Validating the Security Assurance of Industrial Automation Products
Andre Ristaino, ASCI Managing Director (ISA)
Graham Speake, Principal Systems Architect, Yokogawa
John Cusimano, Director of Security Services, Exida
ICSJWG Spring 2011
ISASecure™ (www.isasecure.org, www.ansi.org/isasecure)

Agenda
– ISA Security Compliance Institute (ISCI) Organization
– ISASecure Embedded Device Security Assurance Program
– Program benefits
– Who to contact for more information
– Questions

ISA Security Compliance Institute (ISCI) Organization

An ISA Owned Organization

2011 ASCI Board of Directors
– Chairman: ISA Past President (Nelson Ninin)
– Vice Chairman: ISA VP Stds./Practices (Donald Dunn)
– Secretary: ISA Exec. Director (Pat Gouhin)
– At Large – legal counsel (Hugh Webster)
– ISA Treasurer (Jim Keaveney)
– At Large – Compliance Expert (Michael Hamm)
– Designated Senior ISA Staff Director (vacant for 2010)

ISA Security Compliance Institute (ISCI): Who We Are
Consortium of Asset Owners, Suppliers, and Industry Organizations formed in 2007 under the ISA Automation Standards Compliance Institute (ASCI).
Mission:
– Establish a set of well-engineered specifications and processes for the testing and certification of critical control systems products
– Decrease the time, cost, and risk of developing, acquiring, and deploying control systems by establishing a collaborative industry-based program among asset owners, suppliers, and other stakeholders

ISCI Member Companies
ISCI membership is open to all organizations:
– Strategic membership level
– Technical membership level
– Informational membership level
Current membership:
– Chevron
– Egemin
– exida
– ExxonMobil
– Honeywell
– Invensys
– Siemens
– Yokogawa
– ISA99/ISCI Joint Working Group Liaison

ISASecure Designation
Trademarked designation that provides instant recognition of product security characteristics and capabilities.
Independent industry stamp of approval.
Similar to ‘Safety Integrity Level’ certification (ISO/IEC 61508).

ANSI/ACLASS Accredited Conformance Scheme
ISASecure Embedded Device Security Assurance (EDSA) certification is accredited as an ISO/IEC Guide 65 conformance scheme by ANSI/ACLASS. This includes both ISO/IEC 17025 and ISO/IEC 17011. Go to www.ansi.org/isasecure for details.
1. Provides global recognition for ISASecure certification
2. Independent CB accreditation by ANSI/ACLASS
3. ISASecure can scale on a global basis
4. Ensures the certification process is open, fair, credible, and robust

Why Do We Need Secure Devices?
Increased Industrial Control System exploits and attacks:
– Stuxnet
– Nearly 40 exploits released recently
Hacker conferences starting to have control system tracks:
– Black Hat
– Hacker Halted
Control systems using standard IT devices

ISASecure Certification Specification Process
– ISCI board defines scope and work process
– Technical steering committee manages working groups who draft specifications
– Specifications reviewed by external 3rd party if required
– Voted and approved by full ISCI voting membership
– Approved specifications adopted by ISCI Governing Board and posted on website
– Specifications developed to date have been donated to ISA for submission to the ISA99 Standards Committee

ISASecure Supplier Device Approval Process
– Supplier submits device to an ANSI/ACLASS chartered lab
– Chartered lab completes a three-part assessment:
  – Physically evaluates device for functional security (FSA)
  – Conducts communication robustness test (CRT) using an ISCI-approved test tool
  – Completes supplier audit (SDSA) of software development practices
– Chartered lab issues final assessment report and certification upon successful test and audit

ISA 99 Work Products

ISCI Program Outreach
– Website: www.isasecure.org
– ISASecure EDSA Certification Specifications and Program Definition Documents approved and posted for public access at www.isasecure.org
– ISCI Board donated the EDSA FSA and SDSA technical specifications to the ISA-99 Committee via the ISA99-ISCI Joint Working Group
– Webinar series throughout 2011

ISASecure Embedded Device Security Assurance Program

Embedded Device
Special-purpose device running embedded software designed to directly monitor, control, or actuate an industrial process.
Examples:
– Programmable Logic Controller (PLC)
– Distributed Control System (DCS) controller
– Safety Logic Solver
– Programmable Automation Controller (PAC)
– Intelligent Electronic Device (IED)
– Digital Protective Relay
– Smart Motor Starter/Controller
– SCADA Controller
– Remote Terminal Unit (RTU)
– Turbine controller
– Vibration monitoring controller
– Compressor controller

Embedded Device Security Assurance Certification
Software Development Security Assurance (SDSA)
– Detects and avoids systematic design faults
– The vendor’s software development and maintenance processes are audited
– Ensures the organization follows a robust, secure software development process
Functional Security Assessment (FSA)
– Detects implementation errors / omissions
– A component’s security functionality is audited against its derived requirements for its target security level
– Ensures the product has properly implemented the security functional requirements
Communications Robustness Testing (CRT)
– Identifies vulnerabilities in networks and devices
– A component’s communication robustness is tested against communication robustness requirements
– Tests for vulnerabilities in the 4 layers of the OSI Reference Model
Integrated Threat Analysis (ITA)
– Provides a common perspective on how threat scenarios can be sufficiently covered
– Documents the expected resistance of the system to potential threat agents and threat scenarios
– Clearly documents expected user measures versus inherent product protection measures

ISASecure Levels
Each level (LEVEL 1, LEVEL 2, LEVEL 3) comprises Communication Robustness Testing, Software Development Security Assessment, and Functional Security Assessment.
Requirements Necessary to Achieve Certification Levels (count of requirements in the specification):
           Level 1    Level 2    Level 3
  SDSA     130        149        170
  FSA      20         49         82
  CRT      All CRT Common Specification plus all 6 Protocol CRT Specifications (all levels)

Communications Robustness Test (CRT)
Measures the extent to which network protocol implementations on an embedded device defend themselves and other device functions against unusual or intentionally malicious traffic received from the network. Inappropriate message response(s), or failure of the device to continue to adequately maintain essential services, demonstrates potential security vulnerabilities within the device.
Common CRT Requirements (EDSA-310)
Protocol CRT specifications:
– Ethernet (EDSA-401)
– ARP (EDSA-402)
– IPv4 (EDSA-403)
– ICMP (EDSA-404)
– UDP (EDSA-405)
– TCP (EDSA-406)

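The two CRT failure modes named above (an inappropriate response to a malformed message, or loss of an essential function while malformed traffic arrives) are easiest to see from the device side. The following is an added example, not ISCI or EDSA code and not the Achilles tool: a toy Ethernet/IPv4/UDP handler that validates every length field against the bytes actually present, plus a toy device whose essential function must keep ticking no matter what it receives. The frames, addresses and ports are constructed values, and checksums are not verified.

```python
import struct

# Constants for the three protocol layers this toy handler understands.
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPV4_MIN_HDR_LEN = 20
IPPROTO_UDP = 17
UDP_HDR_LEN = 8


def parse_frame(frame: bytes):
    """Parse an Ethernet/IPv4/UDP frame defensively.

    Returns (src_port, dst_port, payload) for a well-formed frame and None for
    anything malformed. Every length field is checked against the bytes that
    are actually present before it is used as an index, so truncated or
    inconsistent input is rejected rather than raising or over-reading.
    (Checksums are not verified here; a real stack would also check them.)
    """
    if len(frame) < ETH_HDR_LEN:
        return None  # runt frame
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None  # ARP etc. would be handled by their own parser
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < IPV4_MIN_HDR_LEN:
        return None
    ver_ihl = ip[0]
    (total_len,) = struct.unpack_from("!H", ip, 2)
    proto = ip[9]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < IPV4_MIN_HDR_LEN or total_len < ihl or total_len > len(ip):
        return None  # bad IHL, total length shorter than header, or truncated
    if proto != IPPROTO_UDP:
        return None
    udp = ip[ihl:total_len]
    if len(udp) < UDP_HDR_LEN:
        return None
    src_port, dst_port, udp_len = struct.unpack_from("!HHH", udp, 0)
    if udp_len < UDP_HDR_LEN or udp_len > len(udp):
        return None  # UDP length inconsistent with the IP total length
    return src_port, dst_port, bytes(udp[UDP_HDR_LEN:udp_len])


class EmbeddedDevice:
    """Toy device: handles network frames and, independently, ticks an
    essential control function. The CRT-style property checked below is that
    the tick keeps happening and no exception escapes, whatever arrives."""

    def __init__(self):
        self.accepted = 0
        self.rejected = 0
        self.ticks = 0

    def on_frame(self, frame: bytes):
        if parse_frame(frame) is None:
            self.rejected += 1
        else:
            self.accepted += 1
        self.ticks += 1  # essential function continues regardless of input


def build_frame(payload, ihl_words=5, total_len=None, udp_len=None, truncate=0):
    """Construct a test frame (addresses and ports are made-up values).
    The keyword arguments deliberately corrupt one field at a time, in the
    spirit of the malformed traffic a CRT sends."""
    if udp_len is None:
        udp_len = UDP_HDR_LEN + len(payload)
    udp = struct.pack("!HHHH", 40000, 5020, udp_len, 0) + payload
    if total_len is None:
        total_len = IPV4_MIN_HDR_LEN + len(udp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                         0, 0, 64, IPPROTO_UDP, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    eth_hdr = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    frame = eth_hdr + ip_hdr + udp
    return frame[:len(frame) - truncate] if truncate else frame


def run_robustness_check():
    """Feed one good frame and several malformed ones; return the counters."""
    dev = EmbeddedDevice()
    frames = [
        build_frame(b"\x01\x02"),                   # well-formed
        build_frame(b"\x01\x02", truncate=3),       # cut short on the wire
        build_frame(b"\x01\x02", ihl_words=3),      # IHL below the 20-byte minimum
        build_frame(b"\x01\x02", total_len=9000),   # total length beyond the buffer
        build_frame(b"\x01\x02", udp_len=500),      # UDP length beyond the IP payload
        b"\xff" * 5,                                # runt frame
    ]
    for f in frames:
        dev.on_frame(f)
    return dev.accepted, dev.rejected, dev.ticks


if __name__ == "__main__":
    print(run_robustness_check())  # (1, 5, 6)
```

The check passes when exactly the well-formed frame is accepted, every corrupted frame is rejected rather than crashing the handler, and the tick counter equals the number of frames delivered; a handler that indexed into the packet using the attacker-supplied length fields before checking them would fail on the truncated and over-long cases.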
Functional Security Assessment (FSA): Security Feature Tests
Purpose:
– Verification and validation that the device or system under test incorporates a minimum set of security features needed to counteract common security threats
Composition:
– Set of requirements, derived from existing reference standards and traceable to the source standard
– One or more acceptable solutions (countermeasures) identified for each requirement
– If applicable, procedures to verify the requirement has been satisfied

Structure of FSA Requirements
– Access Control: user authorization, user authentication, system use notification, session locking/termination
– Use Control: device authentication, audit trail
– Data Integrity: data in transit, data at rest
– Data Confidentiality: data in transit, data at rest, crypto
– Restrict Data Flow: information flow enforcement, application partitioning, function isolation
– Timely Response to Event: incident response
– Network Resource Availability: denial of service protection, backup & recovery

Software Development Security Assessment (SDSA): Secure Software Engineering
Purpose:
– Verification and validation that software for the device or system under test was developed following appropriate engineering practices to minimize software errors that could lead to security vulnerabilities
Composition:
– Set of requirements, derived from existing reference standards and traceable to the source standard (IEC 61508, ISO/IEC 15408)
– One or more acceptable arguments identified for each requirement

Security Development Lifecycle

EDSA Certification Process: Typical Chartered Lab Level of Effort in Man-Weeks
1. CRT test of all accessible TCP/IP interfaces: 1 – 2 weeks (all levels)
2. Perform FSA on device and all interfaces: < 1 week (Level 1), 1 week (Level 2), 1 – 2 weeks (Level 3)
3. Audit supplier’s software development process: 1 week to 1 – 2 weeks, depending on level
4. Perform ITA and issue report: 1 week (all levels)
Total: 3 – 5 weeks (Level 1), 4 – 6 weeks (Level 2), 4 – 10 weeks (Level 3)

Why ISASecure?

Benefits
End-user:
– Easy to specify
– Build security requirement into RFP
– Reduced time in FAT/SAT
– Know security level out of the box
Supplier:
– Evaluated once
– Recognition for effort
– Build in security
– Product differentiator

Who to contact for more information

Who to Contact to Certify Products
ISASecure EDSA Chartered Lab: exida
John Cusimano, Director of Security Services
Phone: (215) 453-1720
Fax: (215) 257-1657
Email: jcusimano@exida.com
Website: http://www.exida.com

Who to Contact for CRT Test Tool
Wurldtech Security Technologies, Inc. (http://www.wurldtech.com)
Greg Maciel, Achilles Sales Manager
Phone: (949) 300-4040
Email: gmaciel@wurldtech.com

Who to Contact for ISCI Membership
Andre Ristaino, Managing Director, ASCI
Direct Phone: 919-990-9222
Fax: 919-549-8288
Email: aristaino@isa.org
Website: http://www.isasecure.org

Q&A
Questions?

FAQ’s
1. Who will perform ISASecure certification assessment and testing?
ANSI/ACLASS accredits organizations (called “chartered labs”) to perform ISASecure certification evaluations. ISCI will also recognize test platforms designed to perform communication robustness testing for use by these organizations and by device vendors in preparation for certification.
2. Who will grant ISASecure certifications?
The chartered labs will register ISASecure certified devices when the device has passed the ISASecure certification requirements. ISCI will publish a list of certified products on its web site.
3. Describe the first ISASecure certification that will be available.
The ISASecure Embedded Device Security Assurance Certification is the first certification offered. The certification will include all three certification elements: software development security assessment, functional security assessment, and communication robustness testing.

4. How were the ISASecure certification criteria developed?
The ISASecure effort has leveraged the substantial existing work in general cyber security and process control system cyber security. The SDSA and FSA criteria are aligned wherever possible with draft work products of the ISA SP-99 committee. The Software Development Security Assessment requirements are ultimately traceable to requirements in the following source documents:

SDSA Specification Development: Reference Standards for Software Development Security Assessment
[N4] ISO/IEC 15408-1 through 15408-3, Information technology — Security techniques — Evaluation criteria for IT security — Part 1 through Part 3
[N6] IEC 61508 Part 3, Functional safety of electrical/electronic/programmable electronic safety-related systems: Software Development
[N7] RTCA/DO-178B, Software Considerations in Airborne Systems and Equipment Certifications
[N8] M. Howard, S. Lipner, The Security Development Lifecycle, Microsoft Press (June 28, 2006), ISBN-13: 978-0735622142
[N9] OWASP CLASP (Comprehensive, Lightweight Application Security Process)

The Functional Security Assessment requirements are ultimately traceable to requirements in the following source documents:

Functional Security Assessment Reference Standards
[N1] ISA-99.01.03 D2 20090527, Security for Industrial Automation and Control Systems: System Security Requirements and Security Assurance Levels
[N2] NERC Standards CIP-001-1 through CIP-001-9, North American Electric Reliability Council Cyber Security Standards
[N3] NIST 800-53, Recommended Security Controls for Federal Information Systems
[N4] ISO/IEC 15408-1 through 15408-3, Information technology — Security techniques — Evaluation criteria for IT security — Part 1 through Part 3
[N5] Department of Homeland Security, Catalog of Control Systems Security: Recommendations for Standards Developers

5. Will a vendor that has already obtained a certification for a device be allowed to submit those results for the ISASecure certification?
Yes. ISCI has identified specific certifications from which pre-existing artifacts may be offered as evidence for meeting specific certification requirements in the ISASecure specification. For example, an organization that has already received an IEC 61508 certification for a device may submit artifacts on its software development practices to satisfy specific requirements in the ISASecure Software Development Security Assurance specification section of the EDSA certification.