls
15. Develop Additional Elements of the Cyber Security Management System Plan
16. Quick Fix
17. Charter, Design, and Execute Cyber Security Risk Mitigation Projects
18. Refine and Implement the Cyber Security Management System
19. Adopt Continuous Improvement Operational Measures

4.3 How to Use This Document

This Executive Overview Section introduced the concept of initiating a cyber security program/initiative to put in place a set of policies and procedures that collectively embody the cyber security management system. Some companies question why they need to spend money to address cyber security. Section 5 discusses the business case and bottom line benefit to a company for addressing cyber security. It highlights some business benefits specific to manufacturing and control systems that can be obtained through improved cyber security procedures. Figure 8 introduced a logical set of (19) process activities that lead up to establishment of the cyber security management system; the details were not included, to keep the Executive Overview brief. The reader of this document should review Section 6 to gain additional insight into the process/journey leading to the cyber security management system. It is fairly brief and is meant to be an educational overview to further explain the process. Once the big picture is understood, the reader should review Section 7 to obtain detailed guidance on the (19) process activities to assist the team of cyber security implementers to lay out and execute the plan. Section 7 begins to focus more on the manufacturing and control system aspects of cyber security. Section 7 includes a mapping of the (19) process activities to the (18) key elements in the cyber security management system that result from executing the (19) process activities in the plan. The details of the cyber security management system are described in Section 8. Each of the (18) key elements is discussed in detail along with references to supporting information that is available in other standards and commercially available documents. This section should be used to measure the completeness of a company’s cyber security procedures for manufacturing and control systems. The section does not describe a one-size-fits-all approach, though. It is meant to stimulate thinking and provide resources that a company can use as it determines its approach to implementing corporate security management procedures throughout its IT and manufacturing and control systems.


5 Establishing the Business Case for Manufacturing and Control System Security

Within each organization, the journey to develop an effective Cyber Security Program for Manufacturing & Control Systems starts with individuals who recognize the risks the organization is taking and begin to articulate these risks internally, not just in technical terms, but in business terms that resonate with upper management. The negative business consequences of cyber attacks against Manufacturing & Control Systems can include the following:

• Reduction or loss of production at one site or multiple sites simultaneously
• Injury or death of employees
• Injury or death of persons in the community
• Damage to equipment
• Environmental damage
• Violation of regulatory requirements
• Product contamination
• Criminal or civil legal liabilities
• Loss of proprietary or confidential information
• Loss of brand image or customer confidence
• Economic loss

In prioritizing the risk of these consequences occurring, it will also be important to consider the potential source or threat that initiates a cyber attack and the likelihood that such an event would occur. Cyber threats could arise from sources inside or outside of an organization, threats could be the result of either intentional or unintentional actions, and threats could either be directed at a specific target or undirected. Cyber security incidents can result from any of the following types of threat agents:

• Thrill-seeking, hobbyist or alienated individuals who gain a sense of power, control, self-importance, and pleasure through successful penetration of computer systems either via undirected attacks (viruses and worms) or directed attacks (hacking) to steal or destroy information or disrupt an organization’s activities.
• Disgruntled employees or contractors who damage systems or steal information for revenge or profit.
• Well-intentioned employees who inadvertently make changes to the wrong controller or process.
• Employees who break quality, safety, or security policies or procedures to meet other urgent needs (production goals, etc.).
• Terrorists, typically motivated by political beliefs, for whom cyber attacks offer the potential for low cost, low risk but high gain attacks, especially when linked with coordinated physical attacks.
• Professional thieves who steal information for sale.
• Adversary nations or groups who use the internet as a military weapon for cyber warfare to disrupt the command, control and communication capabilities of a foe.

Documented cases provide insight into how and how often one of these threat agents succeeds in inflicting negative business consequences. The rapid adoption of new network technologies has led to the development of new tools to enable cyber attacks. With the lack of a recognized, publicly-accessible incident reporting system, it will be extremely difficult in the near future to determine a quantitative likelihood of any specific type of event occurring. Likelihood will need to be evaluated qualitatively based on an organization’s own internal incident history and on the few cases that have been publicly documented. Several of these cases are described below:

• In January, 2003, the SQL Slammer Worm rapidly spread from one computer to another across the internet and within private networks. It penetrated a computer network at Ohio’s Davis-Besse nuclear power plant and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall. It occurred due to an unprotected interconnection between plant and corporate networks.
• The SQL Slammer Worm downed one utility’s critical SCADA network after moving from a corporate network to the control center LAN. Another utility lost its Frame Relay Network used for communications, and some petrochemical plants lost Human Machine Interfaces (HMIs) and data historians. A 911 call center was taken offline, airline flights were delayed and canceled, and bank ATMs were disabled.
• Over several months in 2001, a series of cyber attacks were conducted on a computerized waste water treatment system by a disgruntled contractor in Queensland, Australia. One of these attacks caused the diversion of millions of gallons of raw sewage into a local river and park. There were 46 intrusions before the perpetrator was arrested.
• In September, 2001, a teenager allegedly hacked into a computer server at the Port of Houston in order to target a female chat room user following an argument. It was claimed that the teenager intended to take the woman’s computer offline by bombarding it with a huge amount of useless data and he needed to use a number of other servers to be able to do so. The attack bombarded computer scheduling systems at the world’s eighth largest port with thousands of electronic messages. The port’s web service, which contained crucial data for shipping pilots, mooring companies and support firms responsible for helping ships navigate in and out of the harbor, was left inaccessible.

The CERT organization has been monitoring and tracking the number of attacks occurring on internet-connected systems since 1988. As of 2004, they have stopped tracking the number of attacks because the prevalence of automated attack tools has led to attacks becoming so commonplace that the number of incidents reported provides little information with regard to assessing the scope and impact of attacks. A graph of their incident data is shown below to demonstrate the dramatic increase that has occurred over the last 15 years.


[Figure 9: bar chart titled "Attacks on Computer Systems". Vertical axis: Number Reported to CERT, 0 to 140,000 in steps of 20,000. Horizontal axis: Year, 1988 to 2003.]

Figure 9 - CERT Reported Attacks on Computer Systems

While various industries may find certain types of business impact of more concern and may feel that certain types of threats are more likely, all industries that use manufacturing and control systems should be concerned that they are entering a new risk environment. At the same time that manufacturing and control systems have adopted commercial IT operating systems and network technologies, and users have interconnected their private networks with their manufacturing and control systems networks, the number of threats has also increased exponentially. In virtually all of these cases the security-related work processes and technologies developed for classical IT applications have not been deployed, partly due to ignorance but partly due to valid constraints that don’t exist in classical IT applications. The objective of this standard is to address both issues.


6 Activities Required to Develop a Cyber Security Management System – An Overview

This section gives an overview of the (19) process activities involved in developing a security program through establishment of the cyber security management system. Short descriptions are provided for each activity, along with information on where to find further information in this standard. More detailed discussions of each of the activities are given in Section 7. Realize that every company’s approach to the process will be different based on the company’s objectives, tolerance for risk, and degree of maturity of their cyber security program. Some companies may choose to combine or eliminate steps along the journey. Some activities may be sequential and need to be completed before the next activity can begin; others can be done in parallel. Figure 10 is a repeat of Figure 8 on page 33 showing the timeframe for the activities involved in developing a cyber security management system and points out areas where steps can be overlapped.

[Figure 10: the same diagram as Figure 8, with activities 1 to 19 plotted against Maturity (vertical axis) and Time (horizontal axis), color coded by Plan, Do, Check and Act phase. Legend: an activity that MUST be completed before proceeding to the next activity versus an activity that DOES NOT need to be completed before proceeding to the next activity.]

Figure 10 – Timeline of Activities to Develop a Cyber Security Management System

6.1 Activity 1 – Develop a Business Case

The business case provides the justification (financial and business impact) for creating an integrated cyber security program. It should include detailed information about:

• the benefits of creating an integrated security program
• potential risks if the system is not created
• costs and resources required to develop the security program
• potential costs and damage scenarios if a system is not put in place
• a high-level overview of the process required to implement, operate, monitor, review, maintain, and improve the cyber security program.

6.2 Activity 2 – Obtain Leadership Commitment, Support, and Funding

Present the business case to leadership for Information Technology, manufacturing and control systems, value chains, and third parties involved. Obtain buy-in and support from all involved parties, and determine how funding requirements will be divided. The business leadership will be responsible for approving and driving cyber security policies, assigning security roles, and implementing the cyber security program across the company. NOTE: Funding for the entire program can usually be done in phases. While some funding may be required to start the cyber security activity, additional funding can be obtained later as the security vulnerabilities and needs of the program are better understood and additional strategies are developed.

6.3 Activity 3 – Define the Charter and Scope of M&CS Security for Your Company

Establish the corporate policy that defines the guiding charter of the security organization and the roles, responsibilities, and accountabilities of system owners and users. Decide upon and document the objective of the Cyber Security Management System, the business organizations affected, all the computer systems and networks involved, the budget, resources required, and division of responsibilities. The scope can also address business, legal, and regulatory requirements, timetables, and responsibilities. There may already be a program in place or being developed on the Business/Information Technology side of your company. Find out whether anything is underway and if you can “piggyback” on an existing effort. In the long run, it will be easier to get results if you are able to share resources with others in your company who have similar objectives.

6.4 Activity 4 – Form a Team of Stakeholders

As stated before, the objective for a cyber security management system is an integrated approach that involves traditional desktop and business computing systems, manufacturing and control systems, and value chain systems that interact with customers, suppliers, and transportation providers. While representatives from those organizations are automatic stakeholders in the cyber security program, the list of stakeholders impacted by cyber security incidents should extend to a broad range of disciplines and functions, including Human Resources, Security, and Legal. The above listed resources are necessary to develop the overall integrated cyber security management system. However, it will probably be most effective to utilize a smaller subset of stakeholders to focus on the cyber security procedures for manufacturing and control systems. This core set of stakeholders includes people accountable for manufacturing operations, process safety management, network support, process control, site physical security, maintenance, and IT support. The stakeholders are responsible for moving the security initiative forward. With support from senior leadership, the stakeholders initiate the next activities and engage the right resources to accomplish the tasks.

6.5 Activity 5 – Raise Staff Cyber Security Capability Through Training

Installing a cyber security program may bring changes to the way in which personnel access computer programs, applications, and the computer “desktop” itself. Design effective training programs and communication vehicles to help employees understand why new access and control methods are required, ideas they can use to reduce risks, and the impact on the company if control methods are not incorporated. Training programs also demonstrate management’s commitment to and value for a cyber security program. Feedback from staff exposed to this type of training can be a valuable source of input for refining the charter and scope as the project gets under way.

6.6 Activity 6 – Characterize the Key M&CS Risks

Each company must clarify the M&CS risks they are experiencing. These risks may impact the company in any of the following ways:

• safety of personnel
• financial loss or impact
• environmental and regulatory consequences
• damage to company image
• impact to investors
• loss of customer confidence
• impact on infrastructure

At this stage, stakeholders should consider a wide range of cyber security threats and a wide range of potential vulnerabilities in the company’s M&CS operations. All of the stakeholders need to understand how these cyber security threats could potentially affect company assets to inflict damage in these various ways. The deliverable at this stage is a list of potential scenarios, each describing a particular combination of threat, vulnerability and asset to cause harm.

6.7 Activity 7 – Prioritize and Calibrate Risks

Once the threats, vulnerabilities and consequences are clarified, each scenario needs to be prioritized and calibrated versus the corporate risk tolerance level that has been developed by other risk management systems. For example, a company’s environmental risk management organization should already have a severity scale that describes what will be viewed as a high severity environmental incident. This scale is relevant since it was based on the impact to the business regardless of whether the incident was triggered by a process failure or a process control failure. If the M&CS cyber security risks were only prioritized, it would not provide management with information regarding how these risks compare to other risks that they are already managing. With calibration information, there is a linkage to the action requirements that should already have been established in regard to the other risk management systems. This provides the rationale for leadership to support the creation of security policies and deployment of risk mitigation solutions.

6.8 Activity 8 – Establish High-Level Cyber Security Policies that Support the Risk Tolerance Level

Develop the cyber security policies and gain approval from leadership. Communicate the policies so that everyone understands the objective of the policies, how to comply with them, how they are enforced, and by whom. Most companies already have a security program and policies that address traditional Information Technology assets and practices. An integrated cyber security policy defines and addresses the various risks associated with traditional Information Technology assets, as well as with manufacturing and control systems and other partners involved in the value chain. Remember that the policies addressing manufacturing and control systems assets and practices may differ from those applied to traditional Information Technology assets and practices because of the different requirements of each part of the business. Wholesale adoption (or rejection) of existing Information Technology policies is probably the wrong answer.

6.9 Activity 9 – Organize for Security

Establish the organizational structure responsible for managing physical and cyber security within the company. Accountability for security may fall under one organization, or can be shared among multiple groups. If these security functions can be performed by an organization that is already in existence and charged with similar responsibilities (e.g., physical security might be properly the responsibility of the corporate police/security department), you can avoid the “turf wars” that may arise when gray areas of responsibility are addressed later. The organizational structure developed has responsibility for communicating direction, developing policies, and confirming that processes are in place to protect company assets and information.

6.10 Activity 10 – Inventory M&CS Devices and Networks

Identify the applications, computer systems, and networks within the information technology and manufacturing and control system areas.

6.11 Activity 11 – Screening and Prioritization of M&CS Systems

Assess each class of system to understand the financial and safety consequences in the event that confidentiality (measure of the importance of the data), integrity (measure of confidence in the accuracy of the data being accessed), or availability (measure of the reliability and ease with which data can be obtained when needed) of the system are compromised.

6.12 Activity 12 – Conduct a Detailed Security Assessment

Because every company has a limited set of resources, use the results of the screening assessment (Section 6.9 above) to prioritize the systems to be addressed based upon the risk consequences. Begin with systems that have the highest consequence and perform a detailed security vulnerability assessment. The risk assessment will help identify any weaknesses that may be present in the system that could allow inappropriate access to systems and data, along with the related cyber security risks and mitigation approaches to reduce the risks. A typical risk assessment includes the following steps:

• Determine the assets you need to protect.

• Determine the threats to those assets – typical threats might include theft of information, falsification or loss of data, denial of service or system malfunction or application failure, or inappropriate system or application access. Use these threats to identify various “damage scenarios.”
• Estimate the cost of compromise involved with each of the assets. For example, loss of accounting information might not have any permanent cost associated with it (especially if the data can be reconstructed from other sources), but loss of control on a process unit might have serious capital, environmental, and legal costs that cannot be mitigated after they occur.
• Complete the assessment of threats against your assets.

6.13 Activity 13 – Develop Detailed M&CS Cyber Security Policies and Procedures

After the risks for the various systems are clearly understood, examine existing security policies to see if they adequately address the risks. If needed, develop additional sufficiently detailed policies and procedures to address desktop and business systems, manufacturing and control systems, and value chain systems.

6.14 Activity 14 – Define the Standard Set of M&CS Security Risk Mitigation Controls

Analyze the detailed risk assessment, identify the cost of mitigation for each risk, compare the cost with the risk of occurrence, and select those mitigation controls where cost is less than the potential risk. Because it may be impractical or impossible to eliminate all risks, focus on mitigating the risk for the most critical applications and infrastructures. The mitigation controls to address a specific risk may be different for the different kinds of systems. For example, user authentication controls may be different for corporate payroll systems, manufacturing and control systems, and e-Business systems. Document and communicate the selected controls, along with the policies and procedures for using the controls.
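As an added illustration (not part of this draft standard), the following Python sketches Activity 7 and Activity 14 together: each Activity 6 scenario is calibrated onto the company's existing severity and likelihood scales, ranked against the corporate tolerance level, and candidate mitigation controls are then kept only where their cost is below the loss they avoid. The severity scale, risk matrix, tolerance level, scenarios, dollar figures and controls are all constructed sample values.

```python
from dataclasses import dataclass

# Constructed corporate severity scale (Activity 7): reusing the 1..4 levels the
# company's environmental / process safety programs already apply lets a cyber
# scenario be compared with risks management is already tracking.
SEVERITY = {1: "minor", 2: "serious", 3: "major", 4: "catastrophic"}

# Constructed likelihood-by-severity matrix giving the calibrated risk level.
# Row index = likelihood - 1, column index = severity - 1; 1 = low, 4 = intolerable.
RISK_MATRIX = [
    [1, 1, 2, 3],
    [1, 2, 3, 3],
    [2, 3, 3, 4],
    [2, 3, 4, 4],
]
# Constructed tolerance: any scenario calibrated above level 2 requires action.
TOLERANCE_LEVEL = 2


@dataclass(frozen=True)
class Scenario:
    """One threat / vulnerability / asset combination from Activity 6."""
    asset: str
    threat: str
    vulnerability: str
    severity: int          # position on the shared corporate severity scale
    likelihood: int        # qualitative 1..4, from internal incident history
    expected_loss: float   # constructed loss estimate if the scenario occurs


@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    reduction: float       # fraction of the expected loss the control removes


def calibrate(s: Scenario) -> int:
    """Map a scenario onto the corporate risk level via the shared matrix."""
    return RISK_MATRIX[s.likelihood - 1][s.severity - 1]


def exceeds_tolerance(s: Scenario) -> bool:
    return calibrate(s) > TOLERANCE_LEVEL


def prioritize(scenarios):
    """Order scenarios by calibrated level, then by expected loss (highest first)."""
    return sorted(scenarios, key=lambda s: (calibrate(s), s.expected_loss), reverse=True)


def select_controls(s: Scenario, candidates):
    """Activity 14: keep each control whose cost is less than the risk it removes.

    Controls are judged one at a time against the full expected loss, as the
    activity text describes; combined effects of several controls are not modelled.
    Returns (control name, net benefit) pairs, best net benefit first.
    """
    chosen = []
    for c in candidates:
        avoided_loss = s.expected_loss * c.reduction
        if c.cost < avoided_loss:
            chosen.append((c.name, round(avoided_loss - c.cost, 2)))
    return sorted(chosen, key=lambda pair: pair[1], reverse=True)


# Constructed sample scenarios, loosely modelled on the documented cases in Section 5.
SCENARIOS = [
    Scenario("plant safety monitoring system", "undirected worm from corporate network",
             "unfiltered corporate-to-plant interconnection", severity=4, likelihood=3,
             expected_loss=2_000_000),
    Scenario("wastewater SCADA", "disgruntled contractor with retained access",
             "shared remote accounts never revoked", severity=3, likelihood=2,
             expected_loss=500_000),
    Scenario("batch controller", "well-intentioned engineer changing the wrong unit",
             "no change review before download", severity=2, likelihood=4,
             expected_loss=50_000),
    Scenario("data historian", "thrill-seeking hobbyist", "default vendor password",
             severity=1, likelihood=2, expected_loss=10_000),
]

# Constructed candidate controls for the first scenario.
PLANT_CONTROLS = [
    Control("firewall segmentation of the plant network", cost=150_000, reduction=0.8),
    Control("dedicated duplicate network (full isolation)", cost=3_000_000, reduction=0.95),
    Control("patch management for plant Windows hosts", cost=40_000, reduction=0.3),
]


def risk_register(scenarios=SCENARIOS):
    """Return the prioritized register as (asset, calibrated level, above tolerance) rows."""
    return [(s.asset, calibrate(s), exceeds_tolerance(s)) for s in prioritize(scenarios)]


if __name__ == "__main__":
    for s in prioritize(SCENARIOS):
        verdict = "ACTION REQUIRED" if exceeds_tolerance(s) else "accept"
        print(f"{s.asset:35} {SEVERITY[s.severity]:13} risk level {calibrate(s)}  {verdict}")
    for name, net in select_controls(SCENARIOS[0], PLANT_CONTROLS):
        print(f"  select: {name} (net benefit {net:,.0f})")
```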

6.15 Activity 15 – Develop Additional Elements of the Cyber Security Management System Plan

Establish the objectives and expectation of the cyber security management system. Examine the existing site and business operating practices for the three classes of systems. Seek ways to incorporate enhancements into existing processes to meet the objectives of the overall cyber security management system rather than starting fresh and developing an entirely new set of practices spanning all system classes. Seek ways to align, leverage solutions, and evolve existing practices to meet the need. For example, one of the 19 key elements of a security management system is employing adequate change management procedures. This task involves separation of duties and good review and approval processes. For manufacturing and control systems, it may be more appropriate to align change management with existing process safety management procedures. Minor enhancements to an existing related institutionalized process to meet the overall cyber security management system objectives may be more readily accepted, adopted, and implemented at lower cost than creating a new separate process aligned with business IT processes.

6.16 Activity 16 – Quick Fix

As you develop the integrated security plan, you may identify several risks that can be mitigated by “quick fix” solutions: low cost, high value practices that can significantly reduce risk. Examples of activities that fall into this category include restricting Internet access and eliminating e-mail access on operator control stations. Pick the “low hanging fruit” and implement quick fix activities as soon as possible to begin reducing security risks and achieving benefits.

6.17 Activity 17 – Charter, Design, and Execute Cyber Security Risk Mitigation Projects

The life cycle of a security risk mitigation project begins with conception and ends with the retirement of the product. This risk reduction strategy may involve a series of actions on multiple systems (e.g., firewall installation, authentication controls, access controls, physical and environmental controls). Each is addressed as an individual project, each with its own “Plan-Do-Check-Act” cycle. The Plan and Do phases (up-front design followed by installation activities) are normal approaches of projects. It is important to follow installation with the Check and Act phases for each project. Start using the initial concepts of the security management system and review compliance in the proposed elements to ensure that the risk reduction objectives are being achieved. In order to finish with a product that meets the requirements, it is necessary to use an established process. Security risk mitigation projects are meant to secure systems (in this case, manufacturing and control systems) from unintended use. The stages of a security risk mitigation project, as addressed in this section, consist of charter, design, and execute. Maintenance, repairs, and upgrades can also follow this same methodology.

6.17.1 Charter the Cyber Security Risk Mitigation Project

Chartering or establishing a project requires an understanding of the project’s purpose and the degree of certainty that is necessary in assessing the project’s completeness. The first step is identifying the problem (and the cause of the problem) that the project will address. Without understanding the problem, it is not possible to determine how it can be fixed. If a problem is identified, the next step is to identify and consider what options are available to correct the problem. Once all of the options have been considered, a decision is made determining what the project will consist of and whether the project will be procured or manufactured. At this stage specific security requirements for the project should be developed and documented. As with any venture, there is a degree of risk associated with each security risk mitigation project. Risk can be related to doing nothing or to making a change. When establishing a project, it is necessary to evaluate the risk associated with a project and identify acceptable risk in doing nothing or making changes to the system.

6.17.2 Project Design

The second stage of the project life cycle is the design. This stage not only covers the preparation of the project specification, but also planning the verification method and initial verification that the project meets the stated requirements. The initial verification is performed through a paper analysis. The final verification is performed through testing of the component.

6.17.3 Project Execution

The execution of the project consists of obtaining the system components, verifying that they meet the stated requirements, and, following successful completion of integration testing, installing the components. Prior to installing new hardware or software, ensure that the system is secured and backed up and that the installation process will not interrupt the manufacturing and control process or that provisions have been made to have the system out of function for a given period.

6.17.4 Decisions to Make When Planning a Test Program

The purpose of a test program is to verify that the system meets the stated requirements for the project. Ultimately, an installed system needs to meet both the operational objectives and the security goals. The first decisions to be made when planning system testing are the level of assurance the user wants from the product and the type of testing that is appropriate for that level. The next decision is sufficiency. Ideally, a system would be tested under all possible states to ensure that every security contingency is met, or at least so that the residual risk differential becomes known. While theoretically possible, this is, in actuality, unobtainable. Therefore, the testing required to verify the requirements must be determined. After determining the level of assurance and the level of sufficiency of the testing, the next step is to determine how the requirements will be verified. 6.17.5 Testing

Testing is performed at various stages of the process. The first round of testing takes place after the manufacture of the component. The second test occurs when all of the components for a given system are assembled and tested on the bench as a system. Finally, the entire system is tested as a system in place. These three stages are: Component Testing, Integration Testing, and System Validation Testing. A good component, integration, and system validation program needs to include operational (non-security) testing, as well as security performance testing of the system. After the initial test planning, a written test plan should be prepared for each test stage. These are highlevel plans containing the purpose, scope, and constraints of the testing. These test plans should also indicate the type of results expected, the accuracy required, and any action to be taken if the requirements are not met. Using the test plan, test procedures should be prepared detaining how the testing is to be performed. They should include system configuration, system inputs and outputs, and tolerable error bands. During testing, it is important to constantly check results and verify that they are as expected or determine if corrective action needs to be taken. After each stage of the testing is completed, the data should be evaluated to determine if the results are as expected. If the test results are not as expected or are not within the required accuracy range, testing should be stopped until the problems are resolved and then the testing repeated. Following the system validation test, a final report should be prepared reviewing the results of all of the testing and summarizing the conclusions. 6.18

6.18 Activity 18 – Refine and Implement the Cyber Security Management System

Continuously monitor the cyber security management system to ensure that all processes are working correctly, and evaluate security performance. As changes occur to information technology and manufacturing and control systems, implement improvements as necessary to make sure the security management system stays in step.

• Implement change management, incident response, and system development processes
• Develop and implement integrated audit and compliance processes
• Develop and implement the processes to maintain and improve the cyber security management system procedures

6.19 Activity 19 – Adopt Continuous Improvement Operational Measures

Use a series of self-assessments and independent audits to measure and review the performance of the cyber security management system and evaluate performance against the program’s policies and objectives. Identify appropriate corrective and preventative actions, prioritize them, and put them into place to further improve system performance. Use tools such as trend analysis or Six Sigma to identify areas of improvement and measure sustainability.


7 Activities Required to Develop a Cyber Security Management System – A Detailed Discussion

This section describes in detail the activities involved in developing a security program. Each subsection provides more detailed information for the corresponding subsection in Section 6. In implementing a cyber security management system it is important to keep the following general considerations in mind.

1. Become familiar with the overall process and individual activities. In becoming familiar with the overall process for developing a cyber security management system as described in Section 6, an understanding of the issues that will need to be dealt with at a later time will be developed. This will not only provide perspective for why the activities in early stages are important but will also lead to opportunities to accelerate the development of the cyber security management system.

2. Become familiar with the existing risk management systems in the organization. In becoming familiar with existing risk management systems in the organization, an understanding of the methods used to manage related risks in the organization will be developed. These methods will provide a template for managing risks associated with cyber security that management and the rest of the organization will more easily understand. Most large organizations have existing risk management systems and organizations to execute those systems in the areas of physical security, information security, process safety and business continuity as shown in Figure 11. In many cases the risk management systems and their organizations exist as silos of information in relative isolation from each other. In general, while the risks of cyber security will justify a new risk management system, they will NOT be able to justify an entirely new risk management organization. To be cost-effective, the existing risk management organizations need to be modified and supplemented to support the creation of a new risk management system.

Figure 11 – Relationship of Existing Risk Management Organizations to a New Cyber Security Management System

[Figure not reproduced. Labelled risk areas: Physical Security Risk; Information Security Risk; M&CS Cyber Security Risk; Health, Safety & Environmental Risk; Business Continuity Risk.]


3. Take advantage of opportunities for collaboration. In becoming familiar with existing risk management systems and their current initiatives, opportunities for collaboration may become apparent. Consider taking advantage of these opportunities even if it means deviating from the model described in Section 8. These opportunities offer a way to accelerate the implementation of the cyber security program.

As was noted earlier in the Executive Overview in Section 4, the (19) process activities that are detailed in this section lead to establishment of the cyber security management system which has (18) key elements. There is not a one-to-one mapping. Included below is a reference table identifying the relationship of the process activities to the key elements they impact. Performing the activities in Figure 10 lays the foundation for many of the elements in the cyber security management system.

Table 1 – Relationship Between the (19) Process Activities and the (18) Key Elements in the CSMS

Process Activities:
Activity 1 – Develop a Business Case
Activity 2 – Obtain Leadership Commitment, Support, and Funding
Activity 3 – Define the Charter and Scope of M&CS Security for Your Company
Activity 4 – Form a Team of Stakeholders
Activity 5 – Raise Staff Cyber Security Capability Through Training
Activity 6 – Characterize the Key M&CS Risks
Activity 7 – Prioritize and Calibrate Risks
Activity 8 – Establish High-Level Cyber Security Policies that Support the Risk Tolerance Level
Activity 9 – Organize for Security
Activity 10 – Inventory M&CS Devices and Networks
Activity 11 – Screening and Prioritization of M&CS Systems
Activity 12 – Conduct a Detailed Security Assessment
Activity 13 – Develop Detailed M&CS Cyber Security Policies and Procedures
Activity 14 – Define the Standard Set of M&CS Security Risk Mitigation Controls
Activity 15 – Develop Additional Elements of the Cyber Security Management System Plan
Activity 16 – Quick Fix
Activity 17 – Charter, Design, and Execute Cyber Security Risk Mitigation Projects
Activity 18 – Refine and Implement the Cyber Security Management System
Activity 19 – Adopt Continuous Improvement Operational Measures

Key Elements in the CSMS (each activity is marked in the table against one or more of the following; some activities are marked "All"):
1 - Importance of Cyber Security in Business
2 - Scope of a Cyber Security Management System
3 - Security Policy
4 - Organizational Security
7 - Risk Identification, Classification, and Assessment
8 - Risk Management and Implementation
14 - Staff Training and Security Awareness
15 - Compliance
16 - Business Continuity Plan
17 - Monitoring and Reviewing CSMS

7.1 Activity 1 – Develop a Business Case

The first step to implementing a cyber security program for manufacturing and control systems is to develop a compelling business case for the unique needs of the organization. This will take the information provided in Section 5 and customize it to capture the business concerns of senior management while being founded in the experience of those who are already dealing with many of the same risks. This section deals with the key components of the resulting business case and key resources to help you identify those components.

7.1.1 Key Components of the Business Case

There are three key components of the business case: prioritized business consequences, prioritized threats and estimated annual business impact.

Prioritized Business Consequences – The list of potential business consequences provided in Section 5 needs to be distilled to the particular business consequences that senior management will find the most compelling. For instance, a food and beverage company that handles no toxic or flammable materials and typically processes its product at relatively low temperatures and pressures might not be concerned about equipment damage or environmental impact but might be more concerned about loss of production availability and degradation of product quality. Regulatory compliance might also be a concern. The insight here is based on histories of past incidents as well as knowledge of how manufacturing and control systems are actually used in the business and the potential business impact that unauthorized technical changes could cause.

Prioritized Threats – The list of potential threats provided in Section 5 needs to be refined, if possible, to those threats that are deemed credible. For instance, a food and beverage company might not find terrorism a credible threat but might be more concerned with viruses and worms and disgruntled employees. The insight here is primarily based on histories of past incidents.

Estimated Annual Business Impact – The highest priority items shown in the list of prioritized business consequences should be scrutinized to obtain an estimate of their annual business impact, preferably, but not necessarily, in financial terms. For the food and beverage company example, they may have experienced a virus incident within their internal network that the Information Security organization estimated as resulting in a specific financial cost. Since the internal network and the controls network are interconnected, it is conceivable that a virus originating from the controls network could cause the same amount of business impact. The insight here is primarily based on histories of past incidents.

There are two main resources for information to help form this business case: external resources in trade organizations and internal resources in related risk management programs or engineering and operations.

External resources in trade organizations can often provide useful tips as to what factors most strongly influenced their management to support their efforts and what resources within their organizations proved most helpful. For different industries, these factors may be different but there may be similarities in the roles that other risk management specialists can play.

Internal resources in related risk management efforts (information security, health, safety and environmental risk, physical security, business continuity, etc.) can provide tremendous assistance based on their experience with related incidents in the organization. This information is helpful from the standpoint of prioritizing threats and estimating business impact. These resources can also provide insight into which managers are focused on dealing with which risks and, thus, which managers might prove the most appropriate or receptive to serving as a champion.

Internal resources in control systems engineering and operations can provide insight into the details of how control systems are actually used within the organization. How are networks typically segregated? How are high-risk combustion systems or safety instrumented systems typically designed? What security countermeasures are already commonly used? Keeping in mind the organization's history with mergers and acquisitions, it is also important to understand how representative any particular site might be of the entire business unit, region or overall organization.

Keep in mind that at this early stage of the process, the primary focus will be on identifying one or two high priority issues that justify continued effort. As the manufacturing and controls cyber security program develops further, other items may appear on the list and priorities may be shuffled, but this should not detract from the result of the original effort to justify initiating the program.

7.2 Activity 2 – Obtain Leadership Commitment, Support, and Funding

The commitment to a security program begins at the top. Senior management must demonstrate a clear commitment to cyber security. Cyber security is a business responsibility shared by all members of the enterprise and especially by leading members of the business, manufacturing, IT and risk management teams. Cyber security programs with visible, top-level support and "buy-in" from organization leaders are more likely to gain compliance, function more smoothly, and have earlier success. This activity is closely linked with its prerequisite Activity 1 – Develop a Business Case and, in order to achieve leadership commitment, there may need to be some revisions to the business case. There are four primary tasks in this activity:

7.2.1 Identify Appropriate Senior Managers

Most corporations are typically organized in a three-dimensional matrix where one dimension is by business line, a second dimension is by function or discipline and a third dimension is by geographical region. Individual managers typically have responsibilities for some subsection of this overall organization. For a senior manager to effectively champion a cyber security program they must be convinced that the costs of the program that they will pay out of their budgets will be less than the costs of the risk to their areas of responsibility. In order to determine who the appropriate senior managers are, budgetary responsibilities and scope of responsibility will need to be clarified. Since a system is only as secure as its weakest link, a cyber security system will ultimately need to be developed that spans the entire geographical reach of the organization.

Cyber security deals with a number of different risks that can generally be classified into concerns about confidentiality, integrity or availability. Concerns about confidentiality are typically managed by an information security program. Concerns about integrity in a manufacturing context are typically managed by a Process Safety or Quality Assurance program. Concerns about availability would typically be managed by a Business Continuity Planning program or Network Security program. Because cyber security impacts so many different risk areas, it is likely that no one single manager will have the necessary scope of responsibility to authorize a cyber security program for manufacturing and control systems. It will often be necessary to convene and convince a small group of senior managers who, quite possibly, have never had to work closely together before to make a consensual decision.

7.2.2 Identify Gatekeepers and Persuade, If Necessary

Due to the constraints of time, most senior managers have trusted advisers they use to filter the important issues they need to address from the issues that others are more suited to address. These individuals are gatekeepers. In large organizations, there are frequently staff organizations that senior managers use to generate recommendations for technically complex issues. It may be necessary to work with these staff organizations initially to collect sufficient information to make the business case. These organizations may also be able to provide insight into which senior managers typically handle specific types of risks.


One common practice to convince either a gatekeeper or a senior manager is to test new programs in a small geographic region or at a particular site to prove that new procedures/programs work prior to devoting a large amount of resources. This can be another effective approach to either get access to senior managers or actually make the business case to senior managers.

7.2.3 Revise the Business Case, If Necessary

Once the gatekeepers are convinced, it is important to review the original business case to determine if it is still valid or, if in the process of convincing the gatekeepers, new emphasis points have been recognized or old emphasis points have been found to be unpersuasive.

7.2.4 Present the Case to the Senior Managers

Once the appropriate senior managers have been identified, it is important to decide whether to present to them all as a group or to approach them sequentially. It is more efficient to convince them all simultaneously, but they may not all be receptive to the discussion simultaneously. If you need to persuade a leadership team, it is helpful to identify an ally on the leadership team to review the presentation and offer input prior to making the presentation to the whole team. Due to the number of different risk areas that are affected by cyber security, it is not uncommon to require persuasion of more than one leadership team. If the costs of the cyber security program cannot be determined initially due to lack of a computer inventory or lack of standard countermeasures, a second round of presentations may be required once these costs are determined more precisely. The emphasis at this early stage needs to be on putting a system in place to balance the costs of the countermeasures with the costs of the risks. Usually there is inadequate information at this stage to request a specific budget for implementing countermeasures.

7.2.5 Prerequisites

• Activity 1 – Develop a Business Case – in order to persuade senior management that cyber security risks justify the application of organization funds and energy, you must be able to show current or potential business impact that is meaningful to them.

7.3 Activity 3 – Define the Charter and Scope of M&CS Security for Your Company

With the business case established and management support obtained, the next step is to develop a formal charter or scope for the effort. This charter should explain what is to be accomplished (in business terms) and when. The scope of the program defines the specific entity of focus. The charter should be owned by a senior executive program champion who will be responsible for guiding the team during program development. The champion will ultimately be responsible for making sure that the program is executed, including communications, funding, enforcement and auditing. Ultimately, the cyber security risk management system must encompass all business units and all geographic sections of the organization. If leadership commitment cannot be obtained initially for this scope of work, define a smaller scope of work and use this as an opportunity to build credibility and demonstrate the value of the cyber security risk management system.

The overall scope of work needs to be clarified from three different perspectives: business, architectural and functional. From a business perspective the scope of work needs to answer the following questions:

1. Which corporations are included?


2. Which business units are included?
3. Which geographical regions are included?
4. Which specific sites are included?

From an architectural standpoint, the scope of work needs to answer the following questions:

1. Which computer systems and networks will be addressed?
2. Will SCADA and distribution monitoring systems be included?
3. Will non-production related computer systems (both those supported by the IT organization and those not supported by the IT organization) in manufacturing be included?
4. Will Manufacturing Execution Systems (MES) be included?
5. Will Burner Management Systems and Safety Instrumented Systems be included?
6. Will Robotic Systems be included?
7. Will connections to suppliers or customers be included?

The functional scope of work can be divided into two categories:

Direct Risk Management Activities – these are activities that involve the evaluation, communication and prioritization of risk. Examples include designation of local cyber security owners, collecting and maintaining an asset inventory, developing and maintaining network architecture, completing internal or external audits and reporting these results on a business unit or corporate basis.

Risk Management Related Projects – these are activities that are funded on the basis of reducing the risks identified by the risk management activities. These indirect risk management solutions take the form of projects that are bounded in time and the development and deployment of ongoing services.

In clarifying the functional scope consider the following questions:

1. How does the scope of this work relate to existing risk management systems?
2. How does the scope of this work relate to information security policies that already apply to these systems and organizations?
3. How does the scope of this work relate to technical standards and procedures that already apply to specific architectural components (basic process control systems, SCADA systems, safety instrumented systems, burner management systems, robotic systems, etc.)?
4. How does the scope of this work relate to projects that are already funded?
5. How does the scope of this work relate to existing services?

7.3.1 Prerequisites

• Activity 1 – Develop a Business Case – the business case provides the background for what risks are to be reduced by the cyber security risk management system which is being chartered.


• Activity 2 – Obtain Leadership Commitment, Support, and Funding – leadership support provides the endorsement of the effort by managers who are responsible for assigning resources to reduce risks and accomplish tasks.

7.4 Activity 4 – Form a Team of Stakeholders

The stakeholders are responsible for moving the security initiative forward. With support from senior leadership the stakeholders initiate the next activities and engage the right resources to accomplish the tasks. This activity is closely linked with its prerequisites Activity 2 – Obtain Leadership Commitment, Support, and Funding and Activity 3 – Define the Charter and Scope of M&CS Security for Your Company. Identifying the stakeholders and securing their time to work on improving security requires support and commitment from senior leadership. This is essential for success. Similarly, the charter and scope of the initiative establishes the boundaries of the work to be accomplished. It is likely that senior leadership may identify a project leader whose job it is to round up the right people to work on the security effort. This person must have a high level understanding of the current state of cyber security procedures in the company.

It is important to recognize that a truly integrated cyber security management system involves traditional desktop and business computing systems, manufacturing and control systems, and value chain systems that interact with customers, suppliers, and transportation providers. The Charter and Scope mentioned earlier brings focus on who needs to be involved to meet the objectives of the initiative. Assuming that the goal is to improve the cyber security management procedures for M&CS, the project leader should look for the areas that could be impacted by M&CS cyber security incidents and identify the key people that are recognized as responsible/accountable for these areas. The focus should be on identifying people in the right role, not the organization. It is important to note that different company organizational structures may have these people in different organizations. The goal is to develop cost effective cyber security management procedures that leverage existing processes and organizations rather than create a whole new organization. Look for people in the right role and with the right experience. Breaking down turf issues may be an important activity of this stakeholder team.

The core team of stakeholders should be cross-functional in nature and bring together skills not typically found in any single person. The team should include people with the following roles:

• Process control person(s) who may be implementing and supporting the M&CS devices
• Operations person(s) responsible for making product and meeting customer orders
• Process Safety Management person(s) whose job it is to ensure that no health, safety or environmental incidents occur
• IT person(s) who may be responsible for network design and operation, support of desktops and servers, etc.
• Security person(s) associated with physical and IT security at the site
• Additional resources could include people in Legal, Human Resources, and customer support/order fulfillment

The set of stakeholders may change over time or specific individuals may take on higher profile roles during different phases or activities in the life of developing the cyber security management system. It is not important which company organization leads the effort, but rather that the leader exhibits the right set of behaviors that foster working together as a team with a unified purpose. The parent organizations to which the above individuals are aligned each have something to offer and have a stake in decisions and outcome of the cyber security management system.



7.4.1 Prerequisites

• Activity 2 – Obtain Leadership Commitment, Support, and Funding – TEXT GOES HERE!
• Activity 3 – Define the Charter and Scope of M&CS Security for Your Company – TEXT GOES HERE!

7.5 Activity 5 – Raise Staff Cyber Security Capability Through Training

Training of one sort or another is an activity that spans almost the entire period during which a Cyber Security Risk Management System is developed and implemented. It begins after the scope of the effort is clarified and the team of stakeholders is identified. The training activities can be described based on the Plan-Do-Check-Act (PDCA) cycle to which they pertain.

7.5.1 Plan

During the Plan phase, training is appropriate for the team of stakeholders as well as the community of individuals in the M&CS community who will ultimately be impacted. The team of stakeholders will need specific training on the charter and scope of work as well as background information on incidents that have occurred to these systems either within the organization or within industry in general and on the types of architectures and systems that are in use within the organization. The M&CS community will need some information regarding the type of risks that are being considered and the scope of work that management has approved. Formal classroom training is not necessary to share this information. Presentations at business meetings and brief email announcements are examples of ways to share the information.

7.5.2 Do

In the Do phase, training will be needed for employees as they prepare to assume new roles either within the direct risk management system or within the indirect provision of related services. Virtually all members of the M&CS community will receive a certain amount of training during this phase. Some of the direct risk management roles will include responsibilities for self-assessments or internal audits that might also be considered part of the Check phase.

7.5.3 Check

In the Check phase, training will be needed for auditors to help them understand the nature of the systems and networks they will be auditing as well as the specific policies that have been created.

7.5.4 Act

In the Act phase, there is no specific training requirement since this will primarily be a reevaluation of the overall security program by many of its initial leaders and stakeholders. There will, however, be an ongoing need for training at all levels of the risk management system due to attrition of those who have already been trained and due to the need to provide updates as policies and services are modified through time.


7.5.5 Prerequisites

• Activity 3 – Define the Charter and Scope of M&CS Security for Your Company – TEXT GOES HERE!
• Activity 4 – Form a Team of Stakeholders – these individuals will need some of the most intensive training to evaluate the risks the organization is facing.
• Activity 9 – Organize for Security – This activity is not required to begin Activity 5, but it is necessary to complete Activity 5. Various roles need to be identified and defined before training can be developed. Individuals need to be identified before training can be delivered.

7.6 Activity 6 – Characterize the Key M&CS Risks

Once the key stakeholders have been identified and provided with some training regarding the nature of M&CS, they need to clarify the nature of the individual risks to the organization that arise from the use of M&CS. This clarity is needed to ultimately select the most cost-effective countermeasures to be designed or deployed and to help justify the costs of their deployment. While this task is the first step of a risk analysis, it is NOT a detailed vulnerability or threat assessment. There are a variety of risk analysis methods that have been developed and marketed by different organizations. In general, these can be classified according to two factors: how they characterize the individual risks (qualitatively vs. quantitatively) and how they structure the risk identification exercise (scenario-based vs. asset-based). There are two broad issues that need to be discussed in regards to risk analysis methods.

7.6.1 Qualitative vs. Quantitative

In performing risk analysis, there are two general approaches: qualitative risk analysis and quantitative risk analysis. Qualitative risk analysis typically relies on the input of experienced employees and/or experts to provide information regarding likelihood and severity of specific threats impacting specific assets. In addition, different levels of likelihood and severity are identified by general classes such as high, medium and low rather than specific probabilities or economic impacts. Qualitative risk analysis is preferred when there is a lack of reliable information regarding the likelihood of specific threats impacting specific assets or estimating the overall impact of damage to specific assets. Quantitative risk analysis typically relies on extensive data sets that document the rate at which damage occurs to assets based on exposure to defined combinations of threats and vulnerabilities. If this information is available, it can provide more precise risk estimates than qualitative risk analysis methods. Due to the recent exposure of Manufacturing & Control Systems to cyber security threats, the relative infrequency at which incidents occur and the rapidly evolving nature of the threats, extensive data sets do not yet exist to aid in the analysis of cyber security threats to M&CS. At this stage, qualitative risk analysis is the preferred method for evaluating these risks.

7.6.2 Scenario-Based vs. Asset-Based

In conducting a risk analysis, it is usually helpful to focus the participants' thoughts along one of two lines: the scenarios by which threats take advantage of vulnerabilities to impact assets, or the assets themselves. The scenario-based approach tends to take advantage of experience with actual incidents or near-incidents but may not penetrate to discover threats or vulnerabilities to sensitive assets that have not been previously threatened. The asset-based approach tends to take advantage of knowledge of an organization's systems and work processes and particular assets whose compromise would lead to high economic impact but may not penetrate to discover types of threats or vulnerabilities that would place these assets in jeopardy. Whichever general approach is used, it is recommended that some aspect of the other approach be included to provide a more thorough risk analysis.


7.6.3 Risk Analysis Session

In order to make the most efficient use of participants’ time, it is normally necessary to schedule somewhere between a half and a full day to conduct the risk analysis session with all the stakeholder participants in attendance. There are two phases of this risk analysis session: background information and risk identification. Activity 7 may also be conducted within this risk analysis session. No matter which approach is ultimately used, it is also important to provide the participants in the risk analysis session with appropriate background information before beginning to identify the risks. Typical background information includes an overview of the business case/charter, an overview of M&CS architectures and functions, and an overview of specific types of incidents that have either occurred within the organization or have occurred in other organizations and been publicized. The deliverable document from the risk analysis session is a list of scenarios that describe how a particular threat could take advantage of a particular vulnerability and damage particular assets, resulting in particular negative business consequences.

7.6.4 Prerequisites

• Activity 2 – Obtain Leadership Commitment, Support, and Funding – If senior management is not convinced that the potential exists for severe risks, they will not support the use of employees’ time to perform the risk analysis to characterize the risks.

• Activity 4 – Form a Team of Stakeholders – The stakeholders, both those who have experience with M&CS applications in the business units and those responsible for the management of related risks, need to participate in the risk analysis effort to leverage their expertise and experience.

7.7 Activity 7 – Prioritize and Calibrate Risks

The list of scenarios produced in Activity 6 describes a number of different risks posed to organizations by threats to Manufacturing and Control Systems. Part of the fiduciary duty of corporate officers is to manage all the risks to their organizations. To facilitate this effort, risks need to be identified and prioritized. This subsection describes the steps required to develop a framework to prioritize individual risks so the appropriate corrective actions can be justified. Before describing the framework for risk prioritization and calibration, it is important to understand a basic concept of risk analysis: the risk equation.

7.7.1 The Risk Equation

NOTE: Need to add in reference to the security model developed in Part 1.

Likelihood is the probability that a specific action will occur. It is made up of Threat Likelihood – the probability that a specific threat will occur – and Vulnerability Likelihood – the probability that a specific vulnerability will occur.

Likelihood = Threat_Likelihood × Vulnerability_Likelihood

Risk is made up of both likelihood and consequence, where consequence is the negative impact experienced by the organization due to the specific harm to the asset or assets of the organization by the specific threat or vulnerability.

Risk = Likelihood × Consequence


7.7.2 Calibrating Likelihood and Consequence Scales

The assets endangered by threats to M&CS have been endangered by other types of threats for decades. If you consider threats from natural disasters and acts of war, these assets have been endangered ever since the beginning of civilization. Due to this long history and, in some cases, to regulatory requirements, risk management systems have been developed within most organizations to deal with a wide variety of these risks. These risk management systems make use of the same risk equation to prioritize the risks to the organization by the same type of threats to different assets (information security) or by different threats to the same assets (business continuity, process safety, environmental safety, physical security). In most corporations, these risk management systems will already have developed scales for likelihood and consequence. A typical likelihood scale is shown below. This scale is only an example; the organization will need to determine the actual values used in this scale for itself.

Table 2 – A Typical Likelihood Scale

Likelihood Category | Description
High                | A threat/vulnerability whose occurrence is probable in the next year.
Medium              | A threat/vulnerability whose occurrence is probable in the next 10 years.
Low                 | A threat/vulnerability whose occurrence is probable in the next 100 years.
Not Applicable      | A threat/vulnerability for which there is no history of occurrence and for which the probability of occurrence is deemed extremely unlikely.

Consequence is usually measured in different terms for different types of risks. A typical consequence scale is shown below. As above, this scale is only an example and will need to be calibrated for the organization.

Table 3 – A Typical Consequence Scale

Related Risk Area            | Category                     | Consequence: High                                                                     | Consequence: Medium                  | Consequence: Low
Business Continuity Planning | Mfg. Outage - 1 Site         | >7 days                                                                               | >2 days                              |
Business Continuity Planning | Mfg. Outage - Multiple Sites | >1 Day                                                                                | >1 Hour                              |
Information Security         | Cost                         | >$500 million                                                                         | >$5 million                          |
Information Security         | Legal                        | Criminal Offense Felony                                                               | Criminal Offense Misdemeanor         |
Information Security         | Public Confidence            | Loss of Brand Image                                                                   | Loss of Customer Confidence          |
Process Safety               | People Onsite                | Fatality                                                                              |                                      |
Process Safety               | People Offsite               | Fatality or Major Community Incident                                                  | Complaints or Local Community Impact |
Environmental Safety         | Environment                  | Citation by Regional/National Agency or long-term, significant damage over large area | Citation by Local Agency             |
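As an added worked example (not code from the standard), the following Python applies the risk equations of 7.7.1 to a few constructed scenarios using the example scales of Tables 2 and 3: it reads the Table 2 horizons as annual probabilities so that threat and vulnerability likelihoods can be multiplied, places each impact on a Table 3 row, and ranks the scenarios as Activity 7 requires. The ordinal weights, the probability reading of Table 2 and the scenarios themselves are assumptions.

```python
# Added illustration, not from dISA-99.00.02: qualitative scoring with the risk equations
# of 7.7.1 and the example scales of Tables 2 and 3. Weights, the annual-probability
# reading of Table 2 and the sample scenarios are assumptions.
from collections import namedtuple

# Table 2 horizons read as annual probabilities (assumption): 1/1, 1/10, 1/100.
ANNUAL_PROB = {"High": 1.0, "Medium": 0.1, "Low": 0.01, "Not Applicable": 0.0}
LIKELIHOOD_RANK = {"Not Applicable": 0, "Low": 1, "Medium": 2, "High": 3}
CONSEQUENCE_RANK = {"Low": 1, "Medium": 2, "High": 3}
# Numeric rows of Table 3: (area, category) -> (High threshold, Medium threshold).
NUMERIC_THRESHOLDS = {
    ("Business Continuity Planning", "Mfg. Outage - 1 Site"): (7, 2),          # days
    ("Business Continuity Planning", "Mfg. Outage - Multiple Sites"): (24, 1),  # hours
    ("Information Security", "Cost"): (500e6, 5e6),                             # dollars
}

# name, Table 2 categories for threat and vulnerability, Table 3 row, measured impact
Scenario = namedtuple("Scenario", "name threat vulnerability area category impact")

def combined_likelihood(threat: str, vulnerability: str) -> str:
    """Likelihood = Threat_Likelihood x Vulnerability_Likelihood, mapped back to Table 2."""
    p = ANNUAL_PROB[threat] * ANNUAL_PROB[vulnerability]
    for category in ("High", "Medium", "Low"):
        if p >= ANNUAL_PROB[category]:
            return category
    return "Not Applicable"  # rarer than once in 100 years

def consequence_category(area: str, category: str, impact) -> str:
    """Place an impact on Table 3: numeric rows use the thresholds; descriptive
    rows (Legal, People, Environment, ...) carry the category the stakeholders chose."""
    if (area, category) in NUMERIC_THRESHOLDS:
        high, medium = NUMERIC_THRESHOLDS[(area, category)]
        return "High" if impact > high else "Medium" if impact > medium else "Low"
    return impact

def score(s: Scenario) -> tuple:
    """Risk = Likelihood x Consequence on ordinal ranks: (risk, likelihood, consequence)."""
    likelihood = combined_likelihood(s.threat, s.vulnerability)
    consequence = consequence_category(s.area, s.category, s.impact)
    return LIKELIHOOD_RANK[likelihood] * CONSEQUENCE_RANK[consequence], likelihood, consequence

def prioritize(scenarios):
    """Order the Activity 6 scenario list for Activity 7, highest risk first."""
    return sorted(scenarios, key=lambda s: score(s)[0], reverse=True)

# Constructed sample scenarios (not from the standard).
SAMPLE = [
    Scenario("Malware outbreak halts one plant", "High", "Medium", "Business Continuity Planning", "Mfg. Outage - 1 Site", 3),
    Scenario("Shared historian failure stops several sites", "Medium", "Medium", "Business Continuity Planning", "Mfg. Outage - Multiple Sites", 30),
    Scenario("Unauthorized change to safety interlock logic", "Low", "Low", "Process Safety", "People Onsite", "High"),
]
```

Note that under the Table 2 reading a Medium threat combined with a Medium vulnerability already drops to Low likelihood, which is why an organization calibrates these scales for itself before ranking.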
