1. Slide 1 Using Models Introduced in ISA-d99.00.01 Standard: Security of Industrial Automation and Control Systems (IACS) Rahul Bhojani ISA SP99 WG4 Meeting in Scottsdale, AZ June 26, 2007

2. Slide 2 Example Approach to IACS Security using Models Introduced in ISA-d99.00.01 Identify IACS components and develop architecture drawing Group IACS components into Zones and Conduits Conduct risk assessment and assign target Security Level to Zones and Conduits Identify technical and administrative countermeasures to achieve the target Security Level Implement technical and administrative countermeasures to achieve the target Security Level Maintain effectiveness of implemented technical and administrative countermeasures

3. Slide 3 Identify IACS Components and Develop Architecture Drawing Engr. Stn Controller + I/O Fieldbus HMIApp. Stn Engr. Stn Controller + I/O Fieldbus App. StnHMI Plant A Plant B Data Historian Analysis Tools MES Applications Example architecture of a site with multiple plants

4. Slide 4 Zone is a grouping of logical or physical assets that share common security requirements Conduit is a logical grouping of communication assets that protects the security of the channels it contains in the same way that a physical Conduit protects cables from physical damage Channel is a specific communication link established within a communication conduit Group IACS components into Zones and Conduits

5. Slide 5 Example Zones and Conduit for a Site with Multiple Plants

6. Slide 6 Example of Multiple Zones within a Single Plant

7. Slide 7 The level of granularity used to identify Zones and Conduits will depend on various factors which include: Size of IACS Location of IACS components Company policy and organization Type of assets associated with IACS Criticality of assets associated with IACS Granularity of Zones and Conduits

8. Slide 8 The Security Level model proposed in the standard provides the ability to categorize risk associated with a Zone or Conduit Security Level corresponds to the required effectiveness of technical or administrative countermeasures and inherent security properties of IACS components within a Zone or Conduit Security capabilities of IACS components and implemented technical and administrative countermeasures must function with each other to achieve a desired Security Level A minimum of three Security Levels have been proposed in the ISA-99 standard. Each organization should establish a definition of what each SL represents Security Levels

9. Slide 9 SL(Target) – Target SL is assigned to a Zone or Conduit during risk assessment Factors that influence determination of SL(Target) for a Zone are: –Network architecture with defined zone boundaries and conduits –SL(Target) of the zones with which the zone under consideration will communicate with –SL(Target) of conduit, if assigned, used for communication by the zone –Physical access to devices and systems within the zone Target Security Level for Zone or Conduit

10. Slide 10 Qualitative approach - Example using a Risk Matrix Quantitative approach using risk measures based on consequence and incident frequency estimation In both cases, target SL determines the required effectiveness of technical and administrative security countermeasures that will reduce the incident frequency and thereby the risk to an acceptable level Conduct Risk Assessment and Assign Target Security Level to Zone or Conduit

11. Slide 11 Take into consideration all possible scenarios, considering all internal and external threats, that can lead to an incident –Internal threats: Untrained or disgruntled employees –External threats: Connection to the Internet or allowing partner companies to access IACS components Identify Incident Scenarios for each Zone or Conduit Typical DCS Connections

12. Slide 12 Qualitative approach – Selection from a combination of prescriptive technical and/or administrative counter- measures corresponding to each SL Quantitative approach – Conduct an analysis taking into consideration event frequencies and probability of failure of countermeasures Identify countermeasures to Achieve Target Security Level for Zone or Conduit Example quantitative analysis for an Windows based HMI

13. Slide 13 SL(Achieved) depends several factors: –SL(Capability) of countermeasures associated with zone or conduit and inherent security properties of devices and systems within the zone or conduit –SL (Achieved) by the zones with which communication is to be established –Type of conduits and security properties associated with the conduits used to communicate with other zones (zones only) –Effectiveness of countermeasures –Audit and testing interval –Attacker expertise and resources available to attacker –Degradation of countermeasures and inherent security properties of devices and systems over time –Available response time on intrusion detection Security Level Achieved for Zone or Conduit

14. Slide 14 SL(Capability) is a measure of the effectiveness of the countermeasure, device, or system for the security property that they address Example security properties: –proving peer entity authenticity –preserving authenticity and integrity of messages –preserving confidentiality of messages/information/communication –ensuring accountability –enforcing access control policies –preventing denial-of-service attacks –maintaining platform trustworthiness –detecting tampering –monitoring security status Security Level Capability of Devices, Systems, and Countermeasures

15. Slide 15 SL(Capability) – Qualitative measure until sufficient quantitative data on probability of failure is available An evaluation of the effectiveness of technical countermeasures shall take into consideration: –Development process – Availability of written procedures, quality management plan etc, which help reduce systematic errors such as software bugs, memory leaks etc. that may impact security –Testing – Level of testing for each security property addressed by the countermeasures, device or system. Test data may also be inferred from previously assessed systems. –Data Collection – Number of times a zone or conduit was compromised due to a flaw in a similar countermeasure, device or system. Rate and criticality of vulnerabilities discovered for the countermeasure, device or system Administrative countermeasures shall be used when technical countermeasures are not feasible Security Level Capability of Devices, Systems, and Countermeasures …

16. Slide 16 Maintain Effectiveness of Technical and Administrative Countermeasures Countermeasures and inherent security properties of devices and systems will degrade over time due to –discovery of new vulnerabilities –improved attackers skills –attacker familiarity with existing countermeasures, –availability of better resources to attackers The effectiveness of countermeasures and inherent security properties of devices and systems shall be audited and/or tested at regular intervals and whenever new vulnerabilities are discovered based on procedures that will audit and/or test at least the security properties relevant to the zone. Countermeasure shall be updated and upgraded based on audit and testing results to maintain SL(Achieved) equal to or better than SL(Target)

17. Slide 17 Security Level Lifecycle Model

18. Slide 18 Questions?