ISA SP-99 Overview: Manufacturing and Control Systems Security

Document Sample
ISA SP-99 Overview: Manufacturing and Control Systems Security Powered By Docstoc
					        ISA SP-99 Overview:
      Manufacturing and Control
          Systems Security
                        Dave Teumim
                   dave524@verizon.net
             ISA SP-99 WG7 Group Leader
Images Contained Herein May Not be Used Without Explicit Permission



                      ISA–The Instrumentation, Systems, and Automation Society
SP99 – A Brief History
   SP99 committee formed, first meeting at ISA
    conference – October 2002, Chicago
   2nd meeting at the ISA industrial networking
    conference – January 2003, Houston
   3rd meeting following the KEMA conference – April
    2003, Denver
   4th meeting occurred 23 Oct 2003 at the annual ISA
    show in Houston, TX
   5th meeting in April 2004 in Long Beach, CA
   Many working group special sessions and telecons to
    date


                    ISA–The Instrumentation, Systems, and Automation Society
Traditional IT Security
   Typically a near even balance between Confidentiality,
    Integrity, and Availability, often favors Confidentiality
   Concerned mostly with intentional acts resulting in system
    compromise
   Common reaction to security events is to shut down application
    and systems, take remedial action such as patches, virus scans,
    etc., then restore system availability
   Unit, system, and integration testing of new software often
    requires much less time and complexity to complete



                         ISA–The Instrumentation, Systems, and Automation Society
Control System Security
A Shift in Focus:
   Most process control security incidents are the result of well-
    intentioned people causing unintended consequences
        There is a growing trend in the number of externally caused incidents
   Focus on maintaining integrity and availability of systems, versus
    differentiating between malicious and non-malicious intent
        maintain the as-designed run state of the system
   Immediate focus needed on the real and present risks with
    existing installed base of process control systems;
        Specifications for new system security requirements will take quite some
         time to reach the market and have impact.


                             ISA–The Instrumentation, Systems, and Automation Society
ISA SP-99 Introduction
   Provide guidance to manufacturing industries that addresses
    issues specific to manufacturing and control systems
   Develop communications model for both vendors and customers
   Detail steps and procedures for creating a comprehensive
    security program to support manufacturing and control systems
   Assess applicability of security technologies and give specific
    guidance for current and future manufacturing and control
    systems




                         ISA–The Instrumentation, Systems, and Automation Society
ISA SP-99 Committee Composition
   Over 200 members (Voting and Informational)
   Representatives from many industries including:
    •Water/Wastewater              •US Government Labs and
    •Fossil Fuels                  Organizations
    •Nuclear                       •Chemical
    •Food and Beverage             •Petrochemical
    •Pharmaceutical                •Educational Institutions
    •Automotive


                     ISA–The Instrumentation, Systems, and Automation Society
 ISA SP-99 Committee Composition
 (Cont’d)

Four Working Groups:
   WG 1 – Security Technologies for the Manufacturing
    and Control Systems Environment
   WG 2 – Implementing Security in the Manufacturing and
    Control Systems Environment
   WG 3 – Audit and Metrics, Common Language and
    Model
   WG 7 – Liaison Committee

                     ISA–The Instrumentation, Systems, and Automation Society
ISA SP-99 Current Activities
   Published Two Technical Reports
       TR99.00.01 – Security Technologies for Manufacturing and
        Control Systems
       TR99.00.02 – Integrating Security into the Manufacturing and
        Control Systems Environment
   Now working on ISA SP-99 Part 1 (Standard) on
    Manufacturing and Control Systems Security
    Architecture, Model, and References




                        ISA–The Instrumentation, Systems, and Automation Society
ISA SP-99 TR99.00.1 Overview
   ISA SP-99 TR.99.00.01 Security Technologies for
    Manufacturing and Control Systems
   Technology tools are broken up into several “abstract”
    categories and addressed individually:
       Authentication and Authorization Technologies
       Filtering/Blocking/Access Control Devices
       Encryption Technologies and Data Validation
       Audit, Measurement, Monitoring, and Detection Tools
       Computer Software
       Physical Security Controls
       Personnel Security

                        ISA–The Instrumentation, Systems, and Automation Society
ISA SP-99 TR99.00.2 Overview
   Integrating Security into the Manufacturing and Control
    Systems Environment
   Key areas of Focus
       Developing the Business Case
       Quantifying and Understanding Risks
       Identifying vulnerabilities and developing steps to counter
        them
       Techniques for deploying technology tools to a security
        program
       Assessing the effectiveness and completeness of a security
        program and individual security measures


                        ISA–The Instrumentation, Systems, and Automation Society
ISA SP99 Part 1




  ISA–The Instrumentation, Systems, and Automation Society
ISA SP-99 Part 1
   This is the first part of a multi-part standard for
    Manufacturing and Control Systems Security.
   It was clear during the technical report generation that
    there is not a common understanding of what the
    problem is and how to describe problems and solutions
   This pointed out that we need to first all talk the same
    language and use similar analysis tools before we can
    set industry direction



                       ISA–The Instrumentation, Systems, and Automation Society
ISA SP-99 Part 1
   What is included in SP-99 Part 1:
       Definitions of Manufacturing and Control Systems security
        terms
       Description of the terminology used in security as it applies to
        Manufacturing and Control Systems
       A Common Model for specifying security requirements for
        Manufacturing and Control Systems program
       Covers reference architecture for describing the security
        environment
   The standard is not specific to vendors, customers, or
    any particular aspect of Manufacturing and Control
    Systems security

                         ISA–The Instrumentation, Systems, and Automation Society
ISA SP-99 Part 1
   ISA SP-99 Work Group 3 (WG-3) is currently writing the
    first draft of the part 1 standard
   Best estimate is that the draft will be ready for review of
    the full ISA SP99 Committee by year end (December
    2004)




                      ISA–The Instrumentation, Systems, and Automation Society
Additional Information
   How to Get Involved
   www.isa.org – go to: Standards, Committees, SP99
   Bryan L Singer - ISA SP99 Chairman
        blsinger@ra.rockwell.com
   Bob Webb - ISA SP99 Managing Director
        rcw4@ix.netcom.com
   Charley Robinson - ISA Organization
        crobinson@isa.org
   Evan Hand – ISA SP99 Vice Chairman
        ehand@kraft.com

                          ISA–The Instrumentation, Systems, and Automation Society
            ISA SP-99
Manufacturing and Control Systems
             Security

        Questions?


           ISA–The Instrumentation, Systems, and Automation Society

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:58
posted:6/11/2012
language:English
pages:16