Security Levels in ISA-99 / IEC 62443
Pierre Kobes

Summary

Assessment of the security protection of a plant
- A Security Protection Level has to be assessed in a plant in operation.
- A Protection Level requires both:
  - the fulfillment of the policies and procedures by the asset owner according to a Security Management System (Series 2), and
  - the fulfillment of a Security Level of the solution operated by the asset owner to control the plant (Series 3).
- Proposal:
  - Assess the fulfillment of the policies and procedures according to the CMMI model.
  - Assess the functional capabilities of the solution according to the SLs.
  - Define Protection Levels (PLs) as a combination of both.

Assessment of the security capabilities of control systems and components
- There is no direct relationship between Capability SLs as currently defined and component capability levels.
- Levels of the product development process make no contribution to component capability levels.
- Proposal:
  - Control systems: assess the functional capabilities according to the Capability SLs (already described in the SAL vector concept); no explicit requirements on the components.
  - Components: specify the product development requirements without any level; assess the fulfillment of the product development requirements according to the CMMI model; assess the functional capabilities of the component according to the Component Feature Levels; define Component Capability Levels (CCLs) as a combination of both.
Outline

1. ISA-99 / IEC 62443 documents addressing policies and procedures vs. functional requirements
2. Assessment of protection levels of a plant: solution vs. control system; plant life cycle and product development; requirements for the protection of a plant; the SL concept is coherent for a solution and a control system; proposal for Protection Levels (PLs)
3. Assessment of security capabilities of control systems and components: no direct relationship between capability SLs and Component Capability Levels (CCLs); no contribution of levels of the Product Development Requirements to the CCL; proposal for Component Capability Levels (CCLs)
4. Summary of the ISA-99 / IEC 62443 documents relevant for the various assessment types
ISA-99 / IEC 62443 covers requirements on processes / procedures as well as functional requirements

General (definitions, metrics):
  1-1 Terminology, concepts and models
  1-2 Master glossary of terms and abbreviations
  1-3 System security compliance metrics
Policies and procedures (requirements on the security organization and processes of the plant owner and suppliers; processes / procedures):
  2-1 Establishing an IACS security program
  2-2 Operating an IACS security program
  2-3 Patch management in the IACS environment
  2-4 Certification of IACS supplier security policies and practices (WIB M-2784 2.0)
System (requirements for a secure system; functional requirements):
  3-1 Security technologies for IACS
  3-2 Security assurance levels for zones and conduits
  3-3 System security requirements and security assurance levels
Component (requirements for secure system components):
  4-1 Product development requirements (processes / procedures)
  4-2 Technical security requirements for IACS products (functional requirements)
A solution is a deployed control system to fulfill the protection requirements of a plant

Plant environment:
  The asset owner specifies the required protection level of the plant.
  The system integrator deploys the control system as the solution (Part 3-2, Zones and Conduits).
Independent of the plant environment:
  The product supplier develops the control system (Part 3-3, System requirements) as a combination of components (Series 4): PLCs, HMIs, PC devices, network devices, software.
All stakeholders are involved in the protection of the plant during the plant life cycle

Stakeholder / phase -> deliverable of the phase:
  Product supplier, product development -> control system as a combination of PLCs, HMIs, PC devices, network devices and software.
  Asset owner, requirement specification -> required protection level of the plant.
  System integrator, solution deployment (project phases: system design, FAT / SAT, commissioning) -> solution: project application, configuration, user management, security settings, ...
  Asset owner, plant operation (operation, maintenance) -> solution: security settings, operational policies and procedures, ...
A Security Protection Level has to be assessed in a plant in operation

The asset owner operates the solution, and the solution controls the plant. The Protection Level of the plant is made up of:
  the asset owner has the appropriate policies and procedures in place -> Security Management System to operate a solution in a secure fashion (ISA-99 / IEC 62443 Series 2, Policies and Procedures)
  + the solution fulfills the functional capabilities required by the target protection level of the plant -> Security Level (Series 3, System)

A Protection Level requires fulfillment of policies and procedures AND fulfillment of a Security Level of the solution.
An assessment of the protection level is mainly relevant in a plant in operation

In the commissioning and operation / maintenance phases the deliverable is the solution with its security settings and the operational policies and procedures. The Protection Level is assessed there as:
  the solution fulfills the functional capabilities required by the target protection level of the plant -> Security Level
  + the asset owner (plant operation) has the appropriate policies and procedures in place -> Security Management System to operate a solution in a secure fashion.
The concept of SL applies to a solution and a control system

IEC 62443 / ISA-99 security levels:
  SL 1: protection against casual or coincidental violation
  SL 2: protection against intentional violation using simple means
  SL 3: protection against intentional violation using sophisticated means
  SL 4: protection against intentional violation using sophisticated means with extended resources

Solution (Part 3-2, Security assurance levels for zones and conduits): risk assessment, system architecture (zones, conduits), target SLs, achieved SLs.
Control system (Part 3-3, System security requirements and security assurance levels): capability SLs, control system features.

The concept of SL is coherent within Part 3-2 and Part 3-3:
1. Part 3-2: the asset owner / system integrator define zones and conduits with target SLs.
2. Part 3-3: the product supplier provides system features according to capability SLs.
3. In the project design phase, capability SLs are deployed to match the target SLs.
The concept of SL is coherent within Part 3-2 and Part 3-3

Plant environment: a risk assessment yields the required protection level of the plant; the solution (Part 3-2, Zones and Conduits) is described by its system architecture (zones, conduits), target SLs and achieved SLs.
Independent of the plant environment: the control system (Part 3-3, System requirements) is described by its capability SLs and control system features.
The SL concept is applicable mainly in the design phase of the plant life cycle

Stakeholder / phase -> deliverable of the phase:
  Product supplier, product development -> control system: capability SLs, control system features.
  Asset owner, requirement specification -> required protection level of the plant.
  System integrator, solution deployment (project phases: system design, FAT / SAT) -> solution: project application, configuration, user management, security settings, ...; risk assessment, system architecture (zones, conduits), target SLs, achieved SLs.
A protection level can only be assessed in a plant in operation

Protection Level:
  The asset owner has the appropriate policies and procedures in place -> Security Management System to operate a solution in a secure fashion (ISA-99 / IEC 62443 Series 2, Policies and Procedures). Assessment type: assessment of the management system (e.g. ISO 9000, ISO 27000, ...); CMMI levels are appropriate.
  + The solution fulfills the functional capabilities required by the target protection level of the plant -> Security Level (Series 3, System). Assessment type: assessment of the solution capabilities; Security Levels are appropriate.
Proposal for the assessment of protection levels

Protection Level = CMMI level of the asset owner's policies and procedures (Security Management System to operate a solution in a secure fashion) + SL fulfilled by the solution (functional capabilities required by the target protection level of the plant):

  PL1: CMMI > 1  +  SL 1
  PL2: CMMI > 2  +  SL 2
  PL3: CMMI > 3  +  SL 3
  PL4: CMMI > 3  +  SL 4
Control system features are often realized by a combination of component features

Control system (Part 3-3, System requirements): control system features contribute to the (system) capability SLs.
Components (Part 4-2, Technical security requirements for IACS products): component features of PLCs, HMIs, PC devices, network devices and software contribute to the Component Capability Levels.

There is no direct relationship between Component Capability Levels and (system) Capability SLs.
Example from Identification and Authentication Control (extract of ISA-99.03.03, Draft 4)

Control system: HMI on a trusted terminal bus, server on a trusted system bus, firewall, PLC.

System requirement -> SL:
  SR 1.1: The control system shall provide the capability to identify and authenticate all users (humans, software processes and devices). This capability shall enforce such identification and authentication on all interfaces which provide access to the control system to support segregation of duties and least privilege in accordance with applicable security policies and procedures. -> SL 1
  SR 1.1 RE 1: The control system shall provide the capability to uniquely identify and authenticate all users (humans, software processes and devices). -> SL 2
  SR 1.1 RE 2: The control system shall provide the capability to employ multifactor authentication for human user access to the control system via an untrusted network (see 4.12, SR 1.10 – Access via untrusted networks). -> SL 3
  SR 1.1 RE 3: The control system shall provide the capability to employ multifactor authentication for all human user access to the control system. -> SL 4

The PLC has no user management. It has a managed communication to the HMI and can only be accessed via the HMI device. -> Regarding SR 1.1 the PLC has a low Component Capability Level.
Example from Identification and Authentication Control (continued)

Case 1: the HMI fulfills only SR 1.1; the PLC has no user management, has a managed communication to the HMI and can only be accessed via the HMI device (low Component Capability Level regarding SR 1.1). -> Capability SL 1.
Case 2: the HMI fulfills SR 1.1 and RE 1 and has multifactor authentication; the PLC is unchanged. -> Capability SL 4.

Different capability SLs can be realized with the same Component Capability Level of the PLC. A requested capability SL does not require a given / minimum Component Capability Level of the embedded devices.

There is no direct relationship between Component Capability Levels and (system) Capability SLs.
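As an added worked example (not from the deck and not the standard's own method), the following Python model encodes the SR 1.1 ladder and the two HMI/PLC cases above, and then adds a third scenario with a direct PLC interface that the deck does not contain. The feature tags, and the rule that the SL enforced on a user access path is the SL of the first component on that path that authenticates users, are modelling assumptions; the point it demonstrates is the deck's: the system capability SL for SR 1.1 follows from the components that terminate user access and from the architecture, not from the PLC's component level.

```python
"""Model of the SR 1.1 example: system capability SL vs. component capability level.

Added example, not part of the original deck. Feature tags and the access-path rule
are assumptions made for illustration.
"""
from dataclasses import dataclass

# SR 1.1 and its requirement enhancements, cumulative, as listed in the deck
# (ISA-99.03.03 draft): SL1 identify and authenticate all users, SL2 uniquely,
# SL3 multifactor via untrusted networks, SL4 multifactor for all human access.
SR11_LADDER = [
    (1, "authenticate_all_users"),
    (2, "unique_identification"),
    (3, "mfa_untrusted_networks"),
    (4, "mfa_all_human_access"),
]


@dataclass(frozen=True)
class Component:
    name: str
    features: frozenset  # SR 1.1 feature tags the component implements (assumed tags)


def sr11_component_level(comp: Component) -> int:
    """Component capability level for SR 1.1: the highest rung of the ladder whose
    feature and all lower features are present. A device without user management
    (the deck's PLC) scores 0."""
    level = 0
    for sl, feature in SR11_LADDER:
        if feature not in comp.features:
            break
        level = sl
    return level


def path_level(path) -> int:
    """SL enforced on one user access path (assumption: the first component on the
    path that authenticates users is the gate; a path with no gate scores 0)."""
    for comp in path:
        lvl = sr11_component_level(comp)
        if lvl > 0:
            return lvl
    return 0


def sr11_system_level(paths) -> int:
    """Control-system capability SL for SR 1.1: SR 1.1 applies to all interfaces
    that give access to the control system, so the weakest path decides."""
    return min(path_level(p) for p in paths)


# Constructed components for the deck's architecture.
PLC = Component("PLC", frozenset())  # no user management; managed link to the HMI only
HMI_CASE1 = Component("HMI", frozenset({"authenticate_all_users"}))
HMI_CASE2 = Component("HMI", frozenset({
    "authenticate_all_users", "unique_identification",
    "mfa_untrusted_networks", "mfa_all_human_access",
}))


def case(hmi: Component, plc_direct: bool = False) -> int:
    """User access paths: users reach the HMI, and reach the PLC only through the HMI.
    plc_direct=True adds a hypothetical unmediated PLC interface (not in the deck)."""
    paths = [(hmi,), (hmi, PLC)]
    if plc_direct:
        paths.append((PLC,))
    return sr11_system_level(paths)


if __name__ == "__main__":
    print("PLC component level:", sr11_component_level(PLC))   # 0 in every case
    print("Case 1 system SL:", case(HMI_CASE1))                # 1
    print("Case 2 system SL:", case(HMI_CASE2))                # 4
    print("Case 2 + direct PLC interface:", case(HMI_CASE2, plc_direct=True))  # 0
```

The PLC's component level is 0 throughout, yet the system reaches SL 1 or SL 4 depending only on the HMI; the third scenario shows the converse, that an access path which bypasses the authenticating component pulls the system level down regardless of how capable the HMI is.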
Component Capability Levels are only defined by component features

Component features of PLCs, HMIs, PC devices, network devices and software -> Component Capability Levels (Part 4-2, Technical security requirements for IACS products).
Product development levels? (Part 4-1, Product development requirements)

Product development levels don't contribute to Component Capability Levels. -> Proposal: specify the product development requirements without levels and follow the CMMI approach.
Proposal for the assessment of Component Capability Levels

Component Capability Level = CMMI level of the product supplier's policies and procedures (Product Development Process to develop the product according to security requirements) + Component (Security) Feature Level (CFL) fulfilled by the component (functional capabilities required by the Component Capability Level):

  CCL1: CMMI > 2  +  CFL 1
  CCL2: CMMI > 2  +  CFL 2
  CCL3: CMMI > 3  +  CFL 3
  CCL4: CMMI > 3  +  CFL 4
ISA-99 / IEC 62443 documents relevant for the various assessment types

Assessment of the protection of a plant according to Protection Levels: the Series 2 documents (policies and procedures: 2-1 Establishing an IACS security program, 2-2 Operating an IACS security program, 2-3 Patch management in the IACS environment) together with the Series 3 system documents (3-2 Security assurance levels for zones and conduits, 3-3 System security requirements and security assurance levels); 1-1, 1-2 and 1-3 supply the definitions and metrics.

Assessment of the functional capabilities of a control system according to Capability SLs: 3-3 System security requirements and security assurance levels.

Assessment of the functional capabilities of components according to Component Capability Levels: 4-2 Technical security requirements for IACS products, with 4-1 Product development requirements covering the product development process.