Baseline Technical Requirements for the Development of Industrial Control System Cyber Security Stan - PowerPoint PPT Presentation

1
Baseline Technical Requirements for the
Development of Industrial Control System Cyber
Security Standards
Presented by Mark D. Hadley
National Laboratory Standards Awareness Team
Presented for the Process Control Systems Requirement Forum Meeting
La Jolla, California, June 8, 2006
2
National Laboratory Standards Awareness Team
3
Team Objective
  • New standards are needed to address specific
    cyber security needs of control systems
  • The Department of Homeland Security (DHS) can
    assist functioning standards bodies and
    associations by providing multi-laboratory
    expertise and by collecting and developing proven
    requirements and recommended practices
  • Effective cyber security standards for control
    systems, when implemented, can help reduce the
    overall risk of cyber attacks to control systems

4
Strategy FY06
  • Develop supplemental guidance for NIST 800-53,
    Recommended Security Controls for Federal
    Information Systems, and NIST 800-82, Guide to
    Supervisory Control and Data Acquisition (SCADA)
    and Industrial Control System Security
  • Develop technical requirements for the
    ISA-99.00.04 standard, Specific Security
    Requirements for Manufacturing and Control
    Systems
  • Develop Standard IEC 62443, Security for
    Industrial Process Measurement and Control
    Network and System Security
  • Integrate the Department of Energy (DOE) and DHS
    standards improvement efforts to ensure a
    consistent approach and sharing of resources, as
    well as to avoid duplication of efforts

5
Strategy FY06 (cont.)
  • The program will work with DOE, NIST, IEC, and
    the Instrumentation, Systems, and Automation
    Society (ISA) to coordinate and develop
    comprehensive technical bases for securing
    control systems
  • The requirements bases will flow down to other
    DHS Control System Security Programs (CSSPs) and
    industry products

6
National SCADA Test Bed Program
  • The DOE's National SCADA Test Bed (NSTB) program
    is also pursuing standards-related activities per
    the Roadmap to Secure Control Systems in the
    Energy Sector facilitated by DOE and DHS
  • The NSTB and CSSP have already started
    integrating their efforts, and the same
    multi-laboratory team will be used to ensure
    consistency and avoid duplication of efforts
  • A combined effort will present a unified
    interface with industry

7
Purpose of the Project
  • Identify requirements that can be used by all
    sectors in the development of control system
    cyber security standards, recommended practices,
    etc.
  • Provide input to be used as a starting point for
    ISA-99.04 and other efforts (such as ISA SP100)

8
Need for the Project
  • There are many standards, guidelines, and best
    practices that address control system cyber
    security requirements and recommendations
  • These requirements need to be coordinated and
    consolidated into a single resource

9
The Approach
  • Determine requirement level
  • Determine requirement format
  • Review other sources for input
  • Glean requirements
  • Prepare consolidated requirements
  • Combine into a single document
  • Obtain industry review
  • Publish

10
Determine Requirement Level
  • There are many different levels of detail in
    current standards
  • Try to find a middle level of detail that can be
    used by the majority of organizations in the
    process industries

11
Determine Requirement Format
  • Based on NIST SP800-53
  • Recommended requirement topic
  • Statement of the requirement and area addressed
  • Supplemental guidance
  • Additional guidance on how the requirement might
    be implemented, other possible interpretations,
    etc.
  • Requirement enhancements
  • Guidance to enhance the requirements based on
    criticality scale

12
Format Example
  • SEED DOCUMENT EXAMPLE
  • Recommended Requirement
  • The organization identifies an alternate control
    center and initiates necessary agreements to
    permit the resumption of industrial control
    system operations for critical mission/business
    functions within [Assignment: organization-defined
    time period] when the primary control center is
    unavailable.
  • Supplemental Guidance
  • Equipment and supplies required to resume
    operations within the organization-defined time
    period are either available at the alternate
    control center or contracts are in place to
    support delivery to the site.
  • Requirement Enhancements
  • 1) The alternate control center is geographically
    separated from the primary processing site so as
    not to be susceptible to the same hazards.
  • 2) The organization identifies potential
    accessibility problems to the alternate control
    center in the event of an area-wide disruption or
    disaster and outlines explicit mitigation
    actions.
  • 3) Alternate control center agreements contain
    priority-of-service provisions in accordance with
    the organization's availability requirements.
  • 4) The alternate control center is fully
    configured to support a minimum required
    operational capability and ready to use as the
    operational site.

13
Review Other Sources for Inputs
14
Glean Requirements
  • Many standards address the same requirements in
    different formats
  • Extract the most important concepts
  • Ensure all ideas and best practices are covered

15
Prepare the Requirement
  • Determine the topic of the requirement by
    defining a single primary topic
  • Prepare a control statement that includes the
    required action that should be taken
  • Prepare a supplemental statement outlining how
    the requirement might be implemented, other views
    on the requirement, etc.

16
Combine Requirements into a Single Report
  • Awareness and Training
  • ...
  • Identification and Authentication
  • ...
  • System and Communications Protection
17
Industry Review
  • Obtain reviews and comments of the proposed
    recommended requirements
  • Incorporate consensus recommendations into future
    Best Practices drafts

18
Publish
  • Publish the report so that it can be used by any
    organization in their preparation of standards or
    recommended practices
  • Publish the report as an input to ISA-99.04

19
Summary and Conclusions
  • DOE and DHS actively support the development and
    promulgation of strong industrial control system
    (ICS) security standards
  • The National Laboratory Standards Awareness Team
    is ready to assist standards efforts that are
    consistent with the Roadmap to Secure Control
    Systems in the Energy Sector facilitated by DOE
    and DHS
  • Standards for the ICS industry, if widely
    implemented, will raise the level of control
    systems security

20
Team Contact
  • Mark D. Hadley
  • Pacific Northwest National Laboratory
  • Mark.Hadley@pnl.gov
  • (509) 375-2298