Title: Baseline Technical Requirements for the Development of Industrial Control System Cyber Security Stan
1Baseline Technical Requirements for the
Development of Industrial Control System Cyber
Security Standards
Presented by Mark D. Hadley National
Laboratory Standards Awareness Team Presented
for Process Control Systems Requirement Forum
Meeting La Jolla, California June 8, 2006
2National Laboratory Standards Awareness Team
3Team Objective
- New standards are needed to address specific
cyber security needs of control systems - The Department of Homeland Security (DHS) can
assist functioning standards bodies and
associations by providing multi-laboratory
expertise and by collecting and developing proven
requirements and recommended practices - Effective cyber security standards for control
systems, when implemented, can help reduce the
overall risk of cyber attacks to control systems
4Strategy FY06
- Develop supplemental guidance for NIST 800-53,
Recommended Security Controls for Federal
Information Systems, and NIST 800-82, Guide to
Supervisory Control and Data Acquisition (SCADA)
and Industrial Control System Security - Develop technical requirements for the
ISA-99.00.04 standard, Specific Security
Requirements for Manufacturing and Control
Systems - Develop Standard IEC 62443, Security for
Industrial Process Measurement and Control
Network and System Security - Integrate the Department of Energy (DOE) and DHS
standards improvement efforts to ensure a
consistent approach and sharing of resources, as
well as to avoid duplication of efforts
5Strategy FY06 (cont.)
- The program will work with DOE, NIST, IEC, and
the Instrumentation, Systems, and Automation
Society (ISA) to coordinate and develop
comprehensive technical bases for securing
control systems - The requirements bases will flow down to other
DHS Control System Security Programs (CSSPs) and
industry products
6National SCADA Test Bed Program
- The DOEs National SCADA Test Bed (NSTB) program
is also pursuing standards-related activities per
the Roadmap to Secure Control Systems in the
Energy Sector facilitated by DOE and DHS - The NSTB and CSSP have already started
integrating their efforts, and the same
multi-laboratory team will be used to ensure
consistency and avoid duplication of efforts - A combined effort will present a unified
interface with industry
7Purpose of the Project
- Identify requirements that can be used by all
sectors in the development of control system
cyber security standards, recommended practices,
etc. - Provide input to be used as a starting point for
ISA-99.04 and other efforts (such as ISA SP100)
8Need for the Project
- There are many standards, guidelines, and best
practices that address control system cyber
security requirements and recommendations - These requirements need to be coordinated and
consolidated into a single resource
9The Approach
- Determine requirement level
- Determine requirement format
- Review other sources for input
- Glean requirements
- Prepare consolidated requirements
- Combine into a single document
- Obtain industry review
- Publish
10Determine Requirement Level
- There are many different levels of detail in
current standards - Try to find a middle level of detail that can be
used by the majority of organizations in the
process industries
11Determine Requirement Format
- Based on NIST SP800-53
- Recommended requirement topic
- Statement of the requirement and area addressed
- Supplemental guidance
- Additional guidance on how the requirement might
be implemented, other possible interpretations,
etc. - Requirement enhancements
- Guidance to enhance the requirements based on
criticality scale
12Format Example
- SEED DOCUMENT EXAMPLE
- Recommended Requirement
- The organization identifies an alternate control
center and initiates necessary agreements to
permit the resumption of industrial control
system operations for critical mission/business
functions within Assignment organization-defined
time period when the primary control center is
unavailable. - Supplemental Guidance
- Equipment and supplies required to resume
operations within the organization-defined time
period are either available at the alternate
control center or contracts are in place to
support delivery to the site. - Requirement Enhancements
- 1) The alternate control center is geographically
separated from the primary processing site so as
not to be susceptible to the same hazards. - 2) The organization identifies potential
accessibility problems to the alternate control
center in the event of an area-wide disruption or
disaster and outlines explicit mitigation
actions. - 3) Alternate control center agreements contain
priority-of-service provisions in accordance with
the organizations availability requirements. - 4) The alternate control center is fully
configured to support a minimum required
operational capability and ready to use as the
operational site.
13Review Other Sources for Inputs
14Glean Requirements
- Many standards address the same requirements in
different formats - Extract the most important concepts
- Ensure all ideas and best practices are covered
15Prepare the Requirement
- Determine the topic of the requirement by
defining a single primary topic - Prepare a control statement that includes the
required action that should be taken - Prepare a supplemental statement outlining how
the requirement might be implemented, other views
on the requirement, etc.
16Combine Requirements into a Single Report
Awareness and Training
???
Identification and Authentication
???
System and Communications Protection
17Industry Review
- Obtain reviews and comments of the proposed
recommended requirements - Incorporate consensus recommendations into future
Best Practices drafts
18Publish
- Publish the report so that it can be used by any
organization in their preparation of standards or
recommended practices - Publish the report as an input to ISA-99.04
19Summary and Conclusions
- DOE and DHS actively support the development and
promulgation of strong industrial control system
(ICS) security standards - The National Laboratory Standards Awareness Team
is ready to assist standards efforts that are
consistent with the Roadmap to Secure Control
Systems in the Energy Sector facilitated by DOE
and DHS - Standards for the ICS industry, if widely
implemented, will raise the level of control
systems security
20Team Contact
- Mark D. Hadley
- Pacific Northwest National Laboratory
- Mark.Hadley_at_pnl.gov
- (509) 375-2298