ISPE Cyber Security S99 Update December 08, 2009.

Presentation transcript:

ISPE Cyber Security S99 Update December 08, 2009

Topics to be covered
- Does it matter?
- Activity
- ISA S99
- S99 Work completed
- S99 Work in progress

SCADA
- Specific information
- Freely available
- Documented case

DCS
- Control Systems Security Program (CSSP) administered by DHS
- 15 ICS assessments
- 245 vulnerabilities
- All systems at risk
- Not inclusive; only the most critical vulnerabilities identified

Activity
Standards
- NERC CIP
- Chemical Sector Guidance Documents
- NIST
- NIST
- ANSI/ISA-TR
- ANSI/ISA
- ISA (Draft)
- DHS
Certifications
- CISP
- CISM ®
- CGEIT ®
- CISA ®
- ISP

Why an industrial security standard?
[Diagram: IT / IT Security on one side, Control Systems / Control System Cyber Security on the other]
Copyright © 2009 ISA

Multiple Perspectives
The right balance of understanding in:
- Industry sector drivers
- Control vendor limitations
- User implementation challenges
- Economic/financial burdens
- Community acceptance
- Community support requirements

Committee Scope
The ISA99 Committee addresses industrial automation and control systems whose compromise could result in any or all of the following situations:
- endangerment of public or employee safety
- loss of public confidence
- violation of regulatory requirements
- loss of proprietary or confidential information
- economic loss
- impact on entity, local, state, or national security

Participation
- Over 250 members from more than 200 companies
- Sectors include:
  - Chemical Processing
  - Petroleum Refining
  - Food and Beverage
  - Power
  - Pharmaceuticals
  - Process Automation Suppliers
  - IT Suppliers
  - Government Labs
  - Consultants

Work Product Types (*)
- STANDARD: A document that embodies requirements (normative material) that, if not followed, could directly affect safety, interchangeability, performance, or test results. In general, such requirements should already be widely recognized and used. Standards also include Draft Standards for Trial Use (DSTU), which are draft standards intended for subsequent submittal to ANSI for approval as American National Standards. A standard may contain informative material as long as it is clearly identified as such.
- RECOMMENDED PRACTICE: A document that embodies recommendations (informative material) that are likely to change because of technological progress or user experience, or which must often be modified in use to accommodate specific needs or problems of the user of the document.
- TECHNICAL REPORT: A document that embodies informative material. For example, reports of technical research, tutorials, and factual data obtained from a survey, or information on the "state-of-the-art" in relation to standards on a particular subject.
(*) From ISA Standards and Practices Department Procedures

Common Topics Across Standards
- Common Concepts, Models & Terminology (ISA99.01.xx)
- Management System (ISA99.02.xx)
- System Technical Requirements (ISA99.03.xx)
- Component Technical Requirements (ISA99.04.xx)
Topics shared across these parts: Reference Architecture & Models; Zones and Conduits; Foundational Requirements; Terminology

ISA99 Work Products (*)
[Diagram grouping the work products into Security Program, Technical - System, Technical - Component, and ISA99 Common]
- ISA Establishing an IACS Security Program
- ISA Terminology, Concepts and Models
- ISA Operating an IACS Security Program
- ISA-TR Master Glossary of Terms and Abbreviations
- ISA-TR Patch Management in the IACS Environment
- ISA Product Development Requirements
- ISA Embedded Devices
- ISA Host Devices
- ISA Network Devices
- ISA Applications, Data and Functions
- ISA System Security Requirements and Security Assurance Levels (was Foundational Requirements; was ISA)
- ISA-TR Security Technologies for Industrial Automation and Control Systems (was ISA-TR)
- ISA Security Assurance Levels for Zones and Conduits (was Target Security Levels)
- ISA System Security Compliance Metrics (was ISA)

Phased Approach to Requirements Standards
(Table columns: Part Title; Scope and Purpose; Primary Users; Expected Publication Date)

Technical Requirements: Target Security Levels
- Scope and purpose: Use NIST mapping to establish target security levels; includes high-level description of domains including their zones and conduits
- Primary users: Asset owner; Security system architect; System integrator; System providers including 3rd party outsources
- Expected publication date: Mid 2009

Technical Requirements: System Security Compliance Metrics
- Scope and purpose: Defines measurable compliance metrics that are context specific
- Primary users: Asset owner; Security system architect; System integrator; ISA Compliance Institute; System providers including 3rd party outsources
- Expected publication date: Late 2009

Technical Requirements: Allocation to Subsystems and Components
- Scope and purpose: Normative specification of security requirements including rationale and supporting use cases based on example reference models; includes detailed description of domains including their zones and conduits
- Primary users: Asset owner; Security system architect; System integrator; ISA Compliance Institute; System, subsystem and component providers including 3rd party outsources
- Expected publication date: 2013 (Note: this part could be further subdivided to improve timeliness of publication)

Guidelines for Implementing Requirements
[Diagram: Risk Analysis -> Countermeasure Selection -> Design -> Implementation -> Continuous Improvement, each stage mapped to an ISA-TR or ISA part]
- Part 1 for Definition, Requirements, and "Coming to Terms with Terms"
- Part 2 for Program Elements from Business Case to Implementation
- Technical Report 1 for Evaluation and Selection of Countermeasures
- Part 3 for Performance and Benefit Driven Analysis and Continuous Improvement
- Part 4 for Vendors and Asset Owners to Specify and Build More Secure Components (similar to SIL)

Work Products List (1/2)
(Table columns: ISA Number; IEC Number (per IEC SMB); Work Product Subject; Status)
- ISA / IEC/TS: Terminology, Concepts and Models (Released)
- ISA-TR / IEC/TR: Master Glossary of Terms and Abbreviations (Draft)
- ISA / IEC: Security Compliance Metrics (Draft)
- ISA / IEC: Establishing an IACS Security Program (Released)
- ISA / IEC: Operating an IACS Security Program (Proposed)
- ISA-TR / IEC/TR: Patch Management in the IACS Environment (Proposed)
15 October 2009

Work Products List (2/2)
(Table columns: ISA Number; IEC Number (per IEC SMB); Work Product Subject; Status)
- ISA-TR / IEC/TR: Security Technologies for Industrial Automation and Control Systems (Released)
- ISA / IEC: Security Assurance Levels for Zones and Conduits (Draft)
- ISA / IEC: System Security Requirements and Security Assurance Levels (Draft)
- ISA / IEC: Product Development Requirements (Proposed)
- ISA / IEC: Embedded Devices (Proposed)
- ISA / IEC: Host Devices (Proposed)
- ISA / IEC: Network Devices (Proposed)
- ISA / IEC: Applications, Data and Functions (Proposed)

Connecting with Others
The ISA99 Committee (Standards) connects with:
- ISA100 (Wireless)
- ISA84 (Safety)
- ISCI (Compliance)
- MSMUG
- IEC (International)