
ISA SP-99 Working Group #3

ISA SP-99 Working Group #3. October 27, 2005 Chicago, IL. Eric Cosman, Evan Hand. Meeting Purpose. Assess the current status of the content of dS99.00.01 and determine what additional work is required to create a draft suitable for committee vote.


Presentation Transcript


  1. ISA SP-99 Working Group #3 • October 27, 2005 • Chicago, IL • Eric Cosman, Evan Hand

  2. Meeting Purpose • Assess the current status of the content of dS99.00.01 and determine what additional work is required to create a draft suitable for committee vote. • Review each of the major sections and identify any needed additions or updates. Create specific assignments and expected completion dates.

  3. Session Ground Rules • One topic will be discussed at a time. • All opinions and input are important but some discussions may be tabled in order to keep to the agenda. • All unresolved topics and action items will be recorded for follow-up. • Please yield to the meeting leader to help keep the sessions on track.

  4. SP-99 Goals (A Review) • Capture current industry “best practice” thought and apply it to the industrial automation environment in a manner that clearly communicates to this industry space • Provide guidance on the applicability of current technologies to industrial automation systems • Create recommendations for future security needs • Create standards that are specifically tailored to the unique needs of industrial automation systems

  5. A Brief History of ISA SP-99 • Foundations formed in late 2001 • Committee formed in July 2002 • First meetings in Chicago (October 2002) • Regular meetings since 2002 • Two Technical Reports published • Two parts of the standard being prepared

  6. Purpose Statement “The SP99 Committee will establish standards, recommended practices, technical reports, and related information that will define procedures for implementing electronically secure manufacturing and control systems and security practices and assessing electronic security performance. Guidance is directed towards those responsible for designing, implementing, or managing manufacturing and control systems and shall also apply to users, system integrators, security practitioners, and control systems manufacturers and vendors.”

  7. ISA SP-99 Scope • The SP99 Committee addresses Manufacturing and Control Systems whose compromise could result in any or all of the following situations: • endangerment of public or employee safety • loss of public confidence • violation of regulatory requirements • loss of proprietary or confidential information • economic loss • impact on national security

  8. “Manufacturing & Control Systems” “The concept of manufacturing and control systems security is applied in the broadest possible sense, encompassing all types of plants, facilities, and systems in all industries. Manufacturing and control systems include, but are not limited to, hardware and software systems such as DCS, PLC, SCADA, networked electronic sensing, and monitoring and diagnostic systems, and associated internal, human, network, or machine interface used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes.”

  9. Current Organization ISA 99.00.01 – Scope, Concepts, Models & Terminology ISA 99.00.02 – Establishing a Manufacturing and Control Systems Security Program ISA 99.00.03 – Operating a Manufacturing and Control Systems Security Program ISA 99.00.04 – Specific Security Requirements for Manufacturing and Control Systems

  10. Our Objectives • Make sure that: • the necessary fundamental concepts are addressed • each major topic is well framed and bounded • introductory sections establish the proper foundation for the more detailed parts that follow (forward references) • detailed information is consistent with basic concepts introduced earlier (backward references)

  11. Messages from October 24 Meeting • Expand the title to include “Scope” (i.e., Scope of the ISA-99 series) • Scope: • Current material addresses the scope of the subject; not just part 1 • Move this information into the foreword or introduction • Repurpose as the scope of this document • Normative References • Move non-normative references to a bibliography (check for alignment with ISA style guide) • Glossary • Glossary terms to be finalized and all sources cited

  12. Messages from October 24 Meeting • Overview: • Material from the current Overview can move to the Introduction • Concepts: • List of concepts needs review for completeness • any concepts in Part 2 that need a foundation? • Models: • Rationalize various discussions related to security “Level” • Confirm use of material from INL Framework • Complete the few remaining “empty parts” • Case Studies: • Should illustrate the application of models and concepts

  13. Sections and Clauses (Revised) • Foreword • Structure of ISA-99, including a description of the content of each part • Introduction • Describe the “boundaries of investigation” of the subject. (i.e., what is included in “M&CS Security?”) • Clause 1: Scope • Establish the scope of this document (Part 1) • Clause 2: Normative References • List of other documents or standards that form the basis for this work • Clause 3: Glossary • consolidated list of terms for all parts of ISA-99

  14. Sections and Clauses (Revised) • Clause 4: Overview of the Subject • Why is this subject important? • What has changed from past situations and practices? • What are seen as major trends? • Clause 5: Concepts • Describes the fundamental concepts that form the basis of ISA-99? • Clause 6: Models • Describe the basic models and how they are related • Annex: Case Studies • Annex: Bibliography

  15. Things to Consider… • necessary fundamental concepts are addressed • each major topic is well framed and bounded • introductory sections establish the proper foundation for the more detailed parts that follow (forward references) • detailed information is consistent with basic concepts introduced earlier (backward references)

  16. Introduction • Describe the “boundaries of investigation” of the subject. • Think of this as a “scope” for all four parts. • Could be replicated in Parts 2 through 4

  17. Scope of Security Standards [Figure showing Purdue Reference Model Levels 1 through 5 together with security and safety standards. Level labels in the figure: Company Management Information; Company Management Data Presentation; Company Production Assignment Scheduling Supervision; Company Production Scheduling Assignment; Production Scheduling & Operational Management; Operational & Production Supervision; Inter-Area Coordination; Supervisor’s Console; Supervisory Control; Direct Digital Control; Operator’s Console; Controllers; Process. Standards labels in the figure: IT Security Policies and Practices (ISO 17799); Common technologies, policies and practices; Mfg Security Policies and Practices (ISA 99); Process Safety (ISA 84, IEC 61508, IEC 61511).]

  18. Clause 1: Scope • Has to be rewritten to address this document only. • Expand on one element of the outline that appears in the foreword • Look to other ISA and IEC standards for examples

  19. Clause 2: Normative References (Models & Concepts) • ANSI/ISA 95.00.01-2000, Enterprise-Control System Integration Part 1: Models and Terminology • ANSI/ISA-88.01-1995, Batch Control Part 1: Models and Terminology • ISO/IEC 7498: Information processing systems – Open System Interconnection – Basic Reference Model, Part 2: Security Architecture • ISO 15408, Common Criteria

  20. Clause 2: Normative References (Terminology) • CNSS Instruction No. 4009, National Information Assurance Glossary, May 2003 • SANS Glossary of Terms used in Security and Intrusion Detection, May 2003 • RFC 2828, Internet Security Glossary, May 2000 • Federal Information Processing Standards (FIPS) PUB 140-2, (2001) “SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES,” Section 2, Glossary of Terms and Acronyms, U.S. National Institute of Standards and Technology. • Federal Information Processing Standards Publication, FIPS PUB 140-2, Security Requirements for Cryptographic Modules, December 2002

  21. Clause 3: Glossary • Will incorporate terms from Part 2 • Consolidate definitions with AGA-12 and other related efforts

  22. Clause 4: Overview of the Subject • Some of this content may be relocated to Introduction • Section will survive if sufficient content remains

  23. Clause 5: Concepts • Security Context • Reference Model • Zones and Conduits • Security Levels • Policy

  24. Context Model (from ISO 15408)

  25. Model Relationships

  26. Basic Reference Model [Figure]
      • Level 5: Enterprise
      • Level 4: Site Business Planning and Logistics
      • Level 3: Site Manufacturing Operations and Control
      • Level 2: Area Supervisory Control
      • Level 1: Basic Control
      • Level 0: Process
      • Safety-Critical

  27. Detailed Reference Model [Figure; network labels in the diagram: Enterprise Network, WAN Router, Site Business Network, Process Control Network]
      • Level 5 - Enterprise: Enterprise Financial Systems
      • Level 4 - Site Business Planning: Site Production Scheduling; Site Accounting
      • Level 3 - Site Manufacturing Operations: Production Control; Optimizing Control; Process History; Windows Domains
      • Level 2 - Area Supervisory Control: Supervisory Controllers; Primary Operator Interface
      • Level 1 - Basic Process Control: Batch Controllers; Continuous Controllers; Discrete Controllers; Process Monitoring
      • Level 0 - Field Instrumentation: Sensors, Transmitters, Control Valves; Field Networks (e.g. Foundation Fieldbus, Profibus)
      • Safety-Critical: Protective Systems; Safety Instrumented Systems

  28. Clause 6: Models • Assets • Reference Architecture • Zones and Conduits • Maturity • Security Integrity

  29. Assets

  30. Zone Model

  31. Maturity Model • May “adopt” content from Part 2

  32. Security Integrity • Introduces “security levels” • Current content, technical note and other sources

  33. Annex: Case Studies
