
ISA S99 – WG4 IEC 62443

ISA S99 – WG4 IEC 62443. Markus Brändle CHCRC.C5. PAS: Scope 1/2. This PAS provides guidance on security objectives to: automation system designers; manufacturers (vendors) of devices, subsystems, and systems; integrators of subsystems and systems


Presentation Transcript


  1. ISA S99 – WG4 IEC 62443. Markus Brändle CHCRC.C5

  2. PAS: Scope 1/2
     This PAS provides guidance on security objectives to:
     • automation system designers
     • manufacturers (vendors) of devices, subsystems, and systems
     • integrators of subsystems and systems
     • automation system owners/operators (responsible for PCS operation)
     The PAS considers the following concerns:
     • graceful migration/evolution for existing systems
     • meeting security objectives with COTS technologies and products
     • reliability/availability of the secured communications service
     • scalability (especially down to small, low cost, low risk systems)
     • separation of security, safety and automation functionality requirements where appropriate

  3. PAS: Scope 2/2
     Operational policies … specify how the provisions of corporate security policy are implemented in respective organizational areas. They define what a specific organizational area will do to achieve the objectives of corporate policy.
     Operational procedures define how to perform operational policy. They define activities and may refer to relevant methods and references, i.e. standards.
     Operational practice should contain specific measurable requirements and detail the procedures by providing specific practices of the owner/operator. As these are even more specific to the organization and organizational area, only examples may be provided by this PAS.
     The measures provided by this PAS are process-based and general in nature rather than technically specific or prescriptive in terms of countermeasures and configurations.

  4. PAS: Generic reference configuration
     • Good insight into the recommendations for concrete solutions.
     • Language of these contributions must be changed to a more normative specification with options
     • Must be adapted to match S99 zones and conduits

  5. PAS: Security Policy - Measures
     8.1 Availability management
     8.2 Integrity management
     8.3 Logical access management
     8.4 Physical access management
     8.5 Partition management
     8.6 External access management
     • Mostly process requirements → 99.03
     • Some technical requirements → 99.04

  6. PAS: Conclusions
     • PAS written as policy statements with few concrete requirements: “This PAS will provide countermeasures as processes, and this in form of a proposed policy” → more applicable to 99.03
     • Compliance testing for products?
     • Document does not seem to address some of the unique issues of IACS explicitly, e.g. patch management or importance of availability
     • Good starting point on the areas/issues to be covered

  7. 65/360/NP: Informative material
     • Summary of threat actions & consequences
     • Typical attack vectors

  8. 65/360/NP: Elements
     • Structure
       • Elements for securing external network communications paths into industrial automation and process control networks, e.g.
         • Interactive remote access to a control network (IRA)
         • Portable engineering computer (PEC)
       • Elements for securing internal communications paths within an industrial automation or process control network
       • Elements for devices of an industrial automation or process control network
     • Rationale given for each requirement
     • Responsibilities assigned

  9. 65/360/NP: Security Levels
     • Security levels
       • NONE
       • LOW
       • REDUCED
       • FULL
       • ISOLATED
     • Requirements given with respect to security level:
       The remote client [SRL:{ LOW}: should, SRL:{ REDUCED ,FULL}: shall] run a file system integrity checker. The file system integrity ….
     • Appendix contains evaluation of security levels

  10. 65/360/NP: Conclusions
     • Very detailed & extensive document
     • Compliance testing possible
     • Requirements better suited for 99.04 than PAS
     • Style of requirement definition useful for 99.04 (rationale & security levels)
     • Work needed to filter, restructure and adapt requirements
     • Unfinished document
