Cyber security guidance

Holly Beum, Interface Technologies -- Control Engineering, 6/1/2004

In April 2004, two groups of cyber security and automation system experts issued more than 260 pages of security guidelines for industrial control systems. The ISA-SP99 standards committee issued the first two of several Technical Reports on Manufacturing and Control Systems Security and the National Institute of Standards and Technology's (NIST) Process Control Security Requirements Forum issued the System Protection Profile for Industrial Control Systems (SPP-ICS).

ISA—The Instrumentation, Systems, and Automation Society— established the SP99 committee specifically to address the growing threats to industrial system security.

"The purpose of SP99 is to address the security needs of manufacturing and control systems. While many similarities exist between information systems techniques and control systems, differences in technology and terminology warrant careful attention. The SP99 committee is focused on developing material to assist organizations in developing a comprehensive security program," said SP99 chairman Bryan Singer of Rockwell Automation. Members of SP99 represent a wide variety of control system vendors, end-users, system integrators, consultants, and cyber security vendors.

The first two technical reports that the committee issued are "Security Technologies for Manufacturing and Control Systems" (ISA-TR99.00.01-2004), also known as TR1, and "Integrating Electronic Security into the Manufacturing and Control Systems Environment" (ISA-TR99.00.02-2004), also known as TR2.

TR1 describes electronic security technologies currently available to the manufacturing and control systems environment. Twenty-eight technologies in six categories are examined. Categories include authentication and authorization; filtering/blocking/access control; encryption and data validation; audit, measurement, monitoring and detection tools; and computer software and physical security controls. Each technology is evaluated according to seven aspects: security vulnerabilities addressed by this technology, typical deployment, known issues and weaknesses, assessment of use in the manufacturing and control system environment, future directions, recommendations and guidance, and information sources and reference material.

TR1 does not recommend one technology over another, but provides guidance for using the technologies as well as information to consider when developing a site or corporate security program for automation. TR1 can be a primer for control engineers who want to learn about security technologies, as well as a resource for IT personnel to learn the limitations of deploying traditional security methods in a real-time environment. "It was our intention to arm control engineers with the basic information they need to make sense of security offerings. We also wanted to inform IT professionals of the caveats of applying their tools, such as why they can't assume that Microsoft Windows-based control systems carry the latest patches," said Eric Byres, chair of the TR1 Work Group.

TR2 is a more comprehensive discussion of methodologies and components necessary to create a complete security program. In TR2, SP99 introduces the Security Lifecycle (see graphic). This is similar to the approach developed for management of safety-related systems in the IEC 61508 standard. TR2 gives specific guidance and references for each step of the lifecycle.

In addition to the security lifecycle steps, TR2 details specific elements that comprise a comprehensive security program and includes a number of helpful templates and examples. A template is provided to complete a thorough screening inventory of a company's manufacturing systems, with a step-by-step procedure for a risk analysis of industrial network segments and an example of a corporate industrial network policy and procedures document.

According to Bob Webb, chair of the TR2 Work Group, "The most important aspect of security is to recognize that most control systems are a combination of new and legacy components. There is no single step that you can apply to make a system secure. Rather, you need to go through a process, which is what we provide in TR2. We also emphasize the sensitivity of control systems and that control engineers must continually think of the impact of each countermeasure on the overall system response."

Complementing ISA-SP99's focus on securing current systems, the main goal of the NIST effort is to define a precise set of common information security requirements for future process control systems. The NIST Process Control Security Requirements Forum (PCSRF) consists of 450 members from government, academic, and private sectors (many are also active in ISA-SP99).

PCSRF System Protection Profile for Industrial Control Systems (SPP-ICS) document is an extension of ISO/IEC 15408 Common Criteria tailored to automation systems. Common Criteria is used extensively to secure government operations, such as the FAA, but is a new concept for automation. SPP-ICS is a baseline document that states necessary industrial security requirements at an implementation-independent level. It will be used to create security specifications for specific systems and components, such as a water treatment system or a power substation.

"System integrators and end-users can apply SPP-ICS to specify security functional requirements to procure new systems while vendors can use it to demonstrate assurance that their products meet these security requirements. Our involvement of members from all areas of manufacturing and process control will also help vendors create a business case for developing these security functions in their products," said Keith Stouffer, SPP-ICS project manager at NIST.

Both ISA and NIST anticipate that their efforts will evolve into IEC/ISO standards.

The ISA reports "Security Technologies for Manufacturing and Control Systems" (ISA-TR99.00.01-2004) and "Integrating Electronic Security into the Manufacturing and Control Systems Environment" (ISA-TR99.00.02-2004) are available for purchase by calling ISA at (919) 549-8411 or by visiting www.isa.org. The price per report is $99 for ISA members or $109 for non-members.

The NIST SPP-ICS document is available free on the PCSRF site: (Microsoft Word version) http://www.isd.mel.nist.gov/projects/processcontrol/SPP-ICSv1.0.doc

(PDF Version) http://www.isd.mel.nist.gov/projects/processcontrol/SPP-ICSv1.0.pdf