Professional Documents
Culture Documents
3BUS094321 en ABB Review Security 2005 3
3BUS094321 en ABB Review Security 2005 3
Industrial information
system security
Standards for securing industrial automation systems
Part 3
This final installment looks at various initiatives that have been started over the last
couple of years by different groups to create standards and other forms of guidance
to secure industrial automation systems. An overview of a number of those initiatives
and their work products is presented, and the approach taken by IEC TC65 WG10 to
produce technical blueprints for securing certain control system scenarios is
explained.
Tutorial
Tutorial
device vendors to document the secu- Security management on the plant floor nature, it is not a normative standard
rity and communication related fea- according to ISA S99 against which compliance can be
tures and requirements of their indi- The ISA SP99 technical report measured. The reader determines the
vidual products. This information can TR99.00.01 [3], “Security Technologies applicability of the information to the
serve as valuable input for the au- for Manufacturing and Control Sys- specific case. It is an excellent docu-
tomation security architect as he de- tems” provides guidance on the appli- ment for those starting to determine
signs and configures the necessary cability of a broad and inclusive range security measures and those with
security mechanisms for the plant. of security technologies. Its advice experience. TR99.00.01 continues to
The benefit of such a Security Data comes from the combined experience be updated but its content will not be
Sheet is that it collects, at a single of security experts from automation covered by the S99 standards.
location, concise security relevant system vendors and users. As the in-
information that is otherwise often formation presented is analytical in As of October of this year, drafts of
hard to obtain from vendor literature. two of the four parts of the S99 stan-
dard are almost ready for public
IEC review.
1 Cyber Security Management System.
In early 2004 the IEC Technical Sub-
Committee 65C (Digital Communica- Part 1 defines terms and describes the
tions), through its working group models used in discussing security in
WG13 (Cyber Security), started to automation systems. Part 2 advises
Plan
address security issues - within the 1. Importance of Cyber Security
how a cyber-security management
IEC 61784 standard – for field buses in Business
system (CSMS) can be established.
and other industrial communication 2. Scope of a Cyber Security There are 18 key elements in a CSMS
networks. These issues are outlined Management System which are structured in a life cycle
in a new part 4 entitled “Digital data 3. Security Policy that is constantly repeated through
communications for measurement and 4. Organizational Security four phases: Plan, Do, Check, and
control – Profiles for secure communi- 5. Personnel Security Act. The CSMS is provided by the
cations in industrial networks”. 6. Physical and Environmental Chemical Industry Data Exchange
Security (CiDX) [7], which adapts the four
What became evident during this phases of the British Standard BS
work was that security issues in the 7799-2:2002 [6] to automation systems
automation system cannot be solved and defines the 18 key elements. The
Do
by protecting communication alone CSMS and its elements are shown in
7. Risk Identification,
and by looking only at the field level. 1 . Its cyclic nature is implicit in step
Classification, and Assessment
Instead, the working group started to 18 in which the security program itself
8. Risk Management and
specify state-of-the-art secure realiza- Implementation
is modified according to lessons
tions of certain common automation 9. Incident Planning and
learned in the course of the preceding
networking scenarios, such as dial-up Response
elements.
remote access. These descriptions, 10. Communications, Operations,
called requirement sets, contain a and Change Management Plan phase:
product independent specification of 11. Access Control Security planning begins with making
technical mechanisms in the context 12. Information and Document a business case so that top manage-
of a best-practice security architecture, Management ment can set a clear top-level policy
as well as guidance on the configura- 13. System Development and that mandates the security program.
tion and operation of these mecha- Maintenance
nisms. The approach is described in 14. Staff Training and Security Organizational Security is planned
greater detail below. Awareness and this takes into account all of the
15. Compliance departments and people that are
Consequently, the work of the group involved with the control system.
was moved to TC65 WG10 to align It identifies roles and establishes
the actual and necessary work with Check responsibilities relative to security.
the IEC committee mandate. The com- 16. Business Continuity Plan
pleted standard IEC 62443, entitled 17. Monitoring and Security relates to people: those who
“Security for industrial process meas- Reviewing CSMS have assets to protect, those who are
urement and control – Network and expected to protect them, and those
system security” is expected in 2006. who might compromise those assets.
The final voting for international va- Act Personnel Security defines personnel
lidity will take place during the first 18. Maintaining and policies to estimate and maintain the
half of 2007. Implementing Improvements trustworthiness of those who are giv-
en greater access to the assets. Physi-
Some other security initiatives are cal and Environmental Security must
briefly described in Table 1 . also be planned. Cyber security is
Tutorial
based on an assumption that there are munications, system operations, and nel to the security policies and proce-
substantial (not absolute) barriers change management. dures must be measured through con-
against physical attack. tinuous monitoring, and periodically,
Access control defines the privileges through audits. Compliance must also
Security risks are identified, classified, that accompany specific roles. It also take into account external requirements
and assessed in the planning phase. defines the procedures that limit peo- such as those of customers, contractual
Detailed instructions about how to do ple’s access to activities and informa- partners, and regulatory agencies.
this is provided in S99 and the materi- tion to which they are privileged.
al that it references. Authentication means are determined Check phase
which will ensure that a particular The Check Phase includes developing
Do phase user (person or software) has the a Business Continuity Plan and fol-
Risk assessment leads directly into the necessary access authorization. lowing it. This plan establishes how
Do Phase. Using the risk assessment, the company will operate through in-
security resources can be efficiently Information and Document Manage- cidents that result in serious damage,
applied to real vulnerabilities. ment identifies the security classifica- plant outage, and possibly community
tion of data and specifies safeguards. catastrophe. The lessons learned from
Procedures are established that plan Security issues of developing and the CSMS activities are reviewed in
the response to potential incidents. maintaining the system are also han- the Check Phase.
Response planning must include when dled by policies and procedures.
it becomes necessary to notify govern- Act phase
ment officials of a significant threat to Staff must be trained in the relevant As the CSMS is a cyclic process, the
the community. security procedures and all personnel security program is revised according
should undertake regular refresher to the review in the Check Phase.
Overall management policies and pro- courses on general security precautions. S99 Part 2 provides more details as
cedures are established to cover com- Compliance of departments and person- well as 19 steps for establishing a
2 Modular security architecture. Each can be mapped to certain components of the automation system and its network.
CNH
Control center/HMI
PEC
Service laptop
ACI
LLCC
Control network (control center lower level)
automation automation
cell cell AFD
controller controller
FC
Tutorial
CSMS. Part 3 aims at providing guid- should, at the same time, allow for servers. ULCC datails network orient-
ance on how to operate the CSMS. different technical solutions. One goal ed security mechanisms specific to
is that it will be possible to meet the this part.
Technical security architecture based on requirements of the standard using Lower Level Control center (LLCC):
IEC 62443 products and technologies that are LLCC outlines network oriented secu-
IEC 62443 mainly addresses – on a commercially available today. The re- rity mechanisms in the part of the
system level – technical aspects of the quirements can also be applied to cur- control network connected to con-
security architecture, and thus compli- rent and legacy systems and they can trollers and PLCs.
ments product oriented initiatives like be scaled down for systems where an Field Control (FC): FC outlines network
IAONA, and process guidance provid- analysis has indicated they represent a oriented security mechanisms in the
ed by SP99 and NERC. low risk for both the enterprise and part of the control network connected
society. to field devices.
Control network host (CNH): CNH ex-
With the ongoing stan- The working group foresees the fol-
lowing modules:
plains how automation workstations
and servers for operations and engi-
dardization efforts for Enterprise – control net interconnect neering can be secured against attacks
Industrial IT security (ECI): ECI defines the security architec- from insiders and malware, for exam-
ture for non-real-time dataflow be- ple.
processes and architec- tween a control network and an enter- Automation field device (AFD): AFD ex-
tures, plant managers prise network, preferably unidirec- plains how field devices and embed-
tional out of the control network. ded controllers can be secured.
have a real chance to im- Interactive remote access (IRA):
plement state-of-the-art IRA details the security architecture Each module describes: a use case to
and cost-efficient informa- needed so that parts of the control which it applies; threats that are ad-
system can be accessed remotely (ie, dressed or not addressed; the underly-
tion system security. via telephone dialup or Internet) for ing assumptions; the requirements;
perhaps engineering or expert diagno- and the party (automation vendor,
sis. system integrator, or plant owner) re-
The basic idea of the IEC approach is Inter control center connect (ICC): sponsible for meeting each of the re-
that of a modular security architec- ICC describes how communications quirements. The core part of each
ture. Each module corresponds to a between fixed control centers over module is the requirement set and it
certain usage or communication sce- public networks can be secured. contains between 20 and 50 require-
nario and can be mapped to certain Stand-alone embedded device (SED): ments, depending on the module.
components of the automation system SED outlines the security requirements
and its network 2 . Each module is for an automation device that is not Each requirement consists of a norma-
represented by a requirement set contained in a security zone and for tive statement, optionally including
specified in the standard. Some of the which a full-blown security perimeter scale-down alternatives, a rationale,
requirements, as well as the physical would not be cost efficient, eg, a and in many cases one or more appli-
or logical components they refer to, pole-top Intelligent Electronic Device cation notes. The rationale is an es-
are common to multiple modules. (IED). sential element, as it enables the read-
Security architecture modules can and Portable engineering computer (PEC): er to make an informed decision
should be combined to suit the specif- PEC details how a control system can about the importance and applicabili-
ic usage and threat situation of an be protected against threats originat- ty of the requirement. The application
automation system. The standard will ing from portable computers that may notes provide technical guidance on
provide guidance on the priority of be moved back and forth between how the requirement could be real-
modules for situations where a com- public networks and the control sys- ized.
plete implementation of the standard tem
is not possible due to budget limita- Portable storage media (PSM): An au- The IEC 62443 standard describes the
tions for initial implementation and tomation system may be exposed to “what” and “why” of the security ar-
ongoing maintenance. malware infections through storage chitecture, but the “how” is specific to
media like memory sticks or CDs. PSM an individual site and system and is
The requirements will be formulated explains how this can be prevented. therefore left to the engineering judg-
in a way that can be used as the basis Automation cell interconnect (ACI): ment of the plant experts and the au-
for Requests for Proposals (RFPs) for ACI outlines the security architecture tomation/IT integrator.
data communication standards, and required for protected communication
offers, as well as security audits. They between automation cells within a Summary
control network. With the ongoing standardization ef-
Footnotes
Upper Level Control center (ULCC): forts for Industrial IT security process-
1) http://www.isa.org/MSTemplate.cfm?Micro- Part of a control network is connected es and architectures, specific to con-
siteID=988&CommitteeID=6821 to operator workstations, “historians ”, trol and automation systems, plants
2) http://www.iaona.org/home/jtwg-se.php application servers and connectivity managers now have a real chance to
www.abb.com/abbreview
Review
The corporate technical journal
of the ABB Group
www.abb.com/abbreview
1 / 2005 3 / 2005
Pioneering Sustainability
spirits
The standardization initiatives de-
scribed above have so far been char- A revolution in high dc current measurement Sustainability is an essential part of
Dick Oyen
ABB ABB
ABB US, Corporate Research Review
The corporate technical journal
of the ABB Group
Review
The corporate technical journal
of the ABB Group
dick.oyen@us.abb.com
www.abb.com/abbreview www.abb.com/abbreview
2 / 2005 4 / 2005
University Innovation –
and industry co- the DNA
operation of business
References 2/2005: 4/2005:
Turning Europe into a dynamic and Best innovations 2005
page 6
The importance of working together with Power lines that don’t spoil the landscape
industry: university viewpoints page 25
Looking ahead:
The future of power system control
page 35
industry cooperation The magnetic stabilizer that saves on zinc
page 60
The DNA of business
national Conference on Emerging Technologies a a