Presentation is loading. Please wait.

Presentation is loading. Please wait.

ISPE Cyber Security S99 Update December 08, 2009.

Published byJune Anderson Modified over 8 years ago

Similar presentations

Presentation on theme: "ISPE Cyber Security S99 Update December 08, 2009."— Presentation transcript:

1 ISPE Cyber Security S99 Update December 08, 2009

2 Topics to be covered  Does it matter?  Activity  ISA S99  S99 Work completed  S99 Work in progress

3 SCADA Specific information Freely available Documented case

4 DCS Controls Systems Security Program (CSSP) administered by DHS 15 ICS assements 245 vulnerabilities All systems at risk Not inclusive, only most critical vulnerabilities identified

5 Activity Standards  NERC CIP  Chemical Sector Guidance Documents  NIST 800-53  NIST 800-82  ANSI/ISA-TR99.00.01- 2007  ANSI/ISA-99.00.01-2007  ISA-99.00.02 (Draft)  DHS Certifications  CISP  CISM ®  CGIET ®  CISA ®  ISP

6 Why a industrial security standard? IT IT Security Control Systems Control System Cyber Security Copyright © 2009 ISA

7 Multiple Perspectives 7 The right Balance of Understanding in: Industry Sector drivers Control Vendor Limitations User Implementation Challenges Economic/Financial Burdens Community acceptance Community Support Requirements

8 Committee Scope The ISA99 Committee addresses industrial automation and control systems whose compromise could result in any or all of the following situations:  endangerment of public or employee safety  loss of public confidence  violation of regulatory requirements  loss of proprietary or confidential information  economic loss  impact on entity, local, state, or national security 8

9 Participation  Over 250 members from more than 200 companies  Sectors include:  Chemical Processing  Petroleum Refining  Food and Beverage  Power  Pharmaceuticals  Process Automation Suppliers  IT Suppliers  Government Labs  Consultants 9

10 Work Product Types (*)  STANDARD: A document that embodies requirements (normative material) that, if not followed, could directly affect safety, interchangeability, performance, or test results. In general, such requirements should already be widely recognized and used. Standards also include Draft Standards for Trial Use (DSTU), which are draft standards intended for subsequent submittal to ANSI for approval as American National Standards. A standard may contain informative material as long as it is clearly identified as such.  RECOMMENDED PRACTICE: A document that embodies recommendations (informative material) that are likely to change because of technological progress or user experience, or which must often be modified in use to accommodate specific needs or problems of the user of the document.  TECHNICAL REPORT: A document that embodies informative material. For example, reports of technical research, tutorials, and factual data obtained from a survey, or information on the "state-of-the-art" in relation to standards on a particular subject. (*) – From ISA Standards and Practices Department Procedures 10

11 Common Topics Across Standards… Common Concepts, Models & Terminology (ISA99.01.xx) Management System (ISA99.02.xx) System Technical Requirements (ISA99.03.xx) Component Technical Requirements (ISA99.04.xx) Reference Architecture & Models Zones and Conduits Foundational Requirements Terminology 11 Copyright © 2009 ISA

12 ISA99 Work Products (*) ISA-99.02.01 Establishing an IACS Security Program ISA-99.01.01 Terminology, Concepts And Models ISA-99.02.02 Operating an IACS Security Program ISA-TR99.01.02 Master Glossary of Terms and Abbreviations ISA-TR99.02.03 Patch Management in the IACS Environment ISA-99.03.04 Product Development Requirements ISA-99.04.01 Embedded Devices ISA-99.04.02 Host Devices ISA-99.04.03 Network Devices ISA-99.04.04 Applications, Data And Functions Security Program Technical - System Technical - Component ISA99 Common ISA-99.03.03 System Security Requirements and Security Assurance Levels was Foundational Requirements was ISA-99.01.03 ISA-TR99.03.01 Security Technologies for Industrial Automation and Control Systems was ISA-TR99.00.01-2007 ISA-99.03.02 Security Assurance Levels for Zones and Conduits was Target Security Levels ISA-99.01.03 System Security Compliance Metrics was ISA-99.03.03 12 Copyright © 2009 ISA

13 Phased Approach to Requirements Standards Part TitleScope and Purpose Primary UsersExpected Publication Date Technical Requirements: Target Security Levels  Use NIST 800-53 mapping to establish target security levels  Includes high-level description of domains including their zones and conduits  Asset owner  Security system architect  System integrator  System providers including 3 rd party outsources Mid 2009 Technical Requirements: System Security Compliance Metrics Defines measurable compliance metrics that are context specific  Asset owner  Security system architect  System integrator  ISA Compliance Institute  System providers including 3 rd party outsources Late 2009 Technical Requirements: Allocation to Subsystems and Components  Normative specification of security requirements including rationale and supporting use cases based on example reference models  Includes detailed description of domains including their zones and conduits  Asset owner  Security system architect  System integrator  ISA Compliance Institute  System, subsystem and component providers including 3 rd party outsources 2013 Note: this part could be further subdivided to improve timeliness of publication 13 Copyright © 2009 ISA

14 Guidelines for Implementing RequirementsRisk Analysis Countermeasure Selection DesignImplementation Continuous Improvement ISA-TR99.00.01 ISA-99.00.01 ISA-99.00.02 ISA-99.00.03 ISA-99.00.04  Part 1 for Definition, Requirements, and “Coming to Terms with Terms”  Part 2 for Program Elements from Business Case to Implementation  Technical Report 1 for Evaluation and Selection of Countermeasures  Part 3 for Performance and Benefit Driven Analysis and Continuous Improvement  Part 4 for Vendors and Asset Owners to Specify and Build More Secure Components – Similar to SIL Copyright © 2009 ISA

15 Work Products List (1/2) ISA NumberIEC Number (per IEC SMB) Work Product SubjectStatus ISA-99.01.01IEC/TS 62443-1-1Terminology, Concepts And ModelsReleased ISA- TR99.01.02 IEC/TR 62443-1- 2 Master Glossary of Terms and Abbreviations Draft ISA-99.01.03IEC 62443-1-3Security Compliance MetricsDraft ISA-99.02.01IEC 62443-2-1Establishing an IACS Security ProgramReleased ISA-99.02.02IEC 62443-2-2Operating an IACS Security ProgramProposed ISA- TR99.02.03 IEC/TR 62443-2- 3 Patch Management in the IACS Environment Proposed Copyright © 2009 ISA 15 October 2009

16 Work Products List (2/2) ISA NumberIEC Number (per IEC SMB) Work Product SubjectStatus ISA- TR99.03.01 IEC/TR 62443-3- 1 Security Technologies for Industrial Automation and Control Systems Released ISA-99.03.02IEC 62443-3-2Security Assurance Levels for Zones and Conduits Draft ISA-99.03.03IEC 62443-3-3System Security Requirements and Security Assurance Levels Draft ISA-99.03.04IEC 62443-3-4Product Development RequirementsProposed ISA-99.04.01IEC 62443-4-1Embedded DevicesProposed ISA-99.04.02IEC 62443-4-2Host DevicesProposed ISA-99.04.03IEC 62443-4-3Network DevicesProposed ISA-99.04.04IEC 62443-4-4Applications, Data and FunctionsProposed Copyright © 2009 ISA 16 October 2009

17 Connecting with Others ISA100 (Wireless) ISA84 (Safety) ISCI (Compliance) MSMUG ISA99 Committee (Standards) IEC (International) Copyright © 2009 ISA 17 October 2009

Download ppt "ISPE Cyber Security S99 Update December 08, 2009."

Similar presentations

Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.
ISA 99 Technical Requirements Situation assessment as seen by Dennis Holstein, Lead Editor 13 November 20081ISA99WG04.

ISA 99 Technical Requirements Situation assessment as seen by Dennis Holstein, Lead Editor 13 November 20081ISA99WG04.
Cyber Security and the Smart Grid George W. Arnold, Eng.Sc.D. National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Cyber Security and the Smart Grid George W. Arnold, Eng.Sc.D. National Institute of Standards and Technology (NIST) U.S. Department of Commerce
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Management of IT Environment (5) LS 2012/2013 1 Martin Sarnovský Department of Cybernetics and AI, FEI TU Košice ITIL:Service Design IT Services Management.

Management of IT Environment (5) LS 2012/ Martin Sarnovský Department of Cybernetics and AI, FEI TU Košice ITIL:Service Design IT Services Management.
© Copyright 2009 TEM Consulting, LP - All Rights Reserved Presentation To Travis County, TX - May 27, 2009Rev 1 – 05/22/09 - HSB US Voting System Conformity.

© Copyright 2009 TEM Consulting, LP - All Rights Reserved Presentation To Travis County, TX - May 27, 2009Rev 1 – 05/22/09 - HSB US Voting System Conformity.
Risk Assessment Frameworks

Risk Assessment Frameworks
Breakout Group 2: Software Quality Assurance Outcome 8/18/10 1.

Breakout Group 2: Software Quality Assurance Outcome 8/18/10 1.
Development and Quality Plans

Development and Quality Plans
Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.

Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.
ISO 9001:2015 Revision overview - General users

ISO 9001:2015 Revision overview - General users
What is Business Analysis Planning & Monitoring?

What is Business Analysis Planning & Monitoring?
The LOGIIC Consortium Zachary Tudor, CISSP, CISM, CCP Program Director SRI International.

The LOGIIC Consortium Zachary Tudor, CISSP, CISM, CCP Program Director SRI International.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Lessons Learned in Smart Grid Cyber Security

Lessons Learned in Smart Grid Cyber Security
Standards Certification Education & Training Publishing Conferences & Exhibits 1Copyright © 2007 ISA ISA 99 WG4 Technical Requirements Organization and.

Standards Certification Education & Training Publishing Conferences & Exhibits 1Copyright © 2007 ISA ISA 99 WG4 Technical Requirements Organization and.

Similar presentations

Ads by Google