
Presented at the 2013 ISA Water/Wastewater and Automatic Controls Symposium

Crowne Plaza Orlando-Universal Hotel, Orlando, Florida, USA – Aug 6-8, 2013 – www.isawwsymposium.com

ISA99 - Security Standards in water treatment plants

Marcelo Teixeira de Azevedo (1*), Alaide Barbosa Martins (2*), and Sergio Takeo Kofuji (1)

(1) Polytechnic School of the University of Sao Paulo, POLI-USP, São Paulo, SP, Brazil (*[email protected])

(2) Odebrecht Ambiental – Foz do Brasil, Av. Jorge Amado, S/N, Jaguaribe, Salvador-Bahia (*[email protected])

KEYWORDS

SCADA, Security, ISA Standards, Industrial networks, ISA99

ABSTRACT

Currently, information security is a constant concern for many institutions and countries that use computer resources for communication and to deliver services. Protective measures and countermeasures for traditional networks, such as firewalls and intrusion detectors, are well-known and widely used. For Supervisory Control and Data Acquisition (SCADA) systems, the situation is no different. In the early days, such systems were based on mainframes and closed-architecture platforms; in other words, they were dependent on manufacturers and consequently isolated from other systems. These days, SCADA systems are converging more and more onto open-system platforms, with architectures heavily reliant on connectivity; accordingly, interconnection between such systems and the corporate network, and in some cases, the internet itself, is more common. Taking this issue into account, and based on current technological development in the information security area, this research proposes a methodology to implement automation systems in water treatment plants, with an emphasis on security, and a focus on industrial systems that employ the ISA99 automation safety standards. In summary, the purpose of this essay is to study the safety rules, methods and methodologies for industrial systems, using the water treatment process as a working example, and to propose a methodology to minimize inherent safety hazards.

Introduction

Automated systems have been gaining in prominence over the last few decades and their implementation has become more and more important in recent times. Among the ubiquitous technologies now available in modern society, we can highlight electronic commerce, financial transactions over the internet, VPNs, customer service websites and many other computerized systems that are now an intrinsic part of our daily lives. The amount of information present in modern society, on which, to one degree or another, we depend more and more, has evolved exponentially, and defense methods and security practices have become necessary and should be studied in order to ensure greater protection of sensitive information that, if attacked, could have a substantial negative impact on modern society, countries and concerned groups. Such attacks could result in great damage, including disruption of services regarded as critical to the functioning of society, such as:


• Distribution of electric energy, water and natural gas;
• Petrochemical production;
• Nuclear facilities;
• Air and land traffic control systems.

For countries, any disruption of basic services, such as air and urban traffic control systems, road signage, water management, electricity and gas utilities, to name a few, could create widespread damage and even a breakdown of social order. In the economic sphere, a disruption to critical systems, such as those provided by financial institutions, banks and government entities, could potentially isolate a country.

In companies operating in many different segments, information security practices have been studied and implemented in order to minimize apparent risks; however, this digital universe is subject to many different types of attack, both physical and virtual, which can compromise systems in general as well as the people connected to them. Practices adopted can help to mitigate part of these security issues, and these must encompass all resources: computers and infrastructure, as well as human resources (MARCIANO, 2006).

From the security standpoint, the human-computer relationship is an essential consideration, and, on the whole, it makes an important contribution to the security of information. Therefore, information security practices must take into account both technological and humanistic aspects so that the environment as a whole can be administered securely (MARCIANO, 2006).

This study proposes that the context of information security be studied and adapted to its operational environment, taking into account technical, scientific and humanistic aspects, which may vary from company to company, or even from nation to nation. The industrial automation environment, in which proprietary systems and dedicated technologies reigned supreme in the early days, consisted of closed systems with no external connectivity (KRUTZ, 2006). Currently, industrial automation systems, especially Supervisory Control and Data Acquisition (SCADA), are converging onto open systems and, in some cases, they are connected to corporate networks or even the internet itself. The use of telecommunications resources and current technological advances enable remote access, sharing, integration and, consequently, data processing at a distance, by means of these resources. Similarly, this necessity for integration between different systems within a single company is implicit in the relationship with the other systems, for the purposes of increased productivity and decision-making efficiency. However, this model of integration and sharing can give rise to serious issues with regard to security, because the control systems, as mentioned previously, used to be completely closed and isolated from the other systems within a company; thus, within this new context, a new approach obviously needs to be considered.

Justification

In the undertaking of this research, a vast collection of references was discovered (articles, standards, books, dissertations and theses) dealing with the subject of Information Security and Automation Security. Despite this variety, it is not easy to find a basic methodology or even a set of consistent and coherent directives to aid in the planning and implementation of an Information Security System for Industrial Networks. With the aim of overcoming this deficiency, this study proposes a theoretical and conceptual methodology to aid in the conception, creation and implementation of an information security project based on the following norms:

• ISA99 Security Guidelines and User Resources for Industrial Automation and Control Systems, 3rd Edition
• ANSI/ISA-99.00.01-2007 - Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models
• ANSI/ISA-99.02.01-2009 - Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
• ANSI/ISA-TR99.00.01-2007 - Security Technologies for Industrial Automation and Control Systems
• ANSI/ISA 99.00.03-2007 – Part 3: Operating an Industrial Automation and Control System Security Program;
• ANSI/ISA 99.00.04-2007 – Part 4: Technical Security Requirements for Industrial Automation and Control Systems.

Recent studies discuss part of the security issue, although these are focused mainly on security elements, such as firewalls, IDS and others. Furthermore, the industrial environment is, by definition, a complex one, comprising several different components, making further investigation into them all the more important. Considering all these factors and the complexity of critical systems, the importance of a study on the security of the industrial environment is justified. The use of a methodology in the area of industrial automation that enables risks to be mitigated and operational alternatives to be managed and proposed is one of the main points of motivation for this study.

MATERIAL AND METHODS

For this study, it was decided to look into the identification of scenarios in a water treatment station. Accordingly, a system that reflects the entire water treatment process was constructed, as can be observed in Figure 1. The water treatment process studied has the aim of ensuring the production of potable water, based on Decree no. 518 of the Ministry of Health and Resolution SS no. 65 of the State Health Department.


Figure 1 – Water Treatment Station (WTS). Source: Foz do Brasil.

Scenarios

The following two typical scenarios used in the water treatment process were researched for this case study:

• Capital Scenario
• Countryside Scenario

In these scenarios, security breaches can occur if the security policy is not suited to the environment, which may then compromise the overall information within the system. These scenarios will be analyzed, starting with a definition of the standards and by highlighting the differences with the implementation of data security. Furthermore, in Figure 2, it is possible to visualize the layout of an architecture recommended by the ISA 99 standard, which strongly emphasizes the security aspect. In the next chapter, such scenarios will be analyzed through the ISA 99 standards, with the main purpose of evaluating the issue of security.


Figure 2 – Scenario suggested by the ISA 99.

Methodology Adopted

The purpose of this item is to propose a methodology for the implementation of a water treatment plant with a strong emphasis on information security, based on studies and the analysis of three other methodologies: FMEA, FTA and SPA.

Note that this methodology will probably not be able to completely fulfill the requirements of a given organization; however, it can serve as an initial reference for the implementation process of a certain enterprise. The methodology described here follows the recommendations of the ISA 99 and other standards mentioned previously. The implementation of the proposed system is based on the principle of standardization and documentation of procedures, tools and techniques used, as well as the creation of indicators, records and a complete educational process of awareness (MARTINS; SANTOS, 2005). The stages that make up the process are presented in Figure 3.


Figure 3 – Stages for implementation. Source: Martins and Santos (2005).

Step 1: The Establishment of an Information Security Policy

The construction of a security policy for an organization must be based on the standards and norms. This is because a security policy is a document that must describe the security recommendations, rules, responsibilities and practices, in accordance with the specifications and necessities of the enterprise. Accordingly, the elaboration of a security policy is a complex task that requires constant review and alterations.

Step 2: Definition of the Scope

In order to define the scope, it must be determined which company assets are to be governed by the security policy, including: industrial equipment, systems, communications structure, personnel, internal and external network infrastructure and services. This step will produce the following results: a map of the network perimeter, inventory and classification of assets.

Step 3: Risk Analysis

In this step, a security analysis for the previously defined scope is carried out; in other words, through the identification of the information assets involved and the mapping of all threats pertaining to these. The level of risk involved must be ascertained for each threat. After an analysis of the risks, those which are deemed acceptable and unacceptable are defined.

Step 4: Management of Areas of Risk

This step is a continual process, which does not end with the implementation of a security measure. Constant monitoring itself becomes a resource with which it is possible to identify the effectiveness of the application of the measure and also for the execution of reviews and adjustments. In this stage, the impact that a certain risk may cause on the business is estimated. Thus, it is necessary to identify the most critical assets and vulnerabilities, in order to enable the optimization of efforts and expenditures with regard to security. Once the risks have been identified and the organization has defined which ones are to be dealt with, the security measures should finally be implemented.

Step 5: Selection of the Controls and Declaration of Applicability

Controls must be selected and put into practice to ensure that the risks are reduced to a level at which they do not cause problems for the enterprise. This must occur after the identification of the requirements.

Step 6: Implementing Controls

The processes for the implementation of countermeasures and security directives take place throughout the implementation phase of the methodology. Then, a monitoring process for all the controls implemented must be put into place and, accordingly, specific indicators must be produced that enable the working conditions and performance of the analyzed environment to be visualized. The implementation of the controls selected may involve the acquisition of software and/or hardware technology (additional costs), but, in some cases, this implementation only results in the creation of internal standards and norms that must be followed (MARTINS; SANTOS, 2005).

Step 7: Auditing the System

The main purpose of system audits is to check whether the following conditions occur satisfactorily, based on clear evidence (MARTINS; SANTOS, 2005):

a. that operational procedures and instructions are adequate and effective;
b. that the different sectors of the enterprise have been operating in accordance with the standards;
c. that the subsidies supplied are sufficient for the creation of periodic critical analysis reports.


Characterization

In this item, the scenarios described in chapter 3 were submitted for evaluation of the security index based on the ISA 99 control spreadsheet, and by using the GUT methodology. Finally, recommendations for improvement were suggested.

Step 1: None of the scenarios presented provided a clear and objective security policy. Concern with the level of security, i.e., the use of security techniques and equipment, was the responsibility of the professional in charge of plant automation. Thus, an action plan for the implementation of an information security policy needed to be structured. It is important to emphasize that the creation of a security policy should not be dealt with in an isolated manner. It should be presented to all employees, and a process of awareness is necessary to ensure that the principles of this policy are followed by all the users within the enterprise.

Step 2: A survey of the assets involved is necessary in order to define the scope. A cost-benefit analysis is very important for the definition of the scope for the implementation of controls, since the broader the scope, the greater the complexity and, consequently, the greater the investment. The assets survey was carried out manually, generating the scenarios described in chapter 3.

Step 3: In order to carry out the study of security priorities, the GUT methodology was used, which has the purpose of evaluating each factor, taking into consideration criteria of gravity, urgency and tendency. The parameters and the respective values associated with each aspect are featured in Table 1.

Table 1 – GUT methodology parameters.

VALUE  GRAVITY            URGENCY                    TENDENCY
1      No gravity         No hurry                   Will not get worse
2      Not very serious   Can wait a little          Will get worse in the long term
3      Serious            As soon as possible        Will get worse in the medium term
4      Very serious       Urgent                     Will get worse in little time
5      Extremely serious  Immediate action required  Will get worse quickly

The item “Gravity” concerns the impact caused to the water treatment station for the supply of potable water, whilst “Urgency” is linked to the time required to reduce or solve the problem and “Tendency” is associated with future impacts, in the event that no action is taken to solve the problem. Accordingly, wide-ranging research was carried out with regard to points of criticality that could affect security in water treatment plants. These items can be observed in Table 2.


Table 2 – Items of criticality.

ITEM                            G  U  T  TOTAL
Firewall                        5  5  5  125
Firewall with redundancy        3  4  3  26
Equipment with authentication   5  5  4  100
Cryptography                    3  3  3  27
Strong cryptography             2  2  2  8
IDS                             5  4  3  60
Updated equipment               5  5  5  125
Virtual Private Network         4  3  2  24
Monitoring                      2  4  4  32
Control of physical access      4  5  5  100
Periodic updates                3  3  3  27
Virtual Local Network           5  3  3  45

In Graph 1, it is possible to observe the graphic representation of the items of criticality, considering that the most critical items are: lack of firewall, out-of-date equipment and physical access control.

Graph 1 – Items of criticality. Source: The author.


Step 4: The controls necessary to protect assets must be defined after analysis of the risk, in such a manner that the identification process of the risks and the implementation of controls are continuously executed. With the study carried out in the previous step, it is possible to measure the impact that a certain risk may cause and, thus, it was possible to implement controls only in the most critical situations, because it is very difficult to offer total protection against all existing threats.

Step 5: In this step, from the controls presented by ISA 99, those applicable to the organization were selected. The control spreadsheet referenced in Chart 2 was created based on the ISA 99 standards, where the recommendations of the ISA 99 are dealt with. It can be observed that the technology suggested by the security standard is described, and the associated vulnerabilities, deficiencies and recommendations are displayed.

Chart 2 – ISA 99 recommendations.

Columns: TECHNOLOGY / DESCRIPTION / VULNERABILITIES CORRECTED / DEFICIENCIES / RECOMMENDATIONS

Virtual Networks (VLAN)
  Description: Segregation of physical networks and logical networks
  Vulnerabilities corrected: Segregation of traffic
  Deficiencies: MAC spoofing; spanning tree protocols; VLAN hopping
  Recommendations: Periodic updates of the version; segregation of the corporate network and the industrial network.

Network Firewalls
  Description: Mechanism used for traffic control
  Vulnerabilities corrected: Protection of network traffic that passes through the device
  Deficiencies: Necessity to work in conjunction with intrusion detectors; large quantity of logs; professionals trained for daily operations.
  Recommendations: Segmentation of the networks into zones; creation of a DMZ for internet traffic.

Virtual Private Network (VPN)
  Description: Remote access with cryptography
  Vulnerabilities corrected: Controlled access to networks via authentication
  Deficiencies: Access from anywhere (internet) to the corporate network
  Recommendations: Strong method of authentication

Utilities of the auditing log
  Description: Supporting log tool
  Vulnerabilities corrected: Authentication and utilization check
  Deficiencies: Extensive documentation and backup
  Recommendations: Strategic planning in conjunction with other areas

Biometric Authentication
  Description: Biometric authentication
  Vulnerabilities corrected: Strong authentication
  Deficiencies: Not extensively used
  Recommendations: Occasional use in restricted equipment

Authentication and Authorization Technology
  Description: Permission and levels of access
  Vulnerabilities corrected: Controlled access to networks via authentication
  Deficiencies: Necessity to synchronize all assets in the environment
  Recommendations: Authentication/authorization method centered in the network

Cryptography
  Description: Encrypting and decrypting process
  Vulnerabilities corrected: Cryptography in clear text traffic
  Deficiencies: A cryptography method that all equipment supports should be used
  Recommendations: Use of cryptography in all internal and external communication

Intrusion Detectors
  Description: Utility for the detection of events not permitted on the network
  Vulnerabilities corrected: Identification of malicious traffic
  Deficiencies: Requires signature updates and excess of false positives
  Recommendations: Use in segments

Physical Control
  Description: Restricted access to field equipment
  Vulnerabilities corrected: Only authorized personnel can handle and undertake physical alterations
  Deficiencies: If not used with a biometric method, it could prove to be ineffective
  Recommendations: Controlled access


Step 6: After implementation of the controls, a monitoring mechanism is required to avoid unnecessary occurrences. The implementation of control may be carried out by monitoring software programs and issuing periodic reports.

Step 7: The auditors must check that the security conditions of the information have been implemented and documented correctly and according to the definitions of the security policy. The ISA 99 standards do not deal with auditing, but a mechanism for the detection of non-conformities and preventative actions is necessary so that any deviations identified do not occur again. Accordingly, periodic execution of internal auditing in addition to external auditing is necessary for a more precise verification that the defined security policy is being followed correctly. In addition, an auxiliary mechanism for the detection of events based on the behavior of the water treatment station is described in the next item, and this can be used additionally in the auditing.

For the creation of a criticality index, the GUT methodology table was considered in conjunction with the recommendations of the ISA 99, which resulted in Table 3.

Table 3 – Criticality Index.

SCORING  SITUATION          INDEX
100-125  Extremely serious  4
75-100   Very serious       3
50-75    Serious            2
25-50    Not very serious   1
0-25     No gravity         0

With the creation of this index in conjunction with the definitions of the aforementioned stages, the scenarios were submitted to evaluation. The values defined by the GUT methodology, in conjunction with the criticality index, were transported to the criticality column, which resulted in the value 22. This value is considered to be a secure index, according to the definitions and security policies of the enterprise. All the sanitation plants subject to this methodology must get close to this value to be considered secure. The situation column indicates the existence, or otherwise, of such technology; existence is represented by the number 1 and inexistence by the number 0. In the event of inexistence of the technology, the value attributed to criticality will be subtracted, and the formula below will be responsible for the final value.

Value = (Sum of Criticality – (Value of the Criticality if the Situation = 0))

SCENARIO 1 – CAPITAL

For the first scenario, denominated Scenario 1 - Capital, the Plant is considered secure; only the IDS was not present in the Plant of the enterprise, as illustrated in Table 4. However, the value of this item was not considered a priority for the definition of the security policy of the enterprise and, accordingly, it did not affect the security index. But as an additional measure, the acquisition of an intrusion detector is highly recommended, as well as its strategic positioning in order to visualize internal and external traffic.

Table 4 – Capital Plant Index.

TECHNOLOGY                      CRITICALITY  SITUATION
Firewall                        4            1
Firewall with redundancy        1            1
Equipment with authentication   4            1
Cryptography                    1            1
Strong cryptography             0            1
IDS                             2            0
Updated equipment               4            1
Virtual Private Network         0            1
Monitoring                      1            1
Control of physical access      3            1
Periodic updates                1            1
Virtual Local Network           1            1
Total                           22           20

SCENARIO 2 – COUNTRYSIDE

In the second scenario, called Countryside, the sanitation Plant proved not to be secure, especially in the most remote plant, normally also less automated, which in some instances does not have a firewall, VPN or VLAN. Therefore, the execution of a more specific analysis in the Countryside sanitation plant is highly recommended, in order for the security technologies described in the ISA 99 standards to be adopted and used in the best manner possible. Furthermore, the sanitation plant denominated Capital could be used as a reference for the implementation of the technologies. In Table 5, it is possible to observe the items not included in the Plant.


Table 5 – Countryside Plant Index.

TECHNOLOGY                      CRITICALITY   SITUATION
Firewall                              4           0
Firewall with redundancy              1           0
Equipment with authentication         4           0
Cryptography                          1           1
Strong cryptography                   0           0
IDS                                   2           0
Updated equipment                     4           1
Virtual Private Network               0           0
Monitoring                            1           1
Control of physical access            3           1
Periodic updates                      1           1
Virtual Local Network                 1           0
Total                                22          10
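The two indices above are obtained by weighting each technology's situation flag (1 = present, 0 = absent) by its criticality and summing; that weighted sum reproduces the totals the paper reports for both scenarios (20 and 10 out of a maximum of 22). The following script is an added example, not code from the paper or its authors: it transcribes Tables 4 and 5, recomputes the Capital and Countryside indices, and lists the absent controls ordered by criticality so that the gap analysis recommended for the Countryside plant can be read directly from the table. The function and variable names are this example's own.

```python
"""Plant security index from an ISA99-style technology checklist.

Added example (not from the paper). Each technology carries a criticality
weight (0-4, as in Tables 4 and 5) and a situation flag (1 = present in the
plant, 0 = absent). The plant index is the criticality-weighted sum of the
situation flags; the maximum index is the sum of all criticalities (22).
"""
from typing import Dict, List, Tuple

# Criticality weights, transcribed from the paper's tables.
CRITICALITY: Dict[str, int] = {
    "Firewall": 4,
    "Firewall with redundancy": 1,
    "Equipment with authentication": 4,
    "Cryptography": 1,
    "Strong cryptography": 0,
    "IDS": 2,
    "Updated equipment": 4,
    "Virtual Private Network": 0,
    "Monitoring": 1,
    "Control of physical access": 3,
    "Periodic updates": 1,
    "Virtual Local Network": 1,
}

# Situation flags per scenario, transcribed from Table 4 (Capital) and
# Table 5 (Countryside).
CAPITAL: Dict[str, int] = {
    "Firewall": 1, "Firewall with redundancy": 1,
    "Equipment with authentication": 1, "Cryptography": 1,
    "Strong cryptography": 1, "IDS": 0, "Updated equipment": 1,
    "Virtual Private Network": 1, "Monitoring": 1,
    "Control of physical access": 1, "Periodic updates": 1,
    "Virtual Local Network": 1,
}
COUNTRYSIDE: Dict[str, int] = {
    "Firewall": 0, "Firewall with redundancy": 0,
    "Equipment with authentication": 0, "Cryptography": 1,
    "Strong cryptography": 0, "IDS": 0, "Updated equipment": 1,
    "Virtual Private Network": 0, "Monitoring": 1,
    "Control of physical access": 1, "Periodic updates": 1,
    "Virtual Local Network": 0,
}


def max_index(criticality: Dict[str, int] = CRITICALITY) -> int:
    """Index of a plant that has every technology in place."""
    return sum(criticality.values())


def plant_index(situation: Dict[str, int],
                criticality: Dict[str, int] = CRITICALITY) -> int:
    """Criticality-weighted sum of the technologies present in the plant."""
    missing = set(criticality) - set(situation)
    if missing:  # refuse to score an incomplete survey
        raise ValueError(f"situation lacks entries for: {sorted(missing)}")
    return sum(criticality[t] * situation[t] for t in criticality)


def gaps(situation: Dict[str, int],
         criticality: Dict[str, int] = CRITICALITY) -> List[Tuple[str, int]]:
    """Absent technologies, most critical first (table order on ties).

    Weight-0 items are kept at the end: they do not move the index, but
    they are still controls the plant lacks.
    """
    absent = [(t, w) for t, w in criticality.items() if not situation[t]]
    return sorted(absent, key=lambda tw: -tw[1])  # sorted() is stable


def coverage(situation: Dict[str, int],
             criticality: Dict[str, int] = CRITICALITY) -> float:
    """Plant index as a fraction of the maximum index."""
    return plant_index(situation, criticality) / max_index(criticality)


def report(name: str, situation: Dict[str, int]) -> str:
    """Human-readable summary for one scenario."""
    lines = [f"{name}: index {plant_index(situation)}/{max_index()} "
             f"({coverage(situation):.0%})"]
    for tech, weight in gaps(situation):
        lines.append(f"  missing: {tech} (criticality {weight})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("Capital", CAPITAL))
    print(report("Countryside", COUNTRYSIDE))
```

Running the script prints the Capital index as 20/22 with IDS as the only gap, and the Countryside index as 10/22 with Firewall and Equipment with authentication (criticality 4 each) at the top of its gap list, which is where a remediation plan for that plant would start.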

CONCLUSIONS

For the execution of this study, research was carried out using up-to-date bibliographic references, covering a wide range of subjects from the information security area, with emphasis on industrial systems and industrial networks, as well as research pertaining to information security in the global context.

Firstly, it is important to emphasize that preparing a methodology for the secure implementation of a water treatment plant is a complex task, from both the technical and the managerial standpoint. In this perspective, an approach and a definition are proposed by means of a secure implementation methodology based on the needs of the corporation.

The ISA 99 set of security standards provides guidelines for security and managerial elements, with the main objective of obtaining conformity for all security elements, including both basic and strategic concepts; however, it does not cover practices, procedures and rules for the application or execution of a secure method of implementation. Accordingly, this study addresses this deficiency by proposing a secure implementation methodology for water treatment plants, which can be adapted, with modifications, to other types of equally critical industrial systems.

The execution of the stages of this study has contributed to the knowledge of the behavior of a water treatment station, with the definition of the flow chart and all the stages that make up the cycle. The characterization process has enabled knowledge to be gained on the industrial equipment, on the system that executes data control and acquisition, and on the protocols used.

The development of a system to characterize the stages of water treatment has enabled the behavior of, and the impacts on, the interaction between equipment in an industrial plant to be ascertained. The experiments carried out to detect critical events have proven to be adaptable to the environment, and they are equally linked to the stages, to knowledge of the entire flow and to the criticality of the process. The events considered critical were detected as expected, according to the business of the enterprise; however, a real-world deployment and the use of some artificial intelligence techniques are still necessary.

Private companies, which have mostly just started to manage water treatment plants, are planning greater investment in and attention to the secure automation of plants that are still vulnerable; this same concern is usually not observed in public management.

Finally, the use of security techniques in conjunction with the ISA 99 standards in this study may create benefits with regard to system security, and these may also be extended, with adaptations, to other equally critical environments, such as the power grid, nuclear plants and the petrochemical industry, among others.

References

ISA99 Security Guidelines and User Resources for Industrial Automation and Control Systems, 3rd Edition.

MARCIANO, J. L. P. Segurança da Informação: uma abordagem social. 2006. 212 p. Tese (Doutorado em Ciências da Informação) – Universidade de Brasília, Brasília, 2006.

KRUTZ, R. L. Securing SCADA Systems. Indianapolis: Wiley Publishing, Inc., 2006.

MARTINS, A. B.; SANTOS, C. A. S. Metodologia para implantação do sistema de gestão da segurança da informação. Revista de Gestão da Tecnologia e Sistemas de Informação, v. 2, n. 2, p. 121-136, 2005.

TORRES, J. M. Analyzing risk and uncertainty for improving water distribution system security from malevolent water supply contamination events. 2008. Thesis (Master’s) – Office of Graduate Studies of Texas A&M University, Texas, 2008.

WILES, J. et al. Techno Security's Guide to Securing SCADA: a comprehensive handbook on protecting the critical infrastructure. Burlington: Syngress, 2008.

HAMOUD, G.; CHEN, R.-L.; BRADLEY, I. Risk Assessment of Power Systems SCADA. In: Power Engineering Society General Meeting, 2003, Toronto, Canada. Proceedings… Toronto, Canada: IEEE, 2003. 4 v.

List of Acronyms:

ANSI .................. American National Standards Institute

ASCE ................. American Society of Civil Engineers

AWWA .............. American Water Works Association

BS ..................... British Standard


DFMEA ............. Design Failure Modes and Effects Analysis

DOS................... Denial of Service

WTS .................. Water Treatment Station

FMEA ................ Failure Modes and Effects Analysis

FTA ................... Fault Tree Analysis

HAZOP .............. Hazard and Operability Studies

HIDS .................. Host-Based Intrusion Detection

HMI .................. Human Machine Interface

IDS .................... Intrusion Detection System

IEC ................... International Electrotechnical Commission

IPS..................... Intrusion Prevention System

ISA .................... International Society of Automation

ISO ................... International Organization for Standardization

----

Marcelo Azevedo, MSc, has worked for several large companies, including EDS, IBM and AT&T. He currently teaches computer networking at Politec, in Brazil, and is a PhD student in Electrical Engineering at USP.

Alaíde Martins, MSc, has worked for a long time in several large Water/Wastewater companies, is currently director of operations of a sewage treatment company at Odebrecht Ambiental, in Brazil, and is a PhD student in Electrical Engineering at USP.

Sergio Takeo, PhD, is a teacher at Universidade de São Paulo. He has experience in Electrical Engineering and Computer Science, with an emphasis on Advanced Computer Architectures.