Control system security

'''Industrial control system security''', or '''automation and control system (ACS) cybersecurity''', is the prevention of (intentional or unintentional) interference with the proper operation of [[automation|industrial automation]] and [[industrial control systems|control systems]]. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and [[programmable logic controller|programmable controllers]], each of which could contain [[vulnerability (computing)|security vulnerabilities]]. The 2010 discovery of the [[Stuxnet|Stuxnet worm]] demonstrated the vulnerability of these systems to cyber incidents.<ref name="tofinoexida201202">{{cite web | url=http://www.exida.com/index.php/News/new_whitepaper_the_7_steps_to_ics_and_scada_security/ | title=The 7 Steps to ICS Security | accessdate=March 3, 2011 | author1=Byres, Eric | author2=Cusimano, John | date=February 2012 | publisher=Tofino Security and exida Consulting LLC | url-status=dead | archiveurl=https://web.archive.org/web/20130123141949/http://www.exida.com/index.php/News/new_whitepaper_the_7_steps_to_ics_and_scada_security/ | archivedate=January 23, 2013 }}</ref> The United States and other governments have passed [[cyber-security regulation]]s requiring enhanced protection for control systems operating critical infrastructure.
 
Control system security is known by several other names such as ''[[SCADA]] security'', ''PCN security'', ''Industrial [[network security]]'', ''[[Industrial control system]] (ICS) Cybersecurity'', ''[[Operational Technology]] (OT) Security'', ''Industrial automation and control systems'' and ''Control System Cyber Security''.
 
== Risks ==
Insecurity of, or vulnerabilities inherent in, industrial automation and control systems (ACS) can lead to severe consequences in categories such as safety, loss of life, personal injury, environmental impact, lost production, equipment damage, information theft, and company image.
 
Guidance to assess, evaluate and mitigate these potential risks is provided through the application of many governmental, regulatory and industry documents and global standards, addressed below.
 
== Vulnerability of automation and control systems ==
Automation and Control Systems (ACS) have become far more vulnerable to security incidents due to the following trends that have occurred over the last 10 to 15 years.
* Increasing use of Commercial Off-the-Shelf Technology (COTS) and protocols. Integration of technology such as MS Windows, SQL, and Ethernet means that these systems may now have the same or similar vulnerabilities as common IT systems.
* Enterprise integration (using plant, corporate and even public networks) means that these (legacy) systems may now be subjected to stresses that they were not designed for.
* Demand for Remote Access - 24x7 access for engineering, operations or technical support increases the attack surface, possibly leading to more insecure or rogue connections to the control system.
* Increased awareness and understanding of industrial systems - As more and more people become aware of these systems, the strategy of [[Security through obscurity|Security Through Obscurity]] is no longer viable.
* [[Security through obscurity|Security Through Obscurity]] - Relying on protocols or standards that are not publicly available is detrimental to system security.
* Although the cyber threats and attack strategies on automation systems are changing rapidly, regulation of industrial control systems for security is rare and is a slow-moving process. The United States, for example, only does so for the [[nuclear power in the United States|nuclear power]] and the [[chemical industry|chemical industries]].<ref name="gross201104">{{cite magazine|url=http://www.vanityfair.com/culture/features/2011/04/stuxnet-201104|title=A Declaration of Cyber-War|author=Gross, Michael Joseph|first=|date=2011-04-01|magazine=Vanity Fair|publisher=Condé Nast|archiveurl=https://web.archive.org/web/20140713082739/http://www.vanityfair.com/culture/features/2011/04/stuxnet-201104|archivedate=2014-07-13|accessdate=2017-11-29|df=}}</ref>
 
 
== Government efforts ==
The U.S. Government [[Computer Emergency Readiness Team]] (US-CERT) originally instituted a [[control systems security program]] (CSSP), now the National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems, which has made available a large set of free National Institute of Standards and Technology (NIST) standards documents regarding control system security.<ref>{{cite web|url=http://www.us-cert.gov/control_systems/csstandards.html|title=Standards and References - NCCIC / ICS-CERT|website=ics-cert.us-cert.gov/|access-date=2010-10-27|archive-url=https://web.archive.org/web/20101026045026/http://www.us-cert.gov/control_systems/csstandards.html|archive-date=2010-10-26|url-status=dead}}</ref> The U.S. Government Joint Capability Technology Demonstration (JCTD) known as MOSAICS (More Situational Awareness for Industrial Control Systems) is the initial demonstration of cybersecurity defensive capability for critical infrastructure control systems.<ref>{{Cite web|title=More Situational Awareness For Industrial Control Systems (MOSAICS) Joint Capability Technology Demonstration (JCTD): A Concept Development for the Defense of Mission Critical Infrastructure – HDIAC|url=https://hdiac.org/articles/more-situational-awareness-for-industrial-control-systems-mosaics-joint-capability-technology-demonstration-jctd-a-concept-development-for-the-defense-of-mission-critical-infrastructure/|access-date=2021-07-31|language=en-US}}</ref> MOSAICS addresses the Department of Defense (DOD) operational need for cyber defense capabilities to defend critical infrastructure control systems, such as power, water and wastewater, and safety controls, from cyber attack, since these systems affect the physical environment.<ref>{{Cite web|title=More Situational Awareness for Industrial Control Systems (MOSAICS): Engineering and Development of a Critical Infrastructure Cyber Defense Capability for Highly Context-Sensitive Dynamic Classes: Part 1 – Engineering – HDIAC|url=https://hdiac.org/articles/more-situational-awareness-for-industrial-control-systems-mosaics-engineering-and-development-of-a-critical-infrastructure-cyber-defense-capability-for-highly-context-sensitive-dynamic-classes-par/|access-date=2021-07-31|language=en-US}}</ref> The MOSAICS JCTD prototype will be shared with commercial industry through Industry Days for further research and development, an approach intended to lead to innovative, game-changing capabilities for cybersecurity for critical infrastructure control systems.<ref>{{Cite web|title=More Situational Awareness for Industrial Control Systems (MOSAICS): Engineering and Development of a Critical Infrastructure Cyber Defense Capability for Highly Context-Sensitive Dynamic Classes: Part 2 – Development – HDIAC|url=https://hdiac.org/articles/more-situational-awareness-for-industrial-control-systems-mosaics-engineering-and-development-of-a-critical-infrastructure-cyber-defense-capability-for-highly-context-sensitive-dynamic-classes-par-2/|access-date=2021-07-31|language=en-US}}</ref>
 
== Industrial Automation and Control System (IACS) Cybersecurity Standards ==
The international standard for cybersecurity of automation and control systems is [[IEC 62443]]. In addition, national organizations such as NIST and NERC in the USA have released guidelines and requirements for cybersecurity in control systems.
=== ANSI/ISA-99 ===
ANSI/ISA-99 is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end-users (i.e. asset owner), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, designing, implementing, or managing industrial automation and control systems.
 
These documents were originally referred to as '''ANSI/ISA-99''' or '''ISA99''' standards, as they were created by the [[International Society of Automation|International Society for Automation (ISA)]] 99 committee, accredited by and publicly released as [[American National Standards Institute|American National Standards Institute (ANSI)]] documents. In 2010, they were renumbered to be the '''ANSI/ISA-62443''' series. This change was intended to align the ISA and ANSI document numbering with the corresponding [[International Electrotechnical Commission|International Electrotechnical Commission (IEC)]] standards.
 
All ISA work products are now numbered using the convention “ISA-62443-x-y” and previous ISA99 nomenclature is maintained for continuity purposes only.
 
ISA99 remains the name of the Industrial Automation and Control System Security Committee of the ISA. Since 2002, the committee has been developing a multi-part series of standards and technical reports on the subject of IACS security. These work products are submitted for ISA approval and then published under ANSI. They are also submitted to IEC for consideration as standards and specifications in the IEC 62443 series following the IEC standards development process.
 
=== IEC 62443 ===
{{anchor|62443}}
{{Main|IEC 62443}}
IEC 62443 is an international series of standards on "Industrial communication networks - IT security for networks and systems". The standard is divided into different sections and describes both technical and process-related aspects of industrial cybersecurity. It divides the industry into different roles: the operator, the integrators (service providers for integration and maintenance) and the manufacturers. The different roles each follow a risk-based approach to prevent and manage security risks in their activities.<ref>{{cite web|url=https://webstore.iec.ch/publication/7033|title=Standards and References - IEC-62443|website=www.iec.ch}}</ref>
 
The IEC 62443 cybersecurity standards define processes, techniques and requirements for Industrial Automation and Control Systems (IACS). The IEC 62443 standards and technical reports are organized into six general categories called ''General'', ''Policies and Procedures'', ''System'', ''Component'', ''Profiles'' and ''Evaluation''.
These standards are being used by practitioners in several industries to design and evaluate automation systems for cybersecurity resilience. Several of the standards are being used in personnel, engineering process, product, and system cybersecurity certification programs (also called conformity assessment programs). Certifications are awarded by accredited Certification Bodies (CB) which operate following ISO/IEC 17065 and ISO/IEC 17025. Certification Bodies are accredited to perform the auditing, assessment, and testing work by an Accreditation Body (AB). There is often one national AB in each country. These ABs operate per the requirements of ISO/IEC 17011, a standard that contains requirements for the competence, consistency, and impartiality of accreditation bodies when accrediting conformity assessment bodies. ABs are typically members of the International Accreditation Forum (IAF) for work in management systems, products, services, and personnel accreditation or the International Laboratory Accreditation Cooperation (ILAC) for laboratory accreditation. A Multilateral Recognition Arrangement (MLA) between ABs ensures global recognition of accredited CBs.
 
[[File:ISA-62443_Standard_Series_2012.png|thumb|right|alt=The numbering and organization of IEC 62443 work products into categories.|Planned and published IEC 62443 work products for IACS Security.]] The categories are as follows.<ref>Historic information about the activities and plans of the ISA99 committee is available on the committee Wiki site ([https://web.archive.org/web/20110402180044/http://isa99.isa.org/ISA99%20Wiki/Home.aspx])</ref>
 
# The first (top) category includes common or foundational information such as concepts, models and terminology. Also included are work products that describe security metrics and security life cycles for IACS.
# The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
# The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core in this is the zone and conduit design model.
# The fourth category includes work products that describe the specific product development and technical requirements of control system products. This is primarily intended for control product vendors, but can be used by integrators and asset owners to assist in the procurement of secure products.
# The fifth category provides profiles for industry-specific cybersecurity requirements according to IEC 62443-1-5.
# The sixth category defines assessment methodologies that ensure that assessment results are consistent and reproducible.
 
=== NERC ===
The most widely recognized and latest NERC security standard is NERC 1300, which is a modification/update of NERC 1200. The latest version of NERC 1300 is called CIP-002-3 through CIP-009-3, with CIP referring to Critical Infrastructure Protection. These standards are used to secure bulk electric systems, although NERC has created standards within other areas. The bulk electric system standards also provide network security administration while still supporting best-practice industry processes.

=== NIST ===
{{Main|National Institute of Standards and Technology}}
Although it is not a standard, the [[NIST Cybersecurity Framework]] (NIST CSF) provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes. It is intended to help private sector organizations that provide [[critical infrastructure]] with guidance on how to protect it.<ref>{{cite web | url=https://www.nist.gov/cyberframework/ | title=NIST Cybersecurity Framework | work=NIST | date=12 November 2013 | accessdate=2016-08-02 }}</ref>

NIST Special Publication 800-82 Rev. 2 "''Guide to Industrial Control System (ICS) Security''" describes how to secure multiple types of Industrial Control Systems against cyber attacks while considering the performance, reliability, and safety requirements specific to ICS.<ref>{{cite journal | last1=Stouffer | first1=Keith | last2=Lightman | first2=Suzanne | last3=Pillitteri | first3=Victoria | last4=Abrams | first4=Marshall | last5=Hahn | first5=Adam | title=Guide to Industrial Control Systems (ICS) Security | website=CSRC &#124; NIST | date=2015-06-03 | doi=10.6028/NIST.SP.800-82r2 | url=https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final | access-date=2020-12-29}}</ref>

== Control system security certifications ==
{{Main|IEC 62443}}
Certifications for control system security have been established by several global Certification Bodies. Most of the schemes are based on [[IEC 62443]] and describe test methods, surveillance audit policy, public documentation policies, and other specific aspects of their program.

=== IEC 62443 certifications ===
Cybersecurity certification programs for IEC 62443 standards are being offered globally by several recognized CBs including exida, CertX, SGS-TÜV Saar, TÜV Nord, TÜV Rheinland, TÜV SÜD and UL. A global accreditation and recognition infrastructure has been established to ensure consistent evaluation per these standards: impartial third-party Certification Bodies (CB) are accredited to operate under ISO/IEC 17065 and ISO/IEC 17025 by an Accreditation Body (AB), of which there is often one per country, and each AB operates per the requirements of ISO/IEC 17011, a standard that contains requirements for the competence, consistency, and impartiality of accreditation bodies when accrediting conformity assessment bodies. ABs are members of the International Accreditation Forum (IAF) for work in management systems, products, services, and personnel accreditation or the International Laboratory Accreditation Cooperation (ILAC) for laboratory accreditation, and a Multilateral Recognition Arrangement (MLA) between ABs ensures global recognition of accredited CBs.

=== IEC CB Scheme ===
The IEC CB Scheme is a multilateral agreement that facilitates market access for manufacturers of electrical and electronic products.

The origin of the CB Scheme comes from the CEE (the former European "Commission for Conformity Testing of Electrical Equipment") and was integrated into the IEC in 1985. Currently, there are 54 Member Bodies in the IECEE, 88 NCBs (National Certification Bodies), and 534 CB Test Laboratories (CBTL). In the field of product certification, this procedure is used to reduce the complexity of the approval procedure for manufacturers of products tested and certified according to harmonized standards.

A product that has been tested by a CBTL (certified testing laboratory) according to a harmonized standard such as IEC 62443 can use the CB report as a basis for a later national certification and approval such as GS, PSE, CCC, NOM, GOST/R or BSMI.

=== ISA Security Compliance Institute (ISCI) ISASecure ===
The ISA Security Compliance Institute (ISCI) created the first conformity assessment scheme (commonly known as a certification scheme) for the ANSI/ISA 62443 standards. This program certifies Commercial Off-the-Shelf (COTS) automation and control systems and IoT devices, addressing the security of the control systems supply chain. ISCI development processes include maintenance policies to ensure that the ISASecure certifications remain in alignment with the IEC 62443 standards as they evolve. While the ANSI/ISA 62443 standards are designed to horizontally address technical cybersecurity requirements of a cross-section of industries, the ISASecure working groups have included subject matter experts from traditional process industries and building management system suppliers and asset owners.

Two COTS product certifications are available under the ISASecure brand: CSA (Component Security Assurance), certifying automation products to the IEC 62443-4-1 / IEC 62443-4-2 cybersecurity standards, and SSA (System Security Assurance), certifying systems to the IEC 62443-3-3 standard. A third certification, SDLA (Secure Development Lifecycle Assurance), is available from ISCI and certifies automation systems development organizations to the IEC 62443-4-1 cybersecurity standard.

The ISASecure 62443 conformity assessment scheme is an ISO 17065 program whose labs (certification bodies or CB) are independently accredited by ANSI/ANAB, JAB and other global ISO 17011 accreditation bodies (AB). The certification labs must also meet ISO 17025 lab accreditation requirements to ensure consistent application of certification requirements and recognized tools. Through Mutual Recognition Arrangements (MRA) with IAF, ILAC and others, the accreditation of the ISASecure labs by the ISO 17011 accreditation bodies ensures that certificates issued by any of the ISASecure labs are globally recognized.

The ISASecure scheme includes a process for recognizing test tools to ensure the tools meet the functional requirements necessary and sufficient to execute all required product tests and that test results will be consistent among the recognized tools.

While the IEC 62443 standards are designed to horizontally address technical cybersecurity requirements of a cross-section of industries, the ISASecure scheme's certification requirements working groups include subject matter experts from the chemical and oil and gas industries and are reflective of their cybersecurity needs.

ISCI published a 2017 study which confirmed the applicability of the IEC 62443 standards and ISASecure certification to Building Management Systems (BMS). ISCI has added BMS suppliers to its membership and established a BMS working group to support the ongoing expansion of ISASecure certifications for BMS.
 
==References==
{{reflist}}

==External links==
* [https://www.iec.ch/cyber-security IEC 62443]
* [http://www.isa.org/isa99/ ISA 99 Standards]
* [http://www.isasecure.org/ ISA Security Compliance Institute]
* [http://www.nerc.com/page.php?cid=220/ NERC Standards (see CIP 002-009)]{{dead link|date=August 2017 |bot=InternetArchiveBot |fix-attempted=yes }}
* [http://www.nerc.com/page.php?cid=2|20 US NERC Critical Infrastructure Protection (CIP) Standards] {{Webarchive|url=https://web.archive.org/web/20110101035920/http://www.nerc.com/page.php?cid=2%7C20 |date=2011-01-01 }}
* [http://www.nist.gov US NIST webpage]
* [https://www.npsa.gov.uk/tools-catalogues-and-standards UK NPSA Tools, Catalogues and Standards]
* [https://www.paphossecurity.com/api-standard-1164-pipeline-scada-security-second-edition/ API 1164 Pipeline SCADA Security]
* [https://web.archive.org/web/20101019133350/http://americanchemistry.com/s_chemitc/sec.asp?CID=1641&DID=6201 ChemITC Guidance Documents]
* [http://www.cpni.gov.uk/advice/cyber/Security-for-Industrial-Control-Systems/ CPNI Security for Industrial Control Systems Guidance]
* [http://www.iaf.nu/ International Accreditation Forum]
* [http://www.exida.com/ exida IEC62443 Certification Program]
* [http://www.cssc-cl.org/]
* [http://www.tuv.com/ TUV Certification Program]
 
 
{{DEFAULTSORT:Cyber Security Standards}}
[[Category:Computer security procedures]]
[[Category:Computer security]]