037 Prosalus Easton
Safety System Security
IEC 61511 (2nd edition, clause 8.2.4) states that an SRA must be carried out to identify the security vulnerabilities of the SIS.
The SRA output needs to include:
1. A description of the devices covered by the SRA – what is the scope of the System under Consideration (SuC);
2. A description of the identified threats that could exploit vulnerabilities and result in security events;
3. The potential consequences resulting from the security events and the likelihood of these events occurring;
4. Consideration of vulnerabilities and threats at all of the lifecycle phases;
5. The determination of requirements for additional risk reduction;
6. A description of, or references to information on, the security and compensating measures to be taken to reduce or remove the threats.
A description of the devices covered by the SRA

IEC 62443-2-1 example IACS asset table (the rating columns are blank on the slide):

IACS Device               | Asset | Consequence rating | Likelihood rating | IACS Device Risk Level
Operator control room HMI |       |                    |                   |
Remote operator panel     |       |                    |                   |
Engineering Workstation   |       |                    |                   |
Historian Server          |       |                    |                   |
Controller                |       |                    |                   |
Pressure Sensor           |       |                    |                   |
Valve Positioner          |       |                    |                   |
Gateway                   |       |                    |                   |

Clearly document the IACS and associated assets. Gather and organise information such as:
- System architecture diagrams – components, connectivity & location
- Network diagrams – physical construct and assignments
- Devices (Ethernet & IP address)
- Configurations – hardware & software (scan & map tools)
- Identify known vulnerabilities
Security Vulnerability Assessments (the clever stuff)
High level – gap assessment:
- Assessment of existing operational procedures and practices
- Interviews, site audit, review of drawings, sample configurations, questionnaire
  (the questionnaire could make use of the US ICS-CERT Cyber Security Evaluation Tool, CSET)
Passive vulnerability assessment:
- Review of architecture & network drawings, and traffic analysis tools
- Research using vulnerability databases – ICS-CERT, NVD, Nessus plugins
Active vulnerability assessment:
- Active network scanning
- Active vulnerability scanning
- Penetration test (e.g. Metasploit)
Active scanning and penetration testing should not be run against a live SIS or controller network without vendor agreement and a planned outage: controllers and field devices can fault or lose communications when probed, so use a test system or a shutdown window.
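The asset table above and the passive assessment step (research against vulnerability databases) come together in the following added example, which is not from the slides, IEC 62443-2-1 or any vendor: the example IACS asset table is held as data, each asset's firmware or software version is checked against a small constructed advisory feed in the style of an ICS-CERT/NVD record, and SIS-zone assets with no available fix are flagged as needing a compensating measure. Every vendor, product, version and advisory ID below is made up for illustration; the "ExampleVendor" products and "EXAMPLE-ADV-*" identifiers are not real.

```python
"""Added example (not from the slides): the IEC 62443-2-1 example IACS asset
table as data, matched against a constructed vulnerability feed the way a
passive vulnerability assessment would use ICS-CERT/NVD records.
All vendors, products, versions and advisory IDs are invented."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str          # IACS device, as in the example asset table
    zone: str          # security zone the device sits in (BPCS, SIS, DMZ, ...)
    ip: Optional[str]  # None for hard-wired 4-20 mA field devices
    vendor: str
    product: str
    version: str


@dataclass
class Advisory:
    advisory_id: str
    vendor: str
    product: str
    fixed_in: Optional[str]  # first fixed version; None means no fix is available
    cvss: float
    summary: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version string -> comparable tuple, e.g. '3.2.1' -> (3, 2, 1)."""
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected if vendor/product match and its version is below the fix (or no fix exists)."""
    if (asset.vendor.lower(), asset.product.lower()) != (adv.vendor.lower(), adv.product.lower()):
        return False
    if adv.fixed_in is None:
        return True
    return parse_version(asset.version) < parse_version(adv.fixed_in)


def match_known_vulnerabilities(assets: List[Asset], advisories: List[Advisory]) -> List[Tuple[str, str, float]]:
    """Return (asset name, advisory id, CVSS) for every affected asset, highest CVSS first."""
    hits = [(a.name, adv.advisory_id, adv.cvss)
            for a in assets for adv in advisories if is_affected(a, adv)]
    return sorted(hits, key=lambda h: -h[2])


def needs_compensating_measure(assets: List[Asset], advisories: List[Advisory], zone: str = "SIS") -> List[str]:
    """Assets in the given zone hit by an advisory with no fix: patching is not an option,
    so the SRA has to record a compensating measure for them instead."""
    return [a.name for a in assets
            if a.zone == zone and any(is_affected(a, adv) and adv.fixed_in is None for adv in advisories)]


# Constructed inventory: the devices from the example asset table with invented details.
INVENTORY = [
    Asset("Operator control room HMI", "BPCS", "10.10.1.10", "ExampleVendor", "HMIRuntime", "3.2.1"),
    Asset("Remote operator panel", "BPCS", "10.10.1.11", "ExampleVendor", "HMIRuntime", "3.2.1"),
    Asset("Engineering Workstation", "Engineering", "10.10.1.20", "ExampleVendor", "EngTool", "5.0.0"),
    Asset("Historian Server", "DMZ", "10.10.2.5", "ExampleVendor", "Historian", "7.1.4"),
    Asset("Controller", "BPCS", "10.10.3.1", "ExampleVendor", "PLC-100", "2.8.0"),
    Asset("Pressure Sensor", "SIS", None, "ExampleVendor", "PT-200", "1.0.3"),
    Asset("Valve Positioner", "SIS", None, "ExampleVendor", "VP-50", "4.2.0"),
    Asset("Gateway", "SIS", "10.10.3.254", "ExampleVendor", "SafetyGW", "1.9.2"),
]

# Constructed advisory feed (invented IDs; not real CVEs or ICS-CERT advisories).
ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "ExampleVendor", "PLC-100", "2.9.0", 9.8, "unauthenticated logic download"),
    Advisory("EXAMPLE-ADV-0002", "ExampleVendor", "SafetyGW", None, 7.5, "hard-coded maintenance credentials"),
    Advisory("EXAMPLE-ADV-0003", "ExampleVendor", "HMIRuntime", "3.2.0", 8.1, "path traversal in project loader"),
    Advisory("EXAMPLE-ADV-0004", "ExampleVendor", "EngTool", "5.1.0", 6.5, "DLL search order hijack"),
]

if __name__ == "__main__":
    for name, adv_id, cvss in match_known_vulnerabilities(INVENTORY, ADVISORIES):
        print(f"{name}: {adv_id} (CVSS {cvss})")
    print("SIS assets needing a compensating measure:", needs_compensating_measure(INVENTORY, ADVISORIES))
```

The version comparison is deliberately the simplest thing that works for dotted numeric versions; real feeds use CPE match strings with version ranges, and ICS firmware often carries non-numeric build tags, so a production inventory check needs a proper version parser and a record of the exact firmware string read from each device rather than from the drawings.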
Zones and Conduits – ISA-TR84.00.09-2013 (p. 31)

[Figure A.3 – Example Network Security Architecture with Integrated 2 Zone SIS. Elements shown in the diagram: Internet; Enterprise firewall; Web server; WLAN; Enterprise network; Engineering domain controller and Engineering Workstation; IAMS; a BPCS controller and an SIS controller in separate zones; transmitters, block valves and a pump wired to the controllers over 4-20 mA and 24 VDC signals.]
A description of the identified threats that could exploit vulnerabilities and result in security events

[Figure: detailed risk assessment (DRAR) workflow from draft IEC 62443-3-2 – Security for IACS. Steps legible in the extract, with their inputs and outputs:
DRAR 1 – Identify threats: inputs are historical data and other threat information sources; output is a list of threats.
DRAR 2 – Identify vulnerabilities: inputs are the vulnerability assessment, prior audits, vulnerability databases, etc.; output is a list of vulnerabilities.
DRAR 3 – Determine consequences and impact: inputs are the threats, vulnerabilities, existing PHAs and other risk assessments; output is an assessment of impact.
(The intermediate steps, including an assessment of countermeasures, are not legible in the extract.)
DRAR 9 – Calculate residual risk: inputs are the updated likelihood, impact and corporate risk matrix; output is the residual cyber security risk.
DRAR 12 – Document and communicate results: output is the detailed risk assessment report.]
The determination of requirements for additional risk reduction

[Table not captured in the extract: IEC 62443-3-2 example table for mapping Cyber Risk Reduction Factor (CRRF) to Target Security Level (SL-T).]
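The DRAR workflow on the previous slide and the CRRF-to-SL-T mapping referenced here are illustrated by the following added example, which is not from the slides or from IEC 62443-3-2: one constructed threat scenario per asset is carried from threat and vulnerability (DRAR 1-2) through consequence and likelihood (DRAR 3) to unmitigated risk, CRRF and target SL, and then to residual risk after countermeasures (DRAR 9), with any scenario still above tolerable risk flagged as needing additional risk reduction. The 5x5 risk matrix, the tolerable risk value, the likelihood reductions credited to each countermeasure and the CRRF bands are all assumed for illustration; the real values come from the corporate risk matrix and from the IEC 62443-3-2 table.

```python
"""Added example, not from the slides or from IEC 62443-3-2: walks constructed
threat scenarios through the DRAR steps and a CRRF -> SL-T mapping.
Risk matrix, tolerable risk, countermeasure credits and CRRF bands are assumed."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed corporate risk matrix: 1..5 ordinal ratings, score = consequence x likelihood,
# banded into four levels (upper bound inclusive).
RISK_BANDS = [(4, "Low"), (9, "Medium"), (15, "High"), (25, "Very high")]
TOLERABLE_RISK = 5  # assumed: highest score accepted without further risk reduction

# Assumed CRRF -> SL-T bands (upper bound inclusive); CRRF = unmitigated risk / tolerable risk.
SL_T_BANDS = [(1.0, 0), (2.0, 1), (4.0, 2), (8.0, 3), (float("inf"), 4)]


def risk_score(consequence: int, likelihood: int) -> int:
    for v in (consequence, likelihood):
        if not 1 <= v <= 5:
            raise ValueError("ratings must be 1..5")
    return consequence * likelihood


def risk_level(score: int) -> str:
    return next(label for bound, label in RISK_BANDS if score <= bound)


def target_sl(crrf: float) -> int:
    return next(sl for bound, sl in SL_T_BANDS if crrf <= bound)


@dataclass
class Scenario:
    asset: str
    threat: str                               # DRAR 1
    vulnerability: str                        # DRAR 2
    consequence: int                          # DRAR 3: impact if the security event occurs
    likelihood: int                           # unmitigated likelihood
    countermeasures: List[Tuple[str, int]]    # (name, likelihood reduction credited), assumed values


@dataclass
class Result:
    unmitigated: int
    unmitigated_level: str
    crrf: float
    sl_t: int
    residual: int
    residual_level: str
    acceptable: bool


def assess(s: Scenario, tolerable: int = TOLERABLE_RISK) -> Result:
    unmitigated = risk_score(s.consequence, s.likelihood)
    crrf = unmitigated / tolerable
    # DRAR 9: countermeasures lower the likelihood; the consequence of losing the
    # safety function is unchanged, so a high-consequence asset stays high-consequence.
    reduced = max(1, s.likelihood - sum(r for _, r in s.countermeasures))
    residual = risk_score(s.consequence, reduced)
    return Result(unmitigated, risk_level(unmitigated), crrf, target_sl(crrf),
                  residual, risk_level(residual), residual <= tolerable)


def additional_risk_reduction_required(results: List[Result]) -> List[int]:
    """Indexes of scenarios whose residual risk still exceeds tolerable risk."""
    return [i for i, r in enumerate(results) if not r.acceptable]


# Constructed scenarios (not from the slides).
SCENARIOS = [
    Scenario("SIS engineering workstation",
             "malware introduced via removable media modifies the SIS logic",
             "no removable media control; logic download not key-protected",
             consequence=5, likelihood=4,
             countermeasures=[("USB port control", 1), ("application whitelisting", 1),
                              ("controller key switch left in RUN", 1)]),
    Scenario("Historian server (DMZ)",
             "exploitation of an unpatched service from the enterprise network",
             "missing vendor patch",
             consequence=2, likelihood=5,
             countermeasures=[("patch management", 2)]),
]

if __name__ == "__main__":
    results = [assess(s) for s in SCENARIOS]
    for s, r in zip(SCENARIOS, results):
        print(f"{s.asset}: unmitigated {r.unmitigated} ({r.unmitigated_level}), "
              f"CRRF {r.crrf:.1f} -> SL-T {r.sl_t}, residual {r.residual} ({r.residual_level}), "
              f"acceptable={r.acceptable}")
    print("scenarios needing additional risk reduction:", additional_risk_reduction_required(results))
```

Two design points are worth keeping even when the numbers are replaced by the real matrix: countermeasures are only ever credited against likelihood, never against the consequence of a lost safety function, and the target SL is derived from the unmitigated risk, so adding countermeasures later changes the residual risk but not the SL-T the zone has to be designed to.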
Description of, or information on, the security and compensating measures taken to reduce or remove the threats
The countermeasures that address a specific risk differ from system to system; for example, different authentication rules apply to controllers than to HMIs.
Countermeasures must be documented together with the procedure or guidance for using them.
The IEC 62443 approach is similar to that of IEC 61508: it identifies control measures that can be used to demonstrate that risk has been reduced, broken down by requirement in IEC 62443-3-3.
Consideration of vulnerabilities and threats at all of the lifecycle phases
The ISA-TR84.00.09 management process identifies additional requirements for cyber security, including:
Clause 5 – Management of functional safety: inventory of vulnerabilities, risk assessment, security of operation, host protection, patch and upgrade management, confidentiality of cyber security information;
Clause 8 – Additional requirements for security protection, with potential threats taken from IEC 62443 guidance;
Clause 9 – To include security countermeasures, and compensating measures for when it is not possible to implement security countermeasures in the SIS;
Clause 10 – The SRS should have a section dedicated to countermeasures, specifically considering that the countermeasures do not degrade SIS performance such as response time or field devices;
Clauses 11 & 12 – Additional requirements for when full independence and segregation is not feasible, based on air gap, integrated zone hierarchy and firewalls; the vendor is to supply security concepts that cover the SIS lifecycle;
Clauses 14 & 15 – Consideration of mechanical integrity and ongoing cyber security;
Clause 16 – Ongoing cyber security, such as protection during backup and restoration, patches and upgrades, remote access, bypasses and checking of tools;
Clauses 17 & 18 – Modifications to SIS-related security countermeasures should follow the MOC programme, with an impact analysis carried out that includes access control, authorisation and reasons for access, and virus checking and control.
Cyber Security – Competency and Training for C&I Engineers
OG-0086 (HSE operational guidance) – Cyber Security for IACS identifies BS EN 61511 as the recognised good practice (RGP).
The reference is to the 2nd edition, clause 8.2.4, requirements for a Security Risk Assessment (SRA).
Both OG-0086 and IEC 61511 reference IEC 62443 as the applicable international standard, and ISA-TR84.00.09-2013 – Security Countermeasures Related to Safety Instrumented Systems (SIS) – as the relevant standards for IACS SRA and implementation.
OG-0086 Framework
Process for the management of Cyber Security for IACS
[Diagram not captured in the extract.]
Framework for Cyber Security
The OG-0086 approach is similar to the US NIST Cybersecurity Framework functions of protect, detect and respond:
Protect, detect and respond – it is important to be able to detect possible attacks and respond in an appropriate and timely manner in order to minimise the impacts.
Defence in depth – no single security countermeasure provides absolute protection, as new threats and vulnerabilities can be identified at any time. Implementing multiple protection measures in series avoids single points of failure.
Technical, procedural and managerial protection measures – technology is insufficient on its own to provide robust levels of protection.
Any questions?