Cyber Manual – Adhering to the cybersecurity requirements of a toxins permit
July 2020, Version 1.3
Ministry of Environmental Protection, Emergency and Cybersecurity Division
Industrial Cybersecurity Department
Contents
1. Introduction
2. Definitions
3. Purpose of this manual
4. Background – cybersecurity in the hazardous substances industry
5. Explanation of the process
6. Work planning
7. Required deliverables
8. Cyber risk assessment
9. Calculating the level of cyber risks
10. Determining the controls that must be implemented
11. Gap analysis – comparing the current situation to the controls required and mapping of the gaps
12. Building a work plan based on the mapping of the gaps
13. Appendices
Appendix A – Table used to calculate the impact (I) of a business holding hazardous substances
Appendix B – Table used to determine the level of exposure/probability (P) of a cyber incident in a business holding hazardous substances
Appendix C – Details of the required controls
Appendix D – Threshold requirements of an external advisor for the preparation of a cyber risk survey
Appendix E – Letter of appointment of a cybersecurity officer in the business
Appendix F – Initial mapping of a hazardous process that is managed/controlled by a computerized system
Appendix G – Declaration of the toxins permit holder regarding the performance of a cyber risk assessment and classification of the business
Appendix H – Declaration of the toxins permit holder regarding the completion of a cyber risk mitigation plan
Appendix I – Cyber Incident Report
Appendix J – Declaration of the toxins permit holder regarding the absence of computerized systems managing/controlling hazardous substances
Document version management
1. Introduction
1.1 On February 15, 2015, Government Resolution 2443 – “Advancing National Regulation and Governmental Leadership in Cybersecurity” was passed (hereinafter: “the Government Resolution”). This resolution was passed pursuant to Government Resolution 3611 – “Advancing National Capabilities in Cyberspace” of August 7, 2011.
1.2 On the same day (February 15, 2015), another resolution was
passed, Government Resolution 2444 – “Advancing National
Preparedness for Cybersecurity,” in which the government decided to
formulate a comprehensive cybersecurity policy and to establish a
National Cybersecurity Authority in the National Cyber Directorate
in the Prime Minister’s Office.
1.3 These resolutions were designed to advance national
cybersecurity regulations and increase the national resilience in
cyberspace in the State of Israel.
1.4 As a result of the Government Resolution, professional
cybersecurity guidance and direction to the Israeli economy were
incorporated into the governmental regulatory framework. This means
that defense against cyber attacks that pose a threat to the
environment, to public health or to human lives would be carried
out through regulatory tools (such as toxins permits issued
pursuant to the Hazardous Substances Act).
1.5 The Industrial Cyber Defense department was formed in the
Emergency and Cybersecurity Division of the Ministry of
Environmental Protection and was tasked with prescribing
instructions relating to defense against cyber attacks that pose a
threat to the environment, to public health or to human lives. The
department operates under the professional guidance of the National
Cyber Directorate.
1.6 The Industrial Cybersecurity department engages in
cybersecurity guidance, supervision, and enforcement with
businesses holding hazardous substances. The department’s role is
to define the sectorial policy and regulatory requirements, provide
ongoing professional assistance, and respond to professional
queries according to the characteristics of the businesses it
supervises.
1.7 This manual presents the unique methodology that the department
developed for conducting risk surveys in plants that hold hazardous
substances and are required to obtain a toxins permit from the
Ministry of Environmental Protection. The methodology that was
developed is based on the National Cyber Directorate’s Cyber
Defense Methodology for Organizations and was adapted for the
hazardous substances industry. The methodology development process
included consultations with leading professionals in the fields of
cybersecurity, control systems, and hazardous substances, as well
as cooperation with the Manufacturers’ Association throughout the
entire process.
1.8 This document is version 1.3 and constitutes a binding version.
Earlier versions were published for public comments and, after
meticulous examination of these comments, some of them were
incorporated into this version. Updates to the methodology were
also made according to insights gleaned from risk surveys conducted
at businesses and according to consultations with various companies
and businesses that hold hazardous substances.
1.9 The instructions in this manual were designed to help companies
implement the conditions stipulated in their toxins permits and
include instructions with regard to mapping and assessing risks and
implementing the requisite protections.
1.10 Notwithstanding the guidelines in this manual, the
Commissioner of Hazardous Substances has the authority to issue
instructions in toxins permits that differ from the instructions
prescribed herein. Individual adjustments or changes will be made
in coordination with the District Commissioner of Hazardous
Substances and in coordination with the Emergency and Cybersecurity
Division of the Ministry of Environmental Protection.
1.11 If multiple risk management requirements apply to a business
(risk management in relation to hazardous substances, earthquakes
and cyber attacks), then the instructions in this manual will
apply, in conformity with the combined risk management conditions.
If only cyber risk management conditions apply to a business, then
activities should be carried out solely according to this
manual.
Gilad Ben Ari, Head of the Emergency and Cybersecurity Division,
Ministry of Environmental Protection
Any questions about this manual may be sent to:
[email protected]
2. Definitions
Term Definition
Physical security – The physical means required to protect computerized equipment, access to a business’s information, and the survivability of computerized systems containing databases and computerized industrial components.
Threat – A potential attacker who may deliberately or accidentally compromise a business’s hazardous processes or computerized systems.
Hazardous substances event
Uncontrolled incident or accident involving a hazardous substance
that causes or is likely to cause a risk to the public and to the
environment, including spills, leaks, dispersions, explosions,
evaporation or fire.
Major hazardous substances event
An event that causes or could cause major harm to the public or to
the environment. In this regard, harm includes leaks of toxic,
flammable or explosive substances in the public space, explosions
or fire resulting from the presence of a hazardous substance or
irreversible harm to the environment.
Cyber incident / industrial cyber incident
An incident, resulting from a deliberate or accidental act, that could compromise computerized systems and thereby cause a major hazardous substances event.
Controls The means that businesses must implement in order to
protect themselves from cyber incidents.
Compensating control Control designed to compensate for an
inability to implement the recommended control and that provides an
adequate solution to the problem of the existing cybersecurity
gap.
Identification – A process that authenticates the identity of a person or computer, using information unique to that person or computer, or a physically identifying element or feature.
Strong authentication (MFA)
An identification method based on a combination of at least two of the following authentication factors:
a. Something the user knows, such as a password.
b. Something the user has, such as a physical token, a one-time-password generator or a smart card.
c. A biological characteristic of the user, such as a fingerprint or retinal pattern.
The Directorate The National Cyber Directorate.
The National CERT – A center that helps contend with cyber threats. The National CERT strives to improve defensive resilience in cyberspace, helps contain cyber threats and cyber incidents, collects and shares relevant information with all economic entities, and serves as a hub between security entities and economic entities.
Worst-case scenario (WCS)
Scenario in which the largest amount possible of a hazardous
substance is released from a container or facility, or a process
failure results in a hazard zone with the greatest distance to the
endpoint.
Data availability Verification that authorized users have access to
information and to associated hazardous processes as needed, on an
ongoing basis and without interference.
Cyber risk level calculation
The cyber risk level calculation is based on the weighting of the
expected magnitude of the damage (Impact – I), considering the
probability that damage will occur (Level of exposure – P)
according to the following formula: Risk = P + I*3 (the risk is
equal to the Probability + the Impact multiplied by three).
Information Data about and/or relating to the activity, operation
or functioning of computerized systems in businesses. This data is
located in: computerized, magnetic or electronic storage means or
physical information platforms. It may also be transmitted
orally.
Commissioner As defined in the Hazardous Substances Act of
1993.
Cybersecurity officer The person responsible for implementing and
fulfilling the additional cyber risk mitigation requirements in the
business, which are specified in this document.
National cyber laboratory
Industrial control systems (ICS)
General term encompassing several types of control systems used in industrial manufacturing. The systems can comprise the following components:
Intelligent electronic devices – IEDs (sensors, actuators and other electronic devices)
Remote terminal units – RTUs
Programmable logic controllers – PLCs
Wide area network communication – WAN
Supervisory control and data acquisition – SCADA
Distributed control systems – DCSs
Human-machine interfaces – HMIs
Sensitive location As defined in the Criminal Procedure Order –
Finable Offenses – Maintaining Cleanliness (2000): national park,
nature reserve, memorial site, archeological site, forest, sea,
coastline, water source (as defined in Section 2 of the Water Act
of 1959) or any location in proximity to a water source.
Computer resources Databases, files, systems, programs or other
means, the entry into which enables access to information and to
computerized systems in the business’s possession.
H statements (hazard statements) – The hazardous properties of a substance: physical properties, risk to public health or to the environment.
Cyber attack Aggressive action of penetrating the cyberspace of the
target and endangering a process, including systems,
infrastructures, and services supported by them.
Combined risk management
Confidential information
Information that the owner has determined must not be disclosed to
anyone without authorization.
Classification Index defining the sensitivity level of information
and supporting systems.
Cyberspace Metaphoric space of computer systems and computer
networks in which electronic data are stored and in which
interactive, online communications take place, irrespective of the
geographic location of the users.
Low-voltage network – Designated TCP/IP-based communications network intended to defend and supervise the security of the facility. The system can comprise the following components:
IP security cameras and thermal cameras (fixed/LPR/PTZ)
VMS and analytic systems
Intrusion detection systems
Entry control systems
Smart fence system
Radar systems
Command and control systems
Industrial Internet of Things – IIoT
Process Industrial activity involving a hazardous substance,
including storage, mixing, and production, and which is connected
to computerized systems.
Hazardous process – One of the following:
a. A process in a business that involves a quantity of a hazardous substance exceeding 2% of the lower threshold value for that substance, as listed in Appendix K to this manual.
b. A process located in close proximity to a hazardous process as defined in item a, where an incident in that process is likely to cause a major hazardous substances event in the hazardous process defined in item a (“domino effect”).
Computerized industrial process
Defense methodology The National Cyber Directorate’s Cyber Defense
Methodology for Organizations1
NIST CSF National Institute of Standards and Technology – Cyber
Security Framework
1 National Cyber Directorate, “Cyber Defense Methodology for
Organizations.”
3. Purpose of this manual
To provide assistance and guidance to businesses whose toxins permits stipulate additional cybersecurity conditions, regarding ways to implement the conditions, and to define work stages in the implementation of cyber regulations for owners/employees responsible for compliance with the business’s toxins permit.
This manual was designed to provide instructions and tools for
reducing any potential to harm public health and the environment,
as well as for mitigating, to the extent possible, the risk that a
cyber incident or other type of sabotage that could trigger a
hazardous substances event might occur in technological processes
or in computerized systems that manage/control hazardous
substances.
This manual defines requirements and directives for conducting cyber risk surveys of computerized systems that manage/control hazardous substances. The process is based on the principles of the National Cyber Directorate’s Defense Methodology (version 1.0), which in turn relies largely on the U.S. National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF), as applied to cybersecurity for computerized industrial control systems, adapted for industrial applications in general and the hazardous substances industry in particular.
Please note: In the event of a contradiction or inconsistency between these instructions and other documents, including the National Cyber Directorate’s Defense Methodology and the NIST CSF, the instructions in this manual take precedence.
2 https://www.nist.gov/cyberframework
4. Background – cybersecurity in the hazardous substances
industry
4.1 A cyber incident causing a failure in computerized systems that
control/manage the manufacturing, transport, and storage of
hazardous substances could trigger a hazardous substances event
that results in harm to public health and to the environment.
4.2 The following are several examples of hazardous substances events that could be triggered by a cyber incident:
Gas emissions endangering the public
Explosion of hazardous substances
Ignition of hazardous substances in any of the three states of matter
Spill of a hazardous liquid, without fire
Dispersion of a hazardous solid, without fire
Industrial spill into a flowing water source or into the drainage system
Industrial spill onto open land
Industrial spill into the sewage system (water reservoirs/treated waste water)
4.3 Sharing information between organizations and reporting events
to the Industrial Cybersecurity department of the Ministry of
Environmental Protection, including to the National CERT, will
promote early detection of potential cyber incidents. Holders of
toxins permits can identify any potential for attacks during any of
the preliminary stages and mitigate the potential risk of damage
being caused.
4.4 Once a cyber incident has ended, the business is required to
prepare a cyber incident report according to Appendix I to this
manual. If a hazardous substances event was caused as a result of a
cyber incident, the report must include the incident investigation
as defined in the general conditions of the toxins permit.
5. Explanation of the process
5.1.1 Cybersecurity officer appointment letter
5.1.1.1 Within 60 days of the receipt of the cybersecurity conditions in the toxins permit, the toxins permit holder must appoint an employee who will be responsible for implementing and fulfilling these additional cyber-risk-mitigation conditions, and must forward Appendix E (“Letter of appointment of a company cybersecurity officer”) to the district commissioner. This employee is referred to as the “cybersecurity officer”. The cybersecurity officer may perform this role concurrently with his/her primary role, or may be appointed specifically to carry out this role, at the discretion of the toxins permit holder.
5.1.1.2 The cybersecurity officer’s role is to be the liaison
officer to the Industrial Cybersecurity Department in the Ministry
of Environmental Protection, in relation to all matters pertaining
to cybersecurity activities in the business.
5.1.1.3 The toxins permit holder must appoint an alternate to stand
in whenever the cybersecurity officer is absent.
5.1.2 Policy document
5.1.2.1 Businesses must draw up an IT and cybersecurity policy
document that defines the security objectives, managerial
processes, means to realize them, security implementation
principles, commitment of the company management to a process of
increasing the business’s cyber resilience – including the
allocation and budgeting of resources, and the drafting of work
procedures - including a cyber incident management procedure.
Businesses must present their policy documents to the commissioner
upon request.
5.2 Stages of the process
5.2.1 Mapping
5.2.1.1 Mapping of the hazardous substances – All hazardous
substances held in the business must be mapped according to the
table of hazardous substances in Appendix K to this manual and to
the instructions set out in the appendix. The quantity of every
hazardous substance that has been approved for holding in the
toxins permit must be used to calculate and ascertain compliance
with the requirements thresholds for imposition of the regulation,
as specified in Appendix K to this manual.
5.2.1.2 Mapping of substances relating to a hazardous process – Of
the substances mapped according to clause 5.2.1.1, only those
substances involved in a hazardous process, as defined in this
manual, are to be taken into account.
5.2.1.3 Mapping of substances managed/controlled by computerized
systems – With regard to the substances defined in clause 5.2.1.2,
businesses must map those substances that are managed/controlled by
computerized systems and complete Appendix F to this manual
(“Initial mapping of a hazardous process that is managed/controlled
by a computerized system”).
5.2.2 Conducting a risk survey and assimilating controls
5.2.2.1 Conducting a cyber risk survey – The level of cyber risk is
calculated by weighting the probability and the impact according to
the instructions in this manual. The set of controls that must be
implemented must be determined depending upon the results of the
risk survey.
5.2.2.2 Performing a gap analysis – Businesses must compare the
existing controls in their companies against the controls that they
are required to implement, according to the results obtained in the
risk survey stage.
5.2.2.3 Building a work plan – Businesses must build work plans to
close the gaps.
5.2.2.4 Implementing the controls according to the work plan –
Businesses must implement the controls required according to the
conclusions of their risk surveys and according to their work
plans. If, for any reason, the controls cannot be implemented as
specified in the list of controls, compensating controls may be
selected that will provide a solution for the gap, after consulting
with the Ministry of Environmental Protection’s Industrial
Cybersecurity Department.
5.2.2.5 Ongoing supervision and monitoring – Businesses must
monitor and supervise all stages of the process on an ongoing
basis, as described in this clause.
5.3 Stages in the mapping of hazardous substances for a cyber risk survey
1. Mapping of hazardous substances according to Appendix K
2. Mapping of hazardous substances relating to a hazardous process
3. Mapping of substances managed/controlled by a computerized system
(Figure of the work stages, beginning with stage 1 “Map hazardous substances and processes”, not reproduced.)
5.5 Timetable for implementing the directives
5.5.1 Immediately upon the imposition of cybersecurity conditions
in the toxins permit, implementation of stages 1 through 3
(inclusive) – 12 months.
5.5.2 Immediately upon completing the first three stages,
implementation of stages 4 through 6 (inclusive) – 24 months.
The entire process, including mapping, risk survey, and
implementation of the requisite controls – 36 months.
5.5.3 After implementing the controls, a 6-month interval will be
granted for the purpose of performing needed supplementary actions,
to the extent required.
5.5.4 The work process is cyclical and is repeated every 42 months
after the start date of the process.
5.6 Repetition of the work process
The work process must be repeated in each of the following
instances:
5.6.1 Every 42 months (3.5 years): After completing the process and
the period for performing supplementary actions over a period of 42
months, another cycle must begin.
5.6.2 Whenever a new computerized system is added that
manages/controls hazardous substances.
5.6.3 Whenever any new hazardous substance is added.
5.6.4 Whenever a change is made in an existing computerized system
that manages/controls hazardous substances, including any addition,
removal or change of computerized components in an existing
computerized system managing hazardous substances.
5.7 Performance timetable:
6. Work planning
6.1 Cybersecurity activities should be an integral part of a business’s organizational culture, and should be based on the commitment of the toxins permit holder and of the company’s management to implement the requirements of this manual.
6.2 The most important step in following the instructions of this manual is the meticulous planning of all stages of the work plan, coupled with the allocation of the resources needed to implement it, according to the defined timetables.
7. Required deliverables
7.1 Upon completing the survey, Appendix G to this manual must be completed and forwarded to the commissioner. This includes a declaration by the toxins permit holder regarding the performance of the cyber risk assessment in the business, and a table specifying the name of the system, the probability and impact values obtained, the calculated risk profile, and the set of controls for implementation according to the heat map.
7.2 Upon completing the survey, a written gap analysis must be
performed. This document is to be kept at the plant but does not
have to be submitted to the commissioner, except upon
request.
7.3 After completing the gap analysis, a work plan must be drafted
for assimilating the controls. This plan is to be kept at the plant
but does not have to be submitted to the commissioner, except upon
request.
7.4 Upon completing the implementation of the work plan and the
assimilation of the controls, the declaration in Appendix H to this
manual must be completed and forwarded to the commissioner. This
includes the table that specifies the name of each of the mapped
systems, the set of controls allocated for the assessed risk, the
list of assimilated controls, and comments.
8. Cyber risk assessment
8.1 In this manual, “cyber risk assessment” refers to every activity in the OT (operational technology) network, including on the production floor, in which computerized systems that manage/control hazardous substances are operating.
It is important to note that risks deriving from a cyber incident in the plant’s computerized information systems that are not located on the production floor, including the IT (information technology) systems, such as email systems, Internet access, sensitive business information, highly classified information, etc., are not addressed within the framework of the Ministry of Environmental Protection’s cybersecurity regulations as specified in this manual. However, they must be treated as an attack vector into the OT network that contains the computer systems managing/controlling hazardous substances.
8.2 The cyber risk assessment should also relate to a cyber attack
on safety systems, defense systems, and supporting systems located
on the production floor, such as a cyber attacks on controller
safety systems, on detectors, on camera systems, etc.
8.3 The risk assessment should relate to any exposure of
information about the plant’s computerized processes that handle
hazardous substances, including the system architecture and its
defense systems: information about the type of controllers, the
model, the hardening version, the software version, etc.
8.4 The risk assessment should relate to any compromising of system
reliability – damage to the normal functioning of a device or a
system according to their specifications and according to their
design process. For example: a cyber attack that alters the
information flow of the process and thereby disrupts the
process.
8.5 The risk assessment should relate to any disruption of the
availability of system components: disruption of the availability
of a human-machine interface (HMI), of a controller or of field
components (taps, regulators, etc.). For example: a cyber attack on
computerized control systems that causes loss of control over a
controller, a sensor or any field component. In such instances, the
process is likely to become uncontrolled and trigger a hazardous
substances event.
8.6 If a business opts to receive assistance in performing a cyber
risk survey or any other cyber-related activity through external
advisory services, the advisor must meet the requirements set out
in Appendix D to this manual.
9. Calculating the level of cyber risks
9.1 Risk management is based on a risk assessment that reflects the degree of vulnerability of computerized systems and on an assessment of the threats, the probability of their materialization, and their potential repercussions.
9.2 The risk assessment must be performed according to the
principles in the most recently published version of this manual.
This manual is based on the National Cyber Directorate’s Defense
Methodology, with specific adjustments for the hazardous substances
industry and for industrial control systems. The possible scenarios
should be analyzed from the perspective of an attacker, since a
human will always be behind any attack. The path to an optimal
cybersecurity solution requires thoroughly understanding attackers’
operating methods, identifying them, and preventing them.
9.3 The assumption is that during a malicious cyber attack, most of the hazardous substance will be released from the component that contains the largest quantity in the hazardous process connected to the computerized system (taken from the WCS; see footnote 3), as opposed to a release due to a malfunction or accident. Therefore, the dispersion of the hazardous substance should be calculated accordingly.
9.4 The risks are based on threats that are relevant to the
components of any system, according to the risk analysis performed
in the business.
9.5 Risk assessment – calculating the impact (I). A risk assessment
begins by assessing the impact that is likely to be caused to the
environment or to public health if a hazardous substances event
occurs as a result of a cyber attack. The impact will be assessed
on a scale of 1 to 4, applying the method presented in the table in
Appendix A to this manual. Please note: The score is assigned at
this stage according to an assessment of the maximum damage.
9.6 Risk assessment – calculating the level of exposure or
probability (P). After calculating the expected impact of a
hazardous substances event caused by a cyber attack on the
business, the level of exposure or the probability of a cyber
incident in systems managing/controlling hazardous substances must
be calculated. This calculation is entered into the table in
Appendix B to this manual.
3 To be taken from the WCS – Worst-Case Scenario.
9.7 Calculation of the risk assessment and classification of the business’s systems
The risk assessment is based on a weighting of the expected impact, considering the probability that damage will occur, according to the following formula:
Risk = P + I*3
(Risk equals the Probability plus the Impact multiplied by 3)
(I) = the expected impact relative to the worst-case scenario (WCS) (value obtained according to Appendix A to this manual).
(P) = the probability that the damage will occur (average obtained from the calculation according to Appendix B to this manual).
The above formula produces a risk score of 4 to 16.
Each of the computerized systems in the business that manages/controls hazardous substances as defined in this manual must be classified under one of four levels according to its risk assessment, as specified below:
Level 1: low risk potential (score of 4 to 7)
Level 2: moderate risk potential (score of 8 to 11)
Level 3: high risk potential (score of 12 to 14)
Level 4: very high risk potential (score of 15 to 16)
9.8 The heat map lists the risk levels as a function of impact (I) and probability (P). The figure is not reproduced here; for whole-number values of I and P its cells follow from Risk = P + I*3 and the bands in clause 9.7 (score, with the level in brackets):

           P = 1     P = 2     P = 3     P = 4
I = 1      4 [1]     5 [1]     6 [1]     7 [1]
I = 2      7 [1]     8 [2]     9 [2]    10 [2]
I = 3     10 [2]    11 [2]    12 [3]    13 [3]
I = 4     13 [3]    14 [3]    15 [4]    16 [4]

9.9 Number of controls for assimilation at each risk level (as appears in Appendix C to this manual). Please note that every control set includes the controls from the levels below it; for example, the level 4 control set includes all of the controls from levels 1, 2, 3 and 4.

Risk potential   Set of controls according to the risk potential   Number of controls in this set
4-7              1                                                  41
8-11             2                                                  59
12-14            3                                                  81
15-16            4                                                  92
10. Determining the controls that must be implemented
10.1 After calculating the level of risk in the process, the business will know which set of controls4 to implement according to the following key:
Risk level 4 – 7 (inclusive): control set 1.
Risk level 8 – 11 (inclusive): control set 2 (which includes the controls from level 1 and the controls from level 2).
Risk level 12 – 14 (inclusive): control set 3 (which includes the controls from levels 1, 2 and 3).
Risk level 15 – 16 (inclusive): control set 4 (which includes the controls from levels 1, 2, 3 and 4).
4 According to the list of controls in Appendix C to this
manual.
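The scoring chain in clauses 9.5 to 9.7, 9.9 and 10.1 (impact as the highest Appendix A criterion score, probability as the Appendix B average, Risk = P + I*3, the four bands, and the cumulative control sets), carried through in Python as an added worked example. This code is not part of the Ministry’s manual or its appendices: the criterion scores and exposure sub-scores it feeds in are constructed sample inputs, the control identifiers of the form L<level>-<n> are placeholders rather than the controls listed in Appendix C, and the half-up rounding applied to a fractional probability average is an assumption of this example, since the manual’s whole-number bands do not say where a value such as 11.5 falls.

```python
"""Worked example of the manual's cyber risk scoring (clauses 9.5-9.7, 9.9, 10.1).

Added illustration, not part of the manual. The Appendix A criterion scores and
Appendix B sub-scores below are constructed sample inputs; the control
identifiers ("L<level>-<n>") are placeholders, not Appendix C controls.
"""
from statistics import mean

# Cumulative size of each control set (clause 9.9).
CONTROL_SET_SIZE = {1: 41, 2: 59, 3: 81, 4: 92}

# Inclusive score bands per risk level (clause 9.7).
RISK_BANDS = {1: (4, 7), 2: (8, 11), 3: (12, 14), 4: (15, 16)}


def impact(criterion_scores):
    """Appendix A: each criterion (S, C, ...) is scored 1-4; I is the highest score."""
    scores = list(criterion_scores.values())
    if not scores or any(s not in (1, 2, 3, 4) for s in scores):
        raise ValueError("each Appendix A criterion must be scored 1-4")
    return max(scores)


def probability(appendix_b_scores):
    """Appendix B: P is the average of the exposure sub-scores (clause 9.7).

    The bands are whole-number ranges, so a fractional average (e.g. 2.6) would
    otherwise fall between them. Rounding half up is an assumption made here,
    not a rule the manual states; confirm the convention with the commissioner.
    """
    if not appendix_b_scores or any(s not in (1, 2, 3, 4) for s in appendix_b_scores):
        raise ValueError("each Appendix B score must be 1-4")
    return int(mean(appendix_b_scores) + 0.5)


def risk_score(p, i):
    """Clause 9.7: Risk = P + I*3, giving a score from 4 to 16."""
    return p + 3 * i


def risk_level(score):
    """Map a score onto levels 1-4 using the inclusive bands of clause 9.7."""
    for level, (lo, hi) in RISK_BANDS.items():
        if lo <= score <= hi:
            return level
    raise ValueError(f"score {score} outside the 4-16 range")


def required_controls(level):
    """Placeholder identifiers for the cumulative control set of a level.

    Level n includes every control of levels 1..n (clause 9.9); the per-level
    increments (41, 18, 22, 11) follow from the cumulative sizes. The IDs are
    illustrative only and do not correspond to Appendix C entries.
    """
    controls, previous = set(), 0
    for lvl in range(1, level + 1):
        added = CONTROL_SET_SIZE[lvl] - previous
        controls.update(f"L{lvl}-{n}" for n in range(1, added + 1))
        previous = CONTROL_SET_SIZE[lvl]
    return controls


def gap_analysis(level, implemented):
    """Section 11: 'needed versus what exists' - controls still to be put in place."""
    return sorted(required_controls(level) - set(implemented))


def heat_map():
    """Clause 9.8 heat map computed from the formula: {(I, P): level}."""
    return {(i, p): risk_level(risk_score(p, i)) for i in range(1, 5) for p in range(1, 5)}


def assess(criterion_scores, appendix_b_scores, implemented=()):
    """Run the whole chain for one computerized system and return the results."""
    i = impact(criterion_scores)
    p = probability(appendix_b_scores)
    score = risk_score(p, i)
    level = risk_level(score)
    return {
        "impact": i,
        "probability": p,
        "risk": score,
        "level": level,
        "control_set_size": CONTROL_SET_SIZE[level],
        "gaps": gap_analysis(level, implemented),
    }


if __name__ == "__main__":
    # Constructed sample: safety criterion scored 4 (PAC 3 exposure), confidentiality 2,
    # five Appendix B sub-scores averaging 2.6, and two placeholder controls in place.
    result = assess({"S": 4, "C": 2}, [3, 2, 3, 3, 2], implemented=["L1-1", "L1-2"])
    print(result["risk"], result["level"], result["control_set_size"], len(result["gaps"]))
```

With the sample inputs the impact is 4, the rounded probability 3, the score 15 and the level 4, so the full 92-control set applies and 90 placeholder controls remain as gaps; heat_map() reproduces the 9.8 matrix for whole-number I and P.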
11. Gap analysis – comparing the current situation to the controls required and mapping of the gaps
11.1 Using the list of security controls specified in Appendix C to this manual, the business must examine what it is implementing at the time the risk survey is conducted, in relation to each of the examined systems, and what it needs to implement according to the results of the risk survey.
11.2 The outcome of the process described in the previous clause is a list of gaps (gap analysis), “needed versus what exists”, that the business must compile.
11.3 The business must be diligent about performing an individual analysis of every computerized system that manages/controls hazardous substances, according to the mapping of its hazardous processes as described in clause 5.2.1.
11.4 The list of gaps obtained constitutes the foundation for building the business’s work plan.
12. Building a work plan based on the mapping of the gaps
12.1 The toxins permit holder or the business’s cybersecurity officer is responsible for formulating a work plan for implementing the requisite controls. This plan must specify which employees are involved, the timetables, and the handling methods. The business owner must allocate the necessary resources, including the budget, manpower, and time needed to implement the requisite controls.
12.2 The priorities for implementing the controls that the business lacks are determined in the work plan by weighting the risk level of the hazardous process, the cost and complexity of the solution for implementing the controls, and the speed with which the controls can be implemented.
12.3 The business must decide its own priorities in implementing the controls, as long as it complies with the timetable specified in this manual.
11. Gap analysis – comparing the current situation to the controls
required and mapping of the gaps
12. Building a work plan based on the mapping of the gaps
21 22
13. Appendices

Appendix A – Table used to calculate the impact (I) of a business holding hazardous substances

In this table, answer all four questions in the "question" column by assigning a score of 1 to 4. After assigning scores to all of the questions, the impact will be the highest value entered in the "score" column.

The impact is assessed using one or more of the following criteria:5

Score 1: Public health: (criterion missing in the source copy). Environment: no impact on the environment.
Score 2: Public health: no impact on the public receptor. Environment: potential for a hazardous substances event that could have an impact on the environment.
Score 3: Public health: potential impact on the public receptor at the PAC 2 level; potential for a UVCE with a maximum pressure at a public receptor of 0.1 bar; potential for a BLEVE of 1.6 kW/m2 for 60 consecutive seconds (or radiation of equivalent intensity for a shorter time).
Score 4: Public health: potential impact on the public receptor at the PAC 3 level; potential for a UVCE with a maximum pressure at a public receptor of 0.28 bar; potential for a BLEVE of 5 kW/m2 for 60 consecutive seconds (or radiation of equivalent intensity for a shorter time).

Questions (score each from 4 to 1 using the criteria above and enter the value in the "score" column):
S (Safety): What impact on public health or on the environment could there be as a result of any compromising of the safety of the system owned by the business?
C (Confidentiality): What impact on public health or on the environment could be caused as a result of exposure of information about a computerized system managing/controlling hazardous substances owned by the business?
I (Integrity): What impact on public health or on the environment could be caused as a result of corruption of the information in the industrial component or disruption of the process of which the industrial component is an integral part?
A (Availability): What impact on public health or on the environment could be caused as a result of a shutdown of the industrial component or of a computerized process?

5 The data are taken from the director general's circular – Policy of separation distances in fixed sources of risk – revised version (in Hebrew).
Appendix B – Table used to determine the level of exposure/probability (P) of a cyber incident in a business holding hazardous substances

In this table, answer all 36 questions in the column "examined parameter" by assigning a score of 1 to 4. After grading all of the questions, calculate the level of exposure (probability) of a cyber incident by adding up all of the scores and calculating the average for the entire table. The outcome obtained is the probability, P.

Perform the analysis according to this table in relation to every process indicated in the mapping of hazardous processes and in relation to every computerized system in each of these processes.

Examined parameter, with the answer for each score from 1 to 4:

1. Number of employees with access to HMIs that manage or control hazardous substances: 1 = up to 5; 2 = 6 to 10; 3 = 11 to 50; 4 = more than 50.
2. Number of employees with access to controllers that manage/control a hazardous substances system: 1 = up to 10; 2 = 11 to 25; 3 = 26 to 50; 4 = more than 50.
3. Responsibility for programming HMIs: 1 = only internal employees; 2 = specific external suppliers; 3 = appropriate external suppliers; (answer for score 4 missing in the source copy).
4. (question text missing in the source copy): 1 = only internal employees; 2 = specific external suppliers; 3 = appropriate external suppliers.
5. Number of HMI stations in the business: 1 = 1; 2 = 2 to 5; 3 = 6 to 10; 4 = more than 10.
6. Number of controllers relating to hazardous substances in the business: 1 = up to 5; 2 = 6 to 10; 3 = 11 to 50; 4 = more than 50.
7. Communications between the administrative network and an operating network: 1 = none, physically disconnected; 2 = yes, using a firewall and a unidirectional diode; 3 = yes, using a firewall only; 4 = yes, without any control means.
8. Is Internet access allowed from the ICS (industrial control system) environment? 1 = no; 2 = there is a connection, but it is usually disconnected and operated for remote support purposes; 3 = yes, but with a firewall and content filter or with other security components; 4 = yes.
9. Updating of firmware in controllers: 1 = performed regularly and fully; (remaining answers missing in the source copy).
10. (question text missing in the source copy).
11. (question text missing in the source copy): 1 = only authorized personnel have access; 2 = specific external suppliers have access; 3 = appropriate external suppliers have access; 4 = other parties also have access.
12. Physical security for hazardous substances controllers: 1 = only authorized personnel have access; 2 = specific external suppliers have access; 3 = appropriate external suppliers have access; 4 = other parties also have access.
13. Physical security for field components affecting hazardous substances (taps, regulators, valves, etc.): 1 = only authorized personnel have access; 2 = specific external suppliers have access; 3 = appropriate external suppliers have access; 4 = other parties also have access.
14. Number of physical protection and security means in the examined system out of the following 4 means: cameras, alarm system, biometric access, guards: 1 = 4; 2 = 3; 3 = 2; 4 = 1.
15. Number of existing logical security means for HMI systems, such as communications security, application security, antivirus: 1 = 3 or more; 2 = 2; 3 = 1; 4 = none.
16. Number of logical security means (communications security, application security, antivirus) for hazardous substances controllers: 1 = 3 or more; 2 = 2; 3 = 1; 4 = none.
17. Information security awareness campaign for employees on the production floor: 1 = conducted on a regularly scheduled basis; 2 = frequently conducted; 3 = rarely conducted; (answer for score 4 missing in the source copy).
18. Is there an orderly onboarding process for new employees with access to computerized industrial systems? 1 = yes; 2 = partial process; 3 = oral instructions only; 4 = no.
19. Is there an orderly process on employee severance, including deletion of authorizations and user name? 1 = yes; 2 = partial process; 3 = oral instructions only; 4 = no.
20. When an employee transfers from one role to another in the business, is there a process to change his/her access to computerized industrial systems? 1 = yes; 2 = partial process; 3 = oral instructions only; 4 = no.
21. (question text missing in the source copy): answers recovered: up to 3 components are used; 4 to 10 components are used; more than 10 components are used.
22. Is there a written organizational policy about managing, controlling and protecting the ICS environment? 1 = yes; 2 = partially; 3 = in a very limited manner; 4 = no.
23. (question text missing in the source copy): 1 = yes; 2 = partially; 3 = in a very limited manner; 4 = no.
24. Is cellular technology used to connect to HMI stations or to other components of the ICS? 1 = no; 2 = yes, with encryption and smart identification; 3 = yes, either unencrypted or without smart identification; 4 = yes, with no encryption and no smart identification.
25. Handling of default access authorizations (default user name and password): 1 = we change the default user name and password; 2 = we only change the default password; 3 = we only change the user name; 4 = we leave the default values.
26. Is there a wireless network on the production floor? 1 = no; 2 = yes, but with strong encryption; 3 = yes, but with weak encryption; 4 = yes, and it is not protected at all.
27. Are inventories of components in the plant that could have an impact on a hazardous substances event being recorded and controlled? 1 = yes, regularly; 2 = yes, frequently; 3 = yes, but on rare occasions; 4 = no, not at all.
28. Can HMI systems be remotely accessed? 1 = no; 2 = yes, with encryption and smart identification; 3 = yes, either unencrypted or without smart identification; 4 = yes, with no encryption and no smart identification.
29. Can ICSs be remotely accessed? 1 = no; 2 = yes, with encryption and smart identification; 3 = yes, either unencrypted or without smart identification; 4 = yes, with no encryption and no smart identification.
30. Is cloud computing used? 1 = no; 2 = yes, slightly; 3 = yes, considerably; 4 = yes, fully.
31. (question text missing in the source copy): answers recovered: yes, regularly; yes, frequently; no, not at all.
32. Is there hardware redundancy for critical computerized components that handle hazardous substances? 1 = yes, fully; 2 = yes, for most of the critical components; 3 = yes, for a small portion of the critical components; 4 = no redundancy checks.
33. (question text missing in the source copy; the answers concern USB use): 1 = USB port is disabled; 2 = USB device is operated with CDR (content disarm and reconstruct) capability; 3 = USB device is operated by authorized personnel only; 4 = USB device is freely enabled.
34. Has a log collection and monitoring system been implemented? answers recovered: yes; mostly implemented; no.
35. Is access to HMIs enabled only via a personal user name for each operator? 1 = only personal user names; 2 = largely personal user names; 3 = largely generic user names; 4 = only generic user names.
36. (question text missing in the source copy): answers recovered: smart identification, no biometric; password subject to policy; password, no policy.
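The scoring and classification described in clause 10.1 and in Appendices A and B, followed by the gap analysis of clauses 11.1 to 11.4 and the prioritization of clause 12.2, carried through as an added worked example. This is not code from the manual or from the Ministry; the control catalogue is a constructed subset of Appendix C with the levels the appendix states, the way I and P are combined into a risk value is an assumption (section 9 of the manual, which defines it, is not in this excerpt), and the priority weighting is one possible reading of clause 12.2, which gives no numeric rule.

```python
"""Added example: Appendix A/B scores -> control set -> gap list -> priorities."""
from statistics import mean

VALID_SCORES = (1, 2, 3, 4)

# Clause 10.1 key: (lowest risk, highest risk, control set level), inclusive.
RISK_BANDS = ((4, 7, 1), (8, 11, 2), (12, 14, 3), (15, 16, 4))

# Constructed subset of Appendix C: clause -> level at which it is required.
CATALOGUE = {
    "1.1": 1, "1.2": 1, "1.6": 4, "4.1": 1, "4.7": 2, "4.14": 3, "4.21": 4,
    "6.1": 1, "7.1": 1, "7.4": 3, "9.1": 1, "9.7": 3, "9.11": 4, "12.3": 2,
}


def _validated(scores, expected_count, label):
    scores = list(scores)
    if len(scores) != expected_count:
        raise ValueError(f"{label}: expected {expected_count} scores, got {len(scores)}")
    if any(s not in VALID_SCORES for s in scores):
        raise ValueError(f"{label}: every score must be 1, 2, 3 or 4")
    return scores


def impact_score(scores):
    """Appendix A: I is the highest of the four S/C/I/A scores."""
    return max(_validated(scores, 4, "impact"))


def probability_score(scores):
    """Appendix B: P is the average of all 36 question scores."""
    return mean(_validated(scores, 36, "probability"))


def risk_level(impact, probability):
    """ASSUMPTION: section 9 of the manual (not in this excerpt) defines how I and P
    combine; the product, rounded half-up to a whole number, is used here so the
    result lands in the whole-number bands of clause 10.1."""
    return int(impact * probability + 0.5)


def control_set_level(risk):
    """Clause 10.1 key: risk value -> highest control level required."""
    for low, high, level in RISK_BANDS:
        if low <= risk <= high:
            return level
    raise ValueError(f"risk {risk} is outside the key in clause 10.1")


def required_controls(catalogue, level):
    """Control set N is cumulative: it contains every control of level 1..N."""
    return {clause for clause, lvl in catalogue.items() if lvl <= level}


def gap_analysis(catalogue, level, implemented):
    """Clause 11.2: 'needed versus what exists' for one examined system."""
    return sorted(required_controls(catalogue, level) - set(implemented))


def prioritize(gaps):
    """Clause 12.2 ordering of the work plan. Each gap is a dict with clause,
    process_risk, cost, complexity (1 = low .. 3 = high) and weeks to implement.
    ASSUMPTION: higher process risk first, then cheaper and simpler, then faster."""
    return sorted(gaps, key=lambda g: (-g["process_risk"],
                                       g["cost"] + g["complexity"],
                                       g["weeks"]))


def classify_system(impact_scores, probability_scores, implemented, catalogue=CATALOGUE):
    """Whole chain for one computerized system (clause 11.3: one analysis per system)."""
    i = impact_score(impact_scores)
    p = probability_score(probability_scores)
    risk = risk_level(i, p)
    level = control_set_level(risk)
    return {"impact": i, "probability": p, "risk": risk, "level": level,
            "gaps": gap_analysis(catalogue, level, implemented)}


if __name__ == "__main__":
    # Constructed survey: I = 3 (integrity), P = 2.67 from 12 twos and 24 threes.
    result = classify_system([2, 1, 3, 1], [2] * 12 + [3] * 24,
                             implemented={"1.1", "4.1", "6.1", "7.1"})
    print(result)
```

The gap list is per examined system, as clause 11.3 requires; feeding each system's gaps into prioritize() with its process risk produces the business-wide ordering that clause 12.2 asks for.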
1. Introduction
To mitigate the risk of a cyber incident materializing, toxins permit holders are required to implement various cybersecurity controls. These controls include processes, procedures, security systems, technologies, etc.
These controls are grouped by topic: controls to protect servers and terminal stations, user-management controls, monitoring controls, procedures, etc.
2. Details of the list of controls
There are four levels of controls, ranked from 1 to 4. Business owners must perform a risk survey and implement the level of controls required according to the risk profile obtained. If any contradictions or inconsistencies are discovered between the various controls, the highest level of control must be implemented.
The list of controls is specified in the table below. For each section the table gives: the number of the section and its topic, the required controls (by clause), details and recommendations/comments, the level, the checks, and the number of controls.
Section 1 – Mapping of computerized systems and hazardous substance control systems (Level 1; number of controls: 2)
Required controls:
1.1 The business owner must map all hazardous substances that are managed by computerized systems.
1.2 The business owner must map all computerized systems, network, control, sensing and automation systems in the business, and those that:
a. relate to storage, use, flow, manufacturing, transport, destruction and detection of deviations and leaks of hazardous substances;
b. are likely to cause or contribute to malicious hacking of hazardous substances or an improper action with them;
c. relate to the recordkeeping of inventories of hazardous substances and logistics.
Details:
1.2 The mapping must include: the list of computers, noting their function and the systems installed on them for the purpose of their function; designated/integrated HMI/automation stations, noting model and software version; controllers and detector switchboards, noting model, firmware/software versions and type of communications (Ethernet, WiFi, telephone, other); IoT/IIoT components and detectors, noting model, location and type of communication with them; network components (switches, routers, wireless access points, firewall), noting model and their connections to other networks/the Internet.
Recommendations / Comments:
1.2 b. It is recommended that the business owner consult with hazardous substances professionals to clarify whether a computerized system that does not manage hazardous substances but may catch fire or explode due to a cyber attack (such as a steam boiler with a programmed controller) endangers hazardous substances in its vicinity.
Checks:
1.1 Has mapping of hazardous substances been performed?
1.2 Has mapping of computerized systems and control systems been performed?
Section 1 – Penetration test (Level 4)
Required controls:
1.6 Penetration testing must be conducted once every two years by an information security specialist, and will include at least:
a. testing of the resilience of the computerized systems and control systems for the hazardous substances to attacks from outside the business;
b. testing of the resilience of the computerized systems and control systems for the hazardous substances to attacks from the IT network inside the business;
c. testing of the resilience of the computerized systems and control systems for the hazardous substances to an attacker with physical access to operating stations and to communications cabinets and the controllers.
Section 4 – Basic access control (Level 1; number of controls: 6)
Required controls:
4.1 The computerized stations must be protected by personal user names and passwords, and must automatically lock after 10 minutes of nonuse or at the discretion of the business, but not more than 30 minutes.
4.2 Users of the computerized systems must be separated by at least two levels of authorizations with regard to the operating system: "user" (minimum authorizations to operate systems, enforced according to their role; minimum access to files and resources in the network; inability to install software) and "administrator", having broader authorizations at the discretion of the business.
4.3 For operating stations (designated/integrated HMI/automation workstations), application access authorizations must be defined for authorized users. The authorizations will be for viewing, for operating defined processes, and for performing changes in systems and in processes.
4.4 Officers must be appointed with authorization to make changes in definitions and perform maintenance operations on controllers, sensors, and SCADA components. Employees who are authorized to do this remotely (through an application, network connection, telephony, etc.) must be listed by name.
4.5 Officers must be appointed with authorization to make changes and definitions in the business's networks.
4.6 For every HMI station, workstation, and computer that uses controller software, the configuration of the required software must be defined, and a ban must be imposed on installing other software.
Details:
The access control policy is designed to ensure that only authorized personnel can access, view, and make changes in computerized systems and control systems for hazardous substances, solely according to their job definitions and subject to supervision.
Checks:
4.4-5 Present the list of officers.
4.6 Perform a random inspection of the software installed on stations.
Section 4 – Advanced access control (Level 2; number of controls: 7)
Required controls:
4.7 The list of users with access authorizations to computerized systems and control systems for hazardous substances must be reviewed at least quarterly and updated if changes have occurred in the personnel and in the authorized officers in the business.
4.8 A user's connection to a system must be blocked after 5 failed connection attempts, by disabling any possibility of connecting for a defined timeframe or until released by the system administrator.
4.9 A policy must be drawn up and enforced regarding remote connection to the operating network, defining the restrictions on remote connection to computerized systems and automation systems for hazardous substances. Every remote connection must be encrypted end-to-end and requires strong personal identification (2FA).
4.10 Access to computerized systems and control systems for hazardous substances from the business's wireless networks must be banned and blocked, and only be enabled from the business's computers that are cable-connected to the network.
4.11 An appropriate password policy must be drawn up and enforced, including requirements for the length and complexity of the password and an expiration date.
4.12 A policy must be drawn up for authorizing laptops used for local configuration of controllers and automation systems.
4.13 Critical changes in HMI stations, such as a change in pressures, temperatures and flow, must trigger a popup window demanding additional identification. No critical changes may be made according to an instruction issued via email/text message/telephone call/video call.
Recommendations / Comments:
4.10 This can be implemented using a unidirectional connection system to electrical signals directly from the sensors and actuators (level 0), using a configuration that is completely severed from the enterprise network and is not affected by it.
4.11 We recommend at least 8 characters, at a complexity of 3 out of 4 (capital letters, lower-case letters, numbers and special characters).
4.12 For example: a laptop without connection to the Internet that never leaves the business's premises and is used solely to program the controller; or a laptop of a recognized external technician that has been scanned for malware.
4.13 Attackers are capable of forging emails and text messages, and of impersonating someone else via telephone and even during a video call.
4.13 A compensating control may be used at the business's discretion instead of a popup window demanding additional identification. The compensating control must ensure that no unauthorized party can make any significant change that could trigger a hazardous substances event.
Checks:
4.8 Perform a test on a random station.
4.9 Demonstrate the mode of remote connection.
4.10 Perform a test using a computer that is connected to a wireless network.
4.11 Demonstrate a password change.
4.12 Present the policy.
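The lockout rule of clause 4.8, the password recommendation under clause 4.11 and the idle-lock limits of clause 4.1, modelled as an added example of the logic an HMI or domain policy has to enforce. This is not code from the manual or from any product; the 15-minute lockout period is an assumed value (the manual only says "a defined timeframe"), the account names are constructed, and the audit list stands in for the automatic log record that clause 4.20 asks for.

```python
"""Added example: account lockout, password complexity and idle lock per clauses 4.1, 4.8, 4.11."""
import re
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 5                   # clause 4.8: block after 5 failed attempts
LOCKOUT_PERIOD = timedelta(minutes=15)    # ASSUMED "defined timeframe" for the timed lock
MIN_PASSWORD_LENGTH = 8                   # recommendation under clause 4.11
MIN_CHARACTER_CLASSES = 3                 # 3 of the 4 classes below
IDLE_LOCK_DEFAULT = timedelta(minutes=10) # clause 4.1 default
IDLE_LOCK_MAX = timedelta(minutes=30)     # clause 4.1 upper bound

_CHARACTER_CLASSES = (
    re.compile(r"[A-Z]"),         # capital letters
    re.compile(r"[a-z]"),         # lower-case letters
    re.compile(r"[0-9]"),         # numbers
    re.compile(r"[^A-Za-z0-9]"),  # special characters
)


def password_meets_policy(password: str) -> bool:
    """Length and complexity check from the 4.11 recommendation."""
    classes_present = sum(1 for cls in _CHARACTER_CLASSES if cls.search(password))
    return len(password) >= MIN_PASSWORD_LENGTH and classes_present >= MIN_CHARACTER_CLASSES


def idle_lock_timeout(requested: timedelta = None) -> timedelta:
    """Clause 4.1: 10 minutes by default; the business may choose another value, never above 30."""
    if requested is None:
        return IDLE_LOCK_DEFAULT
    if requested > IDLE_LOCK_MAX:
        raise ValueError("idle lock may not exceed 30 minutes (clause 4.1)")
    return requested


class Account:
    """Per-user lockout state; the 'audit' list mimics the clause 4.20 log record."""

    def __init__(self, name: str):
        self.name = name
        self.failed_attempts = 0
        self.locked_until = None   # None = not locked, datetime = timed lock in force
        self.audit = []

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_login(self, password_ok: bool, now: datetime) -> str:
        """Returns 'ok', 'failed' or 'locked'. A correct password during a lock is still refused."""
        if self.is_locked(now):
            return "locked"
        if self.locked_until is not None:          # timed lock has expired: start afresh
            self.locked_until = None
            self.failed_attempts = 0
        if password_ok:
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT_PERIOD
            self.audit.append((now, self.name, "locked after failed attempts"))
            return "locked"
        return "failed"

    def admin_release(self, now: datetime) -> None:
        """Clause 4.8 alternative: release by the system administrator before the period ends."""
        self.locked_until = None
        self.failed_attempts = 0
        self.audit.append((now, self.name, "released by administrator"))


if __name__ == "__main__":
    acct = Account("operator1")             # constructed account
    t0 = datetime(2020, 7, 1, 8, 0)
    for _ in range(5):
        print(acct.record_login(False, t0))
    print(acct.record_login(True, t0 + timedelta(minutes=1)))   # still locked
    print(password_meets_policy("Reactor2020"))
```

Note that a correct password presented during the lock period is refused and does not reset the counter; resetting only on success after the period has elapsed is what keeps the 5-attempt limit meaningful.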
Section 4 – Strict access control (Level 3; number of controls: 7)
Required controls:
4.14 The remote connection policy must be limited solely to users who identify themselves with strong 2FA and whose computers have been inspected and identified as safe (scanned and free of malicious code, with information security updates in the operating system and updated antivirus software).
4.15 Any user who tries to perform a prohibited operation (inserting a DOK (disk-on-key, i.e. a USB flash drive), installing software) must be immediately locked out and an alert must be issued to the system administrator.
4.16 Any user with high authorizations (computerization administrator, ability to alter a configuration in the production systems) must be required to use strong authentication (MFA) and must be restricted (if the system allows this) to operating on a single workstation or a single remote connection at a time.
4.17 Any possibility of a direct takeover of computerized hazardous substance systems that operate in Internet mode (remote desktop, TeamViewer, Remote Assist, AnyDesk, etc.) must be prohibited and completely blocked.
4.18 Direct access to hardware components (controllers, sensors, etc.) from outside the business must be prohibited and blocked.
4.19 All activity performed remotely must be monitored and documented.
4.20 Any creation, alteration, enabling, locking, and removal of an account must be documented in an automatic log record.
Recommendations / Comments:
4.16 A compensating control will be allowed as long as it meets the security requirements.
4.17 A suitable compensating control will be allowed as long as it prevents any possibility of access by an unauthorized party to the computerized systems managing/controlling hazardous substances.
Checks:
4.14 Demonstrate the process.
4.15 Demonstrate the process.
4.16 Demonstrate the process.
4.17 Test the definitions in computers and in the network (FW/switch).
4.18 Demonstrate the process.
4.20 Examine the logging mechanism and recent logs.
Section 4 – Maximum access control (Level 4; number of controls: 3)
Required controls:
4.21 Computers that came from outside of the company or that left the premises must not be allowed to access computerized and automated systems managing hazardous substances.
4.22 Remote connection to the operating system must not be allowed, apart from viewing only (to view status) through a secure unidirectional connection.
4.23 Conditions for blocking the use of accounts must be defined and enforced according to the business's operating hours and according to the work schedules of the various types of employees.
Recommendations / Comments:
4.21 Such as technicians' laptops, or SCADA applications for smart phones on the employees' devices.
4.22 This can be implemented using a unidirectional connection system to electrical signals directly from the sensors and actuators (level 0), using a configuration that is completely severed from the enterprise network and is not affected by it.
4.23 Examples of entry blocking conditions: weekends, nights.
Checks:
4.22 Present the mode of use.
Section 6 – Hardening of workstations, HMI stations and servers (Level 1; number of controls: 1)
Required controls:
6.1 The system must be configured so that it provides the minimum required functionality (while removing applications and blocking functions, ports, and protocols that are not required) based on accepted practices, so that the configuration will include, at the very least:
a. blocking of any unnecessary ports;
b. removing unnecessary applications, operating system software, and services;
c. removal of guest/default and local administrator accounts;
d. a secure mechanism for receiving operating system updates;
e. disabling connections of storage devices and media;
f. blocking the installation of software and hardware by unauthorized users.
Recommendations / Comments:
6.1 d. Such as WSUS or updates that are brought manually on media.
6.1 e. Such as DOKs, CDs/DVDs, cellular devices, cameras, etc.
6.1 Configurations may be based on accepted practices, such as NIST, publications by the national CERT, etc., or on the services of an expert who will prepare hardening procedures according to the relevant technology.
Checks:
6.1 Present the mode of hardening performed for every type of computerized system.
Section 7 – Basic prevention of malicious code (Level 1; number of controls: 3)
Required controls:
7.1 Tools must be assimilated to identify and prevent malicious code on workstations and servers in the business. These tools will be operated in an alert/active protection format (at the business's discretion) and periodic scans must be performed.
7.2 The business must define procedures for cleaning stations, networks or servers infected with malicious code.
7.3 A mechanism must be defined for receiving/transferring updates to the tools (referred to in clause 7.1) at least on a biweekly basis.
Recommendations / Comments:
7.1 Since some malware may be able to penetrate the security mechanisms, businesses must make sure that controls for handling malicious code are implemented on all servers and workstations.
7.1 Any tool for identifying and preventing hostile code from a recognized manufacturer may be used (such as antivirus).
7.3 Similar to operating system updates, an updating solution for the tool must be presented.
Checks:
7.2 Present the procedures.
Section 7 – Advanced prevention of malicious code (Level 3; number of controls: 3)
Required controls:
7.4 Tools to detect and block malware must be assimilated at the network level.
7.5 The business must operate an IDS/IPS that identifies behavior that deviates from what is acceptable and reasonable (detecting anomalies in the network and in user/station behaviors).
7.6 The business must manage all malicious code prevention and information security tools in the business through a central SIEM control solution.
Recommendations / Comments:
7.4 This requirement may be met by using a firewall with a content filter and by using network IDSs.
7.5 Another compensating control may be used that will provide a solution for this requirement.
7.5 This may be implemented by assimilating a system to detect process anomalies in the electrical signals environment.
7.5 The IDS component of the IPS may be operated alone, provided that there is a human response replacing the automatic blocking response, who will exercise judgment and decide what to block.
Section 9 – Basic network security (Level 1; number of controls: 6)
Required controls:
9.1 The business must document the description of the networks serving the computerized and automated systems for hazardous substances, the separations, the restrictions, and the protections to be implemented in them.
9.2 Access to networks serving the computerized and automated systems for hazardous substances from other networks in the business (IT, WiFi) must be restricted through authorization management.
9.3 Mechanisms must be implemented to prevent unauthorized connection to networks serving the computerized and automated systems for hazardous substances.
9.4 The networks serving the computerized and automated systems for hazardous substances must be disconnected from the Internet, apart from the possibility of an encrypted designated connection (VPN).
9.5 Bridging between various networks used for command and control over equipment through the use of cables and various connectors, such as serial connections (RS-232 and the like), must be prevented. Computers used for on-site definitions of equipment must be disconnected from the Internet.
9.6 There must be verification that all administrator passwords to all network components (switches, routers, firewalls, access points) have been changed from the manufacturer's default password to unique and complex passwords, and are known only to officers who are authorized to make changes in the definitions of the network.
Recommendations / Comments:
9.3 The business must verify that all unused ports in switches are disabled and are only enabled by manual definition or by NAC mechanisms.
It is recommended to separate networks physically or through the use of firewalls.
Checks:
9.2-6 Present the implemented restrictions.
Section 9 – Advanced network security (Level 3; number of controls: 4)
Required controls:
9.7 Disable or remove any hardware components that support or enable wireless connection.
9.8 Direct access to hardware components from outside the local network must be prevented. Access from outside the local network must be limited solely to administrator stations requiring identification.
9.9 Communications filters must be implemented at an individual level in networks serving the computerized and automated systems for hazardous substances. The permitted ports and communications routers must be precisely defined.
9.10 Periodic network monitoring scans must be performed. These scans listen to communications in the computerized and automated networks for hazardous substances, in order to: identify all elements participating in the communications and the types of communications that they initiate and receive; remove unidentified elements; analyze anomalies in communications; and correct the separation mechanisms accordingly. These scans must be performed at least once every 18 months.
Checks:
9.10 Present the results of the last scan.
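The analysis step of a clause 9.10 listening scan, as an added example: observed conversations are compared with the network documentation of clause 9.1 and the per-element filters of clause 9.9 to flag unidentified elements, conversations that no rule permits, and rules that no traffic exercised. This is not code from the manual; the inventory, the allow-list and the captured flows are all constructed (addresses, names and ports are made up for illustration), standing in for what a real scan would import from the documentation and from the capture.

```python
"""Added example: comparing a passive network scan with the documented inventory (clauses 9.1, 9.9, 9.10)."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")                  # one observed conversation
Conversation = namedtuple("Conversation", "src dst proto dport")  # same, with element names

# Constructed inventory per clause 9.1: address -> documented element.
INVENTORY = {
    "10.10.1.10": "HMI-1",
    "10.10.1.11": "HMI-2",
    "10.10.1.5": "Historian",
    "10.10.2.20": "PLC-Reactor",
    "10.10.2.21": "PLC-Storage",
}

# Constructed allow-list per clause 9.9: the only conversations the filters permit.
ALLOWED = {
    Conversation("HMI-1", "PLC-Reactor", "tcp", 502),
    Conversation("HMI-2", "PLC-Storage", "tcp", 502),
    Conversation("Historian", "PLC-Reactor", "tcp", 502),
    Conversation("Historian", "PLC-Storage", "tcp", 502),
}

# Constructed observations from a listening scan per clause 9.10.
CAPTURE = [
    Flow("10.10.1.10", "10.10.2.20", "tcp", 502),
    Flow("10.10.1.11", "10.10.2.21", "tcp", 502),
    Flow("10.10.1.5", "10.10.2.20", "tcp", 502),
    Flow("10.10.2.99", "10.10.2.20", "tcp", 502),   # address absent from the inventory
    Flow("10.10.1.11", "10.10.2.20", "tcp", 22),    # HMI-2 talking to a PLC it is not documented to reach
]


def unidentified_elements(flows, inventory):
    """Addresses seen on the wire that the clause 9.1 documentation does not list."""
    seen = {f.src for f in flows} | {f.dst for f in flows}
    return sorted(seen - set(inventory))


def observed_conversations(flows, inventory):
    """Conversations between documented elements, named so they can be compared with rules."""
    conversations = set()
    for f in flows:
        if f.src in inventory and f.dst in inventory:
            conversations.add(Conversation(inventory[f.src], inventory[f.dst], f.proto, f.dport))
    return conversations


def unexpected_conversations(flows, inventory, allowed):
    """Observed between known elements, yet permitted by no clause 9.9 rule: anomalies to analyze."""
    return sorted(observed_conversations(flows, inventory) - allowed)


def stale_rules(flows, inventory, allowed):
    """Rules that no traffic exercised during the scan: candidates for tightening the separation."""
    return sorted(allowed - observed_conversations(flows, inventory))


def scan_report(flows, inventory, allowed):
    """The three findings clause 9.10 asks the scan to produce, in one structure."""
    return {
        "unidentified_elements": unidentified_elements(flows, inventory),
        "unexpected_conversations": unexpected_conversations(flows, inventory, allowed),
        "stale_rules": stale_rules(flows, inventory, allowed),
    }


if __name__ == "__main__":
    for key, value in scan_report(CAPTURE, INVENTORY, ALLOWED).items():
        print(key)
        for item in value:
            print("   ", item)
```

A flow whose source is unlisted is reported as an unidentified element rather than as an unexpected conversation, so that the two follow-up actions the clause names (removing unidentified elements, analyzing anomalies between known ones) each get their own list.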
Section 9 – Maximum network security (Level 4; number of controls: 3)
Required controls:
9.11 The networks serving the computerized and automated systems for hazardous substances must be closed, cabled, and completely separated (separate switches and cables) from the business's other networks.
9.12 The only outgoing connection that will be allowed will be for unidirectional sending of control data/statuses/logs to another network, using a solution approved for unidirectional information transmissions.
9.13 Mechanisms must be implemented in the networks that filter any communication not corresponding to the structure of the protocol/the expected information.
Checks:
9.13 Present the filtering solution.
Section 10 – Separation of the environment of the computerized and automated systems in the operating network containing hazardous substances (Level 1; number of controls: 3)
Required controls:
10.1 An approval process must be drawn up for the transmission of data, scripts and software received from another environment inside the business, or from outside it, into this environment.
10.2 Software and firmware updates must be performed directly from the equipment or software manufacturer in an authenticated manner.
10.3 The introduction of scripts or configurations into manufacturing automation/HMIs, or of configurations of controllers, from unknown or unverified sources must be prohibited.
Recommendations / Comments:
10.2 Verify the software and firmware using a checksum or by receiving the media directly from the manufacturer's representative.
Checks:
10.1-3 Present the processes for transmitting and authenticating software and firmware updates.
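The checksum verification recommended under clause 10.2, as an added example of the approval step clause 10.1 asks for before a firmware image crosses into the operating environment. This is not code from the manual or from any controller vendor; the firmware bytes are a constructed stand-in, the manifest format is the widely used sha256sum layout (hash, two spaces, file name), and the manufacturer side is simulated in the same file only so the example runs offline.

```python
"""Added example: verifying a firmware image against a manufacturer-supplied checksum (clause 10.2)."""
import hashlib
import hmac
import re

# Constructed stand-in for a controller firmware image; not a real file.
FIRMWARE_IMAGE = b"PLC-FW v2.1 constructed sample image " + bytes(range(256)) * 4

# One manifest line in sha256sum layout: 64 hex digits, whitespace, optional '*', file name.
_MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest_line(filename: str, data: bytes) -> str:
    """Manufacturer side (simulated here): the reference checksum published with the image."""
    return f"{sha256_hex(data)}  {filename}"


def parse_manifest(text: str) -> dict:
    """Business side: read the manufacturer's manifest into {filename: expected sha256}.
    Malformed lines raise rather than being skipped, so a mangled manifest cannot
    silently approve nothing."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _MANIFEST_LINE.match(line)
        if not match:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[match.group(2)] = match.group(1).lower()
    return expected


def verify_firmware(filename: str, data: bytes, manifest: dict) -> bool:
    """True only when the image matches its reference checksum. An image with no
    reference entry is refused: there is nothing to authenticate it against."""
    reference = manifest.get(filename)
    if reference is None:
        return False
    # constant-time comparison, the conventional way to compare digests
    return hmac.compare_digest(sha256_hex(data), reference)


if __name__ == "__main__":
    manifest = parse_manifest(make_manifest_line("plc-fw-v2.1.bin", FIRMWARE_IMAGE))
    print("pristine image accepted:", verify_firmware("plc-fw-v2.1.bin", FIRMWARE_IMAGE, manifest))
    altered = bytearray(FIRMWARE_IMAGE)
    altered[40] ^= 0x01                       # one flipped bit, as after a corrupted transfer
    print("altered image accepted:", verify_firmware("plc-fw-v2.1.bin", bytes(altered), manifest))
```

The check is only as trustworthy as the channel that delivered the manifest: clause 10.2 wants the reference obtained directly from the manufacturer (or the media handed over by its representative), because a checksum that travelled alongside the image through the same untrusted path proves nothing.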
Section 11 – Use of public cloud resources for computerized and automated systems in the operating network containing hazardous substances (Level 1; number of controls: 3)
Required controls:
11.1 A limited number of officers with access to the cloud service's administrator interface must be defined.
11.2 The connection to the cloud service's administrator interface must be secured with strong authentication (MFA).
11.3 The business must verify that the servers/machines that are operated in the cloud also comply with all of the requirements corresponding to the requisite level of control dictated by the risk potential (including hardening, restriction of communications, tools to prevent malicious code, use of minimum user authorizations, etc.).
Recommendations / Comments:
11. All of the controls in this document are also valid for the use of public cloud computing.
Any business uploading data to a cloud must ensure a clear division of responsibilities for securing the information between the cloud provider and the client.
Checks:
11.1-2 Present the officers and the mode of identification.
11.3 Present the types of machines in use and the implemented protections.
Section 11 – Unidirectional connection (Level 4; number of controls: 1)
Required controls:
11.4 Computerized systems and control systems for hazardous substances must be restricted to exporting data to a cloud via a unidirectional connection, using an approved solution for unidirectional transmission of information.
Recommendations / Comments:
11.4 This can be implemented using a unidirectional connection system to electrical signals directly from the sensors and actuators (level 0), using a configuration that is completely severed from the company network and is not affected by it.
Section 12 – (topic heading missing in the source copy) (Level 1; number of controls: 2)
Required controls:
12.1 Company officers must be appointed with authorization to access controllers (for on-site maintenance) and administrator stations/HMI stations, and procedures must be drawn up for making changes in configuration and for identifying and contending with controller failures (required authorizations, supervision, order for shutting down/operating systems).
12.2 Firmware updates, changes in configuration, etc., must be examined in advance in a laboratory environment before transferring them to the production environment.
Recommendations / Comments:
12. The goal is to prevent an incident involving hazardous substances due to human error, a controller failure or an erroneous change in configuration.
Section 12 – Configuration and backup monitoring (Level 2; number of controls: 4)
Required controls:
12.3 The business must keep a record of the controllers relating to hazardous substances, which will include at least: manufacturer, model, firmware version, configuration version, location of the configuration file for backup, location of the firmware version for backup.
12.4 Firmware and configurations of controllers, scripts, image configurations, workstations, HMIs and manufacturing processes must be backed up in a secure/separate system that is physically remote (by at least 50 kilometers) from the site where the backup was performed.
12.5 The business must be capable of restoring a controller from backup, or of restoring a workstation/HMI station, within one workday of the identification of a malfunction or anomalous operation. Alternatively, the controlled process will be shut down until the restoration has been completed.
12.6 The business must maintain continuous contact with the manufacturers of the controllers and systems in its possession and must obtain updates about information security issues and updated software and firmware versions.
Recommendations / Comments:
12.4 It is also advisable to keep copies on detachable media (disc, DOK) that will be kept on site.
12.5 This capability may be independent or through outsourcing.
Section 12 – Advanced security (Level 3; number of controls: 5)
Required controls:
12.7 Hardening of the controllers must be performed according to the manufacturer's instructions, and all of the controller's information security capabilities relating to identification, to limiting and protecting communications with it, and to preventing unwanted changes must be used. The hardening must be tested in a laboratory environment before transfer to the production environment.
12.8 The business must verify that every controller has a unique, complex administrator password and that the manufacturer's default password is not being used. The password must be known only to officers who are authorized to make changes in controllers.
12.9 Access to workstations/HMI stations must require strong authentication (MFA).
12.10 The operating system of a workstation/HMI station that is not in use must be locked after 10 minutes, or at the discretion of the operator, but not longer than 30 minutes, apart from stations defined as for viewing purposes only.
12.11 Any attempt to make a significant change in a process, such as changing pressure thresholds, temperatures, flows or reactions, must require the entering of an additional password or strong authentication (MFA) before any change is executed.
Recommendations / Comments:
12.7 Different manufacturers have different hardening instructions depending upon the equipment's capabilities, including closing ports, discontinuing the support of unencrypted protocols, requiring identification prior to making any configuration change, capability of automatic restoration of an earlier configuration, etc.
Checks:
12.11 Present the implementation of the required authentication method.
12
Maximum security
12.12 The computerized systems must run on an up-to-date, supported
operating system that receives continuous security updates.
12.13 Any change in a process must require authorization from a
senior manager via strong authentication (MFA).
12.14 The controllers must be separated into different networks
according to their functions/the process in which they are
participating. Workstations/HMI stations must be connected to a
network that is separated from the controllers. Communications
between the networks must be managed using a firewall.
Explanations:
12.12 Versions supported by Windows, Linux, etc.
12.13 A variety of means may be used, such as biometric
identification, smart cards, OTP, etc.
12.14 Alternative controllers may be used as a test before
uploading to production or on production controllers during
production system downtimes.
Required set of controls (1-4): 4
Number of controls: 3
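The controller and workstation requirements above (12.8, 12.9, 12.10, 12.12 and 12.14) are concrete enough to be checked mechanically against an asset inventory as part of the gap analysis the manual calls for. The following Python script is an added example, not part of the manual and not a Ministry tool; the inventory fields, the network/firewall model and the sample site are assumptions constructed for illustration. It records only a fingerprint of each admin password, never the password itself, and reports one finding per gap, keyed by control number.

```python
"""Gap analysis for controls 12.8, 12.9, 12.10, 12.12 and 12.14 over a
site inventory.  Added example: the inventory schema and the sample site
below are constructed assumptions, not a format defined by the manual."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass
class Controller:
    name: str
    process: str               # process the controller takes part in (12.14)
    network: str               # network segment it is connected to
    admin_pw_fingerprint: str  # hash of the admin password, never the password (12.8)
    default_pw_in_use: bool    # manufacturer's default admin password still set (12.8)


@dataclass
class Hmi:
    name: str
    network: str
    mfa_required: bool               # strong authentication at logon (12.9)
    lock_timeout_min: Optional[int]  # screen-lock timeout; None = never locks (12.10)
    view_only: bool = False          # view-only stations are exempt from 12.10 only
    os_supported: bool = True        # OS still receives security updates (12.12)


@dataclass
class Site:
    controllers: List[Controller]
    hmis: List[Hmi]
    # how two networks are joined: "firewall" (managed) or "direct" (routed/bridged)
    links: Dict[FrozenSet[str], str] = field(default_factory=dict)


def find_gaps(site: Site) -> List[str]:
    """Return one '<control>: <finding>' line per gap, ordered by control number."""
    gaps: Set[str] = set()
    # 12.8: no default password, and no admin password shared between controllers
    by_fingerprint: Dict[str, List[str]] = {}
    for c in site.controllers:
        if c.default_pw_in_use:
            gaps.add(f"12.8: {c.name} still uses the manufacturer's default admin password")
        by_fingerprint.setdefault(c.admin_pw_fingerprint, []).append(c.name)
    for names in by_fingerprint.values():
        if len(names) > 1:
            gaps.add(f"12.8: admin password shared by {', '.join(sorted(names))}")

    ctrl_nets = {c.network for c in site.controllers}
    for h in site.hmis:
        if not h.mfa_required:                                    # 12.9
            gaps.add(f"12.9: {h.name} does not require MFA")
        if not h.view_only and (h.lock_timeout_min is None or h.lock_timeout_min > 30):
            gaps.add(f"12.10: {h.name} lock timeout {h.lock_timeout_min} min exceeds 30 minutes")
        if not h.os_supported:                                    # 12.12
            gaps.add(f"12.12: {h.name} runs an unsupported operating system")
        if h.network in ctrl_nets:                                # 12.14: HMI net separate
            gaps.add(f"12.14: {h.name} shares network {h.network} with controllers")
        for net in ctrl_nets:                                     # 12.14: traffic via firewall
            if site.links.get(frozenset((h.network, net))) == "direct":
                gaps.add(f"12.14: {h.network} reaches {net} without a firewall")

    # 12.14: controllers of different processes must sit in different networks
    procs_by_net: Dict[str, Set[str]] = {}
    for c in site.controllers:
        procs_by_net.setdefault(c.network, set()).add(c.process)
    for net, procs in procs_by_net.items():
        if len(procs) > 1:
            gaps.add(f"12.14: network {net} mixes processes {', '.join(sorted(procs))}")

    def key(line: str):
        return tuple(int(x) for x in line.split(":")[0].split(".")), line
    return sorted(gaps, key=key)


def gap_controls(site: Site) -> List[str]:
    """Control numbers with at least one gap, e.g. ['12.8', '12.14']."""
    nums = {g.split(":")[0] for g in find_gaps(site)}
    return sorted(nums, key=lambda n: tuple(int(x) for x in n.split(".")))


# Constructed sample site with deliberate gaps (not a real plant).
SAMPLE_SITE = Site(
    controllers=[
        Controller("PLC-REACTOR-1", "chlorination", "net-ctrl-a", "fp-7c1e", False),
        Controller("PLC-REACTOR-2", "chlorination", "net-ctrl-a", "fp-7c1e", False),  # same password
        Controller("PLC-STORAGE", "storage", "net-ctrl-a", "fp-0000", True),  # default pw, mixed net
    ],
    hmis=[
        Hmi("HMI-CONTROL", "net-hmi", mfa_required=True, lock_timeout_min=45),
        Hmi("HMI-VIEW", "net-hmi", mfa_required=False, lock_timeout_min=None,
            view_only=True, os_supported=False),
    ],
    links={frozenset(("net-hmi", "net-ctrl-a")): "direct"},
)


def compliant_site() -> Site:
    """The same plant after remediation: passes every check."""
    return Site(
        controllers=[
            Controller("PLC-REACTOR-1", "chlorination", "net-ctrl-a", "fp-7c1e", False),
            Controller("PLC-REACTOR-2", "chlorination", "net-ctrl-a", "fp-91aa", False),
            Controller("PLC-STORAGE", "storage", "net-ctrl-b", "fp-3b0d", False),
        ],
        hmis=[
            Hmi("HMI-CONTROL", "net-hmi", mfa_required=True, lock_timeout_min=10),
            Hmi("HMI-VIEW", "net-hmi", mfa_required=True, lock_timeout_min=None, view_only=True),
        ],
        links={frozenset(("net-hmi", "net-ctrl-a")): "firewall",
               frozenset(("net-hmi", "net-ctrl-b")): "firewall"},
    )


if __name__ == "__main__":
    for line in find_gaps(SAMPLE_SITE):
        print(line)
```

Running the script on the sample site lists seven findings across controls 12.8, 12.9, 12.10, 12.12 and 12.14; the remediated site returns none. The same structure extends to the detector and camera networks of 12.15 to 12.20 by adding their segments to the link map.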
Security and separation of safety, detection and security systems
12.15 The business must verify that the network of detectors in the
business is isolated in a separate network, without any possibility
of accessing computerized systems and control systems for hazardous
substances from it.
12.16 The detector controller station must be locked in a
communications cabinet in order to ensure that no uncontrolled
changes are made.
12.17 If the detector controller enables locking of the
controller’s programming mode, it must be kept routinely locked.
12.18 If the detector controller is connected via network/telephony
to a security/support center, the business must verify that any
ability to change definitions remotely or to shut down the
controller is disabled.
12.19 Electrical definitions, access control systems and
low-voltage systems must be separated in the network without any
possibility of accessing computerized systems and control systems
for hazardous substances from them.
12.20 Security cameras – physical access to the security cameras
must be prevented and they must be separated in the network without
any possibility of accessing computerized systems and control
systems for hazardous substances from them.
Explanations:
12.15 If the detector network is part of the production network,
any hacking into this network will enable access to the network on
the production floor. This may be implemented using a firewall or
physical isolation or by deploying dry touch detectors.
12.16 If the controller station is conspicuous, it is exposed to
potential changes in the detectors’ threshold values.
12.17 Controllers have programming modes and operating modes. No
controller should be left open in programming mode during routine
operation. This may be implemented using physical or logical
locking as supported by the controller.
12.18 If necessary, changes in definitions will be enabled only for
the purpose of providing remote support for a defined timeframe and
then must be redisabled.
12.19-20 If physical access to cameras and to other low-voltage
systems is freely allowed, then detachable media are likely to be
connected to them or they may be tampered with in some other way in
order to inject malicious code. This may be implemented using a
firewall or physical isolation.
12.20 It is recommended, to the extent possible, to install the
cameras high up and to disable wireless connections.
Required set of controls (1-4): 1
Number of controls: 6
Media used in controllers and operating/HMI stations
15.1 In order to transmit software and firmware versions,
configurations, scripts, etc., designated company media must be
used solely for this purpose and must be stored in a secure
location.
15.2 Media used for backups of firmware versions, configurations of
controllers and scripts must be stored and locked in secure
locations.
15.3 Media used for transferring information must be scanned for
malware before each use.
Explanations:
15.1 If media are used for other purposes, they are more
susceptible to being infected with malware.
15.2 Scanning the media for malware should be performed on a
computer/CDR station that is not connected to computerized systems
and control systems of hazardous substances.
Required set of controls (1-4): 1
Number of controls: 3

Awareness and enforcement (section 18)
18.1 Suitable directives should be disseminated among the employees
and guards. Employees and guests who have no role relating to the
control systems and computerized systems for hazardous substances
are not supposed to be in their vicinity. Any unauthorized employee
found next to the controller or detector cabinets, who is
connecting elements to a network at his own initiative, or who is
attempting to access operating/HMI stations, will be dealt with
severely. The business must draft and disseminate a procedure
conveying these directives.
18.2 Communications cabinets and controller cabinets must be locked
and their keys must be kept in a discreet location.
Verification:
18.1 Present the explanations given to the employees and guards.
18.2 Check the locks.
Required set of controls (1-4): 1

Advanced security
18.3 Security cameras must be installed to document the access to
communications cabinets, controller cabinets and workstations/HMI
stations.
18.4 An alarm system must be installed that will issue an alert
about any attempt to access communications cabinets, controller
cabinets and workstations other than during business hours.
18.5 Suitable directives must be disseminated among the employees
and guards – external technicians and visitors will be required to
deposit all media (magnetic, optic), cellular phones and computers
in their possession before accessing or coming into physical
proximity to computerized systems and control systems for hazardous
substances.
Explanations:
18.3 This may be implemented by installing cameras opposite HMI
stations or cameras with roving lenses that also scan the vicinity
of the HMI stations and local panels.
18.4 If there is internal opposition in the company to the
installation of cameras for reasons of privacy protection,
opposition from employee committees, etc., another compensating
control must be implemented that constitutes an adequate
alternative solution for this control.
18.5 It is recommended to apply the procedure also to employees,
apart from designated media used solely for work purposes.
Verification:
18.5 Present the explanations given to the employees and guards.
Required set of controls (1-4): 3
Number of controls: 3
Employees with access to computerized and automated systems
managing hazardous substances
19.1 The employees’ signatures must be obtained on a statement of
full commitment to comply with the business’s information security
requirements and on a non-disclosure agreement with regard to the
computerized systems and control systems for hazardous substances,
formulas, processes for using hazardous substances and related
logistics in the business.
19.2 If there are concerns about employees (disgruntled, unstable,
careless about complying with rules), their access must be
suspended.
19.3 When employment ends, access authorizations should be
cancelled and user accounts must be blocked.
19.4 Employees must be instructed not to carry out operations in
computerized systems and control systems for hazardous substances
on the basis of instructions received via email, text message,
telephone call or video call.
Explanations:
19.1 The exposure of information about computerized systems and
control systems, formulas for chemical substances prepared in the
company (by both mixing and reaction), or logistics procedures and
recordkeeping of hazardous substances in the company, can enable an
attacker to plan and execute a cyber attack that could trigger a
hazardous substances event.
19.4 Attackers are capable of forging emails and text messages and
of impersonating someone else via telephone and even during a video
call.
Required set of controls (1-4): 2
Number of controls: 4
Cyber incident detection and management for computerized and
automated systems managing hazardous substances
24.1 The business must prepare a response plan for a cyber incident
in computerized systems connected to hazardous substances. The
procedure must be drilled at least once a year.
24.2 If a suspected cyber incident in computerized systems
connected to hazardous substances has been verified, the business
must inform the call center of the National Cyber Directorate and
the Industrial Cybersecurity (ICS) Department in the Ministry of
Environmental Protection.
24.3 If the incident impacted hazardous substances, first the
required processes/drills must be performed, the authorities must
be alerted and the business’s hazardous substances coordinator must
be informed as is required for any hazardous substances event in
the business pursuant to any law.
24.4 The business must make sure that the business’s
procedures/drills for a hazardous substances event include
references to a situation in which the computerized systems and
control systems are not functioning properly.
Explanations:
24.1 The procedure must refer to clarifying suspicious behavior
with professionals in the business and with external professionals,
notifying the management, authorization to make a decision to
disconnect a component/shut down a system/disconnect
communications until the incident is clarified and the tests of
good working order that must be performed on other components have
been completed. Refer to existing procedures for system shutdowns
and for replacing corrupted components.
24.2 The National Cyber Directorate’s call center operates 24/7 –
dial 119; email team@cyber.gov.il.
Industrial Cybersecurity Department email: cyber_industry@sviva.gov.il
Verification:
24.1 Present the procedures.
24.2 Present the history of cyber incidents that have been detected
and reported.
24.3 Present the method for handling incidents impacting hazardous
substances. Present the changes/additions in handling a hazardous
substances event resulting from a cyber attack.
Required set of controls (1-4): 1
Number of controls: 4

Repair and resumption of operations subsequent to a cyber incident
(section 25)
25.1 The information security policy document must refer to the
post-incident recovery process. The plan must take into account
various disaster scenarios involving hazardous substances (for
example: how long a particular controller or HMI system can be
safely shut down).
25.2 The business must make sure that the resumption of the routine
is performed in compliance with the procedure for resuming routine
operations.
25.3 Within 60 days of the detection of a cyber incident, the
business must prepare an investigation report summarizing the
nature of the incident, the failures that enabled it to occur and
the lessons learned, and must send it to the Industrial
Cybersecurity Department.
Explanations:
25.1 Refer to existing procedures for system shutdowns and for
replacing corrupted components.
Verification:
25.2 Present the replacements and backups to demonstrate the
recovery capability.
25.3 Present the reports of previous incident investigations.
Required set of controls (1-4): 2
Number of controls: 3
1. Threshold educational requirements:
or
or
graduate of a technological unit in the IDF (Center of Computing
and Information Systems, 8200, teleprocessing and parallel units)
and/or the Information Security Authority, provided that he/she
engaged in the technological field subject to appropriate
authorizations
or
participated in a cybersecurity course for industrialists in
cooperation with the Ministry of Environmental Protection and the
Manufacturers’ Association and/or any other entity.
2. Threshold experience requirements:
and
experience working on the production floor on OT (operation
technology) systems, in the context of working with ICS (industrial
control systems), including experience with SCADA (supervisory
control and data acquisition) systems and HMI (human-machine
interface) systems. Experience in programming controllers, planning
a SCADA system, making changes to HMI systems, monitoring and
handling alerts received from HMI systems;
Six years of experience performing the tasks described for the
role, including at least two years of experience managing
technological teams.
3. Additional requirements with regard to education, experience,
qualifications, and skills (if any); Desired qualifications:
1. tertiary education in the field of chemistry, chemical
engineering or industrial engineering or natural sciences or
business administration.
2. practical familiarity with industrial cyber defense
methodologies – significant advantage.
3. drafting of industrial cyber defense methodologies – significant
advantage.
4. practical experience in the chemical industry – significant
advantage.
5. experience as a computer professional in the chemical industry,
particularly experience in process control systems.
6. experience in defining organizational policies, in drafting
procedures; experience implementing policy documents and
procedures.
7. experience in performing information security audits.
8. familiarity with security techniques and information security
tools in SCADA systems – significant advantage.
Appendix E – Letter of appointment of a cybersecurity officer in
the business
Date:
Reference:
Re: Letter of appointment of a cybersecurity officer
Pursuant to the Hazardous Substances Act of 1993 (hereinafter: “the
Act”) and to the requirements specified in the toxins permit, I
hereby appoint you as the cybersecurity officer in our
organization.
The cybersecurity officer will act in direct subordination to the
toxins permit holder.
The role of the cybersecurity officer will include:
1. formulating a cybersecurity policy according to the
organizational risk management process and according to the
requirements stipulated in the toxins permit and in the Cyber
Manual;
2. building a cybersecurity work plan in conformity with the
policy;
3. controlling and monitoring the execution of the work plan and
compliance with the cybersecurity conditions in the toxins
permit;
4. performing aspects of cybersecurity activities in conformity
with the Cyber Manual and the current security updates of the
Industrial Cybersecurity Department of the Ministry of
Environmental Protection.
Sincerely,
Appendix F – Initial mapping of a hazardous process that is
managed/controlled by a computerized system [6]
Business:
Facility:
Approved quantity in the toxins permit:
Is the hazardous substance included in a process that is
controlled/integrated in computerized systems?
Explanation of the hazardous process (stages of the process, its
purposes, mode of execution):
Details of the computerized systems/digital process involved in
the hazardous process:
Potential impact on public health or on the environment [7]:
[6] To be completed only if an independent cyber risk survey was
performed without combined risk management.
[7] According to the impact calculation table in this manual.
Appendix G – Declaration of the toxins permit holder regarding the
performance of a cyber risk assessment and classification of the
business
I, the undersigned __________________ ID No. __________________
having been informed that I must tell the whole truth and that I
can expect the punishment prescribed by law if I fail to do so, do
hereby declare:
1. The undersigned is the __________________ (position)
for__________________ (company name), toxins permit No.
__________________.
2. The cybersecurity classification process for the business was
completed on __________________.
3. A document specifying the key results of the classification
process for the business and the cyber risk assessment is appended
hereto.
4. I performed the risk assessment myself/I availed myself of the
services of the consulting firm __________________ (delete as
appropriate) and prepared the document summarizing the key results
of the business classification process and the risk assessment and,
to the best of my knowledge and understanding, these documents are
complete and accurate, were prepared in conformity with the Cyber
Manual and present a precise situation report of the
business.
5. The risk assessment process and the summary of its results in
relation to cybersecurity were completed on
_________________.
6. The following is a summary of the results of the risk
assessment:
System name | Probability (1-4) | Impact (1-4) | Level of risk (4-16) | (1-4)
7. I myself prepared/I checked (delete as appropriate) the table
summarizing the risk assessment being submitted to the Ministry of
Environmental Protection as required in the directives and, to the
best of my knowledge and understanding, the summary is complete and
accurate and presents a precise situation report of the
business.
8. I declare all of the above to be true. Signature of the
declarant ___________________________
Attorney’s confirmation
I, the undersigned _________________, attorney, do hereby confirm
that on _______________________ ___________ appeared before me, who
is known to me personally/whom I identified according to ID No.
_________________, and that after I had informed him/her of the
requirement to tell the whole truth and nothing but the truth and
of the punishment prescribed by law if he/she failed to do so,
he/she affirmed the veracity of his/her above declaration and
signed it in my presence.
Signature and stamp: ______________________
Appendix H – Declaration of the toxins permit holder regarding the
completion of a cyber risk mitigation plan
I, the undersigned ____________________________, ID No.
____________________, having been informed that I must tell the
whole truth and that I can expect the punishment prescribed by law
if I fail to do so, do hereby declare:
1. The undersigned is the CEO/owner (delete as appropriate)
of__________________ (company name), toxins permit No.
_______________________.
2. The process of implementing a plan to prevent risk to public
health and to the environment as a result of a cyber incident, was
completed on ____________________.
3. The following is a summary of the assimilation of controls to
mitigate cyber risks:
System name | Required set of controls (1-4) | List of assimilated controls | Remarks
4. I have examined the summary document being submitted to the
Ministry of Environmental Protection as required in the directives
and, to the best of my knowledge and understanding, the document is
complete and accurate.
5. I declare all of the above to be true. Signature of the
declarant: ___________________________
Attorney’s confirmation
I, the undersigned _________________, attorney, do hereby confirm
that on ____________________________ appeared before me, who is
known to me personally/whom I identified according to ID No.
_________________ and, after I had informed him/her of the
requirement to tell the whole truth and nothing but the truth and
of the punishment prescribed by law if he/she failed to do so,
he/she affirmed the veracity of his/her above declaration and
signed it in my presence.
Signature and stamp:
Appendix I – Cyber Incident Report
Name:
Role:
Telephone:
Summary of the incident:
Date and time the incident was discovered:
Status of the handling of the incident:
[ ] Not handled
[ ] Handling started but not completed
[ ] Handling completed
Physical location of the incident:
Systems affected by the incident:
Have additional parties outside of the plant been affected by the
incident? (if yes, specify):
4. Extent of the damage/potential damage (mark everything that
applies):
[ ] Harm to a computerized system that manages/controls hazardous
substances without any release of hazardous substances
[ ] Harm to a computerized system that manages/controls hazardous
substances including the release of hazardous substances that
caused harm to the environment
[ ] Harm to a computerized system that manages/controls hazardous
substances including the release of hazardous substances that
caused harm to public health
[ ] At this stage, the extent of the damage is not known
Brief verbal description of the impact:
List of people who were informed about the incident:
Name | Role | Telephone
6. What measures have been taken to date? (mark everything that
applies)
[ ] At this stage, no measures have been taken at all
[ ] The systems were disconnected from the OT environment
[ ] The system was scanned for viruses
[ ] The systems’ logs were saved for the investigation
[ ] Restoration was performed from backups
[ ] Another operation was performed (describe what was done)
Brief verbal description of the measures taken:
7. Additional data/additional information which, in your opinion,
is important to report and which is not requested in the incident
report form:
8. Lessons and conclusions in order to prevent any recurrence of an
incident of this type:
Actions to be taken | Person responsible | Timetable
Full name: ID: Signature:
Appendix J &