Cyber Security for the Industrial Environment: An Intro to ISA/IEC 62443

2,812 views
2,243 views

Published on

Presented @ BSidesDE
November 2012
https://www.youtube.com/watch?v=kIMBQp0uX1c

Industrial automation and control system (IACS) and supervisory control and data acquisition (SCADA) cyber security has gotten a lot of press recently due to those systems being the target of attacks by Stuxnet, Duqu, Flame, and others. These are not the first viruses, worms, or malware to affect IACS and SCADA systems, but they carried payloads specifically targeting those systems. While the exact vulnerabilities exploited were considered zero-days, the basic methods they used to infect their target systems were not unknown: infected removable media and drives, peer-to-peer infection on a network, rootkits, and hard-coded passwords. It is unlikely that all of these infections could have been prevented completely, but many common cyber security methods and controls could have prevented different aspects of each of these attacks.

IACS and SCADA cyber security is more about using proven security methods, controls, and technology than it is about the newest widget being sold by your favorite vendor. Many of the same methods, controls, and technology used in the IT environment can be used in the industrial environment, but their usage needs to be carefully analyzed before they can be applied. IACS and SCADA systems have real-world consequences that necessitate taking a risk-based approach to security. The International Society of Automation’s (ISA’s) committee on security for IACS (ISA99) and IEC have developed a series of standards (ISA/IEC 62443) to define procedures for implementing and measuring cyber security. This talk is a primer on the ISA/IEC 62443 series. It’s not intended as a deep-dive, but an introduction to what is and what is not part of the series and where you can go for more information.

Published in: Technology, Business

Cyber Security for the Industrial Environment: An Intro to ISA/IEC 62443

  1. 1. KENEXIS CYBER SECURITY FOR THE INDUSTRIAL ENV.: AN INTRO TO ISA/IEC 62443 KENEXIS Copyright © 2012 2012 Kenexis Security Corporation Copyright © Kenexis Security Corporation
  2. 2. Jim Gilsinn Twitter – @jimgilsinn LinkedIn – linkedin.com/jimgilsinn • Recently Joined Kenexis Consulting – Network & security design • Previously Worked for U.S. National Institute of Standards & Technology (NIST) – 20 years in Engineering Laboratory • Cyber Security – Co-Chair, ISA99 Committee – Co-Chair, ISA99-WG2 Security Program – Co-Chair, ISA99-WG7 Safety & Security • Industrial Ethernet Reliability & Performance – Developed metrics, tests, and tools – Measure, analyze, and report performance for industrial Ethernet devices & systems KENEXIS Copyright © 2012 Kenexis Security Corporation
  3. 3. KENEXIS Copyright © 2012 Kenexis Security Corporation
  4. 4. ISA99 Committee • The International Society of Automation (ISA) Committee on Security for Industrial Automation & Control Systems (ISA99) – Formed in 2002 – 550+ members • 50+ active participants – >200 companies across all sectors, including: • • • • • • • Chemical Processing Petroleum Refining Food and Beverage Energy Pharmaceuticals Water Manufacturing KENEXIS Copyright © 2012 Kenexis Security Corporation
  5. 5. How Does ISA/IEC 62443 Relate to ISA99? • ISA/IEC 62443 is a Series of Standards • Being Developed by 3 Groups – ISA99  ANSI/ISA-62443 – IEC TC65/WG10  IEC 62443 – ISO/IEC JTC1/SC27  ISO/IEC 2700x KENEXIS Copyright © 2012 Kenexis Security Corporation
  6. 6. KENEXIS Copyright © 2012 Kenexis Security Corporation
  7. 7. Other Documents • ISA-TR62443-0-3, Stuxnet Gap Analysis – Look for gaps in ISA-99.02.01-2009 security program standard – 35 gaps identified – 33 recommended improvements • ISA-TR62443-0-4, Implications of SIS Integration with Control Networks – Build on the work of the LOGIIC Consortium KENEXIS Copyright © 2012 Kenexis Security Corporation
  8. 8. KENEXIS Copyright © 2012 Kenexis Security Corporation
  9. 9. eC Us D on o ol ntr (U e Int ata D ata C) ty g ri n Co Re (D I) e fid y alit nti tD tric Training and Capability Decisions and Awareness s Re so C) R w( po ely Re Clauses (new original content to be developed) (D Flo ata s Tim Motivation vs. Defiance Intent, Buy-In, Support Ide fic nti tly) Relationships ati of n rre on (cu us Cla ati nts As se me Hu ire Ph y qu mm en Re ty Po l i cy sic ma Se un tM al cu nR ica Sy an an rity tio es ste dE ag ns ou em ms nv rce an en i ro dO ac sS t nm qu pe ec en isit ra t u ri tal ion ty ion Se ,d sM cu ev an rity elo ag pm Ac em en ce en ta ss Bu t nd Co sin Inc ma ntr es ide ol int sC nt en on Ma an tin ce na uit ge yM me an nt ag em Co en mp t lian ce Co uth ,A al u ri on Se c an ati niz on o ) (AC nd Or ga ti tica C ss cce dA ol ntr u Fo es Components of Security ) DF e Ev to e n ns a Av ce ur ila ty bili RE t (T (R ) A) KENEXIS Copyright © 2012 Kenexis Security Corporation
  10. 10. Foundational Requirements • • • • • • • FR 1 – Identification and authentication control FR 2 – Use control FR 3 – System integrity FR 4 – Data confidentiality FR 5 – Restricted data flow FR 6 – Timely response to events FR 7 – Resource availability KENEXIS Copyright © 2012 Kenexis Security Corporation
  11. 11. Security Levels KENEXIS Copyright © 2012 Kenexis Security Corporation
  12. 12. Zones & Conduits – Chemical Truck Loading Example KENEXIS Copyright © 2012 Kenexis Security Corporation
  13. 13. Zones & Conduits – Manufacturing Example KENEXIS Copyright © 2012 Kenexis Security Corporation
  14. 14. KENEXIS Copyright © 2012 Kenexis Security Corporation
  15. 15. Questions, Comments, Contributions… • ISA99 Wiki – http//isa99.isa.org • Twitter – @ISA99Chair • Committee Co-Chairs – Eric Cosman, eric.cosman@gmail.com – Jim Gilsinn, jimgilsinn@gmail.com • ISA Staff Contact – Charley Robinson, crobinson@isa.org • Please provide contact info & area of expertise/interest KENEXIS Copyright © 2012 Kenexis Security Corporation

×