ISA Standards and Practices Industrial Automation and Controls Systems Cybersecurity The ISA99 Committee and the 62443 Standards

Industrial Automation and Controls Systems …isa99.isa.org/Public/Information/ISA99-ISA-62443-Overview.pdf · Industrial Automation and Controls Systems Cybersecurity The ISA99 Committee



ISA Standards and Practices

Industrial Automation and Controls Systems Cybersecurity

The ISA99 Committee and the 62443 Standards


February 2018 Copyright © ISA – All Rights Reserved

Purpose

Introduce the ISA99 committee and the ISA/IEC 62443 series of standards on Industrial Automation and Control Systems Security.


Topics

• Who are we?

• How do we work?

• What are the basics?

• What are our work products?

• Where do things stand?



Who are we?



ISA99 Committee

The International Society of Automation (ISA) Committee on Security for Industrial Automation & Control Systems

Almost 900 members from around the world


Our Scope

“… industrial automation and control systems whose compromise could result in any or all of the following situations:

– endangerment of public or employee safety

– environmental protection

– loss of public confidence

– violation of regulatory requirements

– loss of proprietary or confidential information

– economic loss

– impact on entity, local, state, or national security”



Industry Contribution and Application

• Reflects expertise from many sectors, including:

– Chemical Processing

– Oil and Gas

– Food and Beverage

– Energy

– Pharmaceuticals

– Water

– Manufacturing

– ICS suppliers



How Do We Work?



ISA99 and ISA/IEC 62443

• ISA/IEC 62443 is a series of standards being developed by two groups:

– ISA99: ANSI/ISA-62443

– IEC TC65/WG10: IEC 62443

• In consultation with:

– ISO/IEC JTC1/SC27: ISO/IEC 2700x


Partners for Related Topics

• Process Safety (ISA84, IEC TC65)

• Wireless Communications (ISA100)

• Intelligent device Management (ISA108)

• Medical Device Security (MDISS)

• Certification (ISCI)

• Communications & Advocacy (Automation Federation)

• Security Framework (NIST)

(Diagram label: IACS Security)


The Basics

• General Concepts

• Fundamental Concepts

• Foundational Requirements



General Concepts

• Security Context

• Security Objectives

• Least Privilege

• Defense in Depth

• Threat-Risk Assessment

• Supply Chain Security

Source: ISA-62443-1-1, 2nd Edition (Under development)



Fundamental Concepts

• Principal Roles

• Life Cycles

• Zones and Conduits

• Security Levels

• Maturity Assessment

• Security and Safety


Source: ISA-62443-1-1, 2nd Edition (Under development)


Principal Roles

• Product Supplier (PS)

• Integration Provider (IP)

• Asset Owner (AO)

• Maintenance Provider (MP)

• Service Provider (SP)

• System Operator (SO)

• Regulatory Authority (RA)

• Compliance Authority (CA)



Life Cycles

Based on VDI 2182

(Diagram: life-cycle phases Product Development, Integration / Commissioning and Operation & Maintenance; roles Product Supplier, System Integrator and Asset Owner; labels Security Documentation, Security Guidelines, Security Support and Requirements.)


Zones and Conduits

• A means for defining…

– How different systems interact

– Where information flows between systems

– What form that information takes

– What devices communicate

– How fast/often those devices communicate

– The security differences between system components

• Technology helps, but architecture is more important
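The zone-and-conduit idea above can be made concrete as an allow-list over zone-to-zone paths, which is also how FR 5 (restricted data flow) gets checked in practice. The following is an added example, not code from the ISA99 committee or the 62443 standards; all device names, zones, protocols and rates are constructed for illustration.

```python
# Added example (not from the ISA99 slides): a minimal zone-and-conduit model plus a
# checker that flags observed traffic not covered by any conduit. All constructed.

# Which devices belong to which zone (constructed inventory).
ZONE_OF = {
    "plc-01": "control", "plc-02": "control",
    "hmi-01": "supervisory", "historian-01": "dmz",
    "erp-01": "enterprise", "laptop-eng": "enterprise",
}

# Conduits: the only permitted paths between zones, keyed by (source zone, destination
# zone). The value records what form the information takes and how often it may flow.
CONDUITS = {
    ("supervisory", "control"): ({"modbus"}, 600),
    ("control", "supervisory"): ({"modbus"}, 600),
    ("supervisory", "dmz"): ({"opc-ua"}, 120),
    ("dmz", "enterprise"): ({"https"}, 60),
}

def check_flow(src, dst, protocol, msgs_per_min):
    """Classify one observed flow: 'ok' or the reason it violates the model."""
    src_zone, dst_zone = ZONE_OF.get(src), ZONE_OF.get(dst)
    if src_zone is None or dst_zone is None:
        return "unknown-device"        # asset missing from the zone inventory
    if src_zone == dst_zone:
        return "ok"                    # intra-zone traffic needs no conduit
    conduit = CONDUITS.get((src_zone, dst_zone))
    if conduit is None:
        return "no-conduit"            # crosses zones on an undefined path
    allowed_protocols, max_rate = conduit
    if protocol not in allowed_protocols:
        return "protocol-not-allowed"
    if msgs_per_min > max_rate:
        return "rate-exceeded"
    return "ok"

# Constructed observed flows: (source device, destination device, protocol, msgs/min).
SAMPLE_FLOWS = [
    ("hmi-01", "plc-01", "modbus", 300),        # normal supervisory -> control
    ("laptop-eng", "plc-02", "modbus", 5),      # enterprise reaching control directly
    ("hmi-01", "historian-01", "ftp", 10),      # wrong protocol for the conduit
    ("historian-01", "erp-01", "https", 500),   # far above the agreed rate
    ("plc-01", "plc-02", "modbus", 50),         # same zone, no conduit needed
]

def audit(flows=SAMPLE_FLOWS):
    """Return (src, dst, reason) for each flow that violates the zone/conduit model."""
    return [(s, d, check_flow(s, d, p, r)) for s, d, p, r in flows
            if check_flow(s, d, p, r) != "ok"]
```

Running `audit()` over the constructed flows reports the three cross-zone violations and stays silent on the in-zone and conduit-conformant traffic.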


Security Levels

(Figure: “Protection against…”; the rest of the figure is not reproduced in this extraction.)


Maturity Assessment

• A means of assessing capability

• Similar to Capability Maturity Models

– e.g., SEI-CMM

• An evolving concept in the standards

– Applicability to IACS-SMS


Security and Safety

• Safety is much of the reason for security

– Presenting consequences

• Much to be learned from the safety community

• Collaboration

– ISA99-ISA84 joint effort

– IEC TC65 work group 20

– ISA Safety and Security Division



Foundational Requirements

• FR 1 – Identification & authentication control

• FR 2 – Use control

• FR 3 – System integrity

• FR 4 – Data confidentiality

• FR 5 – Restricted data flow

• FR 6 – Timely response to events

• FR 7 – Resource availability



Work Products



The ISA-62443 Series



General Information

• 62443-1-1

– Concepts and Models

• 62443-1-2

– Master Glossary

• 62443-1-3

– Security Compliance Metrics

• 62443-1-4

– Lifecycle & Use Cases

• 62443-1-5

– Protection Levels



Program Definition

• 62443-2-1

– Security Management System

• 62443-2-2

– Implementation Guidance

• 62443-2-3

– Patch Management

• 62443-2-4

– Requirements for Solution Suppliers



System Security

• 62443-3-1

– Security Technologies

• 62443-3-2

– Risk Assessment and System Design

• 62443-3-3

– System Requirements and Security Levels


Component Security

• 62443-4-1

– Product Development Requirements

• 62443-4-2

– Technical Requirement for Components



What is Happening



Current Activity

• 62443-1-1 (2nd Edition)

– Preparing a draft for comment

• 62443-1-2

– Recently circulated as a draft for comment

• 62443-1-4

– Case studies being identified by WG10

• 62443-1-5

– Introduces the potential concept of “Protection Levels”

– Recently circulated as a draft for comment



Current Activity

• 62443-2-1 (2nd Edition)

– Alignment with ISO 27001:2013

– Recently circulated as a draft for comment

• 62443-2-3

– Technical report published in July 2015

– Under revision to elevate to a standard

• 62443-2-4

– Published by IEC, adopted by ISA99



Current Activity

• 62443-3-1

– Technical report on risk management being rewritten as a standard

• 62443-3-2

– Committee Draft for Vote (CDV) approved by ISA voting members

– IEC vote pending



Current Activity

• 62443-4-1

– Approved by ISA and IEC

• 62443-4-2

– Soon to be submitted as a Final Draft Standard to ISA and IEC



Review

✓ Who are we?

✓ How do we work?

✓ What are the basics?

✓ What are our work products?

✓ Where do things stand?



Conclusion



More Information…

• ISA99 committee page: http://www.isa.org/isa99

• Twitter: @ISA99Chair

• Committee Co-Chairs: [email protected]

– Eric Cosman

– Jim Gilsinn

• Managing Director: Joe Weiss

• ISA Staff Contact: Eliana Brazda, [email protected]

Please provide contact information & area of expertise or interest


Questions
